qemu.git
2 years agoMerge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2019-08-21' into staging
Peter Maydell [Thu, 22 Aug 2019 09:31:21 +0000 (10:31 +0100)] 
Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2019-08-21' into staging

Monitor patches for 2019-08-21

# gpg: Signature made Wed 21 Aug 2019 16:35:07 BST
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-monitor-2019-08-21:
  monitor/qmp: Update comment for commit 4eaca8de268
  qdev: Collect HMP handlers command handlers in qdev-monitor.c
  qapi: Move query-target from misc.json to machine.json
  hw/core: Move cpu.c, cpu.h from qom/ to hw/core/

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 years agoMerge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into...
Peter Maydell [Wed, 21 Aug 2019 15:59:22 +0000 (16:59 +0100)] 
Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging

Various trivial fixes

# gpg: Signature made Wed 21 Aug 2019 12:19:11 BST
# gpg:                using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C
# gpg:                issuer "laurent@vivier.eu"
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full]
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>" [full]
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full]
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier2/tags/trivial-branch-pull-request:
  hw/display: Compile various display devices as common object
  hw/display/sm501: Remove unused include
  spapr_events: Rewrite a fall through comment
  vl: Rewrite a fall through comment
  target/ppc: Rewrite a fall through comment
  hw/ipmi: Rewrite a fall through comment
  hw/dma/omap_dma: Move switch 'fall through' comment to correct place
  json: Move switch 'fall through' comment to correct place
  hw/net/e1000: Fix erroneous comment
  .gitignore: ignore some vhost-user* related files
  configure: fix sdl detection using sdl2-config
  configure: remove obsoleted $sparc_cpu variable
  misc: fix naming scheme of compatiblity arrays
  test: Use g_strndup instead of plain strndup

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 years agomonitor/qmp: Update comment for commit 4eaca8de268
Markus Armbruster [Fri, 16 Aug 2019 19:33:05 +0000 (21:33 +0200)] 
monitor/qmp: Update comment for commit 4eaca8de268

Commit 4eaca8de268 dropped monitor_qmp_respond()'s parameter @id
without updating its function comment.  Fix that.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190816193305.12090-1-armbru@redhat.com>

2 years agoMerge remote-tracking branch 'remotes/kraxel/tags/audio-20190821-pull-request' into...
Peter Maydell [Wed, 21 Aug 2019 14:18:50 +0000 (15:18 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190821-pull-request' into staging

audio: second batch of -audiodev support, adding support for multiple backends.

# gpg: Signature made Wed 21 Aug 2019 09:40:37 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/audio-20190821-pull-request:
  audio: fix memory leak reported by ASAN
  audio: use size_t where makes sense
  audio: remove read and write pcm_ops
  paaudio: fix playback glitches
  audio: do not run each backend in audio_run
  audio: remove audio_MIN, audio_MAX
  paaudio: properly disconnect streams in fini_*
  paaudio: do not move stream when sink/source name is specified
  audio: audiodev= parameters no longer optional when -audiodev present
  paaudio: prepare for multiple audiodev
  audio: add audiodev properties to frontends
  audio: add audiodev property to vnc and wav_capture
  audio: basic support for multi backend audio
  audio: reduce glob_audio_state usage
  audio: Add missing fall through comments

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 years agoMerge remote-tracking branch 'remotes/dgibson/tags/ppc-for-4.2-20190821' into staging
Peter Maydell [Wed, 21 Aug 2019 13:04:16 +0000 (14:04 +0100)] 
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-4.2-20190821' into staging

ppc patch queue for 2019-08-21

First ppc and spapr pull request for qemu-4.2.  Includes:
   * Some TCG emulation fixes and performance improvements
   * Support for the mffsl instruction in TCG
   * Added missing DPDES SPR
   * Some enhancements to the emulation of the XIVE interrupt
     controller
   * Cleanups to spapr MSI management
   * Some new suspend/resume infrastructure and a draft suspend
     implementation for spapr
   * New spapr hypercall for TPM communication (will be needed for
     secure guests under an Ultravisor)
   * Fix several memory leaks

And a few other assorted fixes.

# gpg: Signature made Wed 21 Aug 2019 08:24:44 BST
# gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-4.2-20190821: (42 commits)
  ppc: Fix emulated single to double denormalized conversions
  ppc: Fix emulated INFINITY and NAN conversions
  ppc: conform to processor User's Manual for xscvdpspn
  ppc: Add support for 'mffsl' instruction
  target/ppc: Add Directed Privileged Door-bell Exception State (DPDES) SPR
  spapr/xive: Mask the EAS when allocating an IRQ
  spapr: Implement better workaround in spapr-vty device
  spapr/irq: Drop spapr_irq_msi_reset()
  spapr/pci: Free MSIs during reset
  spapr/pci: Consolidate de-allocation of MSIs
  ppc: remove idle_timer logic
  spapr: Implement ibm,suspend-me
  i386: use machine class ->wakeup method
  machine: Add wakeup method to MachineClass
  ppc/xive: Improve 'info pic' support
  ppc/xive: Provide silent escalation support
  ppc/xive: Provide unconditional escalation support
  ppc/xive: Provide escalation support
  ppc/xive: Provide backlog support
  ppc/xive: Implement TM_PULL_OS_CTX special command
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 years agoqdev: Collect HMP handlers command handlers in qdev-monitor.c
Markus Armbruster [Tue, 9 Jul 2019 18:59:36 +0000 (20:59 +0200)] 
qdev: Collect HMP handlers command handlers in qdev-monitor.c

Move hmp_device_add(), hmp_device_del() from monitor/hmp-cmds.c to
qdev-monitor.c, where they are covered by MAINTAINERS section "QOM",
just like qapi/qdev.json.  hmp_info_qtree() and hmp_info_qdm() are
already there.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190709185936.31335-1-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2 years agoqapi: Move query-target from misc.json to machine.json
Markus Armbruster [Tue, 9 Jul 2019 15:20:53 +0000 (17:20 +0200)] 
qapi: Move query-target from misc.json to machine.json

Move query-target and its return type TargetInfo from misc.json to
machine.json, where they are covered by MAINTAINERS section "Machine
core".  Also move its implementation from arch_init.c to
hw/core/machine-qmp-cmds, where it is likewise covered.

All users of SysEmuTarget are now in machine.json.  Move it there from
common.json.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190709152053.16670-3-armbru@redhat.com>

2 years agohw/core: Move cpu.c, cpu.h from qom/ to hw/core/
Markus Armbruster [Tue, 9 Jul 2019 15:20:52 +0000 (17:20 +0200)] 
hw/core: Move cpu.c, cpu.h from qom/ to hw/core/

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190709152053.16670-2-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
[Rebased onto merge commit 95a9457fd44; missed instances of qom/cpu.h
in comments replaced]

2 years agohw/display: Compile various display devices as common object
Philippe Mathieu-Daudé [Mon, 12 Aug 2019 11:37:38 +0000 (13:37 +0200)] 
hw/display: Compile various display devices as common object

Various display devices are not target-specific and can
be compiled once for all the targets.
After this commit, the 'make world' target is reduced by
54 objects

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20190812113739.16587-3-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agohw/display/sm501: Remove unused include
Philippe Mathieu-Daudé [Mon, 12 Aug 2019 11:37:37 +0000 (13:37 +0200)] 
hw/display/sm501: Remove unused include

The "cpu.h" include makes devices target-specific. Since it
is not used, remove it, so the device become generic (we can
now compile it once for all targets).

