Age         Commit message                                                    Author
2012-09-05  console: bounds check whenever changing the cursor due to an escape code  (Ian Campbell)

This is XSA-17 / CVE-2012-3515

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2012-09-05  qemu-timer: properly arm alarm timer for timers set by device initialization  (Paolo Bonzini)

QEMU will hang when fed the following command-line

    qemu-system-mips -kernel vmlinux-2.6.32-5-4kc-malta -append "console=ttyS0" -nographic -net none

The -net none is important, otherwise it seems some events are generated causing things to work. When it doesn't work, the guest hangs when measuring the CPU frequency, after the following line:

    [ 0.000000] NR_IRQS:256

Pressing a key on the serial port unblocks it, hinting that the problem is due to the recent elimination of the 1 second timeout in the main loop.

The problem is that because init_timer_alarm sets the timer's pending flag to true, the alarm timer is never armed until after the first time through the main loop. Thus the bug started when QEMU started testing the pending flag in qemu_mod_timer (commit 1828be3, more alarm timer cleanup, 2010-03-10).

But actually, it isn't true at all that a timer is pending when the alarm timer is created, and the real bug has been latent forever: the fix is to remove the bogus setting of the pending flag.

Reported-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit de188751da8db3c77a681bf903035a0e5218c463)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  target-xtensa: return ENOSYS for unimplemented simcalls  (Max Filippov)

This prevents the guest from proceeding with uninitialised garbage returned from unimplemented simcalls.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit e7eee62a90c671d22d50964b7de05e3f4fd96f5f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  target-xtensa: fix big-endian BBS/BBC implementation  (Max Filippov)

Quote from ISA, 2.1:

    For most Xtensa instructions, bit numbering is irrelevant; only the BBC and BBS instructions assign bit numbers to values on which the processor operates. The BBC/BBS instructions use big-endian bit ordering (0 is the most-significant bit) on a big-endian processor configuration.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 7ff7563fc1c3c57914aafec1753219604346fe18)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  ehci: Fix NULL ptr deref when unplugging an USB dev with an iso stream active  (Hans de Goede)

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 7ce86aa1aafaa65e7d3e572873bdf37bdb896f49)

Conflicts:
    hw/usb/hcd-ehci.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  msix: make [un]use vectors on reset/load optional  (Michael S. Tsirkin)

The facility to use/unuse vectors dynamically is helpful for virtio but little else: everyone just seems to use vectors in their init function. Avoid clearing msix vector use info on reset and load. For virtio, clear it explicitly.

This should fix regressions reported with ivshmem - though I didn't test this, I verified that virtio keeps working like it did.

Tested-by: Cam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3cac001e5ae3c0ceb33e0a1978a48cb5e2482ab2)

Conflicts:
    hw/msix.c
    hw/virtio-pci.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  reset PMBA and PMREGMISC PIIX4 registers.  (Gleb Natapov)

The bug causes Windows + OVMF hang after reboot since OVMF checks PMREGMISC to see if IO space is enabled and skip configuration if it is.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4d09d37c6aa9a02b44b1fdb6268820fab92499bd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-09-05  qemu_rearm_alarm_timer: do not call rearm if the next deadline is INT64_MAX  (Stefano Stabellini)

qemu_rearm_alarm_timer partially duplicates the code in qemu_next_alarm_deadline to figure out if it needs to rearm the timer. If it calls qemu_next_alarm_deadline, it always rearms the timer even if the next deadline is INT64_MAX.

This patch simplifies the behavior of qemu_rearm_alarm_timer and removes the duplicated code, always calling qemu_next_alarm_deadline and only rearming the timer if the deadline is less than INT64_MAX.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Tested-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 8227421e0476d9caf2a9a089465bb40c23834e33)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-30  qemu-ga: Fix null pointer passed to unlink in failure branch  (Stefan Weil)

Clang reports this warning:

    Null pointer passed as an argument to a 'nonnull' parameter

Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4bdb1a3059d7d3a931de0748a2eec39a0ab41b4e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-30  memory: Fix copy&paste mistake in memory_region_iorange_write  (Jan Kiszka)

The last argument of find_portio is "write", so this must be true here.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e2a62d82a3f1397acd67685c3008046eba8344b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-30  ivshmem: remove redundant ioeventfd configuration  (Cam Macdonell)

setup_ioeventfds() is unnecessary and actually causes a segfault when ioeventfd=on is used on the command-line. Since ioeventfds are handled within the memory API, it can be removed.

