qemu_chr_be_generic_open cannot be called with the write lock taken,
because it calls client code that may call qemu_chr_fe_write.  This
actually happens for the monitor:

    0x00007ffff27dbf79 in __GI_raise (sig=sig@entry=6)
    0x00007ffff27df388 in __GI_abort ()
    0x00005555555ef489 in error_exit (err=<optimized out>, msg=msg@entry=0x5555559796d0 <__func__.5959> "qemu_mutex_lock")
    0x00005555558f9080 in qemu_mutex_lock (mutex=mutex@entry=0x555556248a30)
    0x0000555555713936 in qemu_chr_fe_write (s=0x555556248a30, buf=buf@entry=0x5555563d8870 "QEMU 2.0.90 monitor - type 'help' for more information\r\n", len=56)
    0x00005555556217fd in monitor_flush_locked (mon=mon@entry=0x555556251fd0)
    0x0000555555621a12 in monitor_flush_locked (mon=0x555556251fd0)
    monitor_puts (mon=mon@entry=0x555556251fd0, str=0x55555634bfa7 "", str@entry=0x55555634bf70 "QEMU 2.0.90 monitor - type 'help' for more information\n")
    0x0000555555624359 in monitor_vprintf (mon=0x555556251fd0, fmt=<optimized out>, ap=<optimized out>)
    0x0000555555624414 in monitor_printf (mon=<optimized out>, fmt=fmt@entry=0x5555559105a0 "QEMU %s monitor - type 'help' for more information\n")
    0x0000555555629806 in monitor_event (opaque=0x555556251fd0, event=<optimized out>)
    0x000055555571343c in qemu_chr_be_generic_open (s=0x555556248a30)

To avoid this, defer the call to an idle callback, which will be
called as soon as the main loop is re-entered.  In order to simplify
the cleanup and do it in one place only, change pty_chr_close to
call pty_chr_state.

To reproduce, run with "-monitor pty", then try to read from the
slave /dev/pts/FOO that it creates.

Fixes: 9005b2a7
Reported-by: Li Liang <liangx.z.li@intel.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

In the case that the lun number is taken by another scsi device, don't
release the existing device siliently, but report an error to user.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

vga: some cirrus fixes.

# gpg: Signature made Fri 11 Jul 2014 10:38:32 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20140711-1:
  cirrus: Fix host CPU blits
  cirrus: Fix build of debug code
  cirrus_vga: adding sanity check for vram size

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

mtp: linux guest detection fix

# gpg: Signature made Fri 11 Jul 2014 11:32:20 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20140711-1:
  mtp: linux guest detection fix.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

spice: auth fixes

# gpg: Signature made Fri 11 Jul 2014 10:17:15 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/spice/tags/pull-spice-20140711-1:
  spice: auth fixes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

ui/gtk: Restore keyboard focus after Page change

# gpg: Signature made Fri 11 Jul 2014 09:46:21 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20140711-1:
  ui/gtk: Restore keyboard focus after Page change

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Attach a name to the MTP interface (android phones have this too).

With this patch recent linux guests such as fedora 20 happily detect and
use the device.  It shows up in nautilus file manager automatically, and
simple-mtpfs can mount it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

(Resending for correct email addresses via MAINTAINERS ...)

In the GTK UI, after changing focus to the qemu monitor Notebook Page,
when restoring focus to the virtual machine page, the keyboard focus is lost
to a hidden GTK widget. Focus can only be restored to the virtual machine by
pressing "tab" or any of the four directional arrow keys.

Clicking in the window or grabbing/ungrabbing input does not restore keyboard
focus to the child widget.

This patch adjusts the Notebook page switching callback to automatically
steal keyboard focus on the Page switch event, so that keyboard input
does not appear to break or disappear after tabbing to the QEMU monitor.

Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Commit b2eb849d
"CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow" broke
cpu to video blits.

When the ROP function is called from cirrus_bitblt_cputovideo_next(),
we pass 0 for the pitch but only operate on one line at a time. The
added test was tripping because after the initial substraction, the
pitch becomes negative. Make the test only trip when the height is
larger than one (ie. the pitch is actually used).

