Commit Graph

16150 Commits

Author SHA1 Message Date
Alex Williamson
4225f2b670 vfio/pci: Fix return of vfio_populate_vga()
This function returns success if either we setup the VGA region or
the host vfio doesn't return enough regions to support the VGA index.
This latter case doesn't make any sense.  If we're asked to populate
VGA, fail if it doesn't exist and let the caller decide if that's
important.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-26 11:11:56 -06:00
Alex Williamson
e61a424f05 vfio: Create device specific region info helper
Given a device specific region type and sub-type, find it.  Also
cleanup return point on error in vfio_get_region_info() so that we
always return 0 with a valid pointer or -errno and NULL.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-26 11:04:50 -06:00
Alex Williamson
b53b0f696b vfio: Enable sparse mmap capability
The sparse mmap capability in a vfio region info allows vfio to tell
us which sub-areas of a region may be mmap'd.  Thus rather than
assuming a single mmap covers the entire region and later frobbing it
ourselves for things like the PCI MSI-X vector table, we can read that
directly from vfio.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-26 09:43:20 -06:00
Peter Maydell
aef11b8d33 migration: add TLS support to the migration data channel
This is a big refactoring of the migration backend code - moving away from
 QEMUFile to the new QIOChannel framework introduced here.  This brings a
 good level of abstraction and reduction of many lines of code.
 
 This series also adds the ability for many backends (all except RDMA) to
 use TLS for encrypting the migration data between the endpoints.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXRpKMAAoJEOsLTfxlfvZw2FMQAJmrp8ijvJNtdBa51bNY+xVx
 zvrHDpWco/HxxqyBIGxG7g8Iq+wpNsdgoRxoQkfgIz9RkZiNrzb1kGRiqNFFBKFX
 ziK1QQQ12ETUXwQ6VguBuwLDvCCenyUti0HfKkceG+Zu5263fyp+VzL+PuEtteT3
 M0pZRrifj/TQqCBXR8yhBAo2dCiFETLVoruE+iNg2ipI3JDizxy8bdOU2gfnTayf
 na7lE53pI+Wy8KE+qrhtsEgjHFp48uJ0HwQIIumvVndXFpIhRzCcN/aeVCjNYRjo
 GeI18OJxcimRDwsnfuOwuZKhRcjWfa8WEIKsi8LdRTZFpFL6y9R57XNTBIFfbjOF
 0lkmFTqJTBi3OTPjj0hMjpjOfXhyKUnwdqCAYlAxeuWHhqPDDhtEcnNtGdmQzx4Z
 KvYzc3t31o1gPin024UUfA528PNREszaXhTM90/Dj0dhVSMoG1VQsQjxzkPXxdM1
 wemfic+77Bk4oUrSplhdvvk4nySDWeseEjfdyVU2ixqldy8Ib1+6H+PCjWNotpQ0
 YiDOHBy3rrUh6NhIqb0C2PWvd/9Aqs0nHQHJ8QKYK574MDbVo8mKTACFdoSYoZ1u
 wuif7NL6qkyS55szf0dm8zPBCJ5nIR5SQE98E7+ptXNa8AipfFsTkZrr3aOjcdey
 98AWF9KaZOWRfwgIm3Ft
 =AYEK
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/amit-migration/tags/migration-2.7-2' into staging

migration: add TLS support to the migration data channel

This is a big refactoring of the migration backend code - moving away from
QEMUFile to the new QIOChannel framework introduced here.  This brings a
good level of abstraction and reduction of many lines of code.

This series also adds the ability for many backends (all except RDMA) to
use TLS for encrypting the migration data between the endpoints.

# gpg: Signature made Thu 26 May 2016 07:07:08 BST using RSA key ID 657EF670
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit-migration/tags/migration-2.7-2: (28 commits)
  migration: remove qemu_get_fd method from QEMUFile
  migration: remove support for non-iovec based write handlers
  migration: add support for encrypting data with TLS
  migration: define 'tls-creds' and 'tls-hostname' migration parameters
  migration: don't use an array for storing migrate parameters
  migration: move definition of struct QEMUFile back into qemu-file.c
  migration: delete QEMUFile stdio implementation
  migration: delete QEMUFile sockets implementation
  migration: delete QEMUSizedBuffer struct
  migration: delete QEMUFile buffer implementation
  migration: convert savevm to use QIOChannel for writing to files
  migration: convert RDMA to use QIOChannel interface
  migration: convert exec socket protocol to use QIOChannel
  migration: convert fd socket protocol to use QIOChannel
  migration: convert tcp socket protocol to use QIOChannel
  migration: rename unix.c to socket.c
  migration: convert unix socket protocol to use QIOChannel
  migration: convert post-copy to use QIOChannelBuffer
  migration: add reporting of errors for outgoing migration
  migration: add helpers for creating QEMUFile from a QIOChannel
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-26 16:09:27 +01:00
Peter Maydell
2c56d06baf Block layer patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXReG4AAoJEH8JsnLIjy/WKv0P/0Bevm3ahvJuStRdl+u0MgZ7
 9jM69CN3wxH8SVwCJ3zBndWVOrsAbXB+SFTu/0Dr+tq+dw901AN8lspzf1TFiYnL
 5M8B1syjOXUxuOcwl18ytuDu9aQhxbbCIC9pzWqxizm8N2nXP9r/VlNiztm4T2nn
 RV0DyD5XVoV2v3rpFPerv1EgOtO0lmfgSABwk31a5ftULdy1QzDOliLm/l7W7Oke
 xMFJ93OOBd/p0jmLrULM3V/tipRpxcnvijfVoLJb3895/0G7mJ1PCRYl3uokd+cy
 DxmWw9Fil/kfpwmQhpvpWeOeSkh/NXVNDH5fLfl7V1dPyYcs2xZOJz3mNtuMDU2N
 kBxkWtOQivr/q9cIK6sEacDRtTjouRi/DoccR6S8IXs9nY1fJoLBvXufo2mQrwsy
 5heUhrvZ+AD/eZVjQXQyIc9jCLltU12lW1Z+KrVO7HICcT/Z+UGqeROrRrhzjRRl
 iuO2iHXI7I4KSB2Xgrx5WMYZu8GbxHJmfe20O2bupJ5PHRHLF0ySZ0MW3Gbs1W5E
 5e5tU4D4x5JYJ1KYsMg2FsuejqMBh25coqywT7I3XOEOnN8opOPVKoHb86gZOjXD
 wckrSGHkX9rfvRgy+vG/d3RqQOvxtaH1kbWCHikVjHpnVPzz6uPPD1H8/T5s2IGB
 49PdfL0SIOQsl9U/3WPk
 =g40O
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches

# gpg: Signature made Wed 25 May 2016 18:32:40 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (31 commits)
  blockjob: Remove BlockJob.bs
  commit: Use BlockBackend for I/O
  backup: Use BlockBackend for I/O
  backup: Remove bs parameter from backup_do_cow()
  backup: Pack Notifier within BackupBlockJob
  backup: Don't leak BackupBlockJob in error path
  mirror: Use BlockBackend for I/O
  mirror: Allow target that already has a BlockBackend
  stream: Use BlockBackend for I/O
  block: Make blk_co_preadv/pwritev() public
  block: Convert block job core to BlockBackend
  block: Default to enabled write cache in blk_new()
  block: Cancel jobs first in bdrv_close_all()
  block: keep a list of block jobs
  block: Rename blk_write_zeroes()
  dma-helpers: change BlockBackend to opaque value in DMAIOFunc
  dma-helpers: change interface to byte-based
  block: Propagate .drained_begin/end callbacks
  block: Fix reconfiguring graph with drained nodes
  block: Make bdrv_drain() use bdrv_drained_begin/end()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-26 14:29:30 +01:00
Andreas Färber
a62c89117f qdev: Start disentangling bus from device
Move bus type and related APIs to a separate file bus.c.
This is a first step in breaking up qdev.c into more manageable chunks.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[AF: Rebased onto osdep.h]
Signed-off-by: Andreas Färber <afaerber@suse.de>
[PMM: added bus.o to link line for test-qdev-global-props]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-26 14:06:41 +01:00
Daniel P. Berrange
1fd791f007 s390: use FILE instead of QEMUFile for creating text file
The s390 skeys monitor command needs to write out a plain text
file. Currently it is using the QEMUFile class for this, but
work is ongoing to refactor QEMUFile and eliminate much code
related to it. The only feature qemu_fopen() gives over fopen()
is support for QEMU FD passing, but this can be achieved with
qemu_open() + fdopen() too. Switching to regular stdio FILE
APIs avoids the need to sprintf via an intermedia buffer which
slightly simplifies the code.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-Id: <1461751518-12128-2-git-send-email-berrange@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
2016-05-26 11:31:05 +05:30
Eric Blake
d004bd52aa block: Rename blk_write_zeroes()
Commit 983a1600 changed the semantics of blk_write_zeroes() to
be byte-based rather than sector-based, but did not change the
name, which is an open invitation for other code to misuse the
function.  Renaming to pwrite_zeroes() makes it more in line
with other byte-based interfaces, and will help make it easier
to track which remaining write_zeroes interfaces still need
conversion.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2016-05-25 19:04:21 +02:00
Paolo Bonzini
8a8e63ebdd dma-helpers: change BlockBackend to opaque value in DMAIOFunc
Callers of dma_blk_io have no way to pass extra data to the DMAIOFunc,
because the original callback and opaque are gone by the time DMAIOFunc
is called.  On the other hand, the BlockBackend is usually derived
from those extra data that you could pass to the DMAIOFunc (in the
next patch, that would be the SCSIRequest).

