Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

# gpg: Signature made Fri Mar 27 22:19:31 2015 GMT using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  AHCI: Protect cmd register
  AHCI: Do not (re)map FB/CLB buffers while not running
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Many bits in the CMD register are supposed to be strictly read-only.
We should not be deleting them on every write.

As a side-effect: pay explicit attention to when a guest marks off
the FIS Receive or Start bits, and disable the status bits ourselves,
instead of letting them implicitly fall off.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-3-git-send-email-jsnow@redhat.com

The FIS Receive Buffer and Command List Buffer pointers
should not be edited while the FIS receive engine or
Command Receive engines are running.

Currently, we attempt to re-map the buffers every time they
are adjusted, but while the AHCI engines are off, these registers
may contain stale values, so we should not attempt to re-map these
values until the engines are reactivated.
Reported-by: NJordan Hargrave <jharg93@gmail.com>
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-2-git-send-email-jsnow@redhat.com

# gpg: Signature made Fri Mar 27 11:59:41 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  hw/net/e1000: fix integer endianness
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

# gpg: Signature made Fri Mar 27 10:13:35 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  block: Document blockdev-add's immaturity
  qemu-iotests: Test unaligned 4k zero write
  block: Fix unaligned zero write
  nvme: Fix unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

It's detected by coverity.In is_vlan_packet s->mac_reg[VET] is
unsigned int but is dereferenced as a narrower unsigned short.
This may lead to unexpected results depending on machine
endianness.
Signed-off-by: NShannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: NShannon Zhao <shannon.zhao@linaro.org>
Message-id: 1426224119-8352-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 1426858337-21423-1-git-send-email-armbru@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1427160230-4489-3-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

If the zero write is not aligned, bdrv_co_do_pwritev will segfault
because of accessing to the NULL qiov passed in by bdrv_co_write_zeroes.
Fix this by allocating a local qiov in bdrv_co_do_pwritev if the request
is not aligned. (In this case the padding iovs are necessary anyway, so
it doesn't hurt.)

Also add a check at the end of bdrv_co_do_pwritev to clear the zero flag
if padding is involved.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1427160230-4489-2-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The shift operation on nlb gives a 32 bit result if no type cast is
applied. This bug was reported by Coverity.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1426348844-8793-1-git-send-email-sw@weilnetz.de
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

gtk: do not call gtk_widget_get_window if drawing area is not initialized

# gpg: Signature made Thu Mar 26 16:59:55 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20150326-1:
  gtk: do not call gtk_widget_get_window if drawing area is not initialized
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Bugfixes and making SCSI adapters IOMMU-friendly.

# gpg: Signature made Thu Mar 26 13:24:05 2015 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  virtio-scsi-dataplane: fix memory leak for VirtIOSCSIVring
  misc: fix typos in copyright declaration
  exec: avoid possible overwriting of mmaped area in qemu_ram_remap
  sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  mips: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  nbd: Fix up comment after commit e140177d
  vmw_pvscsi: use PCI DMA APIs
  megasas: use PCI DMA APIs
  cpus: Don't kick un-realized cpus.
  i6300esb: Fix signed integer overflow
  i6300esb: Correct endiannness
  fw_cfg: factor out initialization of FW_CFG_ID (rev. number)
  rcu tests: fix compilation on 32-bit ppc
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Libseccomp dependency was mandating version 2.2.0 on all architectures
and this was causing configure and virt-test to break on non-updates
distros. This patch works-around it and give a more flexible way to
check the version, giving more time for other distros to update
libseccomp version.
Signed-off-by: NEduardo Otubo <eduardo.otubo@profitbricks.com>
Reported-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NJuan Quintela <quintela@redhat.com>
Tested-by: NJuan Quintela <quintela@redhat.com>
Message-id: 1427385385-30571-1-git-send-email-eduardo.otubo@profitbricks.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This prevents gtk_widget_get_window to return a NULL pointer.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

migration/next for 20150326

# gpg: Signature made Thu Mar 26 14:31:55 2015 GMT using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20150326:
  migration:  remove last_sent_block from save_page_header
  rdma: Fix cleanup in error paths
  Avoid crashing on multiple -incoming
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Compression code (still not on tree) want to call this funtion from
outside the migration thread, so we can't write to last_sent_block.

