It's not checked currently, so something like:

  (qemu) balloon -100000000000001111114334234
  (qemu)

Will just "work" (in this case the balloon command will get a random
value).

Fix it by checking if strtoul()/strtoull() overflowed.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Check for the RUN_STATE_SUSPENDED state instead.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

QEMU enters in this state when the guest suspends to ram (S3).

This is important so that HMP users and QMP clients can know that
the guest is suspended. QMP also has an event for this, but events
are not reliable and are limited (ie. a client can connect to QEMU
after the event has been emitted).

Having a different state for S3 brings a new issue, though. Every
device that doesn't run when the VM is stopped but wants to run
when the VM is suspended has to check for RUN_STATE_SUSPENDED
explicitly. This is the case for the keyboard and mouse devices,
for example.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

Wakeup the guest when the live part of the migation is finished.
This avoids being in suspended state on migration, so we don't
have to save the is_suspended bit.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>

* mst/tags/for_anthony:
  rtl8139: fix regression in TxStatus/TxAddr read

* kwolf/for-anthony:
  fdc: simplify media change handling
  qcow2: lock on prealloc
  block: make bdrv_create adopt coroutine
  qcow2: Limit COW to where it's needed
  sheepdog: switch to writethrough mode if cluster doesn't support flush

* bonzini/scsi-next:
  scsi: Add assertion for use-after-free errors
  scsi: remove useless debug messages
  scsi: set VALID bit to 0 in fixed format sense data
  scsi: do not require a minimum allocation length for REQUEST SENSE
  scsi: do not require a minimum allocation length for INQUIRY
  scsi: parse 16-byte tape CDBs
  scsi: do not report bogus overruns for commands in the 0x00-0x1F range
  scsi-disk: add dpofua property
  scsi: change "removable" field to host many features
  scsi: Specify the xfer direction for UNMAP and ATA_PASSTHROUGH commands
  scsi: fix WRITE SAME transfer length and direction
  scsi: fix refcounting for reads
  scsi: prevent data transfer overflow
  ISCSI: Add support for thin-provisioning via discard/UNMAP and bigger LUNs

* riku/linux-user-for-upstream:
  linux-user: fix emulation of /proc/self/maps
  linux-user: Clean up interim solution for exit syscall

* spice/spice.v54:
  qxl: don't assert on guest create_guest_primary
  qxl: ioport_write: remove guest trigerrable abort
  qxl: qxl_add_memslot: remove guest trigerrable panics
  qxl: interface_notify_update: remove guest trigerrable abort
  qxl: cleanup s/__FUNCTION__/__func__/
  qxl: don't abort on guest trigerrable ring indices mismatch
  qxl: fix > 80 chars line
  qxl: replace panic with guest bug in qxl_track_command
  qxl: check for NULL return from qxl_phys2virt
  hw/qxl.c: qxl_phys2virt: replace panics with guest_bug
  spice_info: add mouse_mode
  spice: require spice-protocol >= 0.8.1

* sweil/fixes:
  qemu-timer: Fix limits for w32 mmtimer
  qom: Fix memory leak in function container_get
  hw/pc_sysfw: Fix memory leak
  qdev: Fix memory leak in function set_pci_devfn
  arm-semi: Rename SYS_XXX macros to TARGET_SYS_XXX (fixes compiler warning)
  target-mips: Remove unused inline function

Commit afe0a595 added byte reads for TxStatus/TxAddr, but
broke 32-bit reads; the mask generation

   (1 << (8 * size)) - 1

is unspecified in C for size >= sizeof(int), and in fact returns 0
on x86.

Fix by using a larger type.

Fixes (at least) Fedora 9 i386 with -machine kernel_irqchip=on.  I
didn't see it with the qemu APIC implementation; may be due to timing
or (more likely) a tester error.
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

This also (partly) fixes IBM OS/2 Warp 4.0 floppy installation, where
not all floppies have the same format (2x80x18 for the first ones,
2x80x23 for the next ones).
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

preallocate() will be locked. This is required because
qcow2_alloc_cluster_link_l2() assumes that it runs under a lock that it
can drop while COW is being performed.
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The current qemu.git introduces failure with preallocation and some
sizes:

qemu-img create -f qcow2 new.img 976563K -o preallocation=metadata
qemu-img: qemu-coroutine-lock.c:111: qemu_co_mutex_unlock: Assertion
`mutex->locked == 1' failed.