So change DMAIOFunc's prototype, decoupling it from blk_aio_readv
and blk_aio_writev's.  The new prototype loses the BlockBackend
and gains an extra opaque value which, in the case of dma_blk_readv
and dma_blk_writev, is of course used for the BlockBackend.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-25 19:04:11 +02:00
Paolo Bonzini
cbe0ed6247 dma-helpers: change interface to byte-based
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-25 19:04:11 +02:00
Prasad J Pandit
3af9187fc6 net: mipsnet: check packet length against buffer
When receiving packets over MIPSnet network device, it uses
receive buffer of size 1514 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-05-25 15:46:07 +08:00
Peter Maydell
287db79df8 X86 queue, 2016-05-23
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJXQ4i7AAoJECgHk2+YTcWmkhsQAIELcp/4Kj/9TBqurmicXrBm
 sEfLGThc94NZv6tDNUg4d96x83263RJPUsJqOP7TGSavO5xWD8J4A1yf8x6tI71l
 /kr064fZzYZGgKyaIvFBqmNT8uy3CVZ1+5algaYh4pOBD3y0hrTBmwB2vIHZeKDC
 6ljLuOVV2/n3SlhthK4Me9DiNPTwmMolfq2EG+5jBHmFXnbXRmApXaiX4a3qNvI+
 Aqz9btyJgTReepPcpuxF3o/h+Dx0JgC1gT4bPkIDV0wx00adUWufhRqc3D1QaOBr
 AREMSpeepuHNrkPpc7ITvyMK9q+bW8OzB0koXQW6Q50DtM7DRsxkqsr3TDvkSGG+
 ZyxsL6UdDoSKwJaDcbkhRL82P6U+MvfMBLMbo4V+S1728maUVRx74Ah+axRVX6wb
 hWtEYPvFUKp03lY82hXDoZJC+WLu+mhuAqS6a74/OG47lV2V61X8i3zrZ54RVHMh
 1fkr4MXkPvrRTH+ifjJlH6leWg5JA6OCPPMqO0fujUIxlMGA9QAHK6Fs0ReKEUyy
 WNXQ/CMfHcZv3WIJWH2NEBTJHfQwP4KWM6nIoO8Z4WT7tFpqUGULabJ9jt5t3NB5
 lW586UT6pCnqUwh89yTYLg0+Q+rmgmIlAwjVL6q0tRXXL98kosng2jgzlu7gpSBJ
 2lXFSzoqr+Ux3GbNF6E4
 =Rh0Q
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging

X86 queue, 2016-05-23

# gpg: Signature made Mon 23 May 2016 23:48:27 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"

* remotes/ehabkost/tags/x86-pull-request:
  target-i386: kvm: Eliminate kvm_msr_entry_set()
  target-i386: kvm: Simplify MSR setting functions
  target-i386: kvm: Simplify MSR array construction
  target-i386: kvm: Increase MSR_BUF_SIZE
  target-i386: kvm: Allocate kvm_msrs struct once per VCPU
  target-i386: Call cpu_exec_init() on realize
  target-i386: Move TCG initialization to realize time
  target-i386: Move TCG initialization check to tcg_x86_init()
  cpu: Eliminate cpudef_init(), cpudef_setup()
  target-i386: Set constant model_id for qemu64/qemu32/athlon
  pc: Set CPU model-id on compat_props for pc <= 2.4
  osdep: Move default qemu_hw_version() value to a macro
  target-i386: kvm: Use X86XSaveArea struct for xsave save/load
  target-i386: Use xsave structs for ext_save_area
  target-i386: Define structs for layout of xsave area

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-24 13:06:33 +01:00
Zhou Jie
ea4d824168 hw/net/opencores_eth: Allocating Large sized arrays to heap
open_eth_start_xmit has a huge stack usage of 65536 bytes approx.
Moving large arrays to heap to reduce stack usage.

Reduce size of a buffer allocated on stack to 0x600 bytes, which is the
maximal frame length when HUGEN bit is not set in MODER, only allocate
buffer on heap when that is too small. Thus heap is not used in typical
use case.

Signed-off-by: Zhou Jie <zhoujie2011@cn.fujitsu.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
2016-05-23 22:10:16 +03:00
Max Filippov
aa8e0ab975 hw/net/opencores_eth: use mii.h
Drop local definitions of MII registers and use constants from mii.h for
registers and register bits. No functional changes.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
2016-05-23 22:10:16 +03:00
Eduardo Habkost
cd6c1b7057 pc: Set CPU model-id on compat_props for pc <= 2.4
Instead of relying on x86_cpudef_setup() calling
qemu_hw_version(), just make old machines set model-id explicitly
on compat_props for qemu64, qemu32, and athlon. This will allow
us to eliminate x86_cpudef_setup() later.

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-23 13:19:36 -03:00
Peter Maydell
c915854761 * NMI cleanups (Bandan)
* RAMBlock/Memory cleanups and fixes (Dominik, Gonglei, Fam, me)
 * first part of linuxboot support for fw_cfg DMA (Richard)
 * IOAPIC fix (Peter Xu)
 * iSCSI SG_IO fix (Vadim)
 * Various infrastructure bug fixes (Zhijian, Peter M., Stefan)
 * CVE fixes (Prasad)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJXQxxqAAoJEL/70l94x66DDxsH/ivM720+5xfAOjPmOzSrzwYf
 wGqsP5Z1kxbvQ9KSFq+DNb3aooqyiPLkv8lDqn+RAy7Hba3d61NW8exYGB/sMn59
 lKaEOcs+1eUFYF+G5K2wH+O/7l7cowqIMNmlN5sLKfmEjK7CsBAZyBYYRPl4Stft
 pLYGfnu9BWPXynwJS1aNpAsHXE2XvPHimCc2+wKad/g72Sk21Mls6nohM2yn7bip
 J511t4IAIcsQ8x81NDUDIzVX/1YoMUWhNDygHskgn0dEP6b5vLod0yZmAsaJWxxm
 xMgyZAV5W71rOKt8cVek/dESncPBXgR5FDjvO8Ec3Z7gOBCcKZYG/p7VGBhrI0E=
 =RNrL
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* NMI cleanups (Bandan)
* RAMBlock/Memory cleanups and fixes (Dominik, Gonglei, Fam, me)
* first part of linuxboot support for fw_cfg DMA (Richard)
* IOAPIC fix (Peter Xu)
* iSCSI SG_IO fix (Vadim)
* Various infrastructure bug fixes (Zhijian, Peter M., Stefan)
* CVE fixes (Prasad)

# gpg: Signature made Mon 23 May 2016 16:06:18 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"

* remotes/bonzini/tags/for-upstream: (24 commits)
  cpus: call the core nmi injection function
  nmi: remove x86 specific nmi handling
  target-i386: add a generic x86 nmi handler
  coccinelle: add g_assert_cmp* to macro file
  iscsi: pass SCSI status back for SG_IO
  esp: check dma length before reading scsi command(CVE-2016-4441)
  esp: check command buffer length before write(CVE-2016-4439)
  scripts/signrom.py: Check for magic in option ROMs.
  scripts/signrom.py: Allow option ROM checksum script to write the size header.
  Remove config-devices.mak on 'make clean'
  cpus.c: Use pthread_sigmask() rather than sigprocmask()
  memory: remove unnecessary masking of MemoryRegion ram_addr
  memory: Drop FlatRange.romd_mode
  memory: Remove code for mr->may_overlap
  exec: adjust rcu_read_lock requirement
  memory: drop find_ram_block()
  vl: change runstate only if new state is different from current state
  ioapic: clear remote irr bit for edge-triggered interrupts
  ioapic: keep RO bits for IOAPIC entry
  target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-23 16:15:52 +01:00
Bandan Das
f7e981f295 nmi: remove x86 specific nmi handling
nmi_monitor_handle is wired to call the x86 nmi
handler. So, we can directly use it at call sites.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <1463761717-26558-3-git-send-email-bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:46 +02:00
Bandan Das
1255166b99 target-i386: add a generic x86 nmi handler
Instead of having x86 ifdefs in core nmi code, this
change adds a arch specific handler that the nmi common
code can call.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <1463761717-26558-2-git-send-email-bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:46 +02:00
Prasad J Pandit
6c1fef6b59 esp: check dma length before reading scsi command(CVE-2016-4441)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:46 +02:00
Prasad J Pandit
c98c6c105f esp: check command buffer length before write(CVE-2016-4439)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.

Fixes CVE-2016-4439.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:45 +02:00
Peter Xu
ed1263c363 ioapic: clear remote irr bit for edge-triggered interrupts
This is to better emulate IOAPIC version 0x1X hardware. Linux kernel
leveraged this "feature" to do explicit EOI since EOI register is still
not introduced at that time. This will also fix the issue that level
triggered interrupts failed to work when IR enabled (tested with Linux
kernel version 4.5).

Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <1462875682-1349-3-git-send-email-peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:43 +02:00
Peter Xu
479c2a1cb7 ioapic: keep RO bits for IOAPIC entry
Currently IOAPIC RO bits can be written. To be better aligned with
hardware, we should let them read-only.

Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <1462875682-1349-2-git-send-email-peterx@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:43 +02:00
Prasad J Pandit
691a02e2ce i386: kvmvapic: initialise imm32 variable
When processing Task Priorty Register(TPR) access, it could leak
automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.

Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:43 +02:00
Peter Maydell
2b5f477789 usb: add xen pvUSB backend, add num-ports check to ohci.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXQv9hAAoJEEy22O7T6HE4OYAP/060jKX9OMBDYS1JtHuwwR1s
 62UIGKAIv1pidoHL3v0H3eq0Mtr/P16Rb7fCkmTlfccC++tc0S7BR7HqlQhrAJPB
 YYWCLnvj8tVAON6sb+ohsarVqTCmu4g2n+VfIShFne7yEUitsSBbXHOvsWn5gST8
 QjteOFkWZ6GDQ96hgoOadA0SiyoE77wuvYDI/Fn7mbgLKrBbGLekiGAjQ0GeCEBA
 0te+HKhR/k+2ZmSpQK5JswAr8gfA/pOIi7hwD6s45AIPpHGvw9MfKBMzFTHCBWeH
 lPsKNA0h24yOZfZVfs3z7DE93jJIsgpayNjHpp/cEojoKXdLii8637YMGO8vh00m
 zeCDqb1MGOAa3XcDG8JZHAUHAU8ya9spOCX36heDAqLdOaWNcstCNgHTlPpSl/NF
 esf/zHB0nDtbjEFqvEC0ewFENAgzR3VWr7n2KvJFsfYaFigdWO4ebI7xlNq+Jf0h
 O1rl6kowm4o8nrzgpKS+oNO4uTdB64gFDvcSdo1hI3XluiY/9ZIkp2rE3KbCCLQm
 Fk8m74+CvmpTH8vHj3TYW+gebP1Ov4ioGrnzYGfr0hQdOeb5BkW3h8Fm8acAfCE2
 tVd/Z1iQEqUvDwRpyEp5pOzv/dZQGFHrL8xhdyXdE55UzZXCNgtHJoIufvcxJDzf
 rHNMGiS/Z58nkoVjnzWp
 =qLbp
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160523-1' into staging

usb: add xen pvUSB backend, add num-ports check to ohci.

# gpg: Signature made Mon 23 May 2016 14:02:25 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20160523-1:
  usb/ohci: Fix crash with when specifying too many num-ports
  xen: add pvUSB backend
  xen: write information about supported backends
  xen: introduce dummy system device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-23 15:53:02 +01:00
Thomas Huth
d400fc018b usb/ohci: Fix crash with when specifying too many num-ports
QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 14:59:40 +02:00
Gerd Hoffmann
94ef4f337f vga: add sr_vbe register set
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
2016-05-23 14:28:25 +02:00
Juergen Gross
816ac92ef7 xen: add pvUSB backend
Add a backend for para-virtualized USB devices for xen domains.

The backend is using host-libusb to forward USB requests from a
domain via libusb to the real device(s) passed through.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Message-id: 1463062421-613-4-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
6b860806c0 virtio-gpu: fix ui idx check
Fix off-by-one value check (0 is the first scanout).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Juergen Gross
637c53ffcb xen: write information about supported backends
Add a Xenstore directory for each supported pv backend. This will allow
Xen tools to decide which backend type to use in case there are
multiple possibilities.

The information is added under
/local/domain/<backend-domid>/device-model/<domid>/backends
before the "running" state is written to Xenstore. Using a directory
for each backend enables us to add parameters for specific backends
in the future.

This interface is documented in the Xen source repository in the file
docs/misc/qemu-backends.txt

In order to reuse the Xenstore directory creation already present in
hw/xen/xen_devconfig.c move the related functions to
hw/xen/xen_backend.c where they fit better.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-3-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
acfc484650 virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
The value is defined in virtio_gpu.h already (changing from 4 to 16).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Juergen Gross
9432e53a5b xen: introduce dummy system device
Introduce a new dummy system device serving as parent for virtual
buses. This will enable new pv backends to introduce virtual buses
which are removable again opposed to system buses which are meant
to stay once added.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-2-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
2fe760554e virtio-gpu: check max_outputs only
The scanout id should not be above the configured num_scanouts.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
5e3d741c6a virtio-gpu: check max_outputs value
The value must be less than VIRTIO_GPU_MAX_SCANOUT.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
d0f0c8654a virtio-vga: propagate on gpu realized error
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
fe89fdebca virtio-gpu: check early scanout id
Before accessing the g->scanout array, in order to avoid potential
out-of-bounds access.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Igor Mammedov
bacc344c54 machine: add properties to compat_props incrementaly
Switch to adding compat properties incrementaly instead of
completly overwriting compat_props per machine type.
That removes data duplication which we have due to nested
[PC|SPAPR]_COMPAT_* macros.

It also allows to set default device properties from
default foo_machine_options() hook, which will be used
in following patch for putting VMGENID device as
a function if ISA bridge on pc/q35 machines.

Suggested-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
[ehabkost: Fixed CCW_COMPAT_* and PC_COMPAT_0_* defines]
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 14:28:54 -03:00
Eduardo Habkost
cfc58cf373 vl: Replace DT_NOGRAPHIC with machine option
All DisplayType values are just UI options that don't affect any
hardware emulation code, except for DT_NOGRAPHIC. Replace
DT_NOGRAPHIC with DT_NONE plus a new "-machine graphics=on|off"
option, so hardware emulation code don't need to use the
display_type variable.

Cc: Michael Walle <michael@walle.cc>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 14:28:54 -03:00
Eduardo Habkost
cf3dc71eb5 milkymist: Move DT_NOGRAPHIC check outside milkymist_tmu2_create()
DT_NOGRAPHIC handling will be moved to a MachineState field, and
it will be easier to change milkymist_init() to check that field.

Cc: Michael Walle <michael@walle.cc>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 14:28:54 -03:00
Paolo Bonzini
22b31af26f aspeed: include qemu/log.h
This is not visible with the default "log" trace backend.  With other
backends however trace.h does not include qemu/log.h, resulting in
build failures.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1463745452-25831-2-git-send-email-pbonzini@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-20 13:09:22 +01:00
Paolo Bonzini
df43d49cb8 hw: clean up hw/hw.h includes
Include qom/object.h and exec/memory.h instead of exec/ioport.h;
exec/ioport.h was almost everywhere required only for those two
includes, not for the content of the header itself.

Remove block/aio.h, everybody is already including it through
another path.

With this change, include/hw/hw.h is freed from qemu-common.h.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:30 +02:00
Paolo Bonzini
89a80e7400 hw: remove pio_addr_t
pio_addr_t is almost unused, because these days I/O ports are simply
accessed through the address space.  cpu_{in,out}[bwl] themselves are
almost unused; monitor.c and xen-hvm.c could use address_space_read/write
directly, since they have an integer size at hand.  This leaves qtest as
the only user of those functions.

On the other hand even portio_* functions use this type; the only
interesting use of pio_addr_t thus is include/hw/sysbus.h.  I guess I
could move it there, but I don't see much benefit in that either.  Using
uint32_t is enough and avoids the need to include ioport.h everywhere.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:30 +02:00
Paolo Bonzini
63c915526d cpu: move exec-all.h inclusion out of cpu.h
exec-all.h contains TCG-specific definitions.  It is not needed outside
TCG-specific files such as translate.c, exec.c or *helper.c.

One generic function had snuck into include/exec/exec-all.h; move it to
include/qom/cpu.h.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini
03dd024ff5 hw: explicitly include qemu/log.h
Move the inclusion out of hw/hw.h, most files do not need it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini
33c11879fd qemu-common: push cpu.h inclusion out of qemu-common.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini
35c5a52d1d acpi: do not use TARGET_PAGE_SIZE
This is a #define used by the CPU.  NVDIMM can just use 4K
unconditionally.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
bd3f16ac30 s390x: reorganize CSS bits between cpu.h and other headers
Move cpu_inject_* to the only C file where they are used.

Move ioinst.h declarations that need S390CPU to cpu.h, to make
ioinst.h independent of cpu.h.

Move channel declarations that only need SubchDev from cpu.h
to css.h, to make more channel users independent of cpu.h.

Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
77ac58ddc6 dma: do not depend on kvm_enabled()
Memory barriers are needed also by Xen and, when the ioeventfd
bugs are fixed, by TCG as well.

sysemu/kvm.h is not anymore needed in sysemu/dma.h, move it to
the actual users.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
87776ab72b qemu-common: stop including qemu/host-utils.h from qemu-common.h
Move it to the actual users.  There are some inclusions of
qemu/host-utils.h in headers, but they are all necessary.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
58369e22cf qemu-common: stop including qemu/bswap.h from qemu-common.h
Move it to the actual users.  There are still a few includes of
qemu/bswap.h in headers; removing them is left for future work.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
cbd62f8616 hw: do not use VMSTATE_*TL
Reserve this to CPU state serialization.

