For the MIPS N64 ABI when QEMU reads the break/trap instruction so that
it can inspect the break/trap code it reads 8 rather than 4 bytes
which means it finds the code field from the instruction after the
break/trap instruction.  This then causes the break/trap handling
code to fail because it does not understand the code number.

The fix forces QEMU to always read 4 bytes of instruction data rather
than deciding how much to read based on the ABI.
Signed-off-by: NAndrew Bennett <andrew.bennett@imgtec.com>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

UHI assert and link operations call lock_user_string() twice to obtain two
strings pointed by gpr[4] and gpr[5]. If the second lock_user_string()
fails, then the first one won't get freed. Fix this by introducing another
macro responsible for obtaining two strings and handling allocation
failure.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Make use of CMPOP in floating-point compare instructions.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Fix Debug Mode flag clearing, and when DERET is placed between LL and SC
do not make SC fail.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

When syncing the task ASID with EntryHi, correctly or the value instead
of assigning it.
Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

In the Release 6 of the MIPS Architecture, LL, SC, LLD, SCD, PREF
and CACHE instructions have 9 bits offsets.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

MSACSR.Cause bits are needed to be cleared before a vector floating-point
instructions.
FEXDO.df, FEXUPL.df and FEXUPR.df were missed out.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

Fix core configuration for MIPS64R6-generic to make it as close as
I6400.
I6400 core has 48-bit of Virtual Address available (SEGBITS).
MIPS SIMD Architecture is available.
Rearrange order of bits to match the specification.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>

s390x fixes for 2.4:
- virtio migration regression
- missing diag288 watchdog resets

# gpg: Signature made Tue Jul 14 18:17:54 2015 BST using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20150714:
  s390/virtio-ccw: Fix migration
  watchdog/diag288: correctly register for system reset requests
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

commit 213941d7 ("virtio-ccw: migrate ->revision") broke
migration:
2015-07-07T11:22:55.570968Z qemu-system-s390x: VQ 39 address 0x0 inconsistent with Host index 0x100
2015-07-07T11:22:55.571008Z qemu-system-s390x: error while loading state for instance 0x0 of

If thinint support is active, the config_load function returns early.
Make sure to load the revision all the time.
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Fixes: 213941d7 ("virtio-ccw: migrate ->revision")
Message-Id: <1436269643-66303-1-git-send-email-borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

The diag288 watchdog is no sysbus device, therefore it doesn't get
triggered on resets automatically using dc->reset.

Let's register the reset handler manually, so we get correctly notified
again when a system reset was requested. Also reset the watchdog on
subsystem resets that don't trigger a full system reset.
Signed-off-by: NXu Wang <gesaint@linux.vnet.ibm.com>
Reviewed-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>
Tested-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>

Block layer patches for 2.4.0-rc1

# gpg: Signature made Tue Jul 14 16:15:35 2015 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  rbd: fix ceph settings precedence
  rbd: make qemu's cache setting override any ceph setting
  MAINTAINERS: update email address
  rbd: remove unused constants and fields
  block: Fix backing file child when modifying graph
  block: Reorder cleanups in bdrv_close()
  block: Introduce bdrv_unref_child()
  block: Introduce bdrv_open_child()
  block: Move bdrv_attach_child() calls up the call chain
  nvme: properly report volatile write caches
  nvme: implement the Flush command
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Apply the ceph settings from a config file before any ceph settings
from the command line. Since the ceph config file location may be
specified on the command line, parse it once to read the config file,
and do a second pass to apply the rest of the command line ceph
options.
Signed-off-by: NJosh Durgin <jdurgin@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

To be safe, when cache=none is used ceph settings should not be able
to override it to turn on caching. This was previously possible with
rbd_cache=true in the rbd device configuration or a ceph configuration
file. Similarly, rbd settings could have turned off caching when qemu
requested it, although this would just be a performance problem.

Fix this by changing rbd's cache setting to match qemu after all other
ceph settings have been applied.
Signed-off-by: NJosh Durgin <jdurgin@redhat.com>
Reviewed-by: NJeff Cody <jcody@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The old one still works for now, but will not work indefinitely.
Signed-off-by: NJosh Durgin <jdurgin@redhat.com>
Reviewed-by: NJeff Cody <jcody@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

RBDAIOCB.status was only used for cancel, which was removed in
7691e24d.

RBDAIOCB.sector_num was never used.

RADOSCB.done and rcbid were never used.

RBD_FD* are obsolete since the pipe was removed in
e04fb07f.
Signed-off-by: NJosh Durgin <jdurgin@redhat.com>
Reviewed-by: NJeff Cody <jcody@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This patch moves bdrv_attach_child() from the individual places that add
a backing file to a BDS to bdrv_set_backing_hd(), which is called by all
of them. It also adds bdrv_detach_child() there.

