aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)AuthorFilesLines
2012-05-08Merge remote-tracking branch 'mst/tags/for_anthony' into stagingAnthony Liguori1-1/+1
* mst/tags/for_anthony: rtl8139: fix regression in TxStatus/TxAddr read
2012-05-08Merge remote-tracking branch 'kwolf/for-anthony' into stagingAnthony Liguori1-18/+11
* kwolf/for-anthony: fdc: simplify media change handling qcow2: lock on prealloc block: make bdrv_create adopt coroutine qcow2: Limit COW to where it's needed sheepdog: switch to writethrough mode if cluster doesn't support flush
2012-05-08Merge remote-tracking branch 'bonzini/scsi-next' into stagingAnthony Liguori3-73/+94
* bonzini/scsi-next: scsi: Add assertion for use-after-free errors scsi: remove useless debug messages scsi: set VALID bit to 0 in fixed format sense data scsi: do not require a minimum allocation length for REQUEST SENSE scsi: do not require a minimum allocation length for INQUIRY scsi: parse 16-byte tape CDBs scsi: do not report bogus overruns for commands in the 0x00-0x1F range scsi-disk: add dpofua property scsi: change "removable" field to host many features scsi: Specify the xfer direction for UNMAP and ATA_PASSTHROUGH commands scsi: fix WRITE SAME transfer length and direction scsi: fix refcounting for reads scsi: prevent data transfer overflow ISCSI: Add support for thin-provisioning via discard/UNMAP and bigger LUNs
2012-05-08Merge remote-tracking branch 'spice/spice.v54' into stagingAnthony Liguori4-54/+162
* spice/spice.v54: qxl: don't assert on guest create_guest_primary qxl: ioport_write: remove guest trigerrable abort qxl: qxl_add_memslot: remove guest trigerrable panics qxl: interface_notify_update: remove guest trigerrable abort qxl: cleanup s/__FUNCTION__/__func__/ qxl: don't abort on guest trigerrable ring indices mismatch qxl: fix > 80 chars line qxl: replace panic with guest bug in qxl_track_command qxl: check for NULL return from qxl_phys2virt hw/qxl.c: qxl_phys2virt: replace panics with guest_bug spice_info: add mouse_mode spice: require spice-protocol >= 0.8.1
2012-05-08Merge remote-tracking branch 'sweil/fixes' into stagingAnthony Liguori2-0/+4
* sweil/fixes: qemu-timer: Fix limits for w32 mmtimer qom: Fix memory leak in function container_get hw/pc_sysfw: Fix memory leak qdev: Fix memory leak in function set_pci_devfn arm-semi: Rename SYS_XXX macros to TARGET_SYS_XXX (fixes compiler warning) target-mips: Remove unused inline function
2012-05-08rtl8139: fix regression in TxStatus/TxAddr readAvi Kivity1-1/+1
Commit afe0a595356192 added byte reads for TxStatus/TxAddr, but broke 32-bit reads; the mask generation (1 << (8 * size)) - 1 is unspecified in C for size >= sizeof(int), and in fact returns 0 on x86. Fix by using a larger type. Fixes (at least) Fedora 9 i386 with -machine kernel_irqchip=on. I didn't see it with the qemu APIC implementation; may be due to timing or (more likely) a tester error. Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2012-05-07fdc: simplify media change handlingHervé Poussineau1-18/+11
This also (partly) fixes IBM OS/2 Warp 4.0 floppy installation, where not all floppies have the same format (2x80x18 for the first ones, 2x80x23 for the next ones). Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-05-07hw/ac97: Mask out the EAPD bit on Powerdown Ctrl/Stat writesHans de Goede1-1/+1
The Linux AC97 driver tests this bit to decide wether or not to show an External amplifier toggle control. This patch was also tested with a Windows XP guest without any issues. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: malc <av1474@comtv.ru>
2012-05-07hw/ac97: Mask out unused bits of volume controlsHans de Goede1-5/+15
The Linux ac97 drivers does a number of register read/write tests to see how much resolution a volume control actually has. This patch takes this into account by masking out any bits written to a volume control reg which should not be there according to the spec. After this the Linux ac97 driver correctly uses a range of 0 - 0x1f for the PCM out volume, as stated in the spec, and we can fix the FIXME in update_combined_volume_out(). This patch was also tested with a Windows XP guest without any issues. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: malc <av1474@comtv.ru>