And lock needs to work in coroutine context. So to fix this issue, we
need to make bdrv_create adopt coroutine at first.
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This fixes a regression introduced in commit 250196f1. The bug leads to
data corruption, found during an Autotest run with a Fedora 8 guest.

Consider a write request whose first part is covered by an already
allocated cluster, but additional clusters need to be newly allocated.
When counting the number of clusters to allocate, the qcow2 code would
decide to do COW for all remaining clusters of the write request, even
if some of them are already allocated.

If during this COW operation another write request is issued that touches
the same cluster, it will still refer to the old cluster. When the COW
completes, the first request will update the L2 table and the second
write request will be lost. Note that the requests need not overlap, it's
enough for them to touch the same cluster.

This patch ensures that only clusters that really require COW are
considered for allocation. In this case any other request writing to the
same cluster will be an allocating write and gets serialised.
Reported-by: NMarcelo Tosatti <mtosatti@redhat.com>
Tested-by: NMarcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This is necessary for qemu to work with the older version of Sheepdog
which doesn't support SD_OP_FLUSH_VDI.
Signed-off-by: NMORITA Kazutaka <morita.kazutaka@gmail.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The Linux AC97 driver tests this bit to decide wether or not to show
an External amplifier toggle control.

This patch was also tested with a Windows XP guest without any issues.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

The Linux ac97 drivers does a number of register read/write tests to
see how much resolution a volume control actually has.

This patch takes this into account by masking out any bits written to
a volume control reg which should not be there according to the spec.

After this the Linux ac97 driver correctly uses a range of 0 - 0x1f for
the PCM out volume, as stated in the spec, and we can fix the FIXME
in update_combined_volume_out().

This patch was also tested with a Windows XP guest without any issues.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

After commit 19677a38:
"hw/ac97: add support for volume control"

We are (correctly) using AC97_Record_Gain_Mute and not AC97_Line_In_Volume_Mute
for recording volume, but various places in hw/ac97 were still assumimg that
we are using AC97_Line_In_Volume_Mute for record volume control, this patch
fixes this.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

The Linux ac97 driver tries to see if optional things like video input
volume control are available in 2 ways:
1) See if the mute bit is set after reset, if it is no further tests are done
2) If the mute bit is not set it does a write/read test of the mute bit

This patch changes our ac97 to conform to what the Linux driver expects, it
initializes registers for things which we don't emulate to 0 (so the mute bit
is not set) and makes them read only.

This causes Linux to now longer show the following (functionless)
controls in alsamixer:

Master Mono vol + mute
3d Control toggle
PCM out pre / post 3d select
Surround toggle
CD vol + mute
Mic vol + mute
Mic boost toggle
Mic mic1 / mic2 select
Video vol + mute
Phone vol + mute
Beep mono vol + mute
Aux vol + mute
Mono "output mic" / "mix" select
Sigmatel 4 speaker stereo toggle
Sigmatel ADC 6Db att toggle
Sigmatel DAC 6Db att toggle

This patch was also tested with a Windows XP guest and there it also makes
a number of functionless mixer controls go away.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

Fix a small copy and paste error in logging.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

The QEMU emulation which is currently used with Raspberry PI images
(qemu-system-arm -M versatilepb ...) accesses memory which was freed.

Valgrind output (extract):

==17857== Invalid write of size 4
==17857==    at 0x24EB06: scsi_req_unref (scsi-bus.c:1273)
==17857==    by 0x24FFAE: scsi_read_complete (scsi-disk.c:277)
==17857==    by 0x152ACC: bdrv_co_em_bh (block.c:3363)
==17857==    by 0x13D49C: qemu_bh_poll (async.c:71)
==17857==    by 0x211A8C: main_loop_wait (main-loop.c:503)
==17857==    by 0x207954: main_loop (vl.c:1555)
==17857==    by 0x20E9C9: main (vl.c:3653)
==17857==  Address 0x1c54383c is 12 bytes inside a block of size 260 free'd
==17857==    at 0x4824B3A: free (vg_replace_malloc.c:366)
==17857==    by 0x20ADFA: free_and_trace (vl.c:2250)
==17857==    by 0x4899FC5: g_free (in /lib/libglib-2.0.so.0.2400.1)
==17857==    by 0x24EB3B: scsi_req_unref (scsi-bus.c:1277)
==17857==    by 0x24F003: scsi_req_complete (scsi-bus.c:1383)
==17857==    by 0x25022A: scsi_read_data (scsi-disk.c:334)
==17857==    by 0x24EB9F: scsi_req_continue (scsi-bus.c:1289)
==17857==    by 0x1C7787: lsi_do_dma (lsi53c895a.c:575)
==17857==    by 0x1C8CDA: lsi_execute_script (lsi53c895a.c:1147)
==17857==    by 0x1C74EA: lsi_resume_script (lsi53c895a.c:510)
==17857==    by 0x1C7ECD: lsi_transfer_data (lsi53c895a.c:746)
==17857==    by 0x24EC90: scsi_req_data (scsi-bus.c:1307)