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190812113739.16587-2-philmd@redhat.com>
[lv: fix conflict with 650d103d3ea9
     ("Include hw/hw.h exactly where needed")]
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agospapr_events: Rewrite a fall through comment
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:25 +0000 (15:14 +0200)] 
spapr_events: Rewrite a fall through comment

GCC9 is confused by this comment when building with CFLAG
-Wimplicit-fallthrough=2:

    CC      ppc64-softmmu/hw/ppc/spapr_rtc.o
  hw/ppc/spapr_events.c: In function ‘rtas_event_log_to_source’:
  hw/ppc/spapr_events.c:312:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
    312 |         if (spapr_ovec_test(spapr->ov5_cas, OV5_HP_EVT)) {
        |            ^
  hw/ppc/spapr_events.c:317:5: note: here
    317 |     case RTAS_LOG_TYPE_EPOW:
        |     ^~~~
  cc1: all warnings being treated as errors

Rewrite the comment using 'fall through' which is recognized by
GCC and static analyzers.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20190719131425.10835-8-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agovl: Rewrite a fall through comment
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:24 +0000 (15:14 +0200)] 
vl: Rewrite a fall through comment

GCC9 is confused by this comment when building with CFLAG
-Wimplicit-fallthrough=2:

  vl.c: In function ‘qemu_ref_timedate’:
  vl.c:773:15: error: this statement may fall through [-Werror=implicit-fallthrough=]
    773 |         value -= rtc_realtime_clock_offset;
        |         ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  vl.c:775:5: note: here
    775 |     case QEMU_CLOCK_VIRTUAL:
        |     ^~~~
  cc1: all warnings being treated as errors

Rewrite the comment using 'fall through' which is recognized by
GCC and static analyzers.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20190719131425.10835-7-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agotarget/ppc: Rewrite a fall through comment
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:23 +0000 (15:14 +0200)] 
target/ppc: Rewrite a fall through comment

GCC9 is confused by this comment when building with CFLAG
-Wimplicit-fallthrough=2:

  target/ppc/mmu_helper.c: In function ‘dump_mmu’:
  target/ppc/mmu_helper.c:1349:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
   1349 |         if (ppc64_v3_radix(env_archcpu(env))) {
        |            ^
  target/ppc/mmu_helper.c:1356:5: note: here
   1356 |     default:
        |     ^~~~~~~
  cc1: all warnings being treated as errors

Rewrite the comment using 'fall through' which is recognized by
GCC and static analyzers.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20190719131425.10835-6-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agohw/ipmi: Rewrite a fall through comment
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:22 +0000 (15:14 +0200)] 
hw/ipmi: Rewrite a fall through comment

GCC9 is confused by this comment when building with CFLAG
-Wimplicit-fallthrough=2:

  hw/ipmi/ipmi_bmc_extern.c: In function ‘addchar’:
  hw/ipmi/ipmi_bmc_extern.c:178:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
    178 |         ch |= 0x10;
        |         ~~~^~~~~~~
  hw/ipmi/ipmi_bmc_extern.c:181:5: note: here
    181 |     default:
        |     ^~~~~~~
  cc1: all warnings being treated as errors
  make: *** [rules.mak:69: hw/ipmi/ipmi_bmc_extern.o] Error 1

Rewrite the comment using 'fall through' which is recognized by
GCC and static analyzers.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Corey Minyard <cminyard@mvista.com>
Message-Id: <20190719131425.10835-5-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agohw/dma/omap_dma: Move switch 'fall through' comment to correct place
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:20 +0000 (15:14 +0200)] 
hw/dma/omap_dma: Move switch 'fall through' comment to correct place

Reported by GCC9 when building with CFLAG -Wimplicit-fallthrough=2:

    CC      hw/dma/omap_dma.o
  hw/dma/omap_dma.c: In function ‘omap_dma_write’:
  hw/dma/omap_dma.c:1532:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
   1532 |         if (s->model <= omap_dma_3_1)
        |            ^
  hw/dma/omap_dma.c:1534:5: note: here
   1534 |     case 0x400:
        |     ^~~~
  cc1: all warnings being treated as errors

Correctly place the 'fall through' comment.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20190719131425.10835-3-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agojson: Move switch 'fall through' comment to correct place
Philippe Mathieu-Daudé [Fri, 19 Jul 2019 13:14:19 +0000 (15:14 +0200)] 
json: Move switch 'fall through' comment to correct place

Reported by GCC9 when building with CFLAG -Wimplicit-fallthrough=2:

  qobject/json-parser.c: In function ‘parse_literal’:
  qobject/json-parser.c:492:24: error: this statement may fall through [-Werror=implicit-fallthrough=]
    492 |     case JSON_INTEGER: {
        |                        ^
  qobject/json-parser.c:524:5: note: here
    524 |     case JSON_FLOAT:
        |     ^~~~

Correctly place the 'fall through' comment.

Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20190719131425.10835-2-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agohw/net/e1000: Fix erroneous comment
Philippe Mathieu-Daudé [Mon, 15 Jul 2019 10:22:10 +0000 (12:22 +0200)] 
hw/net/e1000: Fix erroneous comment

Missed during the QOM convertion in 9af21dbee14.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190715102210.31365-1-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago.gitignore: ignore some vhost-user* related files
Michal Privoznik [Fri, 12 Jul 2019 14:41:47 +0000 (16:41 +0200)] 
.gitignore: ignore some vhost-user* related files

Commit d52c454aadc creates
'/contrib/vhost-user-gpu/50-qemu-gpu.json' and '/vhost-user-gpu'
and commit 06914c97d3a creates '/vhost-user-input' neither of
which is ignored by git.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <db150a03315a89a849ab9968e4a5a26110d41424.1562942402.git.mprivozn@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agoconfigure: fix sdl detection using sdl2-config
Carlo Marcelo Arenas Belón [Wed, 10 Jul 2019 22:55:28 +0000 (15:55 -0700)] 
configure: fix sdl detection using sdl2-config

If SDL2 is requested but pkg-config doesn't have a module for it
configure should fallback to use sdl*-config, but wasn't able to
because and old variable (from SDL) was being used by mistake.

Correct the variable name and complete other related changes so
there are no more references to the old SDL.

Fixes: 0015ca5cbabe ("ui: remove support for SDL1.2 in favour of SDL2")
Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190710225528.409-1-carenas@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agoconfigure: remove obsoleted $sparc_cpu variable
Carlo Marcelo Arenas Belón [Tue, 9 Jul 2019 23:43:30 +0000 (16:43 -0700)] 
configure: remove obsoleted $sparc_cpu variable

9b9c37c364 ("tcg-sparc: Assume v9 cpu always, i.e. force v8plus in
32-bit mode.", 2012-09-21) removed the need for this variable and
most of the references to it, but this one.

Remove defunct code, no effect or functionality change expected.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190709234330.89699-1-carenas@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agomisc: fix naming scheme of compatiblity arrays
Marc-André Lureau [Mon, 8 Jul 2019 20:49:09 +0000 (00:49 +0400)] 
misc: fix naming scheme of compatiblity arrays

Since merge 31ed41889e6e13699871040fe089a2884dca46cb ("Merge
remote-tracking branch
'remotes/elmarco/tags/machine-props-pull-request' into staging"), the
compat arrays are in lowercase.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190708204909.10891-1-marcandre.lureau@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agotest: Use g_strndup instead of plain strndup
tony.nguyen@bt.com [Sat, 8 Jun 2019 05:25:52 +0000 (05:25 +0000)] 
test: Use g_strndup instead of plain strndup

Due to memory management rules. See HACKING.

