path: root/hw
Age | Commit message | Author
2012-05-24 | es1370: Fix debug code | Stefan Weil
When DEBUG_ES1370 is defined, the compiler shows these warnings:
  hw/es1370.c: In function ‘es1370_update_voices’:
  hw/es1370.c:414: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘size_t’
  hw/es1370.c: In function ‘es1370_writel’:
  hw/es1370.c:582: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
  hw/es1370.c:592: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
  hw/es1370.c:609: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
  hw/es1370.c: In function ‘es1370_readl’:
  hw/es1370.c:751: warning: suggest braces around empty body in an ‘if’ statement
Fix the format strings and add the missing braces.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-21 | xen: Fix PV-on-HVM | Anthony PERARD
In the context of PV-on-HVM under Xen, the emulated nics are supposed to be unplugged before the guest drivers are initialized, when the guest writes to a specific IO port. Without this patch, the guest ends up with two nics with the same MAC, the emulated nic and the PV nic.
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | qdev: Fix memory leak | dunrong huang
The str allocated in visit_type_str was not freed. The visit_type_str function is an input visitor (<QMP/String/etc>-to-native) here, it will allocate memory for caller, so the caller is responsible for freeing the memory.
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: dunrong huang <riegamaths@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | virtio: check virtio_load return code | Orit Wassermann
Otherwise we crash on error.
Signed-off-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Orit Wassermann <owasserm@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | virtio-blk: always enable VIRTIO_BLK_F_SCSI | Paolo Bonzini
VIRTIO_BLK_F_SCSI is supposed to mean whether the host can *parse* SCSI requests, not *execute* them. You could run QEMU with scsi=on and a file-backed disk, and QEMU would fail all SCSI requests even though it advertises VIRTIO_BLK_F_SCSI.
Because we need to do this to fix a migration compatibility problem related to how QEMU is invoked by management, we must do this unconditionally even on older machine types. This more or less assumes that no one ever invoked QEMU with scsi=off.
Here is how testing goes:
- old QEMU, scsi=on -> new QEMU, scsi=on
- new QEMU, scsi=on -> old QEMU, scsi=on
- old QEMU, scsi=off -> new QEMU, scsi=on
- new QEMU, scsi=off -> old QEMU, scsi=on
    ok (new QEMU has VIRTIO_BLK_F_SCSI, adding host features is fine)
- old QEMU, scsi=off -> new QEMU, scsi=off
    ok (new QEMU has VIRTIO_BLK_F_SCSI, adding host features is fine)
- old QEMU, scsi=on -> new QEMU, scsi=off
    ok, bug fixed
- new QEMU, scsi=on -> old QEMU, scsi=off
    doesn't work (same as: old QEMU, scsi=on -> old QEMU, scsi=off)
- new QEMU, scsi=off -> old QEMU, scsi=off
    broken by the patch
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | virtio-blk: define VirtIOBlkConf | Paolo Bonzini
We will have to add another field to the virtio-blk configuration in the next patch. Avoid a proliferation of arguments to virtio_blk_init.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | virtio-blk: blockdev_mark_auto_del is transport-independent | Paolo Bonzini
Move it from virtio_blk_exit_pci to virtio_blk_exit. This is included here because the next patch removes proxy->block.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | virtio-blk: report non-zero status when failing SG_IO requests | Paolo Bonzini
Linux really looks only at scsi->errors for SG_IO requests; it does not look at the virtio request status at all. Because of this, when a SG_IO request is failed early with virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP), without writing hdr.status, it will look like a success to the guest.
This is their bug, but we can make it safe for older guests now by forcing scsi->errors to have a non-zero value whenever a request has to be failed.
But if we fix the bug in the guest driver, we will have another problem because QEMU returns VIRTIO_BLK_S_IOERR if the status is non-zero, and Linux translates that to -EIO. Rather, the guest should succeed the request and pass the non-zero status via the userspace-provided SG_IO structure. So, remove the case where virtio_blk_handle_scsi can return VIRTIO_BLK_S_IOERR.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-21 | use an uint64_t for the max_sz parameter in load_image_targphys | Mark Langsdorf
Allow load_image_targphys to load files on systems with more than 2G of emulated memory by changing the max_sz parameter from an int to an uint64_t.
