qemu.git
7 months agoUpdate version for v5.1.0-rc1 release v5.1.0-rc1
Peter Maydell [Tue, 21 Jul 2020 19:28:59 +0000 (20:28 +0100)] 
Update version for v5.1.0-rc1 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Tue, 21 Jul 2020 18:25:48 +0000 (19:25 +0100)] 
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- file-posix: Handle `EINVAL` fallocate return value
- qemu-img convert -n: Keep qcow2 v2 target sparse

# gpg: Signature made Tue 21 Jul 2020 16:45:28 BST
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  iotests: Test sparseness for qemu-img convert -n
  qcow2: Implement v2 zero writes with discard if possible
  file-posix: Handle `EINVAL` fallocate return value

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/armbru/tags/pull-qom-2020-07-21' into staging
Peter Maydell [Tue, 21 Jul 2020 17:31:52 +0000 (18:31 +0100)] 
Merge remote-tracking branch 'remotes/armbru/tags/pull-qom-2020-07-21' into staging

QOM patches for 2020-07-21

# gpg: Signature made Tue 21 Jul 2020 16:40:27 BST
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-qom-2020-07-21:
  qom: Make info qom-tree sort children more efficiently
  qom: Document object_get_canonical_path() returns malloced string
  qom: Change object_get_canonical_path_component() not to malloc

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/kraxel/tags/fixes-20200721-pull-request' into...
Peter Maydell [Tue, 21 Jul 2020 16:36:14 +0000 (17:36 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200721-pull-request' into staging

fixes for xhci and modular builds.

# gpg: Signature made Tue 21 Jul 2020 15:02:33 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/fixes-20200721-pull-request:
  module: ignore NULL type
  qxl: fix modular builds with dtrace
  xhci: fix valid.max_access_size to access address registers

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
Peter Maydell [Tue, 21 Jul 2020 15:50:42 +0000 (16:50 +0100)] 
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Tue 21 Jul 2020 14:31:13 BST
# gpg:                using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
  hw/net: Added plen fix for IPv6

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoiotests: Test sparseness for qemu-img convert -n
Kevin Wolf [Tue, 21 Jul 2020 13:55:20 +0000 (15:55 +0200)] 
iotests: Test sparseness for qemu-img convert -n

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200721135520.72355-3-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoqom: Make info qom-tree sort children more efficiently
Markus Armbruster [Tue, 14 Jul 2020 16:02:02 +0000 (18:02 +0200)] 
qom: Make info qom-tree sort children more efficiently

Commit e8c9e65816 "qom: Make "info qom-tree" show children sorted"
sorts children the simple, stupid, quadratic way.  I thought the
number of children would be small enough for this not to matter.  I
was wrong: there are outliers with several hundred children, e.g ARM
machines nuri and smdkc210 each have a node with 513 children.

While n^2 sorting isn't noticeable in normal, human usage even for
n=513, it can be quite noticeable in certain automated tests.  In
particular, the sort made device-introspect-test even slower.  Commit
3e7b80f84d "tests: improve performance of device-introspect-test" just
fixed that by cutting back its excessive use of "info qom-tree".
Sorting more efficiently makes sense regardless, so do it.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200714160202.3121879-6-armbru@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2020-07-21' into staging
Peter Maydell [Tue, 21 Jul 2020 15:10:38 +0000 (16:10 +0100)] 
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2020-07-21' into staging

QAPI patches patches for 2020-07-21

# gpg: Signature made Tue 21 Jul 2020 14:05:05 BST
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-qapi-2020-07-21:
  qapi: Fix visit_type_STRUCT() not to fail for null object

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoqcow2: Implement v2 zero writes with discard if possible
Kevin Wolf [Tue, 21 Jul 2020 13:55:19 +0000 (15:55 +0200)] 
qcow2: Implement v2 zero writes with discard if possible

qcow2 version 2 images don't support the zero flag for clusters, so for
write_zeroes requests, we return -ENOTSUP and get explicit zero buffer
writes. If the image doesn't have a backing file, we can do better: Just
discard the respective clusters.

This is relevant for 'qemu-img convert -O qcow2 -n', where qemu-img has
to assume that the existing target image may contain any data, so it has
to write zeroes. Without this patch, this results in a fully allocated
target image, even if the source image was empty.

Reported-by: Nir Soffer <nsoffer@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200721135520.72355-2-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agofile-posix: Handle `EINVAL` fallocate return value
Antoine Damhet [Fri, 17 Jul 2020 13:56:04 +0000 (15:56 +0200)] 
file-posix: Handle `EINVAL` fallocate return value

The `detect-zeroes=unmap` option may issue unaligned
`FALLOC_FL_PUNCH_HOLE` requests, raw block devices can (and will) return
`EINVAL`, qemu should then write the zeroes to the blockdev instead of
issuing an `IO_ERROR`.

The problem can be reprodced like this:

$ qemu-io -c 'write -P 0 42 1234' --image-opts driver=host_device,filename=/dev/loop0,detect-zeroes=unmap
write failed: Invalid argument

Signed-off-by: Antoine Damhet <antoine.damhet@blade-group.com>
Message-Id: <20200717135603.51180-1-antoine.damhet@blade-group.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoqom: Document object_get_canonical_path() returns malloced string
Markus Armbruster [Tue, 14 Jul 2020 16:02:01 +0000 (18:02 +0200)] 
qom: Document object_get_canonical_path() returns malloced string

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200714160202.3121879-5-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
7 months agoqom: Change object_get_canonical_path_component() not to malloc
Markus Armbruster [Tue, 14 Jul 2020 16:02:00 +0000 (18:02 +0200)] 
qom: Change object_get_canonical_path_component() not to malloc

object_get_canonical_path_component() returns a malloced copy of a
property name on success, null on failure.

19 of its 25 callers immediately free the returned copy.

Change object_get_canonical_path_component() to return the property
name directly.  Since modifying the name would be wrong, adjust the
return type to const char *.

Drop the free from the 19 callers become simpler, add the g_strdup()
to the other six.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200714160202.3121879-4-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
7 months agohw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
Mauro Matteo Cascella [Fri, 10 Jul 2020 09:19:41 +0000 (11:19 +0200)] 
hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()

A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
occurs while sending an Ethernet frame due to missing break statements
and improper checking of the buffer size.

Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
7 months agohw/net: Added plen fix for IPv6
Andrew [Thu, 16 Jul 2020 03:53:24 +0000 (06:53 +0300)] 
hw/net: Added plen fix for IPv6

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1708065
With network backend with 'virtual header' - there was an issue
in 'plen' field. Overall, during TSO, 'plen' would be changed,
but with 'vheader' this field should be set to the size of the
payload itself instead of '0'.

Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-07-21' into staging
Peter Maydell [Tue, 21 Jul 2020 13:03:45 +0000 (14:03 +0100)] 
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-07-21' into staging

Block patches for 5.1:
- Let LUKS images only be shared between VMs if the guest device was
  configured to allow that
- Fix abort() from bdrv_aio_cancel() for guest devices without a BDS

# gpg: Signature made Tue 21 Jul 2020 12:47:17 BST
# gpg:                using RSA key 91BEB60A30DB3E8857D11829F407DB0061D5CF40
# gpg:                issuer "mreitz@redhat.com"
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>" [full]
# Primary key fingerprint: 91BE B60A 30DB 3E88 57D1  1829 F407 DB00 61D5 CF40

* remotes/maxreitz/tags/pull-block-2020-07-21:
  block: fix bdrv_aio_cancel() for ENOMEDIUM requests
  qemu-iotests: add testcase for bz #1857490
  block/crypto: disallow write sharing by default

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoqapi: Fix visit_type_STRUCT() not to fail for null object
Markus Armbruster [Thu, 16 Jul 2020 15:06:17 +0000 (17:06 +0200)] 
qapi: Fix visit_type_STRUCT() not to fail for null object

To make deallocating partially constructed objects work, the
visit_type_STRUCT() need to succeed without doing anything when passed
a null object.

Commit cdd2b228b9 "qapi: Smooth visitor error checking in generated
code" broke that.  To reproduce, run tests/test-qobject-input-visitor
with AddressSanitizer:

    ==4353==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7f192d0c5d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
#1 0x7f192cd21b10 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b10)
#2 0x556725f6bbee in visit_next_list qapi/qapi-visit-core.c:86
#3 0x556725f49e15 in visit_type_UserDefOneList tests/test-qapi-visit.c:474
#4 0x556725f4489b in test_visitor_in_fail_struct_in_list tests/test-qobject-input-visitor.c:1086
#5 0x7f192cd42f29  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72f29)

    SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).