Luckily, they were only used by sPAPR devices and these are ppc64
only.  So there is no change to migration format.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
bdd902277c include: poison symbols in osdep.h
Ensure that all target-independent files ignore poisoned symbols,
and fix the fallout.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
d613f8cc33 apic: move target-dependent definitions to cpu.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Paolo Bonzini
e81096b1c8 explicitly include linux/kvm.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Paolo Bonzini
7d0c99a9d8 explicitly include qom/cpu.h
exec/cpu-all.h includes qom/cpu.h.  Explicit inclusion
will keep things working when cpu.h will not be included
indirectly almost everywhere (either directly or through
qemu-common.h).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Paolo Bonzini
aa5a9e2484 ppc: use PowerPCCPU instead of CPUPPCState
This changes a cpu.h dependency for hw/ppc/ppc.h into a cpu-qom.h
dependency.  For it to compile we also need to clean up a few unused
definitions.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Paolo Bonzini
5a975d435a mips: use MIPSCPU instead of CPUMIPSState
This changes a cpu.h dependency into a cpu-qom.h dependency.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Paolo Bonzini
0774831d08 alpha: include cpu-qom.h in files that require AlphaCPU
This will keep things working when cpu.h will not be included
indirectly almost everywhere (either directly or through
qemu-common.h).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Paolo Bonzini
16fd646182 arm: include cpu-qom.h in files that require ARMCPU
This will keep things working when cpu.h will not be included
indirectly almost everywhere (either directly or through
qemu-common.h).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:27 +02:00
Stefan Weil
cb8d4c8f54 Fix some typos found by codespell
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-18 15:04:27 +03:00
Greg Kurz
d506dc87b9 9p: drop unused declaration from coth.h
Commit "ebac1202c95a virtio-9p: use QEMU thread pool" dropped function
v9fs_init_worker_threads.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-18 15:04:27 +03:00
Alberto Garcia
b996aed510 ipack: Update e-mail address
I'm not really using the old one anymore.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-18 15:04:27 +03:00
Cao jin
ed2f3bc1fa loader: fix potential memory leak
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-18 15:04:26 +03:00
Michael Tokarev
f35c1f66ad s390: remove misleading comment
The comment talks about a non-ELF object while the
example gives ELF object.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-05-18 15:04:26 +03:00
Peter Maydell
a257c74149 First batch of s390x patches for 2.7:
- The new machine for 2.7
 - Make use of the runtime instrumentation support introduced in
   the kernel
 - Enhance our ipl (boot) process: We can now start from devices
   in subchannel sets > 0 as well. As a bonus, the conversion to
   diag308 in the bios allows us to get rid of the gr7 hack.
 - Xiaoqiang Zhao's SCLP qomification patches
 - Several fixes in the s390x pci implementation
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXOyw0AAoJEN7Pa5PG8C+v2fkQAI+woDEWJ9a1DtOw/sdIicX2
 wlXdzadtGM1/g0HWvmF1smMLCUcNtEA77+R5o0yE5cPnOBWI0WzuNPZmiMbkMROm
 gCC9OU9WOVDTPrrxfOGp4yhZkbZdz/K7TQUUB0bRRC+RTBJFNOqHSKrIDl+4AgkS
 v83hwYHcGEku53++BOrstlMcVY9gzGnL3E2KH6m1Rvhtac8bkjps5qzgmmQVCmL9
 EZCFZn0rH0LYq6Sdq3Fa6x89tdKsZ4ktnT76UJvJ4XGagHvOq9yojJixYQQnvfK4
 m5OlHadJdA/op4JxXxCM4TZbdxDQWo/r+pivULOmEA/cvwbQo+Ap1pDnp7BzByR+
 xjSzak7vSvfF+p8L7va/J9IZqSsMmTcrpBoRrhP6vGgDUZz53XzsZIOd/Q7haNFW
 5JeL3Qr7YqCi7//SQJAX0y1Q0JpyzZrZvwewAN1qyNeMSbW8lZOuj9Do2dHBvfkG
 l3C99V42idycu4DAVlmyULpirURg43XUjvztOjwEn9yXrnp3g+tThmwIdecDY4zQ
 IvTgIs5HEKFqy/HODZj7sCzY8YIJHhbGLmAzwqhtzemiH2ozsQFoN3tOITyMRL7F
 5T/l2C4COZJBevGtQyd/uAGrrVU/57Ro9Ly7qchHINpWYFbnE5YkKTA3IyUIWQdz
 9i36Szd8WGXgngh1z0Mz
 =bYQm
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20160517' into staging

First batch of s390x patches for 2.7:
- The new machine for 2.7
- Make use of the runtime instrumentation support introduced in
  the kernel
- Enhance our ipl (boot) process: We can now start from devices
  in subchannel sets > 0 as well. As a bonus, the conversion to
  diag308 in the bios allows us to get rid of the gr7 hack.
- Xiaoqiang Zhao's SCLP qomification patches
- Several fixes in the s390x pci implementation

# gpg: Signature made Tue 17 May 2016 15:35:32 BST using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20160517:
  s390x/pci: remove whitespace
  s390x/pci: add length checking for pci sclp handlers
  s390x/pci: enhance mpcifc_service_call
  s390x/pci: fix s390_pci_sclp_deconfigure
  s390x/pci: introduce S390PCIBusDevice.iommu_enabled
  s390x/pci: export pci_dereg_ioat and pci_dereg_irqs
  s390x/pci: separate s390_pcihost_iommu_configure function
  s390x/pci: separate s390_sclp_configure function
  s390x/pci: fix reg_irqs()
  hw/char: QOM'ify sclpconsole.c
  hw/char: QOM'ify sclpconsole-lm.c
  s390x/ipl: Remove redundant usage of gr7
  s390-ccw.img: rebuild image
  pc-bios/s390-ccw: Get device address via diag 308/6
  s390x/ipl: Add ssid field to IplParameterBlock
  s390x/ipl: Provide ipl parameter block
  s390x/ipl: Add type and length checks for IplParameterBlock values
  s390x/ipl: Extend the IplParameterBlock struct
  s390x: enable runtime instrumentation
  s390x: add compat machine for 2.7

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-17 16:49:11 +01:00
Yi Min Zhao
c26916942a s390x/pci: remove whitespace
Fix indentation of PciCfgSccb struct.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
3b40ea2957 s390x/pci: add length checking for pci sclp handlers
The configure/deconfigure sclp commands need a SCCB with a length of
at least 16. Indicate in the response code if this is not fulfilled.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
a6d9d4f26a s390x/pci: enhance mpcifc_service_call
Enhance error handling for mpcifc_service_call() to propagate errors
to guest by setting status codes or triggering program interrupts.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
259a4f0a76 s390x/pci: fix s390_pci_sclp_deconfigure
When deconfiguring a s390 pci device, we should deconfigure the
corresponding IOMMU memory region and the IRQs for the device.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
df6a050c82 s390x/pci: introduce S390PCIBusDevice.iommu_enabled
We introduce iommu_enabled field for S390PCIBusDevice struct to
track whether the iommu has been enabled for the device. This allows
us to stop temporarily changing ->configured while en/disabling the
iommu and to do conditional cleanup later.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
e141dbadfa s390x/pci: export pci_dereg_ioat and pci_dereg_irqs
dereg_irqs and dereg_ioat are needed by external functions. Let's
rename and export both of them in s390-pci-inst.h.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
715838881f s390x/pci: separate s390_pcihost_iommu_configure function
Split s390_pcihost_iommu_configure() into separate functions for
configuring and deconfiguring in order to make the code more readable.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
8f5cb69313 s390x/pci: separate s390_sclp_configure function
Split s390_sclp_configure() into separate functions for sclp
configuring and deconfiguring in order to make the code more readable.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Yi Min Zhao
bac45d5147 s390x/pci: fix reg_irqs()
In reg_irqs(), present code assumes that map_indicator() always issues
successfully. Let's check it and return the error to caller in order to
inform guest.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Reviewed-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
xiaoqiang zhao
3f6ec642ae hw/char: QOM'ify sclpconsole.c
Drop the DO_UPCAST macro

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1459237645-17227-7-git-send-email-zxq_yx_007@163.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
xiaoqiang zhao
e563c59b6a hw/char: QOM'ify sclpconsole-lm.c
Drop the DO_UPCAST macro

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1459237645-17227-6-git-send-email-zxq_yx_007@163.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Alexander Yarygin
010d45d279 s390x/ipl: Remove redundant usage of gr7
We don't need to pass device address for pc-bios using gr7 anymore as
the pcbios completely relies on diag308 now, so we can remove it from
qemu. devno, ssid and cssid are migrated but the value was never reused,
so we can safely ignore these fields and migrate 0.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Alexander Yarygin
3041e3bead s390x/ipl: Add ssid field to IplParameterBlock
Add the ssid field to the ipl parameter block struct and fill it when
necessary so the guest can use it.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Alexander Yarygin
6aed958978 s390x/ipl: Provide ipl parameter block
Right now we return the ipl parameter block only if the guest
specified one. Let's fill in the parameter block when bootindex
parameter is available and not booting from an external kernel.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Alexander Yarygin
9946a9113c s390x/ipl: Add type and length checks for IplParameterBlock values
We can check for valid type and lengths of the IplParameterBlock fields
when receiving the struct from the guest.

Length of the IplParameterBlock can be less than 4K. To play safe we can
read and write only required amount of data.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenband <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Alexander Yarygin
04ca4b92ec s390x/ipl: Extend the IplParameterBlock struct
The IplParameterBlock struct currently has only 200 bytes filled, but it
can be up to 4K.

This patch converts the struct to union with a fully populated struct
inside it and second struct with old values.

For compatibility reasons we disable migration of the extended iplb
field for pre-2.7 machines. Also a guest still can read/write only the
first 200 bytes of IPLB for now.