Signed-off-by: Tony Nguyen <tony.nguyen@bt.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <dce313b46d294ada8826d34609a3447e@tpw09926dag18e.domain1.systemhost.net>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years agoMerge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Peter Maydell [Wed, 21 Aug 2019 08:00:49 +0000 (09:00 +0100)] 
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* New KVM PV features (Marcelo, Wanpeng)
* valgrind fixes (Andrey)
* Remove clock reset notifiers (David)
* KConfig and Makefile cleanups (Paolo)
* Replay and icount improvements (Pavel)
* x86 FP fixes (Peter M.)
* TCG locking assertions (Roman)
* x86 support for mmap-ed -kernel/-initrd (Stefano)
* Other cleanups (Wei Yang, Yan Zhao, Tony)
* LSI fix for infinite loop (Prasad)
* ARM migration fix (Catherine)
* AVX512_BF16 feature (Jing)

# gpg: Signature made Tue 20 Aug 2019 19:00:54 BST
# gpg:                using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (33 commits)
  x86: Intel AVX512_BF16 feature enabling
  scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
  test-bitmap: test set 1 bit case for bitmap_set
  migration: do not rom_reset() during incoming migration
  HACKING: Document 'struct' keyword usage
  kvm: vmxcap: Enhance with latest features
  cpus-common: nuke finish_safe_work
  icount: remove unnecessary gen_io_end calls
  icount: clean up cpu_can_io at the entry to the block
  replay: rename step-related variables and functions
  replay: refine replay-time module
  replay: fix replay shutdown
  util/qemu-timer: refactor deadline calculation for external timers
  replay: document development rules
  replay: add missing fix for internal function
  timer: last, remove last bits of last
  replay: Remove host_clock_last
  timer: Remove reset notifiers
  mc146818rtc: Remove reset notifiers
  memory: fix race between TCG and accesses to dirty bitmap
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 years agoppc: Fix emulated single to double denormalized conversions
Paul A. Clarke [Mon, 19 Aug 2019 21:42:16 +0000 (16:42 -0500)] 
ppc: Fix emulated single to double denormalized conversions

helper_todouble() was not properly converting any denormalized 32 bit
float to 64 bit double.

Fix-suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paul A. Clarke <pc@us.ibm.com>
v2:
- Splitting patch "ppc: Three floating point fixes"; this is just one part.
- Original suggested "fix" was likely flawed.  v2 is rewritten by
  Richard Henderson (Thanks, Richard!); I reformatted the comments in a
  couple of places, compiled, and tested.
Message-Id: <1566250936-14538-1-git-send-email-pc@us.ibm.com>

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: Fix emulated INFINITY and NAN conversions
Paul A. Clarke [Mon, 19 Aug 2019 19:19:48 +0000 (14:19 -0500)] 
ppc: Fix emulated INFINITY and NAN conversions

helper_todouble() was not properly converting INFINITY from 32 bit
float to 64 bit double.

(Normalized operand conversion is unchanged, other than indentation.)

Signed-off-by: Paul A. Clarke <pc@us.ibm.com>
Message-Id: <1566242388-9244-1-git-send-email-pc@us.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: conform to processor User's Manual for xscvdpspn
Paul A. Clarke [Mon, 19 Aug 2019 17:43:21 +0000 (12:43 -0500)] 
ppc: conform to processor User's Manual for xscvdpspn

The POWER8 and POWER9 User's Manuals specify the implementation
behavior for what the ISA leaves "undefined" behavior for the
xscvdpspn and xscvdpsp instructions.  This patch corrects the QEMU
implementation to match the hardware implementation for that case.

ISA 3.0B has xscvdpspn leaving its result in word 0 of the target register,
with the other words of the target register left "undefined".

The User's Manuals specify:
  VSX scalar convert from double-precision to single-precision (xscvdpsp,
  xscvdpspn).
  VSR[32:63] is set to VSR[0:31].
So, words 0 and 1 both contain the result.

Note: this is important because GCC as of version 8 or so, assumes and takes
advantage of this behavior to optimize the following sequence:
  xscvdpspn vs0,vs1
  mffprwz   r8,f0
ISA 3.0B has xscvdpspn leaving its result in word 0 of the target register,
and mffprwz expecting its input to come from word 1 of the source register.
This sequence fails with QEMU, as a shift is required between those two
instructions.  However, since the hardware splats the result to both words 0
and 1 of its output register, the shift is not necessary.

Expect a future revision of the ISA to specify this behavior.

Signed-off-by: Paul A. Clarke <pc@us.ibm.com>
v2
- Splitting patch "ppc: Three floating point fixes"; this is just one part.
- Updated commit message to clarify behavior is documented in User's Manuals.
- Updated commit message to correct which words are in output and source of
  xscvdpspn and mffprz.
- No source changes to this part of the original patch.

Message-Id: <1566236601-22954-1-git-send-email-pc@us.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: Add support for 'mffsl' instruction
Paul A. Clarke [Fri, 16 Aug 2019 19:03:23 +0000 (14:03 -0500)] 
ppc: Add support for 'mffsl' instruction

ISA 3.0B added a set of Floating-Point Status and Control Register (FPSCR)
instructions: mffsce, mffscdrn, mffscdrni, mffscrn, mffscrni, mffsl.
This patch adds support for 'mffsl'.

'mffsl' is identical to 'mffs', except it only returns mode, status, and enable
bits from the FPSCR.

On CPUs without support for 'mffsl' (below ISA 3.0), the 'mffsl' instruction
will execute identically to 'mffs'.

Note: I renamed FPSCR_RN to FPSCR_RN0 so I could create an FPSCR_RN mask which
is both bits of the FPSCR rounding mode, as defined in the ISA.

I also fixed a typo in the definition of FPSCR_FR.

Signed-off-by: Paul A. Clarke <pc@us.ibm.com>
v4:
- nit: added some braces to resolve a checkpatch complaint.

v3:
- Changed tcg_gen_and_i64 to tcg_gen_andi_i64, eliminating the need for a
  temporary, per review from Richard Henderson.

v2:
- I found that I copied too much of the 'mffs' implementation.
  The 'Rc' condition code bits are not needed for 'mffsl'.  Removed.
- I now free the (renamed) 'tmask' temporary.
- I now bail early for older ISA to the original 'mffs' implementation.

Message-Id: <1565982203-11048-1-git-send-email-pc@us.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Add Directed Privileged Door-bell Exception State (DPDES) SPR
Alexey Kardashevskiy [Fri, 16 Aug 2019 06:17:33 +0000 (16:17 +1000)] 
target/ppc: Add Directed Privileged Door-bell Exception State (DPDES) SPR

DPDES stores a status of a doorbell message and if it is lost in
migration, the destination CPU won't receive it. This does not hit us
much as IPIs complete too quick to catch a pending one and even if
we missed one, broadcasts happen often enough to wake that CPU.

This defines DPDES and registers with KVM for migration.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-Id: <20190816061733.53572-1-aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr/xive: Mask the EAS when allocating an IRQ
Cédric Le Goater [Tue, 13 Aug 2019 16:44:20 +0000 (18:44 +0200)] 
spapr/xive: Mask the EAS when allocating an IRQ

If an IRQ is allocated and not configured, such as a MSI requested by
a PCI driver, it can be saved in its default state and possibly later
on restored using the same state. If not initially MASKED, KVM will
try to find a matching priority/target tuple for the interrupt and
fail to restore the VM because 0/0 is not a valid target.

When allocating a IRQ number, the EAS should be set to a sane default :
VALID and MASKED.

Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190813164420.9829-1-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement better workaround in spapr-vty device
Paul Mackerras [Wed, 31 Jul 2019 04:36:54 +0000 (14:36 +1000)] 
spapr: Implement better workaround in spapr-vty device

Linux guest kernels have code which scans the string of characters
returned from the H_GET_TERM_CHAR hypercall and removes any \0
character which comes immediately after a \r character.  This is to
work around a bug which was present in some ancient versions of
PowerVM.  In order to avoid the corruption of the console byte stream
that this introduced, commit 6c3bc244d3cb ("spapr: Implement bug in
spapr-vty device to be compatible with PowerVM") added a workaround
which adds a \0 character after every \r character.  Unfortunately,
this corrupts the console byte stream for those operating systems,
such as AIX, which don't remove the null bytes.