(There are some more similar messages.)

This patch adds an assertion which also detects those errors:

Calling scsi_req_unref is not allowed when the previous call
of that function has decremented refcount to 0, because in this
case req was freed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Optional inquiry information is declared obsolete in the latest versions
of the standard; invalid CDBs or unsupported VPD pages are supported
can be diagnosed with trace_scsi_inquiry.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The INFORMATION field (bytes 3..6) is never set by QEMU, so the VALID
bit must be 0.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The requirements on the REQUEST SENSE buffer size are not in my copy of SPC
(SPC-4 r27) and not observed by LIO.  Rip them out.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The requirements on the INQUIRY buffer size are not in my copy of SPC
(SPC-4 r27) and not observed by LIO.  Rip them out.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The transfer length for these commands is different from the transfer
length of the corresponding disk commands, so parse it specially.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only
needed for READ_6 and WRITE_6.  No other command in that range needs
that special-casing, and the resulting overrun breaks scsi-testsuite's
attempt to use command 2 as a known-invalid command.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Linux expects REQ_FUA to be advertised only if WRITE+FUA is faster than
WRITE+SYNCHRONIZE CACHE, so we should not set the DPOFUA bit.  However,
it is useful to have it for testing purposes, so add a qdev property to
set it.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

It is pointless to add a uint32_t field for every new feature.
Since we will need a new feature soon, convert accesses to "removable"
to look at bit 0 only.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

scsi_cmd_xfer_mode() is used to specify the xfer direction for SCSI
commands that come in from the guest.  If the direction is set incorrectly
this will eventually cause QEMU to kernel-panic the guest.

Add UNMAP and ATAPASSTHROUGH as commands that send data to the device.

Without this change, recent kernels will send both UNMAP as well
as ATAPASSTHROUGH commands to any /dev/sg* device, which due to the
incorrect xfer direction very quickly causes the guest kernel to crash.

Example causing a crash without the patch applied:

./x86_64-softmmu/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom linuxmint-12-gnome-dvd-64bit.iso -drive file=/dev/sg4,if=scsi,bus=0,unit=6
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Recently introduced FUA support also gave us a use-after-free
of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced
reference counting.

The patch fixes this by making scsi_do_read look like a combination
of scsi_*_complete + scsi_*_data.  It does both a ref (like
scsi_read_data) and an unref (like scsi_flush_complete).
Reported-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Avoid sending more than 2GB of data, as that can cause overflows
in int32_t variables.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Update the configure test for libiscsi support to detect version 1.3
or later.  Version 1.3 of libiscsi provides both READCAPACITY16 as well
as UNMAP commands.

Update the iscsi block layer to use READCAPACITY16 to detect the size of
the LUN instead of READCAPACITY10. This allows support for LUNs larger
than 2TB.

Update to implement bdrv_aio_discard() using the UNMAP command.
This allows us to use thin-provisioned LUNs from TGTD and other iSCSI
targets that support thin-provisioning.
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
[squashed in subsequent patch from Ronnie to fix off-by-one in LBA count]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

Improve the emulation of /proc/self/maps by reading the underlying
host maps file and passing lines through with addresses adjusted
to be guest addresses. This is necessary to avoid false triggers
of the glibc check that a format string containing '%n' is not in
writable memory. (For an example see the bug reported in
https://bugs.launchpad.net/qemu-linaro/+bug/947888 where gpg aborts.)
Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

After all target CPUs have been QOM'ified, we no longer need an #ifdef
to switch between object_delete() and g_free() in NPTL thread exit.
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Signed-off-by: Nmalc <av1474@comtv.ru>