2012-05-07hw/ac97: Use AC97_Record_Gain_Mute not AC97_Line_In_Volume_MuteHans de Goede1-4/+5
After commit 19677a380a70348134ed7650b294522617eb03fc: "hw/ac97: add support for volume control" We are (correctly) using AC97_Record_Gain_Mute and not AC97_Line_In_Volume_Mute for recording volume, but various places in hw/ac97 were still assumimg that we are using AC97_Line_In_Volume_Mute for record volume control, this patch fixes this. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: malc <av1474@comtv.ru>
2012-05-07hw/ac97: Make a bunch of mixer registers read onlyHans de Goede1-7/+27
The Linux ac97 driver tries to see if optional things like video input volume control are available in 2 ways: 1) See if the mute bit is set after reset, if it is no further tests are done 2) If the mute bit is not set it does a write/read test of the mute bit This patch changes our ac97 to conform to what the Linux driver expects, it initializes registers for things which we don't emulate to 0 (so the mute bit is not set) and makes them read only. This causes Linux to now longer show the following (functionless) controls in alsamixer: Master Mono vol + mute 3d Control toggle PCM out pre / post 3d select Surround toggle CD vol + mute Mic vol + mute Mic boost toggle Mic mic1 / mic2 select Video vol + mute Phone vol + mute Beep mono vol + mute Aux vol + mute Mono "output mic" / "mix" select Sigmatel 4 speaker stereo toggle Sigmatel ADC 6Db att toggle Sigmatel DAC 6Db att toggle This patch was also tested with a Windows XP guest and there it also makes a number of functionless mixer controls go away. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: malc <av1474@comtv.ru>
2012-05-07hw/ac97: Fix log message in mixer_loadHans de Goede1-1/+1
Fix a small copy and paste error in logging. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: malc <av1474@comtv.ru>
2012-05-07scsi: Add assertion for use-after-free errorsStefan Weil1-0/+1
The QEMU emulation which is currently used with Raspberry PI images (qemu-system-arm -M versatilepb ...) accesses memory which was freed. Valgrind output (extract): ==17857== Invalid write of size 4 ==17857== at 0x24EB06: scsi_req_unref (scsi-bus.c:1273) ==17857== by 0x24FFAE: scsi_read_complete (scsi-disk.c:277) ==17857== by 0x152ACC: bdrv_co_em_bh (block.c:3363) ==17857== by 0x13D49C: qemu_bh_poll (async.c:71) ==17857== by 0x211A8C: main_loop_wait (main-loop.c:503) ==17857== by 0x207954: main_loop (vl.c:1555) ==17857== by 0x20E9C9: main (vl.c:3653) ==17857== Address 0x1c54383c is 12 bytes inside a block of size 260 free'd ==17857== at 0x4824B3A: free (vg_replace_malloc.c:366) ==17857== by 0x20ADFA: free_and_trace (vl.c:2250) ==17857== by 0x4899FC5: g_free (in /lib/libglib-2.0.so.0.2400.1) ==17857== by 0x24EB3B: scsi_req_unref (scsi-bus.c:1277) ==17857== by 0x24F003: scsi_req_complete (scsi-bus.c:1383) ==17857== by 0x25022A: scsi_read_data (scsi-disk.c:334) ==17857== by 0x24EB9F: scsi_req_continue (scsi-bus.c:1289) ==17857== by 0x1C7787: lsi_do_dma (lsi53c895a.c:575) ==17857== by 0x1C8CDA: lsi_execute_script (lsi53c895a.c:1147) ==17857== by 0x1C74EA: lsi_resume_script (lsi53c895a.c:510) ==17857== by 0x1C7ECD: lsi_transfer_data (lsi53c895a.c:746) ==17857== by 0x24EC90: scsi_req_data (scsi-bus.c:1307) (There are some more similar messages.) This patch adds an assertion which also detects those errors: Calling scsi_req_unref is not allowed when the previous call of that function has decremented refcount to 0, because in this case req was freed. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: remove useless debug messagesPaolo Bonzini1-13/+0
Optional inquiry information is declared obsolete in the latest versions of the standard; invalid CDBs or unsupported VPD pages are supported can be diagnosed with trace_scsi_inquiry. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: set VALID bit to 0 in fixed format sense dataPaolo Bonzini1-2/+2
The INFORMATION field (bytes 3..6) is never set by QEMU, so the VALID bit must be 0. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: do not require a minimum allocation length for REQUEST SENSEPaolo Bonzini1-5/+2
