The inquiry command, for the case of VPD=1, was returning short
responses; the number of returned bytes was just the number of bytes
in the request, without padding to the specified allocation length
with zero bytes.  This is usually harmless, but it is a violation
of the SCSI specification.

To fix this, always pad with zero bytes to r->cmd.xfer in
scsi_disk_emulate_command, and return at most r->buflen bytes
(the size of the buffer for command data) rather than at most
buflen bytes (the number of bytes that was filled in).

Before this patch, "strace sg_inq -p0x83 /dev/sda" would report a
non-zero resid value.  After this patch, it reports resid=0.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Fix typo introduced in b3a1be87.
Reported-by: NRuslan Savchenko <ruslan.savchenko@gmail.com>
Signed-off-by: NKirill Batuzov <batuzovk@ispras.ru>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

The call to gen_logic_imm for OPC_LUI passes -1 for rs.  This
causes the MIPS_DEBUG statement to seg fault due to the deference
of regnames[rs].  This patch fixes that.
Signed-off-by: NEric Johnson <ericj@mips.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(aurel32: replaced static string formating by a static string)

Pass around CPUArchState instead of using global cpu_single_env.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>

Pass around CPUArchState instead of using global cpu_single_env.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Acked-by: NMax Filippov <jcmvbkbc@gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>

Pass around CPUArchState instead of using global cpu_single_env.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Acked-by: NGuan Xuetao <gxt@mprc.pku.edu.cn>
Reviewed-by: NAndreas Färber <afaerber@suse.de>

Pass around CPUArchState instead of using global cpu_single_env.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>

Pass around CPUArchState instead of using global cpu_single_env.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Acked-by: NRichard Henderson <rth@twiddle.net>
Acked-by: NAurelien Jarno <aurelien@aurel32.net>
Acked-by: NGuan Xuetao <gxt@mprc.pku.edu.cn>

Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This is setting the stage for a cleanup of FPREM and FPREM1 helpers while being
sure that they behave same as bare metal.

The test constructs operands using combinations of corner cases for the
floating-point bitfields and prints operands, result and FPU status word for
FPREM and FPREM1. The outputs can then be compared between bare metal and QEMU.
The 'run-test-i386-fprem' make target does just that.
Signed-off-by: NCatalin Patulea <catalinp@google.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This makes "info mtree" output readable again.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Cirrus is triggering this, e.g. during Win2k boot: Changes only on
disabled regions require no topology update when transaction depth drops
to 0 again.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

A compiler warning is caused by the unused local function reinit_timers
on non-POSIX hosts. Include that function only for POSIX hosts.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Keep saving display surface parameters at init and using these cached
values instead of getting them when needed. Not sure why this is
needed (maybe due to the interaction with the vga device) but not
doing this broke the Xorg vmware driver at least.
Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu>
Tested-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Since 0b57e287, cpu_memory_rw_debug already triggers a TB invalidation.
As it doesn't (and cannot) set is_cpu_write_access=1 but "consumes" the
currently executed TB, the tb_invalidate_phys_page_range call from
patch_instruction didn't work anymore.

Fix this by open-coding the required bits to restore the CPU state from
the current TB position before patching and resume execution on the
patched instruction afterward.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Tested-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The swaph instruction was not decoding correctly. s/1e1/1e2 on the
9 LSBs on the instruction decode.
Reported-by: NDavid Holsgrove <david.holsgrove@xilinx.com>
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Tools were broken because they initialized the block layer while
qemu_aio_context was still NULL.
Reported-by: Nmalc <av1474@comtv.ru>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>

mmu access looks something like:

<check tlb>
if miss goto slow_path
<fast path>
done:
...

; end of the TB
slow_path:
 <pre process>
 mr r3, r27         ; move areg0 to r3
                    ; (r3 holds the first argument for all the PPC32 ABIs)
 <call mmu_helper>
 b $+8
 .long done
 <post process>
 b done

On ppc32 <call mmu_helper> is:

(SysV and Darwin)

mmu_helper is most likely not within direct branching distance from
the call site, necessitating

a. moving 32 bit offset of mmu_helper into a GPR ; 8 bytes
b. moving GPR to CTR/LR                          ; 4 bytes
c. (finally) branching to CTR/LR                 ; 4 bytes

r3 setting              - 4 bytes
call                    - 16 bytes
dummy jump over retaddr - 4 bytes
embedded retaddr        - 4 bytes
         Total overhead - 28 bytes

(PowerOpen (AIX))
a. moving 32 bit offset of mmu_helper's TOC into a GPR1 ; 8 bytes
b. loading 32 bit function pointer into GPR2            ; 4 bytes
c. moving GPR2 to CTR/LR                                ; 4 bytes
d. loading 32 bit small area pointer into R2            ; 4 bytes
e. (finally) branching to CTR/LR                        ; 4 bytes

r3 setting              - 4 bytes
call                    - 24 bytes
dummy jump over retaddr - 4 bytes
embedded retaddr        - 4 bytes
         Total overhead - 36 bytes

Following is done to trim the code size of slow path sections:

In tcg_target_qemu_prologue trampolines are emitted that look like this:

trampoline:
mfspr r3, LR
addi  r3, 4
mtspr LR, r3      ; fixup LR to point over embedded retaddr
mr    r3, r27
<jump mmu_helper> ; tail call of sorts

