The uint64_to_float32() conversion function was incorrectly always
returning numbers with the sign bit set (ie negative numbers). Correct
this so we return positive numbers instead.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit e744c06f)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Bit 10 of CPUID[8000_0001].EDX is not defined as an alias of
CPUID[1].EDX[10], so do not duplicate it on
kvm_arch_get_supported_cpuid().
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Reviewed-By: NIgor Mammedov <imammedo@redhat.com>
Reviewed-by: NDon Slutz <Don@CloudSwitch.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit b1f46793)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

In the A series memory map (implemented in the Cortex A15 CoreTile), the
first NOR flash bank (flash 0) is mapped to address 0x08000000, while
address 0x00000000 can be configured as alias to either the first or the
second flash bank. This patch fixes the definition of flash 0 address,
and for simplicity removes the alias definition.
Signed-off-by: NFrancesco Lavra <francescolavra.fl@gmail.com>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 661bafb3)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When setting up the NVIC memory regions the memory range
0x100..0xcff is aliased to an IO memory region that belongs
to the ARM GIC.  This aliased region should be added to the
NVIC memory container, but the actual GIC IO memory region
was being added instead.  This mixup was causing the wrong
IO memory access functions to be called when accessing parts
of the NVIC memory.
Signed-off-by: NMeador Inge <meadori@codesourcery.com>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 9892cae3)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Reading VECTADDR was causing us to set the current priority to
the wrong value, the most obvious effect of which was that we
would return the vector for the wrong interrupt as the result
of the read.
Signed-off-by: NBrendan Fennell <bfennell@skynet.ie>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 14c126ba)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3202beca)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

getaddrinfo can give us a list of addresses, but we only try to
connect to the first one. If that fails we never proceed to
the next one.  This is common on desktop setups that often have ipv6
configured but not actually working.

To fix this make inet_connect_nonblocking retry connection with a different
address.
callers on inet_nonblocking_connect register a callback function that will
be called when connect opertion completes, in case of failure the fd will have
a negative value
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 233aa5c2)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

No need to add non blocking parameters to the blocking inet_connect
add block parameter for inet_connect_opts instead of using QemuOpt "block".
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5db5f44c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

refactor address resolution code to fix nonblocking connect
remove getnameinfo call
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 05bc1d8a)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The old code aborted configure when no emulation target was selected.
Even after removing the 'exit 1', it tried to read from STDIN
when QEMU was configured with

    configure' '--disable-user' '--disable-system'

This is fixed here.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 8bdd3d49)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

I believe the bs->keep_read_only flag is supposed to reflect
the initial open state of the device. If the device is initially
opened R/O, then commit operations, or reopen operations changing
to R/W, are prohibited.

Currently, the keep_read_only flag is only accurate for the active
layer, and its backing file. Subsequent images end up always having
the keep_read_only flag set.

For instance, what happens now:

[  base  ]  kro = 1, ro = 1
    |
    v
[ snap-1 ]  kro = 1, ro = 1
    |
    v
[ snap-2 ]  kro = 0, ro = 1
    |
    v
[ active ]  kro = 0, ro = 0

What we want:

[  base  ]  kro = 0, ro = 1
    |
    v
[ snap-1 ]  kro = 0, ro = 1
    |
    v
[ snap-2 ]  kro = 0, ro = 1
    |
    v
[ active ]  kro = 0, ro = 0
Signed-off-by: NJeff Cody <jcody@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
(cherry picked from commit be028adc)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

If readonly=on is given at device creation time, the ->readonly flag
needs to be set in the block driver state for this device so that
readonly-ness is preserved across media changes (qmp change command).
Similarly, to preserve the snapshot property requires ->open_flags to
be correct.
Signed-off-by: NKevin Shanahan <kmshanah@disenchant.net>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
(cherry picked from commit 80dd1aae)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Those functions are missing in MinGW.

Some versions of MinGW-w64 include defines for gmtime_r and localtime_r.
Older versions of these macros are buggy (they return a pointer to a
static variable), therefore we don't want them. Newer versions are
similar to the code used here, but without the memset.

The implementation which is used here is not strictly reentrant,
but sufficiently good for QEMU on w32 or w64.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
[blauwirbel@gmail.com: added comment about locking]
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit d3e8f957)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

GLib 2.0 include files use __printf__ for the format attribute
which resolves to native format strings on w32 hosts.

QEMU wants standard format strings instead of native format
strings, so we simply change any declaration with __printf__
to use __gnu_printf__.

This works because all basic printf functions support both
kinds of format strings.

This fixes a compiler warning:

qapi/string-output-visitor.c: In function ‘print_type_int’:
qapi/string-output-visitor.c:34:5: warning: unknown conversion type character ‘l’ in format [-Wformat]
qapi/string-output-visitor.c:34:5: warning: too many arguments for format [-Wformat-extra-args]
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 95df51a4)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Commit 213fd508 removed a type cast
which is needed for MinGW:

net/socket.c:136: warning:
 pointer targets in passing argument 2 of ‘sendto’ differ in signedness
/usr/lib/gcc/amd64-mingw32msvc/4.4.4/../../../../amd64-mingw32msvc/include/winsock2.h:1313: note:
 expected ‘const char *’ but argument is of type ‘const uint8_t *’

Add a 'qemu_sendto' macro which provides that type cast where needed
and use the new macro instead of 'sendto'.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 73062dfe)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:

linux-user/syscall.c:3632 do_ioctl_dm(220) info:
 redundant null check on big_buf calling free()

'big_buf' was allocated by g_malloc0, therefore free was also
replaced by g_free.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit ad11ad77)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit c10600af)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Current qemu initializes curses even if -daemonize option is
passed. This cause problem because shell prompt appears without
calling endwin().

