From e7ebf057e6a1ca4f5599caea143daa2135175a87 Mon Sep 17 00:00:00 2001 From: Elazar Leibovich Date: Sun, 15 Mar 2020 15:26:34 +0200 Subject: [PATCH 01/15] hw/scsi/vmw_pvscsi: Remove assertion for kick after reset When running Ubuntu 3.13.0-65-generic guest, QEMU sometimes crashes during guest ACPI reset. It crashes on assert(s->rings_info_valid) in pvscsi_process_io(). Analyzing the crash revealed that it happens when userspace issues a sync during a reboot syscall. Below are backtraces we gathered from the guests. Guest backtrace when issuing PVSCSI_CMD_ADAPTER_RESET: pci_device_shutdown device_shutdown init_pid_ns init_pid_ns kernel_power_off SYSC_reboot Guest backtrace when issuing PVSCSI_REG_OFFSET_KICK_RW_IO: scsi_done scsi_dispatch_cmd blk_add_timer scsi_request_fn elv_rb_add __blk_run_queue queue_unplugged blk_flush_plug_list blk_finish_plug ext4_writepages set_next_entity do_writepages __filemap_fdatawrite_range filemap_write_and_wait_range ext4_sync_file ext4_sync_file do_fsync sys_fsync Since QEMU pvscsi should imitate VMware pvscsi device emulation, we decided to imitate VMware's behavior in this case. To check VMware behavior, we wrote a kernel module that issues a reset to the pvscsi device and then issues a kick. We ran it on VMware ESXi 6.5 and it seems that it simply ignores the kick. Hence, we decided to ignore the kick as well. Signed-off-by: Elazar Leibovich Signed-off-by: Liran Alon Message-Id: <20200315132634.113632-1-liran.alon@oracle.com> Signed-off-by: Paolo Bonzini --- hw/scsi/vmw_pvscsi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c index c91352cf46..ec5bf9ea34 100644 --- a/hw/scsi/vmw_pvscsi.c +++ b/hw/scsi/vmw_pvscsi.c @@ -719,7 +719,10 @@ pvscsi_process_io(PVSCSIState *s) PVSCSIRingReqDesc descr; hwaddr next_descr_pa; - assert(s->rings_info_valid); + if (!s->rings_info_valid) { + return; + } + while ((next_descr_pa = pvscsi_ring_pop_req_descr(&s->rings)) != 0) { /* Only read after production index verification */ From b822dfaecd89aa4f2036be9f3c098ec5ab1d27d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 12 Mar 2020 22:37:12 +0100 Subject: [PATCH 02/15] hw/isa/superio: Correct the license text MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The license is the 'GNU General Public License v2.0 or later', not 'and': This program is free software; you can redistribute it and/ori modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Fix the license comment. Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20200312213712.16671-1-philmd@redhat.com> Signed-off-by: Paolo Bonzini --- hw/isa/isa-superio.c | 2 +- hw/isa/smc37c669-superio.c | 2 +- include/hw/isa/superio.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/isa/isa-superio.c b/hw/isa/isa-superio.c index c4e391916c..180a8b9625 100644 --- a/hw/isa/isa-superio.c +++ b/hw/isa/isa-superio.c @@ -5,7 +5,7 @@ * Copyright (c) 2011-2012 Andreas Färber * Copyright (c) 2018 Philippe Mathieu-Daudé * - * This code is licensed under the GNU GPLv2 and later. + * This work is licensed under the terms of the GNU GPL, version 2 or later. * See the COPYING file in the top-level directory. * SPDX-License-Identifier: GPL-2.0-or-later */ diff --git a/hw/isa/smc37c669-superio.c b/hw/isa/smc37c669-superio.c index 901a9f8e65..18287741cb 100644 --- a/hw/isa/smc37c669-superio.c +++ b/hw/isa/smc37c669-superio.c @@ -3,7 +3,7 @@ * * Copyright (c) 2018 Philippe Mathieu-Daudé * - * This code is licensed under the GNU GPLv2 and later. + * This work is licensed under the terms of the GNU GPL, version 2 or later. * See the COPYING file in the top-level directory. * SPDX-License-Identifier: GPL-2.0-or-later */ diff --git a/include/hw/isa/superio.h b/include/hw/isa/superio.h index b151dcd753..147cc0a7b7 100644 --- a/include/hw/isa/superio.h +++ b/include/hw/isa/superio.h @@ -3,7 +3,7 @@ * * Copyright (c) 2018 Philippe Mathieu-Daudé * - * This code is licensed under the GNU GPLv2 and later. + * This work is licensed under the terms of the GNU GPL, version 2 or later. * See the COPYING file in the top-level directory. * SPDX-License-Identifier: GPL-2.0-or-later */ From 3b703feaf8a27451d756b5db6aeaa8276928b595 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Fri, 20 Mar 2020 11:41:24 +0100 Subject: [PATCH 03/15] virtio-iommu: depend on PCI The virtio-iommu device attaches itself to a PCI bus, so it makes no sense to include it unless PCI is supported---and in fact compilation fails without this change. Reported-by: Gerd Hoffmann Signed-off-by: Paolo Bonzini --- hw/virtio/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/virtio/Kconfig b/hw/virtio/Kconfig index d29525b36f..83122424fa 100644 --- a/hw/virtio/Kconfig +++ b/hw/virtio/Kconfig @@ -12,7 +12,7 @@ config VIRTIO_RNG config VIRTIO_IOMMU bool default y - depends on VIRTIO + depends on PCI && VIRTIO config VIRTIO_PCI bool From 4951247d8be253075e6e85104301a61525318d54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Mon, 9 Mar 2020 15:51:55 +0100 Subject: [PATCH 04/15] softmmu: fix crash with invalid -M memory-backend= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: fe64d06afc1c5d895f220c268cfe4d5f1e65d44e ("vl.c: ensure that ram_size matches size of machine.memory-backend") Signed-off-by: Marc-André Lureau Reviewed-by: Igor Mammedov Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20200309145155.168942-1-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini --- softmmu/vl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/softmmu/vl.c b/softmmu/vl.c index a331fb5321..796a77e234 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c @@ -4298,6 +4298,11 @@ void qemu_init(int argc, char **argv, char **envp) backend = object_resolve_path_type(current_machine->ram_memdev_id, TYPE_MEMORY_BACKEND, NULL); + if (!backend) { + error_report("Memory backend '%s' not found", + current_machine->ram_memdev_id); + exit(EXIT_FAILURE); + } backend_size = object_property_get_uint(backend, "size", &error_abort); if (have_custom_ram_size && backend_size != ram_size) { error_report("Size specified by -m option must match size of " From 674fc21ff6200148675d8f13c192a4cf94d187c2 Mon Sep 17 00:00:00 2001 From: Roman Bolshakov Date: Mon, 16 Mar 2020 20:18:27 +0300 Subject: [PATCH 05/15] MAINTAINERS: Add an entry for the HVF accelerator Cc: Nikita Leshenko Cc: Sergio Andres Gomez Del Real Cc: Patrick Colp Cc: Cameron Esfahani Cc: Liran Alon Cc: Heiher Signed-off-by: Roman Bolshakov Message-Id: <20200316171825.42544-1-r.bolshakov@yadro.com> Signed-off-by: Paolo Bonzini --- MAINTAINERS | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index e580276603..7cb53ec138 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -412,6 +412,13 @@ S: Supported F: target/i386/kvm.c F: scripts/kvm/vmxcap +X86 HVF CPUs +M: Roman Bolshakov +S: Maintained +F: accel/stubs/hvf-stub.c +F: target/i386/hvf/ +F: include/sysemu/hvf.h + WHPX CPUs M: Sunil Muthuswamy S: Supported From b87c99d0731fa30f1f455b211cbcf385b0fe427c Mon Sep 17 00:00:00 2001 From: Robert Hoo Date: Wed, 25 Mar 2020 14:50:20 +0800 Subject: [PATCH 06/15] util/bufferiszero: assign length_to_accel value for each accelerator case Because in unit test, init_accel() will be called several times, each with different accelerator type. Signed-off-by: Robert Hoo Message-Id: <1585119021-46593-1-git-send-email-robert.hu@linux.intel.com> Signed-off-by: Paolo Bonzini --- util/bufferiszero.