Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

* MIPS-KVM fixes.
* Coverity fixes.
* Nettle function prototype fixes.
* Memory API refcount fix.

# gpg: Signature made Thu Jul 16 19:01:27 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  crypto: avoid undefined behavior in nettle calls
  crypto: fix build with nettle >= 3.0.0
  memory: fix refcount leak in memory_region_present
  RDMA: Fix error exits
  arm/xlnx-zynqmp: fix memory leak
  ppc/spapr_drc: fix memory leak
  mips/kvm: Sign extend registers written to KVM
  mips/kvm: Fix Big endian 32-bit register access
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Calling a function pointer that was cast from an incompatible function
results in undefined behavior.  'void *' isn't compatible with 'struct
XXX *', so we can't cast to nettle_cipher_func, but have to provide a
wrapper.  (Conversion from 'void *' to 'struct XXX *' might require
computation, which won't be done if we drop argument's true type, and
pointers can have different sizes so passing arguments on stack would
bug.)

Having two different prototypes based on nettle version doesn't make
this solution any nicer.
Reported-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
Message-Id: <1437062641-12684-3-git-send-email-rkrcmar@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In nettle 3, cbc_encrypt() accepts 'nettle_cipher_func' instead of
'nettle_crypt_func' and these two differ in 'const' qualifier of the
first argument.  The build fails with:

  In file included from crypto/cipher.c:71:0:
  ./crypto/cipher-nettle.c: In function ‘qcrypto_cipher_encrypt’:
  ./crypto/cipher-nettle.c:154:38: error: passing argument 2 of
  ‘nettle_cbc_encrypt’ from incompatible pointer type
           cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt,
                                               ^
  In file included from ./crypto/cipher-nettle.c:24:0,
                   from crypto/cipher.c:71:
  /usr/include/nettle/cbc.h:48:1: note: expected
  ‘void (*)(const void *, size_t, uint8_t *, const uint8_t *)
  but argument is of type
  ‘void (*)(      void *, size_t, uint8_t *, const uint8_t *)

To allow both versions, we switch to the new definition and #if typedef
it for old versions.
Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
Message-Id: <1436548682-9315-2-git-send-email-rkrcmar@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

memory_region_present() leaks a reference to a MemoryRegion in the
case "mr == container".  While fixing it, avoid reference counting
altogether for memory_region_present(), by using RCU only.

The return value could in principle be already invalid immediately
after memory_region_present returns, but presumably the caller knows
that and it's using memory_region_present to probe for devices that
are unpluggable, or something like that.  The RCU critical section
is needed anyway, because it protects as->current_map.
Reported-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The error checks I added used 'break' after the error, but I'm
in a switch inside the while loop, so they need to be 'goto out'.

Spotted by coverity; entries 1311368 and 1311369

Fixes: afcddefdSigned-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1436555332-19076-1-git-send-email-dgilbert@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

fix CID 1311372.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Message-Id: <1436489490-236-4-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

fix CID 1311373.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Message-Id: <1436489490-236-3-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In case we're running on a 64-bit host, be sure to sign extend the
general purpose registers and hi/lo/pc before writing them to KVM, so as
to take advantage of MIPS32/MIPS64 compatibility.
Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: kvm@vger.kernel.org
Cc: qemu-stable@nongnu.org
Message-Id: <1429871214-23514-3-git-send-email-james.hogan@imgtec.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Fix access to 32-bit registers on big endian targets. The pointer passed
to the kernel must be for the actual 32-bit value, not a temporary
64-bit value, otherwise on big endian systems the kernel will only
interpret the upper half.
Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: kvm@vger.kernel.org
Cc: qemu-stable@nongnu.org
Message-Id: <1429871214-23514-2-git-send-email-james.hogan@imgtec.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

qxl: allow to specify head limit to qxl driver

# gpg: Signature made Thu Jul 16 16:31:40 2015 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/spice/tags/pull-spice-20150716-1:
  qxl: allow to specify head limit to qxl driver
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This patch allow to limit number of heads using qxl driver. By default
qxl driver is not limited on any kind on head use so can decide to use
as much heads.

libvirt has this as a video card parameter (actually set to 1 but not
used). This parameter will allow to limit setting a use can do (which
could be confusing).
Signed-off-by: NFrediano Ziglio <fziglio@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

MIPS patches 2015-07-16

Changes:
* bug fixes

# gpg: Signature made Thu Jul 16 09:04:56 2015 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 DA6B

* remotes/lalrae/tags/mips-20150716:
  target-mips: fix page fault address for LWL/LWR/LDL/LDR
  linux-user: Fix MIPS N64 trap and break instruction bug
  target-mips: fix resource leak reported by Coverity
  target-mips: fix logically dead code reported by Coverity
  target-mips: correct DERET instruction
  target-mips: fix ASID synchronisation for MIPS MT
  disas/mips: fix disassembling R6 instructions
  target-mips: fix to clear MSACSR.Cause
  target-mips: fix MIPS64R6-generic configuration
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