Reviewed-by: Andreas Färber <afaerber@suse.de>
Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Mark Langsdorf <mark.langsdorf@calxeda.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-19 | virtio-pci: add missing 'static' | Blue Swirl
There are no outside references to virtio_portio. Add missing 'static' specifier.
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-05-19 | sparc64: fix initrd loading | Blue Swirl
Initrd load address is too low, it conflicts with kernel load address:
  rom: requested regions overlap (rom phdr #0: /tmp/vmlinux-debian-6.0.4-sparc64. free=0x0000000000742519, addr=0x0000000000400000)
  rom loading failed
Fix by making the initrd address variable, load initrd after kernel image. Use 64 bit variables instead of longs or 32 bit types.
Tested-by: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-05-14 | Merge remote-tracking branch 'afaerber-or/qom-1.1' into staging | Anthony Liguori
* afaerber-or/qom-1.1:
  mips_fulong2e: Don't register "cpu" VMState twice
  pc: Add back PCI.rombar compat property
  qdev: Fix adding of ptr properties
  qdev: Use object_property_print() in info qtree
  target-i386: Defer MCE init
  qom: Documentation addition for object_class_by_name()
  target-mips: Remove commented-out function declaration
2012-05-14 | Merge remote-tracking branch 'kraxel/usb.50' into staging | Anthony Liguori
* kraxel/usb.50:
  usb-host: handle guest-issued clear halt
2012-05-14 | Merge remote-tracking branch 'spice/spice.v55' into staging | Anthony Liguori
* spice/spice.v55:
  qxl: set size of PCI IO BAR correctly (16) for revision 2
2012-05-14 | Merge remote-tracking branch 'sweil/for-1.1' into staging | Anthony Liguori
* sweil/for-1.1:
  qemu-doc: Use QEMU instead of qemu for product name
  qemu-doc: Fix executable name in examples
  qemu-doc: Add missing parameter in description of -D option
  configure: Use QEMU instead of Qemu
  fix some common typos
  qemu-timer: Fix wrong error message
2012-05-14 | qdev: fix -device foo,? | Paolo Bonzini
Since most property types do not have a parse property now, this was broken. Fix it by looking at the setter instead.
Reviewed-by: Anthony Liguori <aliguori@us.ibm.com>
Acked-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-05-14 | usb-host: handle guest-issued clear halt | Gerd Hoffmann
Most important here is to update our internal endpoint state so we know the endpoint isn't in halted state any more. Without this usb-host tries to clear halt again with the next data transfer submitted. Doing this twice is (a) not correct and (b) confuses some usb devices, rendering them non-functional in the guest.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-14 | qxl: set size of PCI IO BAR correctly (16) for revision 2 | Uri Lublin
Also move it up into switch(qxl->revision) block
Signed-off-by: Uri Lublin <uril@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-14 | fix some common typos | Jim Meyering
These were identified using: http://github.com/lyda/misspell-check and run like this to create a bourne shell script using GNU sed's -i option:
  git ls-files|grep -vF .bin | misspellings -f - |grep -v '^ERROR:' |perl \
    -pe 's/^(.*?)\[(\d+)\]: (\w+) -> "(.*?)"$/sed -i '\''${2}s!$3!$4!'\'' $1/'
Manually eliding the FP, "rela->real" and resolving "addres" to address (not "adders") we get this:
  sed -i '450s!thru!through!' Changelog
  sed -i '260s!neccessary!necessary!' coroutine-sigaltstack.c
  sed -i '54s!miniscule!minuscule!' disas.c
  sed -i '1094s!thru!through!' hw/usb/hcd-ehci.c
  sed -i '1095s!thru!through!' hw/usb/hcd-ehci.c
  sed -i '21s!unecessary!unnecessary!' qapi-schema-guest.json
  sed -i '307s!explictly!explicitly!' qemu-ga.c
  sed -i '490s!preceeding!preceding!' qga/commands-posix.c
  sed -i '792s!addres!address!' qga/commands-posix.c
  sed -i '6s!beeing!being!' tests/tcg/test-mmap.c
Also, manually fix "arithmentic", spotted by Peter Maydell:
  sed -i 's!arithmentic!arithmetic!' coroutine-sigaltstack.c
Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2012-05-13 | mips_fulong2e: Don't register "cpu" VMState twice | Juan Quintela
We have the following simplified callgraph in mips_fulong2e_init():
  cpu_init() => cpu_mips_init()
    object_new()
      mips_cpu_initfn()
        cpu_exec_init()
          register_savevm(NULL, "cpu", cpu_index, CPU_SAVE_VERSION, cpu_save, cpu_load, env)
  register_savevm(NULL, "cpu", 0, 3, cpu_save, cpu_load, env)
CPU_SAVE_VERSION is defined as 3 in target-mips/cpu.h. fulong2e instantiates one CPU, so its cpu_index is 0. Thus the two are fully identical. Therefore just remove the second call in fulong2e.