For normal operation (starting with one backing file chain and not
changing it until the topmost image is closed) and live snapshots, this
constitutes no change in behaviour.

For all other cases, this is a fix for the bug that the old backing file
was still referenced as a child, and the new one wasn't referenced.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>

Block drivers may still want to access their child nodes in their
.bdrv_close handler. If they unref and/or detach a child by themselves,
this should not result in a double free.

There is additional code for backing files, which are just a special
case of child nodes. The same applies for them.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>

This is the counterpart for bdrv_open_child(). It decreases the
reference count of the child BDS and removes it from the list of
children of the given parent BDS.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>

It is the same as bdrv_open_image(), except that it doesn't only return
success or failure, but the newly created BdrvChild object for the new
child node.

As the BdrvChild object already contains a BlockDriverState pointer (and
this is supposed to become the only pointer so that bdrv_append() and
friends can just change a single pointer in BdrvChild), the pbs
parameter is removed for bdrv_open_child().
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>

Let the callers of bdrv_open_inherit() call bdrv_attach_child(). It
needs to be called in all cases where bdrv_open_inherit() succeeds (i.e.
returns 0) and a child_role is given.

bdrv_attach_child() is moved upwards to avoid a forward declaration.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>

Implement support in Identify and Get/Set Features to properly report
and allow to change the Volatile Write Cache status reported by the
virtual NVMe device.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Acked-by: NKeith Busch <keith.busch@intel.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Implement a real flush instead of faking it.  This is especially important
as Qemu assume Write back cashing by default and thus requires a working
cache flush operation for data integrity.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Acked-by: NKeith Busch <keith.busch@intel.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

vnc: fix vnc client authentication

# gpg: Signature made Tue Jul 14 14:38:48 2015 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20150714-1:
  vnc: fix vnc client authentication
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Commit 800567a6 updated the code to the generic crypto API
and mixed up encrypt and decrypt functions in
procotol_client_auth_vnc.
(Used to be: deskey(key, EN0) which encrypts, and was
changed to qcrypto_cipher_decrypt in 800567a6.)
Changed it to qcrypto_cipher_encrypt now.
Signed-off-by: NWolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

pc,virtio: fixes for 2.4

pc and virtio changes, bugfixes only.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon Jul 13 13:03:38 2015 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  pc: fix reuse of pc-i440fx-2.4 in pc-i440fx-2.3
  Revert "virtio-net: enable virtio 1.0"
  virtio-pci: don't crash on illegal length
  qdev: fix 64 bit properties
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

commit fddd179a,
    "pc: Convert *_MACHINE_OPTIONS macros into functions"
broke the chaining of *_machine_options() functions on
pc-i440fx-2.3, at:

  -#define PC_I440FX_2_3_MACHINE_OPTIONS \
  -    PC_I440FX_2_4_MACHINE_OPTIONS, \
  -    .alias = NULL, \
  -    .is_default = 0
  +static void pc_i440fx_2_3_machine_options(QEMUMachine *m)
  +{
  +    pc_i440fx_machine_options(m);
  +    m->alias = NULL;
  +    m->is_default = 0;
  +}

I have replaced PC_I440FX_2_4_MACHINE_OPTIONS with a
pc_i440fx_machine_options() call, instead of calling
pc_i440fx_2_4_machine_options(). This broke the setting of default_machine_opts
and default_display on pc-i440fx-{2.0,2,1,2.2,2.3}.

Fix this by making pc_i440fx_2_3_machine_options() reuse
pc_i440fx_2_4_machine_options().
Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>

This reverts commit df91055d.

This is because:
- vhost support virtio 1.0 now
- transport code (e.g virtio-pci) set this feature when modern is
  enabled, setting this unconditionally will break disable-modern=on.

Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Some guests seem to access cfg with an illegal length value.
It's worth fixing them but debugging is easier if
qemu does not crash.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

64 bit props used 32 bit callbacks in two places, leading to broken
feature bits on virtio (example: got 0x31000000000006d4 which is
obviously bogus). Fix this.