X86 queue, 2015-07-15

Two bug fixes:
* Memory leak due to extra g_strdup() when registering X86CPU alias properties
* Fix CPUID levels so that W10 insider can run as guest OS

# gpg: Signature made Wed Jul 15 21:26:59 2015 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost/tags/x86-pull-request:
  target-i386: emulate CPUID level of real hardware
  target-i386: Don't strdup() alias property name
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

NUMA queue, 2015-07-15

# gpg: Signature made Wed Jul 15 21:01:37 2015 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost/tags/numa-pull-request:
  numa: Fix memory leak in numa_set_mem_node_id()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

W10 insider has a bug where it ignores CPUID level and interprets
CPUID.(EAX=07H, ECX=0H) incorrectly, because CPUID in fact returned
CPUID.(EAX=04H, ECX=0H);  this resulted in execution of unsupported
instructions.

While it's a Windows bug, there is no reason to emulate incorrect level.

I used http://instlatx64.atw.hu/ as a source of CPUID and checked that
it matches Penryn Xeon X5472, Westmere Xeon W3520, SandyBridge i5-2540M,
and Haswell i5-4670T.

kvm64 and qemu64 were bumped to 0xD to allow all available features for
them (and to avoid the same Windows bug).
Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

Now object_property_add_alias() calls g_strdup() on the target property
name, so we don't need to call g_strdup() ourselves.
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

Fix a memory leak in numa_set_mem_node_id().
Signed-off-by: NBharata B Rao <bharata@linux.vnet.com>
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

target arm queue:
 * handle broken AArch64 kernels which assume DTB won't cross a 2MB boundary
 * correct broken SCTLR_EL3 reset value

# gpg: Signature made Wed Jul 15 17:24:24 2015 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20150715:
  hw/arm/boot: Increase fdt alignment
  target-arm: Fix broken SCTLR_EL3 reset
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The Linux kernel on aarch64 creates a page table entry at early bootup
that spans the 2MB range on memory spanning the fdt start address:

  [ ALIGN_DOWN(fdt, 2MB) ... ALIGN_DOWN(fdt, 2MB) + 2MB ]

This means that when our current 4k alignment happens to fall at the end
of the aligned region, Linux tries to access memory that is not mapped.

The easy fix is to instead increase the alignment to 2MB, making Linux's
logic always succeed.

We leave the existing 4k alignment for 32bit kernels to not cause any
regressions due to space constraints.
Reported-by: NAndreas Schwab <schwab@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The SCTLR_EL3 cpreg definition was implicitly resetting the
register state to 0, which is both wrong and clashes with
the reset done via the SCTLR definition (since sctlr[3]
is unioned with sctlr_s). This went unnoticed until recently,
when an unrelated change (commit a903c449) happened to
perturb the order of enumeration through the cpregs hashtable for
reset such that the erroneous reset happened after the correct one
rather than before it. Fix this by marking SCTLR_EL3 as an alias,
so its reset is left up to the AArch32 view.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>

# gpg: Signature made Wed Jul 15 03:25:16 2015 BST using RSA key ID C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 3057

* remotes/cody/tags/jtc-for-upstream-pull-request:
  block/curl: Don't lose original error when a connection fails.
  mirror: correct buf_size
  block: keep bitmap if incremental backup job is cancelled
  blockdev: no need to drain in qmp_block_commit
  block/mirror: Sleep periodically during bitmap scanning
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

When a LWL, LWR, LDL or LDR instruction triggers a page fault, QEMU
currently reports the aligned address in CP0 BadVAddr, while the Windows
NT kernel expects the unaligned address.

This patch adds a byte access with the unaligned address at the
beginning of the LWL/LWR/LDL/LDR instructions to possibly trigger a page
fault and fill the QEMU TLB.

Cc: Leon Alrae <leon.alrae@imgtec.com>
Reported-by: NHervé Poussineau <hpoussin@reactos.org>
Tested-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

For the MIPS N64 ABI when QEMU reads the break/trap instruction so that
it can inspect the break/trap code it reads 8 rather than 4 bytes
which means it finds the code field from the instruction after the
break/trap instruction.  This then causes the break/trap handling
code to fail because it does not understand the code number.