Signed-off-by: Juan Quintela <quintela@redhat.com>
[AF: Extend explanation in commit message]
Signed-off-by: Andreas Färber <afaerber@suse.de>
2012-05-13 | pc: Add back PCI.rombar compat property | Paolo Bonzini
This was erroneously dropped in d6c730086cbf24382eb8cff25551798769edfd84 (pc: reduce duplication in compat machine types).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
2012-05-12 | qdev: Fix adding of ptr properties | Anthony Liguori
ptr properties have neither a get/set or a print/parse which means that when they're added they aren't treated as static or legacy properties. Just assume properties like this are legacy properties and treat them as such.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2012-05-12 | qdev: Use object_property_print() in info qtree | Paolo Bonzini
Otherwise, non-string properties without a legacy counterpart are missed. Also fix error propagation in object_property_print() itself.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2012-05-12 | sun4u: implement interrupt clearing registers | Artyom Tarasenko
Implement registers for clearing OBIO and PCI interrupts
Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-05-12 | sun4u: initialize OBIO interrupt mappings | Artyom Tarasenko
Similarly to PCI interrupt mappings, the OBIO ones have to be initialized.
Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2012-05-08 | Merge remote-tracking branch 'mst/tags/for_anthony' into staging | Anthony Liguori
* mst/tags/for_anthony:
  rtl8139: fix regression in TxStatus/TxAddr read
2012-05-08 | Merge remote-tracking branch 'kwolf/for-anthony' into staging | Anthony Liguori
* kwolf/for-anthony:
  fdc: simplify media change handling
  qcow2: lock on prealloc
  block: make bdrv_create adopt coroutine
  qcow2: Limit COW to where it's needed
  sheepdog: switch to writethrough mode if cluster doesn't support flush
2012-05-08 | Merge remote-tracking branch 'bonzini/scsi-next' into staging | Anthony Liguori
* bonzini/scsi-next:
  scsi: Add assertion for use-after-free errors
  scsi: remove useless debug messages
  scsi: set VALID bit to 0 in fixed format sense data
  scsi: do not require a minimum allocation length for REQUEST SENSE
  scsi: do not require a minimum allocation length for INQUIRY
  scsi: parse 16-byte tape CDBs
  scsi: do not report bogus overruns for commands in the 0x00-0x1F range
  scsi-disk: add dpofua property
  scsi: change "removable" field to host many features
  scsi: Specify the xfer direction for UNMAP and ATA_PASSTHROUGH commands
  scsi: fix WRITE SAME transfer length and direction
  scsi: fix refcounting for reads
  scsi: prevent data transfer overflow
  ISCSI: Add support for thin-provisioning via discard/UNMAP and bigger LUNs
2012-05-08 | Merge remote-tracking branch 'spice/spice.v54' into staging | Anthony Liguori
* spice/spice.v54:
  qxl: don't assert on guest create_guest_primary
  qxl: ioport_write: remove guest trigerrable abort
  qxl: qxl_add_memslot: remove guest trigerrable panics
  qxl: interface_notify_update: remove guest trigerrable abort
  qxl: cleanup s/__FUNCTION__/__func__/
  qxl: don't abort on guest trigerrable ring indices mismatch
  qxl: fix > 80 chars line
  qxl: replace panic with guest bug in qxl_track_command
  qxl: check for NULL return from qxl_phys2virt
  hw/qxl.c: qxl_phys2virt: replace panics with guest_bug
  spice_info: add mouse_mode
  spice: require spice-protocol >= 0.8.1
2012-05-08 | Merge remote-tracking branch 'sweil/fixes' into staging | Anthony Liguori
* sweil/fixes:
  qemu-timer: Fix limits for w32 mmtimer
  qom: Fix memory leak in function container_get
  hw/pc_sysfw: Fix memory leak
  qdev: Fix memory leak in function set_pci_devfn
  arm-semi: Rename SYS_XXX macros to TARGET_SYS_XXX (fixes compiler warning)
  target-mips: Remove unused inline function
2012-05-08 | rtl8139: fix regression in TxStatus/TxAddr read | Avi Kivity
Commit afe0a595356192 added byte reads for TxStatus/TxAddr, but broke 32-bit reads; the mask generation (1 << (8 * size)) - 1 is unspecified in C for size >= sizeof(int), and in fact returns 0 on x86. Fix by using a larger type.