The requirements on the REQUEST SENSE buffer size are not in my copy of SPC (SPC-4 r27) and not observed by LIO. Rip them out. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: do not require a minimum allocation length for INQUIRYPaolo Bonzini2-19/+0
The requirements on the INQUIRY buffer size are not in my copy of SPC (SPC-4 r27) and not observed by LIO. Rip them out. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: parse 16-byte tape CDBsPaolo Bonzini2-0/+11
The transfer length for these commands is different from the transfer length of the corresponding disk commands, so parse it specially. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: do not report bogus overruns for commands in the 0x00-0x1F rangePaolo Bonzini1-6/+10
Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only needed for READ_6 and WRITE_6. No other command in that range needs that special-casing, and the resulting overrun breaks scsi-testsuite's attempt to use command 2 as a known-invalid command. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi-disk: add dpofua propertyPaolo Bonzini1-1/+6
Linux expects REQ_FUA to be advertised only if WRITE+FUA is faster than WRITE+SYNCHRONIZE CACHE, so we should not set the DPOFUA bit. However, it is useful to have it for testing purposes, so add a qdev property to set it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-07scsi: change "removable" field to host many featuresPaolo Bonzini1-8/+15
It is pointless to add a uint32_t field for every new feature. Since we will need a new feature soon, convert accesses to "removable" to look at bit 0 only. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04scsi: Specify the xfer direction for UNMAP and ATA_PASSTHROUGH commandsRonnie Sahlberg1-0/+2
scsi_cmd_xfer_mode() is used to specify the xfer direction for SCSI commands that come in from the guest. If the direction is set incorrectly this will eventually cause QEMU to kernel-panic the guest. Add UNMAP and ATAPASSTHROUGH as commands that send data to the device. Without this change, recent kernels will send both UNMAP as well as ATAPASSTHROUGH commands to any /dev/sg* device, which due to the incorrect xfer direction very quickly causes the guest kernel to crash. Example causing a crash without the patch applied: ./x86_64-softmmu/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom linuxmint-12-gnome-dvd-64bit.iso -drive file=/dev/sg4,if=scsi,bus=0,unit=6 Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04scsi: fix WRITE SAME transfer length and directionPaolo Bonzini2-7/+12
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04scsi: fix refcounting for readsPaolo Bonzini1-0/+7
Recently introduced FUA support also gave us a use-after-free of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced reference counting. The patch fixes this by making scsi_do_read look like a combination of scsi_*_complete + scsi_*_data. It does both a ref (like scsi_read_data) and an unref (like scsi_flush_complete). Reported-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-04scsi: prevent data transfer overflowPaolo Bonzini1-12/+26
Avoid sending more than 2GB of data, as that can cause overflows in int32_t variables. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-05-03qxl: don't assert on guest create_guest_primaryAlon Levy1-1/+4
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: ioport_write: remove guest trigerrable abortAlon Levy1-2/+1
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: qxl_add_memslot: remove guest trigerrable panicsAlon Levy1-7/+20
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: interface_notify_update: remove guest trigerrable abortAlon Levy1-2/+7
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: cleanup s/__FUNCTION__/__func__/Alon Levy1-1/+1
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: don't abort on guest trigerrable ring indices mismatchAlon Levy1-12/+39
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: fix > 80 chars lineAlon Levy1-2/+2
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: replace panic with guest bug in qxl_track_commandAlon Levy1-1/+5