This fixes HW cursor support in Windows NT4.0 (which otherwise was
a white rectangle) and general display of icons in that OS when using
8bpp mode.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Use PRIu64 to print uint64_t

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

when configure a invalid vram size for cirrus card, such as less
2 MB, which will crash qemu. Follow the real hardware, the cirrus
card has 4 MB video memory. Also for backward compatibility, accept
8 MB and 16 MB vram size.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Set auth to sasl when sasl is enabled, this makes "info spice" correctly
display sasl auth.  Also throw an error in case someone tries to set
a spice password via monitor without auth mode being "spice".

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

* remotes/kvm/uq/master:
  qtest: fix vhost-user-test compilation with old GLib
  mc146818rtc: register the clock reset notifier on the right clock
  oslib-posix: Fix new compiler error with -Wclobbered
  target-i386: Add "kvmclock-stable-bit" feature bit name
  Enforce stack protector usage
  watchdog: fix deadlock with -watchdog-action pause
  mips_malta: Catch kernels linked at wrong address
  mips_malta: Remove incorrect KVM T&E references
  mips/kvm: Disable FPU on reset with KVM
  mips/kvm: Init EBase to correct KSEG0

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Mising G_TIME_SPAN_SECOND definition breaks the RHEL6 compilation as GLib
version before 2.26 does not have it. In such case just define it.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Nikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Commit 884f17c2 (aio / timers: Convert rtc_clock to be a QEMUClockType,
2013-08-21) erroneously changed an occurrence of rtc_clock to
QEMU_CLOCK_REALTIME, which broke the RTC reset notifier in
mc146818rtc.  Fix this.

I redid the patch myself since the original reporter did not sign
off on his.

Cc: qemu-stable@nongnu.org
Reported-by: Lb peace <peaceustc@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Newer versions of gcc report a warning (or an error with -Werror) when
compiler option -Wclobbered (or -Wextra) is active:

util/oslib-posix.c:372:12: error:
 variable ‘hpagesize’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered]

The rewritten code fixes this warning: variable 'hpagesize' is now set and
used in a block without any call of sigsetjmp or similar functions.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM_FEATURE_CLOCKSOURCE_STABLE_BIT is enabled by default and supported
by KVM. But not having a name defined makes QEMU treat it as an unknown
and unmigratable feature flag (as any unknown feature may possibly
require state to be migrated), and disable it by default on "-cpu host".

As a side-effect, the new name also makes the flag configurable,
allowing the user to disable it (which may be useful for testing or for
compatibility with old kernels).

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

If --enable-stack-protector is used is used, configure script try to use
--fstack-protector-strong. In case it's not supported, --fstack-protector-all
is enabled. If both protectors are not supported, configure does not use
any protector at all without any notification.

This patch reports error when user requests stack protector to be used and
both protector modes are not supported. Behavior is not changed in case
user do not use any of --enable-stack-protector/--disable-stack-protector.

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
[Fix non-POSIX operator in test. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

The buffer was being allocated of size string length plus two.
Around the string two quotes were being added, but no terminating NUL.
It was then compared using g_assert_cmpstr(), resulting in fairly random
assertion failures:

 ERROR:tests/test-string-output-visitor.c:213:test_visitor_out_enum: assertion failed (str == str_human): ("\"value1\"" == "\"value1\"\001EEEEEEEEEEEEEE\0171")

There is no g_assert_cmpnstr() counterpart, so use g_strdup_printf()
for safely assembling the string in the first place.

Cc: Hu Tao <hutao@cn.fujitsu.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Suggested-by: Eric Blake <eblake@redhat.com>
Fixes: b4900c0e tests: add human format test for string output visitor
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Hu Tao <hutao@cn.fujitsu.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

qemu_clock_enable says:

/* Disabling the clock will wait for related timerlists to stop
 * executing qemu_run_timers.  Thus, this functions should not
 * be used from the callback of a timer that is based on @clock.
 * Doing so would cause a deadlock.
 */

and it indeed does: vm_stop uses qemu_clock_enable on QEMU_CLOCK_VIRTUAL
and watchdogs are based on QEMU_CLOCK_VIRTUAL, and we get a deadlock.

Use qemu_system_vmstop_request_prepare()/qemu_system_vmstop_request()
instead; yet another alternative could be a BH.