Signed-off-by: Cam Macdonell <cam@cs.ualberta.ca>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e7de876ae9bdb1b994dee148c6dc009ce94c48e)

Conflicts:
    hw/ivshmem.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-30  hw/arm_gic.c: Define .class_size in arm_gic_info TypeInfo  (Peter Maydell)

Add the missing .class_size definition to the arm_gic_info TypeInfo. This fixes the memory corruption and possible segfault that otherwise results when the class struct is allocated at too small a size and the class init function writes off the end of it.

Reported-by: Adam Lackorzynski <adam@os.inf.tu-dresden.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 998a74bcda7f3297813732ddc2f28ffe5a12e37a)

- ARMGICClass isn't in 1.1, set class size to SysBusDeviceClass instead

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  tcg/mips: fix broken CONFIG_TCG_PASS_AREG0 code  (Aurelien Jarno)

The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was broken in that it did not respect the ABI requirement that 64 bit values were passed in even-odd register pairs. The simplest way to fix this is to implement some new utility functions for marshalling function arguments into the correct registers and stack, so that the code which sets up the address and data arguments does not need to care whether there has been a preceding env argument.

Based on commit 9716ef3b for ARM by Peter Maydell.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 18fec301cd2a38f72a5eeba2656a0c5b4fa69fb7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  audio/winwave: previous audio buffer should be flushed  (munkyu.im)

The Winwave audio backend has a problem with pausing and restarting audio out. Unlike other backends, the Winwave pausing API does not flush the audio buffer. As a result, the previous audio data is played in front of the sound the user expects when the user restarts audio. So change it to waveOutReset().

Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 13ef70f64e9e4d7583fbd9918d8ea76194023d37)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-mips: allow microMIPS SWP and SDP to have RD equal to BASE  (Eric Johnson)

The microMIPS SWP and SDP instructions do not modify GPRs. So their behavior is well defined when RD equals BASE. The MIPS Architecture Verification Programs (AVPs) check that they work as expected. This is required for AVPs to pass.

Signed-off-by: Eric Johnson <ericj@mips.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 36c6711bbe79642b0102416a9dd4243505e874a6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-mips: add privilege level check to several Cop0 instructions  (Eric Johnson)

The MIPS Architecture Verification Programs (AVPs) check privileged instructions for the required privilege level. These changes are needed to pass the AVP suite.

Signed-off-by: Eric Johnson <ericj@mips.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 2e15497c5b8d0d172dece0cf56e2d2e977a6b679)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  mips-linux-user: Always support rdhwr.  (Richard Henderson)

The kernel will emulate this instruction if it's not supported natively. This insn is used for TLS, among other things, and so is required by modern glibc.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Cc: Riku Voipio <riku.voipio@iki.fi>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit b3167288367f79754b74ad933146e37938ebff13)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-mips: Streamline indexed cp1 memory addressing.  (Richard Henderson)

We've already eliminated both base and index being zero.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 05168674505153a641c7bfddb691d2eda11d13d1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  Fix order of CVT.PS.S operands  (Richard Sandiford)

The FS input to CVT.PS.S is the high half and FT is the low half. tcg_gen_concat_i32_i64 takes the low half first, so the operands were in the wrong order.

Signed-off-by: Richard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 13d24f49720a3e7b35a21222ef182c8513f139db)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  Fix operands of RECIP2.S and RECIP2.PS  (Richard Sandiford)

Read the second input operand of RECIP2.S and RECIP2.PS from FT rather than FD. RECIP2.D is already correct.

Signed-off-by: Richard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d22d7289877ecd3ef86570f6f6d0574da40711dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  tcg/ia64: fix and optimize ld/st slow path  (Aurelien Jarno)

Store slow path has been broken in e141ab52d:
- the arguments are shifted before the last one (mem_index) is written.
- the shift is done for both slow and fast paths.

