Call it right after -device devices get created.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 668680f7)

Unused since commit 9ad4531e.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7f76abe1)

Most of these are obvious NULL-deref bug fixes, for example,
the ones in these files:

  block/curl.c
  net.c
  slirp/misc.c

and the first one in block/vvfat.c.
The others in block/vvfat.c may not lead to an immediate segfault, but I
traced the two schedule_rename(..., strdup(path)) uses, and a failed
strdup would appear to trigger this assertion in handle_renames_and_mkdirs:

	    assert(commit->path);

The conversion to use qemu_strdup in envlist_to_environ is not technically
needed, but does avoid a theoretical leak in the caller when strdup fails
for one value, but later succeeds in allocating another buffer(plausible,
if one string length is much larger than the others).  The caller does
not know the length of the returned list, and as such can only free
pointers until it hits the first NULL.  If there are non-NULL pointers
beyond the first, their buffers would be leaked.  This one is admittedly
far-fetched.

The two in linux-user/main.c are worth fixing to ensure that an
OOM error is diagnosed up front, rather than letting it provoke some
harder-to-diagnose secondary error, in case of exec failure, or worse, in
case the exec succeeds but with an invalid list of command line options.
However, considering how unlikely it is to encounter a failed strdup early
in main, this isn't a big deal.  Note that adding the required uses of
qemu_strdup here and in envlist.c induce link failures because qemu_strdup
is not currently in any library they're linked with.  So for now, I've
omitted those changes, as well as the fixes in target-i386/helper.c
and target-sparc/helper.c.

If you'd like to see the above discussion (or anything else)
in the commit log, just let me know and I'll be happy to adjust.

>From 9af42864fd1ea666bd25e2cecfdfae74c20aa8c7 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Mon, 8 Feb 2010 18:29:29 +0100
Subject: [PATCH] don't dereference NULL after failed strdup

Handle failing strdup by replacing each use with qemu_strdup,
so as not to dereference NULL or trigger a failing assertion.
* block/curl.c (curl_open): s/\bstrdup\b/qemu_strdup/
* block/vvfat.c (init_directories): Likewise.
(get_cluster_count_for_direntry, check_directory_consistency): Likewise.
* net.c (parse_host_src_port): Likewise.
* slirp/misc.c (fork_exec): Likewise.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 6265eb26)

Fix a race condition where qemu finds that there are not enough virtio
ring buffers available and the guest make more buffers available before
qemu can enable notifications.
Signed-off-by: NTom Lendacky <toml@us.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 06b12970)

OK we are fooled by the json lexer and parser. As we use %I64d to
print 'long long' variables in Win32, but lexer and parser only deal
with %lld but not %I64d, this patch add support for %I64d and solve
'info pci', 'powser_reset' and 'power_powerdown' assert failure in
Win32.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2c0d4b36)

qemu_opt_set wants on/off, not yes/no.
Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2198a62e)

Round robin vcpus in tcg_cpu_next even if the vm stopped. This
allows all cpus to enter stopped state.
Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c37cc7b0)

This fixes a segfault due to buffer overrun in the usb-serial device.
The memcpy was incrementing the start location by recv_used yet, the
computation of first_size (how much to write at the end of the buffer
before wrapping to the front) was not accounting for it. This causes the
next element after the receive buffer (recv_ptr) to get overwritten with
random data.
Signed-off-by: NDavid Ahern <daahern@cisco.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4ab4183d)

Checking for return codes < 0 isn't really going to work with unsigned
types. Use signed types instead.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f4f0d391)

In case, when qemu is executed with option like
-serial /dev/ttyS0, report if there are problems with
opening of devices. At now errors are silently ignoring.
Signed-off-by: NEvgeniy Dushistov <dushistov@mail.ru>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit afc535ac)

 - 9fb3f4d Fix PkgLength calculation for the SSDT.
 - 6d75be2 Go back to using 0xf0000000 for PCI memory start.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This should explain a lot of the weird breakages of upstream KVM we've
seen recently (actually we should have seen it much earlier):

Stop translating eflags into TCG format when in kvm mode as we never
translate it back and rather sync this broken state into the kernel.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAvi Kivity <avi@redhat.com>

Backported from HEAD (cc3f20fee2c9bea3793bf873c531ae6baf68df3a)
Signed-off-by: NNathan Froyd <froydnj@codesourcery.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

When we signal a CpU exception for coprocessor 0, we should indicate
that it's for coprocessor 0 instead of coprocessor 1.
Signed-off-by: NNathan Froyd <froydnj@codesourcery.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 13f160cebd0778113ba8d251aea297286b1666cb)

The address register is overriden when it corresponds to v0 and the fast
path is taken, which leads to a crash. Fix that by using the a0 register
instead.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit cca1af8c)

In helper.c AREG0 may not correspond do env, so it's not possible to
call cpu_loop_exit() here. Call it from op_helper.c instead.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit c36bbb28)

If an I/O request fails right away instead of getting an error only in the
callback, we still need to consider rerror/werror.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 6c510fbf)

Current code assumes that only write requests are ever going to be restarted.
This is wrong since rerror=stop exists. Instead of directly starting writes,
use the same request processing as used for new requests.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f1b52868)

We need a function that handles a single request. Create one by splitting out
code from virtio_blk_handle_output.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit bc6694d4)

This fixes CONFIG_FB_CIRRUS for Linux guests and probably much more:

When switching away from linearly mapped vram, we also have to restore
the I/O handlers for the LFB.