I checked other occurrences of vm_stop and they should not have this
problem.  RUN_STATE_IO_ERROR could in principle (it depends on the
code in the drivers) but it has been fixed by commit 2bd3bce8, "block:
asynchronously stop the VM on I/O errors", 2014-06-05.

Tested-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Add error reporting if the wrong type of kernel is provided for the
current mode of acceleration.

Currently a KVM kernel linked at 0x40000000 can't be used with TCG, and
a normal kernel linked at 0x80000000 can't be used with KVM.

Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Fix the error message and code comments relating to KVM not supporting
booting from the flash mapping when no kernel is provided. The issue is
a general MIPS KVM issue and isn't specific to the Trap & Emulate
version of MIPS KVM.

Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM doesn't yet support the MIPS FPU, or writing to the guest's Config1
register which contains the FPU implemented bit. Clear QEMU's version of
that bit on reset and display a warning that the FPU has been disabled.

The previous incorrect Config1 CP0 register value wasn't being passed to
KVM yet, however we should ensure it is set correctly now to reduce the
risk of breaking migration/loadvm to a future version of QEMU/Linux that
does support it.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Add ULL suffix to 64 bit constant to prevent compiler warnings
on some 32 bit platforms.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Bugfixes for s390x: set subsystem id in the lowcore when booting from the
s390-ccw bios, and set the channel-program address after I/O completion,
when applicable.

# gpg: Signature made Tue 08 Jul 2014 14:18:20 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/s390x-20140708:
  s390x/css: reflect cpa in scsw
  pc-bios/s390-ccw: update binary
  pc-bios/s390-ccw: store proper subsystem information word

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

We neglected to update the the channel-program-address field of the scsw
after completion of the start or the halt function: Fortunately, Linux
didn't miss it so far. Let's update it for the cases where the cpa is
expected to be valid; in some cases, the cpa is 'unpredictable', so we
leave it untouched.

Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

POP chapter 17 requires to store a subsystem information word at 184
during IPL. Furthermore bytes 188-191 should be zero. The bootmap might
contain data blocks that are written to the first page. We have to
write these values after we processed the bootmap and before the final
IPL.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

target-arm queue:
 * fix handling of KVM reset for 32-bit ARM CPUs
 * implement NOR flash alias for vexpress-a9
 * make sure libvixl gets its own utils.h rather than somebody else's

# gpg: Signature made Tue 08 Jul 2014 13:12:05 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20140708:
  target-arm: Implement vCPU reset via KVM_ARM_VCPU_INIT for 32-bit CPUs
  hw/arm/vexpress: Alias NOR flash at 0 for vexpress-a9
  disas/libvixl: prepend the include path of libvixl header files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Implement kvm_arm_vcpu_init() as a simple call to arm_arm_vcpu_init()
(which uses the KVM_ARM_VCPU_INIT vcpu ioctl to tell the kernel
to re-initialize the vCPU), rather than via the complicated code
which saves a copy of the register state on first init and then
writes it back to the kernel. This is much simpler and brings the
32-bit KVM code into line with the 64-bit code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1403802973-20841-1-git-send-email-peter.maydell@linaro.org

Make the vexpress-a9 board alias the first NOR flash region at
address zero, like vexpress-a15. This makes "-bios" actually usable
on this board.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1404310070-3561-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Greg Bellows <greg.bellows@linaro.org>

Currently the Makefile of disas/libvixl appends
-I$(SRC_PATH)/disas/libvixl to QEMU_CFLAGS. As a consequence C++ files
that #include "utils.h", such as disas/libvixl/a64/instructions-a64.cc,
are going to look for utils.h on all the other include paths first.