Test case /visitor/input/fail/struct-in-list feeds a list with a bad
element to the QObject input visitor.  Visiting that element duly
fails, and aborts the visit with the list only partially constructed:
the faulty object is null.  Cleaning up the partially constructed list
visits that null object, fails, and aborts the visit before the list
node gets freed.

Fix the the generated visit_type_STRUCT() to succeed for null objects.

Fixes: cdd2b228b973d2a29edf7696ef6e8b08ec329019
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200716150617.4027356-1-armbru@redhat.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
7 months agoblock: fix bdrv_aio_cancel() for ENOMEDIUM requests
Stefan Hajnoczi [Mon, 20 Jul 2020 10:01:41 +0000 (11:01 +0100)] 
block: fix bdrv_aio_cancel() for ENOMEDIUM requests

bdrv_aio_cancel() calls aio_poll() on the AioContext for the given I/O
request until it has completed. ENOMEDIUM requests are special because
there is no BlockDriverState when the drive has no medium!

Define a .get_aio_context() function for BlkAioEmAIOCB requests so that
bdrv_aio_cancel() can find the AioContext where the completion BH is
pending. Without this function bdrv_aio_cancel() aborts on ENOMEDIUM
requests!

libFuzzer triggered the following assertion:

  cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
    -nographic -monitor none -serial none \
    -qtest stdio -trace ide\*
  outl 0xcf8 0x8000fa24
  outl 0xcfc 0xe106c000
  outl 0xcf8 0x8000fa04
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fb20
  write 0x0 0x3 0x2780e7
  write 0xe106c22c 0xd 0x1130c218021130c218021130c2
  write 0xe106c218 0x15 0x110010110010110010110010110010110010110010
  EOF
  ide_exec_cmd IDE exec cmd: bus 0x56170a77a2b8; state 0x56170a77a340; cmd 0xe7
  ide_reset IDEstate 0x56170a77a340
  Aborted (core dumped)

  (gdb) bt
  #1  0x00007ffff4f93895 in abort () at /lib64/libc.so.6
  #2  0x0000555555dc6c00 in bdrv_aio_cancel (acb=0x555556765550) at block/io.c:2745
  #3  0x0000555555dac202 in blk_aio_cancel (acb=0x555556765550) at block/block-backend.c:1546
  #4  0x0000555555b1bd74 in ide_reset (s=0x555557213340) at hw/ide/core.c:1318
  #5  0x0000555555b1e3a1 in ide_bus_reset (bus=0x5555572132b8) at hw/ide/core.c:2422
  #6  0x0000555555b2aa27 in ahci_reset_port (s=0x55555720eb50, port=2) at hw/ide/ahci.c:650
  #7  0x0000555555b29fd7 in ahci_port_write (s=0x55555720eb50, port=2, offset=44, val=16) at hw/ide/ahci.c:360
  #8  0x0000555555b2a564 in ahci_mem_write (opaque=0x55555720eb50, addr=556, val=16, size=1) at hw/ide/ahci.c:513
  #9  0x000055555598415b in memory_region_write_accessor (mr=0x55555720eb80, addr=556, value=0x7fffffffb838, size=1, shift=0, mask=255, attrs=...) at softmmu/memory.c:483

Looking at bdrv_aio_cancel:

2728 /* async I/Os */
2729
2730 void bdrv_aio_cancel(BlockAIOCB *acb)
2731 {
2732     qemu_aio_ref(acb);
2733     bdrv_aio_cancel_async(acb);
2734     while (acb->refcnt > 1) {
2735         if (acb->aiocb_info->get_aio_context) {
2736             aio_poll(acb->aiocb_info->get_aio_context(acb), true);
2737         } else if (acb->bs) {
2738             /* qemu_aio_ref and qemu_aio_unref are not thread-safe, so
2739              * assert that we're not using an I/O thread.  Thread-safe
2740              * code should use bdrv_aio_cancel_async exclusively.
2741              */
2742             assert(bdrv_get_aio_context(acb->bs) == qemu_get_aio_context());
2743             aio_poll(bdrv_get_aio_context(acb->bs), true);
2744         } else {
2745             abort();     <===============
2746         }
2747     }
2748     qemu_aio_unref(acb);
2749 }

Fixes: 02c50efe08736116048d5fc355043080f4d5859c ("block: Add bdrv_aio_cancel_async")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1878255
Originally-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20200720100141.129739-1-stefanha@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-07-21' into...
Peter Maydell [Tue, 21 Jul 2020 09:24:38 +0000 (10:24 +0100)] 
Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-07-21' into staging

* Fix memory leak in fuzzer
* Fuzzer documentation updates
* Some other minor fuzzer updates
* Fix "make check-qtest SPEED=slow" (bug in msf2 instance_init)

# gpg: Signature made Tue 21 Jul 2020 07:48:10 BST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* remotes/huth-gitlab/tags/pull-request-2020-07-21:
  hw: Mark nd_table[] misuse in realize methods FIXME
  msf2: Unbreak device-list-properties for "msf-soc"
  MAINTAINERS: Extend the device fuzzing section
  docs/fuzz: add instructions for generating a coverage report
  docs/fuzz: add information about useful libFuzzer flags
  docs/fuzz: describe building fuzzers with enable-sanitizers
  fuzz: build without AddressSanitizer, by default
  gitlab-ci.yml: Add oss-fuzz build tests
  fuzz: Fix leak when assembling datadir path string
  scripts/oss-fuzz: Limit target list to i386-softmmu

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agomodule: ignore NULL type
Gerd Hoffmann [Mon, 20 Jul 2020 10:03:51 +0000 (12:03 +0200)] 
module: ignore NULL type

Just return in case module_load_qom_one(NULL) is called.
vga_interface_available() can do that.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20200720100352.2477-3-kraxel@redhat.com>

7 months agoqxl: fix modular builds with dtrace
Gerd Hoffmann [Mon, 20 Jul 2020 10:03:50 +0000 (12:03 +0200)] 
qxl: fix modular builds with dtrace

Checking the enable/disable state of tracepoints via
trace_event_get_state_backends() does not work for modules.

qxl checks the state for a small optimization (avoid g_strndup
call in case log_buf will not be used anyway), so we can just
drop that check for modular builds.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20200720100352.2477-2-kraxel@redhat.com>

7 months agoxhci: fix valid.max_access_size to access address registers
Laurent Vivier [Tue, 21 Jul 2020 08:33:22 +0000 (10:33 +0200)] 
xhci: fix valid.max_access_size to access address registers

QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
64-bit mode access in "runtime" and "operational" MemoryRegionOps.

Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.

XHCI specs:
"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
should write 64-bit registers using only Qword accesses.  If a
system is incapable of issuing Qword accesses, then writes to the
64-bit address fields shall be performed using 2 Dword accesses;
low Dword-first, high-Dword second.  If the xHC supports 32-bit
addressing (AC64 = ‘0’), then the high Dword of registers containing
64-bit address fields are unused and software should write addresses
using only Dword accesses"

The problem has been detected with SLOF, as linux kernel always accesses
registers using 32-bit access even if AC64 is set and revealed by
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")

Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 20200721083322.90651-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
7 months agoqemu-iotests: add testcase for bz #1857490
Maxim Levitsky [Sun, 19 Jul 2020 12:20:59 +0000 (15:20 +0300)] 
qemu-iotests: add testcase for bz #1857490

Test that we can't write-share raw luks images by default,
but we still can with share-rw=on

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Message-Id: <20200719122059.59843-3-mlevitsk@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
7 months agoblock/crypto: disallow write sharing by default
Maxim Levitsky [Sun, 19 Jul 2020 12:20:58 +0000 (15:20 +0300)] 
block/crypto: disallow write sharing by default

My commit 'block/crypto: implement the encryption key management'
accidently allowed raw luks images to be shared between different
qemu processes without share-rw=on explicit override.
Fix that.

Fixes: bbfdae91fb ("block/crypto: implement the encryption key management")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1857490

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Message-Id: <20200719122059.59843-2-mlevitsk@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
7 months agohw: Mark nd_table[] misuse in realize methods FIXME
Markus Armbruster [Wed, 15 Jul 2020 14:04:40 +0000 (16:04 +0200)] 
hw: Mark nd_table[] misuse in realize methods FIXME

nd_table[] contains NIC configuration for boards to pick up.  Device
code has no business looking there.  Several devices do it anyway.
Two of them already have a suitable FIXME comment: "allwinner-a10" and
"msf2-soc".  Copy it to the others: "allwinner-h3", "xlnx-versal",
"xlnx,zynqmp", "sparc32-ledma", "riscv.sifive.u.soc".