Instead of reverting full patch:

[PULL 07/11] save_block_hdr: we can recalculate

Just revert the parts that touch last_sent_block.
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>

As part of commit e325b49a,
order in which resources are destroyed was changed for fixing
a seg fault. Due to this change, CQ will never get destroyed as
CQ should be destroyed after QP destruction. Seg fault is caused
improper cleanup when connection fails. Fixing cleanup after
connection failure and order in which resources are destroyed
in qemu_rdma_cleanup() routine.
Signed-off-by: NMeghana Cheripady <meghana.cheripady@emulex.com>
Signed-off-by: NPadmanabh Ratnakar <padmanabh.ratnakar@emulex.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Passing multiple -incoming options used to crash qemu (due to
an invalid state transition incoming->incoming).  Instead we now
take the last -incoming option, e.g.:

qemu-system-x86_64 -nographic -incoming tcp::4444 -incoming defer

ends up doing the defer.
Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Patch queue for 2.3 ppc - 2015-03-25

Just a few bug fixes before 2.3 gets released:

  - pseries: Firmware update, bugfixes
  - remove POWER5+ v0.0 that we incorrectly introduced in 2.3
  - Fix -machine usb=no
  - Fix -boot once=foo in pseries
  - Add NULL pointer check in pseries machine init

# gpg: Signature made Wed Mar 25 21:53:20 2015 GMT using RSA key ID 03FEDC60
# gpg: Good signature from "Alexander Graf <agraf@suse.de>"
# gpg:                 aka "Alexander Graf <alex@csgraf.de>"

* remotes/agraf/tags/signed-ppc-for-upstream:
  powerpc: fix -machine usb=no for newworld and pseries machines
  PPC: pseries: Implement boot once=foo
  target-ppc: Remove POWER5+ v0.0 that never existed
  spapr: Add missing checks for NULL pointers and report failures
  pseries: Update SLOF firmware image to qemu-slof-20150313
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

VirtIOSCSIVring which allocated in virtio_scsi_vring_init
should be free when dataplane has been stopped or failed to start.
Signed-off-by: NTing Wang <kathy.wangting@huawei.com>
Message-Id: <1427355752-25844-1-git-send-email-kathy.wangting@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Add a space after comma.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Message-Id: <1427374663-10168-1-git-send-email-arei.gonglei@huawei.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

pc, virtio bugfixes for 2.3

Several bugfixes, nothing stands out especially.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Wed Mar 25 12:42:10 2015 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  virtio-net: validate backend queue numbers against bus limitation
  virtio-serial: fix virtio config size
  acpi: Add missing GCC_FMT_ATTR to local function
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

seccomp branch queue

# gpg: Signature made Wed Mar 25 10:09:29 2015 GMT using RSA key ID 12F8BD2F
# gpg: Can't check signature: public key not found

* remotes/otubo/tags/pull-seccomp-20150325:
  seccomp: update libseccomp version and remove arch restriction
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

It is not necessary to munmap an area before remapping it with MAP_FIXED;
if the memory region specified by addr and len overlaps pages of any
existing mapping, then the overlapped part of the existing mapping will
be discarded.

On the other hand, if QEMU does munmap the pages, there is a small
probability that another mmap sneaks in and catches the just-freed
portion of the address space.  In effect, munmap followed by
mmap(MAP_FIXED) is a use-after-free error, and Coverity flags it
as such.  Fix it.
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Capture the explicit setting of "usb=no" into a separate bool, and
use it to skip the update of machine->usb in the board init function.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

On sPAPR we haven't supported boot once ever since it emerged, but
recently grew need for it. This patch implements boot once logic
to it.

While at it, we also move to the new bootdevice handling that got
introduced to the tree recently.
Reported-by: NDinar Valeev <dvaleev@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

IBM uses low 16bits to specify the chip version of a POWER CPU.
So there has never been an actual silicon with PVR = 0x003B0000.
The first silicon would have PVR 0x003B0100 but it is very unlikely
to find it in any machine shipped to any customer as it was too raw.

This removes CPU_POWERPC_POWER5P_v00 definition and changes
POWER5+ and POWERgs aliases (which are synonyms) to point to
POWER5+_v2.1 which can still be found in real machines.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
[agraf: fix commit message]
Signed-off-by: NAlexander Graf <agraf@suse.de>

This fixes potential runtime crashes and two warnings from Coverity.

