Commit Graph

20248 Commits

Author SHA1 Message Date
Michael Roth
4ce5bc2dd1 update VERSION for 1.1.2
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:38:39 -05:00
Ian Campbell
113f4cd9e9 console: bounds check whenever changing the cursor due to an escape code
This is XSA-17 / CVE-2012-3515

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-09-05 10:38:39 -05:00
Paolo Bonzini
f965d237b5 qemu-timer: properly arm alarm timer for timers set by device initialization
QEMU will hang when fed the following command-line

  qemu-system-mips -kernel vmlinux-2.6.32-5-4kc-malta -append "console=ttyS0" -nographic -net none

The -net none is important; otherwise it seems some events are generated,
causing things to work. When it doesn't work, the guest hangs when
measuring the CPU frequency, after the following line:

  [    0.000000] NR_IRQS:256

Pressing a key on the serial port unblocks it, hinting that the problem
is due to the recent elimination of the 1 second timeout in the main
loop.

The problem is that because init_timer_alarm sets the timer's pending
flag to true, the alarm timer is never armed until after the first time
through the main loop.  Thus the bug started when QEMU started testing
the pending flag in qemu_mod_timer (commit 1828be3, more alarm timer
cleanup, 2010-03-10).

But actually, it isn't true at all that a timer is pending when the
alarm timer is created, and the real bug has been latent forever: the
fix is to remove the bogus setting of pending flag.

Reported-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit de188751da)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:38:39 -05:00
Max Filippov
5a16dd9bc8 target-xtensa: return ENOSYS for unimplemented simcalls
This prevents the guest from proceeding with uninitialised garbage returned
from unimplemented simcalls.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit e7eee62a90)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:38:39 -05:00
Max Filippov
c7580c1034 target-xtensa: fix big-endian BBS/BBC implementation
Quote from ISA, 2.1:

For most Xtensa instructions, bit numbering is irrelevant; only the BBC
and BBS instructions assign bit numbers to values on which the processor
operates. The BBC/BBS instructions use big-endian bit ordering (0 is the
most-significant bit) on a big-endian processor configuration.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 7ff7563fc1)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:38:39 -05:00
Hans de Goede
a8cd6f7ddf ehci: Fix NULL ptr deref when unplugging an USB dev with an iso stream active
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 7ce86aa1aa)

Conflicts:

	hw/usb/hcd-ehci.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:30:38 -05:00
Michael S. Tsirkin
ce4fc986e5 msix: make [un]use vectors on reset/load optional
The facility to use/unuse vectors dynamically is helpful
for virtio but little else: everyone just seems to use
vectors in their init function.

Avoid clearing msix vector use info on reset and load.
For virtio, clear it explicitly.
This should fix regressions reported with ivshmem - though
I didn't test this, I verified that virtio keeps
working like it did.

Tested-by: Cam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3cac001e5a)

Conflicts:

	hw/msix.c
	hw/virtio-pci.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:30:38 -05:00
Gleb Natapov
219a7482ab reset PMBA and PMREGMISC PIIX4 registers.
The bug causes Windows + OVMF to hang after reboot since OVMF
checks PMREGMISC to see if IO space is enabled and skips
configuration if it is.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4d09d37c6a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:30:38 -05:00
Stefano Stabellini
28846ad3b5 qemu_rearm_alarm_timer: do not call rearm if the next deadline is INT64_MAX
qemu_rearm_alarm_timer partially duplicates the code in
qemu_next_alarm_deadline to figure out if it needs to rearm the timer.
If it calls qemu_next_alarm_deadline, it always rearms the timer even if
the next deadline is INT64_MAX.

This patch simplifies the behavior of qemu_rearm_alarm_timer and removes
the duplicated code, always calling qemu_next_alarm_deadline and only
rearming the timer if the deadline is less than INT64_MAX.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Tested-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 8227421e04)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-09-05 10:30:38 -05:00
Stefan Weil
cccb5446a6 qemu-ga: Fix null pointer passed to unlink in failure branch
Clang reports this warning:

Null pointer passed as an argument to a 'nonnull' parameter

Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4bdb1a3059)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-30 14:54:16 -05:00
Jan Kiszka
25c0807e3c memory: Fix copy&paste mistake in memory_region_iorange_write
The last argument of find_portio is "write", so this must be true here.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e2a62d82a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-30 14:54:16 -05:00
Cam Macdonell
57fa9fb4ef ivshmem: remove redundant ioeventfd configuration
setup_ioeventfds() is unnecessary and actually causes a segfault when
ioeventfd=on is used on the command line.  Since ioeventfds are handled within
the memory API, it can be removed.

