If qemu is run like:

 qemu-system-ppc64 -nodefaults -device spapr-vty

We end up in spapr_vty_init() with dev->chardev == NULL. Currently
that leads to a segfault because we unconditionally call
qemu_chr_add_handlers().

Although we could make that call conditional, I think a spapr-vty
without a chardev is basically useless so fail the init. This is
similar to what the serial code does for example.
Signed-off-by: NMichael Ellerman <michael@ellerman.id.au>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The spapr_vio_find_by_reg() function in hw/spapr_vio.c is supposed to find
the device structure for a PAPR virtual IO device with the given reg value,
and return NULL if none exists.

It does the first ok, but if no device with that reg exists, it just
returns the last device traversed in the list.  This patch fixes it.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The SLOF firmware used on the pseries machine needs a reasonable amount of
(guest) RAM in order to run, so we have a check in the machine init
function to check that this is available.  However, SLOF runs in real mode
(MMU off) which means it can only actually access the RMA (Real Mode Area),
not all of RAM.  In many cases the RMA is the same as all RAM, but when
running with Book3S HV KVM on PowerPC 970, the RMA must be especially
allocated to be (host) physically contiguous.  In this case, the RMA size
is determined by what the host admin allocated at boot time, and will
usually be less than the whole guest RAM size.

This patch corrects the test to see if SLOF has enough memory for this
case.

In addition, more recent versions of SLOF that were committed earlier don't
need quite as much memory as earlier versions.  Therefore, this patch also
reduces the amount of RAM we require to run SLOF.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

When using gdb to single step a ppc interrupt routine, the execution
flow passes the rfi instruction without actually returning from the
interrupt.

The patch fixes this by avoiding to update the nip when the debug
exception is raised and a previous POWERPC_EXCP_SYNC was set.

The latter is the case only, if code for rfi or a related instruction
was generated.
Signed-off-by: NSebastian Bauer <mail@sebastianbauer.info>
Signed-off-by: NAlexander Graf <agraf@suse.de>

tcg/ppc64/tcg-target.c has a couple of places where variables are set
unconditionally, but otherwise used only for softmmu builds, not
userspace only builds.  This causes compiler warnings (which are fatal
by default) when compiling for a ppc64 host with gcc 4.6.  This patch
fixes the problem by moving the code which defines and sets the
variables into the CONFIG_SOFTMMU guarded regions.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Since we added PCI support to the pseries machine, we include a qlist of
PCI host bridges in the sPAPREnvironment structure.  However this list
was never properly initialized it.  Somehow we got away with this until
some other recent change broke it, and we now segfault immediately on
startup.

This patch adds the required QLIST_INIT(), and while we're at it makes sure
we initialize the rest of the sPAPREnvironment structure to 0, to avoid
future nasty surprises.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

To reproduce the leak, put two name options into the same [cpudef]
section of target-x86_64.conf.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Fixes missing error checking.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Fixes protocol_client_auth_sasl_mechname() not to crash when malloc()
fails.  Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Signed-off-by: NChen Wen-Ren (陳韋任) <chenwj@iis.sinica.edu.tw>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

  Update the document since the default code cache size is 32 MB now.
Signed-off-by: Nchenwj <chenwj@cs.nctu.edu.tw>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

hpet_timer timer callback rearms itself based on difference between
current HPET tick counter and comparator value. Difference calculated by
the hpet_calculate_diff function is limited to non-negative values.

cur_tick is calculated via hpet_get_ticks that uses qemu_get_clock_ns(vm_clock).

With -icount enabled vm_clock doesn't advance during qemu_run_timers
loop thus once difference is zero, qemu_run_timers loops forever
handling hpet_timer.

Limit hpet_calculate_diff results to positive only values to avoid that
infinite loop.

This fixes the following qemu-system-x86_64 hang when it reaches
timer_irq_works() in the linux bootup:

[    0.000000] Fast TSC calibration using PIT
[    0.000000] Detected 1000.054 MHz processor.
[    0.000031] Calibrating delay loop (skipped), value calculated using timer frequency.. 2000.10 BogoMIPS (lpj=10000540)
[    0.000404] pid_max: default: 32768 minimum: 301
[    0.001138] Mount-cache hash table entries: 256
[    0.003883] Initializing cgroup subsys ns
[    0.004035] Initializing cgroup subsys cpuacct
[    0.004280] Initializing cgroup subsys freezer
[    0.004790] Performance Events: AMD PMU driver.
[    0.004985] ... version:                0
[    0.005134] ... bit width:              48
[    0.005285] ... generic registers:      4
[    0.005437] ... value mask:             0000ffffffffffff
[    0.005625] ... max period:             00007fffffffffff
[    0.005807] ... fixed-purpose events:   0
[    0.005957] ... event mask:             000000000000000f
[    0.006275] SMP alternatives: switching to UP code
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Add missing 'break' statements which would have meant that writing
to an 8 bit NAND device was broken. Spotted by Coverity (see bug
887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a bug revealed by a coverity scan (see bug 887883) which meant
that we would never print the warning about unpredictable behaviour
if a nonexistent overlay is enabled.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The fact that a host cpu supports a feature doesn't mean that QEMU and KVM
will also support it, yet -cpuid host brings host features wholesale.