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200715140440.3540942-3-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agomsf2: Unbreak device-list-properties for "msf-soc"
Markus Armbruster [Wed, 15 Jul 2020 14:04:39 +0000 (16:04 +0200)] 
msf2: Unbreak device-list-properties for "msf-soc"

Watch this:

    $ qemu-system-aarch64 -M ast2600-evb -S -display none -qmp stdio
    {"QMP": {"version": {"qemu": {"micro": 50, "minor": 0, "major": 5}, "package": "v5.0.0-2464-g3a9163af4e"}, "capabilities": ["oob"]}}
    {"execute": "qmp_capabilities"}
    {"return": {}}
    {"execute": "device-list-properties", "arguments": {"typename": "msf2-soc"}}
    Unsupported NIC model: ftgmac100
    armbru@dusky:~/work/images$ echo $?
    1

This is what breaks "make check SPEED=slow".

Root cause is m2sxxx_soc_initfn()'s messing with nd_table[] via
qemu_check_nic_model().  That's wrong.

We fixed the exact same bug for device "allwinner-a10" in commit
8aabc5437b "hw/arm/allwinner-a10: Do not use nd_table in instance_init
function".  Fix this instance the same way: move the offending code to
m2sxxx_soc_realize(), where it's less wrong, and add a FIXME comment.

Fixes: 05b7374a58 ("msf2: Add EMAC block to SmartFusion2 SoC")
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200715140440.3540942-2-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoMAINTAINERS: Extend the device fuzzing section
Thomas Huth [Tue, 21 Jul 2020 05:36:09 +0000 (07:36 +0200)] 
MAINTAINERS: Extend the device fuzzing section

The file docs/devel/fuzzing.txt should be in this section, too, and add
myself as a reviewer (since I often take the fuzzer patches through the
qtest-next tree, I should be notified on patches, too).

Message-Id: <20200721053926.17197-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agodocs/fuzz: add instructions for generating a coverage report
Alexander Bulekov [Mon, 6 Jul 2020 19:55:34 +0000 (15:55 -0400)] 
docs/fuzz: add instructions for generating a coverage report

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200706195534.14962-5-alxndr@bu.edu>
[thuth: Replaced --enable-sanitizers with --enable-fuzzing]
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agodocs/fuzz: add information about useful libFuzzer flags
Alexander Bulekov [Mon, 6 Jul 2020 19:55:33 +0000 (15:55 -0400)] 
docs/fuzz: add information about useful libFuzzer flags

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200706195534.14962-4-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agodocs/fuzz: describe building fuzzers with enable-sanitizers
Alexander Bulekov [Mon, 6 Jul 2020 19:55:32 +0000 (15:55 -0400)] 
docs/fuzz: describe building fuzzers with enable-sanitizers

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200706195534.14962-3-alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agofuzz: build without AddressSanitizer, by default
Alexander Bulekov [Mon, 6 Jul 2020 19:55:31 +0000 (15:55 -0400)] 
fuzz: build without AddressSanitizer, by default

We already have a nice --enable-sanitizers option to enable
AddressSanitizer. There is no reason to duplicate and force this
functionality in --enable-fuzzing. In the future, if more sanitizers are
added to --enable-sanitizers, it might be impossible to build with both
--enable-sanitizers and --enable-fuzzing, since not all sanitizers are
compatible with libFuzzer. In that case, we could enable ASAN with
--extra-cflags="-fsanitize=address"

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200706195534.14962-2-alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[thuth: Added missing $CFLAGS]
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agogitlab-ci.yml: Add oss-fuzz build tests
Alexander Bulekov [Thu, 16 Jul 2020 16:33:30 +0000 (12:33 -0400)] 
gitlab-ci.yml: Add oss-fuzz build tests

This tries to build and run the fuzzers with the same build-script used
by oss-fuzz. This doesn't guarantee that the builds on oss-fuzz will
also succeed, since oss-fuzz provides its own compiler and fuzzer vars,
but it can catch changes that are not compatible with the the
./scripts/oss-fuzz/build.sh script.
The strange way of finding fuzzer binaries stems from the method used by
oss-fuzz:
https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-runner/targets_list

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200720073223.22945-1-thuth@redhat.com>
[thuth: Tweak the "script" to make it work, exclude slirp test, etc.]
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agofuzz: Fix leak when assembling datadir path string
Alexander Bulekov [Fri, 17 Jul 2020 16:35:23 +0000 (12:35 -0400)] 
fuzz: Fix leak when assembling datadir path string

We freed the string containing the final datadir path, but did not free
the path to the executable's directory that we get from
g_path_get_dirname(). Fix that.

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200717163523.1591-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoscripts/oss-fuzz: Limit target list to i386-softmmu
Thomas Huth [Fri, 17 Jul 2020 06:57:42 +0000 (08:57 +0200)] 
scripts/oss-fuzz: Limit target list to i386-softmmu

The build.sh script only copies qemu-fuzz-i386 to the destination folder,
so we can speed up the compilation step quite a bit by not compiling the
other targets here.

Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200720' into...
Peter Maydell [Mon, 20 Jul 2020 14:58:07 +0000 (15:58 +0100)] 
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200720' into staging

target-arm queue:
 * virt: Don't enable MTE emulation by default
 * virt: Diagnose attempts to use MTE with memory-hotplug or KVM
   (rather than silently not working correctly)
 * util: Implement qemu_get_thread_id() for OpenBSD
 * qdev: Add doc comments for qdev_unrealize and GPIO functions,
   and standardize on doc-comments-in-header-file
 * hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
 * docs/system: Document canon-a1100, collie, gumstix, virt boards

# gpg: Signature made Mon 20 Jul 2020 13:55:36 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20200720:
  docs/system: Document the arm virt board
  docs/system: Briefly document gumstix boards
  docs/system: Briefly document collie board
  docs/system: Briefly document canon-a1100 board
  hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
  qdev: Document GPIO related functions
  qdev: Document qdev_unrealize()
  qdev: Move doc comments from qdev.c to qdev-core.h
  util: Implement qemu_get_thread_id() for OpenBSD
  hw/arm/virt: Disable memory hotplug when MTE is enabled
  hw/arm/virt: Error for MTE enabled with KVM
  hw/arm/virt: Enable MTE via a machine property

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agodocs/system: Document the arm virt board
Peter Maydell [Mon, 13 Jul 2020 17:57:46 +0000 (18:57 +0100)] 
docs/system: Document the arm virt board

Document the arm 'virt' board, which has been undocumented
for far too long given that it is the main recommended board
type for arm guests.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20200713175746.5936-5-peter.maydell@linaro.org

7 months agodocs/system: Briefly document gumstix boards
Peter Maydell [Mon, 13 Jul 2020 17:57:45 +0000 (18:57 +0100)] 
docs/system: Briefly document gumstix boards

Add skeletal documentation of the gumstix boards
('connex' and 'verdex').