We can avoid triggering the Linux kernel workaround if we avoid
returning a buffer which contains a \0 after a \r.  We can do that by
breaking out of the loop in vty_getchars() if we are about to insert a
\0 and the previous character in the buffer is a \r.  That means we
return the characters up to the \r for the current H_GET_TERM_CHAR,
and the characters starting with the \0 for the next one.

With this workaround, we don't insert any spurious characters and we
avoid triggering the Linux kernel workaround, so the guest will
receive an uncorrupted stream whether or not they have the workaround.

Fixes: 6c3bc244d3cb ("spapr: Implement bug in spapr-vty device to be compatible with PowerVM")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Message-Id: <20190731043653.shdi5sizjp4t65op@oak.ozlabs.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr/irq: Drop spapr_irq_msi_reset()
Greg Kurz [Fri, 26 Jul 2019 14:44:49 +0000 (16:44 +0200)] 
spapr/irq: Drop spapr_irq_msi_reset()

PHBs already take care of clearing the MSIs from the bitmap during reset
or unplug. No need to do this globally from the machine code. Rather add
an assert to ensure that PHBs have acted as expected.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <156415228966.1064338.190189424190233355.stgit@bahia.lan>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
[dwg: Fix crash in qtest case where spapr->irq_map can be NULL at the
 new assert()]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr/pci: Free MSIs during reset
Greg Kurz [Fri, 26 Jul 2019 14:44:44 +0000 (16:44 +0200)] 
spapr/pci: Free MSIs during reset

When the machine is reset, the MSI bitmap is cleared but the allocated
MSIs are not freed. Some operating systems, such as AIX, can detect the
previous configuration and assert.

Empty the MSI cache, this performs the needed cleanup.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <156415228410.1064338.4486161194061636096.stgit@bahia.lan>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr/pci: Consolidate de-allocation of MSIs
Greg Kurz [Fri, 26 Jul 2019 14:44:38 +0000 (16:44 +0200)] 
spapr/pci: Consolidate de-allocation of MSIs

When freeing MSIs, we need to:
- remove them from the machine's MSI bitmap
- remove them from the IC backend
- remove them from the PHB's MSI cache

This is currently open coded in two places in rtas_ibm_change_msi(),
and we're about to need this in spapr_phb_reset() as well. Instead of
duplicating this code again, make it a destroy function for the PHB's
MSI cache. Removing an MSI device from the cache will call the destroy
function internally.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <156415227855.1064338.5657793835271464648.stgit@bahia.lan>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: remove idle_timer logic
Shivaprasad G Bhat [Thu, 25 Jul 2019 14:15:08 +0000 (09:15 -0500)] 
ppc: remove idle_timer logic

The logic is broken for multiple vcpu guests, also causing memory leak.
The logic is in place to handle kvm not having KVM_CAP_PPC_IRQ_LEVEL,
which is part of the kernel now since 2.6.37. Instead of fixing the
leak, drop the redundant logic which is not excercised on new kernels
anymore. Exit with error on older kernels.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-Id: <156406409479.19996.7606556689856621111.stgit@lep8c.aus.stglabs.ibm.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement ibm,suspend-me
Nicholas Piggin [Mon, 22 Jul 2019 06:17:52 +0000 (16:17 +1000)] 
spapr: Implement ibm,suspend-me

This has been useful to modify and test the Linux pseries suspend
code but it requires modification to the guest to call it (due to
being gated by other unimplemented features). It is not otherwise
used by Linux yet, but work is slowly progressing there.

This allows a (lightly modified) guest kernel to suspend with
`echo mem > /sys/power/state` and be resumed with system_wakeup
monitor command.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190722061752.22114-2-npiggin@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoi386: use machine class ->wakeup method
Nicholas Piggin [Mon, 22 Jul 2019 06:17:51 +0000 (16:17 +1000)] 
i386: use machine class ->wakeup method

Move the i386 suspend_wakeup logic out of the fallback path, and into
the new ->wakeup method.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190722061752.22114-1-npiggin@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agomachine: Add wakeup method to MachineClass
Nicholas Piggin [Mon, 22 Jul 2019 05:32:13 +0000 (15:32 +1000)] 
machine: Add wakeup method to MachineClass

Waking from suspend is not logically a machine reset on all machines,
particularly in the paravirtualized case rather than hardware
emulated. The ppc spapr machine for example just invokes hypervisor
to suspend, and expects that call to return with the machine in the
same state (modulo some possible migration and reconfiguration
details).

Implement a machine ->wakeup method and use that if it exists.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190722053215.20808-2-npiggin@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Improve 'info pic' support
Cédric Le Goater [Thu, 18 Jul 2019 11:54:11 +0000 (13:54 +0200)] 
ppc/xive: Improve 'info pic' support

Provide a better output of the XIVE END structures including the
escalation information and extend the PowerNV machine 'info pic'
command with a dump of the END EAS table used for escalations.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-9-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Provide silent escalation support
Cédric Le Goater [Thu, 18 Jul 2019 11:54:10 +0000 (13:54 +0200)] 
ppc/xive: Provide silent escalation support

When the 's' bit is set the escalation is said to be 'silent' or
'silent/gather'. In such configuration, the notification sequence is
skipped and only the escalation sequence is performed. This is used to
configure all the EQs of a vCPU to escalate on a single EQ which will
then target the hypervisor.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-8-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Provide unconditional escalation support
Cédric Le Goater [Thu, 18 Jul 2019 11:54:09 +0000 (13:54 +0200)] 
ppc/xive: Provide unconditional escalation support

When the 'u' bit is set the escalation is said to be 'unconditional'
which means that the ESe PQ bits are not used. Introduce a
xive_router_end_es_notify() routine to share code with the ESn
notification.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-7-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Provide escalation support
Cédric Le Goater [Thu, 18 Jul 2019 11:54:08 +0000 (13:54 +0200)] 
ppc/xive: Provide escalation support

If the XIVE presenter can not find the NVT dispatched on any of the HW
threads, it can not deliver the interrupt. XIVE offers an escalation
mechanism to handle such scenarios and inform the hypervisor that an
action should be taken.

Escalation is configured by setting the 'e' bit and the EAS in word 4
& 5 to let the HW look for the escalation END on which to trigger a
new event.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-6-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Provide backlog support
Cédric Le Goater [Thu, 18 Jul 2019 11:54:07 +0000 (13:54 +0200)] 
ppc/xive: Provide backlog support

If backlog is activated ('b' bit) on the END, the pending priority of
a missed event is recorded in the IPB field of the NVT for a later
resend.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-5-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: Implement TM_PULL_OS_CTX special command
Cédric Le Goater [Thu, 18 Jul 2019 11:54:06 +0000 (13:54 +0200)] 
ppc/xive: Implement TM_PULL_OS_CTX special command

When a vCPU is not dispatched anymore on a HW thread, the Hypervisor
(KVM on Linux) invalidates the OS interrupt context of a vCPU with
this special command. It returns the OS CAM line value and resets the
VO bit.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-4-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc/xive: use an abstract type for XiveNotifier
Cédric Le Goater [Thu, 18 Jul 2019 11:54:04 +0000 (13:54 +0200)] 
ppc/xive: use an abstract type for XiveNotifier

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20190718115420.19919-2-clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agopseries: Update SLOF firmware image
Alexey Kardashevskiy [Fri, 19 Jul 2019 01:47:59 +0000 (11:47 +1000)] 
pseries: Update SLOF firmware image

The only change that SLOF does not rely on QEMU providing an RTAS blob
and provides one itself:
https://git.qemu.org/?p=SLOF.git;a=commitdiff;h=5e4ed1fd0f39e

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: initial implementation for H_TPM_COMM/spapr-tpm-proxy
Michael Roth [Wed, 17 Jul 2019 20:58:42 +0000 (15:58 -0500)] 
spapr: initial implementation for H_TPM_COMM/spapr-tpm-proxy

This implements the H_TPM_COMM hypercall, which is used by an
Ultravisor to pass TPM commands directly to the host's TPM device, or
a TPM Resource Manager associated with the device.