The fix forces QEMU to always read 4 bytes of instruction data rather
than deciding how much to read based on the ABI.
Signed-off-by: NAndrew Bennett <andrew.bennett@imgtec.com>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

UHI assert and link operations call lock_user_string() twice to obtain two
strings pointed by gpr[4] and gpr[5]. If the second lock_user_string()
fails, then the first one won't get freed. Fix this by introducing another
macro responsible for obtaining two strings and handling allocation
failure.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Make use of CMPOP in floating-point compare instructions.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Fix Debug Mode flag clearing, and when DERET is placed between LL and SC
do not make SC fail.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

When syncing the task ASID with EntryHi, correctly or the value instead
of assigning it.
Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

In the Release 6 of the MIPS Architecture, LL, SC, LLD, SCD, PREF
and CACHE instructions have 9 bits offsets.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

MSACSR.Cause bits are needed to be cleared before a vector floating-point
instructions.
FEXDO.df, FEXUPL.df and FEXUPR.df were missed out.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

Fix core configuration for MIPS64R6-generic to make it as close as
I6400.
I6400 core has 48-bit of Virtual Address available (SEGBITS).
MIPS SIMD Architecture is available.
Rearrange order of bits to match the specification.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

migration/next for 20150715

# gpg: Signature made Wed Jul 15 11:23:33 2015 BST using RSA key ID 5872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>"
# gpg:                 aka "Juan Quintela <quintela@trasno.org>"

* remotes/juanquintela/tags/migration/20150715-1:
  migration: We also want to store the global state for savevm
  migration: reduce the count of strlen call
  migration: Register global state section before loadvm
  migration: Write documetation for events capabilites
  migration: Trace event and migration event are different things
  migration: Only change state after migration has finished
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Commit df4b1024 introduced global_state
section.  But it only filled the state while doing migration.  While
doing a savevm, we stored an empty string as state.  So when we did a
loadvm, it complained that state was invalid.

Fedora 21, 4.1.1, qemu 2.4.0-rc0
> ../../configure --target-list="x86_64-softmmu"

068 2s ... - output mismatch (see 068.out.bad)
--- /home/bos/jhuston/src/qemu/tests/qemu-iotests/068.out	2015-07-08
17:56:18.588164979 -0400
+++ 068.out.bad	2015-07-09 17:39:58.636651317 -0400
@@ -6,6 +6,8 @@
 QEMU X.Y.Z monitor - type 'help' for more information
 (qemu) savevm 0
 (qemu) quit
+qemu-system-x86_64: Unknown savevm section or instance 'globalstate' 0
+qemu-system-x86_64: Error -22 while loading VM state
 QEMU X.Y.Z monitor - type 'help' for more information
 (qemu) quit
 *** done
Failures: 068
Failed 1 of 1 tests

Actually, there were two problems here:
- we registered global_state too late for load_vm (fixed on another
  patch on the list)
- we didn't store a valid state for savevm (fixed by this patch).
Reported-by: NJohn Snow <jsnow@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: NAmit Shah <amit.shah@redhat.com>
Tested-by: NChristian Borntraeger <borntraeger@de.ibm.com>

'strlen' is called three times in 'save_page_header', it's
inefficient.
Signed-off-by: NLiang Li <liang.z.li@intel.com>
Reviewed-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Otherwise, it is not found
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Reported-by: NJiri Denemark <jdenemar@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

We can want the trace event even without migration events enabled.
Reported-by: NWen Congyang <ghostwcy@gmail.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>

On previous change, we changed state at post load time if it was not
running, special casing the "running" change.  Now, we change any states
at the end of the migration.
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Tested-by: NChristian Borntraeger <borntraeger@de.ibm.com>

Currently if qemu is connected to a curl source (eg. web server), and
the web server fails / times out / dies, you always see a bogus EIO
"Input/output error".

For example, choose a large file located on any local webserver which
you control:

  $ qemu-img convert -p http://example.com/large.iso /tmp/test

Once it starts copying the file, stop the webserver and you will see
qemu-img fail with:

  qemu-img: error while reading sector 61440: Input/output error

This patch does two things: Firstly print the actual error from curl
so it doesn't get lost.  Secondly, change EIO to EPROTO.  EPROTO is a
POSIX.1 compatible errno which more accurately reflects that there was
a protocol error, rather than some kind of hardware failure.

After this patch is applied, the error changes to:

  $ qemu-img convert -p http://example.com/large.iso /tmp/test
  qemu-img: curl: transfer closed with 469989 bytes remaining to read
  qemu-img: error while reading sector 16384: Protocol error
Signed-off-by: NRichard W.M. Jones <rjones@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NJeff Cody <jcody@redhat.com>

If bus_size is less than 0, the command fails.
If buf_size is 0, use DEFAULT_MIRROR_BUF_SIZE.
If buf_size % granularity is not 0, mirror_free_init() will
do dangerous things.
Signed-off-by: NWen Congyang <wency@cn.fujitsu.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Message-id: 5555A588.3080907@cn.fujitsu.com
Signed-off-by: NJeff Cody <jcody@redhat.com>