Signed-off-by: Cam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e7de876ae)

Conflicts:

	hw/ivshmem.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-30 14:54:16 -05:00
Peter Maydell
450ead742a hw/arm_gic.c: Define .class_size in arm_gic_info TypeInfo
Add the missing .class_size definition to the arm_gic_info TypeInfo.
This fixes the memory corruption and possible segfault that otherwise
results when the class struct is allocated at too small a size and
the class init function writes off the end of it.

Reported-by: Adam Lackorzynski <adam@os.inf.tu-dresden.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 998a74bcda)

 - ARMGICClass isn't in 1.1, set class size to SysBusDeviceClass instead

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-30 14:54:16 -05:00
Aurelien Jarno
69c67eca97 tcg/mips: fix broken CONFIG_TCG_PASS_AREG0 code
The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was
broken in that it did not respect the ABI requirement that 64
bit values were passed in even-odd register pairs. The simplest
way to fix this is to implement some new utility functions
for marshalling function arguments into the correct registers
and stack, so that the code which sets up the address and
data arguments does not need to care whether there has been
a preceding env argument.

Based on commit 9716ef3b for ARM by Peter Maydell.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 18fec301cd)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 14:38:44 -05:00
munkyu.im
256c899432 audio/winwave: previous audio buffer should be flushed
The Winwave audio backend has a problem with pausing and restarting audio out.
Unlike other backends, the Winwave pausing API does not flush the audio buffer.
As a result, the previous audio data is played in front of the
sound the user expects when the user restarts audio.
So change it to waveOutReset().

Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 13ef70f64e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 14:38:44 -05:00
Eric Johnson
849c865155 target-mips: allow microMIPS SWP and SDP to have RD equal to BASE
The microMIPS SWP and SDP instructions do not modify GPRs.  So their
behavior is well defined when RD equals BASE.  The MIPS Architecture
Verification Programs (AVPs) check that they work as expected.  This
is required for AVPs to pass.

Signed-off-by: Eric Johnson <ericj@mips.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 36c6711bbe)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 14:38:44 -05:00
Eric Johnson
57708c532f target-mips: add privilege level check to several Cop0 instructions
The MIPS Architecture Verification Programs (AVPs) check privileged
instructions for the required privilege level.  These changes are needed
to pass the AVP suite.

Signed-off-by: Eric Johnson <ericj@mips.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 2e15497c5b)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 14:38:44 -05:00
Richard Henderson
8d45ae8352 mips-linux-user: Always support rdhwr.
The kernel will emulate this instruction if it's not supported
natively.  This insn is used for TLS, among other things, and
so is required by modern glibc.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Cc: Riku Voipio <riku.voipio@iki.fi>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit b316728836)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:03 -05:00
Richard Henderson
2f0f684cce target-mips: Streamline indexed cp1 memory addressing.
We've already eliminated both base and index being zero.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 0516867450)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:03 -05:00
Richard Sandiford
bc4321e754 Fix order of CVT.PS.S operands
The FS input to CVT.PS.S is the high half and FT is the low half.
tcg_gen_concat_i32_i64 takes the low half first, so the operands
were in the wrong order.

Signed-off-by: Richard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 13d24f4972)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:03 -05:00
Richard Sandiford
9a32fb2824 Fix operands of RECIP2.S and RECIP2.PS
Read the second input operand of RECIP2.S and RECIP2.PS from FT rather
than FD.  RECIP2.D is already correct.

Signed-off-by: Richard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d22d728987)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:03 -05:00
Aurelien Jarno
50462f2ca8 tcg/ia64: fix and optimize ld/st slow path
Store slow path has been broken in e141ab52d:
- the arguments are shifted before the last one (mem_index) is written.
- the shift is done for both slow and fast paths.

Fix that. Also optimize a bit by bundling the move together. This still
can be optimized, but it's better to wait for a decision to be taken on
the arguments order.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d03c98d80f)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:03 -05:00
Aurelien Jarno
ec16f35e4e tcg/ia64: fix prologue/epilogue
Prologue and epilogue code has been broken in cea5f9a28.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 18d445b443)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Peter Maydell
0ba3d50242 tcg/arm: Fix broken CONFIG_TCG_PASS_AREG0 code
The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was
broken in that it did not respect the ABI requirement that 64
bit values were passed in even-odd register pairs. The simplest
way to fix this is to implement some new utility functions
for marshalling function arguments into the correct registers
and stack, so that the code which sets up the address and
data arguments does not need to care whether there has been
a preceding env argument.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 9716ef3b1b)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Matthew Ogilvie
0214b6b4de target-i386/translate.c: mov to/from crN/drN: ignore mod bits
> This instruction is always treated as a register-to-register (MOD = 11)
> instruction, regardless of the encoding of the MOD field in the MODR/M
> byte.

Also, Microport UNIX System V/386 v 2.1 (ca 1987) runs fine on
real Intel 386 and 486 CPUs (at least), but does not run in qemu without
this patch.