Fix that. Also optimize a bit by bundling the move together. This still can be optimized, but it's better to wait for a decision to be taken on the arguments order.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d03c98d80ffb7c561d9e6874580f52fe7ecc8c6c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  tcg/ia64: fix prologue/epilogue  (Aurelien Jarno)

Prologue and epilogue code has been broken in cea5f9a28.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 18d445b443a5fa06a7c2819a170623b970afb3fb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  tcg/arm: Fix broken CONFIG_TCG_PASS_AREG0 code  (Peter Maydell)

The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was broken in that it did not respect the ABI requirement that 64 bit values were passed in even-odd register pairs. The simplest way to fix this is to implement some new utility functions for marshalling function arguments into the correct registers and stack, so that the code which sets up the address and data arguments does not need to care whether there has been a preceding env argument.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 9716ef3b1b48ebbb4b6515fb4685a5db96ce41d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-i386/translate.c: mov to/from crN/drN: ignore mod bits  (Matthew Ogilvie)

> This instruction is always treated as a register-to-register (MOD = 11)
> instruction, regardless of the encoding of the MOD field in the MODR/M
> byte.

Also, Microport UNIX System V/386 v 2.1 (ca 1987) runs fine on real Intel 386 and 486 CPU's (at least), but does not run in qemu without this patch.

Signed-off-by: Matthew Ogilvie <mmogilvi_qemu@miniinfo.net>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 5c73b757e3aa80dc84352b2ede0d8bdea5419f6d)

Conflicts:
    target-i386/translate.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  ivshmem: fix memory_region_del_eventfd assertion failure  (Paolo Bonzini)

We do not register ioeventfds unless the IVSHMEM_IOEVENTFD feature is set. The same feature must be checked before releasing the eventfds.

Regression introduced by commit 563027c (ivshmem: use EventNotifier and memory API, 2012-07-05).

Reported-by: Cam Macdonnell <cam@cs.ualberta.ca>
Tested-by: Cam Macdonnell <cam@cs.ualberta.ca>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 98609cd8fcf755c0ba7049d751353b8b2e243b65)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  qom: object_delete should unparent the object first  (Paolo Bonzini)

object_deinit is only called when the reference count goes to zero, and yet tries to do an object_unparent. Now, object_unparent either does nothing or it will decrease the reference count. Because we know the reference count is zero, the object_unparent call in object_deinit is useless.

Instead, we need to disconnect the object from its parent just before we remove the last reference apart from the parent's. This happens in object_delete. Once we do this, all calls to object_unparent peppered through QEMU can go away.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit da5a44e8b0b727681fc33e8d94832d1cae48a788)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  monitor: don't try to initialize json parser when monitor is HMP  (Anthony Liguori)

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 26efaca377e004b79ff50a6e936d029a0c095b8b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-mips: Fix some helper functions (VR54xx multiplication)  (Stefan Weil)

Commits b5dc7732e1cc2fb549e48b7b5d664f2c79628e2e and be24bb4f3007c3e07cbf1934f7e781493d876ab7 optimized the code and removed the correct setting of t0. Fix this.

gcc-4.7 detected this bug because parameter arg1 was unused but set in set_HIT0_LO and set_HI_LOT0.

Cc: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 6fc97fafce05eee76479ca6d289241772d21b370)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  target-mips: Enable access to required RDHWR hardware registers  (Meador Inge)

While running in the usermode emulator all of the required* MIPS32r2 RDHWR hardware registers should be accessible (the Linux kernel enables access to these same registers).

Note that these registers are still enabled when the MIPS ISA is not release 2. This is OK since the Linux kernel emulates access to them when they are not available in hardware.

* There is also the ULR register which is only recommended for full release 2 compliance. Incidentally, accessing this register in the current implementation works fine without flipping its access bit.

Signed-off-by: Meador Inge <meadori@codesourcery.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 94159135cb59684853dcd45ff70d6dbc54a29209)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  monitor: move json init from OPEN event to init  (Anthony Liguori)

At some point in the past, the OPEN event was changed to be issued from a bottom half. This creates a small window whereas a data callback registered in init may be invoked before the OPEN event has been issued.

This is reproducible with:

    echo "{'execute': 'qmp_capabilities'}" | qemu-system-x86_64 -M none -qmp stdio

We can fix this for the monitor by moving the parser initialization to init. The remaining state that is set in OPEN appears harmless.

