sdk/emulator/qemu.git
Alex Williamson [Thu, 26 May 2016 15:43:20 +0000 (09:43 -0600)]
vfio: Enable sparse mmap capability

The sparse mmap capability in a vfio region info allows vfio to tell
us which sub-areas of a region may be mmap'd.  Thus rather than
assuming a single mmap covers the entire region and later frobbing it
ourselves for things like the PCI MSI-X vector table, we can read that
directly from vfio.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
Peter Maydell [Thu, 26 May 2016 13:29:29 +0000 (14:29 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches

# gpg: Signature made Wed 25 May 2016 18:32:40 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (31 commits)
  blockjob: Remove BlockJob.bs
  commit: Use BlockBackend for I/O
  backup: Use BlockBackend for I/O
  backup: Remove bs parameter from backup_do_cow()
  backup: Pack Notifier within BackupBlockJob
  backup: Don't leak BackupBlockJob in error path
  mirror: Use BlockBackend for I/O
  mirror: Allow target that already has a BlockBackend
  stream: Use BlockBackend for I/O
  block: Make blk_co_preadv/pwritev() public
  block: Convert block job core to BlockBackend
  block: Default to enabled write cache in blk_new()
  block: Cancel jobs first in bdrv_close_all()
  block: keep a list of block jobs
  block: Rename blk_write_zeroes()
  dma-helpers: change BlockBackend to opaque value in DMAIOFunc
  dma-helpers: change interface to byte-based
  block: Propagate .drained_begin/end callbacks
  block: Fix reconfiguring graph with drained nodes
  block: Make bdrv_drain() use bdrv_drained_begin/end()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Andreas Färber [Mon, 13 Jul 2015 17:35:41 +0000 (19:35 +0200)]
qdev: Start disentangling bus from device

Move bus type and related APIs to a separate file bus.c.
This is a first step in breaking up qdev.c into more manageable chunks.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[AF: Rebased onto osdep.h]
Signed-off-by: Andreas Färber <afaerber@suse.de>
[PMM: added bus.o to link line for test-qdev-global-props]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Sergey Fedorov [Mon, 16 May 2016 13:13:00 +0000 (16:13 +0300)]
cpu-exec: Fix direct jump to TB spanning page

It is not safe to make a direct jump to a TB spanning two pages in
system emulation because the mapping for the second page can get changed
but we don't take care of direct jumps in this case.

However in user mode emulation, this is not the case because there's
only static address translation and TBs are always invalidated properly.

Fixes: 5b053a4a2827 ("tcg: Clean up direct block chaining safety checks")
Reported-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Sergey Fedorov <serge.fdrv@gmail.com>
Signed-off-by: Sergey Fedorov <sergey.fedorov@linaro.org>
Tested-by: Max Filippov <jcmvbkbc@gmail.com>
Message-id: 1463404380-29302-1-git-send-email-sergey.fedorov@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 26 May 2016 11:41:12 +0000 (12:41 +0100)]
Merge remote-tracking branch 'remotes/afaerber/tags/maintainers-for-peter' into staging

Andreas stepping down from most maintainer positions

# gpg: Signature made Wed 25 May 2016 16:53:45 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/maintainers-for-peter:
  MAINTAINERS: Drop Andreas as CPU maintainer
  MAINTAINERS: Drop Andreas as 0.15 maintainer
  MAINTAINERS: Drop Andreas as PReP maintainer
  MAINTAINERS: Drop Andreas as Cocoa maintainer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Kevin Wolf [Mon, 18 Apr 2016 15:30:17 +0000 (17:30 +0200)]
blockjob: Remove BlockJob.bs

There is a single remaining user in qemu-img, and another one in a test
case, both of which can be trivially converted to using BlockJob.blk
instead.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Kevin Wolf [Thu, 14 Apr 2016 11:09:53 +0000 (13:09 +0200)]
commit: Use BlockBackend for I/O

This changes the commit block job to use the job's BlockBackend for
performing its I/O. job->bs isn't used by the commit code any more
afterwards.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Thu, 14 Apr 2016 11:09:53 +0000 (13:09 +0200)]
backup: Use BlockBackend for I/O

This changes the backup block job to use the job's BlockBackend for
performing its I/O. job->bs isn't used by the backup code any more
afterwards.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Thu, 14 Apr 2016 13:56:02 +0000 (15:56 +0200)]
backup: Remove bs parameter from backup_do_cow()

Now that we pass the job to the function, bs is implied by that.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
John Snow [Tue, 26 Jan 2016 23:54:58 +0000 (18:54 -0500)]
backup: Pack Notifier within BackupBlockJob

Instead of relying on peeking at bs->job, we want to explicitly get
a reference to the job that was involved in this notifier callback.

Pack the Notifier inside of the BackupBlockJob so we can use
container_of to get a reference back to the BackupBlockJob object.

This cuts out one more case where we rely unnecessarily on bs->job.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Thu, 14 Apr 2016 10:59:55 +0000 (12:59 +0200)]
backup: Don't leak BackupBlockJob in error path

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Kevin Wolf [Tue, 12 Apr 2016 14:17:41 +0000 (16:17 +0200)]
mirror: Use BlockBackend for I/O

This changes the mirror block job to use the job's BlockBackend for
performing its I/O. job->bs isn't used by the mirroring code any more
afterwards.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Tue, 12 Apr 2016 14:20:59 +0000 (16:20 +0200)]
mirror: Allow target that already has a BlockBackend

We had to forbid mirroring to a target BDS that already had a BB
attached because the node swapping at job completion would add a second
BB and we didn't support multiple BBs on a single BDS at the time. Now
we do, so we can lift the restriction.

As we allow additional BlockBackends for the target, we must expect
other users to be sending requests. There may be no requests in flight
during the graph modification, so we have to drain those users now.

The core part of this patch is a revert of commit 40365552.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Tue, 12 Apr 2016 13:15:49 +0000 (15:15 +0200)]
stream: Use BlockBackend for I/O

This changes the streaming block job to use the job's BlockBackend for
performing the COR reads. job->bs isn't used by the streaming code any
more afterwards.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Thu, 14 Apr 2016 14:40:16 +0000 (16:40 +0200)]
block: Make blk_co_preadv/pwritev() public

Also add trace points now that the function can be directly called.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Kevin Wolf [Fri, 8 Apr 2016 12:51:09 +0000 (14:51 +0200)]
block: Convert block job core to BlockBackend

This adds a new BlockBackend field to the BlockJob struct, which
coexists with the BlockDriverState while converting the individual jobs.

When creating a block job, a new BlockBackend is created on top of the
given BlockDriverState, and it is destroyed when the BlockJob ends. The
reference to the BDS is now held by the BlockBackend instead of calling
bdrv_ref/unref manually.

We have to be careful when we use bdrv_replace_in_backing_chain() in
block jobs because this changes the BDS that job->blk points to. At the
moment block jobs are too tightly coupled with their BDS, so that moving
a job to another BDS isn't easily possible; therefore, we need to just
manually undo this change afterwards.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Tue, 19 Apr 2016 15:27:24 +0000 (17:27 +0200)]
block: Default to enabled write cache in blk_new()

The existing users of the function are:

1. blk_new_open(), which already enabled the write cache
2. Some test cases that don't care about the setting
3. blockdev_init() for empty drives, where the cache mode is overridden
   with the value from the options when a medium is inserted

Therefore, this patch doesn't change the current behaviour. It will be
convenient, however, for additional users of blk_new() (like block
jobs) if the most sensible WCE setting is the default.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Kevin Wolf [Fri, 8 Apr 2016 16:26:37 +0000 (18:26 +0200)]
block: Cancel jobs first in bdrv_close_all()

So far, bdrv_close_all() first removed all root BlockDriverStates of
BlockBackends and monitor owned BDSes, and then assumed that the
remaining BDSes must be related to jobs and cancelled these jobs.

This order doesn't work that well any more when block jobs use
BlockBackends internally because then they will lose their BDS before
being cancelled.

This patch changes bdrv_close_all() to first cancel all jobs and then
remove all root BDSes from the remaining BBs.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Alberto Garcia [Mon, 4 Apr 2016 13:43:51 +0000 (16:43 +0300)]
block: keep a list of block jobs

The current way to obtain the list of existing block jobs is to
iterate over all root nodes and check which ones own a job.

Since we want to be able to support block jobs in other nodes as well,
this patch keeps a list of jobs that is updated every time one is
created or destroyed.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Eric Blake [Tue, 24 May 2016 22:25:20 +0000 (16:25 -0600)]
block: Rename blk_write_zeroes()

Commit 983a1600 changed the semantics of blk_write_zeroes() to
be byte-based rather than sector-based, but did not change the
name, which is an open invitation for other code to misuse the
function.  Renaming to pwrite_zeroes() makes it more in line
with other byte-based interfaces, and will help make it easier
to track which remaining write_zeroes interfaces still need
conversion.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Paolo Bonzini [Mon, 23 May 2016 12:54:06 +0000 (14:54 +0200)]
dma-helpers: change BlockBackend to opaque value in DMAIOFunc

Callers of dma_blk_io have no way to pass extra data to the DMAIOFunc,
because the original callback and opaque are gone by the time DMAIOFunc
is called.  On the other hand, the BlockBackend is usually derived
from those extra data that you could pass to the DMAIOFunc (in the
next patch, that would be the SCSIRequest).

So change DMAIOFunc's prototype, decoupling it from blk_aio_readv
and blk_aio_writev's.  The new prototype loses the BlockBackend
and gains an extra opaque value which, in the case of dma_blk_readv
and dma_blk_writev, is of course used for the BlockBackend.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Paolo Bonzini [Mon, 23 May 2016 12:54:05 +0000 (14:54 +0200)]
dma-helpers: change interface to byte-based

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Mon, 23 May 2016 16:46:59 +0000 (18:46 +0200)]
block: Propagate .drained_begin/end callbacks

When draining intermediate nodes (i.e. nodes that aren't the root node
for at least one of their parents; with node references, the user can
always configure the graph to create this situation), we need to
propagate the .drained_begin/end callbacks all the way up to the root
for the drain to be effective.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Kevin Wolf [Tue, 17 May 2016 12:51:55 +0000 (14:51 +0200)]
block: Fix reconfiguring graph with drained nodes

When changing the BlockDriverState that a BdrvChild points to while the
node is currently drained, we must call the .drained_end() parent
callback. Conversely, when this means attaching a new node that is
already drained, we need to call .drained_begin().

bdrv_root_attach_child() takes now an opaque parameter, which is needed
because the callbacks must also be called if we're attaching a new child
to the BlockBackend when the root node is already drained, and they need
a way to identify the BlockBackend. Previously, child->opaque was set
too late and the callbacks would still see it as NULL.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Kevin Wolf [Mon, 23 May 2016 14:08:55 +0000 (16:08 +0200)]
block: Make bdrv_drain() use bdrv_drained_begin/end()

Until now, bdrv_drained_begin() used bdrv_drain() internally to drain
the queue. This is kind of backwards and caused quiescing code to be
duplicated because bdrv_drained_begin() had to ensure that no new
requests come in even after bdrv_drain() returns, whereas bdrv_drain()
had to have them because it could be called from other places.

Instead move the bdrv_drain() code to bdrv_drained_begin() and make
bdrv_drain() a simple wrapper around bdrv_drained_begin/end().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Kevin Wolf [Mon, 23 May 2016 13:52:26 +0000 (15:52 +0200)]
block: Introduce bdrv_replace_child()

This adds a common function that is called when attaching a new child to
a parent, removing a child from a parent and when reconfiguring the
graph so that an existing child points to a different node now.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:34 +0000 (16:41 +0200)]
block: Drop errp parameter from blk_new()

blk_new() cannot fail so its Error ** parameter has become superfluous.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:33 +0000 (16:41 +0200)]
block: Drop bdrv_parent_cb_...() from bdrv_close()

bdrv_close() now asserts that the BDS's refcount is 0, therefore it
cannot have any parents and the bdrv_parent_cb_change_media() call is a
no-op.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:32 +0000 (16:41 +0200)]
block: Assert !bs->refcnt in bdrv_close()

The only caller of bdrv_close() left is bdrv_delete(). We may as well
assert that, in a way (there are some things in bdrv_close() that make
more sense under that assumption, such as the call to
bdrv_release_all_dirty_bitmaps() which in turn assumes that no frozen
bitmaps are attached to the BDS).

In addition, being called only in bdrv_delete() means that we can drop
bdrv_close()'s forward declaration at the top of block.c.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:31 +0000 (16:41 +0200)]
block: Make bdrv_open() return a BDS

There are no callers to bdrv_open() or bdrv_open_inherit() left that
pass a pointer to a non-NULL BDS pointer as the first argument of these
functions, so we can finally drop that parameter and just make them
return the new BDS.

Generally, the following pattern is applied:

    bs = NULL;
    ret = bdrv_open(&bs, ..., &local_err);
    if (ret < 0) {
        error_propagate(errp, local_err);
        ...
    }

by

    bs = bdrv_open(..., errp);
    if (!bs) {
        ret = -EINVAL;
        ...
    }

Of course, there are only a few instances where the pattern is really
pure.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:30 +0000 (16:41 +0200)]
block: Drop bdrv_new_root()

It is unused now, so we may just as well drop it.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:29 +0000 (16:41 +0200)]
block: Drop blk_new_with_bs()

Its only caller is blk_new_open(), so we can just inline it there.

The bdrv_new_root() call is dropped in the process because we can just
let bdrv_open() create the BDS.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:28 +0000 (16:41 +0200)]
tests: Drop BDS from test-throttle.c

Now that throttling has been moved to the BlockBackend level, we do not
need to create a BDS along with the BB in the I/O throttling test.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:27 +0000 (16:41 +0200)]
block: Let bdrv_open_inherit() return the snapshot

If bdrv_open_inherit() creates a snapshot BDS and *pbs is NULL, that
snapshot BDS should be returned instead of the BDS under it.

This has worked so far because (nearly) all users of BDRV_O_SNAPSHOT use
blk_new_open() to create the BDS tree. bdrv_append() (which is called by
bdrv_append_temp_snapshot()) redirects pointers from parents (i.e. the
BB in this case) to the newly appended child (i.e. the overlay),
therefore, while bdrv_open_inherit() did not return the root BDS, the BB
still pointed to it.

The only instance where BDRV_O_SNAPSHOT is used but blk_new_open() is
not is in blockdev_init() if no BDS tree is created, and instead
blk_new() is used and the flags are stored in the BB root state.
However, qmp_blockdev_change_medium() filters the BDRV_O_SNAPSHOT flag
before invoking bdrv_open(), so it will not have any effect.

In any case, it would be nicer if bdrv_open_inherit() could just always
return the root of the BDS tree that has been created.

To this end, bdrv_append_temp_snapshot() now returns the snapshot BDS
instead of just appending it on top of the snapshotted BDS. Also, it
calls bdrv_ref() before bdrv_append() (which bdrv_open_inherit() has to
undo if not returning the overlay).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Tue, 17 May 2016 14:41:26 +0000 (16:41 +0200)]
block: Drop useless bdrv_new() call

bdrv_append_temp_snapshot() uses bdrv_new() to create an empty BDS
before invoking bdrv_open() on that BDS. This is probably a relict from
when it used to do some modifications on that empty BDS, but now that is
unnecessary, so we can just set bs_snapshot to NULL and let bdrv_open()
do the rest.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Fri, 20 May 2016 16:49:07 +0000 (18:49 +0200)]
block: Fix bdrv_next() memory leak

The bdrv_next() users all leaked the BdrvNextIterator after completing
the iteration. Simply changing bdrv_next() to free the iterator before
returning NULL at the end of list doesn't work because some callers exit
the loop before looking at all BDSes.

This patch moves the BdrvNextIterator from the heap to the stack of
the caller and switches to a bdrv_first()/bdrv_next() interface for
initialising the iterator.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Andreas Färber [Wed, 25 May 2016 15:21:59 +0000 (17:21 +0200)]
MAINTAINERS: Drop Andreas as CPU maintainer

Signed-off-by: Andreas Färber <afaerber@suse.de>
Andreas Färber [Wed, 25 May 2016 15:16:39 +0000 (17:16 +0200)]
MAINTAINERS: Drop Andreas as 0.15 maintainer

Downgrade to orphan status, like all other remaining stable entries.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Andreas Färber [Wed, 25 May 2016 15:18:14 +0000 (17:18 +0200)]
MAINTAINERS: Drop Andreas as PReP maintainer

Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Andreas Färber [Wed, 25 May 2016 15:14:56 +0000 (17:14 +0200)]
MAINTAINERS: Drop Andreas as Cocoa maintainer

Peter has taken over Cocoa maintainership.

Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Peter Maydell [Tue, 24 May 2016 12:06:32 +0000 (13:06 +0100)]
Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging

X86 queue, 2016-05-23

# gpg: Signature made Mon 23 May 2016 23:48:27 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"

* remotes/ehabkost/tags/x86-pull-request:
  target-i386: kvm: Eliminate kvm_msr_entry_set()
  target-i386: kvm: Simplify MSR setting functions
  target-i386: kvm: Simplify MSR array construction
  target-i386: kvm: Increase MSR_BUF_SIZE
  target-i386: kvm: Allocate kvm_msrs struct once per VCPU
  target-i386: Call cpu_exec_init() on realize
  target-i386: Move TCG initialization to realize time
  target-i386: Move TCG initialization check to tcg_x86_init()
  cpu: Eliminate cpudef_init(), cpudef_setup()
  target-i386: Set constant model_id for qemu64/qemu32/athlon
  pc: Set CPU model-id on compat_props for pc <= 2.4
  osdep: Move default qemu_hw_version() value to a macro
  target-i386: kvm: Use X86XSaveArea struct for xsave save/load
  target-i386: Use xsave structs for ext_save_area
  target-i386: Define structs for layout of xsave area

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 24 May 2016 11:21:07 +0000 (12:21 +0100)]
Merge remote-tracking branch 'remotes/amit-migration/tags/migration-2.7-1' into staging

migration fixes:

- ensure src block devices continue fine after a failed migration
- fail on migration blockers; helps 9p savevm/loadvm
- move autoconverge commands out of experimental state
- move the migration-specific qjson in migration/

# gpg: Signature made Mon 23 May 2016 18:15:09 BST using RSA key ID 657EF670
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit-migration/tags/migration-2.7-1:
  migration: regain control of images when migration fails to complete
  savevm: fail if migration blockers are present
  migration: Promote improved autoconverge commands out of experimental state
  migration/qjson: Drop gratuitous use of QOM
  migration: Move qjson.[ch] to migration/

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 24 May 2016 10:38:22 +0000 (11:38 +0100)]
Merge remote-tracking branch 'remotes/amit-virtio-rng/tags/rng-2.7-1' into staging

rng: rename RndRandom to RngRandom

# gpg: Signature made Mon 23 May 2016 16:44:58 BST using RSA key ID 657EF670
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit-virtio-rng/tags/rng-2.7-1:
  rng-random: rename RndRandom to RngRandom

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 24 May 2016 09:19:45 +0000 (10:19 +0100)]
Merge remote-tracking branch 'remotes/xtensa/tags/20160523-opencores_eth' into staging

opencores_eth cleanups:
- use mii.h
- reduce stack usage in open_eth_start_xmit.

# gpg: Signature made Mon 23 May 2016 20:14:20 BST using RSA key ID F83FA044
# gpg: Good signature from "Max Filippov <max.filippov@cogentembedded.com>"
# gpg:                 aka "Max Filippov <jcmvbkbc@gmail.com>"

* remotes/xtensa/tags/20160523-opencores_eth:
  hw/net/opencores_eth: Allocating Large sized arrays to heap
  hw/net/opencores_eth: use mii.h

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Eduardo Habkost [Wed, 16 Dec 2015 19:06:46 +0000 (17:06 -0200)]
target-i386: kvm: Eliminate kvm_msr_entry_set()

Inline the function inside kvm_msr_entry_add().

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Wed, 16 Dec 2015 19:06:45 +0000 (17:06 -0200)]
target-i386: kvm: Simplify MSR setting functions

Simplify kvm_put_tscdeadline_msr() and
kvm_put_msr_feature_control() using kvm_msr_buf and the
kvm_msr_entry_add() helper.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Wed, 16 Dec 2015 19:06:44 +0000 (17:06 -0200)]
target-i386: kvm: Simplify MSR array construction

Add a helper function that appends new entries to the MSR buffer
and checks for the buffer size limit.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Wed, 16 Dec 2015 19:06:43 +0000 (17:06 -0200)]
target-i386: kvm: Increase MSR_BUF_SIZE

We are dangerously close to the array limits in kvm_put_msrs()
and kvm_get_msrs(): with the default mcg_cap configuration, we
can set up to 148 MSRs in kvm_put_msrs(), and if we allow mcg_cap
to be changed, we can write up to 236 MSRs.

Use 4096 bytes for the buffer, that can hold 255 kvm_msr_entry
structs.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Wed, 16 Dec 2015 19:06:42 +0000 (17:06 -0200)]
target-i386: kvm: Allocate kvm_msrs struct once per VCPU

Instead of using 2400 bytes in the stack for 150 MSR entries in
kvm_get_msrs() and kvm_put_msrs(), allocate a buffer once for
each VCPU.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Fri, 13 Feb 2015 01:04:50 +0000 (23:04 -0200)]
target-i386: Call cpu_exec_init() on realize

QOM instance_init functions are not supposed to have any side-effects,
as new objects may be created at any moment for querying property
information (see qmp_device_list_properties()).

Calling cpu_exec_init() also affects QEMU's ability to handle errors
during CPU creation, as some actions done by cpu_exec_init() can't be
reverted.

Move cpu_exec_init() call to realize so a simple object_new() won't
trigger it, and so that it is called after some basic validation of CPU
parameters.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Fri, 13 Feb 2015 00:57:44 +0000 (22:57 -0200)]
target-i386: Move TCG initialization to realize time

QOM instance_init functions are not supposed to have any side-effects,
as new objects may be created at any moment for querying property
information (see qmp_device_list_properties()).

Move TCG initialization to realize time so it won't be called when just
doing object_new() on a X86CPU subclass.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Thu, 5 Mar 2015 16:43:16 +0000 (13:43 -0300)]
target-i386: Move TCG initialization check to tcg_x86_init()

Instead of requiring cpu.c to check if TCG was already initialized,
simply let the function be called multiple times.

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Eduardo Habkost [Fri, 30 Oct 2015 20:10:57 +0000 (18:10 -0200)]
cpu: Eliminate cpudef_init(), cpudef_setup()

x86_cpudef_init() doesn't do anything anymore, so cpudef_init(),
cpudef_setup(), and x86_cpudef_init() can finally be removed.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] target-i386: Set constant model_id for qemu64/qemu32/athlon
Eduardo Habkost [Sat, 9 Apr 2016 19:44:20 +0000 (16:44 -0300)]
target-i386: Set constant model_id for qemu64/qemu32/athlon

Newer PC machines don't set hw_version, and older machines set
model-id on compat_props explicitly, so we don't need the
x86_cpudef_setup() code that sets model_id using
qemu_hw_version() anymore.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] hw/net/opencores_eth: Allocating Large sized arrays to heap
Zhou Jie [Wed, 27 Apr 2016 02:07:48 +0000 (10:07 +0800)]
hw/net/opencores_eth: Allocating Large sized arrays to heap

open_eth_start_xmit has a huge stack usage of approximately 65536 bytes.
Move large arrays to the heap to reduce stack usage.

Reduce the size of the buffer allocated on the stack to 0x600 bytes, which is
the maximal frame length when the HUGEN bit is not set in MODER, and only
allocate a buffer on the heap when that is too small. Thus the heap is not
used in the typical use case.

Signed-off-by: Zhou Jie <zhoujie2011@cn.fujitsu.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[8 years ago] hw/net/opencores_eth: use mii.h
Max Filippov [Sun, 3 Apr 2016 23:12:51 +0000 (02:12 +0300)]
hw/net/opencores_eth: use mii.h

Drop local definitions of MII registers and use constants from mii.h for
registers and register bits. No functional changes.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[8 years ago] migration: regain control of images when migration fails to complete
Greg Kurz [Wed, 18 May 2016 13:44:36 +0000 (15:44 +0200)]
migration: regain control of images when migration fails to complete

We currently have an error path during migration that can cause
the source QEMU to abort:

migration_thread()
  migration_completion()
    runstate_is_running() ----------------> true if guest is running
    bdrv_inactivate_all() ----------------> inactivate images
    qemu_savevm_state_complete_precopy()
     ... qemu_fflush()
           socket_writev_buffer() --------> error because destination fails
         qemu_fflush() -------------------> set error on migration stream
  migration_completion() -----------------> set migrate state to FAILED
migration_thread() -----------------------> break migration loop
  vm_start() -----------------------------> restart guest with inactive
                                            images

and you get:

qemu-system-ppc64: socket_writev_buffer: Got err=104 for (32768/18446744073709551615)
qemu-system-ppc64: /home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.
Aborted (core dumped)

If we try postcopy with a similar scenario, we also get the writev error
message but QEMU leaves the guest paused because entered_postcopy is true.

We could possibly do the same with precopy and leave the guest paused.
But since the historical default for migration errors is to restart the
source, this patch adds a call to bdrv_invalidate_cache_all() instead.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-Id: <146357896785.6003.11983081732454362715.stgit@bahia.huguette.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
[8 years ago] pc: Set CPU model-id on compat_props for pc <= 2.4
Eduardo Habkost [Sat, 9 Apr 2016 19:26:38 +0000 (16:26 -0300)]
pc: Set CPU model-id on compat_props for pc <= 2.4

Instead of relying on x86_cpudef_setup() calling
qemu_hw_version(), just make old machines set model-id explicitly
on compat_props for qemu64, qemu32, and athlon. This will allow
us to eliminate x86_cpudef_setup() later.

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] osdep: Move default qemu_hw_version() value to a macro
Eduardo Habkost [Sat, 9 Apr 2016 19:42:44 +0000 (16:42 -0300)]
osdep: Move default qemu_hw_version() value to a macro

The macro will be used by code that will stop calling
qemu_hw_version() at runtime and just needs a constant value.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] target-i386: kvm: Use X86XSaveArea struct for xsave save/load
Eduardo Habkost [Mon, 23 Nov 2015 12:43:26 +0000 (10:43 -0200)]
target-i386: kvm: Use X86XSaveArea struct for xsave save/load

Instead of using offset macros and bit operations in a uint32_t
array, use the X86XSaveArea struct to perform the loading/saving
operations in kvm_put_xsave() and kvm_get_xsave().

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] target-i386: Use xsave structs for ext_save_area
Eduardo Habkost [Sat, 28 Nov 2015 16:32:26 +0000 (14:32 -0200)]
target-i386: Use xsave structs for ext_save_area

This doesn't introduce any change in the code, as the offsets and
struct sizes match what was present in the table. This can be
validated by the QEMU_BUILD_BUG_ON lines in target-i386/cpu.h,
which ensure the struct sizes and offsets match the existing
values in ext_save_area.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] target-i386: Define structs for layout of xsave area
Eduardo Habkost [Thu, 19 Nov 2015 18:52:33 +0000 (16:52 -0200)]
target-i386: Define structs for layout of xsave area

Add structs that define the layout of the xsave areas used by
Intel processors. Add some QEMU_BUILD_BUG_ON lines to ensure the
structs match the XSAVE_* macros in target-i386/kvm.c and the
offsets and sizes at target-i386/cpu.c:ext_save_areas.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
[8 years ago] savevm: fail if migration blockers are present
Greg Kurz [Wed, 4 May 2016 19:44:19 +0000 (21:44 +0200)]
savevm: fail if migration blockers are present

QEMU currently has two ways to prevent migration from occurring:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from
both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the
following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest
using mount_tag 'host'

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <146239057139.11271.9011797645454781543.stgit@bahia.huguette.org>

[Update subject according to Paolo's suggestion - Amit]

Signed-off-by: Amit Shah <amit.shah@redhat.com>
[8 years ago] Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Peter Maydell [Mon, 23 May 2016 15:15:51 +0000 (16:15 +0100)]
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* NMI cleanups (Bandan)
* RAMBlock/Memory cleanups and fixes (Dominik, Gonglei, Fam, me)
* first part of linuxboot support for fw_cfg DMA (Richard)
* IOAPIC fix (Peter Xu)
* iSCSI SG_IO fix (Vadim)
* Various infrastructure bug fixes (Zhijian, Peter M., Stefan)
* CVE fixes (Prasad)

# gpg: Signature made Mon 23 May 2016 16:06:18 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"

* remotes/bonzini/tags/for-upstream: (24 commits)
  cpus: call the core nmi injection function
  nmi: remove x86 specific nmi handling
  target-i386: add a generic x86 nmi handler
  coccinelle: add g_assert_cmp* to macro file
  iscsi: pass SCSI status back for SG_IO
  esp: check dma length before reading scsi command(CVE-2016-4441)
  esp: check command buffer length before write(CVE-2016-4439)
  scripts/signrom.py: Check for magic in option ROMs.
  scripts/signrom.py: Allow option ROM checksum script to write the size header.
  Remove config-devices.mak on 'make clean'
  cpus.c: Use pthread_sigmask() rather than sigprocmask()
  memory: remove unnecessary masking of MemoryRegion ram_addr
  memory: Drop FlatRange.romd_mode
  memory: Remove code for mr->may_overlap
  exec: adjust rcu_read_lock requirement
  memory: drop find_ram_block()
  vl: change runstate only if new state is different from current state
  ioapic: clear remote irr bit for edge-triggered interrupts
  ioapic: keep RO bits for IOAPIC entry
  target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
[8 years ago] cpus: call the core nmi injection function
Bandan Das [Fri, 20 May 2016 16:28:37 +0000 (12:28 -0400)]
cpus: call the core nmi injection function

We can call the common function here directly since
x86-specific actions will be taken care of by the arch-specific
nmi handler.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <1463761717-26558-4-git-send-email-bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] nmi: remove x86 specific nmi handling
Bandan Das [Fri, 20 May 2016 16:28:36 +0000 (12:28 -0400)]
nmi: remove x86 specific nmi handling

nmi_monitor_handle is wired to call the x86 nmi
handler. So, we can directly use it at call sites.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <1463761717-26558-3-git-send-email-bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] target-i386: add a generic x86 nmi handler
Bandan Das [Fri, 20 May 2016 16:28:35 +0000 (12:28 -0400)]
target-i386: add a generic x86 nmi handler

Instead of having x86 ifdefs in core nmi code, this
change adds an arch-specific handler that the nmi common
code can call.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <1463761717-26558-2-git-send-email-bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] coccinelle: add g_assert_cmp* to macro file
Paolo Bonzini [Wed, 18 May 2016 09:11:55 +0000 (11:11 +0200)]
coccinelle: add g_assert_cmp* to macro file

This helps applying semantic patches to unit tests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] iscsi: pass SCSI status back for SG_IO
Vadim Rozenfeld [Fri, 13 May 2016 11:03:22 +0000 (13:03 +0200)]
iscsi: pass SCSI status back for SG_IO

Signed-off-by: Vadim Rozenfeld <vrozenfe@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] esp: check dma length before reading scsi command(CVE-2016-4441)
Prasad J Pandit [Thu, 19 May 2016 10:39:31 +0000 (16:09 +0530)]
esp: check dma length before reading scsi command(CVE-2016-4441)

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read SCSI commands into this buffer.
Add a check to validate the DMA length against the buffer size to
avoid any overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] esp: check command buffer length before write(CVE-2016-4439)
Prasad J Pandit [Thu, 19 May 2016 10:39:30 +0000 (16:09 +0530)]
esp: check command buffer length before write(CVE-2016-4439)

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate the input length. Add a check to avoid OOB
write access.

Fixes CVE-2016-4439.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
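The bounds checks the two esp fixes above describe, as an added example that is not QEMU's esp.c: a constructed model of the 16-byte command FIFO (TI_BUFSZ is the value named on the page) with a checked per-byte write and a DMA fetch that clamps the guest-programmed length. EspModel, the helper names and the DMA source buffer are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ESP command FIFO the two fixes above describe.
 * TI_BUFSZ (16) is taken from the page; the EspModel struct, the DMA source
 * buffer and every helper below are hypothetical and not QEMU's esp.c. */
#define TI_BUFSZ 16

typedef struct {
    uint8_t cmdbuf[TI_BUFSZ];   /* the 16-byte command FIFO */
    size_t  cmdlen;             /* bytes currently queued in cmdbuf */
} EspModel;

/* Hardened per-byte write (the CVE-2016-4439 shape): the index is checked
 * against the FIFO size before the store, so a guest that keeps pushing
 * bytes gets a refusal instead of an out-of-bounds write. */
static bool cmd_write_checked(EspModel *s, uint8_t val)
{
    if (s->cmdlen >= TI_BUFSZ) {
        return false;           /* FIFO full: drop the byte, leave state intact */
    }
    s->cmdbuf[s->cmdlen++] = val;
    return true;
}

/* Hardened DMA command fetch (the CVE-2016-4441 shape): the guest programs
 * dmalen, so clamp it to the FIFO size (and to what the DMA source holds)
 * before the copy. Returns the number of bytes actually copied. */
static size_t get_cmd_checked(EspModel *s, const uint8_t *dma_src,
                              size_t dma_src_len, size_t dmalen)
{
    if (dmalen > TI_BUFSZ) {
        dmalen = TI_BUFSZ;      /* the check the fix adds: never exceed cmdbuf */
    }
    if (dmalen > dma_src_len) {
        dmalen = dma_src_len;   /* never read past the DMA source either */
    }
    memcpy(s->cmdbuf, dma_src, dmalen);
    s->cmdlen = dmalen;
    return dmalen;
}

/* Scenario: push n bytes one at a time; returns how many were accepted. */
static size_t accepted_writes(size_t n)
{
    EspModel s = { {0}, 0 };
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (cmd_write_checked(&s, (uint8_t)i)) {
            accepted++;
        }
    }
    return accepted;
}

/* Scenario: DMA fetch with a guest-chosen dmalen from a constructed source
 * of src_len bytes (capped at 64); returns the clamped copy length. */
static size_t fetched_len(size_t dmalen, size_t src_len)
{
    uint8_t src[64];            /* constructed DMA source, 0xAB pattern */
    EspModel s = { {0}, 0 };
    memset(src, 0xAB, sizeof src);
    if (src_len > sizeof src) {
        src_len = sizeof src;
    }
    return get_cmd_checked(&s, src, src_len, dmalen);
}

int main(void)
{
    printf("20 byte-writes, accepted: %zu\n", accepted_writes(20));
    printf("dmalen=64 fetch, copied:  %zu\n", fetched_len(64, 64));
    printf("dmalen=8 fetch, copied:   %zu\n", fetched_len(8, 64));
    return 0;
}
```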
[8 years ago] scripts/signrom.py: Check for magic in option ROMs.
Richard W.M. Jones [Wed, 11 May 2016 21:06:46 +0000 (22:06 +0100)]
scripts/signrom.py: Check for magic in option ROMs.

Because of the risk that compilers might not emit the asm() block at
the beginning of the option ROM, check that the ROM contains the
required magic signature.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <1463000807-18015-3-git-send-email-rjones@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] scripts/signrom.py: Allow option ROM checksum script to write the size header.
Richard W.M. Jones [Wed, 11 May 2016 21:06:45 +0000 (22:06 +0100)]
scripts/signrom.py: Allow option ROM checksum script to write the size header.

Modify the signrom.py script so that if the size byte in the header is
0 (i.e. not set) then the script will set the size.  If the size byte
is non-zero then we do the same as before, so this doesn't require
changes to any existing ROM source code.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <1463000807-18015-2-git-send-email-rjones@redhat.com>
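The signrom.py logic described in the two patches above, reworked as an added C example (not the script itself, nor QEMU code): the magic check, filling in a zero size byte, and the trailing checksum. It assumes the conventional legacy option-ROM header layout (0x55 0xAA magic, size in 512-byte blocks at byte 2, checksum in the last byte so the image sums to zero) and that the caller has already padded the image to whole blocks; sign_rom, rom_checksum_ok and the sample images are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed C model of the signrom.py behaviour; not the script itself.
 * Assumed layout (conventional legacy option-ROM header): bytes 0-1 hold the
 * 0x55 0xAA magic, byte 2 the image size in 512-byte blocks, and the last
 * byte is the checksum making every byte of the image sum to 0 mod 256.
 * The caller is assumed to have padded the image to whole blocks. */
#define ROM_BLOCK 512

typedef enum {
    ROM_OK = 0,
    ROM_BAD_LEN,        /* not a whole number of 512-byte blocks, or too big */
    ROM_BAD_MAGIC,      /* asm() header block missing: no 55 AA at offset 0 */
    ROM_SIZE_MISMATCH   /* header claims a size the image does not have */
} RomStatus;

/* Check the magic, fill in the size byte when the ROM source left it 0,
 * then recompute the trailing checksum byte. Mutates rom in place. */
static RomStatus sign_rom(uint8_t *rom, size_t len)
{
    if (len < ROM_BLOCK || len % ROM_BLOCK != 0 || len / ROM_BLOCK > 255) {
        return ROM_BAD_LEN;
    }
    if (rom[0] != 0x55 || rom[1] != 0xAA) {
        return ROM_BAD_MAGIC;   /* the check the first signrom.py patch adds */
    }
    uint8_t blocks = (uint8_t)(len / ROM_BLOCK);
    if (rom[2] == 0) {
        rom[2] = blocks;        /* size byte unset: the script fills it in */
    } else if (rom[2] != blocks) {
        return ROM_SIZE_MISMATCH;
    }
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < len; i++) {   /* every byte but the checksum slot */
        sum = (uint8_t)(sum + rom[i]);
    }
    rom[len - 1] = (uint8_t)(0x100 - sum);   /* (sum + checksum) % 256 == 0 */
    return ROM_OK;
}

/* What a BIOS checks before running the ROM: magic present and the whole
 * image sums to zero. Returns true for a correctly signed image. */
static bool rom_checksum_ok(const uint8_t *rom, size_t len)
{
    if (len < 3 || rom[0] != 0x55 || rom[1] != 0xAA) {
        return false;
    }
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (uint8_t)(sum + rom[i]);
    }
    return sum == 0;
}

/* Sign a constructed one-block image whose source left the size byte 0
 * (magic, size 0, then a "jmp $" 0xEB 0xFE, rest zero). Returns the
 * checksum byte written, or -1 if signing or verification failed. */
static int sign_sample_rom(void)
{
    uint8_t rom[ROM_BLOCK] = { 0x55, 0xAA, 0x00, 0xEB, 0xFE };
    if (sign_rom(rom, sizeof rom) != ROM_OK || !rom_checksum_ok(rom, sizeof rom)) {
        return -1;
    }
    return rom[ROM_BLOCK - 1];
}

/* Sign a constructed zero-filled image of len bytes (at most two blocks)
 * with the three header bytes given. Returns the RomStatus, or -1 when
 * signing succeeded but the result does not verify. */
static int sign_constructed(uint8_t b0, uint8_t b1, uint8_t size_byte, size_t len)
{
    uint8_t rom[2 * ROM_BLOCK] = { 0 };
    if (len > sizeof rom) {
        return ROM_BAD_LEN;
    }
    rom[0] = b0; rom[1] = b1; rom[2] = size_byte;
    RomStatus st = sign_rom(rom, len);
    if (st == ROM_OK && !rom_checksum_ok(rom, len)) {
        return -1;
    }
    return (int)st;
}

int main(void)
{
    printf("checksum byte written for the sample ROM: 0x%02x\n", sign_sample_rom());
    printf("image without magic: status %d\n", sign_constructed(0x00, 0xAA, 0, 512));
    return 0;
}
```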

[8 years ago] Remove config-devices.mak on 'make clean'
Peter Maydell [Tue, 17 May 2016 11:27:31 +0000 (12:27 +0100)]
Remove config-devices.mak on 'make clean'

Our dependency mechanism works like this:
 * on first build there is neither a .o nor a .d
 * we create the .d as a side effect of creating the .o
 * for rebuilds we know when we need to update the .o,
   which also updates the .d

This system requires that you're never in a situation where there is
a .o file but no .d (because then we will never realise we need to
build the .d, and we will not have the dependency information about
when to rebuild the .o).

This is working fine for our object files, but we also try to use it
for $TARGET/config-devices.mak (where the dependency file is
in $TARGET-config-devices.mak.d). Unfortunately "make clean" doesn't
remove config-devices.mak, which means that it puts us in the
forbidden situation of "object file exists but not its .d file".
This in turn means that we will fail to notice when we need to rebuild:
  mkdir build/depbug
  (cd build/depbug && '../../configure')
  make -C build/depbug -j8
  make -C build/depbug clean
  echo "CONFIG_CANARY = y" >> default-configs/arm-softmmu.mak
  make -C build/depbug
  grep CANARY build/depbug/aarch64-softmmu/config-devices.mak

The CANARY token should show up in config-devices.mak but does not.

Fix this bug by making "make clean" delete the config-devices.mak files.
config-all-devices.mak doesn't have the same problem since it has
no .d file, but delete it too, since it is created by "make" and
logically should be removed by "make clean".

(Note that it is important not to remove config-devices.mak until
after we have recursively run 'make clean' in the subdirectories.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1463484451-22979-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] cpus.c: Use pthread_sigmask() rather than sigprocmask()
Peter Maydell [Mon, 16 May 2016 17:33:59 +0000 (18:33 +0100)]
cpus.c: Use pthread_sigmask() rather than sigprocmask()

On Linux, sigprocmask() and pthread_sigmask() are in practice the
same thing (they only set the signal mask for the calling thread),
but the documentation states that the behaviour of sigprocmask() in a
multithreaded process is undefined. Use pthread_sigmask() instead
(which is what we do in almost all places in QEMU that alter the
signal mask already).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1463420039-29761-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] memory: remove unnecessary masking of MemoryRegion ram_addr
Paolo Bonzini [Tue, 1 Mar 2016 09:44:50 +0000 (10:44 +0100)]
memory: remove unnecessary masking of MemoryRegion ram_addr

mr->ram_block->offset is already aligned to both host and target size
(see qemu_ram_alloc_internal).  Remove further masking as it is
unnecessary.

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] memory: Drop FlatRange.romd_mode
Fam Zheng [Fri, 25 Mar 2016 10:10:29 +0000 (18:10 +0800)]
memory: Drop FlatRange.romd_mode

Its value is always set to mr->romd_mode, so the removed comparisons are
fully superseded by "a->mr == b->mr".

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1458900629-2334-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] memory: Remove code for mr->may_overlap
Fam Zheng [Fri, 25 Mar 2016 10:10:28 +0000 (18:10 +0800)]
memory: Remove code for mr->may_overlap

The collision check does nothing and hasn't been used. Remove the
variable together with related code.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1458900629-2334-2-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] exec: adjust rcu_read_lock requirement
Gonglei [Tue, 10 May 2016 02:05:00 +0000 (10:05 +0800)]
exec: adjust rcu_read_lock requirement

qemu_ram_unset_idstr() doesn't need the RCU lock anymore;
meanwhile, make the range of the RCU lock in
qemu_ram_set_idstr() as small as possible.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <1462845901-89716-3-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] memory: drop find_ram_block()
Gonglei [Tue, 10 May 2016 02:04:59 +0000 (10:04 +0800)]
memory: drop find_ram_block()

On the one hand, we already have qemu_get_ram_block(), whose function
is similar. On the other hand, we can directly use mr->ram_block, and
searching for the RAMBlock by ram_addr is a kind of waste.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-Id: <1462845901-89716-2-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] vl: change runstate only if new state is different from current state
Li Zhijian [Thu, 14 Apr 2016 03:25:52 +0000 (11:25 +0800)]
vl: change runstate only if new state is different from current state

Previously, qemu would abort in the following scenario:
(qemu) stop
(qemu) system_reset
(qemu) system_reset
(qemu) 2016-04-13T20:54:38.979158Z qemu-system-x86_64: invalid runstate transition: 'prelaunch' -> 'prelaunch'

Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1460604352-18630-1-git-send-email-lizhijian@cn.fujitsu.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] ioapic: clear remote irr bit for edge-triggered interrupts
Peter Xu [Tue, 10 May 2016 10:21:22 +0000 (18:21 +0800)]
ioapic: clear remote irr bit for edge-triggered interrupts

This is to better emulate IOAPIC version 0x1X hardware. The Linux kernel
leveraged this "feature" to do explicit EOI since the EOI register was
not yet introduced at that time. This will also fix the issue that
level-triggered interrupts failed to work when IR is enabled (tested with
Linux kernel version 4.5).

Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <1462875682-1349-3-git-send-email-peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] ioapic: keep RO bits for IOAPIC entry
Peter Xu [Tue, 10 May 2016 10:21:21 +0000 (18:21 +0800)]
ioapic: keep RO bits for IOAPIC entry

Currently IOAPIC RO bits can be written. To be better aligned with
hardware, we should make them read-only.

Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <1462875682-1349-2-git-send-email-peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
Paolo Bonzini [Mon, 16 May 2016 09:11:29 +0000 (11:11 +0200)]
target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2

sfence was introduced before lfence and mfence.  This fixes Linux
2.4's measurement of checksumming speeds for the pIII_sse
algorithm:

md: linear personality registered as nr 1
md: raid0 personality registered as nr 2
md: raid1 personality registered as nr 3
md: raid5 personality registered as nr 4
raid5: measuring checksumming speed
   8regs     :   384.400 MB/sec
   32regs    :   259.200 MB/sec
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0240b2a>]    Not tainted
EFLAGS: 00000246
eax: c15d8000   ebx: 00000000   ecx: 00000000   edx: c15d5000
esi: 8005003b   edi: 00000004   ebp: 00000000   esp: c15bdf50
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, stackpage=c15bd000)
Stack: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000206 c0241c6c 00001000 c15d4000 c15d7000 c15d4000 c15d4000
Call Trace:    [<c0241c6c>] [<c0105000>] [<c0241db4>] [<c010503b>] [<c0105000>]
  [<c0107416>] [<c0105030>]

Code: 0f ae f8 0f 10 04 24 0f 10 4c 24 10 0f 10 54 24 20 0f 10 5c
 <0>Kernel panic: Attempted to kill init!

Reported-by: Stefan Weil <sw@weilnetz.de>
Fixes: 121f3157887f92268a3d6169e2d4601f9292020b
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] configure: Allow builds with extra warnings
Stefan Weil [Thu, 28 Apr 2016 21:33:41 +0000 (23:33 +0200)]
configure: Allow builds with extra warnings

The clang compiler supports a useful compiler option -Weverything,
and GCC also has other warnings not enabled by -Wall.

If glib header files trigger a warning, however, testing glib with
-Werror will always fail. A size mismatch is also detected without
-Werror, so simply remove it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <1461879221-13338-1-git-send-email-sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] i386: kvmvapic: initialise imm32 variable
Prasad J Pandit [Thu, 7 Apr 2016 07:20:08 +0000 (12:50 +0530)]
i386: kvmvapic: initialise imm32 variable

When processing Task Priority Register (TPR) access, it could leak
the automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.

Reported-by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] docs/atomics.txt: Update pointer to linux macro
Pranith Kumar [Mon, 2 May 2016 14:20:52 +0000 (10:20 -0400)]
docs/atomics.txt: Update pointer to linux macro

Add a missing end brace and update doc to point to the latest access
macro. ACCESS_ONCE() is deprecated.

Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Message-Id: <1462198852-28694-1-git-send-email-bobby.prani@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] exec.c: Ensure right alignment also for file backed ram
Dominik Dingel [Mon, 25 Apr 2016 11:55:38 +0000 (13:55 +0200)]
exec.c: Ensure right alignment also for file backed ram

While in the anonymous RAM case we already take care of the right alignment,
such an alignment guarantee does not exist for file-backed RAM allocation.

Instead, pagesize is used for alignment. On s390 this is not enough for gmap,
as we need to satisfy an alignment up to segments.

Reported-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Message-Id: <1461585338-45863-1-git-send-email-dingel@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[8 years ago] Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160523-1' into staging
Peter Maydell [Mon, 23 May 2016 14:53:02 +0000 (15:53 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160523-1' into staging

usb: add xen pvUSB backend, add num-ports check to ohci.

# gpg: Signature made Mon 23 May 2016 14:02:25 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20160523-1:
  usb/ohci: Fix crash with when specifying too many num-ports
  xen: add pvUSB backend
  xen: write information about supported backends
  xen: introduce dummy system device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
[8 years ago] Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160523-1' into staging
Peter Maydell [Mon, 23 May 2016 13:50:40 +0000 (14:50 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160523-1' into staging

vga: fix CVE-2016-3712 regression, misc virtio-gpu fixes.

# gpg: Signature made Mon 23 May 2016 13:30:26 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20160523-1:
  vga: add sr_vbe register set
  virtio-gpu: fix ui idx check
  virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
  virtio-gpu: check max_outputs only
  virtio-gpu: check max_outputs value
  virtio-vga: propagate on gpu realized error
  virtio-gpu: check early scanout id

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
[8 years ago] usb/ohci: Fix crash with when specifying too many num-ports
Thomas Huth [Mon, 23 May 2016 09:23:07 +0000 (11:23 +0200)]
usb/ohci: Fix crash with when specifying too many num-ports

QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] vga: add sr_vbe register set
Gerd Hoffmann [Tue, 17 May 2016 08:54:54 +0000 (10:54 +0200)]
vga: add sr_vbe register set

Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests to update sr[] registers as they want, without
allowing them to disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
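The sr[]/sr_vbe[] split described above, as an added example that is not QEMU's vga.c: a constructed VgaModel in which guest writes land in sr[] while the emulator reads through an sr() helper that prefers sr_vbe[] whenever VBE is active, so a guest poking the registers cannot disturb the VBE mode. The register count, the vbe_active flag and all helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the sr[] / sr_vbe[] split; not QEMU's vga.c. Only the
 * idea is the page's: guest writes go to sr[], the emulator consumes
 * registers through sr(), which reads sr_vbe[] while VBE is active. */
#define SR_COUNT 8              /* hypothetical register count */

typedef struct {
    uint8_t sr[SR_COUNT];       /* sequencer registers as the guest sees them */
    uint8_t sr_vbe[SR_COUNT];   /* copy programmed by vbe_update_vgaregs() */
    bool    vbe_active;         /* hypothetical "VBE mode set" flag */
} VgaModel;

/* Guest-facing register write: always goes to sr[], never to sr_vbe[]. */
static void vga_sr_write(VgaModel *v, unsigned idx, uint8_t val)
{
    if (idx < SR_COUNT) {
        v->sr[idx] = val;
    }
}

/* Guest-facing register read: mirrors what the guest last wrote, so a guest
 * that modifies VGA registers while in VBE mode sees its own values. */
static uint8_t vga_sr_read(const VgaModel *v, unsigned idx)
{
    return idx < SR_COUNT ? v->sr[idx] : 0;
}

/* Internal accessor used wherever the emulator consumes a sequencer
 * register: while VBE is active the VBE-programmed value wins, so guest
 * writes to sr[] cannot disturb the mode; otherwise sr[] is authoritative. */
static uint8_t sr(const VgaModel *v, unsigned idx)
{
    if (idx >= SR_COUNT) {
        return 0;
    }
    return v->vbe_active ? v->sr_vbe[idx] : v->sr[idx];
}

/* Model of vbe_update_vgaregs(): program the VBE mode's register set into
 * sr_vbe[] and mark VBE active. */
static void vbe_update_vgaregs(VgaModel *v, const uint8_t regs[SR_COUNT])
{
    memcpy(v->sr_vbe, regs, SR_COUNT);
    v->vbe_active = true;
}

static void vbe_disable(VgaModel *v)
{
    v->vbe_active = false;
}

/* Scenario: VBE programs register idx to vbe_val, then the guest writes
 * guest_val to the same register. Returns the value the emulator actually
 * uses (via sr()), with VBE still on when vbe_on, else after VBE is off. */
static uint8_t effective_sr(unsigned idx, uint8_t vbe_val, uint8_t guest_val, bool vbe_on)
{
    VgaModel v;
    uint8_t regs[SR_COUNT] = { 0 };
    if (idx >= SR_COUNT) {
        return 0;
    }
    memset(&v, 0, sizeof v);
    regs[idx] = vbe_val;
    vbe_update_vgaregs(&v, regs);
    vga_sr_write(&v, idx, guest_val);   /* guest register write lands in sr[] */
    if (!vbe_on) {
        vbe_disable(&v);
    }
    return sr(&v, idx);
}

int main(void)
{
    VgaModel v;
    uint8_t regs[SR_COUNT] = { 0 };
    memset(&v, 0, sizeof v);
    regs[4] = 0x0E;                      /* constructed VBE value for sr[4] */
    vbe_update_vgaregs(&v, regs);
    vga_sr_write(&v, 4, 0x00);           /* guest overwrites the same register */
    printf("guest reads back sr[4]=0x%02x, emulator uses sr(4)=0x%02x\n",
           vga_sr_read(&v, 4), sr(&v, 4));
    return 0;
}
```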

[8 years ago] xen: add pvUSB backend
Juergen Gross [Thu, 12 May 2016 14:13:41 +0000 (16:13 +0200)]
xen: add pvUSB backend

Add a backend for para-virtualized USB devices for xen domains.

The backend is using host-libusb to forward USB requests from a
domain via libusb to the real device(s) passed through.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Message-id: 1463062421-613-4-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] virtio-gpu: fix ui idx check
Marc-André Lureau [Thu, 19 May 2016 10:26:00 +0000 (12:26 +0200)]
virtio-gpu: fix ui idx check

Fix off-by-one value check (0 is the first scanout).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] xen: write information about supported backends
Juergen Gross [Thu, 12 May 2016 14:13:40 +0000 (16:13 +0200)]
xen: write information about supported backends

Add a Xenstore directory for each supported pv backend. This will allow
Xen tools to decide which backend type to use in case there are
multiple possibilities.

The information is added under
/local/domain/<backend-domid>/device-model/<domid>/backends
before the "running" state is written to Xenstore. Using a directory
for each backend enables us to add parameters for specific backends
in the future.

This interface is documented in the Xen source repository in the file
docs/misc/qemu-backends.txt

In order to reuse the Xenstore directory creation already present in
hw/xen/xen_devconfig.c move the related functions to
hw/xen/xen_backend.c where they fit better.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-3-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
Marc-André Lureau [Thu, 19 May 2016 10:25:59 +0000 (12:25 +0200)]
virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS

The value is defined in virtio_gpu.h already (changing from 4 to 16).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] xen: introduce dummy system device
Juergen Gross [Thu, 12 May 2016 14:13:39 +0000 (16:13 +0200)]
xen: introduce dummy system device

Introduce a new dummy system device serving as parent for virtual
buses. This will enable new pv backends to introduce virtual buses
which are removable again, as opposed to system buses which are meant
to stay once added.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-2-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] virtio-gpu: check max_outputs only
Marc-André Lureau [Thu, 19 May 2016 10:25:58 +0000 (12:25 +0200)]
virtio-gpu: check max_outputs only

The scanout id should not be above the configured num_scanouts.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] virtio-gpu: check max_outputs value
Marc-André Lureau [Thu, 19 May 2016 10:25:57 +0000 (12:25 +0200)]
virtio-gpu: check max_outputs value

The value must be less than VIRTIO_GPU_MAX_SCANOUT.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[8 years ago] virtio-vga: propagate on gpu realized error
Marc-André Lureau [Thu, 19 May 2016 10:25:56 +0000 (12:25 +0200)]
virtio-vga: propagate on gpu realized error

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>