The new error message does not add  a prefix "qemu:" because that is
already done in function hw_error. It also starts with an uppercase
letter because that seems to be the mostly used form.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
[agraf: fix typo]
Signed-off-by: NAlexander Graf <agraf@suse.de>

The changelog is:
  > virtio: Fix vring allocation
  > helpers: Fix SLOF_alloc_mem_aligned to meet callers expectation
  > Set default palette according to "16-color Text Extension" document
  > Fix rectangle drawing functions to work also with higher bit depths
  > Fix the x86emu patch file
  > Silence compiler warning when building the biosemu
  > Use device-type Forth word to set up the corresponding property
  > Improve /openprom node
  > pci-properties: Remove redundant call to device-type
  > cas: reconfigure memory nodes
  > pci: use 64bit bar ranges
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Commit 0b183fc8:"memory: move mem_path handling to
memory_region_allocate_system_memory" split memory_region_init_ram and
memory_region_init_ram_from_file. Also it moved mem-path handling a step
up from memory_region_init_ram to memory_region_allocate_system_memory.

Therefore for any board that uses memory_region_init_ram directly,
-mem-path is not supported.

Fix this by replacing memory_region_init_ram with
memory_region_allocate_system_memory.
Signed-off-by: NDirk Mueller <dmueller@suse.com>
Message-Id: <CAL5wTH7o8uA59Ep0n41i0M19VFWa73n9m172j2W3fjz6=PSVBA@mail.gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Commit 0b183fc8:"memory: move mem_path handling to
memory_region_allocate_system_memory" split memory_region_init_ram and
memory_region_init_ram_from_file. Also it moved mem-path handling a step
up from memory_region_init_ram to memory_region_allocate_system_memory.

Therefore for any board that uses memory_region_init_ram directly,
-mem-path is not supported.

Fix this by replacing memory_region_init_ram with
memory_region_allocate_system_memory.
Signed-off-by: NDirk Mueller <dmueller@suse.com>
Message-Id: <CAL5wTH4-=HJUvwBu+2o6jGanJesJOyNf3sL8-5+d_-6C3cWBfA@mail.gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Acked-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Commit 0b183fc8:"memory: move mem_path handling to
memory_region_allocate_system_memory" split memory_region_init_ram and
memory_region_init_ram_from_file. Also it moved mem-path handling a step
up from memory_region_init_ram to memory_region_allocate_system_memory.

Therefore for any board that uses memory_region_init_ram directly,
-mem-path is not supported.

Fix this by replacing memory_region_init_ram with
memory_region_allocate_system_memory.
Signed-off-by: NDirk Mueller <dmueller@suse.com>
Message-Id: <CAL5wTH6X-GsT1AA8kEtP_e7oZWGZgi=fCcDfSs3wLgJN30DbUw@mail.gmail.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

We don't validate the backend queue numbers against bus limitation,
this will easily crash qemu if it exceeds the limitation which will
hit the abort() in virtio_del_queue(). An example is trying to
starting a virtio-net device with 256 queues. E.g:

./qemu-system-x86_64 -netdev tap,id=hn0,queues=256 -device
virtio-net-pci,netdev=hn0

Fixing this by doing the validation and fail early.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

commit 9b70c179
    virtio-serial: switch to standard-headers

changes virtio_console_config size from 8 to 12 bytes:
it adds an optional 4 byte emerg_wr field.

As this crosses a power of two boundary, this changes the PCI BAR size,
which breaks migration compatibility with old qemu machine types.
It's probably a problem for other transports as well.

As a temporary fix, as we don't yet support this new field anyway,
simply make the config size smaller at init time.

Long terms we probably want something along the lines
of virtio_net_set_config_size.
Reported-by: NCole Robinson <crobinso@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Tested-by: NCole Robinson <crobinso@redhat.com>

This fixes these gcc warnings (not enabled in default build):

hw/acpi/aml-build.c:83:5: warning:
 function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
hw/acpi/aml-build.c:88:5: warning:
 function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]

Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Message-Id: <1427271528-11624-1-git-send-email-armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

It is wrong to use address_space_memory directly, because there could be an
IOMMU in the middle.  Passing the entire PVSCSIRingInfo to RS_GET_FIELD
and RS_SET_FIELD makes it easy to go back to the PVSCSIState.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

It is wrong to use address_space_memory directly, because there could be an
IOMMU in the middle.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>