This also introduces a new virtual device, spapr-tpm-proxy, which
is used to configure the host TPM path to be used to service
requests sent by H_TPM_COMM hcalls, for example:

  -device spapr-tpm-proxy,id=tpmp0,host-path=/dev/tpmrm0

By default, no spapr-tpm-proxy will be created, and hcalls will return
H_FUNCTION.

The full specification for this hypercall can be found in
docs/specs/ppc-spapr-uv-hcalls.txt

Since SVM-related hcalls like H_TPM_COMM use a reserved range of
0xEF00-0xEF80, we introduce a separate hcall table here to handle
them.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com
Message-Id: <20190717205842.17827-3-mdroth@linux.vnet.ibm.com>
[dwg: Corrected #include for upstream change]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agodocs/specs: initial spec summary for Ultravisor-related hcalls
Michael Roth [Wed, 17 Jul 2019 20:58:41 +0000 (15:58 -0500)] 
docs/specs: initial spec summary for Ultravisor-related hcalls

For now this only covers hcalls relating to TPM communication since
it's the only one particularly important from a QEMU perspective atm,
but others can be added here where it makes sense.

The full specification for all hcalls/ucalls will eventually be made
available in the public/OpenPower version of the PAPR specification.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Message-Id: <20190717205842.17827-2-mdroth@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement H_JOIN
Nicholas Piggin [Thu, 18 Jul 2019 03:42:14 +0000 (13:42 +1000)] 
spapr: Implement H_JOIN

This has been useful to modify and test the Linux pseries suspend
code but it requires modification to the guest to call it (due to
being gated by other unimplemented features). It is not otherwise
used by Linux yet, but work is slowly progressing there.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190718034214.14948-5-npiggin@gmail.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement H_CONFER
Nicholas Piggin [Thu, 18 Jul 2019 03:42:13 +0000 (13:42 +1000)] 
spapr: Implement H_CONFER

This does not do directed yielding and is not quite as strict as PAPR
specifies in terms of precise dispatch behaviour. This generally will
mean suboptimal performance, rather than guest misbehaviour. Linux
does not rely on exact dispatch behaviour.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190718034214.14948-4-npiggin@gmail.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement H_PROD
Nicholas Piggin [Thu, 18 Jul 2019 03:42:12 +0000 (13:42 +1000)] 
spapr: Implement H_PROD

H_PROD is added, and H_CEDE is modified to test the prod bit
according to PAPR.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190718034214.14948-3-npiggin@gmail.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: Implement dispatch tracking for tcg
Nicholas Piggin [Thu, 18 Jul 2019 03:42:11 +0000 (13:42 +1000)] 
spapr: Implement dispatch tracking for tcg

Implement cpu_exec_enter/exit on ppc which calls into new methods of
the same name in PPCVirtualHypervisorClass. These are used by spapr
to implement the splpar VPA dispatch counter initially.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190718034214.14948-2-npiggin@gmail.com>
[dwg: Removed unnecessary CONFIG_USER_ONLY checks as suggested by gkurz]
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: fix leak in h_client_architecture_support
Shivaprasad G Bhat [Wed, 17 Jul 2019 08:20:31 +0000 (03:20 -0500)] 
ppc: fix leak in h_client_architecture_support

Free all SpaprOptionVector local pointers after use.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-Id: <156335160761.82682.11912058325777251614.stgit@lep8c.aus.stglabs.ibm.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: fix memory leak in spapr_dt_drc()
Shivaprasad G Bhat [Wed, 17 Jul 2019 08:20:01 +0000 (03:20 -0500)] 
ppc: fix memory leak in spapr_dt_drc()

Leaking the drc_name while preparing the DT properties.
Fixing that.

Also, remove the const qualifier from spapr_drc_name().

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-Id: <156335159028.82682.5404622104535818162.stgit@lep8c.aus.stglabs.ibm.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoppc: fix memory leak in spapr_caps_add_properties
Shivaprasad G Bhat [Wed, 17 Jul 2019 08:19:43 +0000 (03:19 -0500)] 
ppc: fix memory leak in spapr_caps_add_properties

Free the capability name string after setting
the capability.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-Id: <156335156198.82682.8756968724044750843.stgit@lep8c.aus.stglabs.ibm.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Optimize emulation of vclzw instruction
Stefan Brankovic [Mon, 15 Jul 2019 14:22:52 +0000 (16:22 +0200)] 
target/ppc: Optimize emulation of vclzw instruction

Optimize Altivec instruction vclzw (Vector Count Leading Zeros Word).
This instruction counts the number of leading zeros of each word element
in source register and places result in the appropriate word element of
destination register.

Counting is to be performed in four iterations of for loop(one for each
word elemnt of source register vB). Every iteration consists of loading
appropriate word element from source register, counting leading zeros
with tcg_gen_clzi_i32, and saving the result in appropriate word element
of destination register.

Signed-off-by: Stefan Brankovic <stefan.brankovic@rt-rk.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1563200574-11098-7-git-send-email-stefan.brankovic@rt-rk.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Optimize emulation of vclzd instruction
Stefan Brankovic [Mon, 15 Jul 2019 14:22:51 +0000 (16:22 +0200)] 
target/ppc: Optimize emulation of vclzd instruction

Optimize Altivec instruction vclzd (Vector Count Leading Zeros Doubleword).
This instruction counts the number of leading zeros of each doubleword element
in source register and places result in the appropriate doubleword element of
destination register.

Using tcg-s count leading zeros instruction two times(once for each
doubleword element of source register vB) and placing result in
appropriate doubleword element of destination register vD.

Signed-off-by: Stefan Brankovic <stefan.brankovic@rt-rk.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1563200574-11098-6-git-send-email-stefan.brankovic@rt-rk.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Optimize emulation of vgbbd instruction
Stefan Brankovic [Mon, 15 Jul 2019 14:22:50 +0000 (16:22 +0200)] 
target/ppc: Optimize emulation of vgbbd instruction

Optimize altivec instruction vgbbd (Vector Gather Bits by Bytes by Doubleword)
All ith bits (i in range 1 to 8) of each byte of doubleword element in
source register are concatenated and placed into ith byte of appropriate
doubleword element in destination register.

Following solution is done for both doubleword elements of source register
in parallel, in order to reduce the number of instructions needed(that's why
arrays are used):
First, both doubleword elements of source register vB are placed in
appropriate element of array avr. Bits are gathered in 2x8 iterations(2 for
loops). In first iteration bit 1 of byte 1, bit 2 of byte 2,... bit 8 of
byte 8 are in their final spots so avr[i], i={0,1} can be and-ed with
tcg_mask. For every following iteration, both avr[i] and tcg_mask variables
have to be shifted right for 7 and 8 places, respectively, in order to get
bit 1 of byte 2, bit 2 of byte 3.. bit 7 of byte 8 in their final spots so
shifted avr values(saved in tmp) can be and-ed with new value of tcg_mask...
After first 8 iteration(first loop), all the first bits are in their final
places, all second bits but second bit from eight byte are in their places...
only 1 eight bit from eight byte is in it's place). In second loop we do all
operations symmetrically, in order to get other half of bits in their final
spots. Results for first and second doubleword elements are saved in
result[0] and result[1] respectively. In the end those results are saved in
appropriate doubleword element of destination register vD.