Signed-off-by: Matthew Ogilvie <mmogilvi_qemu@miniinfo.net>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 5c73b757e3)

Conflicts:

	target-i386/translate.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Paolo Bonzini
63f7166a80 ivshmem: fix memory_region_del_eventfd assertion failure
We do not register ioeventfds unless the IVSHMEM_IOEVENTFD feature
is set.  The same feature must be checked before releasing the eventfds.
Regression introduced by commit 563027c (ivshmem: use EventNotifier and
memory API, 2012-07-05).

Reported-by: Cam Macdonnell <cam@cs.ualberta.ca>
Tested-by: Cam Macdonnell <cam@cs.ualberta.ca>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 98609cd8fc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Paolo Bonzini
1d34dff02f qom: object_delete should unparent the object first
object_deinit is only called when the reference count goes to zero,
and yet tries to do an object_unparent.  Now, object_unparent
either does nothing or it will decrease the reference count.
Because we know the reference count is zero, the object_unparent
call in object_deinit is useless.

Instead, we need to disconnect the object from its parent just
before we remove the last reference apart from the parent's.  This
happens in object_delete.  Once we do this, all calls to
object_unparent peppered through QEMU can go away.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit da5a44e8b0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Anthony Liguori
5330a894ed monitor: don't try to initialize json parser when monitor is HMP
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 26efaca377)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Stefan Weil
cdcf2aa41c target-mips: Fix some helper functions (VR54xx multiplication)
Commits b5dc7732e1 and
be24bb4f30 optimized the code
and removed the correct setting of t0. Fix this.

gcc-4.7 detected this bug because parameter arg1 was unused
but set in set_HIT0_LO and set_HI_LOT0.

Cc: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 6fc97fafce)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Meador Inge
5ea33884f6 target-mips: Enable access to required RDHWR hardware registers
While running in the usermode emulator all of the required*
MIPS32r2 RDHWR hardware registers should be accessible (the
Linux kernel enables access to these same registers).  Note
that these registers are still enabled when the MIPS ISA is
not release 2.  This is OK since the Linux kernel emulates
access to them when they are not available in hardware.

* There is also the ULR register which is only recommended
  for full release 2 compliance.  Incidentally, accessing
  this register in the current implementation works fine
  without flipping its access bit.

Signed-off-by: Meador Inge <meadori@codesourcery.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 94159135cb)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Anthony Liguori
50d0184cb7 monitor: move json init from OPEN event to init
At some point in the past, the OPEN event was changed to be issued from a
bottom half.  This creates a small window where a data callback registered in
init may be invoked before the OPEN event has been issued.

This is reproducible with:

 echo "{'execute': 'qmp_capabilities'}" | qemu-system-x86_64 -M none -qmp stdio

We can fix this for the monitor by moving the parser initialization to init.

The remaining state that is set in OPEN appears harmless.

Reported-by: Daniel Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 58617a795c)

Conflicts:

	monitor.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jim Meyering
c068d37020 softmmu-semi: fix lock_user* functions not to deref NULL upon OOM
Return NULL upon malloc failure.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 15d9e3bc6a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jim Meyering
cc5caf7df4 arm-semi: don't leak 1KB user string lock buffer upon TARGET_SYS_OPEN
Always call unlock_user before returning.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 396bef4b38)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jim Meyering
b68e45c686 sheepdog: don't leak socket file descriptor upon connection failure
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a7e47d4bfc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jim Meyering
df60f451b3 linux-user: do_msgrcv: don't leak host_mb upon TARGET_EFAULT failure
Also, use g_malloc to avoid NULL-deref upon OOM.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0d07fe47d4)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jim Meyering
1bc6332461 qemu-ga: don't leak a file descriptor upon failed lockf
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4144f122b4)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Dongxiao Xu
07548727b3 xen-all.c: fix multiply issue for int and uint types
If the two multiply operands are int and uint types separately,
the int type will be transformed to uint firstly, which is not the
intent in our code piece. The fix is to add (int64_t) transform
for the uint type before the multiply.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 14d4018372)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Frediano Ziglio
c7e6d6b115 Fix invalidate if memory requested was not bucket aligned
When memory is mapped in qemu_map_cache with lock != 0 a reverse mapping
is created pointing to the virtual address of the location requested.
The cached mapped entry is saved in last_address_vaddr with the memory
location of the base virtual address (without bucket offset).
However, when this entry is invalidated the virtual address saved in the
reverse mapping is used. This causes the mapping to be freed but
last_address_vaddr is not reset.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 27b7652ef5)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:02 -05:00
Jan Kiszka
886c62a3ff i82378: Remove bogus MMIO coalescing
This MMIO area is an entry gate to legacy PC ISA devices, addressed via
PIO over there. Quite a few of the PIO ports have side effects on access
like starting/stopping timers that must be executed properly ordered
w.r.t. the CPU. So we have to remove the coalescing mark.