Fixes (at least) Fedora 9 i386 with -machine kernel_irqchip=on. I didn't see it with the qemu APIC implementation; may be due to timing or (more likely) a tester error.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2012-05-07 | fdc: simplify media change handling | Hervé Poussineau
This also (partly) fixes IBM OS/2 Warp 4.0 floppy installation, where not all floppies have the same format (2x80x18 for the first ones, 2x80x23 for the next ones).
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-05-07 | hw/ac97: Mask out the EAPD bit on Powerdown Ctrl/Stat writes | Hans de Goede
The Linux AC97 driver tests this bit to decide whether or not to show an External amplifier toggle control.
This patch was also tested with a Windows XP guest without any issues.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-07 | hw/ac97: Mask out unused bits of volume controls | Hans de Goede
The Linux ac97 driver does a number of register read/write tests to see how much resolution a volume control actually has. This patch takes this into account by masking out any bits written to a volume control reg which should not be there according to the spec.
After this the Linux ac97 driver correctly uses a range of 0 - 0x1f for the PCM out volume, as stated in the spec, and we can fix the FIXME in update_combined_volume_out().
This patch was also tested with a Windows XP guest without any issues.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-07 | hw/ac97: Use AC97_Record_Gain_Mute not AC97_Line_In_Volume_Mute | Hans de Goede
After commit 19677a380a70348134ed7650b294522617eb03fc: "hw/ac97: add support for volume control"
We are (correctly) using AC97_Record_Gain_Mute and not AC97_Line_In_Volume_Mute for recording volume, but various places in hw/ac97 were still assuming that we are using AC97_Line_In_Volume_Mute for record volume control, this patch fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-07 | hw/ac97: Make a bunch of mixer registers read only | Hans de Goede
The Linux ac97 driver tries to see if optional things like video input volume control are available in 2 ways:
1) See if the mute bit is set after reset, if it is no further tests are done
2) If the mute bit is not set it does a write/read test of the mute bit
This patch changes our ac97 to conform to what the Linux driver expects, it initializes registers for things which we don't emulate to 0 (so the mute bit is not set) and makes them read only.
This causes Linux to no longer show the following (functionless) controls in alsamixer:
  Master Mono vol + mute
  3d Control toggle
  PCM out pre / post 3d select
  Surround toggle
  CD vol + mute
  Mic vol + mute
  Mic boost toggle
  Mic mic1 / mic2 select
  Video vol + mute
  Phone vol + mute
  Beep mono vol + mute
  Aux vol + mute
  Mono "output mic" / "mix" select
  Sigmatel 4 speaker stereo toggle
  Sigmatel ADC 6Db att toggle
  Sigmatel DAC 6Db att toggle
This patch was also tested with a Windows XP guest and there it also makes a number of functionless mixer controls go away.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-07 | hw/ac97: Fix log message in mixer_load | Hans de Goede
Fix a small copy and paste error in logging.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
2012-05-07 | scsi: Add assertion for use-after-free errors | Stefan Weil
The QEMU emulation which is currently used with Raspberry PI images (qemu-system-arm -M versatilepb ...) accesses memory which was freed.
