The facility to use/unuse vectors dynamically is helpful
for virtio but little else: everyone just seems to use
vectors in their init function.

Avoid clearing msix vector use info on reset and load.
For virtio, clear it explicitly.
This should fix regressions reported with ivshmem - though
I didn't test this, I verified that virtio keeps
working like it did.
Tested-by: NCam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3cac001e)

Conflicts:

	hw/msix.c
	hw/virtio-pci.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The bug causes Windows + OVMF hang after reboot since OVMF
checks PMREGMISC to see if IO space is enabled and skip
configuration if it is.
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>
Signed-off-by: NGleb Natapov <gleb@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4d09d37c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

qemu_rearm_alarm_timer partially duplicates the code in
qemu_next_alarm_deadline to figure out if it needs to rearm the timer.
If it calls qemu_next_alarm_deadline, it always rearms the timer even if
the next deadline is INT64_MAX.

This patch simplifies the behavior of qemu_rearm_alarm_timer and removes
the duplicated code, always calling qemu_next_alarm_deadline and only
rearming the timer if the deadline is less than INT64_MAX.
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Tested-by: NAndreas Färber <andreas.faerber@web.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 8227421e)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Clang reports this warning:

Null pointer passed as an argument to a 'nonnull' parameter
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4bdb1a30)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The last argument of find_portio is "write", so this must be true here.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e2a62d8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

setup_ioeventfds() is unnecessary and actually causes a segfault when used
ioeventfd=on is used on the command-line.  Since ioeventfds are handled within
the memory API, it can be removed.
Signed-off-by: NCam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e7de876)

Conflicts:

	hw/ivshmem.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Add the missing .class_size definition to the arm_gic_info TypeInfo.
This fixes the memory corruption and possible segfault that otherwise
results when the class struct is allocated at too small a size and
the class init function writes off the end of it.
Reported-by: NAdam Lackorzynski <adam@os.inf.tu-dresden.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 998a74bc)

 - ARMGICClass isn't in 1.1, set class size to SysBusDeviceClass instead
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was
broken in that it did not respect the ABI requirement that 64
bit values were passed in even-odd register pairs. The simplest
way to fix this is to implement some new utility functions
for marshalling function arguments into the correct registers
and stack, so that the code which sets up the address and
data arguments does not need to care whether there has been
a preceding env argument.

Based on commit 9716ef3b for ARM by Peter Maydell.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 18fec301)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Winwave audio backend has problem with pausing and restart audio out.
Unlike other backends, Winwave pausing API does not flush audio buffer.
As a result, the previous audio data are played in front of
user expected sound when user restart audio.
So changes it to waveOutReset()
Signed-off-by: NMunkyu Im <munkyu.im@samsung.com>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 13ef70f6)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The microMIPS SWP and SDP instructions do not modify GPRs.  So their
behavior is well defined when RD equals BASE.  The MIPS Architecture
Verification Programs (AVPs) check that they work as expected.  This
is required for AVPs to pass.
Signed-off-by: NEric Johnson <ericj@mips.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 36c6711b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The MIPS Architecture Verification Programs (AVPs) check privileged
instructions for the required privilege level.  These changes are needed
to pass the AVP suite.
Signed-off-by: NEric Johnson <ericj@mips.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 2e15497c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The kernel will emulate this instruction if it's not supported
natively.  This insn is used for TLS, among other things, and
so is required by modern glibc.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Cc: Riku Voipio <riku.voipio@iki.fi>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit b3167288)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We've already eliminated both base and index being zero.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 05168674)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The FS input to CVT.PS.S is the high half and FT is the low half.
tcg_gen_concat_i32_i64 takes the low half first, so the operands
were in the wrong order.
Signed-off-by: NRichard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 13d24f49)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Read the second input operand of RECIP2.S and RECIP2.PS from FT rather
than FD.  RECIP2.D is already correct.
Signed-off-by: NRichard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d22d7289)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Store slow path has been broken in e141ab52:
- the arguments are shifted before the last one (mem_index) is written.
- the shift is done for both slow and fast paths.

Fix that. Also optimize a bit by bundling the move together. This still
can be optimized, but it's better to wait for a decision to be taken on
the arguments order.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d03c98d8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Prologue and epilogue code has been broken in cea5f9a2.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 18d445b4)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was
broken in that it did not respect the ABI requirement that 64
bit values were passed in even-odd register pairs. The simplest
way to fix this is to implement some new utility functions
for marshalling function arguments into the correct registers
and stack, so that the code which sets up the address and
data arguments does not need to care whether there has been
a preceding env argument.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 9716ef3b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

> This instruction is always treated as a register-to-register (MOD = 11)
> instruction, regardless of the encoding of the MOD field in the MODR/M
> byte.

Also, Microport UNIX System V/386 v 2.1 (ca 1987) runs fine on
real Intel 386 and 486 CPU's (at least), but does not run in qemu without
this patch.
Signed-off-by: NMatthew Ogilvie <mmogilvi_qemu@miniinfo.net>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 5c73b757)

Conflicts:

	target-i386/translate.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We do not register ioeventfds unless the IVSHMEM_IOEVENTFD feature
is set.  The same feature must be checked before releasing the eventfds.
Regression introduced by commit 563027cc (ivshmem: use EventNotifier and
memory API, 2012-07-05).
Reported-by: NCam Macdonnell <cam@cs.ualberta.ca>
Tested-by: NCam Macdonnell <cam@cs.ualberta.ca>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 98609cd8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

object_deinit is only called when the reference count goes to zero,
and yet tries to do an object_unparent.  Now, object_unparent
either does nothing or it will decrease the reference count.
Because we know the reference count is zero, the object_unparent
call in object_deinit is useless.

