10 April 2010, 5 commits

Committed by Aurelien Jarno
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit f7177937)

Committed by Aurelien Jarno
The store queues are located from 0xe0000000 to 0xe3ffffff.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit b1563142123593581895049568c5526b1e91da7b)

Committed by Aurelien Jarno
There is an ITLB access violation if SR_MD=0 (user mode) while the high bit of the protection key is 0 (privileged mode).
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit bc13ad29e6b7484ccd5e7ee0f5d0f966585eb4c9)

Committed by Aurelien Jarno
The mem_idx is wrongly computed. As written in target-sh4/cpu.h, mode 0 corresponds to kernel mode (SR_MD = 1), while mode 1 corresponds to user mode (SR_MD = 0).
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 33b8f5546cc16eaa3d89fe133a9843c794b65d6c)

Committed by Aurelien Jarno
When the MMUCR TI bit is set, all the UTLB and ITLB entries should be flushed.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit e781d1285fc3b81d689ba25360c6c272116387fa)

06 April 2010, 1 commit

Committed by Paul Brook
Only raise an interrupt if the TD has actually completed.
Signed-off-by: Paul Brook <paul@codesourcery.com>

29 March 2010, 1 commit

Committed by Aurelien Jarno
Branch offsets should only be overwritten during relocation, to support partial retranslation.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 6d8ff4d8)

20 March 2010, 2 commits

Committed by Aurelien Jarno
Since commit 6113d6d3 QEMU crashes on ARM hosts. This is not a bug of this commit, but a latent bug revealed by this commit.

The TCG code is called through a procedure call using the prologue and epilogue code. This code does not save and restore enough registers. The "Procedure Call Standard for the ARM Architecture" says:

A subroutine must preserve the contents of the registers r4-r8, r10, r11 and SP (and r9 in PCS variants that designate r9 as v6).

The current code only saves and restores r9 to r11, and misses r4 to r8. The patch fixes that by saving r4 to r12. Theoretically there is no need to save and restore r12, but an even number of registers has to be saved as per EABI.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 4e17eae9)

Committed by Igor V. Kovalenko
This is a workaround only, and is a partial revert of a few changes to BMDMAState which removed the pci_dev field on the way.
- cmd646 pci_from_bm() expects the bm->unit value to correspond with the bm data being passed to the callback as an opaque pointer. This breaks when a write to the dma control register of the second channel happens when no dma operation is in progress, so bm->unit is zero for the second channel, and pci_from_bm() returns a garbage pointer. A crash happens shortly after that while dereferencing that pointer.
v0->v1: cleaned up dead code from pci_from_bm.
Signed-off-by: Igor V. Kovalenko <igor.v.kovalenko@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 90228ee3)

16 March 2010, 2 commits

Committed by Jan Kiszka
The missing '@' broke 'udp::<port>@:<port>' parsing.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 39324ca4)

Committed by Jan Kiszka
This fixes e.g. "-nographic -serial mon:stdio [-serial ...]".
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 18141ed6)

15 March 2010, 1 commit

Committed by Vagrant Cascadian
Here's a trivial patch to fix the spelling of "compatibility":
Signed-off-by: Vagrant Cascadian <vagrant@freegeek.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 66c80e75)

13 March 2010, 2 commits

Committed by Gerd Hoffmann
Fix the floppy controller init wrappers to set the drive properties only in case the DriveInfo pointers passed in are non-NULL. This allows setting the properties using -global.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 995bf0ca)

Committed by TeLeMan
The commit c2254920 led movntps & movntdq to be translated incorrectly.
Signed-off-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 2e21e749)

10 March 2010, 1 commit

Committed by Aurelien Jarno
A SIB byte with an index of 4 means "no scaled index", even if the scale value is not 0. In 64-bit mode, if REX.X is used, an index of 4 selects %r12. This is correctly handled by the computation of the index variable, which includes the index bits, and also the REX.X prefix:

    index = ((code >> 3) & 7) | REX_X(s);

Thanks to Avi Kivity, Jamie Lokier and Malc for the analysis of the problem and the initial patch.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit b16f827b)
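The decoding rule in this commit message, written out as an added C example (not QEMU's translator code, which is not shown here): the index field is combined with REX.X exactly as the commit's formula does, and only the combined value 4 means "no scaled index", so 4 | REX.X = 12 selects %r12 regardless of the scale bits. The example goes a little beyond the commit by also computing the scale factor and the scaled-index contribution to the effective address; the function names and the register file contents are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not QEMU's translator: decodes the index field of an x86
 * SIB byte following the rule in the commit message. The function names
 * and the sample register file are this example's own assumptions. */

/* Register number selected by the SIB index field, or -1 for "no scaled
 * index". rex_x is the REX.X prefix bit (64-bit mode only); it is folded
 * into the index exactly as the commit's formula does, so 4 | REX.X = 12. */
int sib_index_register(uint8_t sib, bool rex_x)
{
    int index = ((sib >> 3) & 7) | (rex_x ? 8 : 0);
    /* Only the combined value 4 means "no index"; the scale bits play no
     * part in that decision, and with REX.X set %r12 is selected. */
    if (index == 4) {
        return -1;
    }
    return index;
}

/* Scale factor encoded in the top two bits of the SIB byte: 1, 2, 4 or 8. */
int sib_scale(uint8_t sib)
{
    return 1 << (sib >> 6);
}

/* Scaled-index contribution to the effective address, 0 when there is
 * no index. regs is a 16-entry general purpose register file (rax..r15). */
uint64_t sib_scaled_index(uint8_t sib, bool rex_x, const uint64_t regs[16])
{
    int idx = sib_index_register(sib, rex_x);
    if (idx < 0) {
        return 0;
    }
    return (uint64_t)sib_scale(sib) * regs[idx];
}

/* Constructed register file: only %r12 holds a value, so a decoder that
 * wrongly treats index 12 as "no index" shows up as a zero contribution. */
const uint64_t sample_regs[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1000, 0, 0, 0
};

int main(void)
{
    /* 0xa4 = scale bits 10 (x4), index bits 100 (4), base bits 100 */
    printf("index without REX.X: %d\n", sib_index_register(0xa4, false));
    printf("index with REX.X:    %d\n", sib_index_register(0xa4, true));
    printf("scaled index (REX.X): 0x%llx\n",
           (unsigned long long)sib_scaled_index(0xa4, true, sample_regs));
    return 0;
}
```

With the SIB byte 0xa4, the decoder returns "no index" without REX.X and %r12 with it, and the scaled contribution with REX.X is 4 * 0x1000 = 0x4000; a decoder that checked only the three raw index bits would return 0 in both cases and compute the wrong address.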

07 March 2010, 3 commits

Committed by Ryan Harper
Currently, x86_64-softmmu qemu segfaults when trying to use a memsize > 4095M. This patch adds a simple check and error message (much like the 2047 limit on 32-bit hosts) on ram_size in the control path after we determine we're not using kvm. Upstream qemu-kvm is affected if using the -no-kvm option; this patch addresses the segfault there as well.
Signed-off-by: Ryan Harper <ryanh@us.ibm.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

Committed by malc
Signed-off-by: malc <av1474@comtv.ru>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 41b1e61f)

Committed by Aurelien Jarno
This instruction loads data from memory to register and not the reverse.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit c2254920)

28 February 2010, 1 commit

Committed by Jan Kiszka
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 5bb59902)

27 February 2010, 2 commits

Committed by Paolo Bonzini
This one is for 0.12 too.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 0dfbd514)

Committed by Aurelien Jarno
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit aa375206)

24 February 2010, 19 commits

Committed by Anthony Liguori

Committed by Anthony Liguori
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Committed by Kevin Wolf
If a write request crosses an L2 table boundary and all clusters until the end of the L2 table are usable for the request, we must not look at the next L2 entry because we have already arrived at the end of the array.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4805bb66)

Committed by Marcelo Tosatti
Save/restore information necessary to continue in-progress PIO/ATAPI CMD transfers. This includes the IO buffer.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ed487bb1)

Committed by Markus Armbruster
Clients not associated with a VLAN exist since commit d80b9fc6.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2583ba97)

Committed by Markus Armbruster
Clients not associated with a VLAN exist since commit d80b9fc6.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a0104e0e)

Committed by Markus Armbruster
Clients not associated with a VLAN exist since commit d80b9fc6.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit efe32fdd)

Committed by Markus Armbruster
net_check_clients() prints this when a VLAN has host devices, but no guest devices. It uses VLANState members nb_guest_devs and nb_host_devs to keep track of these devices. However, -device does not update nb_guest_devs, only net_init_nic() does that, for -net nic. Check the VLAN clients directly, and remove the counters.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 62112d18)

Committed by Markus Armbruster
Call it right after -device devices get created.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 668680f7)

Committed by Markus Armbruster
Unused since commit 9ad4531e.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7f76abe1)

Committed by Jim Meyering
Most of these are obvious NULL-deref bug fixes, for example, the ones in these files: block/curl.c, net.c, slirp/misc.c and the first one in block/vvfat.c. The others in block/vvfat.c may not lead to an immediate segfault, but I traced the two schedule_rename(..., strdup(path)) uses, and a failed strdup would appear to trigger this assertion in handle_renames_and_mkdirs: assert(commit->path);

The conversion to use qemu_strdup in envlist_to_environ is not technically needed, but does avoid a theoretical leak in the caller when strdup fails for one value, but later succeeds in allocating another buffer (plausible, if one string length is much larger than the others). The caller does not know the length of the returned list, and as such can only free pointers until it hits the first NULL. If there are non-NULL pointers beyond the first, their buffers would be leaked. This one is admittedly far-fetched.

The two in linux-user/main.c are worth fixing to ensure that an OOM error is diagnosed up front, rather than letting it provoke some harder-to-diagnose secondary error, in case of exec failure, or worse, in case the exec succeeds but with an invalid list of command line options. However, considering how unlikely it is to encounter a failed strdup early in main, this isn't a big deal.

Note that adding the required uses of qemu_strdup here and in envlist.c induces link failures because qemu_strdup is not currently in any library they're linked with. So for now, I've omitted those changes, as well as the fixes in target-i386/helper.c and target-sparc/helper.c. If you'd like to see the above discussion (or anything else) in the commit log, just let me know and I'll be happy to adjust.

From 9af42864fd1ea666bd25e2cecfdfae74c20aa8c7 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Mon, 8 Feb 2010 18:29:29 +0100
Subject: [PATCH] don't dereference NULL after failed strdup

Handle failing strdup by replacing each use with qemu_strdup, so as not to dereference NULL or trigger a failing assertion.
* block/curl.c (curl_open): s/\bstrdup\b/qemu_strdup/
* block/vvfat.c (init_directories): Likewise.
(get_cluster_count_for_direntry, check_directory_consistency): Likewise.
* net.c (parse_host_src_port): Likewise.
* slirp/misc.c (fork_exec): Likewise.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 6265eb26)

Committed by Tom Lendacky
Fix a race condition where qemu finds that there are not enough virtio ring buffers available and the guest makes more buffers available before qemu can enable notifications.
Signed-off-by: Tom Lendacky <toml@us.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 06b12970)

Committed by Roy Tam
OK, we are fooled by the json lexer and parser. As we use %I64d to print 'long long' variables in Win32, but the lexer and parser only deal with %lld and not %I64d, this patch adds support for %I64d and solves the 'info pci', 'powser_reset' and 'power_powerdown' assert failures in Win32.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2c0d4b36)

Committed by Marcelo Tosatti
qemu_opt_set wants on/off, not yes/no.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2198a62e)

Committed by Marcelo Tosatti
Round robin vcpus in tcg_cpu_next even if the vm stopped. This allows all cpus to enter the stopped state.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c37cc7b0)

Committed by David S. Ahern
This fixes a segfault due to a buffer overrun in the usb-serial device. The memcpy was incrementing the start location by recv_used, yet the computation of first_size (how much to write at the end of the buffer before wrapping to the front) was not accounting for it. This causes the next element after the receive buffer (recv_ptr) to get overwritten with random data.
Signed-off-by: David Ahern <daahern@cisco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4ab4183d)
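The arithmetic this commit message describes, as an added C example that is not the usb-serial device code: a receive ring buffer whose write position is recv_ptr + recv_used, with first_size measured from that write position (the fixed form), next to a function that only models the pre-fix computation (first_size measured from recv_ptr alone) and reports how many bytes it would have written past the array. The struct layout, the sentinel field standing in for whatever follows the buffer, the 16-byte size and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the usb-serial device code: a receive ring buffer
 * modelled on the commit description. The struct and the names recv_buf,
 * recv_ptr, recv_used, recv_append and recv_consume are assumptions made
 * for this example; the buffer size is a constructed small value. */
#define RECV_BUF_SIZE 16

typedef struct {
    uint8_t recv_buf[RECV_BUF_SIZE];
    size_t recv_ptr;    /* read position: oldest unread byte */
    size_t recv_used;   /* bytes currently buffered */
    uint8_t sentinel;   /* stands in for whatever follows the buffer */
} recv_state;

void recv_init(recv_state *s)
{
    memset(s, 0, sizeof(*s));
    s->sentinel = 0x5a;
}

/* Fixed computation: the write position is recv_ptr + recv_used, and
 * first_size is the room between that position and the end of the array,
 * so the first memcpy can never run past recv_buf. Returns bytes stored. */
size_t recv_append(recv_state *s, const uint8_t *data, size_t len)
{
    size_t free_space = RECV_BUF_SIZE - s->recv_used;
    if (len > free_space) {
        len = free_space;                   /* drop what does not fit */
    }
    size_t write_pos = (s->recv_ptr + s->recv_used) % RECV_BUF_SIZE;
    size_t first_size = RECV_BUF_SIZE - write_pos;
    if (first_size > len) {
        first_size = len;
    }
    memcpy(s->recv_buf + write_pos, data, first_size);
    memcpy(s->recv_buf, data + first_size, len - first_size);
    s->recv_used += len;
    return len;
}

/* Removes up to len bytes, advancing recv_ptr with wrap-around. */
size_t recv_consume(recv_state *s, uint8_t *out, size_t len)
{
    if (len > s->recv_used) {
        len = s->recv_used;
    }
    for (size_t i = 0; i < len; i++) {
        out[i] = s->recv_buf[(s->recv_ptr + i) % RECV_BUF_SIZE];
    }
    s->recv_ptr = (s->recv_ptr + len) % RECV_BUF_SIZE;
    s->recv_used -= len;
    return len;
}

/* Models the pre-fix arithmetic without performing any write: the start
 * location is recv_ptr + recv_used, but first_size is measured from
 * recv_ptr alone. Returns how many bytes that memcpy would place past
 * the end of the array (0 means it stays in bounds). */
size_t buggy_overrun_bytes(size_t recv_ptr, size_t recv_used, size_t len)
{
    size_t start = recv_ptr + recv_used;
    size_t first_size = RECV_BUF_SIZE - recv_ptr;     /* ignores recv_used */
    if (first_size > len) {
        first_size = len;
    }
    size_t end = start + first_size;
    return end > RECV_BUF_SIZE ? end - RECV_BUF_SIZE : 0;
}

/* Constructed scenario: fill 8 bytes, read 4, then append 12 so the write
 * wraps. Returns 0 when the data comes back in order and the sentinel is
 * intact, a nonzero code identifying the failed check otherwise. */
int recv_selftest(void)
{
    recv_state s;
    uint8_t out[RECV_BUF_SIZE];
    recv_init(&s);
    recv_append(&s, (const uint8_t *)"ABCDEFGH", 8);
    recv_consume(&s, out, 4);                 /* recv_ptr = 4, used = 4 */
    if (recv_append(&s, (const uint8_t *)"ijklmnopqrst", 12) != 12) {
        return 1;
    }
    if (s.sentinel != 0x5a) {
        return 2;                              /* the field after the buffer was clobbered */
    }
    if (recv_consume(&s, out, sizeof(out)) != 16) {
        return 3;
    }
    return memcmp(out, "EFGHijklmnopqrst", 16) == 0 ? 0 : 4;
}

int main(void)
{
    printf("selftest: %d\n", recv_selftest());
    printf("pre-fix arithmetic would overrun by %zu bytes\n",
           buggy_overrun_bytes(4, 4, 12));
    return 0;
}
```

In the constructed scenario the fixed append wraps cleanly and the sentinel survives, while the same state (recv_ptr = 4, recv_used = 4, 12 incoming bytes) fed to the pre-fix arithmetic would write 4 bytes past the end of the array, which is exactly how the field following the buffer gets overwritten.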

Committed by Kevin Wolf
Checking for return codes < 0 isn't really going to work with unsigned types. Use signed types instead.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f4f0d391)

Committed by Evgeniy Dushistov
In case qemu is executed with an option like -serial /dev/ttyS0, report if there are problems with opening the devices. Currently, errors are silently ignored.
Signed-off-by: Evgeniy Dushistov <dushistov@mail.ru>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit afc535ac)

Committed by Anthony Liguori
- 9fb3f4d Fix PkgLength calculation for the SSDT.
- 6d75be2 Go back to using 0xf0000000 for PCI memory start.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>