We need to whitelist each feature separately to make sure we support it.
This patch adds KVM whitelisting (by simply using KVM_GET_SUPPORTED_CPUID
instead of the CPUID instruction).
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Modern distributions place xattr.h in /usr/include/sys, and fold
libattr.so into libc.  They also don't have an ENOATTR.

Make configure detect this, and add a qemu-xattr.h file that
directs the #include to the right place.
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

g_strdup() can't fail, remove assertion.  Assert its argument can't be
null, because that's not obvious (add_boot_device_path() ensures it).
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The function that writes pidfile for win32 uses WriteFileEx which is an
asynchronous IO function. The arguments given to WriteFileEx are allocated on
the stack and one of them is "in out". When the IO operation is actually
executed the calling function has already returned, so the arguments are no
longer allocated or allocated to another frame.
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NFabien Chouteau <chouteau@adacore.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The non-dynticks timer variations are broken, so they can be
removed.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

clk_setup is now a function. Fixes a segfault.
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

vga_putcharxy()'s underline code sets font_data to 0xffff instead of
0xff.  vga_putcharxy() then reads dmask16[0xffff >> 4] and
dmask4[0xffff >> 6].  In practice, these out-of-bounds subscripts
"only" put a few crap bits into the display surface.

For 32 bit pixels, there's no array access.  font_data's extra bits go
straight into the display surface.

Broken when commit 6d6f7c28 implemented underline.

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The caller of qemu_timedate_diff() does not expect that tm it passes to
the function will be modified, but mktime() is destructive and modifies
its argument. Pass a copy of tm to it and set tm_isdst so that mktime()
will not rely on it since its value may be outdated.
Signed-off-by: NGleb Natapov <gleb@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

We disable vm_clock when pausing all vcpus, but we forget to
reenable it when resuming all vcpus. It will cause that the
guest can not be rebooted.
Tested-by: NZhi Yong Wu <zwu.kernel@gmai.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NWen Congyang <wency@cn.fujitsu.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Commit 0a039dc7 broke vga modes for
qxl-vga by loosing vga_ioport_read windup.  qxl needs to hook into
vga port writes only and used to realize that by letting vga_init() do
the work for both reads and writes, then overwrite the write function.
That little detail was missed while doing the conversion ...

This patch fixes it.  It also switch qxl vga ioport registration to
portio lists while being at it.

Cc: Hans de Goede <hdegoede@redhat.com>
Acked-by: NAlon Levy <alevy@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000.  Due to the device id being zero the
subsystem id isn't vaild anyway.  With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.

[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]

Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch adds a pc-1.0 machine type.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

sgabios hasn't gotten a lot of coverage since it was not shipped.  For 1.0,
let's disable the automatic loading of the option ROM in -nographic
mode.  We can put it back for 1.1.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The rom was not added together with the sgabios device and is
not installed.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Somehow, the read/write functions handle an offset that does not exist anymore.
Signed-off-by: NAnthony PERARD <anthony.perard@citrix.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

readline_hist_add() moves the history entry to the end of history.  It
uses memmove() to move rs->history[idx + 1..] to rs->history[idx..].
However, its size argument is off by two array elements, so it writes
one element beyond rs->history[], and reads two.

On my system, this clobbers rs->hist_entry and the hole right after
it.  Since the function assigns to rs->hist_entry in time, the bug has
no ill effects for me.

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Signed-off-by: NPavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Signed-off-by: NPavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Before the next patches, fix coding style of the affected functions.
Signed-off-by: NPavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

The first enable set/clear register (which controls the PPIs and SGIs)
is supposed to be banked for each processor.  Currently it is just
handled globally and this prevents recent SMP Linux kernels from
booting, because CPU0 stops receiving localtimer interrupts when CPU1
disables them locally.

To fix this, allow the enable bits to be enabled per-cpu.  For SPIs,
always enable/disable ALL_CPU_MASK.
Signed-off-by: NRabin Vincent <rabin@rab.in>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>