qemu.git
[5 years ago] xen: fix ioreq handling
Jan Beulich [Tue, 22 Nov 2016 12:56:51 +0000 (05:56 -0700)] 
xen: fix ioreq handling

Avoid double fetches and bounds check size to avoid overflowing
internal variables.

This is CVE-2016-9381 / XSA-197.

Reported-by: yanghongke <yanghongke@huawei.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
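The commit above fixes a double fetch: a size read from guest-shared memory was checked and then read again, so the guest could change it between the check and the use. The following is an added illustration, not code from this commit or from Xen/QEMU; the `shared_req` layout, the `MAX_REQ_SIZE` limit and the `racer_fn` hook standing in for the other vCPU's write are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a request record in a page shared with the
 * guest (hypothetical layout, not Xen's real ioreq structure).  `size`
 * is volatile because another vCPU may rewrite it at any moment. */
struct shared_req {
    volatile uint32_t size;   /* bytes the guest asks the emulator to copy */
    uint8_t data[64];
};

/* Largest request the emulator's private buffer can hold (assumed). */
#define MAX_REQ_SIZE 16u

/* Hook standing in for a concurrent guest write landing between two
 * reads of the shared record; the interleaving is constructed. */
typedef void (*racer_fn)(struct shared_req *req);

static void guest_rewrites_size(struct shared_req *req)
{
    req->size = 1000;   /* never checked, but it is what a second fetch sees */
}

/* Vulnerable shape: size is read once for the bounds check and again for
 * the copy.  Returns the length the copy would use; the memcpy itself is
 * left out so the demo never actually overruns memory. */
static size_t handle_double_fetch(struct shared_req *req, racer_fn racer)
{
    if (req->size > MAX_REQ_SIZE) {      /* first fetch: the checked value */
        return 0;                         /* rejected */
    }
    if (racer) {
        racer(req);                       /* guest writes inside the window */
    }
    return req->size;                     /* second fetch: unchecked value */
}

/* Fixed shape: fetch exactly once into private memory, validate the
 * private copy, and use only the private copy afterwards. */
static size_t handle_single_fetch(struct shared_req *req, racer_fn racer)
{
    uint8_t local[MAX_REQ_SIZE];
    uint32_t size = req->size;            /* the only read of shared state */

    if (size > MAX_REQ_SIZE) {
        return 0;
    }
    if (racer) {
        racer(req);                       /* too late: `size` is already private */
    }
    memcpy(local, req->data, size);       /* bounded by the validated copy */
    return size;
}

/* Scenario: the guest presents size=8, then rewrites it to 1000 between
 * the emulator's check and its use. */
static size_t demo(size_t (*handler)(struct shared_req *, racer_fn))
{
    struct shared_req req;
    memset(&req, 0, sizeof req);
    req.size = 8;
    return handler(&req, guest_rewrites_size);
}

static size_t demo_double_fetch(void) { return demo(handle_double_fetch); }
static size_t demo_single_fetch(void) { return demo(handle_single_fetch); }

/* A request that is oversized from the start is rejected outright. */
static size_t demo_oversized_rejected(void)
{
    struct shared_req req;
    memset(&req, 0, sizeof req);
    req.size = 100;
    return handle_single_fetch(&req, NULL);
}

int main(void)
{
    printf("double fetch would copy %zu bytes (limit %u)\n",
           demo_double_fetch(), MAX_REQ_SIZE);
    printf("single fetch copies %zu bytes\n", demo_single_fetch());
    printf("oversized request copies %zu bytes\n", demo_oversized_rejected());
    return 0;
}
```

The pattern to take away is the one the commit message names: every field that crosses the trust boundary is read once into emulator-owned memory, and both the bounds check and the later use operate on that private copy.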
[5 years ago] Fix FreeBSD (10.x) build after 7dc9ae43
Ed Maste [Tue, 22 Nov 2016 01:32:45 +0000 (20:32 -0500)] 
Fix FreeBSD (10.x) build after 7dc9ae43

Include sys/user.h for declaration of 'struct kinfo_proc'.
Add -lutil to qemu-ga link for kinfo_getproc.

Signed-off-by: Ed Maste <emaste@freebsd.org>
Message-id: 1479778365-11315-1-git-send-email-emaste@freebsd.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] Merge remote-tracking branch 'jtc/tags/block-pull-request' into staging
Stefan Hajnoczi [Tue, 22 Nov 2016 10:54:39 +0000 (10:54 +0000)] 
Merge remote-tracking branch 'jtc/tags/block-pull-request' into staging

# gpg: Signature made Mon 21 Nov 2016 10:12:43 PM GMT
# gpg:                using RSA key 0xBDBE7B27C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 3057

* jtc/tags/block-pull-request:
  gluster: Fix use after free in glfs_clear_preopened()

Message-id: 1479766499-29972-1-git-send-email-jcody@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] gluster: Fix use after free in glfs_clear_preopened()
Kevin Wolf [Thu, 17 Nov 2016 10:30:08 +0000 (11:30 +0100)] 
gluster: Fix use after free in glfs_clear_preopened()

This fixes a use-after-free bug introduced in commit 6349c154. We need
to use QLIST_FOREACH_SAFE() when freeing elements in the loop. Spotted
by Coverity.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1479378608-11962-1-git-send-email-kwolf@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
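The gluster fix above swaps QLIST_FOREACH() for QLIST_FOREACH_SAFE() because the plain loop reads the element's link after the body has freed it. The following is an added illustration, not this commit's code: the `preopened` node, the `LIST_FOREACH_` / `LIST_FOREACH_SAFE_` macros (same shape as QEMU's queue.h macros) and the poison-instead-of-free `release()` are constructed so the stale read is detectable rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the preopened-volume list: a singly linked
 * list whose `next` plays the role of the QLIST entry link. */
struct preopened {
    char volume[32];
    struct preopened *next;
};

/* Sentinel written into a released node's link.  A real free() would
 * leave arbitrary garbage here; the poison makes the stale read visible. */
#define POISON_NEXT ((struct preopened *)0xdeadbeefUL)

static void release(struct preopened *p)
{
    p->next = POISON_NEXT;
    /* In the real code free(p) follows; the node memory is kept here so the
     * demo stays defined behaviour. */
}

/* Same shape as QLIST_FOREACH / QLIST_FOREACH_SAFE: the safe variant
 * saves the successor before the body runs. */
#define LIST_FOREACH_(var, head) \
    for ((var) = (head); (var) != NULL; (var) = (var)->next)
#define LIST_FOREACH_SAFE_(var, head, next_var) \
    for ((var) = (head); (var) != NULL && ((next_var) = (var)->next, 1); \
         (var) = (next_var))

/* Buggy: release() invalidates `p`, then the loop step reads p->next.
 * Returns the negated count at the point the stale read is detected. */
static int clear_unsafe(struct preopened *head)
{
    struct preopened *p;
    int released = 0;

    LIST_FOREACH_(p, head) {
        release(p);
        released++;
        /* This is exactly the read the macro's step performs next; with
         * free() it would be a use-after-free and the following iteration
         * would dereference garbage. */
        if (p->next == POISON_NEXT) {
            return -released;
        }
    }
    return released;
}

/* Fixed: the successor is captured before the body may free `p`. */
static int clear_safe(struct preopened *head)
{
    struct preopened *p, *next;
    int released = 0;

    LIST_FOREACH_SAFE_(p, head, next) {
        release(p);          /* safe: `next` was read while p was still live */
        released++;
    }
    return released;
}

/* Constructed three-volume list in caller-provided storage. */
static struct preopened *build_list(struct preopened nodes[], int n)
{
    for (int i = 0; i < n; i++) {
        snprintf(nodes[i].volume, sizeof nodes[i].volume, "vol%d", i);
        nodes[i].next = (i + 1 < n) ? &nodes[i + 1] : NULL;
    }
    return n > 0 ? &nodes[0] : NULL;
}

static int demo_unsafe(void)
{
    struct preopened nodes[3];
    return clear_unsafe(build_list(nodes, 3));
}

static int demo_safe(void)
{
    struct preopened nodes[3];
    return clear_safe(build_list(nodes, 3));
}

int main(void)
{
    printf("unsafe loop: %d (negative = stale link read after first release)\n",
           demo_unsafe());
    printf("safe loop: released %d entries\n", demo_safe());
    return 0;
}
```

Static analysers such as Coverity flag this shape because the loop macro's step expression is invisible at the call site; reviewing any FOREACH whose body can free the iterated element is the manual equivalent of that check.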
[5 years ago] Merge remote-tracking branch 'sstabellini/tags/xen-20161108-tag' into staging
Stefan Hajnoczi [Mon, 21 Nov 2016 15:29:55 +0000 (15:29 +0000)] 
Merge remote-tracking branch 'sstabellini/tags/xen-20161108-tag' into staging

Xen 2016/11/08

# gpg: Signature made Tue 08 Nov 2016 07:48:12 PM GMT
# gpg:                using RSA key 0x894F8F4870E1AE90
# gpg: Good signature from "Stefano Stabellini <sstabellini@kernel.org>"
# gpg:                 aka "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
# Primary key fingerprint: D04E 33AB A51F 67BA 07D3  0AEA 894F 8F48 70E1 AE90

* sstabellini/tags/xen-20161108-tag:
  xen: Fix xenpv machine initialisation

Message-id: alpine.DEB.2.10.1611081150170.3491@sstabellini-ThinkPad-X260
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] Merge remote-tracking branch 'mst/tags/for_upstream' into staging
Stefan Hajnoczi [Mon, 21 Nov 2016 11:09:58 +0000 (11:09 +0000)] 
Merge remote-tracking branch 'mst/tags/for_upstream' into staging

virtio, vhost, pc: fixes

Most notably this fixes a regression with vhost introduced by the pull before
last.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Fri 18 Nov 2016 03:51:55 PM GMT
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* mst/tags/for_upstream:
  acpi: Use apic_id_limit when calculating legacy ACPI table size
  ipmi: fix qemu crash while migrating with ipmi
  ivshmem: Fix 64 bit memory bar configuration
  virtio: set ISR on dataplane notifications
  virtio: access ISR atomically
  virtio: introduce grab/release_ioeventfd to fix vhost
  virtio-crypto: fix virtio_queue_set_notification() race

Message-id: 1479484366-7977-1-git-send-email-mst@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] acpi: Use apic_id_limit when calculating legacy ACPI table size
Eduardo Habkost [Fri, 11 Nov 2016 16:45:42 +0000 (14:45 -0200)] 
acpi: Use apic_id_limit when calculating legacy ACPI table size

The code that calculates the legacy ACPI table size for migration
compatibility uses max_cpus when calculating legacy_aml_len (the size of
the DSDT and SSDT tables). However, the SSDT grows according to APIC ID
limit, not max_cpus.

The bug is not triggered very often because of the 4k alignment on the
table size. But it can be triggered if you are unlucky enough to cross a
4k boundary.

Change the legacy_aml_len calculation to use apic_id_limit, to calculate
the right size.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] ipmi: fix qemu crash while migrating with ipmi
ZhuangYanying [Fri, 18 Nov 2016 08:22:48 +0000 (16:22 +0800)] 
ipmi: fix qemu crash while migrating with ipmi

QEMU crashes on the source side while migrating, after the ipmi service is started inside the VM.

./x86_64-softmmu/qemu-system-x86_64 --enable-kvm -smp 4 -m 4096 \
-drive file=/work/suse/suse11_sp3_64_vt,format=raw,if=none,id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0 \
-vnc :99 -monitor vc -device ipmi-bmc-sim,id=bmc0 -device isa-ipmi-kcs,bmc=bmc0,ioport=0xca2

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffec4268700 (LWP 7657)]
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2757
(gdb) bt
 #0  __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2757
 #1  0x00005555559ef775 in memcpy (__len=3, __src=0xc1421c, __dest=<optimized out>)
     at /usr/include/bits/string3.h:51
 #2  qemu_put_buffer (f=0x555557a97690, buf=0xc1421c <Address 0xc1421c out of bounds>, size=3)
     at migration/qemu-file.c:346
 #3  0x00005555559eef66 in vmstate_save_state (f=f@entry=0x555557a97690,
     vmsd=0x555555f8a5a0 <vmstate_ISAIPMIKCSDevice>, opaque=0x555557231160,
     vmdesc=vmdesc@entry=0x55555798cc40) at migration/vmstate.c:333
 #4  0x00005555557cfe45 in vmstate_save (f=f@entry=0x555557a97690, se=se@entry=0x555557231de0,
     vmdesc=vmdesc@entry=0x55555798cc40) at /mnt/sdb/zyy/qemu/migration/savevm.c:720
 #5  0x00005555557d2be7 in qemu_savevm_state_complete_precopy (f=0x555557a97690,
     iterable_only=iterable_only@entry=false) at /mnt/sdb/zyy/qemu/migration/savevm.c:1128
 #6  0x00005555559ea102 in migration_completion (start_time=<synthetic pointer>,
     old_vm_running=<synthetic pointer>, current_active_state=<optimized out>,
     s=0x5555560eaa80 <current_migration.44078>) at migration/migration.c:1707
 #7  migration_thread (opaque=0x5555560eaa80 <current_migration.44078>) at migration/migration.c:1855
 #8  0x00007ffff3900dc5 in start_thread (arg=0x7ffec4268700) at pthread_create.c:308
 #9  0x00007fffefc6c71d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Signed-off-by: Zhuang Yanying <ann.zhuangyanying@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] ivshmem: Fix 64 bit memory bar configuration
Zhuang Yanying [Thu, 17 Nov 2016 12:31:03 +0000 (20:31 +0800)] 
ivshmem: Fix 64 bit memory bar configuration

Device ivshmem property use64=0 is designed to make the device
expose a 32 bit shared memory BAR instead of 64 bit one.  The
default is a 64 bit BAR, except pc-1.2 and older retain a 32 bit
BAR.  A 32 bit BAR can support only up to 1 GiB of shared memory.

This worked as designed until commit 5400c02 accidentally flipped
its sense: since then, we misinterpret use64=0 as use64=1 and vice
versa.  Worse, the default got flipped as well.  Devices
ivshmem-plain and ivshmem-doorbell are not affected.

Fix by restoring the test of IVShmemState member not_legacy_32bit
that got messed up in commit 5400c02.  Also update its
initialization for devices ivshmem-plain and ivshmem-doorbell.
Without that, they'd regress to 32 bit BARs.

Cc: qemu-stable@nongnu.org
Signed-off-by: Zhuang Yanying <ann.zhuangyanying@huawei.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[5 years ago] virtio: set ISR on dataplane notifications
Paolo Bonzini [Fri, 18 Nov 2016 15:07:02 +0000 (16:07 +0100)] 
virtio: set ISR on dataplane notifications

Dataplane has been omitting forever the step of setting ISR when
an interrupt is raised.  This caused little breakage, because the
specification actually says that ISR may not be updated in MSI mode.

Some versions of the Windows drivers however didn't clear MSI mode
correctly, and proceeded using polling mode (using ISR, not the used
ring index!) for crashdump and hibernation.  If it were just crashdump
and hibernation it would not be a big deal, but recent releases of
Windows do not really shut down, but rather log out and hibernate to
make the next startup faster.  Hence, this manifested as a more serious
hang during shutdown with e.g. Windows 8.1 and virtio-win 1.8.0 RPMs.
Newer versions fixed this, while older versions do not use MSI at all.

The failure has always been there for virtio dataplane, but it became
visible after commits 9ffe337 ("virtio-blk: always use dataplane path
if ioeventfd is active", 2016-10-30) and ad07cd6 ("virtio-scsi: always
use dataplane path if ioeventfd is active", 2016-10-30) made virtio-blk
and virtio-scsi always use the dataplane code under KVM.  The good news
therefore is that it was not a bug in the patches---they were doing
exactly what they were meant for, i.e. shake out remaining dataplane bugs.

The fix is not hard, so it's worth arranging for the broken drivers.
The virtio_should_notify+event_notifier_set pair that is common to
virtio-blk and virtio-scsi dataplane is replaced with a new public
function virtio_notify_irqfd that also sets ISR.  The irqfd emulation
code now need not set ISR anymore, so virtio_irq is removed.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Tested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] virtio: access ISR atomically
Paolo Bonzini [Fri, 18 Nov 2016 15:07:01 +0000 (16:07 +0100)] 
virtio: access ISR atomically

This will be needed once dataplane is able to set it outside
the big QEMU lock.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Tested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] virtio: introduce grab/release_ioeventfd to fix vhost
Paolo Bonzini [Fri, 18 Nov 2016 15:07:00 +0000 (16:07 +0100)] 
virtio: introduce grab/release_ioeventfd to fix vhost

Following the recent refactoring of virtio notifiers [1], more specifically
the patch ed08a2a0b ("virtio: use virtio_bus_set_host_notifier to
start/stop ioeventfd") that uses virtio_bus_set_host_notifier [2]
by default, core virtio code requires 'ioeventfd_started' to be set
to true/false when the host notifiers are configured.

When vhost is stopped and started, however, there is a stop followed by
another start. Since ioeventfd_started was never set to true, the 'stop'
operation triggered by virtio_bus_set_host_notifier() will not result
in a call to virtio_pci_ioeventfd_assign(assign=false). This leaves
the memory regions with stale notifiers and results in the next start
triggering the following assertion:

  kvm_mem_ioeventfd_add: error adding ioeventfd: File exists
  Aborted

This patch reintroduces (hopefully in a cleaner way) the concept
that was present with ioeventfd_disabled before the refactoring.
When ioeventfd_grabbed>0, ioeventfd_started tracks whether ioeventfd
should be enabled or not, but ioeventfd is actually not started at
all until vhost releases the host notifiers.

[1] http://lists.nongnu.org/archive/html/qemu-devel/2016-10/msg07748.html
[2] http://lists.nongnu.org/archive/html/qemu-devel/2016-10/msg07760.html

Reported-by: Felipe Franciosi <felipe@nutanix.com>
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reported-by: Alex Williamson <alex.williamson@redhat.com>
Fixes: ed08a2a0b ("virtio: use virtio_bus_set_host_notifier to start/stop ioeventfd")
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Tested-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Tested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] Merge remote-tracking branch 'public/tags/tracing-pull-request' into staging
Stefan Hajnoczi [Fri, 18 Nov 2016 15:24:26 +0000 (15:24 +0000)] 
Merge remote-tracking branch 'public/tags/tracing-pull-request' into staging

# gpg: Signature made Fri 18 Nov 2016 03:01:22 PM GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* public/tags/tracing-pull-request:
  trace: fix generated code build break

Message-id: 1479481289-2479-1-git-send-email-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] virtio-crypto: fix virtio_queue_set_notification() race
Stefan Hajnoczi [Wed, 16 Nov 2016 20:17:32 +0000 (20:17 +0000)] 
virtio-crypto: fix virtio_queue_set_notification() race

We must check for new virtqueue buffers after re-enabling notifications.
This prevents the race condition where the guest added buffers just
after we stopped popping the virtqueue but before we re-enabled
notifications.

I think the virtio-crypto code was based on virtio-net but this crucial
detail was missed.  virtio-net does not have the race condition because
it processes the virtqueue one more time after re-enabling
notifications.

Cc: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
[5 years ago] Merge remote-tracking branch 'remotes/elmarco/tags/ivshmem-pull-request' into staging
Stefan Hajnoczi [Fri, 18 Nov 2016 14:58:48 +0000 (14:58 +0000)] 
Merge remote-tracking branch 'remotes/elmarco/tags/ivshmem-pull-request' into staging

* remotes/elmarco/tags/ivshmem-pull-request:
  ivshmem: Fix 64 bit memory bar configuration

Message-id: 20161117152613.18578-1-marcandre.lureau@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] Merge remote-tracking branch 'rth/tags/pull-axp-20161117' into staging
Stefan Hajnoczi [Fri, 18 Nov 2016 14:49:02 +0000 (14:49 +0000)] 
Merge remote-tracking branch 'rth/tags/pull-axp-20161117' into staging

Update alpha palcode for smp

# gpg: Signature made Thu 17 Nov 2016 02:57:29 PM GMT
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"
# Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC  16A4 AD12 70CC 4DD0 279B

* rth/tags/pull-axp-20161117:
  target-alpha: Log cpuid with -d int
  target-alpha: Update palcode for smp

Message-id: 1479394965-11254-1-git-send-email-rth@twiddle.net
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] trace: fix generated code build break
Greg Kurz [Thu, 17 Nov 2016 13:59:13 +0000 (14:59 +0100)] 
trace: fix generated code build break

If the QEMU source dir is

    /var/tmp/aaa-qemu-clone

and the build dir is

    /var/tmp/qemu-aio-poll-v2

then I get an error like:

trace/generated-tracers.c:15950:13: error: invalid suffix "_trace_events"
 on integer constant
 TraceEvent *2_trace_events[] = {
             ^
trace/generated-tracers.c:15950:13: error: expected identifier or ‘(’ before
 numeric constant
trace/generated-tracers.c: In function ‘trace_2_register_events’:
trace/generated-tracers.c:17949:32: error: invalid suffix "_trace_events" on
 integer constant
     trace_event_register_group(2_trace_events);
                                ^
make: *** [trace/generated-tracers.o] Error 1

This patch fixes the issue.

Reported-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Tested-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
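The compiler errors quoted in the commit above come from a generated symbol, `2_trace_events`, whose group name starts with a digit and so is not a valid C identifier. As an added illustration (not this commit's fix, which lives in QEMU's Python tracetool), here is the rule a code generator has to enforce when it derives identifiers from paths: the `sanitize_identifier()` and `trace_events_symbol()` helpers below are constructed for the demo, and the group names fed to them are the ones from the error output.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Is `s` a valid C identifier, i.e. [A-Za-z_][A-Za-z0-9_]* and non-empty? */
static bool is_c_identifier(const char *s)
{
    if (*s == '\0' || (!isalpha((unsigned char)*s) && *s != '_')) {
        return false;
    }
    for (; *s; s++) {
        if (!isalnum((unsigned char)*s) && *s != '_') {
            return false;
        }
    }
    return true;
}

/* Turn an arbitrary path component into an identifier: every character
 * outside [A-Za-z0-9_] becomes '_', and a leading digit gets an underscore
 * prefix so the result cannot be parsed as a numeric constant.  Returns
 * the length written (excluding the NUL) or -1 if `out` is too small. */
static int sanitize_identifier(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0) {
        return -1;
    }
    if (isdigit((unsigned char)in[0])) {
        if (n + 1 >= outsz) {
            return -1;
        }
        out[n++] = '_';
    }
    for (const char *p = in; *p; p++) {
        if (n + 1 >= outsz) {
            return -1;
        }
        out[n++] = (isalnum((unsigned char)*p) || *p == '_') ? *p : '_';
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the "<group>_trace_events" symbol name from a raw group name.
 * Returns a pointer to a static buffer (demo convenience), or NULL if the
 * sanitized name does not fit. */
static const char *trace_events_symbol(const char *raw_group)
{
    static char sym[128];
    char group[64];

    if (sanitize_identifier(raw_group, group, sizeof group) < 0) {
        return NULL;
    }
    snprintf(sym, sizeof sym, "%s_trace_events", group);
    return sym;
}

int main(void)
{
    /* The symbol from the error output, and what sanitizing yields. */
    printf("\"2_trace_events\" valid: %d\n", is_c_identifier("2_trace_events"));
    printf("sanitized: %s\n", trace_events_symbol("2"));
    printf("from build dir name: %s\n", trace_events_symbol("qemu-aio-poll-v2"));
    return 0;
}
```

Generated code is only as trustworthy as the identifiers fed into it; validating with something like `is_c_identifier()` at generation time fails early with a clear message instead of the opaque compiler error seen above.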
[5 years ago] Merge remote-tracking branch 'vivier/tags/trivial-patches-pull-request' into staging
Stefan Hajnoczi [Fri, 18 Nov 2016 11:05:48 +0000 (11:05 +0000)] 
Merge remote-tracking branch 'vivier/tags/trivial-patches-pull-request' into staging

# gpg: Signature made Thu 17 Nov 2016 10:18:58 AM GMT
# gpg:                using RSA key 0xF30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* vivier/tags/trivial-patches-pull-request:
  qapi-schema: clarify 'colo' state for MigrationStatus

Message-id: 1479378016-19022-1-git-send-email-laurent@vivier.eu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] target-alpha: Log cpuid with -d int
Richard Henderson [Sun, 13 Nov 2016 18:41:13 +0000 (19:41 +0100)] 
target-alpha: Log cpuid with -d int

Signed-off-by: Richard Henderson <rth@twiddle.net>
[5 years ago] target-alpha: Update palcode for smp
Richard Henderson [Sun, 13 Nov 2016 18:22:18 +0000 (19:22 +0100)] 
target-alpha: Update palcode for smp

Signed-off-by: Richard Henderson <rth@twiddle.net>
[5 years ago] ivshmem: Fix 64 bit memory bar configuration
Zhuang Yanying [Thu, 17 Nov 2016 14:37:17 +0000 (18:37 +0400)] 
ivshmem: Fix 64 bit memory bar configuration

Device ivshmem property use64=0 is designed to make the device
expose a 32 bit shared memory BAR instead of 64 bit one.  The
default is a 64 bit BAR, except pc-1.2 and older retain a 32 bit
BAR.  A 32 bit BAR can support only up to 1 GiB of shared memory.

This worked as designed until commit 5400c02 accidentally flipped
its sense: since then, we misinterpret use64=0 as use64=1 and vice
versa.  Worse, the default got flipped as well.  Devices
ivshmem-plain and ivshmem-doorbell are not affected.

Fix by restoring the test of IVShmemState member not_legacy_32bit
that got messed up in commit 5400c02.  Also update its
initialization for devices ivshmem-plain and ivshmem-doorbell.
Without that, they'd regress to 32 bit BARs.

Signed-off-by: Zhuang Yanying <ann.zhuangyanying@huawei.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <1479385863-7648-1-git-send-email-ann.zhuangyanying@huawei.com>

[5 years ago] qapi-schema: clarify 'colo' state for MigrationStatus
zhanghailiang [Wed, 2 Nov 2016 07:44:12 +0000 (15:44 +0800)] 
qapi-schema: clarify 'colo' state for MigrationStatus

A VM cannot get into the colo state unless users enable the 'x-colo'
capability for migration; it is necessary to clarify this here.

Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Message-Id: <1478072652-9884-1-git-send-email-zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
[5 years ago] pc: fix FW_CFG_NB_CPUS to account for -device added CPUs
Igor Mammedov [Wed, 16 Nov 2016 13:04:41 +0000 (14:04 +0100)] 
pc: fix FW_CFG_NB_CPUS to account for -device added CPUs

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <1479301481-197333-1-git-send-email-imammedo@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[5 years ago] fw_cfg: move FW_CFG_NB_CPUS out of fw_cfg_init1()
Igor Mammedov [Tue, 15 Nov 2016 12:17:15 +0000 (13:17 +0100)] 
fw_cfg: move FW_CFG_NB_CPUS out of fw_cfg_init1()

PC will use this field in another way, so move it outside the common
code so PC can set a different value, i.e. all CPUs
regardless of where they are coming from (-smp X | -device cpu...).

It's a quick and dirty hack, as it could be implemented in a more generic
way in MachineClass. But do it the simple way since only PC is affected
so far.

Later we can generalize it when another affected target gets support
for -device cpu.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <1479212236-183810-3-git-send-email-imammedo@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[5 years ago] Revert "pc: Add 'etc/boot-cpus' fw_cfg file for machine with more than 255 CPUs"
Igor Mammedov [Tue, 15 Nov 2016 12:17:14 +0000 (13:17 +0100)] 
Revert "pc: Add 'etc/boot-cpus' fw_cfg file for machine with more than 255 CPUs"

This reverts commit 080ac219cc7d9c55adf925c3545b7450055ad625.

Legacy FW_CFG_NB_CPUS will be reused instead of the 'etc/boot-cpus'
fw_cfg file since it does the same and there is no point
in maintaining a duplicate guest ABI, if it can be helped.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <1479212236-183810-2-git-send-email-imammedo@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[5 years ago] Update version for v2.8.0-rc0 release (tag: v2.8.0-rc0)
Stefan Hajnoczi [Tue, 15 Nov 2016 20:55:12 +0000 (20:55 +0000)] 
Update version for v2.8.0-rc0 release

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 19:50:06 +0000 (19:50 +0000)] 
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio, vhost, pc, pci: documentation, fixes and cleanups

Lots of fixes all over the place.

Unfortunately, this does not yet fix a regression with vhost
introduced by the last pull, the issue is typically this error:
    kvm_mem_ioeventfd_add: error adding ioeventfd: File exists
followed by QEMU aborting.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* remotes/mst/tags/for_upstream: (28 commits)
  docs: add PCIe devices placement guidelines
  virtio: drop virtio_queue_get_ring_{size,addr}()
  vhost: drop legacy vring layout bits
  vhost: adapt vhost_verify_ring_mappings() to virtio 1 ring layout
  nvdimm acpi: introduce NVDIMM_DSM_MEMORY_SIZE
  nvdimm acpi: use aml_name_decl to define named object
  nvdimm acpi: rename nvdimm_dsm_reserved_root
  nvdimm acpi: fix two comments
  nvdimm acpi: define DSM return codes
  nvdimm acpi: rename nvdimm_acpi_hotplug
  nvdimm acpi: cleanup nvdimm_build_fit
  nvdimm acpi: rename nvdimm_plugged_device_list
  docs: improve the doc of Read FIT method
  nvdimm acpi: clean up nvdimm_build_acpi
  pc: memhp: stop handling nvdimm hotplug in pc_dimm_unplug
  pc: memhp: move nvdimm hotplug out of memory hotplug
  nvdimm acpi: drop the lock of fit buffer
  qdev: hotplug: drop HotplugHandler.post_plug callback
  vhost: migration blocker only if shared log is used
  virtio-net: mark VIRTIO_NET_F_GSO as legacy
  ...

Message-id: 1479237527-11846-1-git-send-email-mst@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] Merge remote-tracking branch 'ehabkost/tags/machine-pull-request' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 19:02:08 +0000 (19:02 +0000)] 
Merge remote-tracking branch 'ehabkost/tags/machine-pull-request' into staging

qdev: Fix assert in PCI address property when used by vfio-pci

# gpg: Signature made Tue 15 Nov 2016 06:27:18 PM GMT
# gpg:                using RSA key 0x2807936F984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* ehabkost/tags/machine-pull-request:
  qdev: Fix assert in PCI address property when used by vfio-pci

Message-id: 1479234540-3192-1-git-send-email-ehabkost@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] qdev: Fix assert in PCI address property when used by vfio-pci
Daniel Oram [Thu, 10 Nov 2016 12:42:07 +0000 (12:42 +0000)] 
qdev: Fix assert in PCI address property when used by vfio-pci

Allow the PCIHostDeviceAddress structure to work as the host property
in vfio-pci when it has its default value of all fields set to ~0. In
this form the property indicates a non-existent device, but given the
field bit sizes it gets asserted as excess (and invalid) precision
overflows the string buffer. The BDF of an invalid device
"FFFF:FF:FF.F" is returned instead.

Signed-off-by: Daniel Oram <daniel.oram@gmail.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Message-Id: <71f06765c4ba16dcd71cbf78e877619948f04ed9.1478777270.git.daniel.oram@gmail.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
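The commit above describes a fixed-size string buffer that an all-~0 address overflows when every field is printed at full width. As an added illustration, not QEMU's code, the block below shows the naive formatting's required length next to a bounded formatter that maps the unset sentinel to the "FFFF:FF:FF.F" string the commit names, rejects values outside the PCI field ranges (16-bit domain, 8-bit bus, 5-bit slot, 3-bit function) and checks snprintf's return value. The `host_addr` struct and the demo addresses are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the host-address property: four unsigned fields,
 * all ~0 meaning "no device" (the default the commit describes). */
struct host_addr {
    unsigned domain, bus, slot, function;
};

#define BDF_STRLEN 12                   /* "dddd:bb:ss.f" */
#define BDF_BUFSZ  (BDF_STRLEN + 1)     /* plus the terminating NUL */

static bool host_addr_is_unset(const struct host_addr *a)
{
    return a->domain == ~0u && a->bus == ~0u &&
           a->slot == ~0u && a->function == ~0u;
}

/* Naive formatting, every field at its natural width.  Returns the length
 * snprintf would need, so the caller can see how far past 12 it goes. */
static int bdf_format_naive_len(const struct host_addr *a)
{
    return snprintf(NULL, 0, "%04x:%02x:%02x.%x",
                    a->domain, a->bus, a->slot, a->function);
}

/* Bounded formatting.  The unset sentinel becomes the fixed invalid BDF;
 * any field outside its PCI range is rejected instead of being truncated
 * into a different, plausible-looking address.  Returns the string length
 * or -1 on rejection or an undersized buffer. */
static int bdf_format(const struct host_addr *a, char *out, size_t outsz)
{
    int n;

    if (outsz < BDF_BUFSZ) {
        return -1;
    }
    if (host_addr_is_unset(a)) {
        n = snprintf(out, outsz, "FFFF:FF:FF.F");
    } else {
        if (a->domain > 0xffffu || a->bus > 0xffu ||
            a->slot > 0x1fu || a->function > 0x7u) {
            return -1;
        }
        n = snprintf(out, outsz, "%04x:%02x:%02x.%x",
                     a->domain, a->bus, a->slot, a->function);
    }
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Demo helpers: format into a static buffer, or report the rejection. */
static const char *format_to_static(const struct host_addr *a)
{
    static char buf[BDF_BUFSZ];
    if (bdf_format(a, buf, sizeof buf) < 0) {
        return "<rejected>";
    }
    return buf;
}

static int demo_naive_unset_len(void)
{
    struct host_addr a = { ~0u, ~0u, ~0u, ~0u };
    return bdf_format_naive_len(&a);
}

static const char *demo_format_unset(void)
{
    struct host_addr a = { ~0u, ~0u, ~0u, ~0u };
    return format_to_static(&a);
}

static const char *demo_format_valid(void)
{
    struct host_addr a = { 0, 0, 5, 0 };   /* constructed: 0000:00:05.0 */
    return format_to_static(&a);
}

static int demo_format_out_of_range(void)
{
    struct host_addr a = { 0, 0, 0x20, 0 }; /* slot 32 does not exist */
    char buf[BDF_BUFSZ];
    return bdf_format(&a, buf, sizeof buf);
}

int main(void)
{
    printf("naive unset address needs %d bytes, buffer holds %d\n",
           demo_naive_unset_len(), BDF_STRLEN);
    printf("bounded unset: %s\n", demo_format_unset());
    printf("bounded valid: %s\n", demo_format_valid());
    printf("slot 0x20: %d\n", demo_format_out_of_range());
    return 0;
}
```

The general point is that a format string's field widths (`%04x`, `%02x`) are minimums, not maximums, so a buffer sized from them is only safe when the values are range-checked first or the snprintf result is verified.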
[5 years ago] Merge remote-tracking branch 'public/tags/block-pull-request' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 16:17:13 +0000 (16:17 +0000)] 
Merge remote-tracking branch 'public/tags/block-pull-request' into staging

# gpg: Signature made Tue 15 Nov 2016 03:42:29 PM GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* public/tags/block-pull-request:
  test-replication: fix leaks

Message-id: 1479224556-19367-1-git-send-email-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] test-replication: fix leaks
Marc-André Lureau [Wed, 9 Nov 2016 10:45:47 +0000 (14:45 +0400)] 
test-replication: fix leaks

ASAN spotted:
SUMMARY: AddressSanitizer: 301990288 byte(s) leaked in 33 allocation(s).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20161109104547.23861-1-marcandre.lureau@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[5 years ago] docs: add PCIe devices placement guidelines
Marcel Apfelbaum [Tue, 1 Nov 2016 13:39:47 +0000 (15:39 +0200)] 
docs: add PCIe devices placement guidelines

Propose best practices on how to use PCI Express/PCI devices
in PCI Express based machines and explain the reasoning behind them.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] virtio: drop virtio_queue_get_ring_{size,addr}()
Greg Kurz [Fri, 4 Nov 2016 08:39:29 +0000 (09:39 +0100)] 
virtio: drop virtio_queue_get_ring_{size,addr}()

These are not used anymore.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] vhost: drop legacy vring layout bits
Greg Kurz [Fri, 4 Nov 2016 08:39:22 +0000 (09:39 +0100)] 
vhost: drop legacy vring layout bits

The legacy vring layout is not used anymore as we use the separate
mappings even for legacy devices.
This patch simply removes it.

This also fixes a bug with virtio 1 devices when the vring descriptor table
is mapped at a higher address than the used vring because the following
function may return an insanely great value:

hwaddr virtio_queue_get_ring_size(VirtIODevice *vdev, int n)
{
    return vdev->vq[n].vring.used - vdev->vq[n].vring.desc +
           virtio_queue_get_used_size(vdev, n);
}

and the mapping fails.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[5 years ago] vhost: adapt vhost_verify_ring_mappings() to virtio 1 ring layout
Greg Kurz [Fri, 4 Nov 2016 08:39:15 +0000 (09:39 +0100)] 
vhost: adapt vhost_verify_ring_mappings() to virtio 1 ring layout

With virtio 1, the vring layout is split in 3 separate regions of
contiguous memory for the descriptor table, the available ring and the
used ring, as opposed to legacy virtio which uses a single region.

In case of memory re-mapping, the code ensures it doesn't affect the
vring mapping. This is done in vhost_verify_ring_mappings() which assumes
the device is legacy.

This patch changes vhost_verify_ring_mappings() to check the mappings of
each part of the vring separately.

This works for legacy mappings as well.

Cc: qemu-stable@nongnu.org
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
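The two vhost commits above ("drop legacy vring layout bits" and this one) make the same point from two sides: the single-span size `used - desc + used_size` assumes the legacy layout, wraps to an enormous value when the guest places the used ring below the descriptor table, and the robust check verifies each virtio 1 region against the mapping on its own. The following is an added illustration, not QEMU's or vhost's code: region sizes follow the virtio 1.0 split-ring layout (16-byte descriptors, 6 + 2*num bytes of available ring, 6 + 8*num bytes of used ring), and the ring addresses and mapping bounds are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t hwaddr;

/* Split virtqueue region sizes from the virtio 1.0 layout. */
static hwaddr desc_size(unsigned num)  { return 16u * num; }
static hwaddr avail_size(unsigned num) { return 6u + 2u * num; }
static hwaddr used_size(unsigned num)  { return 6u + 8u * num; }

/* Guest-supplied ring addresses plus queue size (constructed in the demo). */
struct vring_addrs {
    hwaddr desc, avail, used;
    unsigned num;
};

/* One contiguous host mapping of guest memory. */
struct mapping {
    hwaddr start, len;
};

/* The span the "drop legacy vring layout bits" message quotes.  It only
 * makes sense when `used` lies above `desc`; with virtio 1 the guest may
 * place the rings anywhere, and used < desc wraps the unsigned subtraction. */
static hwaddr legacy_ring_span(const struct vring_addrs *v)
{
    return v->used - v->desc + used_size(v->num);
}

/* Does [start, start+len) lie entirely inside the mapping?  Written as
 * subtractions so that start+len cannot overflow the comparison. */
static bool region_mapped(const struct mapping *m, hwaddr start, hwaddr len)
{
    if (start < m->start) {
        return false;
    }
    if (len > m->len) {
        return false;
    }
    return start - m->start <= m->len - len;
}

/* virtio 1 check: verify the three regions independently.  A legacy queue,
 * whose regions happen to be contiguous, passes the same test. */
static bool split_ring_mapped(const struct mapping *m, const struct vring_addrs *v)
{
    return region_mapped(m, v->desc, desc_size(v->num)) &&
           region_mapped(m, v->avail, avail_size(v->num)) &&
           region_mapped(m, v->used, used_size(v->num));
}

/* Scenario: a 256-entry queue with the used ring *below* the descriptors. */
static const struct vring_addrs demo_ring = {
    .desc = 0x20000, .avail = 0x18000, .used = 0x10000, .num = 256,
};

static hwaddr demo_legacy_span(void)
{
    return legacy_ring_span(&demo_ring);   /* wraps: 0xFFFFFFFFFFFF0806 */
}

/* Mapping covering 0x10000..0x30000: every region fits. */
static bool demo_split_ok(void)
{
    struct mapping m = { .start = 0x10000, .len = 0x20000 };
    return split_ring_mapped(&m, &demo_ring);
}

/* Mapping truncated at 0x20800: the descriptor table hangs off its end. */
static bool demo_split_truncated(void)
{
    struct mapping m = { .start = 0x10000, .len = 0x10800 };
    return split_ring_mapped(&m, &demo_ring);
}

int main(void)
{
    printf("legacy span for used<desc: 0x%llx bytes\n",
           (unsigned long long)demo_legacy_span());
    printf("per-region check, full mapping: %s\n", demo_split_ok() ? "ok" : "fail");
    printf("per-region check, truncated mapping: %s\n",
           demo_split_truncated() ? "ok" : "fail");
    return 0;
}
```

Any size derived by subtracting two guest-controlled addresses needs the same scrutiny as the ring check here: the guest chooses both operands, so the difference can be negative, and in unsigned arithmetic that is indistinguishable from a huge length.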
[5 years ago] nvdimm acpi: introduce NVDIMM_DSM_MEMORY_SIZE
Xiao Guangrong [Mon, 7 Nov 2016 11:13:49 +0000 (19:13 +0800)] 
nvdimm acpi: introduce NVDIMM_DSM_MEMORY_SIZE

and use it to replace the raw number

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
[5 years ago] nvdimm acpi: use aml_name_decl to define named object
Xiao Guangrong [Mon, 7 Nov 2016 11:13:48 +0000 (19:13 +0800)] 
nvdimm acpi: use aml_name_decl to define named object

to make the code clearer

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
[5 years ago] nvdimm acpi: rename nvdimm_dsm_reserved_root
Xiao Guangrong [Mon, 7 Nov 2016 11:13:47 +0000 (19:13 +0800)] 
nvdimm acpi: rename nvdimm_dsm_reserved_root

Rename it to nvdimm_dsm_handle_reserved_root_method

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
[5 years ago] nvdimm acpi: fix two comments
Xiao Guangrong [Mon, 7 Nov 2016 11:13:46 +0000 (19:13 +0800)] 
nvdimm acpi: fix two comments

fixed the English issue and code-style issue

Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
[5 years ago] nvdimm acpi: define DSM return codes
Xiao Guangrong [Mon, 7 Nov 2016 11:13:45 +0000 (19:13 +0800)] 
nvdimm acpi: define DSM return codes

and use these codes to refine the code

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  nvdimm acpi: rename nvdimm_acpi_hotplug
Xiao Guangrong [Mon, 7 Nov 2016 11:13:44 +0000 (19:13 +0800)] 
nvdimm acpi: rename nvdimm_acpi_hotplug

Rename it to nvdimm_plug()

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  nvdimm acpi: cleanup nvdimm_build_fit
Xiao Guangrong [Mon, 7 Nov 2016 11:13:43 +0000 (19:13 +0800)] 
nvdimm acpi: cleanup nvdimm_build_fit

inline buf_size to refine the code a bit

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  nvdimm acpi: rename nvdimm_plugged_device_list
Xiao Guangrong [Mon, 7 Nov 2016 11:13:42 +0000 (19:13 +0800)] 
nvdimm acpi: rename nvdimm_plugged_device_list

Its behavior has been changed, as the nvdimm device which is being
realized will also be handled in this function, so rename it to
reflect that fact

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  docs: improve the doc of Read FIT method
Xiao Guangrong [Mon, 7 Nov 2016 11:13:41 +0000 (19:13 +0800)] 
docs: improve the doc of Read FIT method

Improve the description and clearly document the length field

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  nvdimm acpi: clean up nvdimm_build_acpi
Xiao Guangrong [Mon, 7 Nov 2016 11:13:40 +0000 (19:13 +0800)] 
nvdimm acpi: clean up nvdimm_build_acpi

To make the code clearer, we
1) check ram_slots first, and build ssdt & nfit only when it is available
2) use nvdimm_get_plugged_device_list() to check if there is nvdimm device
   plugged

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  pc: memhp: stop handling nvdimm hotplug in pc_dimm_unplug
Xiao Guangrong [Mon, 7 Nov 2016 11:13:39 +0000 (19:13 +0800)] 
pc: memhp: stop handling nvdimm hotplug in pc_dimm_unplug

as it is never called when nvdimm hotplug happens

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  pc: memhp: move nvdimm hotplug out of memory hotplug
Xiao Guangrong [Mon, 7 Nov 2016 11:13:38 +0000 (19:13 +0800)] 
pc: memhp: move nvdimm hotplug out of memory hotplug

as they use completely different ways to handle hotplug events

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  nvdimm acpi: drop the lock of fit buffer
Xiao Guangrong [Mon, 7 Nov 2016 11:13:37 +0000 (19:13 +0800)] 
nvdimm acpi: drop the lock of fit buffer

as there is a global lock to protect vm-exit handlers and
QMP/monitor, this lock can be dropped

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  qdev: hotplug: drop HotplugHandler.post_plug callback
Xiao Guangrong [Mon, 7 Nov 2016 11:13:36 +0000 (19:13 +0800)] 
qdev: hotplug: drop HotplugHandler.post_plug callback

as nvdimm acpi is okay to build fit when the nvdimm device
has not been 'realized'

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
5 years ago  vhost: migration blocker only if shared log is used
Rafael David Tinoco [Mon, 24 Oct 2016 15:35:03 +0000 (15:35 +0000)] 
vhost: migration blocker only if shared log is used

Commit 31190ed7 added a migration blocker in vhost_dev_init() to
check if memfd would succeed. It is better if this blocker first
checks if vhost backend requires shared log. This will avoid a
situation where a blocker is added inappropriately (e.g. shared
log allocation fails when vhost backend doesn't support it).

Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  virtio-net: mark VIRTIO_NET_F_GSO as legacy
Michael S. Tsirkin [Fri, 4 Nov 2016 10:27:52 +0000 (12:27 +0200)] 
virtio-net: mark VIRTIO_NET_F_GSO as legacy

virtio 1.0 spec says this is a legacy feature bit,
hide it from guests in modern mode.

Note: for cross-version migration compatibility,
we keep the bit set in host_features.
The result will be that a guest migrating cross-version
will see host features change under it.
As guests only seem to read it once, this should
not be an issue. Meanwhile, we will work to fix guests to
ignore this bit in virtio1 mode, too.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years ago  virtio: allow per-device-class legacy features
Michael S. Tsirkin [Fri, 4 Nov 2016 10:04:23 +0000 (12:04 +0200)] 
virtio: allow per-device-class legacy features

Legacy features are those that transitional devices only
expose on the legacy interface.
Allow different ones per device class.

Cc: qemu-stable@nongnu.org # dependency for the next patch
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years ago  acpi: fix DMAR device scope for IOAPIC
Peter Xu [Mon, 31 Oct 2016 07:34:39 +0000 (15:34 +0800)] 
acpi: fix DMAR device scope for IOAPIC

We should not use cpu_to_le16() here; instead each device/function
value is stored in an 8-byte field.

Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  intel_iommu: fix incorrect assert
Peter Xu [Mon, 31 Oct 2016 07:34:40 +0000 (15:34 +0800)] 
intel_iommu: fix incorrect assert

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  intel_iommu: fix several incorrect endianness and bit fields
Peter Xu [Mon, 31 Oct 2016 07:34:38 +0000 (15:34 +0800)] 
intel_iommu: fix several incorrect endianness and bit fields

Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  virtio-crypto: tag as not hotpluggable and migration
Gonglei [Mon, 31 Oct 2016 14:08:00 +0000 (22:08 +0800)] 
virtio-crypto: tag as not hotpluggable and migration

Currently the virtio-crypto device doesn't support hotplug
and live migration well. Let's actively tag it as not
hotpluggable and not migratable, and reopen them once we
support them well.

Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  virtio: make virtqueue_alloc_element static
Ladi Prosek [Thu, 3 Nov 2016 08:55:50 +0000 (09:55 +0100)] 
virtio: make virtqueue_alloc_element static

The function does not fully initialize the returned VirtQueueElement and should
be used only internally from the virtio module.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  virtio: rename virtqueue_discard to virtqueue_unpop
Ladi Prosek [Thu, 3 Nov 2016 08:55:49 +0000 (09:55 +0100)] 
virtio: rename virtqueue_discard to virtqueue_unpop

The function undoes the effect of virtqueue_pop and doesn't do anything
destructive or irreversible so virtqueue_unpop is a more fitting name.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  intel_iommu: fixing source id during IOTLB hash key calculation
Jason Wang [Thu, 3 Nov 2016 01:22:23 +0000 (09:22 +0800)] 
intel_iommu: fixing source id during IOTLB hash key calculation

Using uint8_t for the source id will lose the bus number and get the
wrong/invalid IOTLB entry. Fix this by using uint16_t instead and
enlarging the level shift.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
5 years ago  Merge remote-tracking branch 'jasowang/tags/net-pull-request' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 12:07:53 +0000 (12:07 +0000)] 
Merge remote-tracking branch 'jasowang/tags/net-pull-request' into staging

# gpg: Signature made Tue 15 Nov 2016 07:37:27 AM GMT
# gpg:                using RSA key 0xEF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* jasowang/tags/net-pull-request:
  docs: fix COLO architecture diagram
  net: fix sending of data with -net socket, listen backend
  net: skip virtio-net config of deleted nic's peers

Message-id: 1479195830-4725-1-git-send-email-jasowang@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years ago  Merge remote-tracking branch 'jtc/tags/block-pull-request' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 12:00:13 +0000 (12:00 +0000)] 
Merge remote-tracking branch 'jtc/tags/block-pull-request' into staging

# gpg: Signature made Tue 15 Nov 2016 04:10:29 AM GMT
# gpg:                using RSA key 0xBDBE7B27C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 3057

* jtc/tags/block-pull-request:
  mirror: do not flush every time the disks are synced
  block/curl: Do not wait for data beyond EOF
  block/curl: Remember all sockets
  block/curl: Fix return value from curl_read_cb
  block/curl: Use BDRV_SECTOR_SIZE
  block/curl: Drop TFTP "support"
  qemu-iotests: avoid spurious failure on test 109
  iotests: add transactional failure race test
  blockjob: refactor backup_start as backup_job_create
  blockjob: add block_job_start
  blockjob: add .start field
  blockjob: add .clean property
  blockjob: fix dead pointer in txn list

Message-id: 1479183291-14086-1-git-send-email-jcody@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years ago  Merge remote-tracking branch 'dgibson/tags/ppc-for-2.8-20161115' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 11:59:40 +0000 (11:59 +0000)] 
Merge remote-tracking branch 'dgibson/tags/ppc-for-2.8-20161115' into staging

ppc patch queue 2016-11-15

Latest set of ppc and spapr related patches.  Highlights are:
   * More POWER9 instructions
   * Fix some subtle outstanding bugs
   * Add some extra tests

One patch affects bitops.h, so isn't strictly ppc related.

# gpg: Signature made Tue 15 Nov 2016 02:46:48 AM GMT
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* dgibson/tags/ppc-for-2.8-20161115:
  boot-serial-test: Add a test for the powernv machine
  tests: add XSCOM tests for the PowerNV machine
  ppc/pnv: Fix fatal bug on 32-bit hosts
  ppc/pnv: fix xscom address translation for POWER9
  ppc/pnv: add a 'xscom_core_base' field to PnvChipClass
  spapr-vty: Fix bad assert() statement
  FU exceptions should carry a cause (IC)
  spapr: Fix migration of PCI host bridges from qemu-2.7
  target-ppc: Implement bcdctz. instruction
  target-ppc: Implement bcdcfz. instruction
  target-ppc: Implement bcdctn. instruction
  target-ppc: Implement bcdcfn. instruction
  ppc: Remove some stub POWER6 models
  ppc/pnv: fix compile breakage on old gcc
  powernv: CPU compatibility modes don't make sense for powernv
  target-ppc: add vprtyb[w/d/q] instructions
  target-ppc: add vrldnm and vrlwnm instructions
  target-ppc: add vrldnmi and vrlwmi instructions
  bitops: fix rol/ror when shift is zero

Message-id: 1479178144-28153-1-git-send-email-david@gibson.dropbear.id.au
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years ago  Merge remote-tracking branch 'sthibault/tags/samuel-thibault' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 11:50:04 +0000 (11:50 +0000)] 
Merge remote-tracking branch 'sthibault/tags/samuel-thibault' into staging

slirp updates

# gpg: Signature made Mon 14 Nov 2016 08:19:16 PM GMT
# gpg:                using RSA key 0xA003196827414880
# gpg: Good signature from "Samuel Thibault <samuel.thibault@u-bordeaux.fr>"
# gpg:                 aka "Samuel Thibault <sthibault@debian.org>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@gnu.org>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@inria.fr>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@labri.fr>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@ens-lyon.org>"
# Primary key fingerprint: 900C B024 B679 31D4 0F82  304B D017 8C76 7D06 9EE6
#      Subkey fingerprint: 6B0F AC21 8566 46E9 4AA2  D200 A003 1968 2741 4880

* sthibault/tags/samuel-thibault:
  slirp: Fix access to freed memory

Message-id: 20161114202030.17685-1-samuel.thibault@ens-lyon.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years ago  Merge remote-tracking branch 'quintela/tags/migration/20161114' into staging
Stefan Hajnoczi [Tue, 15 Nov 2016 11:49:46 +0000 (11:49 +0000)] 
Merge remote-tracking branch 'quintela/tags/migration/20161114' into staging

migration/next for 20161114

# gpg: Signature made Mon 14 Nov 2016 07:55:42 PM GMT
# gpg:                using RSA key 0xF487EF185872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>"
# gpg:                 aka "Juan Quintela <quintela@trasno.org>"
# Primary key fingerprint: 1899 FF8E DEBF 58CC EE03  4B82 F487 EF18 5872 D723

* quintela/tags/migration/20161114:
  migration: Fix return code of ram_save_iterate()
  tests/test-vmstate.c: add array of pointer to struct
  tests/test-vmstate.c: add save_buffer util func
  migration: fix missing assignment for has_x_checkpoint_delay

Message-id: 1479153474-2401-1-git-send-email-quintela@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years ago  docs: fix COLO architecture diagram
Zhang Chen [Tue, 1 Nov 2016 03:38:12 +0000 (11:38 +0800)] 
docs: fix COLO architecture diagram

Fix COLO-Proxy part of COLO architecture diagram

Signed-off-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Reviewed-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
5 years ago  net: fix sending of data with -net socket, listen backend
Daniel P. Berrange [Fri, 4 Nov 2016 15:46:33 +0000 (15:46 +0000)] 
net: fix sending of data with -net socket, listen backend

The use of -net socket,listen was broken in the following
commit

  commit 16a3df403b10c4ac347159e39005fd520b2648bb
  Author: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
  Date:   Fri May 13 15:35:19 2016 +0800

    net/net: Add SocketReadState for reuse codes

    This function is from net/socket.c, move it to net.c and net.h.
    Add SocketReadState to make others reuse net_fill_rstate().
    suggestion from jason.

This refactored the state out of NetSocketState into a
separate SocketReadState. This refactoring requires
that a callback is provided to be triggered upon
completion of a packet receive from the guest.

The patch only registered this callback in the codepaths
hit by -net socket,connect, not -net socket,listen. So
as a result packets sent by the guest in the latter case
get dropped on the floor.

This bug is hidden because net_fill_rstate() silently
does nothing if the callback is not set.

This patch adds in the middle callback registration
and also adds an assert so that QEMU aborts if there
are any other codepaths hit which are missing the
callback.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
5 years ago  net: skip virtio-net config of deleted nic's peers
Yuri Benditovich [Mon, 31 Oct 2016 22:01:17 +0000 (00:01 +0200)] 
net: skip virtio-net config of deleted nic's peers

https://bugzilla.redhat.com/show_bug.cgi?id=1373816
qemu core dump happens during repetitive unplug-plug
with multiple queues and a Windows RSS-capable guest.
If a back-end delete is requested during virtio-net device
initialization, the driver can still try to configure the device
for multiple queues. The virtio-net device is expected
to be removed as soon as the initialization is done.

Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
5 years ago  mirror: do not flush every time the disks are synced
Paolo Bonzini [Wed, 9 Nov 2016 16:20:08 +0000 (17:20 +0100)] 
mirror: do not flush every time the disks are synced

This puts a huge strain on the disks when there are many concurrent
migrations.  With this patch we only flush twice: just before issuing
the event, and just before pivoting to the destination.  If management
will complete the job close to the BLOCK_JOB_READY event, the cost of
the second flush should be small anyway.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20161109162008.27287-2-pbonzini@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  block/curl: Do not wait for data beyond EOF
Max Reitz [Tue, 25 Oct 2016 02:54:31 +0000 (04:54 +0200)] 
block/curl: Do not wait for data beyond EOF

libcurl will only give us as much data as there is, not more. The block
layer will deny requests beyond the end of file for us; but since this
block driver is still using a sector-based interface, we can still get
in trouble if the file size is not a multiple of 512.

While we have already made sure not to attempt transfers beyond the end
of the file, we are currently still trying to receive data from there if
the original request exceeds the file size. This patch fixes this issue
and invokes qemu_iovec_memset() on the iovec's tail.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20161025025431.24714-5-mreitz@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  block/curl: Remember all sockets
Max Reitz [Tue, 25 Oct 2016 02:54:30 +0000 (04:54 +0200)] 
block/curl: Remember all sockets

For some connection types (like FTP, generally), more than one socket
may be used (in FTP's case: control vs. data stream). As of commit
838ef602498b8d1985a231a06f5e328e2946a81d ("curl: Eliminate unnecessary
use of curl_multi_socket_all"), we have to remember all of the sockets
used by libcurl, but in fact we only did that for a single one. Since
one libcurl connection may use multiple sockets, however, we have to
remember them all.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20161025025431.24714-4-mreitz@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  block/curl: Fix return value from curl_read_cb
Max Reitz [Tue, 25 Oct 2016 02:54:29 +0000 (04:54 +0200)] 
block/curl: Fix return value from curl_read_cb

While commit 38bbc0a580f9f10570b1d1b5d3e92f0e6feb2970 is correct in that
the callback is supposed to return the number of bytes handled; what it
does not mention is that libcurl will throw an error if the callback did
not "handle" all of the data passed to it.

Therefore, if the callback receives some data that it cannot handle
(either because the receive buffer has not been set up yet or because it
would not fit into the receive buffer) and we have to ignore it, we
still have to report that the data has been handled.

Obviously, this should not happen normally. But it does happen at least
for FTP connections where some data (that we do not expect) may be
generated when the connection is established.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20161025025431.24714-3-mreitz@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  block/curl: Use BDRV_SECTOR_SIZE
Max Reitz [Tue, 25 Oct 2016 02:54:28 +0000 (04:54 +0200)] 
block/curl: Use BDRV_SECTOR_SIZE

Currently, curl defines its own constant SECTOR_SIZE. There is no
advantage over using the global BDRV_SECTOR_SIZE, so drop it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20161025025431.24714-2-mreitz@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  block/curl: Drop TFTP "support"
Max Reitz [Wed, 2 Nov 2016 17:55:37 +0000 (18:55 +0100)] 
block/curl: Drop TFTP "support"

Because TFTP does not support byte ranges, it was never usable with our
curl block driver. Since apparently nobody has ever complained loudly
enough for someone to take care of the issue until now, it seems
reasonable to assume that nobody has ever actually used it.

Therefore, it should be safe to just drop it from curl's protocol list.

[Jeff Cody: Below is additional summary pulled, with some rewording,
            from followup emails between Max and Markus, to explain what
            worked and what didn't]

TFTP would sometimes work, to a limited extent, for images <= the curl
"readahead" size, so long as reads started at offset zero.  By default,
that readahead size is 256KB.

Reads starting at a non-zero offset would also have returned data from a
zero offset.  It can become more complicated still, with mixed reads at
zero offset and non-zero offsets, due to data buffering.

In short, TFTP could only have worked before in very specific scenarios
with unrealistic expectations and constraints.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 20161102175539.4375-4-mreitz@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  qemu-iotests: avoid spurious failure on test 109
Paolo Bonzini [Wed, 9 Nov 2016 16:20:07 +0000 (17:20 +0100)] 
qemu-iotests: avoid spurious failure on test 109

In some cases it is possible that query-io-status is called just
before the job is completed, causing

    -{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_COMPLETED", "data": {"device": "src", "len": 31457280, "offset": OFFSET, "speed": 0, "type": "mirror", "error": "Operation not permitted"}}
    -{"return": []}
    +{"return": [{"io-status": "ok", "device": "src", "busy": true, "len": 31457280, "offset": OFFSET, "paused": false, "speed": 0, "ready": false, "type": "mirror"}]}

Assert that the completion event eventually happens.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20161109162008.27287-1-pbonzini@redhat.com
Reviewed-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  iotests: add transactional failure race test
John Snow [Tue, 8 Nov 2016 06:50:39 +0000 (01:50 -0500)] 
iotests: add transactional failure race test

Add a regression test for the case found by Vladimir.

Reported-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1478587839-9834-7-git-send-email-jsnow@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  blockjob: refactor backup_start as backup_job_create
John Snow [Tue, 8 Nov 2016 06:50:38 +0000 (01:50 -0500)] 
blockjob: refactor backup_start as backup_job_create

Refactor backup_start as backup_job_create, which only creates the job,
but does not automatically start it. The old interface, 'backup_start',
is not kept in favor of limiting the number of nearly-identical interfaces
that would have to be edited to keep up with QAPI changes in the future.

Callers that wish to synchronously start the backup_block_job can
instead just call block_job_start immediately after calling
backup_job_create.

Transactions are updated to use the new interface, calling block_job_start
only during the .commit phase, which helps prevent race conditions where
jobs may finish before we even finish building the transaction. This may
happen, for instance, during empty block backup jobs.

Reported-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1478587839-9834-6-git-send-email-jsnow@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  blockjob: add block_job_start
John Snow [Tue, 8 Nov 2016 06:50:37 +0000 (01:50 -0500)] 
blockjob: add block_job_start

Instead of automatically starting jobs at creation time via backup_start
et al, we'd like to return a job object pointer that can be started
manually at a later point in time.

For now, add the block_job_start mechanism and start the jobs
automatically as we have been doing, with conversions job-by-job coming
in later patches.

Of note: cancellation of unstarted jobs will perform all the normal
cleanup as if the job had started, particularly abort and clean. The
only difference is that we will not emit any events, because the job
never actually started.

Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1478587839-9834-5-git-send-email-jsnow@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  blockjob: add .start field
John Snow [Tue, 8 Nov 2016 06:50:36 +0000 (01:50 -0500)] 
blockjob: add .start field

Add an explicit start field to specify the entrypoint. We already have
ownership of the coroutine itself AND manage the lifetime of the
coroutine; let's take control of creation of the coroutine, too.

This will allow us to delay creation of the actual coroutine until we
know we'll actually start a BlockJob in block_job_start. This avoids
the sticky question of how to "un-create" a Coroutine that hasn't been
started yet.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1478587839-9834-4-git-send-email-jsnow@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  blockjob: add .clean property
John Snow [Tue, 8 Nov 2016 06:50:35 +0000 (01:50 -0500)] 
blockjob: add .clean property

Cleaning up after we have deferred to the main thread but before the
transaction has converged can be dangerous and result in deadlocks
if the job cleanup invokes any BH polling loops.

A job may attempt to begin cleaning up, but may induce another job to
enter its cleanup routine. The second job, part of our same transaction,
will block waiting for the first job to finish, so neither job may now
make progress.

To rectify this, allow jobs to register a cleanup operation that will
always run regardless of whether the job was in a transaction or not, and
whether the transaction job group completed successfully or not.

Move sensitive cleanup to this callback instead which is guaranteed to
be run only after the transaction has converged, which removes sensitive
timing constraints from said cleanup.

Furthermore, in future patches these cleanup operations will be performed
regardless of whether or not we actually started the job. Therefore,
cleanup callbacks should essentially confine themselves to undoing create
operations, e.g. setup actions taken in what is now backup_start.

Reported-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1478587839-9834-3-git-send-email-jsnow@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  blockjob: fix dead pointer in txn list
Vladimir Sementsov-Ogievskiy [Tue, 8 Nov 2016 06:50:34 +0000 (01:50 -0500)] 
blockjob: fix dead pointer in txn list

Though it is not intended to be reached through normal circumstances,
if we do not gracefully deconstruct the transaction QLIST, we may wind
up with stale pointers in the list.

The rest of this series attempts to address the underlying issues,
but this should fix list inconsistencies.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Tested-by: John Snow <jsnow@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1478587839-9834-2-git-send-email-jsnow@redhat.com
[Rewrote commit message. --js]
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
5 years ago  boot-serial-test: Add a test for the powernv machine
Thomas Huth [Tue, 8 Nov 2016 12:36:53 +0000 (13:36 +0100)] 
boot-serial-test: Add a test for the powernv machine

The new powernv machine ships with a firmware that outputs
some text to the serial console, so we can automatically
test this machine type in the boot-serial tester, too.
And to get some (very limited) test coverage for the new
POWER9 CPU emulation, too, this test is also started with
"-cpu POWER9".

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  tests: add XSCOM tests for the PowerNV machine
David Gibson [Mon, 14 Nov 2016 23:09:46 +0000 (10:09 +1100)] 
tests: add XSCOM tests for the PowerNV machine

Add a couple of tests on the XSCOM bus of the PowerNV machine for the
POWER8 and POWER9 CPUs. The first test reads the CFAM identifier
of the chip. The second test goes further in the XSCOM address space
and reaches the cores to read their DTS registers.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
[dwg: Fixed an incorrect indentation, and a Makefile problem]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  ppc/pnv: Fix fatal bug on 32-bit hosts
David Gibson [Mon, 14 Nov 2016 09:12:57 +0000 (10:12 +0100)] 
ppc/pnv: Fix fatal bug on 32-bit hosts

If the pnv machine type is compiled on a 32-bit host, the unsigned long
(host) type is 32-bit.  This means that the hweight_long() used to
calculate the number of allowed cores only considers the low 32 bits of
the cores_mask variable, and can thus return 0 in some circumstances.

This corrects the bug.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Suggested-by: Richard Henderson <rth@twiddle.net>
[clg: replaced hweight_long() by ctpop64() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
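The narrowing described in the commit above, as an added example rather than QEMU's own code: a popcount taken through the host's `unsigned long` drops the upper half of a 64-bit mask on a 32-bit host, while counting on an explicitly 64-bit type does not. The names `hweight_long_on_32bit_host`, `allowed_cores_buggy` and `allowed_cores_fixed` are illustrative, and the bit-twiddling `ctpop64` stands in for QEMU's helper of the same name.

```c
#include <stdint.h>

/* Added example, not QEMU's code. ctpop64 below is a parallel-sum
 * population count standing in for QEMU's ctpop64() helper. */
static inline unsigned int ctpop64(uint64_t v)
{
    v = v - ((v >> 1) & 0x5555555555555555ull);
    v = (v & 0x3333333333333333ull) + ((v >> 2) & 0x3333333333333333ull);
    v = (v + (v >> 4)) & 0x0f0f0f0f0f0f0f0full;
    return (unsigned int)((v * 0x0101010101010101ull) >> 56);
}

/* Model (illustrative name) of hweight_long() compiled for a host whose
 * unsigned long is 32 bits: the 64-bit argument is narrowed to 32 bits
 * before its bits are counted, so any core beyond bit 31 is dropped. */
static inline unsigned int hweight_long_on_32bit_host(uint64_t mask)
{
    uint32_t truncated = (uint32_t)mask; /* implicit narrowing in the real build */
    return ctpop64(truncated);
}

/* Buggy variant: allowed-core count derived from the host-width popcount.
 * Returns 0 whenever only cores numbered 32 and above are present. */
unsigned int allowed_cores_buggy(uint64_t cores_mask)
{
    return hweight_long_on_32bit_host(cores_mask);
}

/* Fixed variant: count on a 64-bit type regardless of host word size. */
unsigned int allowed_cores_fixed(uint64_t cores_mask)
{
    return ctpop64(cores_mask);
}
```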
5 years ago  ppc/pnv: fix xscom address translation for POWER9
Cédric Le Goater [Mon, 14 Nov 2016 09:12:56 +0000 (10:12 +0100)] 
ppc/pnv: fix xscom address translation for POWER9

High addresses can overflow the uint32_t pcba variable after the 8-byte
shift.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  ppc/pnv: add a 'xscom_core_base' field to PnvChipClass
Cédric Le Goater [Mon, 14 Nov 2016 09:12:55 +0000 (10:12 +0100)] 
ppc/pnv: add a 'xscom_core_base' field to PnvChipClass

The XSCOM addresses for the core registers are encoded in a slightly
different way on POWER8 and POWER9.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  spapr-vty: Fix bad assert() statement
Thomas Huth [Thu, 10 Nov 2016 20:16:01 +0000 (21:16 +0100)] 
spapr-vty: Fix bad assert() statement

When using the serial console in the GTK interface of QEMU (and
QEMU has been compiled with CONFIG_VTE), it is possible to trigger
the assert() statement in vty_receive() in spapr_vty.c by pasting
a chunk of text with length > 16 into the QEMU window.
Most of the other serial backends seem to simply drop characters
that they cannot handle, so I think we should also do the same in
spapr-vty to fix this issue.

Buglink: https://bugs.launchpad.net/qemu/+bug/1639322
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  FU exceptions should carry a cause (IC)
Balbir Singh [Thu, 10 Nov 2016 04:37:31 +0000 (15:37 +1100)] 
FU exceptions should carry a cause (IC)

As per the ISA we need a cause, and executing a tabort r9 in libc,
for example, causes an EXCP_FU exception, but we don't wire up the
IC (cause) when we post the exception. The cause is required
for the kernel to do the right thing. The fix applies only to 64-bit
ppc targets.

Signed-off-by: Balbir Singh <bsingharora@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  spapr: Fix migration of PCI host bridges from qemu-2.7
David Gibson [Mon, 14 Nov 2016 23:08:42 +0000 (10:08 +1100)] 
spapr: Fix migration of PCI host bridges from qemu-2.7

daa2369 "spapr_pci: Add a 64-bit MMIO window" subtly broke migration from
qemu-2.7 to the current version.  It split the device's MMIO window into
two pieces for 32-bit and 64-bit MMIO.

The patch included backwards compatibility code to convert the old property
into the new format.  However, the property value was also transferred in
the migration stream and compared with a (probably unwise) VMSTATE_EQUAL.
So, the "raw" value from 2.7 is compared to the new style converted value
from (pre-)2.8 giving a mismatch and migration failure.

Although it would be technically possible to fix this in a way allowing
backwards migration, that would leave an ugly legacy around indefinitely.
This patch takes the simpler approach of bumping the migration version,
dropping the unwise VMSTATE_EQUAL (and some equally unwise ones around it)
and ignoring them on an incoming migration.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
5 years ago  target-ppc: Implement bcdctz. instruction
Jose Ricardo Ziviani [Tue, 8 Nov 2016 16:50:25 +0000 (14:50 -0200)] 
target-ppc: Implement bcdctz. instruction

bcdctz. converts from BCD to Zoned numeric format. Zoned format uses
a byte to represent a digit where the most significant nibble is 0x3
or 0xf, depending on the preferred signal.

Signed-off-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  target-ppc: Implement bcdcfz. instruction
Jose Ricardo Ziviani [Tue, 8 Nov 2016 16:50:24 +0000 (14:50 -0200)] 
target-ppc: Implement bcdcfz. instruction

bcdcfz. converts from Zoned numeric format to BCD. Zoned format uses
a byte to represent a digit where the most significant nibble is 0x3
or 0xf, depending on the preferred signal.

Signed-off-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  target-ppc: Implement bcdctn. instruction
Jose Ricardo Ziviani [Tue, 8 Nov 2016 16:50:23 +0000 (14:50 -0200)] 
target-ppc: Implement bcdctn. instruction

bcdctn. converts from BCD to National numeric format. National format
uses a byte to represent a digit where the most significant nibble is
always 0x3 and the least significant nibble is the digit itself.

Signed-off-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  target-ppc: Implement bcdcfn. instruction
Jose Ricardo Ziviani [Tue, 8 Nov 2016 16:50:22 +0000 (14:50 -0200)] 
target-ppc: Implement bcdcfn. instruction

bcdcfn. converts from National numeric format to BCD. National format
uses a byte to represent a digit where the most significant nibble is
always 0x3 and the least significant nibble is the digit itself.

Signed-off-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  ppc: Remove some stub POWER6 models
David Gibson [Fri, 28 Oct 2016 11:30:29 +0000 (22:30 +1100)] 
ppc: Remove some stub POWER6 models

The CPU model table includes stub (commented out) definitions for
CPU_POWERPC_POWER6_5 and CPU_POWERPC_POWER6A.  These are not real cpu
models, but represent the POWER6 in some compatibility modes.  If we ever
do implement POWER6 (unlikely), we'll implement its compatibility modes in
a different way (similar to what we do for POWER7 and POWER8).  So these
stub definitions can be removed.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
5 years ago  ppc/pnv: fix compile breakage on old gcc
Cédric Le Goater [Mon, 7 Nov 2016 18:03:02 +0000 (19:03 +0100)] 
ppc/pnv: fix compile breakage on old gcc

PnvChip is defined twice and this can confuse old compilers:

  CC      ppc64-softmmu/hw/ppc/pnv_xscom.o
In file included from qemu.git/hw/ppc/pnv.c:29:
qemu.git/include/hw/ppc/pnv.h:60: error: redefinition of typedef ‘PnvChip’
qemu.git/include/hw/ppc/pnv_xscom.h:24: note: previous declaration of ‘PnvChip’ was here
make[1]: *** [hw/ppc/pnv.o] Error 1
make[1]: *** Waiting for unfinished jobs....

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  powernv: CPU compatibility modes don't make sense for powernv
David Gibson [Mon, 31 Oct 2016 23:25:29 +0000 (10:25 +1100)] 
powernv: CPU compatibility modes don't make sense for powernv

powernv has some code (derived from the spapr equivalent) used in device
tree generation which depends on the CPU's compatibility mode / logical
PVR.  However, compatibility modes don't make sense on powernv - at least
not as a property controlled by the host - because the guest in powernv
has full hypervisor level access to the virtual system, and so owns the
PCR (Processor Compatibility Register) which implements compatibility modes.

Note: the new logic doesn't take into account kvmppc_smt_threads() like the
old version did.  However, if core->nr_threads exceeds kvmppc_smt_threads()
then things will already be broken and clamping the value in the device
tree isn't going to save us.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
5 years ago  target-ppc: add vprtyb[w/d/q] instructions
Ankit Kumar [Sun, 30 Oct 2016 03:14:58 +0000 (08:44 +0530)] 
target-ppc: add vprtyb[w/d/q] instructions

Add the following POWER ISA 3.0 instructions.
vprtybw: Vector Parity Byte Word
vprtybd: Vector Parity Byte Double Word
vprtybq: Vector Parity Byte Quad Word

Signed-off-by: Ankit Kumar <ankit@linux.vnet.ibm.com>
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  target-ppc: add vrldnm and vrlwnm instructions
Bharata B Rao [Sun, 30 Oct 2016 03:14:57 +0000 (08:44 +0530)] 
target-ppc: add vrldnm and vrlwnm instructions

vrldnm: Vector Rotate Left Doubleword then AND with Mask
vrlwnm: Vector Rotate Left Word then AND with Mask

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  target-ppc: add vrldnmi and vrlwmi instructions
Gautham R. Shenoy [Sun, 30 Oct 2016 03:14:56 +0000 (08:44 +0530)] 
target-ppc: add vrldnmi and vrlwmi instructions

vrldmi: Vector Rotate Left Dword then Mask Insert
vrlwmi: Vector Rotate Left Word then Mask Insert

Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
(use extract[32,64] and rol[32,64], introduce mask helpers in
 internal.h)
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
5 years ago  bitops: fix rol/ror when shift is zero
Nikunj A Dadhania [Sun, 30 Oct 2016 03:14:55 +0000 (08:44 +0530)] 
bitops: fix rol/ror when shift is zero

All the variants for rol/ror have a bug in the case where shift == 0.
For example, rol32 would generate:

    return (word << 0) | (word >> 32);

Which, though it works, would be flagged as a runtime error on clang's
sanitizer.

Suggested-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
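The zero-shift hazard from the commit above, as an added example that is not the commit's own diff: `rol32_naive` is the textbook rotate whose right shift becomes a shift by the full operand width when `shift == 0` (undefined in C, and what the sanitizer reports), and the other rotates use the masked-count idiom, assumed here as the fix, which keeps every shift count in range. `rotate_roundtrip_ok` is an illustrative self-check, not a QEMU helper.

```c
#include <stdint.h>

/* Added example, not QEMU's code. Textbook rotate: with shift == 0 the
 * right operand becomes "word >> 32", a shift by the full width, which
 * C leaves undefined and clang's UBSan flags at runtime. Kept only for
 * contrast; never call it with shift == 0. */
static inline uint32_t rol32_naive(uint32_t word, unsigned int shift)
{
    return (word << shift) | (word >> (32 - shift));
}

/* Masked-count idiom (assumed fix): "(32 - shift) & 31" maps the
 * shift == 0 case to a right shift by 0, so rol32(x, 0) == x and both
 * counts stay within 0..31. Callers must still pass shift < 32. */
static inline uint32_t rol32(uint32_t word, unsigned int shift)
{
    return (word << shift) | (word >> ((32 - shift) & 31));
}

static inline uint32_t ror32(uint32_t word, unsigned int shift)
{
    return (word >> shift) | (word << ((32 - shift) & 31));
}

static inline uint64_t rol64(uint64_t word, unsigned int shift)
{
    return (word << shift) | (word >> ((64 - shift) & 63));
}

static inline uint64_t ror64(uint64_t word, unsigned int shift)
{
    return (word >> shift) | (word << ((64 - shift) & 63));
}

/* Illustrative self-check: rotating left then right by the same count
 * must be the identity for every in-range count, including 0.
 * Returns 1 when the property holds for both widths, 0 otherwise. */
int rotate_roundtrip_ok(uint32_t x32, uint64_t x64)
{
    for (unsigned int s = 0; s < 32; s++) {
        if (ror32(rol32(x32, s), s) != x32) {
            return 0;
        }
    }
    for (unsigned int s = 0; s < 64; s++) {
        if (ror64(rol64(x64, s), s) != x64) {
            return 0;
        }
    }
    return 1;
}
```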
5 years ago  migration: Fix return code of ram_save_iterate()
Thomas Huth [Fri, 4 Nov 2016 13:10:17 +0000 (14:10 +0100)] 
migration: Fix return code of ram_save_iterate()

qemu_savevm_state_iterate() expects the iterators to return 1
when they are done, and 0 if there is still something left to do.
However, ram_save_iterate() does not obey this rule and returns
the number of saved pages instead. This causes a fatal hang with
ppc64 guests when you run QEMU like this (also works with TCG):

 qemu-img create -f qcow2  /tmp/test.qcow2 1M
 qemu-system-ppc64 -nographic -nodefaults -m 256 \
                   -hda /tmp/test.qcow2 -serial mon:stdio

... then switch to the monitor by pressing CTRL-a c and try to
save a snapshot with "savevm test1" for example.

After the first iteration, ram_save_iterate() always returns 0 here,
so that qemu_savevm_state_iterate() hangs in an endless loop and you
can only "kill -9" the QEMU process.
Fix it by using proper return values in ram_save_iterate().

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>