Signed-off-by: Alexander Yarygin <yarygin@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Fan Zhang
9700230b0d s390x: enable runtime instrumentation
Introduce run-time-instrumentation support when running under kvm for
virtio-ccw 2.7 machine and make sure older machines can not enable it.

The new ri_allowed field in the s390MachineClass serves as an indicator
whether the feature can be used by the machine and should therefore be
activated if available.

riccb_needed() is used to check whether riccb is needed or not in live
migration.

Signed-off-by: Fan Zhang <zhangfan@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Cornelia Huck
946e55f3c7 s390x: add compat machine for 2.7
Also add some of the option cascading we were missing.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-05-17 15:50:29 +02:00
Hollis Blanchard
2531088f6c hw/intc/arm_gic: add tracepoints
These are obviously critical to understanding interrupt delivery:
gic_enable_irq
gic_disable_irq
gic_set_irq (inbound irq from device models)
gic_update_set_irq (outbound irq to CPU)
gic_acknowledge_irq

The only one that I think might raise eyebrows is gic_update_bestirq, but I've
(sadly) debugged problems that ended up being caused by unexpected priorities.
Knowing that the GIC has an irq ready, but doesn't deliver to the CPU due to
priority, has also proven important.

Signed-off-by: Hollis Blanchard <hollis_blanchard@mentor.com>
Message-id: 1461252281-22399-1-git-send-email-hollis_blanchard@mentor.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-05-16 17:20:41 -07:00
Peter Maydell
14fccfa91e MIPS patches 2016-05-13
Changes:
 * fix zeroing CP0.WatchLo registers in soft reset
 * QOMify Jazz led
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJXNaaUAAoJEFIRjjwLKdpre/sIAIhtHFxtzlNEBq27CG0Rsp2l
 7EN8O/NqVmhiq2NU5Xt6wJ100GjKftMM9f49aRhz05q7kgKIs+M0PC3RB2wvIYzQ
 lk4zbreiBdZYWA/m38SBSU2CJvEs+8FpthBtfNi/gN701lQ45K9oJdzl0jsURIh/
 /dLQhzPmHrf4NImQzxqybhX8ta80TUXLWOv/ZbuGEFEEXnp+db7+eajIw4kgqCT+
 J/XpqeFrZ/aJfT3Ag7LLsAimmTP439JIO1goIei8POvEXgkm1AmxpvIk6Aq1bGiz
 BnTm80lj5JSHImbObOu4WKIu8wRcWZb5rEIl2oMfnzAx6iPhRPOS8JNP+565Tes=
 =0B4r
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160513' into staging

MIPS patches 2016-05-13

Changes:
* fix zeroing CP0.WatchLo registers in soft reset
* QOMify Jazz led

# gpg: Signature made Fri 13 May 2016 11:04:04 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"

* remotes/lalrae/tags/mips-20160513:
  hw/display: QOM'ify jazz_led.c
  target-mips: fix call to memset in soft reset code

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-13 11:50:42 +01:00
xiaoqiang.zhao
7fe91a5b33 hw/display: QOM'ify jazz_led.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2016-05-13 09:33:38 +01:00
Sergey Fedorov
3213525f8a tcg: Remove needless CPUState::current_tb
This field was used for telling cpu_interrupt() to unlink a chain of TBs
being executed when it worked that way. Now, cpu_interrupt() don't do
this anymore. So we don't need this field anymore.

Signed-off-by: Sergey Fedorov <serge.fdrv@gmail.com>
Signed-off-by: Sergey Fedorov <sergey.fedorov@linaro.org>
Message-Id: <1462273462-14036-1-git-send-email-sergey.fedorov@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
2016-05-12 14:06:42 -10:00
Emilio G. Cota
89fee74a0f tb: consistently use uint32_t for tb->flags
We are inconsistent with the type of tb->flags: usage varies loosely
between int and uint64_t. Settle to uint32_t everywhere, which is
superior to both: at least one target (aarch64) uses the most significant
bit in the u32, and uint64_t is wasteful.

Compile-tested for all targets.

Suggested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Suggested-by: Richard Henderson <rth@twiddle.net>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1460049562-23517-1-git-send-email-cota@braap.org>
2016-05-12 14:06:40 -10:00
Peter Maydell
f68419eee9 Block layer patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXNIcBAAoJEH8JsnLIjy/WiUQP/Rzfo8pe7TWA2InxdcDOPsx4
 2/tHHJdVkffnNX5rdBvc0mOUZNJxej0NtJu2e63BB+ydYju//xw8gruKU7TR+Nd3
 nPNSsqk80prK3RNgWu7qymBvIkHDDcDQhlp48HKq+dxrfConXtHmoXapGsqc0S47
 xu03oC6WzSIyLf7TLytcjUmEprQSaCGOwsb/XaHAWL750fFAGcdy/K5PWBpUv6DN
 T0jZ3u4UneE1jeabRmqAwjgDJXC9l6riH9fP/ZtYhgNlNj84zlMXajUHSULhGknP
 cTGjwwg9tOvhcjTdhdRmWlvG1m0T77ZX3icfZLhcTdb/Uz68NXVqs8P25IGV9McD
 DPrb3T/M8JUoqLXJxIpxUm2Levof5v0dUF1PHmN5bT7pshcqv/1J7v8Fdtf9l9mp
 zI0+FK1TZ102C0H2F7AWYZSlo2EfNUSd02QQx6MbfDokDIlIxY+EgP1/Es5XlkqC
 wc7HrJvq+uix2zXw9bn9Vg9p/nDuxlRx+ppRRarNNRonaqTrx/1qAaas4bsqc9Gz
 H6gxw7BHybm0TZFdHqAdIonpesecYw6yWUXT/mQehbfphsmQmu/d2HvF2C9uUm4X
 O0JduBlKOTm2hMcg5qL6Gko8WaQIctdCJH/1Onts92cZnm8Vr/9zcmMgwGoCd7sE
 +t6Yg0jqpTUJwhZhIuCw
 =NbjJ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches

# gpg: Signature made Thu 12 May 2016 14:37:05 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (69 commits)
  qemu-iotests: iotests: fail hard if not run via "check"
  block: enable testing of LUKS driver with block I/O tests
  block: add support for encryption secrets in block I/O tests
  block: add support for --image-opts in block I/O tests
  qemu-io: Add 'write -z -u' to test MAY_UNMAP flag
  qemu-io: Add 'write -f' to test FUA flag
  qemu-io: Allow unaligned access by default
  qemu-io: Use bool for command line flags
  qemu-io: Make 'open' subcommand more like command line
  qemu-io: Add missing option documentation
  qmp: add monitor command to add/remove a child
  quorum: implement bdrv_add_child() and bdrv_del_child()
  Add new block driver interface to add/delete a BDS's child
  qemu-img: check block status of backing file when converting.
  iotests: fix the redirection order in 083
  block: Inactivate all children
  block: Drop superfluous invalidating bs->file from drivers
  block: Invalidate all children
  nbd: Simplify client FUA handling
  block: Honor BDRV_REQ_FUA during write_zeroes
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 16:33:40 +01:00
Peter Maydell
e4f70d6358 target-arm queue:
* blizzard, omap_lcdc: code cleanup to remove DEPTH != 32 dead code
  * QOMify various ARM devices
  * bcm2835_property: use cached values when querying framebuffer
  * hw/arm/nseries: don't allocate large sized array on the stack
  * fix LPAE descriptor address masking (only visible for EL2)
  * fix stage 2 exec permission handling for AArch32
  * first part of supporting syndrome info for data aborts to EL2
  * virt: NUMA support
  * work towards i.MX6 support
  * avoid unnecessary TLB flush on TCR_EL2, TCR_EL3 writes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJXNIUqAAoJEDwlJe0UNgzeYmMP/05g/rzOekjL4c41MvN8zUrB
 z8CFRmySbTNda/gyY/o8DDUvJOq637g1Arw82o3jYJBTVx/EjFTK4ENe7zN99Xay
 fzzUtOp+TY40k9ZUQ3FtdAiN/Y54WHuozX3CKOu47W7hErkNn4/GVG68IW93AHe7
 AIxVDUrNUCsMPGFy0YBOTWM5u9kwrosH6vb+EvBSDXJTrdALidf0CWBGp58Ik79g
 T3dAKE9EuVTWVKnR3J6QTxD97Xmvsj/2dVtNOGXRw7ZL/utmtCG/uO1V06VMmf8R
 5LPY56RemhhF4CftYnk9+kzdftFJKt2kHsmfoEHSfsrhpp51Ro9/3WnFGstOjjQL
 OUFwpmHKpaINRTs6zudMTiUoI3JtzNI7cefSWuu0+O8ErLnqxfJEQgnZStUpi/JG
 V/YAoEiA+ZYTv8gm3X7a6+cb+g/DiqLlPorpE4xFFR4gbzIujjAsFQMmsqlTisNl
 j0yjflQAcUCTgo9wzoi5DxHZ69OfpZXL6gAU4HKhTum+w0436WyPLtVxD7bCxe71
 ki0Mol61Hh62p0swUkBv9YHNOj2PKghQwVFTOtxtUs4jPfOTItg795A/cDJGXGe8
 zcAUNdwnKp/OsbaVMEOirko02qlS+F3FaOcg/qAchDgCZcOliUlSQTKoNnMyKMhC
 PjQVUfYpU/59r+ESJ6OL
 =RL/g
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160512' into staging

target-arm queue:
 * blizzard, omap_lcdc: code cleanup to remove DEPTH != 32 dead code
 * QOMify various ARM devices
 * bcm2835_property: use cached values when querying framebuffer
 * hw/arm/nseries: don't allocate large sized array on the stack
 * fix LPAE descriptor address masking (only visible for EL2)
 * fix stage 2 exec permission handling for AArch32
 * first part of supporting syndrome info for data aborts to EL2
 * virt: NUMA support
 * work towards i.MX6 support
 * avoid unnecessary TLB flush on TCR_EL2, TCR_EL3 writes