Instead, we need to disconnect the object from its parent just
before we remove the last reference apart from the parent's.  This
happens in object_delete.  Once we do this, all calls to
object_unparent peppered through QEMU can go away.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit da5a44e8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 26efaca3)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Commits b5dc7732 and
be24bb4f optimized the code
and removed the correct setting of t0. Fix this.

gcc-4.7 detected this bug because parameter arg1 was unused
but set in set_HIT0_LO and set_HI_LOT0.

Cc: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 6fc97faf)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

While running in the usermode emulator all of the required*
MIPS32r2 RDHWR hardware registers should be accessible (the
Linux kernel enables access to these same registers).  Note
that these registers are still enabled when the MIPS ISA is
not release 2.  This is OK since the Linux kernel emulates
access to them when they are not available in hardware.

* There is also the ULR register which is only recommended
  for full release 2 compliance.  Incidentally, accessing
  this register in the current implementation works fine
  without flipping its access bit.
Signed-off-by: NMeador Inge <meadori@codesourcery.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 94159135)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

At some point in the past, the OPEN event was changed to be issued from a
bottom half.  This creates a small window whereas a data callback registered in
init may be invoked before the OPEN event has been issued.

This is reproducible with:

 echo "{'execute': 'qmp_capabilities'}" | qemu-system-x86_64 -M none -qmp stdio

We can fix this for the monitor by moving the parser initialization to init.

The remaining state that is set in OPEN appears harmless.
Reported-by: NDaniel Berrange <berrange@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 58617a79)

Conflicts:

	monitor.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Return NULL upon malloc failure.
Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 15d9e3bc)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Always call unlock_user before returning.
Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 396bef4b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a7e47d4b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Also, use g_malloc to avoid NULL-deref upon OOM.
Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0d07fe47)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4144f122)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

If the two multiply operands are int and uint types separately,
the int type will be transformed to uint firstly, which is not the
intent in our code piece. The fix is to add (int64_t) transform
for the uint type before the multiply.
Signed-off-by: NDongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 14d40183)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When memory is mapped in qemu_map_cache with lock != 0 a reverse mapping
is created pointing to the virtual address of location requested.
The cached mapped entry is saved in last_address_vaddr with the memory
location of the base virtual address (without bucket offset).
However when this entry is invalidated the virtual address saved in the
reverse mapping is used. This cause that the mapping is freed but the
last_address_vaddr is not reset.
Signed-off-by: NFrediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 27b7652e)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

This MMIO area is an entry gate to legacy PC ISA devices, addressed via
PIO over there. Quite a few of the PIO ports have side effects on access
like starting/stopping timers that must be executed properly ordered
/wrt the CPU. So we have to remove the coalescing mark.
Acked-by: NHervé Poussineau <hpoussin@reactos.org>
Acked-by: NAndreas Färber <andreas.faerber@web.de>
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0ec64507)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

QEMU uses IO handlers to run select() in the main loop.
The handlers list is managed by qemu_set_fd_handler() helper
which works fine when called from the main thread as it is
called when select() is not waiting.

However IO handlers list can be changed in the thread other than
the main one doing os_host_main_loop_wait(), for example, as a result
of a hypercall which changes PCI config space (VFIO on POWER is the case)
and enables/disabled MSI/MSIX which closes/creates eventfd handles.
As the main loop should be waiting on the newly created eventfds,
it has to be restarted.

The patch adds the qemu_notify_event() call to interrupt select()
to make main_loop() restart select() with the updated IO handlers
list.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 55ce75fa)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

This patch fixes two main issues with block/iscsi.c:

1) iscsi_task_mgmt_abort_task_async calls iscsi_scsi_task_cancel which
was also directly called in iscsi_aio_cancel

2) a race between task completion and task abortion could happen cause
the scsi_free_scsi_task were done before iscsi_schedule_bh has finished.
To fix this, all the freeing of IscsiTasks and releasing of the AIOCBs
is centralized in iscsi_bh_cb, independent of whether the SCSI command
has completed or was cancelled.

3) iscsi_aio_cancel was not synchronously waiting for the end of the
command.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1bd075f2)

Conflicts:

	block/iscsi.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

It is always used with the same callback, remove the argument.  And
its return value is never used, assume allocation succeeds.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cfb3f506)

Conflicts:

	block/iscsi.c
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Put these functions at the beginning, to avoid forward references
in the next patches.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 27cbd828)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

People have repeatedly expected that you can do things like snapshotting
an image with qemu-img while a qemu instance is running. Maybe we need
to consider locking the files while they are in use, but having a
warning in the qemu-img manpage is doable for 1.2 and can't hurt anyway.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
(cherry picked from commit 48467328)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The footer takes precedence over the header when it exists. It contains
the real grain directory offset that is missing in the header. Without
this patch, streamOptimized images with a footer cannot be read.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Reviewed-by: NJeff Cody <jcody@redhat.com>
(cherry picked from commit 65bd155c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Commit bb45ded9 swapped gd_offset and rgd_offset. This is wrong.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
(cherry picked from commit 7a736bfa)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>