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20200713175746.5936-4-peter.maydell@linaro.org

7 months agodocs/system: Briefly document collie board
Peter Maydell [Mon, 13 Jul 2020 17:57:44 +0000 (18:57 +0100)] 
docs/system: Briefly document collie board

Add skeletal documentation of the collie board.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20200713175746.5936-3-peter.maydell@linaro.org

7 months agodocs/system: Briefly document canon-a1100 board
Peter Maydell [Mon, 13 Jul 2020 17:57:43 +0000 (18:57 +0100)] 
docs/system: Briefly document canon-a1100 board

Add skeletal documentation of the canon-a1100 board.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20200713175746.5936-2-peter.maydell@linaro.org

7 months agohw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
Peter Maydell [Mon, 13 Jul 2020 14:37:16 +0000 (15:37 +0100)] 
hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()

In armsse_realize() we have a loop over [0, info->num_cpus), which
indexes into various fixed-size arrays in the ARMSSE struct.  This
confuses Coverity, which warns that we might overrun those arrays
(CID 1430326, 1430337, 1430371, 1430414, 1430430).  This can't
actually happen, because the info struct is always one of the entries
in the armsse_variants[] array and num_cpus is either 1 or 2; we also
already assert in armsse_init() that num_cpus is not too large.
However, adding an assert to armsse_realize() like the one in
armsse_init() should help Coverity figure out that these code paths
aren't possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200713143716.9881-1-peter.maydell@linaro.org

7 months agoqdev: Document GPIO related functions
Peter Maydell [Sat, 11 Jul 2020 14:24:25 +0000 (15:24 +0100)] 
qdev: Document GPIO related functions

Add documentation comments for the various qdev functions
related to creating and connecting GPIO lines.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200711142425.16283-4-peter.maydell@linaro.org

7 months agoqdev: Document qdev_unrealize()
Peter Maydell [Sat, 11 Jul 2020 14:24:24 +0000 (15:24 +0100)] 
qdev: Document qdev_unrealize()

Add a doc comment for qdev_unrealize(), to go with the new
documentation for the realize part of the qdev lifecycle.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200711142425.16283-3-peter.maydell@linaro.org

7 months agoqdev: Move doc comments from qdev.c to qdev-core.h
Peter Maydell [Sat, 11 Jul 2020 14:24:23 +0000 (15:24 +0100)] 
qdev: Move doc comments from qdev.c to qdev-core.h

The doc-comments which document the qdev API are split between the
header file and the C source files, because as a project we haven't
been consistent about where we put them.

Move all the doc-comments in qdev.c to the header files, so that
users of the APIs don't have to look at the implementation files for
this information.

In the process, unify them into our doc-comment format and expand on
them in some cases to clarify expected use cases.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200711142425.16283-2-peter.maydell@linaro.org

7 months agoutil: Implement qemu_get_thread_id() for OpenBSD
David CARLIER [Mon, 20 Jul 2020 09:25:36 +0000 (10:25 +0100)] 
util: Implement qemu_get_thread_id() for OpenBSD

Implement qemu_get_thread_id() for OpenBSD hosts, using
getthrid().

Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Brad Smith <brad@comstyle.com>
Message-id: CA+XhMqxD6gQDBaj8tX0CMEj3si7qYKsM8u1km47e_-U7MC37Pg@mail.gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: tidied up commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agohw/arm/virt: Disable memory hotplug when MTE is enabled
Richard Henderson [Mon, 20 Jul 2020 09:25:36 +0000 (10:25 +0100)] 
hw/arm/virt: Disable memory hotplug when MTE is enabled

When MTE is enabled, tag memory must exist for all RAM.

It might be possible to simultaneously hot plug tag memory
alongside the corresponding normal memory, but for now just
disable hotplug.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200713213341.590275-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agohw/arm/virt: Error for MTE enabled with KVM
Richard Henderson [Mon, 20 Jul 2020 09:25:36 +0000 (10:25 +0100)] 
hw/arm/virt: Error for MTE enabled with KVM

While we expect KVM to support MTE at some future point,
it certainly won't be ready in time for qemu 5.1.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200713213341.590275-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agohw/arm/virt: Enable MTE via a machine property
Richard Henderson [Mon, 20 Jul 2020 09:25:36 +0000 (10:25 +0100)] 
hw/arm/virt: Enable MTE via a machine property

Control this cpu feature via a machine property, much as we do
with secure=on, since both require specialized support in the
machine setup to be functional.

Default MTE to off, since this feature implies extra overhead.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200713213341.590275-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200720' into staging
Peter Maydell [Mon, 20 Jul 2020 10:34:10 +0000 (11:34 +0100)] 
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200720' into staging

ppc patch queue 20200720

Here are some assorted fixes for qemu-5.1:
 * SLOF update with improved TPM handling, and fix for possible stack
   overflows on many-vcpu machines
 * Fix for NUMA distances on NVLink2 attached GPU memory nodes
 * Fixes to fail more gracefully on attempting to plug unsupported PCI bridge types
 * Don't allow pnv-psi device to be user created

# gpg: Signature made Mon 20 Jul 2020 06:29:21 BST
# gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-5.1-20200720:
  pseries: Update SLOF firmware image
  spapr: Add a new level of NUMA for GPUs
  spapr_pci: Robustify support of PCI bridges
  ppc/pnv: Make PSI device types not user creatable

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/cminyard/tags/for-qemu-i2c-5' into staging
Peter Maydell [Mon, 20 Jul 2020 10:03:07 +0000 (11:03 +0100)] 
Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-i2c-5' into staging

Minor changes to:

Add an SMBus config entry

Cleanup/simplify/document some I2C interfaces

# gpg: Signature made Thu 16 Jul 2020 18:46:55 BST
# gpg:                using RSA key FD0D5CE67CE0F59A6688268661F38C90919BFF81
# gpg: Good signature from "Corey Minyard <cminyard@mvista.com>" [unknown]
# gpg:                 aka "Corey Minyard <minyard@acm.org>" [unknown]
# gpg:                 aka "Corey Minyard <corey@minyard.net>" [unknown]
# gpg:                 aka "Corey Minyard <minyard@mvista.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688  2686 61F3 8C90 919B FF81

* remotes/cminyard/tags/for-qemu-i2c-5:
  hw/i2c: Document the I2C qdev helpers
  hw/i2c: Rename i2c_create_slave() as i2c_slave_create_simple()
  hw/i2c: Rename i2c_realize_and_unref() as i2c_slave_realize_and_unref()
  hw/i2c: Rename i2c_try_create_slave() as i2c_slave_new()
  hw/i2c/aspeed_i2c: Simplify aspeed_i2c_get_bus()
  hw/i2c/Kconfig: Add an entry for the SMBus

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMakefile: Remove config-devices.mak on "make clean"
Peter Maydell [Fri, 17 Jul 2020 15:25:08 +0000 (16:25 +0100)] 
Makefile: Remove config-devices.mak on "make clean"

The config-devices.mak files are generated by "make", and so they
should be deleted by "make clean".

(This is different from config-host.mak and config-all-disas.mak,
which are created by "configure" and so only deleted by
"make distclean".)

If we don't delete these files on "make clean", then the build
tree is left in a state where it has the config-devices.mak
file but not the config-devices.mak.d file, and make will not
realize that it needs to rebuild config-devices.mak if, for
instance, hw/sd/Kconfig changes.

NB: config-all-devices.mak is also generated by "make", but we
already remove it on "make clean".

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200717152508.10272-1-peter.maydell@linaro.org

7 months agopseries: Update SLOF firmware image
Alexey Kardashevskiy [Fri, 17 Jul 2020 01:15:31 +0000 (11:15 +1000)] 
pseries: Update SLOF firmware image

This adds tcgbios (this was posted earlier [1] but got lost)
and fixes FDT update at ibm,client-architecture-support
for huge guests.

The full list of changes:

Alexey Kardashevskiy (4):
      make: Define default rule for .c when V=1 or V=2
      version: update to 20200513
      fdt: Avoid recursion when traversing tree
      version: update to 20200717

Gustavo Romero (1):
      board-qemu: Fix comment about SLOF start address

Stefan Berger (6):
      tcgbios: Only write logs for PCRs that are allocated
      tcgbios: Fix the vendorInfoSize to be of type uint8_t
      tcgbios: Add support for SHA3 type of algorithms
      elf: Implement elf_get_file_size to determine size of an ELF image
      tcgbios: Implement tpm_hash_log_extend_event_buffer
      tcgbios: Measure the bootloader file read from disk

[1] https://patchwork.ozlabs.org/project/qemu-devel/patch/20200513024355.121476-1-aik@ozlabs.ru/

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
7 months agospapr: Add a new level of NUMA for GPUs
Reza Arbab [Thu, 16 Jul 2020 22:56:55 +0000 (17:56 -0500)] 
spapr: Add a new level of NUMA for GPUs

NUMA nodes corresponding to GPU memory currently have the same
affinity/distance as normal memory nodes. Add a third NUMA associativity
reference point enabling us to give GPU nodes more distance.

This is guest visible information, which shouldn't change under a
running guest across migration between different qemu versions, so make
the change effective only in new (pseries > 5.0) machine types.

Before, `numactl -H` output in a guest with 4 GPUs (nodes 2-5):

node distances:
node   0   1   2   3   4   5
  0:  10  40  40  40  40  40
  1:  40  10  40  40  40  40
  2:  40  40  10  40  40  40
  3:  40  40  40  10  40  40
  4:  40  40  40  40  10  40
  5:  40  40  40  40  40  10

After:

node distances:
node   0   1   2   3   4   5
  0:  10  40  80  80  80  80
  1:  40  10  80  80  80  80
  2:  80  80  10  80  80  80
  3:  80  80  80  10  80  80
  4:  80  80  80  80  10  80
  5:  80  80  80  80  80  10

These are the same distances as on the host, mirroring the change made
to host firmware in skiboot commit f845a648b8cb ("numa/associativity:
Add a new level of NUMA for GPU's").

Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
Message-Id: <20200716225655.24289-1-arbab@linux.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
7 months agospapr_pci: Robustify support of PCI bridges
Greg Kurz [Thu, 9 Jul 2020 17:12:47 +0000 (19:12 +0200)] 
spapr_pci: Robustify support of PCI bridges

Some recent error handling cleanups unveiled issues with our support of
PCI bridges:

1) QEMU aborts when using non-standard PCI bridge types,
   unveiled by commit 7ef1553dac "spapr_pci: Drop some dead error handling"

$ qemu-system-ppc64 -M pseries -device pcie-pci-bridge
Unexpected error in object_property_find() at qom/object.c:1240:
qemu-system-ppc64: -device pcie-pci-bridge: Property '.chassis_nr' not found
Aborted (core dumped)

This happens because we assume all PCI bridge types to have a "chassis_nr"
property. This property only exists with the standard PCI bridge type
"pci-bridge" actually. We could possibly revert 7ef1553dac but it seems
much simpler to check the presence of "chassis_nr" earlier.

2) QEMU abort if same "chassis_nr" value is used several times,
   unveiled by commit d2623129a7de "qom: Drop parameter @errp of
   object_property_add() & friends"

$ qemu-system-ppc64 -M pseries -device pci-bridge,chassis_nr=1 \
                        -device pci-bridge,chassis_nr=1
Unexpected error in object_property_try_add() at qom/object.c:1167:
qemu-system-ppc64: -device pci-bridge,chassis_nr=1: attempt to add duplicate property '40000100' to object (type 'container')
Aborted (core dumped)

This happens because we assume that "chassis_nr" values are unique, but
nobody enforces that and we end up generating duplicate DRC ids. The PCI
code doesn't really care for duplicate "chassis_nr" properties since it
is only used to initialize the "Chassis Number Register" of the bridge,
with no functional impact on QEMU. So, even if passing the same value
several times might look weird, it never broke anything before, so
I guess we don't necessarily want to enforce strict checking in the PCI
code now.

Workaround both issues in the PAPR code: check that the bridge has a
unique and non null "chassis_nr" when plugging it into its parent bus.

Fixes: 05929a6c5dfe ("spapr: Don't use bus number for building DRC ids")
Fixes: 7ef1553dac ("spapr_pci: Drop some dead error handling")
Fixes: d2623129a7de ("qom: Drop parameter @errp of object_property_add() & friends")
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <159431476748.407044.16711294833569014964.stgit@bahia.lan>
[dwg: Move check slightly to a better place]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
7 months agoppc/pnv: Make PSI device types not user creatable
Greg Kurz [Tue, 7 Jul 2020 16:35:57 +0000 (18:35 +0200)] 
ppc/pnv: Make PSI device types not user creatable

QEMU aborts with -device pnv-psi-POWER8:

$ qemu-system-ppc64 -device pnv-psi-POWER8
qemu-system-ppc64: hw/intc/xics.c:605: ics_realize: Assertion
`ics->xics' failed.
Aborted (core dumped)

The Processor Service Interface Controller is an internal device.
It should only be instantiated by the chip, which takes care of
configuring the link required by the ICS object in the case of
POWER8. It doesn't make sense for a user to specify it on the
command line.

Note that the PSI model for POWER8 was added 3 yrs ago but the
devices weren't available on the command line because of a bug
that was fixed by recent commit 2f35254aa0 ("pnv/psi: Correct
the pnv-psi* devices not to be sysbus devices").

Fixes: 54f59d786c ("ppc/pnv: Add cut down PSI bridge model and hookup external interrupt")
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <159413975752.169116.5808968580649255382.stgit@bahia.lan>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
7 months agoMerge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200717' into staging
Peter Maydell [Sun, 19 Jul 2020 09:29:05 +0000 (10:29 +0100)] 
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200717' into staging

Fix vector min/max fallback expansion
Fix singlestep from exception and interrupt

# gpg: Signature made Fri 17 Jul 2020 19:13:32 BST
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A  05C0 64DF 38E8 AF7E 215F

* remotes/rth/tags/pull-tcg-20200717:
  tcg/cpu-exec: precise single-stepping after an interrupt
  tcg/cpu-exec: precise single-stepping after an exception
  tcg: Save/restore vecop_list around minmax fallback

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/cminyard/tags/for-qemu-ipmi-5' into staging
Peter Maydell [Sat, 18 Jul 2020 22:59:03 +0000 (23:59 +0100)] 
Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-ipmi-5' into staging

Man page update and new set sensor command

Some minor man page updates for fairly obvious things.

The set sensor command addition has been in the Power group's tree for a
long time and I have neglected to submit it.

-corey

# gpg: Signature made Fri 17 Jul 2020 17:45:32 BST
# gpg:                using RSA key FD0D5CE67CE0F59A6688268661F38C90919BFF81
# gpg: Good signature from "Corey Minyard <cminyard@mvista.com>" [unknown]
# gpg:                 aka "Corey Minyard <minyard@acm.org>" [unknown]
# gpg:                 aka "Corey Minyard <corey@minyard.net>" [unknown]
# gpg:                 aka "Corey Minyard <minyard@mvista.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688  2686 61F3 8C90 919B FF81

* remotes/cminyard/tags/for-qemu-ipmi-5:
  ipmi: add SET_SENSOR_READING command
  ipmi: Fix a man page entry
  ipmi: Add man page pieces for the IPMI PCI devices

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/ericb/tags/pull-bitmaps-2020-07-17' into staging
Peter Maydell [Sat, 18 Jul 2020 21:24:34 +0000 (22:24 +0100)] 
Merge remote-tracking branch 'remotes/ericb/tags/pull-bitmaps-2020-07-17' into staging

bitmaps patches for 2020-07-17

- improve corner-case of bitmap migration

# gpg: Signature made Fri 17 Jul 2020 16:10:07 BST
# gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg:                 aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-bitmaps-2020-07-17:
  migration/block-dirty-bitmap: fix add_bitmaps_to_list

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/cohuck/tags/s390x-20200717' into staging
Peter Maydell [Sat, 18 Jul 2020 16:27:34 +0000 (17:27 +0100)] 
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20200717' into staging

Fix typo in newly added documentation.

# gpg: Signature made Fri 17 Jul 2020 14:54:20 BST
# gpg:                using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [marginal]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [marginal]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [marginal]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20200717:
  docs/s390x: fix vfio-ccw type

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agotcg/cpu-exec: precise single-stepping after an interrupt
Richard Henderson [Fri, 17 Jul 2020 16:26:59 +0000 (09:26 -0700)] 
tcg/cpu-exec: precise single-stepping after an interrupt

When single-stepping with a debugger attached to QEMU, and when an
interrupt is raised, the debugger misses the first instruction after
the interrupt.

Tested-by: Luc Michel <luc.michel@greensocs.com>
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/757702
Message-Id: <20200717163029.2737546-1-richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
7 months agoipmi: add SET_SENSOR_READING command
Cédric Le Goater [Mon, 18 Nov 2019 09:24:29 +0000 (10:24 +0100)] 
ipmi: add SET_SENSOR_READING command

SET_SENSOR_READING is a complex IPMI command (see IPMI spec 35.17)
which enables the host software to set the reading value and the event
status of sensors supporting it.