# gpg: Signature made Thu 12 May 2016 14:29:14 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"

* remotes/pmaydell/tags/pull-target-arm-20160512: (43 commits)
  hw/arm: QOM'ify versatilepb.c
  hw/arm: QOM'ify strongarm.c
  hw/arm: QOM'ify stellaris.c
  hw/arm: QOM'ify spitz.c
  hw/arm: QOM'ify pxa2xx_pic.c
  hw/arm: QOM'ify pxa2xx.c
  hw/arm: QOM'ify integratorcp.c
  hw/arm: QOM'ify highbank.c
  hw/arm: QOM'ify armv7m.c
  target-arm: Avoid unnecessary TLB flush on TCR_EL2, TCR_EL3 writes
  hw/display/blizzard: Remove blizzard_template.h
  hw/display/blizzard: Expand out macros
  i.MX: Add sabrelite i.MX6 emulation.
  i.MX: Add i.MX6 SOC implementation.
  i.MX: Add the Freescale SPI Controller
  FIFO: Add a FIFO32 implementation
  i.MX: Add i.MX6 System Reset Controller device.
  ARM: Factor out ARM on/off PSCI control functions
  ACPI: Virt: Generate SRAT table
  ACPI: move acpi_build_srat_memory to common place
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 15:55:45 +01:00
Peter Maydell
6ddeeffffe QAPI patches for 2016-05-12
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXNDVwAAoJEDhwtADrkYZTMgUP/2lm5d7rrbk25x/vOvbah2Mu
 I6CrQsNN7RLqNrq2v/wHSdraiKhwIaIkpgiJqaznEIawbGWrd8alV7Ae1AoPh7Ng
 fObNKTlmaWD7OJxFvXDnJZueB+XLjeVE4cWEJ+aAN/THaDDeXm1WfbvcVAtJnsnj
 wdzt0kJze+Waj2lYcn2pC2WrgCksufE7ye/P/ouVXh8yPFG74j5RkEaGgU1YYG57
 Mc1cjTlI4IpEE4AdtZj7W96ozKk8DbQG6rR64lY2t2xFf4DOTGnPvDxbFRtqk/K8
 WZ9CQ2ZEWvxJ2VFQGWcE6UK2U1uilBGrLeGFDuxJcz3b6ShytqQ0kVeZ2o0uuPof
 wH/23XrB3p8ZuTbSLBUtMPw0FjHKbgBHLOE/18xHA7G0rZiKUISpNzClNo939S7g
 sbKvohSMLLei6GZ++eBAHotSa7bI48Vw0dXuXlI0GEEQmZpRkxLywQsJRBJ+Qw1V
 VdqW667BV4Opof93YGAeUSeioJ51v+usGG2qF/5IKPHI3NVbj8FIqc4hMZgek+2j
 aukYdDOha7Ml3FHfkHet5nNMrx59mI1+wnRe/KDjSxRZKdlB2G/6L8TWgaDV9MJj
 qeytuOvyu/TC7UI9kere+DLy9PeyTXoeKmWqyxBGEZv5DO1XkBPam/tIob8e7x9r
 Dx8iCThc7FwlZrWRof/h
 =1WHk
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2016-05-12' into staging

QAPI patches for 2016-05-12

# gpg: Signature made Thu 12 May 2016 08:49:04 BST using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/pull-qapi-2016-05-12: (23 commits)
  qapi: Change visit_type_FOO() to no longer return partial objects
  qapi: Simplify semantics of visit_next_list()
  qapi: Fix string input visitor handling of invalid list
  tests/string-input-visitor: Add negative integer tests
  qapi: Split visit_end_struct() into pieces
  qmp: Tighten output visitor rules
  qmp: Don't reuse qmp visitor after grabbing output
  spapr_drc: Expose 'null' in qom-get when there is no fdt
  qmp: Support explicit null during visits
  qapi: Add visit_type_null() visitor
  tests: Add check-qnull
  qapi: Document visitor interfaces, add assertions
  qmp-input: Refactor when list is advanced
  qmp-input: Require struct push to visit members of top dict
  qom: Wrap prop visit in visit_start_struct
  qapi-commands: Wrap argument visit in visit_start_struct
  qmp-input: Don't consume input when checking has_member
  qapi: Use strict QMP input visitor in more places
  qapi: Consolidate QMP input visitor creation
  qmp-input: Clean up stack handling
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 15:06:38 +01:00
Eric Blake
26a122d3d4 atapi: Switch to byte-based block access
Sector-based blk_read() should die; switch to byte-based
blk_pread() instead.

Add new defines ATAPI_SECTOR_BITS and ATAPI_SECTOR_SIZE to
use anywhere we were previously scaling BDRV_SECTOR_* by 4,
for better legibility.

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
243e6f69c1 m25p80: Switch to byte-based block access
Sector-based blk_read() should die; switch to byte-based
blk_pread() instead.

Likewise for blk_aio_readv() and blk_aio_writev().

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
12c125cba9 sd: Switch to byte-based block access
Sector-based blk_write() should die; switch to byte-based
blk_pwrite() instead.  Likewise for blk_read().

Greatly simplifies the code, now that we let the block layer
take care of alignment and read-modify-write on our behalf :)
In fact, we no longer need to include 'buf' in the migration
stream (although we do have to ensure that the stream remains
compatible).

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
098e732dbe pflash: Switch to byte-based block access
Sector-based blk_write() should die; switch to byte-based
blk_pwrite() instead.  Likewise for blk_read().

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
441692ddd8 onenand: Switch to byte-based block access
Sector-based blk_write() should die; switch to byte-based
blk_pwrite() instead.  Likewise for blk_read().

This particular device picks its size during onenand_initfn(),
and can be at most 0x80000000 bytes; therefore, shifting an
'int sec' request to get back to a byte offset should never
overflow 32 bits.  But adding assertions to document that point
should not hurt.

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
9fc0d361cc nand: Switch to byte-based block access
Sector-based blk_write() should die; switch to byte-based
blk_pwrite() instead.  Likewise for blk_read().

This file is doing some complex computations to map various
flash page sizes (256, 512, and 2048) atop generic uses of
512-byte sector operations.  Perhaps someone will want to tidy
up the file for fewer gymnastics in managing addresses and
offsets, and less wasteful visits of 256-byte pages, but it
was out of scope for this series, where I just went with the
mechanical conversion.

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
a7a5b7c0fc fdc: Switch to byte-based block access
Sector-based blk_write() should die; switch to byte-based
blk_pwrite() instead.  Likewise for blk_read().

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
d00000f901 xen_disk: Switch to byte-based aio block access
Sector-based blk_aio_readv() and blk_aio_writev() should die; switch
to byte-based blk_aio_preadv() and blk_aio_pwritev() instead.

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
b5772fdde4 virtio: Switch to byte-based aio block access
Sector-based blk_aio_readv() and blk_aio_writev() should die; switch
to byte-based blk_aio_preadv() and blk_aio_pwritev() instead.

The trace is modified at the same time, and nb_sectors is now
unused.  Fix a comment typo while in the vicinity.

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
03c90063cc scsi-disk: Switch to byte-based aio block access
Sector-based blk_aio_readv() and blk_aio_writev() should die; switch
to byte-based blk_aio_preadv() and blk_aio_pwritev() instead.

As part of the cleanup, scsi_init_iovec() no longer needs to return
a value, and reword a comment.

[ kwolf: Fix read accounting change ]

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:09 +02:00
Eric Blake
d4f510eb3f ide: Switch to byte-based aio block access
Sector-based blk_aio_readv() and blk_aio_writev() should die; switch
to byte-based blk_aio_preadv() and blk_aio_pwritev() instead.

The patch had to touch multiple files at once, because dma_blk_io()
takes pointers to the functions, and ide_issue_trim() piggybacks on
the same interface (while ignoring offset under the hood).

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:08 +02:00
Eric Blake
983a160050 block: Switch blk_*write_zeroes() to byte interface
Sector-based blk_write() should die; convert the one-off
variant blk_write_zeroes() to use an offset/count interface
instead.  Likewise for blk_co_write_zeroes() and
blk_aio_write_zeroes().

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:08 +02:00
Eric Blake
b7d17f9fa4 block: Switch blk_read_unthrottled() to byte interface
Sector-based blk_read() should die; convert the one-off
variant blk_read_unthrottled().

Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:08 +02:00
Eric Blake
8341f00dc2 block: Allow BDRV_REQ_FUA through blk_pwrite()
We have several block drivers that understand BDRV_REQ_FUA,
and emulate it in the block layer for the rest by a full flush.
But without a way to actually request BDRV_REQ_FUA during a
pass-through blk_pwrite(), FUA-aware block drivers like NBD are
forced to repeat the emulation logic of a full flush regardless
of whether the backend they are writing to could do it more
efficiently.

This patch just wires up a flags argument; followup patches
will actually make use of it in the NBD driver and in qemu-io.

Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-05-12 15:22:08 +02:00
Kevin Wolf
cab3a3563c block: Rename bdrv_co_do_preadv/writev to bdrv_co_preadv/writev
It used to be an internal helper function just for implementing
bdrv_co_do_readv/writev(), but now that it's a public interface, it
deserves a name without "do" in it.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
2016-05-12 15:22:08 +02:00
xiaoqiang.zhao
0bc91ab3bb hw/arm: QOM'ify versatilepb.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:12 +01:00
xiaoqiang.zhao
5a67508c7a hw/arm: QOM'ify strongarm.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:11 +01:00
xiaoqiang.zhao
15c4fff5d8 hw/arm: QOM'ify stellaris.c
* Drop the use of old SysBus init function and use instance_init
* Use DeviceClass::vmsd instead of 'vmstate_register' function

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:10 +01:00
xiaoqiang zhao
f68575c956 hw/arm: QOM'ify spitz.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:09 +01:00
xiaoqiang.zhao
08ba3fde1d hw/arm: QOM'ify pxa2xx_pic.c
Remove the empty 'pxa2xx_pic_initfn' and it's
setup code in the 'pxa2xx_pic_class_init'

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:08 +01:00
xiaoqiang.zhao
16fb31a382 hw/arm: QOM'ify pxa2xx.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:07 +01:00
xiaoqiang.zhao
a1f42e0c9a hw/arm: QOM'ify integratorcp.c
* Drop the use of old SysBus init function and use instance_init
* Remove the empty 'icp_pic_class_init' from Typeinfo

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:06 +01:00
xiaoqiang.zhao
ff7a27c15a hw/arm: QOM'ify highbank.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:42:06 +01:00
xiaoqiang.zhao
3f5ab25490 hw/arm: QOM'ify armv7m.c
Drop the use of old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:40:48 +01:00
Peter Maydell
4274d821ff hw/display/blizzard: Remove blizzard_template.h
We no longer need to do the "multiply include this header" trick with
blizzard_template.h, and it is only used in a single .c file, so just
put its contents inline in blizzard.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-3-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:30 +01:00
Peter Maydell
5c8759087d hw/display/blizzard: Expand out macros
Now that we can assume that only depth 32 is possible, there's no need
for the COPY_PIXEL1 and PIXEL_TYPE macros, and the SKIP_PIXEL, COPY_PIXEL
and SWAP_WORDS macros aren't used at all. Expand out COPY_PIXEL1 and
PIXEL_TYPE where they are used, delete the unused macro definitions, and
expand out the uses of glue(name_prefix, DEPTH).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-2-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:29 +01:00
Jean-Christophe DUBOIS
3a0f31bcb8 i.MX: Add sabrelite i.MX6 emulation.
The sabrelite supports one SPI FLASH memory on SPI1

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:29 +01:00
Jean-Christophe DUBOIS
ec46eaa83a i.MX: Add i.MX6 SOC implementation.
For now we only support the following devices:
* up to 4 Cortex A9 cores
* A9 MPCORE (SCU, GIC, TWD)
* 5 i.MX UARTs
* 2 EPIT timers
* 1 GPT timer
* 3 I2C controllers
* 7 GPIO controllers
* 6 SDHC controllers
* 5 SPI controllers
* 1 CCM device
* 1 SRC device
* various ROM/RAM areas.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:29 +01:00
Jean-Christophe DUBOIS
c906a3a015 i.MX: Add the Freescale SPI Controller
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:29 +01:00
Jean-Christophe DUBOIS
1983057470 i.MX: Add i.MX6 System Reset Controller device.
This controller is also present in i.MX5X devices but they are not
yet emulated by QEMU.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:28 +01:00
Shannon Zhao
2b302e1e3c ACPI: Virt: Generate SRAT table
To support NUMA, it needs to generate SRAT ACPI table.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1461667229-9216-6-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:28 +01:00
Shannon Zhao
64b831367b ACPI: move acpi_build_srat_memory to common place
Move acpi_build_srat_memory to common place so that it could be reused
by ARM. Rename it to build_srat_memory.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1461667229-9216-5-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:28 +01:00
Shannon Zhao
ea9fcbd7d0 ACPI: Fix the definition of proximity in AcpiSratMemoryAffinity
ACPI spec says that Proximity Domain is an "Integer that represents
the proximity domain to which the processor belongs". So define it as a
uint32_t.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1461667229-9216-4-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:28 +01:00
Shannon Zhao
e6e400d54f ACPI: Add GICC Affinity Structure
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1461667229-9216-3-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:27 +01:00
Shannon Zhao
9695200ad8 ARM: Virt: Set numa-node-id for cpu and memory nodes
Generate memory nodes according to NUMA topology. Set numa-node-id
property for cpu and memory nodes.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1461667229-9216-2-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:27 +01:00
xiaoqiang zhao
3c09d6caad hw/display: QOM'ify exynos4210_fimd.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1462417489-28603-2-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:27 +01:00
Zhou Jie
0b062eb090 hw/arm/nseries: Allocating Large sized arrays to heap
n8x0_init has a huge stack usage of 65536 bytes approx.
Moving large arrays to heap to reduce stack usage.

Signed-off-by: Zhou Jie <zhoujie2011@cn.fujitsu.com>
Message-id: 1461651308-894-1-git-send-email-zhoujie2011@cn.fujitsu.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
Sylvain Garrigues
27a5dc7be6 bcm2835_property: use cached values when querying framebuffer
As the framebuffer settings are copied into the result message before it is
reconfigured, inconsistent behavior can happen when, for instance, you set with
a single message the width, height, and depth, and ask at the same time to
allocate the buffer and get the pitch and the size.

In this case, the reported pitch and size would be incorrect as they were
computed with the initial values of width, height and depth, not the ones the
client requested.

Signed-off-by: Sylvain Garrigues <sylvain@sylvaingarrigues.com>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Message-id: 1461325343-24995-1-git-send-email-sylvain@sylvaingarrigues.com
[PMM: folded a couple of long lines]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
xiaoqiang zhao
0a750e2a78 hw/intc: QOM'ify omap_intc.c
* Split the old SysBus init into an instance_init and a
  DeviceClass::realize function
* Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
xiaoqiang.zhao
22c70d8a6a hw/intc: QOM'ify grlib_irqmp.c
* Split the old SysBus init into an instance_init and a
  DeviceClass::realize function
* Drop the old SysBus init function

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: corrected "can not" to "cannot" in error message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
xiaoqiang.zhao
c09008d2d3 hw/intc: QOM'ify slavio_intctl.c
Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
xiaoqiang.zhao
e3be8b4f4f hw/intc: QOM'ify pl190.c
Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:25 +01:00
xiaoqiang.zhao
f777bda60f hw/intc: QOM'ify imx_avic.c
Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
xiaoqiang.zhao
68d71616c0 hw/intc: QOM'ify exynos4210_gic.c
* Drop the old SysBus init function and use instance_init
* Split the exynos4210_irq_gate_init into an instance_init
  and a DeviceClass::realize function

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
xiaoqiang.zhao
d3d5a6febd hw/intc: QOM'ify exynos4210_combiner.c
Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
xiaoqiang.zhao
b46818e9e7 hw/intc: QOM'ify etraxfs_pic.c
Drop the old SysBus init function and use instance_init

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Pooja Dhannawat
ea644cf343 omap_lcdc: Remove support for DEPTH != 32
surface_bits_per_pixel() always returns 32
so, removing other dead code which is
based on DEPTH !== 32

Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1459260142-9144-1-git-send-email-dhannawatpooja1@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Pooja Dhannawat
5c87c4089a blizzard: Remove support for DEPTH != 32
Removing support for DEPTH != 32 from blizzard template header
and file that includes it, as macro DEPTH == 32 only used.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1458971873-2768-1-git-send-email-dhannawatpooja1@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Eric Blake
d9f62dde13 qapi: Simplify semantics of visit_next_list()
The semantics of the list visit are somewhat baroque, with the
following pseudocode when FooList is used:

start()
for (prev = head; cur = next(prev); prev = &cur) {
    visit(&cur->value)
}

Note that these semantics (advance before visit) requires that
the first call to next() return the list head, while all other
calls return the next element of the list; that is, every visitor
implementation is required to track extra state to decide whether
to return the input as-is, or to advance.  It also requires an
argument of 'GenericList **' to next(), solely because the first
iteration might need to modify the caller's GenericList head, so
that all other calls have to do a layer of dereferencing.

Thankfully, we only have two uses of list visits in the entire
code base: one in spapr_drc (which completely avoids
visit_next_list(), feeding in integers from a different source
than uint8List), and one in qapi-visit.py.  That is, all other
list visitors are generated in qapi-visit.c, and share the same
paradigm based on a qapi FooList type, so we can refactor how
lists are laid out with minimal churn among clients.

We can greatly simplify things by hoisting the special case
into the start() routine, and flipping the order in the loop
to visit before advance:

start(head)
for (tail = *head; tail; tail = next(tail)) {
    visit(&tail->value)
}

With the simpler semantics, visitors have less state to track,
the argument to next() is reduced to 'GenericList *', and it
also becomes obvious whether an input visitor is allocating a
FooList during visit_start_list() (rather than the old way of
not knowing if an allocation happened until the first
visit_next_list()).  As a minor drawback, we now allocate in
two functions instead of one, and have to pass the size to
both functions (unless we were to tweak the input visitors to
cache the size to start_list for reuse during next_list, but
that defeats the goal of less visitor state).