When building QEMU as part of the Xen make system, another unrelated
utils.h file is going to be chosen for inclusion, causing a build
failure:

In file included from disas/libvixl/a64/instructions-a64.cc:27:0:
/qemu/disas/libvixl/a64/instructions-a64.h:88:64: error:
'rawbits_to_float' was not declared in this scope
 const float kFP32PositiveInfinity = rawbits_to_float(0x7f800000);

Fix the problem by prepending (rather than appending) the libvixl
include path to QEMU_CFLAGS.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Patch queue for ppc - 2014-07-08

A few bug fixes for 2.1:

  - Fix e500* TLB emulation with qemu-system-ppc
  - Update SLOF to current upstream (good number of bugfixes)
  - Make POWER7 / POWER8 PVR match more agnostic (needed in 2.1 for cmdline compat)
  - Fix u-boot.e500 install (how did that happen?)
  - Fix H_CAS on LE hosts
  - ppc64le-linux-user fixes

# gpg: Signature made Tue 08 Jul 2014 11:18:58 BST using RSA key ID 03FEDC60
# gpg: Can't check signature: public key not found

* remotes/agraf/tags/signed-ppc-for-upstream:
  PPC: e500: Actually install u-boot.e500
  target-ppc: Remove POWER7+ and POWER8E families
  target-ppc: Add pvr_match() callback
  pseries: Update SLOF firmware image to qemu-slof-20140630
  PPC: Fix booke206 TLB with phys addrs > 32bit
  target-ppc: Fix gdbstub for ppc64le-linux-user
  target-ppc: Change default cpu for ppc64le-linux-user
  target-ppc: KVMPPC_H_CAS fix cpu-version endianess

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Alexander Graf <agraf@suse.de>

POWER8E is architecturally equal to POWER8 and POWER7+ is equal to
POWER7. Also no user space tool makes any difference for CPU node name
in the device tree (such as PowerPC,POWER7@0 vs. PowerPC,POWER7+@0).
So there is no point in emulating POWER7+ and POWER8E apart from POWER7
and POWER8. Also, the previos patch implemented multiple PVR mask support
per CPU class so POWER7 class now covers both POWER7 and POWER7+ CPUs,
same is valid for POWER8/8E.

This removes POWER7+ and POWER8E classes. This replaces references
to POWER7P/POWER8E families with POWER7/POWER8 families.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>

So far it was enough to have a base PVR value and mask per CPU
family such as POWER7 or POWER8. However there CPUs which are
completely architecturally compatible but have different PVRs such
as POWER7/POWER7+ and POWER8/POWER8E. For these CPUs, top 16 bits
are CPU family and low 16 bits are the version. The families have
PVR base values different enough so defining a mask which
would cover both (or potentially more) CPUs within the family is
not possible.

This adds a pvr_match() callback to PowerPCCPUClass. The default
handler simply compares PVR defined in the class.

This implements ppc_pvr_match_power7/ppc_pvr_match_power8 callbacks
for POWER7/8 families. These check for POWER7/POWER7+ and POWER8/POWER8E.

This changes ppc_cpu_compare_class_pvr_mask() not to check masks but
use the pvr_match() callback.

Since all server CPUs use the same mask, this defines one mask
value - CPU_POWERPC_POWER_SERVER_MASK - which is used everywhere now.
This removes other mask definitions.

This removes pvr_mask from PowerPCCPUClass as it is not used anymore.
This removes pvr initialization for POWER7/8 families as it is not used
to find the class, the pvr_match() callback is used instead.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>

The changelog is:
  > Quieten the grub warning
  > Add boot menu support
  > boot from disk having chrp-boot file
  > fat16: fix read and remove debug messages
  > dhcparch define missing in compilation
  > pci-scan: reserve memory for pci-bridge without devices
  > pci-bridge: Fix ranges when no device beyond the bridge
  > Set dhcp arch in board-qemu config file
  > xhci: fix controller stop
  > dhcp: support client architecture code 93
  > virtio-blk: support variable block size
  > usb: use common pci dma alloc/mapping routines
  > Remove unused SLOF code
  > pci-bridge: generic bridge needs to support pci dma functions
  > pci: extract dma functions as separate file
  > e1000: fix usage of multiple nics

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>

We were truncating physical addresses to 32bit when using qemu-system-ppc
with a booke206 TLB implementation. This patch fixes that and makes the full
address space available.

Signed-off-by: Alexander Graf <agraf@suse.de>

The bswap that's needed for system mode isn't required for
user mode, and in fact breaks debugging.

Signed-off-by: Richard Henderson <rth@twiddle.net>
[agraf: fix apple gdbstub implementation]
Signed-off-by: Alexander Graf <agraf@suse.de>