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03qxl: check for NULL return from qxl_phys2virtAlon Levy4-20/+64
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03hw/qxl.c: qxl_phys2virt: replace panics with guest_bugAlon Levy1-6/+19
Signed-off-by: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-05-03hw/pc_sysfw: Fix memory leakStefan Weil1-0/+3
Valgrind reported this memory leak which occured a few times. Test scenario: qemu-system-i386 (no arguments), only BIOS started, terminate with monitor command (quit). Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Andreas Färber <afaerber@suse.de>
2012-05-03qdev: Fix memory leak in function set_pci_devfnStefan Weil1-0/+1
Valgrind reported this memory leak which occured very often. Test scenario: qemu-system-i386 (no arguments), only BIOS started, terminate with monitor command (quit). v2: Use error_free instead of g_free (hint from Andreas Färber, thanks). Signed-off-by: Stefan Weil <sw@weilnetz.de> Acked-by: Andreas Färber <afaerber@suse.de>
2012-05-02ATA: Allow WIN_SECURITY_FREEZE_LOCK as nopAlexander Graf1-1/+6
When using Windows 8 with an AHCI disk drive, it issues a blue screen. The reason is that WIN_SECURITY_FREEZE_LOCK / CFA_WEAR_LEVEL is not supported by our ATA implementation, but Windows expects it to be there. Since without security stuff implemented, the lock would be a nop anyway and CFA_WEAR_LEVEL already is treated as a nop, let's just allow the cmd for HD drives as well. That way Windows is happy. Signed-off-by: Alexander Graf <agraf@suse.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-05-01Merge remote-tracking branch 'agraf/s390-for-upstream' into stagingAnthony Liguori3-2/+45
* agraf/s390-for-upstream: s390: reset avail and used index on reboot S390: dont call system_shutdown on disabled wait S390: remove default cdrom, sd-card and floppy support S390: support reboot for kvm on s390 S390: reboot: reset device pages on reboot S390: fix error handling on kernel and initrd failures S390: fix kernel_commandline handling
2012-05-01ppce500_spin: Replace assert by hw_error (fixes compiler warning)Stefan Weil1-1/+1
The default case in function spin_read should never be reached, therefore the old code used assert(0) to abort QEMU. This does not work when QEMU is compiled with macro NDEBUG defined. In this case (and also when the compiler does not know that assert never returns), there is a compiler warning because of the missing return value. Using hw_error allows an improved error message and aborts always. Signed-off-by: Stefan Weil <sw@weilnetz.de> [agraf: use __func__] Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01pseries: Fix use of global CPU statePeter Portante1-1/+1
Commit ed120055c7f9b26b5707d3ceabbe5a3f06aaf937 (Implement PAPR VPA functions for pSeries shared processor partitions) introduced the deregister_dtl() function and typo "emv" as name of its argument. This went unnoticed because the code in that function can access the global variable "env" so that no build failure resulted. Fix the argument to read "env". Resolves LP#986241. Signed-off-by: Peter Portante <peter.portante@redhat.com> Acked-by: Andreas Färber <afaerber@suse.de> [agraf: fixed typo in commit message] Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01pseries: Use the same interrupt swizzling for host bridges as p2p bridgesDavid Gibson2-24/+30
Currently the pseries PCI code uses a somewhat strange scheme of PCI irq allocation - one per slot up to a maximum that's greater than the usual 4. This scheme more or less worked, because we were able to tell the guest the irq mapping in the device tree, however it's a bit odd and may break assumptions in the future. Worse, the array used to construct the dev tree interrupt map was mis-sized, we got away with it only because it happened that our SPAPR_PCI_NUM_LSI value was greater than 7. This patch changes the pseries PCI code to use the same interrupt swizzling scheme as is standardized for PCI to PCI bridges. This makes for better consistency, deals better with any devices which use multiple interrupt pins and will make life easier in the future when we add passthrough of what may be either a host bridge or a PCI to PCI bridge. This won't break existing guests, because they don't assume a particular mapping scheme for host bridges, but just follow what we tell them in the device tree (also updated to match, of course). This patch also fixes the allocation of the irq map. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01pseries: Implement automatic PAPR VIO address allocationDavid Gibson6-40/+49