Valgrind output (extract):
  ==17857== Invalid write of size 4
  ==17857== at 0x24EB06: scsi_req_unref (scsi-bus.c:1273)
  ==17857== by 0x24FFAE: scsi_read_complete (scsi-disk.c:277)
  ==17857== by 0x152ACC: bdrv_co_em_bh (block.c:3363)
  ==17857== by 0x13D49C: qemu_bh_poll (async.c:71)
  ==17857== by 0x211A8C: main_loop_wait (main-loop.c:503)
  ==17857== by 0x207954: main_loop (vl.c:1555)
  ==17857== by 0x20E9C9: main (vl.c:3653)
  ==17857== Address 0x1c54383c is 12 bytes inside a block of size 260 free'd
  ==17857== at 0x4824B3A: free (vg_replace_malloc.c:366)
  ==17857== by 0x20ADFA: free_and_trace (vl.c:2250)
  ==17857== by 0x4899FC5: g_free (in /lib/libglib-2.0.so.0.2400.1)
  ==17857== by 0x24EB3B: scsi_req_unref (scsi-bus.c:1277)
  ==17857== by 0x24F003: scsi_req_complete (scsi-bus.c:1383)
  ==17857== by 0x25022A: scsi_read_data (scsi-disk.c:334)
  ==17857== by 0x24EB9F: scsi_req_continue (scsi-bus.c:1289)
  ==17857== by 0x1C7787: lsi_do_dma (lsi53c895a.c:575)
  ==17857== by 0x1C8CDA: lsi_execute_script (lsi53c895a.c:1147)
  ==17857== by 0x1C74EA: lsi_resume_script (lsi53c895a.c:510)
  ==17857== by 0x1C7ECD: lsi_transfer_data (lsi53c895a.c:746)
  ==17857== by 0x24EC90: scsi_req_data (scsi-bus.c:1307)
(There are some more similar messages.)
This patch adds an assertion which also detects those errors: Calling scsi_req_unref is not allowed when the previous call of that function has decremented refcount to 0, because in this case req was freed.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: remove useless debug messages | Paolo Bonzini
Optional inquiry information is declared obsolete in the latest versions of the standard; invalid CDBs or unsupported VPD pages are supported can be diagnosed with trace_scsi_inquiry.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: set VALID bit to 0 in fixed format sense data | Paolo Bonzini
The INFORMATION field (bytes 3..6) is never set by QEMU, so the VALID bit must be 0.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: do not require a minimum allocation length for REQUEST SENSE | Paolo Bonzini
The requirements on the REQUEST SENSE buffer size are not in my copy of SPC (SPC-4 r27) and not observed by LIO. Rip them out.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: do not require a minimum allocation length for INQUIRY | Paolo Bonzini
The requirements on the INQUIRY buffer size are not in my copy of SPC (SPC-4 r27) and not observed by LIO. Rip them out.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: parse 16-byte tape CDBs | Paolo Bonzini
The transfer length for these commands is different from the transfer length of the corresponding disk commands, so parse it specially.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: do not report bogus overruns for commands in the 0x00-0x1F range | Paolo Bonzini
Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only needed for READ_6 and WRITE_6. No other command in that range needs that special-casing, and the resulting overrun breaks scsi-testsuite's attempt to use command 2 as a known-invalid command.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi-disk: add dpofua property | Paolo Bonzini
Linux expects REQ_FUA to be advertised only if WRITE+FUA is faster than WRITE+SYNCHRONIZE CACHE, so we should not set the DPOFUA bit. However, it is useful to have it for testing purposes, so add a qdev property to set it.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07 | scsi: change "removable" field to host many features | Paolo Bonzini
It is pointless to add a uint32_t field for every new feature. Since we will need a new feature soon, convert accesses to "removable" to look at bit 0 only.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04 | scsi: Specify the xfer direction for UNMAP and ATA_PASSTHROUGH commands | Ronnie Sahlberg
scsi_cmd_xfer_mode() is used to specify the xfer direction for SCSI commands that come in from the guest. If the direction is set incorrectly this will eventually cause QEMU to kernel-panic the guest.
Add UNMAP and ATAPASSTHROUGH as commands that send data to the device. Without this change, recent kernels will send both UNMAP as well as ATAPASSTHROUGH commands to any /dev/sg* device, which due to the incorrect xfer direction very quickly causes the guest kernel to crash.
Example causing a crash without the patch applied:
  ./x86_64-softmmu/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom linuxmint-12-gnome-dvd-64bit.iso -drive file=/dev/sg4,if=scsi,bus=0,unit=6
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04 | scsi: fix WRITE SAME transfer length and direction | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04 | scsi: fix refcounting for reads | Paolo Bonzini
Recently introduced FUA support also gave us a use-after-free of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced reference counting.
The patch fixes this by making scsi_do_read look like a combination of scsi_*_complete + scsi_*_data. It does both a ref (like scsi_read_data) and an unref (like scsi_flush_complete).
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04 | scsi: prevent data transfer overflow | Paolo Bonzini
Avoid sending more than 2GB of data, as that can cause overflows in int32_t variables.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>