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/util/bufferiszero.c b/util/bufferiszero.c index 663903553a..b8012532e4 100644 --- a/util/bufferiszero.c +++ b/util/bufferiszero.c @@ -254,13 +254,16 @@ static void init_accel(unsigned cache) bool (*fn)(const void *, size_t) = buffer_zero_int; if (cache & CACHE_SSE2) { fn = buffer_zero_sse2; + length_to_accel = 64; } #ifdef CONFIG_AVX2_OPT if (cache & CACHE_SSE4) { fn = buffer_zero_sse4; + length_to_accel = 64; } if (cache & CACHE_AVX2) { fn = buffer_zero_avx2; + length_to_accel = 64; } #endif #ifdef CONFIG_AVX512F_OPT From 8f13a39dc02ea8a3e923102a8444185630c635ea Mon Sep 17 00:00:00 2001 From: Robert Hoo Date: Wed, 25 Mar 2020 14:50:21 +0800 Subject: [PATCH 07/15] util/bufferiszero: improve avx2 accelerator By increasing avx2 length_to_accel to 128, we can simplify its logic and reduce a branch. The authorship of this patch actually belongs to Richard Henderson , I just fixed a boundary case on his original patch. Suggested-by: Richard Henderson Signed-off-by: Robert Hoo Message-Id: <1585119021-46593-2-git-send-email-robert.hu@linux.intel.com> Signed-off-by: Paolo Bonzini --- util/bufferiszero.c | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/util/bufferiszero.c b/util/bufferiszero.c index b8012532e4..695bb4ce28 100644 --- a/util/bufferiszero.c +++ b/util/bufferiszero.c @@ -158,27 +158,19 @@ buffer_zero_avx2(const void *buf, size_t len) __m256i *p = (__m256i *)(((uintptr_t)buf + 5 * 32) & -32); __m256i *e = (__m256i *)(((uintptr_t)buf + len) & -32); - if (likely(p <= e)) { - /* Loop over 32-byte aligned blocks of 128. */ - do { - __builtin_prefetch(p); - if (unlikely(!_mm256_testz_si256(t, t))) { - return false; - } - t = p[-4] | p[-3] | p[-2] | p[-1]; - p += 4; - } while (p <= e); - } else { - t |= _mm256_loadu_si256(buf + 32); - if (len <= 128) { - goto last2; + /* Loop over 32-byte aligned blocks of 128. */ + while (p <= e) { + __builtin_prefetch(p); + if (unlikely(!_mm256_testz_si256(t, t))) { + return false; } - } + t = p[-4] | p[-3] | p[-2] | p[-1]; + p += 4; + } ; /* Finish the last block of 128 unaligned. */ t |= _mm256_loadu_si256(buf + len - 4 * 32); t |= _mm256_loadu_si256(buf + len - 3 * 32); - last2: t |= _mm256_loadu_si256(buf + len - 2 * 32); t |= _mm256_loadu_si256(buf + len - 1 * 32); @@ -263,7 +255,7 @@ static void init_accel(unsigned cache) } if (cache & CACHE_AVX2) { fn = buffer_zero_avx2; - length_to_accel = 64; + length_to_accel = 128; } #endif #ifdef CONFIG_AVX512F_OPT From 622e99c5cfcb43d89dc39ed780ab43f48bf748c6 Mon Sep 17 00:00:00 2001 From: Igor Mammedov Date: Thu, 26 Mar 2020 07:28:29 -0400 Subject: [PATCH 08/15] vl: fix broken IPA range for ARM -M virt with KVM enabled Commit a1b18df9a4848, broke virt_kvm_type() logic, which depends on maxram_size, ram_size, ram_slots being parsed/set on machine instance at the time accelerator (KVM) is initialized. set_memory_options() part was already reverted by commit 2a7b18a3205b, so revert remaining initialization of above machine fields to make virt_kvm_type() work as it used to. Signed-off-by: Igor Mammedov Reported-by: Auger Eric Reviewed-by: Eric Auger Tested-by: Eric Auger Message-Id: <20200326112829.19989-1-imammedo@redhat.com> Signed-off-by: Paolo Bonzini --- softmmu/vl.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/softmmu/vl.c b/softmmu/vl.c index 796a77e234..4f71ac10fd 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c @@ -4137,6 +4137,9 @@ void qemu_init(int argc, char **argv, char **envp) machine_opts = qemu_get_machine_opts(); qemu_opt_foreach(machine_opts, machine_set_property, current_machine, &error_fatal); + current_machine->ram_size = ram_size; + current_machine->maxram_size = maxram_size; + current_machine->ram_slots = ram_slots; /* * Note: uses machine properties such as kernel-irqchip, must run @@ -4320,10 +4323,6 @@ void qemu_init(int argc, char **argv, char **envp) } } - current_machine->ram_size = ram_size; - current_machine->maxram_size = maxram_size; - current_machine->ram_slots = ram_slots; - parse_numa_opts(current_machine); if (machine_class->default_ram_id && current_machine->ram_size && From ddd31732a7379e056749836ff37ff57718083ddb Mon Sep 17 00:00:00 2001 From: Roman Bolshakov Date: Sat, 28 Mar 2020 20:44:12 +0300 Subject: [PATCH 09/15] i386: hvf: Reset IRQ inhibition after moving RIP The sequence of instructions exposes an issue: sti hlt Interrupts cannot be delivered to hvf after hlt instruction cpu because HF_INHIBIT_IRQ_MASK is set just before hlt is handled and never reset after moving instruction pointer beyond hlt. So, after hvf_vcpu_exec() returns, CPU thread gets locked up forever in qemu_wait_io_event() (cpu_thread_is_idle() evaluates inhibition flag and considers the CPU idle if the flag is set). Cc: Cameron Esfahani Signed-off-by: Roman Bolshakov Message-Id: <20200328174411.51491-1-r.bolshakov@yadro.com> Signed-off-by: Paolo Bonzini --- target/i386/hvf/vmx.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/hvf/vmx.h b/target/i386/hvf/vmx.h index 03d2c79b9c..ce2a1532d5 100644 --- a/target/i386/hvf/vmx.h +++ b/target/i386/hvf/vmx.h @@ -167,6 +167,8 @@ static inline void macvm_set_cr4(hv_vcpuid_t vcpu, uint64_t cr4) static inline void macvm_set_rip(CPUState *cpu, uint64_t rip) { + X86CPU *x86_cpu = X86_CPU(cpu); + CPUX86State *env = &x86_cpu->env; uint64_t val; /* BUG, should take considering overlap.. */ @@ -176,6 +178,7 @@ static inline void macvm_set_rip(CPUState *cpu, uint64_t rip) val = rvmcs(cpu->hvf_fd, VMCS_GUEST_INTERRUPTIBILITY); if (val & (VMCS_INTERRUPTIBILITY_STI_BLOCKING | VMCS_INTERRUPTIBILITY_MOVSS_BLOCKING)) { + env->hflags &= ~HF_INHIBIT_IRQ_MASK; wvmcs(cpu->hvf_fd, VMCS_GUEST_INTERRUPTIBILITY, val & ~(VMCS_INTERRUPTIBILITY_STI_BLOCKING | VMCS_INTERRUPTIBILITY_MOVSS_BLOCKING)); From f602d047ac21fc10bc325bf12fe61f4f5c4360d4 Mon Sep 17 00:00:00 2001 From: "Dr. David Alan Gilbert" Date: Mon, 30 Mar 2020 17:47:12 +0100 Subject: [PATCH 10/15] serial: Fix double migration data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After c9808d60281 we have both an object representing the serial-isa device and a separate object representing the underlying common serial uart. Both of these have vmsd's associated with them and thus the migration stream ends up with two copies of the migration data - the serial-isa includes the vmstate of the core serial. Besides being wrong, it breaks backwards migration compatibility. Fix this by removing the dc->vmsd from the core device, so it only gets migrated by any parent devices including it. Add a vmstate_serial_mm so that any device that uses serial_mm_init rather than creating a device still gets migrated. (That doesn't fix backwards migration for serial_mm_init users, but does seem to work forwards for ppce500). Fixes: c9808d60281 ('serial: realize the serial device') Buglink: https://bugs.launchpad.net/qemu/+bug/1869426 Signed-off-by: Dr. David Alan Gilbert Message-Id: <20200330164712.198282-1-dgilbert@redhat.com> Reviewed-by: Marc-André Lureau Signed-off-by: Paolo Bonzini --- hw/char/serial.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hw/char/serial.c b/hw/char/serial.c index 2ab8b69e03..c822a9ae6c 100644 --- a/hw/char/serial.c +++ b/hw/char/serial.c @@ -1043,7 +1043,6 @@ static void serial_class_init(ObjectClass *klass, void* data) dc->user_creatable = false; dc->realize = serial_realize; dc->unrealize = serial_unrealize; - dc->vmsd = &vmstate_serial; device_class_set_props(dc, serial_properties); } @@ -1113,6 +1112,16 @@ static void serial_mm_realize(DeviceState *dev, Error **errp) sysbus_init_irq(SYS_BUS_DEVICE(smm), &smm->serial.irq); } +static const VMStateDescription vmstate_serial_mm = { + .name = "serial", + .version_id = 