Reported-by: Daniel Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 58617a795c8067b2f9800cffce60f38707d3aa31)

Conflicts:
    monitor.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  softmmu-semi: fix lock_user* functions not to deref NULL upon OOM  (Jim Meyering)

Return NULL upon malloc failure.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 15d9e3bc6af8a56af8c61911aab8453a54795db1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  arm-semi: don't leak 1KB user string lock buffer upon TARGET_SYS_OPEN  (Jim Meyering)

Always call unlock_user before returning.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 396bef4b3846bf4e80a2bee38e9a2d8554d0f251)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  sheepdog: don't leak socket file descriptor upon connection failure  (Jim Meyering)

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a7e47d4bfcbf256fae06891a8599950ff8e1b61b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  linux-user: do_msgrcv: don't leak host_mb upon TARGET_EFAULT failure  (Jim Meyering)

Also, use g_malloc to avoid NULL-deref upon OOM.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0d07fe47d4986271a21ed4ff5237275ff55dd93f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  qemu-ga: don't leak a file descriptor upon failed lockf  (Jim Meyering)

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4144f122b477164cf466ca69be24cf4ef5c218d3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  xen-all.c: fix multiply issue for int and uint types  (Dongxiao Xu)

If the two multiply operands are int and uint types separately, the int type will be transformed to uint firstly, which is not the intent in our code piece. The fix is to add (int64_t) transform for the uint type before the multiply.

Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 14d40183725361e6350166099556c7661063921b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  Fix invalidate if memory requested was not bucket aligned  (Frediano Ziglio)

When memory is mapped in qemu_map_cache with lock != 0 a reverse mapping is created pointing to the virtual address of the location requested. The cached mapped entry is saved in last_address_vaddr with the memory location of the base virtual address (without bucket offset). However when this entry is invalidated the virtual address saved in the reverse mapping is used. This causes the mapping to be freed while last_address_vaddr is not reset.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 27b7652ef515bb4c694f79d657d2052c72b19536)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  i82378: Remove bogus MMIO coalescing  (Jan Kiszka)

This MMIO area is an entry gate to legacy PC ISA devices, addressed via PIO over there. Quite a few of the PIO ports have side effects on access like starting/stopping timers that must be executed properly ordered wrt the CPU. So we have to remove the coalescing mark.

Acked-by: Hervé Poussineau <hpoussin@reactos.org>
Acked-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0ec64507a5e6366e6d8070a82c866b935f687ed9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  eventfd: making it thread safe  (Alexey Kardashevskiy)

QEMU uses IO handlers to run select() in the main loop. The handlers list is managed by the qemu_set_fd_handler() helper, which works fine when called from the main thread as it is called when select() is not waiting.

However, the IO handlers list can be changed in a thread other than the main one doing os_host_main_loop_wait(), for example, as a result of a hypercall which changes PCI config space (VFIO on POWER is the case) and enables/disables MSI/MSIX which closes/creates eventfd handles. As the main loop should be waiting on the newly created eventfds, it has to be restarted.

The patch adds the qemu_notify_event() call to interrupt select() to make main_loop() restart select() with the updated IO handlers list.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 55ce75faf253d4369670f60409c608e665e8dde9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  iscsi: fix races between task completion and abort  (Paolo Bonzini)

This patch fixes two main issues with block/iscsi.c:

1) iscsi_task_mgmt_abort_task_async calls iscsi_scsi_task_cancel which was also directly called in iscsi_aio_cancel

2) a race between task completion and task abortion could happen because scsi_free_scsi_task was done before iscsi_schedule_bh had finished. To fix this, all the freeing of IscsiTasks and releasing of the AIOCBs is centralized in iscsi_bh_cb, independent of whether the SCSI command has completed or was cancelled.