This regression was once introduced by commit 2bec46dc.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4516e45f)

Now that qcow2_alloc_clusters can return error codes, we must handle them in
the callers of qcow2_alloc_clusters.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5d757b56)

update_refcount can return errors that need to be handled by the callers.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit db3a964f)

There's absolutely no problem with updating the refcounts of 0 clusters.
At least snapshot code is doing this and would fail once the result of
update_refcount isn't ignored any more.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7322afe7)

If update_refcount fails, try to undo any changes made so far to avoid
inconsistencies in the image file.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 09508d13)

Return the appropriate error code instead of -EIO.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f2b7c8b3)

Don't assume -EIO but return the real error.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 9a8c4cce)

Returning 0/-errno allows it to distingush different errors classes. The
cluster offset of newly allocated clusters is now returned in the QCowL2Meta
struct.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 148da7ea)

Switching to 0/-errno allows it to distinguish different error cases.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 1e3e8f1a)

Don't assume success but pass the bdrv_pwrite return value on.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 1d36e3aa)

Return the appropriate error value instead of always using EIO. Don't free the
L1 table on errors, we still need it.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit fb8fa77c)

Toggle full screen on Win32/SDL 1.2.13 was broken by commit
c18a2c36. Re-add the call to
do_sdl_resize() which was removed in this revision
Signed-off-by: NHerve Poussineau <hpoussin@reactos.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a35aed57)

Win32 suffers from a very big memory leak when dealing with SCSI devices.
Each read/write request allocates memory with qemu_memalign (ie
VirtualAlloc) but frees it with qemu_free (ie free).
Pair all qemu_memalign() calls with qemu_vfree() to prevent such leaks.
Signed-off-by: NHerve Poussineau <hpoussin@reactos.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f8a83245)

Hi all,
this patch fixes another bug in vnc_refresh: calling vnc_update_client
might cause vs to be free()ed, in this case we cannot access vs->next
right after to examine the next item on the list.
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 6185c578)

Commit 930c8682 introduced a regression to eth_send: eth_tx_desc_put
manipulates the host's tx descriptor copy before writing it back, but
two lines down the descriptor is evaluated again, leaving us with an
invalid next address if host and guest endianness differ. So this was
the actual issue commit 2e87c5b9 tried to paper over.
Signed-off-by: NJan Kiszka <jan.kiszka@web.de>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 07b064e9)
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Commit b3a21988 uncovered that we attached the Wolfson with an I2C
address shifted left by one. Fixing this makes sound work again for
the Musicpal.
Signed-off-by: NJan Kiszka <jan.kiszka@web.de>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 64258229)
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

savevm without id or tag segfaults in:

(gdb) bt
#0  0x00007f600a83bf8a in __strcmp_sse42 () from /lib64/libc.so.6
#1  0x00000000004745b6 in bdrv_snapshot_find (bs=<value optimized out>,
    sn_info=0x7fff996be280, name=0x0) at savevm.c:1631
#2  0x0000000000475c80 in del_existing_snapshots (name=<value optimized out>,
    mon=<value optimized out>) at savevm.c:1654
#3  do_savevm (name=<value optimized out>, mon=<value optimized out>)
Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f139a412)

Windows 7 BSODs under load with HAL_RTC_IRQF_WILL_NOT_CLEAR error.

It happens here:
hal!HalpRtcUnmaskClock:
8281b93a 8bff            mov     edi,edi
8281b93c 56              push    esi
8281b93d 33f6            xor     esi,esi
8281b93f 6a0c            push    0Ch
8281b941 e8b2ffffff      call    hal!CMOS_READ (8281b8f8)
8281b946 84c0            test    al,al
8281b948 7920            jns     hal!HalpRtcUnmaskClock+0x30 (8281b96a)
8281b94a 6a0a            push    0Ah
8281b94c 46              inc     esi
8281b94d e854c8ffff      call    hal!KeStallExecutionProcessor (828181a6)
8281b952 83fe64          cmp     esi,64h
8281b955 72e8            jb      hal!HalpRtcUnmaskClock+0x5 (8281b93f)
8281b957 6a00            push    0
8281b959 6a00            push    0
8281b95b 6a00            push    0
8281b95d 680a010000      push    10Ah
8281b962 6a5c            push    5Ch
8281b964 ff1500c38082    call    dword ptr [hal!_imp__KeBugCheckEx (8280c300)]
8281b96a 5e              pop     esi
8281b96b c3              ret

So it loops for 100(64h) times reading register C before BSOD. Lets
reduce number of immediate reinjection well under this limit.
Signed-off-by: NGleb Natapov <gleb@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit dd17765b)

Commit f039a563 introduces
a regression as monitor_protocol_event() will return in
the first user Monitor it finds in the QLIST_FOREACH()
loop.

The right thing to do is to only delivery an asynchronous
event if the 'mon' is a QMP Monitor.

The aforementioned commit was an early version, if it was
applied to stable (it should) this one has to be applied
there too.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 23fabed1)

The command line options -device, -nodefaults, -readconfig,
-writeconfig had entries for command line help, but
documentation for texi and derived formats (man, html, info)
was missing.

This also required moving "@end table" to the end of
qemu-options.hx again.
Signed-off-by: NStefan Weil <weil@mail.berlios.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3dbf2c7f)

This patch adds compat property entries for ide-disk.ver and
scsi-disk.ver to pc-0.10 and pc-0.11.  With this patch applied
the scsi and ide disks report "0.10" and "0.11" as version when
you start qemu with "-M pc-0.10" or "-M pc-0.11".
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 374ef704)