3, + .minimum_version_id = 2, + .fields = (VMStateField[]) { + VMSTATE_STRUCT(serial, SerialMM, 0, vmstate_serial, SerialState), + VMSTATE_END_OF_LIST() + } +}; + SerialMM *serial_mm_init(MemoryRegion *address_space, hwaddr base, int regshift, qemu_irq irq, int baudbase, @@ -1162,6 +1171,7 @@ static void serial_mm_class_init(ObjectClass *oc, void *data) device_class_set_props(dc, serial_mm_properties); dc->realize = serial_mm_realize; + dc->vmsd = &vmstate_serial_mm; } static const TypeInfo serial_mm_info = { From 4a910e1f6ab4155ec8b24c49b2585cc486916985 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Tue, 31 Mar 2020 18:27:52 +0200 Subject: [PATCH 11/15] target/i386: do not set unsupported VMX secondary execution controls Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls") added a workaround for KVM pre-dating commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm KVM_GET_MSRS") which wasn't setting certain available controls. The workaround uses generic CPUID feature bits to set missing VMX controls. It was found that in some cases it is possible to observe hosts which have certain CPUID features but lack the corresponding VMX control. In particular, it was reported that Azure VMs have RDSEED but lack VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature bit result in QEMU abort. Resolve the issue but not applying the workaround when we don't have to. As there is no good way to find out if KVM has the fix itself, use 95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead as these [are supposed to] come together. Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls") Suggested-by: Paolo Bonzini Signed-off-by: Vitaly Kuznetsov Message-Id: <20200331162752.1209928-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini --- target/i386/kvm.c | 41 ++++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/target/i386/kvm.c b/target/i386/kvm.c index 69eb43d796..4901c6dd74 100644 --- a/target/i386/kvm.c +++ b/target/i386/kvm.c @@ -106,6 +106,7 @@ static bool has_msr_arch_capabs; static bool has_msr_core_capabs; static bool has_msr_vmx_vmfunc; static bool has_msr_ucode_rev; +static bool has_msr_vmx_procbased_ctls2; static uint32_t has_architectural_pmu_version; static uint32_t num_architectural_pmu_gp_counters; @@ -490,21 +491,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index) value = msr_data.entries[0].data; switch (index) { case MSR_IA32_VMX_PROCBASED_CTLS2: - /* KVM forgot to add these bits for some time, do this ourselves. */ - if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & CPUID_XSAVE_XSAVES) { - value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32; - } - if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) { - value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32; - } - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_INVPCID) { - value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32; - } - if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_RDSEED) { - value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32; - } - if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & CPUID_EXT2_RDTSCP) { - value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32; + if (!has_msr_vmx_procbased_ctls2) { + /* KVM forgot to add these bits for some time, do this ourselves. */ + if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & + CPUID_XSAVE_XSAVES) { + value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32; + } + if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & + CPUID_EXT_RDRAND) { + value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32; + } + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & + CPUID_7_0_EBX_INVPCID) { + value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32; + } + if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & + CPUID_7_0_EBX_RDSEED) { + value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32; + } + if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & + CPUID_EXT2_RDTSCP) { + value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32; + } } /* fall