Signed-off-by: Stefan Brankovic <stefan.brankovic@rt-rk.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1563200574-11098-5-git-send-email-stefan.brankovic@rt-rk.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: move opcode decode tables to PowerPCCPU
Alex Bennée [Tue, 16 Jul 2019 12:13:52 +0000 (13:13 +0100)] 
target/ppc: move opcode decode tables to PowerPCCPU

The opcode decode tables aren't really part of the CPUPPCState but an
internal implementation detail for the translator. This can cause
problems with memcpy in cpu_copy as any table created during
ppc_cpu_realize get written over causing a memory leak. To avoid this
move the tables into PowerPCCPU which is better suited to hold
internal implementation details.

Attempts to fix: https://bugs.launchpad.net/qemu/+bug/1836558
Cc: 1836558@bugs.launchpad.net
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20190716121352.302-1-alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Optimize emulation of vsl and vsr instructions
Stefan Brankovic [Mon, 15 Jul 2019 14:22:48 +0000 (16:22 +0200)] 
target/ppc: Optimize emulation of vsl and vsr instructions

Optimization of altivec instructions vsl and vsr(Vector Shift Left/Rigt).
Perform shift operation (left and right respectively) on 128 bit value of
register vA by value specified in bits 125-127 of register vB. Lowest 3
bits in each byte element of register vB must be identical or result is
undefined.

For vsl instruction, the first step is bits 125-127 of register vB have
to be saved in variable sh. Then, the highest sh bits of the lower
doubleword element of register vA are saved in variable shifted,
in order not to lose those bits when shift operation is performed on
the lower doubleword element of register vA, which is the next
step. After shifting the lower doubleword element shift operation
is performed on higher doubleword element of vA, with replacement of
the lowest sh bits(that are now 0) with bits saved in shifted.

For vsr instruction, firstly, the bits 125-127 of register vB have
to be saved in variable sh. Then, the lowest sh bits of the higher
doubleword element of register vA are saved in variable shifted,
in odred not to lose those bits when the shift operation is
performed on the higher doubleword element of register vA, which is
the next step. After shifting higher doubleword element, shift operation
is performed on lower doubleword element of vA, with replacement of
highest sh bits(that are now 0) with bits saved in shifted.

Signed-off-by: Stefan Brankovic <stefan.brankovic@rt-rk.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1563200574-11098-3-git-send-email-stefan.brankovic@rt-rk.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agotarget/ppc: Optimize emulation of lvsl and lvsr instructions
Stefan Brankovic [Mon, 15 Jul 2019 14:22:47 +0000 (16:22 +0200)] 
target/ppc: Optimize emulation of lvsl and lvsr instructions

Adding simple macro that is calling tcg implementation of appropriate
instruction if altivec support is active.

Optimization of altivec instruction lvsl (Load Vector for Shift Left).
Place bytes sh:sh+15 of value 0x00 || 0x01 || 0x02 || ... || 0x1E || 0x1F
in destination register. Sh is calculated by adding 2 source registers and
getting bits 60-63 of result.

First, the bits [28-31] are placed from EA to variable sh. After that,
the bytes are created in the following way:
sh:(sh+7) of X(from description) by multiplying sh with 0x0101010101010101
followed by addition of the result with 0x0001020304050607. Value obtained
is placed in higher doubleword element of vD.
(sh+8):(sh+15) by adding the result of previous multiplication with
0x08090a0b0c0d0e0f. Value obtained is placed in lower doubleword element
of vD.

Optimization of altivec instruction lvsr (Load Vector for Shift Right).
Place bytes 16-sh:31-sh of value 0x00 || 0x01 || 0x02 || ... || 0x1E ||
0x1F in destination register. Sh is calculated by adding 2 source
registers and getting bits 60-63 of result.

First, the bits [28-31] are placed from EA to variable sh. After that,
the bytes are created in the following way:
sh:(sh+7) of X(from description) by multiplying sh with 0x0101010101010101
followed by substraction of the result from 0x1011121314151617. Value
obtained is placed in higher doubleword element of vD.
(sh+8):(sh+15) by substracting the result of previous multiplication from
0x18191a1b1c1d1e1f. Value obtained is placed in lower doubleword element
of vD.

Signed-off-by: Stefan Brankovic <stefan.brankovic@rt-rk.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1563200574-11098-2-git-send-email-stefan.brankovic@rt-rk.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agomigration: Do not re-read the clock on pre_save in case of paused guest
Maxiwell S. Garcia [Thu, 11 Jul 2019 19:47:02 +0000 (16:47 -0300)] 
migration: Do not re-read the clock on pre_save in case of paused guest

Re-read the timebase before migrate was ported from x86 commit:
   6053a86fe7bd: kvmclock: reduce kvmclock difference on migration

The clock move makes the guest knows about the paused time between
the stop and migrate commands. This is an issue in an already-paused
VM because some side effects, like process stalls, could happen
after migration.

So, this patch checks the runstate of guest in the pre_save handler and
do not re-reads the timebase in case of paused state (cold migration).

Signed-off-by: Maxiwell S. Garcia <maxiwell@linux.ibm.com>
Message-Id: <20190711194702.26598-1-maxiwell@linux.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr_pci: Allow 2MiB and 16MiB IOMMU pagesizes by default
David Gibson [Fri, 5 Jul 2019 05:03:05 +0000 (15:03 +1000)] 
spapr_pci: Allow 2MiB and 16MiB IOMMU pagesizes by default

We've had the qemu and kernel KVM infrastructure to handle larger TCE
page sizes for a while, but forgot to update the defaults to actually
allow them.  This turns that change on.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agoaudio: fix memory leak reported by ASAN
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:59 +0000 (01:06 +0200)] 
audio: fix memory leak reported by ASAN

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: ed35e9e72aa77c9376e9c8a8f3a5443703fe6fbe.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: use size_t where makes sense
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:58 +0000 (01:06 +0200)] 
audio: use size_t where makes sense

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: c5193e687fc6cc0f60cb3e90fe69ddf2027d0df1.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: remove read and write pcm_ops
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:57 +0000 (01:06 +0200)] 
audio: remove read and write pcm_ops

They just called audio_pcm_sw_read/write anyway, so it makes no sense
to have them too.  (The noaudio's read is the only exception, but it
should work with the generic code too.)

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: 92ddc98133bc4b687c6e4608b9321e7b64c0e496.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agopaaudio: fix playback glitches
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:56 +0000 (01:06 +0200)] 
paaudio: fix playback glitches

Pulseaudio normally assumes that when the server wants it, the client
can generate the audio samples and send it right away.  Unfortunately
this is not the case with QEMU -- it's up to the emulated system when
does it generate the samples.  Buffering the samples and sending them
from a background thread is just a workaround, that doesn't work too
well.  Instead enable pa's compatibility support and let pa worry about
the details.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: aa4e3613122ccbaa62b1feb4e427260731f7477c.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: do not run each backend in audio_run
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:55 +0000 (01:06 +0200)] 
audio: do not run each backend in audio_run

audio_run is called manually by alsa and oss backends when polling.
In this case only the requesting backend should be run, not all of them.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 10221fcea2028fa18d95cf531526ffe3b1d9b21a.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: remove audio_MIN, audio_MAX
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:54 +0000 (01:06 +0200)] 
audio: remove audio_MIN, audio_MAX

There's already a MIN and MAX macro in include/qemu/osdep.h, use them
instead.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 303222477df6f7373217e0df768635fab5855745.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agopaaudio: properly disconnect streams in fini_*
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:53 +0000 (01:06 +0200)] 
paaudio: properly disconnect streams in fini_*

Currently this needs a workaround due to bug #247 in pulseaudio.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: c81019d550d9c3518185d3d08bd463ae3ccdc392.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agopaaudio: do not move stream when sink/source name is specified
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:52 +0000 (01:06 +0200)] 
paaudio: do not move stream when sink/source name is specified

Unless we disable stream moving, pulseaudio can easily move the stream
on connect, effectively ignoring the source/sink specified by the user.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: c245929463e6e46a48b2875a150815e2ccba11b4.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: audiodev= parameters no longer optional when -audiodev present
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:51 +0000 (01:06 +0200)] 
audio: audiodev= parameters no longer optional when -audiodev present

This means you should probably stop using -soundhw (as it doesn't allow
you to specify any options) and add the device manually with -device.
The exception is pcspk, it's currently not possible to manually add it.
To use it with audiodev, use something like this:

    -audiodev id=foo,... -global isa-pcspk.audiodev=foo -soundhw pcspk

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: 9072b955acffda13976bca7b61f86d7f708c9269.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agopaaudio: prepare for multiple audiodev
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:50 +0000 (01:06 +0200)] 
paaudio: prepare for multiple audiodev

Have a pool of refcounted connections per server, so if the user creates
multiple audiodevs to the same pa server, it will use a single connection.  (It
will still create different streams, so the user can manage those streams
separately in pulseaudio.)