Below is a proposal for all the operations (reading, assert, deassert,
event data) with the following limitations :

 - No event are generated for threshold-based sensors.
 - The case in which the BMC needs to generate its own events is not
   supported.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Corey Minyard <cminyard@mvista.com>
Message-Id: <20191118092429.16149-1-clg@kaod.org>
[Moved the break statement for case SENSOR_GEN_EVENT_DATA above the
 closing brace to keep the indention consistent.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agoipmi: Fix a man page entry
Corey Minyard [Fri, 17 Jul 2020 16:37:02 +0000 (11:37 -0500)] 
ipmi: Fix a man page entry

The line was too long, and some of the entries were wrong (fur instead
of fru).  Just use the prop=val thing tha other entries use.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agoipmi: Add man page pieces for the IPMI PCI devices
Corey Minyard [Mon, 23 Sep 2019 18:50:33 +0000 (13:50 -0500)] 
ipmi: Add man page pieces for the IPMI PCI devices

This was forgotten when the devices were added.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Fri, 17 Jul 2020 13:58:13 +0000 (14:58 +0100)] 
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- file-posix: Fix read-only Linux block devices with auto-read-only
- Require aligned image size with O_DIRECT to avoid assertion failure
- Allow byte-aligned direct I/O on NFS instead of guessing 4k alignment
- Fix nbd_export_close_all() crash
- Fix race in iotests case 030
- qemu-img resize: Require --shrink for shrinking all image formats
- crypto: use a stronger private key for tests
- Remove VXHS block device
- MAINTAINERS: vvfat: set status to odd fixes

# gpg: Signature made Fri 17 Jul 2020 13:31:18 BST
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  file-posix: Fix leaked fd in raw_open_common() error path
  file-posix: Fix check_hdev_writable() with auto-read-only
  file-posix: Move check_hdev_writable() up
  file-posix: Allow byte-aligned O_DIRECT with NFS
  block: Require aligned image size to avoid assertion failure
  iotests: test shutdown when bitmap is exported through NBD
  nbd: make nbd_export_close_all() synchronous
  iotests/030: Reduce job speed to make race less likely
  crypto: use a stronger private key for tests
  qemu-img resize: Require --shrink for shrinking all image formats
  Remove VXHS block device
  vvfat: set status to odd fixes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agomigration/block-dirty-bitmap: fix add_bitmaps_to_list
Vladimir Sementsov-Ogievskiy [Fri, 26 Jun 2020 13:06:58 +0000 (16:06 +0300)] 
migration/block-dirty-bitmap: fix add_bitmaps_to_list

We shouldn't fail when finding an unnamed bitmap in a unnamed node or
node with auto-generated node name, as bitmap migration ignores such
bitmaps in the first place.

Fixes: 82640edb88faa
Fixes: 4ff5cc121b089
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200626130658.76498-1-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: commit message grammar tweaks]
Signed-off-by: Eric Blake <eblake@redhat.com>
7 months agofile-posix: Fix leaked fd in raw_open_common() error path
Kevin Wolf [Fri, 17 Jul 2020 10:54:26 +0000 (12:54 +0200)] 
file-posix: Fix leaked fd in raw_open_common() error path

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200717105426.51134-4-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agofile-posix: Fix check_hdev_writable() with auto-read-only
Kevin Wolf [Fri, 17 Jul 2020 10:54:25 +0000 (12:54 +0200)] 
file-posix: Fix check_hdev_writable() with auto-read-only

For Linux block devices, being able to open the device read-write
doesn't necessarily mean that the device is actually writable (one
example is a read-only LV, as you get with lvchange -pr <device>). We
have check_hdev_writable() to check this condition and fail opening the
image read-write if it's not actually writable.

However, this check doesn't take auto-read-only into account, but
results in a hard failure instead of downgrading to read-only where
possible.

Fix this and do the writable check not based on BDRV_O_RDWR, but only
when this actually results in opening the file read-write. A second
check is inserted in raw_reconfigure_getfd() to have the same check when
dynamic auto-read-only upgrades an image file from read-only to
read-write.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200717105426.51134-3-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agofile-posix: Move check_hdev_writable() up
Kevin Wolf [Fri, 17 Jul 2020 10:54:24 +0000 (12:54 +0200)] 
file-posix: Move check_hdev_writable() up

We'll need to call it in raw_open_common(), so move the function to
avoid a forward declaration.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200717105426.51134-2-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agofile-posix: Allow byte-aligned O_DIRECT with NFS
Kevin Wolf [Thu, 16 Jul 2020 14:26:01 +0000 (16:26 +0200)] 
file-posix: Allow byte-aligned O_DIRECT with NFS

Since commit a6b257a08e3 ('file-posix: Handle undetectable alignment'),
we assume that if we open a file with O_DIRECT and alignment probing
returns 1, we just couldn't find out the real alignment requirement
because some filesystems make the requirement only for allocated blocks.
In this case, a safe default of 4k is used.

This is too strict for NFS, which does actually allow byte-aligned
requests even with O_DIRECT. Because we can't distinguish both cases
with generic code, let's just look at the file system magic and disable
s->needs_alignment for NFS. This way, O_DIRECT can still be used on NFS
for images that are not aligned to 4k.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200716142601.111237-3-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoblock: Require aligned image size to avoid assertion failure
Kevin Wolf [Thu, 16 Jul 2020 14:26:00 +0000 (16:26 +0200)] 
block: Require aligned image size to avoid assertion failure

Unaligned requests will automatically be aligned to bl.request_alignment
and we can't extend write requests to access space beyond the end of the
image without resizing the image, so if we have the WRITE permission,
but not the RESIZE one, it's required that the image size is aligned.

Failing to meet this requirement could cause assertion failures like
this if RESIZE permissions weren't requested:

qemu-img: block/io.c:1910: bdrv_co_write_req_prepare: Assertion `end_sector <= bs->total_sectors || child->perm & BLK_PERM_RESIZE' failed.

This was e.g. triggered by qemu-img converting to a target image with 4k
request alignment when the image was only aligned to 512 bytes, but not
to 4k.

Turn this into a graceful error in bdrv_check_perm() so that WRITE
without RESIZE can only be taken if the image size is aligned. If a user
holds both permissions and drops only RESIZE, the function will return
an error, but bdrv_child_try_set_perm() will ignore the failure silently
if permissions are only requested to be relaxed and just keep both
permissions while returning success.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200716142601.111237-2-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoiotests: test shutdown when bitmap is exported through NBD
Vladimir Sementsov-Ogievskiy [Tue, 14 Jul 2020 16:22:34 +0000 (19:22 +0300)] 
iotests: test shutdown when bitmap is exported through NBD

Test shutdown when bitmap is exported through NBD and active client
exists. The previous patch fixes a crash, provoked by this scenario.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200714162234.13113-3-vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agonbd: make nbd_export_close_all() synchronous
Vladimir Sementsov-Ogievskiy [Tue, 14 Jul 2020 16:22:33 +0000 (19:22 +0300)] 
nbd: make nbd_export_close_all() synchronous

Consider nbd_export_close_all(). The call-stack looks like this:
 nbd_export_close_all() -> nbd_export_close -> call client_close() for
each client.

client_close() doesn't guarantee that client is closed: nbd_trip()
keeps reference to it. So, nbd_export_close_all() just reduce
reference counter on export and removes it from the list, but doesn't
guarantee that nbd_trip() finished neither export actually removed.

Let's wait for all exports actually removed.

Without this fix, the following crash is possible:

- export bitmap through internal Qemu NBD server
- connect a client
- shutdown Qemu

On shutdown nbd_export_close_all is called, but it actually don't wait
for nbd_trip() to finish and to release its references. So, export is
not release, and exported bitmap remains busy, and on try to remove the
bitmap (which is part of bdrv_close()) the assertion fails:

bdrv_release_dirty_bitmap_locked: Assertion `!bdrv_dirty_bitmap_busy(bitmap)' failed

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200714162234.13113-2-vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoiotests/030: Reduce job speed to make race less likely
Kevin Wolf [Thu, 16 Jul 2020 13:28:29 +0000 (15:28 +0200)] 
iotests/030: Reduce job speed to make race less likely

It can happen that the throttling of the stream job doesn't make it slow
enough that we can be sure that it still exists when it is referenced
again. Just use a much smaller speed to make this very unlikely to
happen again.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200716132829.20127-1-kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agocrypto: use a stronger private key for tests
Daniel P. Berrangé [Wed, 15 Jul 2020 15:47:01 +0000 (16:47 +0100)] 
crypto: use a stronger private key for tests

The unit tests using the x509 crypto functionality have started
failing in Fedora 33 rawhide with a message like

      The certificate uses an insecure algorithm

This is result of Fedora changes to support strong crypto [1]. RSA
with 1024 bit key is viewed as legacy and thus insecure. Generate
a new private key which is 3072 bits long and reasonable future
proof.

[1] https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20200715154701.1041325-1-berrange@redhat.com>
Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoqemu-img resize: Require --shrink for shrinking all image formats
Kevin Wolf [Fri, 10 Jul 2020 12:17:17 +0000 (14:17 +0200)] 
qemu-img resize: Require --shrink for shrinking all image formats

QEMU 2.11 introduced the --shrink option for qemu-img resize to avoid
accidentally shrinking images (commit 4ffca8904a3). However, for
compatibility reasons, it was not enforced for raw images yet, but only
a deprecation warning was printed. This warning has existed for long
enough that we can now finally require --shrink for raw images, too, and
error out if it's not given.