Fixes: fdba6d96 ("qdev: add 64bit properties")
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Tested-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>

Commit 59227d5d did not update the
code in tcg/tci/tcg-target.c for those two cases.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1436556159-3002-1-git-send-email-sw@weilnetz.de
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Compilation of TCI was accidentally broken by the recent disassembler
changes:

  CC    x86_64-softmmu/arch_init.o
In file included from target-i386/cpu-qom.h:23:0,
                 from target-i386/cpu.h:986,
                 from include/qemu-common.h:122,
                 from include/disas/bfd.h:12,
                 from disas/tci.c:20:
include/qom/cpu.h:178:43: error: unknown type name ‘disassemble_info’
     void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
                                           ^
include/qom/cpu.h:179:1: error:
no semicolon at end of struct or union [-Werror]
 } CPUClass;
 ^
cc1: all warnings being treated as errors

The underlying cause of this is an include loop:
 bfd.h -> qemu-common.h -> target-arm/cpu.h ->  target-arm/cpu-qom.h
  -> qom/cpu.h -> bfd.h

which means that if bfd.h is included first then qom/cpu.h doesn't
get the definition of the disassemble_info type that it wanted.
The easiest fix for this is to include qemu-common.h from tci.c
before including disas/bfd.h.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Fixes for two bad bugs.  For 2.4-rc0.

# gpg: Signature made Thu Jul  9 15:54:19 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  crypto: fix builtin qcrypto_cipher_free
  migration: fix RCU deadlock
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This was dereferencing a pointer before checking if it was NULL.
Reported-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Reported-by: NAurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

QOM CPUState and X86CPU

* Further QOM'ification of CPU initialization
* Propagation of CPUState arguments and elimination of ENV_GET_CPU() usage
* cpu_set_pc() abstraction
* CPUClass::disas_set_info() hook

# gpg: Signature made Thu Jul  9 14:23:12 2015 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-cpu-for-peter: (22 commits)
  disas: cris: QOMify target specific disas setup
  disas: cris: Fix 0 buffer length case
  disas: microblaze: QOMify target specific disas setup
  disas: arm: QOMify target specific disas setup
  disas: arm-a64: Make printfer and stream variable
  disas: QOMify target specific setup
  disas: Add print_insn to disassemble info
  microblaze: boot: Use cpu_set_pc()
  hw/arm/boot: Use cpu_set_pc()
  gdbstub: Use cpu_set_pc() helper
  cpu: Add wrapper for the set_pc() hook
  cpu-exec: Purge all uses of ENV_GET_CPU()
  cpu: Change cpu_exec_init() arg to cpu, not env
  cpu: Change tcg_cpu_exec() arg to cpu, not env
  gdbstub: Change gdbserver_fork() to accept cpu instead of env
  translate-all: Change tb_flush() env argument to cpu
  target-ppc: Move cpu_exec_init() call to realize function
  cpu: Convert cpu_index into a bitmap
  cpu: Add Error argument to cpu_exec_init()
  cpu: Reorder cpu->as, cpu->thread_id, cpu->memory_dispatch init
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Move the target_disas() cris specifics to the QOM disas_set_info() hook
and delete the cris specific code in disas.c.

This also now adds support for monitor_disas() to cris.

E.g.
(qemu) xp 0x40004000
0000000040004000: 0x1e6f25f0

And before this patch:
(qemu) xp/i 0x40004000
0x40004000: Asm output not supported on this arch

After:
(qemu) xp/i 0x40004000
0x40004000:  di
(qemu) xp/i 0x40004002
0x40004002:  move.d 0xb003c004,$r1

Note: second example is 6-byte misaligned instruction!
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Cris has the complication of variable length instructions and has
a check in place to clamp memory reads in case the disas request
doesn't have enough bytes for the instruction being disas'd. This
breaks down in the case where disassembling for the monitor where
the buffer length is defaulted to 0.

The buffer length should never be zero for a regular target_disas,
so we can safely assume the 0 case is for the monitor in which case
consider the buffer length to be the max for cris instructions.
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Move the target_disas() MB specifics to the QOM disas_set_info hook
and delete the MB specific code in disas.c.

This also now adds support for monitor_disas() to Microblaze.

E.g.
(qemu) xp 0x90000000
0000000090000000: 0x94208001

And before this patch:
(qemu) xp/i 0x90000000
0x90000000: Asm output not supported on this arch

After:
(qemu) xp/i 0x90000000
0x90000000:  mfs    r1, rmsr
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Move the target_disas() ARM specifics to the QOM disas_set_info hook
and delete the ARM specific code in disas.c.

This has the extra advantage of the more fully featured target_disas()
implementation now applying to monitor_disas().

Currently, target_disas() has multi-endian, thumb and AArch64
support whereas the existing monitor_disas() support only has vanilla
AA32 support.

E.G. Running an AA64 linux kernel the following -d in_asm disas happens
(taget_disas()):

IN:
0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)
0x0000000040000004:  aa1f03e1      mov x1, xzr

However before this patch, disasing the same from the monitor:

(qemu) xp/i 0x40000000
0x0000000040000000:  580000c0      stmdapl  r0, {r6, r7}

After this patch:
(qemu) xp/i 0x40000000
0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>