This patch adds new function, is_daemonized(), to OS dependent
code. With this function, curses_display_init() can check that qemu is
daemonized or not. If daemonized, curses_display_init() isn't called
and the problem is avoided.

Of course, -daemonize && -curses doesn't make sense. Users shouldn't
pass the arguments at the same time. But the problem is very painful
because Ctrl-C cannot be delivered to the terminal.

Cc: Andrzej Zaborowski  <balrog@zabor.org>
Cc: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NHitoshi Mitake <h.mitake@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 995ee2bf)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:
hw/pflash_cfi01.c:431 pflash_write(180) info: ignoring unreachable code.

Instead of removing the return statement after the switch statement,
the patch replaces the return statements in the switch statement by
break statements. Other switch statements in the same code do it also
like that.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 12dabc79)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:
hw/ioh3420.c:128 ioh3420_initfn(35) info: ignoring unreachable code.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NJuan Quintela <quintela@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 997f1567)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:
lm4549.c:234 lm4549_write_samples(14) error:
 buffer overflow 's->buffer' 1024 <= 1024

There must be enough space to add two entries starting with index
s->buffer_level, therefore the old check was wrong.

[Peter Maydell <peter.maydell@linaro.org> clarifies the nature of the
analyser warning:

I don't object to making the change to placate the analyser,
but I don't think this is actually a buffer overrun. We always
add and remove samples from the buffer two at a time, so it's
not possible to get here with s->buffer_level == BUFFER_SIZE-1
(which is the only case where the old and new conditions
give different answers).]
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 81396266)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:
hw/cadence_uart.c:413 uart_read(13) error: buffer overflow 's->r' 18 <= 18

This fixes read access to s->r[R_MAX] which is behind the limits of s->r.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 5d40097f)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The old code leaks variable 'peer'.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 39b38459)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Report from smatch:
qemu-ga.c:117 register_signal_handlers(11) info: ignoring unreachable code.
qemu-ga.c:122 register_signal_handlers(16) info: ignoring unreachable code.

g_error calls abort which terminates the program.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit b5488288)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

smatch report:
audio/audio_template.h:416 AUD_open_out(18) warn:
 variable dereferenced before check 'as' (see line 414)

Moving the ldebug statement after the statement which checks 'as'
fixes that warning.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 93b65997)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

QEMU as far as I know only reports LUN numbers using the modes that
are described in SAM4.
As such, since all LUN numbers generated by the SCSI emulation in QEMU
follow SAM4, we should set the HiSup bit in the standard INQUIRY data
to indicate such.

From SAM4:
  4.6.3 LUNs overview
  All LUN formats described in this standard are hierarchical in
  structure even when only a single level in that hierarchy is used.
  The HISUP bit shall be set to one in the standard INQUIRY data
  (see SPC-4) when any LUN format described in this standard is used.
  Non-hierarchical formats are outside the scope of this standard.
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
(cherry picked from commit 1109c894)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

This fix is needed to correctly handle 0-block read and writes.
Without it, a 0-block access at LBA 0 would underflow.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 12ca76fc)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Abstract the test for an out-of-range (starting block, block count)
pair.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 444bc908)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We no longer need to explicitely call qemu_notify_event() any more
since this is now done automatically any time the filehandles we listen
to change.
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 40a13ca8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We need to support SG_IO from the synchronous iscsi_ioctl() since
scsi-block uses this to do an INQ to the device to discover its properties
This patch makes scsi-block work with iscsi.
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f1a12821)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NAndreas Färber <afaerber@suse.de>
(cherry picked from commit f2ca0524)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

pflash_cfi01 announces a version number of 1.1, which implies
"Protection Register Information" and "Burst Read information"
sections, which are not provided.

Decrease the version number to 1.0 so that only the "Protection
Register Information" section is needed.

Set the number of protection fields (0x3f) to 0x01, as 0x00 means 256
protections field, which makes the CFI table bigger than the current
implementation, causing some kernels to fail to read it.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 262e1eaa)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

There was a missing include of qemu-log and a variable name in a printf was out
of date.
Signed-off-by: NChris Wulff <crwulff@gmail.com>
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
(cherry picked from commit 8354cd72)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Assert that the ethernet and dma controller are sucessfully linked to their
peers.
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
(cherry picked from commit 4b5e5210)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
(cherry picked from commit e03377ae)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Fixes an error in a61e4b07Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
(cherry picked from commit c0a1dcb9)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

For architectures which don't set HAS_AUDIO_CHOICE, improve the
'-soundhw help' message so that it doesn't simply print an empty
list, implying no sound support at all.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 55d4fd3c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

cpu_physical_memory_write_rom(), despite the name, can also be used to
write images into RAM - and will often be used that way if the machine
uses load_image_targphys() into RAM addresses.

However, cpu_physical_memory_write_rom(), unlike cpu_physical_memory_rw()
doesn't invalidate any cached TBs which might be affected by the region
written.

This was breaking reset (under full emu) on the pseries machine - we loaded
our firmware image into RAM, and while executing it rewrite the code at
the entry point (correctly causing a TB invalidate/refresh).  When we
reset the firmware image was reloaded, but the TB from the rewrite was
still active and caused us to get an illegal instruction trap.

This patch fixes the bug by duplicating the tb invalidate code from
cpu_physical_memory_rw() in cpu_physical_memory_write_rom().
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0b57e287)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2().  If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour.  On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.

This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit bbdd2ad0)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

    commit c3767ed0
    qemu-char: (Re-)connect for tcp_chr_write() unconnected writing

Has no hope of working because tcp_chr_connect() does not actually connect.

455aa1e0 just fixes the SEGV with server() but the attempt to connect a client
socket is still completely broken.

This patch reverts both.
Reported-by: NRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 6db0fdce)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>