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: d43218f327c62cdbd16ea0c922612025fbc4805e.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: add audiodev properties to frontends
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:49 +0000 (01:06 +0200)] 
audio: add audiodev properties to frontends

Finally add audiodev= options to audio frontends so users can specify
which backend to use when multiple backends exist.  Not specifying an
audiodev= option currently causes the first audiodev to be used, this is
fixed in the next commit.

Example usage: -audiodev pa,id=foo -device AC97,audiodev=foo

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: d64db52dda2d0e9d97bc5ab1dd9adf724280fea1.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: add audiodev property to vnc and wav_capture
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:48 +0000 (01:06 +0200)] 
audio: add audiodev property to vnc and wav_capture

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: 8cbc9e865bbf40850c14340fc0549e6ac2d5fe9c.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: basic support for multi backend audio
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:47 +0000 (01:06 +0200)] 
audio: basic support for multi backend audio

Audio functions no longer access glob_audio_state, instead they get an
AudioState as a parameter.  This is required in order to support
multiple backends.

glob_audio_state is also gone, and replaced with a tailq so we can store
more than one states.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Message-id: 67aef54f9e729a7160fe95c465351115e392164b.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: reduce glob_audio_state usage
Kővágó, Zoltán [Sun, 18 Aug 2019 23:06:46 +0000 (01:06 +0200)] 
audio: reduce glob_audio_state usage

Remove glob_audio_state from functions, where possible without breaking
the API.  This means that most static functions in audio.c now take an
AudioState pointer instead of implicitly using glob_audio_state.  Also
included a pointer in SWVoice*, HWVoice* structs, so that functions
dealing them can know the audio state without having to pass it around
separately.

This is required in order to support multiple simultaneous audio
backends (added in a later commit).

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: b5e241f24e795267b145bcde7c6a72dd5e6037ea.1566168923.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoaudio: Add missing fall through comments
Stefan Weil [Thu, 18 Jul 2019 19:34:41 +0000 (21:34 +0200)] 
audio: Add missing fall through comments

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190718193441.12490-1-sw@weilnetz.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agohw: add compat machines for 4.2
Cornelia Huck [Wed, 24 Jul 2019 10:35:24 +0000 (12:35 +0200)] 
hw: add compat machines for 4.2

Add 4.2 machine types for arm/i440fx/q35/s390x/spapr.

For i440fx and q35, unversioned cpu models are still translated
to -v1, as 0788a56bd1ae ("i386: Make unversioned CPU models be
aliases") states this should only transition to the latest cpu
model version in 4.3 (or later).

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20190724103524.20916-1-cohuck@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr_iommu: Fix xlate trace to print translated address
Alexey Kardashevskiy [Mon, 12 Aug 2019 05:42:02 +0000 (15:42 +1000)] 
spapr_iommu: Fix xlate trace to print translated address

Currently we basically print IO address twice, fix this.

Fixes: 7e472264e9e2 ("PPC: spapr: iommu: rework traces")
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-Id: <20190812054202.125492-1-aik@ozlabs.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agospapr: quantify error messages regarding capability settings
Daniel Black [Mon, 12 Aug 2019 07:10:44 +0000 (17:10 +1000)] 
spapr: quantify error messages regarding capability settings

Its not immediately obvious how cap-X=Y setting need to be applied
to the command line so, for spapr capability error messages, this
has been clarified to:

 appending -machine cap-X=Y

The wrong value messages have been left as is, as the user has found
the right location.

Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Daniel Black <daniel@linux.ibm.com>
Message-Id: <20190812071044.30806-1-daniel@linux.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2 years agox86: Intel AVX512_BF16 feature enabling
Jing Liu [Thu, 25 Jul 2019 06:14:16 +0000 (14:14 +0800)] 
x86: Intel AVX512_BF16 feature enabling

Intel CooperLake cpu adds AVX512_BF16 instruction, defining as
CPUID.(EAX=7,ECX=1):EAX[bit 05].

The patch adds a property for setting the subleaf of CPUID leaf 7 in
case that people would like to specify it.

The release spec link as follows,
https://software.intel.com/sites/default/files/managed/c5/15/\
architecture-instruction-set-extensions-programming-reference.pdf

Signed-off-by: Jing Liu <jing2.liu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoscsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
Paolo Bonzini [Wed, 14 Aug 2019 12:05:21 +0000 (17:35 +0530)] 
scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)

When executing script in lsi_execute_script(), the LSI scsi adapter
emulator advances 's->dsp' index to read next opcode. This can lead
to an infinite loop if the next opcode is empty. Move the existing
loop exit after 10k iterations so that it covers no-op opcodes as
well.

Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agotest-bitmap: test set 1 bit case for bitmap_set
Wei Yang [Wed, 14 Aug 2019 00:27:23 +0000 (08:27 +0800)] 
test-bitmap: test set 1 bit case for bitmap_set

All current bitmap_set test cases set range across word, while the
handle of a range within one word is different from that.

Add case to set 1 bit as a represent for set range within one word.

Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agomigration: do not rom_reset() during incoming migration
Catherine Ho [Mon, 8 Apr 2019 08:42:13 +0000 (04:42 -0400)] 
migration: do not rom_reset() during incoming migration

Commit 18269069c310 ("migration: Introduce ignore-shared capability")
addes ignore-shared capability to bypass the shared ramblock (e,g,
membackend + numa node). It does good to live migration.

As told by Yury,this commit expectes that QEMU doesn't write to guest RAM
until VM starts, but it does on aarch64 qemu:
Backtrace:
1  0x000055f4a296dd84 in address_space_write_rom_internal () at
exec.c:3458
2  0x000055f4a296de3a in address_space_write_rom () at exec.c:3479
3  0x000055f4a2d519ff in rom_reset () at hw/core/loader.c:1101
4  0x000055f4a2d475ec in qemu_devices_reset () at hw/core/reset.c:69
5  0x000055f4a2c90a28 in qemu_system_reset () at vl.c:1675
6  0x000055f4a2c9851d in main () at vl.c:4552

Actually, on arm64 virt marchine, ramblock "dtb" will be filled into ram
druing rom_reset. In ignore-shared incoming case, this rom filling
is not required since all the data has been stored in memory backend
file.

Further more, as suggested by Peter Xu, if we do rom_reset() now with
these ROMs then the RAM data should be re-filled again too with the
migration stream coming in.