Documentation already describes the state as it is after this patch.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20200710121717.28339-1-kwolf@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoRemove VXHS block device
Marc-André Lureau [Sat, 11 Jul 2020 06:59:26 +0000 (10:59 +0400)] 
Remove VXHS block device

The vxhs code doesn't compile since v2.12.0. There's no point in fixing
and then adding CI for a config that our users have demonstrated that
they do not use; better to just remove it.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200711065926.2204721-1-marcandre.lureau@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agovvfat: set status to odd fixes
Prasad J Pandit [Fri, 10 Jul 2020 19:04:51 +0000 (00:34 +0530)] 
vvfat: set status to odd fixes

Virtual VFAT driver is quite old and rarely used. Set its status
to Odd Fixes.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200710190451.761286-1-ppandit@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-07-17' into...
Peter Maydell [Fri, 17 Jul 2020 11:06:02 +0000 (12:06 +0100)] 
Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-07-17' into staging

* Leak fixes
* One fix for running with --enable-werror on macOS
* Add fuzzer test to the Gitlab-CI

# gpg: Signature made Fri 17 Jul 2020 10:53:07 BST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* remotes/huth-gitlab/tags/pull-request-2020-07-17:
  gitlab-ci.yml: Add fuzzer tests
  qom: Plug memory leak in "info qom-tree"
  configure: Fix for running with --enable-werror on macOS
  fuzz: Expect the cmdline in a freeable GString
  tests: qmp-cmd-test: fix memory leak
  qtest: bios-tables-test: fix a memory leak

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agodocs/s390x: fix vfio-ccw type
Cornelia Huck [Thu, 16 Jul 2020 14:50:31 +0000 (16:50 +0200)] 
docs/s390x: fix vfio-ccw type

Fix the type name in the mdevctl example.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20200716145031.771476-1-cohuck@redhat.com>

7 months agogitlab-ci.yml: Add fuzzer tests
Thomas Huth [Wed, 15 Jul 2020 04:32:48 +0000 (06:32 +0200)] 
gitlab-ci.yml: Add fuzzer tests

So far we neither compile-tested nor run any of the new fuzzers in our CI,
which led to some build failures of the fuzzer code in the past weeks.
To avoid this problem, add a job to compile the fuzzer code and run some
loops (which likely don't find any new bugs via fuzzing, but at least we
know that the code can still be run).

A nice side-effect of this test is that the leak tests are enabled here,
so we should now notice some of the memory leaks in our code base earlier.

Message-Id: <20200716100950.27396-1-thuth@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoqom: Plug memory leak in "info qom-tree"
Markus Armbruster [Tue, 14 Jul 2020 16:01:59 +0000 (18:01 +0200)] 
qom: Plug memory leak in "info qom-tree"

Commit e8c9e65816 "qom: Make "info qom-tree" show children sorted"
created a memory leak, because I didn't realize
object_get_canonical_path_component()'s value needs to be freed.

Reproducer:

    $ qemu-system-x86_64 -nodefaults -display none -S -monitor stdio
    QEMU 5.0.50 monitor - type 'help' for more information
    (qemu) info qom-tree

This leaks some 4500 path components, 12-13 characters on average,
i.e. roughly 100kBytes depending on the allocator.  A couple of
hundred "info qom-tree" here, a couple of hundred there, and soon
enough we're talking about real memory.

Plug the leak.

Fixes: e8c9e65816f5dbfe18ad3b2be938d0d8192d459a
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reported-by: Reviewed-by: Li Qiang <liq3ea@gmail.com> [sent same patch]
Message-Id: <20200714160202.3121879-3-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoconfigure: Fix for running with --enable-werror on macOS
Thomas Huth [Thu, 16 Jul 2020 05:12:22 +0000 (07:12 +0200)] 
configure: Fix for running with --enable-werror on macOS

The configure script currently refuses to succeed when run on macOS
with --enable-werror:

 ERROR: configure test passed without -Werror but failed with -Werror.

The information in config.log indicates:

 config-temp/qemu-conf.c:3:55: error: control reaches end of non-void
 function [-Werror,-Wreturn-type]
 static void *f(void *p) { pthread_setname_np("QEMU"); }
                                                      ^
And indeed, the return statement is missing here.

Fixes: 479a57475e ("util: Implement debug-threads for macOS")
Message-Id: <20200716055655.24507-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agofuzz: Expect the cmdline in a freeable GString
Alexander Bulekov [Tue, 14 Jul 2020 17:46:16 +0000 (13:46 -0400)] 
fuzz: Expect the cmdline in a freeable GString

In the initial FuzzTarget, get_init_cmdline returned a char *. With this
API, we had no guarantee about where the string came from. For example,
i440fx-qtest-reboot-fuzz simply returned a pointer to a string literal,
while the QOS-based targets build the arguments out in a GString an
return the gchar *str pointer. Since we did not try to free the cmdline,
we have a leak for any targets that do not simply return string
literals. Clean up this mess by forcing fuzz-targets to return
a GString, that we can free.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200714174616.20709-1-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agotests: qmp-cmd-test: fix memory leak
Li Qiang [Wed, 15 Jul 2020 15:41:17 +0000 (08:41 -0700)] 
tests: qmp-cmd-test: fix memory leak

Properly free each test response to avoid memory leak and separate
qtest_qmp() calls with spare lines, in a consistent manner.

Fixes: 5b88849e7b9("tests/qmp-cmd-test: Add qmp/object-add-failure-modes")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-Id: <20200715154117.15456-1-liq3ea@163.com>
Fixes: 9fc719b869 ("tests/qmp-cmd-test: Add qmp/object-add-duplicate-id")
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agoqtest: bios-tables-test: fix a memory leak
Li Qiang [Tue, 14 Jul 2020 15:35:36 +0000 (08:35 -0700)] 
qtest: bios-tables-test: fix a memory leak

Fixes: 5da7c35e25a("bios-tables-test: Add Q35/TPM-TIS test")
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-Id: <20200714153536.66060-1-liq3ea@163.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
7 months agotcg/cpu-exec: precise single-stepping after an exception
Luc Michel [Thu, 16 Jul 2020 19:39:47 +0000 (21:39 +0200)] 
tcg/cpu-exec: precise single-stepping after an exception

When single-stepping with a debugger attached to QEMU, and when an
exception is raised, the debugger misses the first instruction after the
exception:

$ qemu-system-aarch64 -M virt -display none -cpu cortex-a53 -s -S

$ aarch64-linux-gnu-gdb
GNU gdb (GDB) 9.2
[...]
(gdb) tar rem :1234
Remote debugging using :1234
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x0000000000000000 in ?? ()
(gdb) # writing nop insns to 0x200 and 0x204
(gdb) set *0x200 = 0xd503201f
(gdb) set *0x204 = 0xd503201f
(gdb) # 0x0 address contains 0 which is an invalid opcode.
(gdb) # The CPU should raise an exception and jump to 0x200
(gdb) si
0x0000000000000204 in ?? ()

With this commit, the same run steps correctly on the first instruction
of the exception vector:

(gdb) si
0x0000000000000200 in ?? ()

Buglink: https://bugs.launchpad.net/qemu/+bug/757702
Signed-off-by: Luc Michel <luc.michel@greensocs.com>
Message-Id: <20200716193947.3058389-1-luc.michel@greensocs.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
7 months agoMerge remote-tracking branch 'remotes/ehabkost/tags/x86-next-pull-request' into staging
Peter Maydell [Thu, 16 Jul 2020 20:46:18 +0000 (21:46 +0100)] 
Merge remote-tracking branch 'remotes/ehabkost/tags/x86-next-pull-request' into staging

x86 fixes for -rc1

Fixes for x86 that missed hard freeze:
* Don't trigger warnings for features set by
  CPU model versions (Xiaoyao Li)
* Missing features in Icelake-Server, Skylake-Server,
  Cascadelake-Server CPU models (Chenyi Qiang)
* Fix hvf x86_64 guest boot crash (Roman Bolshakov)

# gpg: Signature made Thu 16 Jul 2020 19:17:18 BST
# gpg:                using RSA key 5A322FD5ABC4D3DBACCFD1AA2807936F984DC5A6
# gpg:                issuer "ehabkost@redhat.com"
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" [full]
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost/tags/x86-next-pull-request:
  i386: hvf: Explicitly set CR4 guest/host mask
  target/i386: add the missing vmx features for Skylake-Server and Cascadelake-Server CPU models
  target/i386: fix model number and add missing features for Icelake-Server CPU model
  target/i386: add fast short REP MOV support
  i386/cpu: Don't add unavailable_features to env->user_features
  i368/cpu: Clear env->user_features after loading versioned CPU model

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agotcg: Save/restore vecop_list around minmax fallback
Richard Henderson [Tue, 9 Jun 2020 23:32:09 +0000 (16:32 -0700)] 
tcg: Save/restore vecop_list around minmax fallback

Forgetting this asserts when tcg_gen_cmp_vec is called from
within tcg_gen_cmpsel_vec.