through */ case MSR_IA32_VMX_TRUE_PINBASED_CTLS: @@ -2060,6 +2068,9 @@ static int kvm_get_supported_msrs(KVMState *s) case MSR_IA32_UCODE_REV: has_msr_ucode_rev = true; break; + case MSR_IA32_VMX_PROCBASED_CTLS2: + has_msr_vmx_procbased_ctls2 = true; + break; } } } From 9cbc36497c9c0ab92008f3dc71748640035be3af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 25 Mar 2020 19:47:21 +0100 Subject: [PATCH 12/15] migration: fix cleanup_bh leak on resume MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since commit 8c6b0356b53977bcfdea5299db07884915425b0c ("util/async: make bh_aio_poll() O(1)"), migration-test reveals a leak: QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 tests/qtest/migration-test -p /x86_64/migration/postcopy/recovery tests/qtest/libqtest.c:140: kill_qemu() tried to terminate QEMU process but encountered exit status 1 (expected 0) ================================================================= ==2082571==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f25971dfc58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58) #1 0x7f2596d08358 in g_malloc (/lib64/libglib-2.0.so.0+0x57358) #2 0x560970d006f8 in qemu_bh_new /home/elmarco/src/qemu/util/main-loop.c:532 #3 0x5609704afa02 in migrate_fd_connect /home/elmarco/src/qemu/migration/migration.c:3407 #4 0x5609704b6b6f in migration_channel_connect /home/elmarco/src/qemu/migration/channel.c:92 #5 0x5609704b2bfb in socket_outgoing_migration /home/elmarco/src/qemu/migration/socket.c:108 #6 0x560970b9bd6c in qio_task_complete /home/elmarco/src/qemu/io/task.c:196 #7 0x560970b9aa97 in qio_task_thread_result /home/elmarco/src/qemu/io/task.c:111 #8 0x7f2596cfee3a (/lib64/libglib-2.0.so.0+0x4de3a) Signed-off-by: Marc-André Lureau Message-Id: <20200325184723.2029630-2-marcandre.lureau@redhat.com> Reviewed-by: Juan Quintela Signed-off-by: Paolo Bonzini --- migration/migration.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/migration/migration.c b/migration/migration.c index c4c9aee15e..187ac0410c 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -3478,7 +3478,12 @@ void migrate_fd_connect(MigrationState *s, Error *error_in) bool resume = s->state == MIGRATION_STATUS_POSTCOPY_PAUSED; s->expected_downtime = s->parameters.downtime_limit; - s->cleanup_bh = qemu_bh_new(migrate_fd_cleanup_bh, s); + if (resume) { + assert(s->cleanup_bh); + } else { + assert(!s->cleanup_bh); + s->cleanup_bh = qemu_bh_new(migrate_fd_cleanup_bh, s); + } if (error_in) { migrate_fd_error(s, error_in); migrate_fd_cleanup(s); From b3fbb328123575e5b39e35e13ecbd4927569a82b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 25 Mar 2020 19:47:22 +0100 Subject: [PATCH 13/15] qmp: fix leak on callbacks that return both value and error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Direct leak of 4120 byte(s) in 1 object(s) allocated from: #0 0x7fa114931887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887) #1 0x7fa1144ad8f0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x588f0) #2 0x561e3c9c8897 in qmp_object_add /home/elmarco/src/qemu/qom/qom-qmp-cmds.c:291 #3 0x561e3cf48736 in qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:155 #4 0x561e3c8efb36 in monitor_qmp_dispatch /home/elmarco/src/qemu/monitor/qmp.c:145 #5 0x561e3c8f09ed in monitor_qmp_bh_dispatcher /home/elmarco/src/qemu/monitor/qmp.c:234 #6 0x561e3d08c993 in aio_bh_call /home/elmarco/src/qemu/util/async.c:136 #7 0x561e3d08d0a5 in aio_bh_poll /home/elmarco/src/qemu/util/async.c:164 #8 0x561e3d0a535a