Fixes: commit 18269069c310 ("migration: Introduce ignore-shared
capability")
Suggested-by: Yury Kotov <yury-kotov@yandex-team.ru>
Suggested-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Catherine Ho <catherine.hecx@gmail.com>
Acked-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoHACKING: Document 'struct' keyword usage
Eduardo Habkost [Mon, 12 Aug 2019 23:46:30 +0000 (20:46 -0300)] 
HACKING: Document 'struct' keyword usage

Sometimes we use the 'struct' keyword in headers to help us
reduce dependencies between header files.  Document that
practice.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agokvm: vmxcap: Enhance with latest features
Jan Kiszka [Tue, 13 Aug 2019 06:29:33 +0000 (08:29 +0200)] 
kvm: vmxcap: Enhance with latest features

Based on SDM from May 2019.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agocpus-common: nuke finish_safe_work
Roman Kagan [Thu, 23 May 2019 10:54:48 +0000 (10:54 +0000)] 
cpus-common: nuke finish_safe_work

It was introduced in commit ab129972c8b41e15b0521895a46fd9c752b68a5e,
with the following motivation:

  Because start_exclusive uses CPU_FOREACH, merge exclusive_lock with
  qemu_cpu_list_lock: together with a call to exclusive_idle (via
  cpu_exec_start/end) in cpu_list_add, this protects exclusive work
  against concurrent CPU addition and removal.

However, it seems to be redundant, because the cpu-exclusive
infrastructure provides suffificent protection against the newly added
CPU starting execution while the cpu-exclusive work is running, and the
aforementioned traversing of the cpu list is protected by
qemu_cpu_list_lock.

Besides, this appears to be the only place where the cpu-exclusive
section is entered with the BQL taken, which has been found to trigger
AB-BA deadlock as follows:

    vCPU thread                             main thread
    -----------                             -----------
async_safe_run_on_cpu(self,
                      async_synic_update)
...                                         [cpu hot-add]
process_queued_cpu_work()
  qemu_mutex_unlock_iothread()
                                            [grab BQL]
  start_exclusive()                         cpu_list_add()
  async_synic_update()                        finish_safe_work()
    qemu_mutex_lock_iothread()                  cpu_exec_start()

So remove it.  This paves the way to establishing a strict nesting rule
of never entering the exclusive section with the BQL taken.

Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
Message-Id: <20190523105440.27045-2-rkagan@virtuozzo.com>

2 years agoicount: remove unnecessary gen_io_end calls
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:55 +0000 (11:44 +0300)] 
icount: remove unnecessary gen_io_end calls

Prior patch resets can_do_io flag at the TB entry. Therefore there is no
need in resetting this flag at the end of the block.
This patch removes redundant gen_io_end calls.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <156404429499.18669.13404064982854123855.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@gmail.com>
2 years agoicount: clean up cpu_can_io at the entry to the block
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:49 +0000 (11:44 +0300)] 
icount: clean up cpu_can_io at the entry to the block

Most of IO instructions can be executed only at the end of the block in
icount mode. Therefore translator can set cpu_can_io flag when translating
the last instruction.
But when the blocks are chained, then this flag is not reset and may
remain set at the beginning of the next block.
This patch resets the flag at the entry of any translation block,
making I/O operations impossible by default.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
--

v2 changes:
 - reset can_do_io at the start of every TB (suggested by Paolo Bonzini)
Message-Id: <156404428943.18669.15747009371169578935.stgit@pasha-Precision-3630-Tower>

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoreplay: rename step-related variables and functions
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:43 +0000 (11:44 +0300)] 
replay: rename step-related variables and functions

This patch renames replay_get_current_step() and related variables
to make these names consistent with existing 'icount' command line
option and future record/replay hmp/qmp commands.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <156404428377.18669.15476429889039912070.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoreplay: refine replay-time module
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:38 +0000 (11:44 +0300)] 
replay: refine replay-time module

This patch removes refactoring artifacts from the replay/replay-time.c

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <156404427799.18669.8072341590511911277.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoreplay: fix replay shutdown
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:32 +0000 (11:44 +0300)] 
replay: fix replay shutdown

This patch fixes shutdown of the replay process, which is terminated with
the assert when shutdown event is read from the log.
replay_finish_event reads new data_kind and therefore the value of data_kind
should be preserved to be valid at qemu_system_shutdown_request call.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <156404427238.18669.12378772823692338069.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoutil/qemu-timer: refactor deadline calculation for external timers
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:26 +0000 (11:44 +0300)] 
util/qemu-timer: refactor deadline calculation for external timers

icount-based record/replay uses qemu_clock_deadline_ns_all to measure
the period until vCPU may be interrupted.
This function takes in account the virtual timers, because they belong
to the virtual devices that may generate interrupt request or affect
the virtual machine state.
However, there are a subset of virtual timers, that are marked with
'external' flag. These do not change the virtual machine state and
only based on virtual clock. Calculating the deadling using the external
timers breaks the determinism, because they do not belong to the replayed
part of the virtual machine.
This patch fixes the deadline calculation for this case by adding
new parameter for skipping the external timers when it is needed.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
--

v2 changes:
 - added new parameter for timer attribute mask
Message-Id: <156404426682.18669.17014100602930969222.stgit@pasha-Precision-3630-Tower>

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoreplay: document development rules
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:21 +0000 (11:44 +0300)] 
replay: document development rules

This patch introduces docs/devel/replay.txt which describes the rules
that should be followed to make virtual devices usable in record/replay mode.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgauk@ispras.ru>
--

v9: fixed external virtual clock description (reported by Artem Pisarenko)
Message-Id: <156404426119.18669.6707258931552832854.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
2 years agoreplay: add missing fix for internal function
Pavel Dovgalyuk [Thu, 25 Jul 2019 08:44:15 +0000 (11:44 +0300)] 
replay: add missing fix for internal function

This is a fix which was missed by patch
74c0b816adfc6aa1b01b4426fdf385e32e35cbac, which added current_step
parameter to the replay_advance_current_step function.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <156404425561.18669.13015037579222450241.stgit@pasha-Precision-3630-Tower>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agotimer: last, remove last bits of last
Dr. David Alan Gilbert [Wed, 24 Jul 2019 11:58:23 +0000 (12:58 +0100)] 
timer: last, remove last bits of last

The reset notifiers kept a 'last' counter to notice jumps;
now that we've remove the notifier we don't need to keep 'last'.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20190724115823.4199-5-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agoreplay: Remove host_clock_last
Dr. David Alan Gilbert [Wed, 24 Jul 2019 11:58:22 +0000 (12:58 +0100)] 
replay: Remove host_clock_last

Now we're not using the 'last' field in the timer, remove it from
replay.

Bump the version number of the replay structure since we've
removed the field.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20190724115823.4199-4-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agotimer: Remove reset notifiers
Dr. David Alan Gilbert [Wed, 24 Jul 2019 11:58:21 +0000 (12:58 +0100)] 
timer: Remove reset notifiers

Remove the reset notifer from the core qemu-timer code.
The only user was mc146818 and we've just remove it's use.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20190724115823.4199-3-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agomc146818rtc: Remove reset notifiers
Dr. David Alan Gilbert [Wed, 24 Jul 2019 11:58:20 +0000 (12:58 +0100)] 
mc146818rtc: Remove reset notifiers

The reset notifiers are unreliable and recalculating the offsets
after boot causes problems with migration in cases where explicit
base times are set on the destination.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20190724115823.4199-2-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years agomemory: fix race between TCG and accesses to dirty bitmap
Paolo Bonzini [Tue, 6 Feb 2018 17:37:39 +0000 (18:37 +0100)] 
memory: fix race between TCG and accesses to dirty bitmap

There is a race between TCG and accesses to the dirty log:

      vCPU thread                  reader thread
      -----------------------      -----------------------
      TLB check -> slow path
        notdirty_mem_write
          write to RAM
          set dirty flag
                                   clear dirty flag
      TLB check -> fast path
                                   read memory
        write to RAM

Fortunately, in order to fix it, no change is required to the
vCPU thread.  However, the reader thread must delay the read after
the vCPU thread has finished the write.  This can be approximated
conservatively by run_on_cpu, which waits for the end of the current
translation block.

A similar technique is used by KVM, which has to do a synchronous TLB
flush after doing a test-and-clear of the dirty-page flags.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>