Acked-by: Hervé Poussineau <hpoussin@reactos.org>
Acked-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0ec64507a5)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Alexey Kardashevskiy
b598cb2214 eventfd: making it thread safe
QEMU uses IO handlers to run select() in the main loop.
The handlers list is managed by qemu_set_fd_handler() helper
which works fine when called from the main thread as it is
called when select() is not waiting.

However, the IO handlers list can be changed in a thread other than
the main one doing os_host_main_loop_wait(), for example, as a result
of a hypercall which changes PCI config space (VFIO on POWER is the case)
and enables/disables MSI/MSIX, which closes/creates eventfd handles.
As the main loop should be waiting on the newly created eventfds,
it has to be restarted.

The patch adds the qemu_notify_event() call to interrupt select()
to make main_loop() restart select() with the updated IO handlers
list.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 55ce75faf2)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Paolo Bonzini
799c27e124 iscsi: fix races between task completion and abort
This patch fixes two main issues with block/iscsi.c:

1) iscsi_task_mgmt_abort_task_async calls iscsi_scsi_task_cancel which
was also directly called in iscsi_aio_cancel

2) a race between task completion and task abortion could happen because
the scsi_free_scsi_task was done before iscsi_schedule_bh had finished.
To fix this, all the freeing of IscsiTasks and releasing of the AIOCBs
is centralized in iscsi_bh_cb, independent of whether the SCSI command
has completed or was cancelled.

3) iscsi_aio_cancel was not synchronously waiting for the end of the
command.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1bd075f29e)

Conflicts:

	block/iscsi.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Paolo Bonzini
b90d717b64 iscsi: simplify iscsi_schedule_bh
It is always used with the same callback, so remove the argument.  And
its return value is never used, so assume allocation succeeds.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cfb3f5064a)

Conflicts:

	block/iscsi.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Paolo Bonzini
a410be59b5 iscsi: move iscsi_schedule_bh and iscsi_readv_writev_bh_cb
Put these functions at the beginning, to avoid forward references
in the next patches.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 27cbd828c6)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Kevin Wolf
f946f010f5 Documentation: Warn against qemu-img on active image
People have repeatedly expected that you can do things like snapshotting
an image with qemu-img while a qemu instance is running. Maybe we need
to consider locking the files while they are in use, but having a
warning in the qemu-img manpage is doable for 1.2 and can't hurt anyway.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 48467328c6)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Kevin Wolf
d438650fa5 vmdk: Read footer for streamOptimized images
The footer takes precedence over the header when it exists. It contains
the real grain directory offset that is missing in the header. Without
this patch, streamOptimized images with a footer cannot be read.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit 65bd155c73)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Kevin Wolf
07ab4fc1ef vmdk: Fix header structure
Commit bb45ded9 swapped gd_offset and rgd_offset. This is wrong.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 7a736bfa4e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-28 01:50:01 -05:00
Markus Armbruster
fd21cc14f5 vl: Round argument of -m up to multiple of 8KiB
Partial pages make little sense and don't work.  Ensure the RAM size
is a multiple of any possible target's page size.

Fixes

    $ qemu-system-x86_64 -nodefaults -S -vnc :0 -m 0.8
    qemu-system-x86_64: /work/armbru/qemu/exec.c:2255: register_subpage: Assertion `existing->mr->subpage || existing->mr == &io_mem_unassigned' failed.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit ff96101552)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-21 15:42:32 -05:00
Markus Armbruster
cfeb9958c8 pc: Fix RTC CMOS info on RAM for ram_size < 1MiB
pc_cmos_init() always claims 640KiB base memory, and ram_size - 1MiB
extended memory.  The latter can underflow to "lots of extended
memory".  Fix both, and clean up some.

Note: SeaBIOS currently requires 1MiB of RAM, and doesn't check
whether it got enough.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit e89001f72e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-21 15:42:32 -05:00
Jan Kiszka
ffc7565c81 kvm: i8254: Finish time conversion fix
0cdd3d1444 fixed reading back the counter load time from the kernel
while assuming the kernel would always update its load time on writing
the state. That is only true for channel 1, and so pit_get_channel_info
returned wrong output pin states for high counter values.

Fix this by applying the offset also on kvm_pit_put. Now we also need to
update the offset when we write the state while the VM is stopped as it
keeps on changing in that state.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit 050a46065d)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-21 15:42:32 -05:00
Jan Kiszka
393d4c9214 kvm: i8254: Cache kernel clock offset in KVMPITState
To prepare the final fix for clock calibration issues with the in-kernel
PIT, we want to cache the offset between vmclock and the clock used by
the in-kernel PIT. So far, we only need to update it when the VM state
changes between running and stopped because we only read the in-kernel
PIT state while the VM is running.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit 205df4d1a8)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2012-08-21 15:42:32 -05:00