in aio_dispatch /home/elmarco/src/qemu/util/aio-posix.c:380 #9 0x561e3d08e3ca in aio_ctx_dispatch /home/elmarco/src/qemu/util/async.c:298 #10 0x7fa1144a776e in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x5276e) Signed-off-by: Marc-André Lureau Message-Id: <20200325184723.2029630-3-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster Signed-off-by: Paolo Bonzini --- qapi/qmp-dispatch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c index c30c7ff9e1..79347e0864 100644 --- a/qapi/qmp-dispatch.c +++ b/qapi/qmp-dispatch.c @@ -155,6 +155,8 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request, cmd->fn(args, &ret, &err); qobject_unref(args); if (err) { + /* or assert(!ret) after reviewing all handlers: */ + qobject_unref(ret); goto out; } From 7f5d9b206d1e86425faa5b84b551068bf044b823 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 26 Mar 2020 10:41:21 +0100 Subject: [PATCH 14/15] object-add: don't create return value if failed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No need to return an empty value from object-add (it would also leak if the command failed). While at it, remove the "if" around object_unref since object_unref handles NULL arguments just fine. Reported-by: Marc-André Lureau Message-Id: <20200325184723.2029630-4-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini --- qom/qom-qmp-cmds.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c index 435193b036..e47ebe8ed1 100644 --- a/qom/qom-qmp-cmds.c +++ b/qom/qom-qmp-cmds.c @@ -285,10 +285,7 @@ void qmp_object_add(QDict *qdict, QObject **ret_data, Error **errp) v = qobject_input_visitor_new(QOBJECT(qdict)); obj = user_creatable_add_type(type, id, qdict, v, errp); visit_free(v); - if (obj) { - object_unref(obj); - } - *ret_data = QOBJECT(qdict_new()); + object_unref(obj); } void qmp_object_del(const char *id, Error **errp) From 0dc0389fa5455bb264866701892ed06bc3eb06e4 Mon Sep 17 00:00:00 2001 From: Igor Mammedov Date: Thu, 2 Apr 2020 10:54:18 -0400 Subject: [PATCH 15/15] xen: fixup RAM memory region initialization Since bd457782b3b0 ("x86/pc: use memdev for RAM") Xen machine fails to start with: qemu-system-i386: xen: failed to populate ram at 0 The reason is that xen_ram_alloc() which is called by memory_region_init_ram(), compares memory region with statically allocated 'global' ram_memory memory region that it uses for RAM, and does nothing in case it matches. While it's possible feed machine->ram to xen_ram_alloc() in the same manner to keep that hack working, I'd prefer not to keep that circular dependency and try to untangle that. However it doesn't look trivial to fix, so as temporary fixup opt out Xen machine from memdev based RAM allocation, and let xen_ram_alloc() do its trick for now. Reported-by: Anthony PERARD Signed-off-by: Igor Mammedov Message-Id: <20200402145418.5139-1-imammedo@redhat.com> Signed-off-by: Paolo Bonzini --- hw/xen/xen-common.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/xen/xen-common.c b/hw/xen/xen-common.c index 15650d7f6a..a15070f7f6 100644 --- a/hw/xen/xen-common.c +++ b/hw/xen/xen-common.c @@ -19,6 +19,7 @@ #include "sysemu/runstate.h" #include "migration/misc.h" #include "migration/global_state.h" +#include "hw/boards.h" //#define DEBUG_XEN @@ -151,6 +152,8 @@ static void xen_setup_post(MachineState *ms, AccelState *accel) static int xen_init(MachineState *ms) { + MachineClass *mc = MACHINE_GET_CLASS(ms); + xen_xc = xc_interface_open(0, 0, 0); if (xen_xc == NULL) { xen_pv_printf(NULL, 0, "can't open xen interface\n"); @@ -170,6 +173,10 @@ static int xen_init(MachineState *ms) return -1; } qemu_add_vm_change_state_handler(xen_change_state_handler, NULL); + /* + * opt out of system RAM being allocated by generic code + */ + mc->default_ram_id = NULL; return 0; }