3) iscsi_aio_cancel was not synchronously waiting for the end of the command.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1bd075f29ea6d11853475c7c42734595720c3ac6)

Conflicts:
    block/iscsi.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  iscsi: simplify iscsi_schedule_bh  (Paolo Bonzini)

It is always used with the same callback, remove the argument. And its return value is never used, assume allocation succeeds.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cfb3f5064af2d2e29c976e292c9472dfe9d61e31)

Conflicts:
    block/iscsi.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  iscsi: move iscsi_schedule_bh and iscsi_readv_writev_bh_cb  (Paolo Bonzini)

Put these functions at the beginning, to avoid forward references in the next patches.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 27cbd828c617944c0f9603763fdf4fa87e7ad923)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  Documentation: Warn against qemu-img on active image  (Kevin Wolf)

People have repeatedly expected that you can do things like snapshotting an image with qemu-img while a qemu instance is running. Maybe we need to consider locking the files while they are in use, but having a warning in the qemu-img manpage is doable for 1.2 and can't hurt anyway.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 48467328c6dccc9c7be6628ed0ef0810f83be2a9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  vmdk: Read footer for streamOptimized images  (Kevin Wolf)

The footer takes precedence over the header when it exists. It contains the real grain directory offset that is missing in the header. Without this patch, streamOptimized images with a footer cannot be read.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit 65bd155c7356d448ffee7f89149c4d473076b0ba)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-28  vmdk: Fix header structure  (Kevin Wolf)

Commit bb45ded9 swapped gd_offset and rgd_offset. This is wrong.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 7a736bfa4e0a58087054cad68a1d4b3804bbb708)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-21  vl: Round argument of -m up to multiple of 8KiB  (Markus Armbruster)

Partial pages make little sense and don't work. Ensure the RAM size is a multiple of any possible target's page size.

Fixes

    $ qemu-system-x86_64 -nodefaults -S -vnc :0 -m 0.8
    qemu-system-x86_64: /work/armbru/qemu/exec.c:2255: register_subpage: Assertion `existing->mr->subpage || existing->mr == &io_mem_unassigned' failed.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit ff961015529437f4b83fca0a92069aebcf533c9c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-21  pc: Fix RTC CMOS info on RAM for ram_size < 1MiB  (Markus Armbruster)

pc_cmos_init() always claims 640KiB base memory, and ram_size - 1MiB extended memory. The latter can underflow to "lots of extended memory". Fix both, and clean up some.

Note: SeaBIOS currently requires 1MiB of RAM, and doesn't check whether it got enough.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit e89001f72edde37fb36fa7c964daa1bbeb2eca26)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-21  kvm: i8254: Finish time conversion fix  (Jan Kiszka)

0cdd3d1444 fixed reading back the counter load time from the kernel while assuming the kernel would always update its load time on writing the state. That is only true for channel 1, and so pit_get_channel_info returned wrong output pin states for high counter values.

Fix this by applying the offset also on kvm_pit_put. Now we also need to update the offset when we write the state while the VM is stopped as it keeps on changing in that state.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit 050a46065de8e3d4ee5a04f5598d666f63d34800)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-21  kvm: i8254: Cache kernel clock offset in KVMPITState  (Jan Kiszka)

To prepare the final fix for clock calibration issues with the in-kernel PIT, we want to cache the offset between vmclock and the clock used by the in-kernel PIT. So far, we only need to update it when the VM state changes between running and stopped because we only read the in-kernel PIT state while the VM is running.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit 205df4d1a87cbb14a50655fb2c0a987467fb29d6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

2012-08-21  ahci: Fix ahci cdrom read corruptions for reads > 128k  (Jason Baron)

While testing q35, which has its cdrom attached to the ahci controller, I found that the Fedora 17 install would panic on boot. The panic occurs while squashfs is trying to read from the cdrom. The errors are:

    [ 8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
    [ 8.625180] SQUASHFS error: squashfs_read_data failed to read block 0x20be48a

I was also able to produce corrupt data reads using an installed piix based qemu machine, using 'dd'. I found that the corruptions were only occurring when the read size was greater than 128k. For example, the following command results in corrupted reads:

    dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct

The > 128k size reads exercise a different code path than 128k and below. In ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus, ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k. However, ahci_dma_rw_buf() restarts the read from offset 0, instead of at 128k, thus resulting in a corrupted read.

To fix this, I've introduced an 'io_buffer_offset' field in IDEState to keep track of the offset. I've also modified ahci_populate_sglist() to take a new 3rd offset argument, so that the sglist is properly initialized.

I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots and installs on q35 with the cdrom ahci controller.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Tested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 61f52e06f0a21bab782f98ef3ea789aa6d0aa046)

Conflicts:
    hw/ide/ahci.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>