Fixes: 72b4c792c7a
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
7 months agoi386: hvf: Explicitly set CR4 guest/host mask
Roman Bolshakov [Tue, 14 Jul 2020 09:07:27 +0000 (12:07 +0300)] 
i386: hvf: Explicitly set CR4 guest/host mask

Removal of register reset omitted initialization of CR4 guest/host mask.
x86_64 guests aren't booting without it.

Fixes: 5009ef22c6bb2 ("i386: hvf: Don't duplicate register reset")
Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
Message-Id: <20200714090726.41082-1-r.bolshakov@yadro.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/kraxel/tags/fixes-20200716-pull-request' into...
Peter Maydell [Thu, 16 Jul 2020 17:50:51 +0000 (18:50 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20200716-pull-request' into staging

fixes: usb storage regression, vfio display ramfb bug

# gpg: Signature made Thu 16 Jul 2020 10:30:58 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/fixes-20200716-pull-request:
  usb: fix storage regression
  vfio: fix use-after-free in display

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 months agohw/i2c: Document the I2C qdev helpers
Philippe Mathieu-Daudé [Sun, 5 Jul 2020 22:41:54 +0000 (00:41 +0200)] 
hw/i2c: Document the I2C qdev helpers

In commit d88c42ff2c we added new prototype but neglected to
add their documentation. Fix that.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200705224154.16917-6-f4bug@amsat.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agohw/i2c: Rename i2c_create_slave() as i2c_slave_create_simple()
Philippe Mathieu-Daudé [Sun, 5 Jul 2020 22:41:53 +0000 (00:41 +0200)] 
hw/i2c: Rename i2c_create_slave() as i2c_slave_create_simple()

We use "create_simple" names for functions that allocate, initialize,
configure and realize device objects: pci_create_simple(),
isa_create_simple(), usb_create_simple(). For consistency, rename
i2c_create_slave() as i2c_slave_create_simple(). Since we have
to update all the callers, also let it return a I2CSlave object.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200705224154.16917-5-f4bug@amsat.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agohw/i2c: Rename i2c_realize_and_unref() as i2c_slave_realize_and_unref()
Philippe Mathieu-Daudé [Sun, 5 Jul 2020 22:41:52 +0000 (00:41 +0200)] 
hw/i2c: Rename i2c_realize_and_unref() as i2c_slave_realize_and_unref()

The other i2c functions are called i2c_slave_FOO(). Rename as
i2c_slave_realize_and_unref() to be consistent.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200705224154.16917-4-f4bug@amsat.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agohw/i2c: Rename i2c_try_create_slave() as i2c_slave_new()
Philippe Mathieu-Daudé [Sun, 5 Jul 2020 22:41:51 +0000 (00:41 +0200)] 
hw/i2c: Rename i2c_try_create_slave() as i2c_slave_new()

We use "new" names for functions that allocate and initialize
device objects: pci_new(), isa_new(), usb_new().
Let's call this one i2c_slave_new(). Since we have to update
all the callers, also let it return a I2CSlave object.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200705224154.16917-3-f4bug@amsat.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agohw/i2c/aspeed_i2c: Simplify aspeed_i2c_get_bus()
Philippe Mathieu-Daudé [Sun, 5 Jul 2020 22:41:50 +0000 (00:41 +0200)] 
hw/i2c/aspeed_i2c: Simplify aspeed_i2c_get_bus()

All the callers of aspeed_i2c_get_bus() have a AspeedI2CState and
cast it to a DeviceState with DEVICE(), then aspeed_i2c_get_bus()
cast the DeviceState to an AspeedI2CState with ASPEED_I2C()...

Simplify aspeed_i2c_get_bus() callers by using AspeedI2CState
argument.

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200705224154.16917-2-f4bug@amsat.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agohw/i2c/Kconfig: Add an entry for the SMBus
Philippe Mathieu-Daudé [Tue, 31 Dec 2019 18:32:07 +0000 (19:32 +0100)] 
hw/i2c/Kconfig: Add an entry for the SMBus

The System Management Bus is more or less a derivative of the I2C
bus, thus the Kconfig entry depends of I2C.
Not all boards providing an I2C bus support SMBus.
Use two different Kconfig entries to be able to select I2C without
selecting SMBus.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20191231183216.6781-6-philmd@redhat.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
7 months agotarget/i386: add the missing vmx features for Skylake-Server and Cascadelake-Server...
Chenyi Qiang [Tue, 14 Jul 2020 08:41:48 +0000 (16:41 +0800)] 
target/i386: add the missing vmx features for Skylake-Server and Cascadelake-Server CPU models

Add the missing vmx features in Skylake-Server and Cascadelake-Server
CPU models based on the output of Paolo's script.

Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Message-Id: <20200714084148.26690-4-chenyi.qiang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agotarget/i386: fix model number and add missing features for Icelake-Server CPU model
Chenyi Qiang [Tue, 14 Jul 2020 08:41:47 +0000 (16:41 +0800)] 
target/i386: fix model number and add missing features for Icelake-Server CPU model

Add the missing features(sha_ni, avx512ifma, rdpid, fsrm,
vmx-rdseed-exit, vmx-pml, vmx-eptp-switching) and change the model
number to 106 in the Icelake-Server-v4 CPU model.

Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Message-Id: <20200714084148.26690-3-chenyi.qiang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agotarget/i386: add fast short REP MOV support
Chenyi Qiang [Tue, 14 Jul 2020 08:41:46 +0000 (16:41 +0800)] 
target/i386: add fast short REP MOV support

For CPUs support fast short REP MOV[CPUID.(EAX=7,ECX=0):EDX(bit4)], e.g
Icelake and Tigerlake, expose it to the guest VM.

Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Message-Id: <20200714084148.26690-2-chenyi.qiang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agoi386/cpu: Don't add unavailable_features to env->user_features
Xiaoyao Li [Mon, 13 Jul 2020 17:44:36 +0000 (01:44 +0800)] 
i386/cpu: Don't add unavailable_features to env->user_features

Features unavailable due to absent of their dependent features should
not be added to env->user_features. env->user_features only contains the
feature explicity specified with -feature/+feature by user.

Fixes: 99e24dbdaa68 ("target/i386: introduce generic feature dependency mechanism")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-Id: <20200713174436.41070-3-xiaoyao.li@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agoi368/cpu: Clear env->user_features after loading versioned CPU model
Xiaoyao Li [Mon, 13 Jul 2020 17:44:35 +0000 (01:44 +0800)] 
i368/cpu: Clear env->user_features after loading versioned CPU model

Features defined in versioned CPU model are recorded in env->user_features
since they are updated as property. It's unwated because they are not
user specified.

Simply clear env->user_features as a fix. It won't clear user specified
features because user specified features are filled to
env->user_features later in x86_cpu_expand_features().

Cc: Chenyi Qiang <chenyi.qiang@intel.com>
Suggested-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-Id: <20200713174436.41070-2-xiaoyao.li@intel.com>
[ehabkost: fix coding style]
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
7 months agoMerge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2020-07-15-1' into...
Peter Maydell [Thu, 16 Jul 2020 13:46:47 +0000 (14:46 +0100)] 
Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2020-07-15-1' into staging

Merge tpm 2020/07/15 v1

# gpg: Signature made Wed 15 Jul 2020 20:16:21 BST
# gpg:                using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE  C66B 75AD 6580 2A0B 4211

* remotes/stefanberger/tags/pull-tpm-2020-07-15-1:
  tests: tpm: Skip over pcrUpdateCounter byte in result comparison
  tpm: tpm_spapr: Exit on TPM backend failures

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>