And slow path becomes:

slow_path:
 <pre process>
 <call trampoline>
 .long done
 <post process>
 b done

call                    - 4 bytes (trampoline is within code gen buffer
                                   and most likely accessible via
                                   direct branch)
embedded retaddr        - 4 bytes
         Total overhead - 8 bytes

In the end the icache pressure is decreased by 20/28 bytes at the cost
of an extra jump to trampoline and adjusting LR (to skip over embedded
retaddr) once inside.
Signed-off-by: Nmalc <av1474@comtv.ru>

Fix build on a 32 bit host:
  CC    mips-softmmu/target-mips/dsp_helper.o
/src/qemu/target-mips/dsp_helper.c: In function 'helper_dextr_rs_w':
/src/qemu/target-mips/dsp_helper.c:3556: error: integer constant is too large for 'long' type
/src/qemu/target-mips/dsp_helper.c: In function 'helper_extr_s_h':
/src/qemu/target-mips/dsp_helper.c:3656: error: integer constant is too large for 'long' type
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: Nmalc <av1474@comtv.ru>

Postpone stopping the dirty log to the point where the command fifo is
configured to allow drivers which don't use the fifo to work too.
(Without this the picture rendered into the vram never got to the
screen and the DIRECT_VRAM option meant to support this case was
removed a year ago.)
Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

According to the documentation drivers using this device should read
FB_SIZE before enabling the device to know what memory to map. This
would not work if we return 0 before enabled. The docs also mention
reading SVGA_REG_DEPTH but not writing it. (Only SVGA_REG_BITS_PER_PIXEL
can be written but we don't really support that either.)
Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Removed info from vmsvga_state that is available from elsewhere and
thus was duplicated here unnecessarily.
Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Fix coding style as suggested by checkpatch.pl
Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'trivial-patches' of git://github.com/stefanha/qemu:
  pc: Drop redundant test for ROM memory region
  exec: make some functions static
  target-ppc: make some functions static
  ppc: add missing static
  vnc: add missing static
  vl.c: add missing static
  target-sparc: make do_unaligned_access static
  m68k: Return semihosting errno values correctly
  cadence_uart: More debug information

Conflicts:
	target-m68k/m68k-semi.c

Add optimized TCG qemu_ld/st generation which locates the code of TLB miss
cases at the end of a block after generating the other IRs.
Currently, this optimization supports only i386 and x86_64 hosts.
Signed-off-by: NYeongkyoon Lee <yeongkyoon.lee@samsung.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Add GETPC_EXT which is used by MMU helpers to selectively calculate the code
address of accessing guest memory when called from a qemu_ld/st optimized code
or a C function. Currently, it supports only i386 and x86-64 hosts.
Signed-off-by: NYeongkyoon Lee <yeongkyoon.lee@samsung.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Enable CONFIG_QEMU_LDST_OPTIMIZATION for TCG qemu_ld/st optimization only when
a host is i386 or x86_64.
Signed-off-by: NYeongkyoon Lee <yeongkyoon.lee@samsung.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Abstract out the use of put_user for returning semihosting call results,
so that we can log when a guest erroneously attempts a semihosting call
with an unwritable argument block.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Handle failure of get_user accessing the semihosting
argument block, rather than simply ignoring the failures.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Fixing a simple typo, s/errno/err/, that caused
the error status from GDB semihosted system calls
to be returned incorrectly.
Signed-off-by: NMeador Inge <meadori@codesourcery.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Commit ac4119c0 (chardev: Use timer instead of bottom-half to postpone
open event, 2012-10-12) moved the alarm timer initialization to an earlier
point but failed to consider that it depends on qemu_init_main_loop.

Later, commit 1c53786f (vl: init main loop earlier, 2012-10-30) fixed
this, but left -daemonize in two different ways.  First, timers need to
be reinitialized after forking.  Second, the global mutex was being held
by the parent, and thus dropped after forking.

The first is now fixed using pthread_atfork.  For the second part,
make sure that the global mutex is not taken before daemonization,
and similarly delay qemu_thread_self.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

init_timer_alarm was being called twice.  This is not needed.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Timers are not inherited by the child of a fork(2), so just use
pthread_atfork to reinstate them after daemonize.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

OpenBSD and Darwin do not have sem_timedwait.  Implement a fallback
for them.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Weakrefs only tell you if the symbol was defined elsewhere, so you
need a further check at runtime to pick the default definition
when needed.

This could be automated by the compiler, but it does not do it.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

* bonzini/migr-coroutine:
  migration: move process_incoming_migration to a coroutine
  migration: handle EAGAIN while reading QEMUFile
  migration: move qemu_fclose to process_incoming_migration
  migration: close socket QEMUFile from socket_close
  migration: xxx_close will only be called once
  migration: use closesocket, not close
  migration: use migrate_fd_close in migrate_fd_cleanup
  migration: clean up server sockets and handlers before invoking process_incoming_migration
  migration: replace qemu_stdio_fd with qemu_get_fd
  migration: add qemu_get_fd
  migration: consolidate QEMUFile methods in a single QEMUFileOps struct
  migration: unify stdio-based QEMUFile operations