PAPR virtual IO (VIO) devices require a unique, but otherwise arbitrary, "address" used as a token to the hypercalls which manipulate them. Currently the pseries machine code does an ok job of allocating these addresses when the legacy -net nic / -serial and so forth options are used but will fail to allocate them properly when using -device. Specifically, you can use -device if all addresses are explicitly assigned. Without explicit assignment, only one VIO device of each type (network, console, SCSI) will be assigned properly, any further ones will attempt to take the same address leading to a fatal error. This patch fixes the situation by adding a proper address allocator to the VIO "bus" code. This is used both by -device and the legacy options and default devices. Addresses can still be explicitly assigned with -device options if desired. This patch changes the (guest visible) numbering of VIO devices, but since their addresses are discovered using the device tree and already differ from the numbering found on existing PowerVM systems, this does not break compatibility. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01booke:Use MMU API for creating initial mapping for secondary cpusBharat Bhushan1-0/+1
Initial Mapping creation for secondary CPU in SMP was missing new MMU API. Signed-off-by: Bharat Bhushan <bharat.bhushan@freescale.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01s390: reset avail and used index on rebootJens Freimann3-1/+23
reset the guest vring avail/used idx fields, otherwise it's possible that old values remain in memory which would cause a reboot to fail with a "Guest moved used index" message Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01S390: remove default cdrom, sd-card and floppy supportEinar Lueck1-0/+3
This patch simply disables CDROM, SD card and floppy support for the s390 virtio machine. Without this patch, a default CDROM drive would get added which has currently no backing on s390. Signed-off-by: Einar Lueck <elelueck@de.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01S390: reboot: reset device pages on rebootJens Freimann1-0/+7
This patch fixes reboot on s390 by resetting the device page on reboot. Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01S390: fix error handling on kernel and initrd failuresChristian Borntraeger1-0/+11
If the user specifies a non-existing or non-accessable kernel or initrd qemu does not fail, instead it ipls into the system, which then falls into a program check loop due to the zeroed memory with no kernel. Lets add some sanity checks. Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01S390: fix kernel_commandline handlingChristian Borntraeger1-1/+1
The current handling of kernel parameters is broken. The pointer is always valid, even if no -kernel or -append is specified. We must check if the kernel rom address is valid instead, otherwise qemu might segfault. Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2012-05-01vga: Don't switch to 1 x 1 character text screenStefan Weil1-0/+4
Initially, vga_get_text_resolution returns a text resolution of 1 x 1 (vga register values are 0). This is visible during MIPS Malta boot with SDL. It also occurs with the i386 or x86_64 system emulation when it runs in single step mode: QEMU changes the size of the SDL window to the smallest possible value which is supported by the window manager. As this is not the calculated size, QEMU switches to scaled mode. When the BIOS or the VGA driver sets the normal text resolution, the window stays small and displays microscopic characters. Ignoring text resolutions of 1 x 1 or less avoids these problems. A similar workaround already exists for too large resolutions. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>