The signature of visit_start_list() is chosen to match
visit_start_struct(), with the new parameters after 'name'.

The spapr_drc case is a virtual visit, done by passing NULL for
list, similarly to how NULL is passed to visit_start_struct()
when a qapi type is not used in those visits.  It was easy to
provide these semantics for qmp-output and dealloc visitors,
and a bit harder for qmp-input (several prerequisite patches
refactored things to make this patch straightforward).  But it
turned out that the string and opts visitors munge enough other
state during visit_next_list() to make it easier to just
document and require a GenericList visit for now; an assertion
will remind us to adjust things if we need the semantics in the
future.

Several pre-requisite cleanup patches made the reshuffling of
the various visitors easier; particularly the qmp input visitor.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-24-git-send-email-eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-05-12 09:47:55 +02:00
Eric Blake
15c2f669e3 qapi: Split visit_end_struct() into pieces
As mentioned in previous patches, we want to call visit_end_struct()
functions unconditionally, so that visitors can release resources
tied up since the matching visit_start_struct() without also having
to worry about error priority if more than one error occurs.

Even though error_propagate() can be safely used to ignore a second
error during cleanup caused by a first error, it is simpler if the
cleanup cannot set an error.  So, split out the error checking
portion (basically, input visitors checking for unvisited keys) into
a new function visit_check_struct(), which can be safely skipped if
any earlier errors are encountered, and leave the cleanup portion
(which never fails, but must be called unconditionally if
visit_start_struct() succeeded) in visit_end_struct().

Generated code in qapi-visit.c has diffs resembling:

|@@ -59,10 +59,12 @@ void visit_type_ACPIOSTInfo(Visitor *v,
|         goto out_obj;
|     }
|     visit_type_ACPIOSTInfo_members(v, obj, &err);
|-    error_propagate(errp, err);
|-    err = NULL;
|+    if (err) {
|+        goto out_obj;
|+    }
|+    visit_check_struct(v, &err);
| out_obj:
|-    visit_end_struct(v, &err);
|+    visit_end_struct(v);
| out:

and in qapi-event.c:

@@ -47,7 +47,10 @@ void qapi_event_send_acpi_device_ost(ACP
|         goto out;
|     }
|     visit_type_q_obj_ACPI_DEVICE_OST_arg_members(v, &param, &err);
|-    visit_end_struct(v, err ? NULL : &err);
|+    if (!err) {
|+        visit_check_struct(v, &err);
|+    }
|+    visit_end_struct(v);
|     if (err) {
|         goto out;

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-20-git-send-email-eblake@redhat.com>
[Conflict with a doc fixup resolved]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-05-12 09:47:55 +02:00
Eric Blake
a543a554cf spapr_drc: Expose 'null' in qom-get when there is no fdt
Now that the QMP output visitor supports an explicit null
output, we should utilize it to make it easier to diagnose
the difference between a missing fdt ('null') vs. a
present-but-empty one ('{}').

(Note that this reverts the behavior of commit ab8bf1d, taking
us back to the behavior of commit 6c2f9a1 [which in turn
stemmed from a crash fix in 1d10b44]; but that this time,
the change is intentional and not an accidental side-effect.)

Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <1461879932-9020-17-git-send-email-eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-05-12 09:47:54 +02:00
Stefan Weil
a277c3e094 usb: Support compilation without poll.h
This is a hack to support compilation with Mingw-w64 which provides
a libusb-1.0 package, but no poll.h.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1458630800-10088-1-git-send-email-sw@weilnetz.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-11 10:37:39 +02:00
Isaac Lozano
1f66fe5778 usb-mtp: fix usb_mtp_get_device_info so that libmtp on the guest doesn't complain
If an application uses libmtp on the guest system,
it will complain with the warning message:
LIBMTP WARNING: VendorExtensionID: ffffffff
LIBMTP WARNING: VendorExtensionDesc: (null)
LIBMTP WARNING: this typically means the device is PTP (i.e. a camera) but
not a MTP device at all. Trying to continue anyway.

This is because libmtp expects a MTP Vendor Extension ID of 0x00000006 and a
MTP Version of 0x0064. These numbers are taken from Microsoft's MTP Vendor
Extension Identification Message page and are what most physical devices
show.

Signed-off-by: Isaac Lozano <109lozanoi@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1460892593-5908-1-git-send-email-109lozanoi@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-11 10:33:49 +02:00
Roman Kagan
491d68d938 usb:xhci: no DMA on HC reset
This patch is a rough fix to a memory corruption we are observing when
running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
    xhci_disable_ep
      xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for
the first time as there are no slots configured yet.  However when the
firmware hands over the control to the OS some slots and endpoints are
already set up with their context in the guest RAM.  Now the OS' driver
resets the controller again and xhci_set_ep_state then reads and writes
that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the
device context base address array pointer is zero (indicating we're in
the HC reset and no DMA is possible).

Cc: qemu-stable@nongnu.org
Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
Message-id: 1462384435-1034-1-git-send-email-rkagan@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-11 10:29:28 +02:00
Peter Maydell
53db932604 vga security fixes (CVE-2016-3710, CVE-2016-3712)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXMIUCAAoJEEy22O7T6HE4uacP/1IwxsNr7oAc8Mb1x95r3aLe
 Q7KAh8Nei9VMcNLvUMweAaRSNgrrM+ic84oTNqWTGL5fgbV3oa4JlbTnGlWs174W
 acCH6tMSG21SqukxnMdO79X/Ldi7IhQEVMHvAm0bq7jwHYYLjdwAhIBOXs5G5oJX
 5UcosiGJenrT5USICv5Cr5sMvPgy3wS9qvJVbdGzxZzJ3I7274teS4Y8JjlMrxj0
 JIIQ2dDMFI2twlzJbmpXqMlZ3l+RhB4AXA47T8SZW2MSgBv+zI2BZEBuEIS7bQqj
 debIWA9Rl2lbsroJUHsjqgxyLD89jyKaunt2rhyEo0F6e12jzfuXfP9qdqKSaz9T
 5PZ98PDTWD+1K7pAq88TvuQApwawoIIfIyGaNYjktmWiDRZ/607uxtILp7MI8M0v
 K04K0SBbqM/0whUyAVcjrZkbd7p7hGcN6vn2m2i6vWcqcNkiP3S8kz+coV1fCpXu
 YSzo1yg8+e6UZMpLxz/VgCdRpwEtRgiLq0CkI6gdhu88gSjldWml5qa/MibuAwYJ
 NWmtDmaqM1TBburDTHI2EbQ7UGDDPH3NbHBfH21fd73YONJ3PFqnDdTTytdKoXd0
 /kinn6YN9au3NcQHLJojCcXKIiGsCfQwIPuXl9aF/oT46f8TweHZJ9WyeMyP35Kh
 Yg3itPanlsN4PrrGmyMO
 =v5wH
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160509-1' into staging

vga security fixes (CVE-2016-3710, CVE-2016-3712)

# gpg: Signature made Mon 09 May 2016 13:39:30 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20160509-1:
  vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
  vga: update vga register setup on vbe changes
  vga: factor out vga register setup
  vga: add vbe_enabled() helper
  vga: fix banked access bounds checking (CVE-2016-3710)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-09 13:42:25 +01:00
Gerd Hoffmann
1beb99f787 Revert "acpi: mark PMTIMER as unlocked"
This reverts commit 7070e085d4.

Commit message claims locking is not needed, but that appears
to not be true, seabios ehci driver runs into timekeeping problems
with this, see
	https://bugzilla.redhat.com/show_bug.cgi?id=1322713

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1460702609-25971-1-git-send-email-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-02 17:19:13 +01:00
Gerd Hoffmann
fd3c136b3e vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heigts settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
2068192dcc vga: update vga register setup on vbe changes
Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
7fa5c2c5dc vga: factor out vga register setup
When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer.  Move that code to a separate function so we can call it
from other places too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
bfa0f151a5 vga: add vbe_enabled() helper
Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
3bf1817079 vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.

The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register.  The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Igor Mammedov
1dbfd7892b acpi: fix bios linker loadder COMMAND_ALLOCATE on bigendian host
'make check' fails with:

ERROR:tests/bios-tables-test.c:493:load_expected_aml:
   assertion failed: (g_file_test(aml_file, G_FILE_TEST_EXISTS))

since commit:
caf50c7166
tests: pc: acpi: drop not needed 'expected SSDT' blobs

Assert happens because qemu-system-x86_64 generates
SSDT table and test looks for a corresponding expected
table to compare with.

However there is no expected SSDT blob anymore, since
QEMU souldn't generate one. As it happens BIOS is not
able to read ACPI tables from QEMU and fallbacks to
embeded legacy ACPI codepath, which generates SSDT.
That happens due to wrongly sized endiannes conversion
which makes
 uint8_t BiosLinkerLoaderEntry.alloc.zone
end up with 0 due to truncation of 32 bit integer
which on host is 1 or 2.

Fix it by dropping invalid cpu_to_le32() as uint8_t
doesn't require any conversion.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1330174

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-05-01 15:42:13 +03:00
Michael Roth
df18b2db69 spapr_drc: fix aborts during DRC-count based hotplug
CPU/memory resources can be signalled en-masse via
spapr_hotplug_req_add_by_count(), and when doing so, actually change
the meaning of the 'drc' parameter passed to
spapr_hotplug_req_event() to be a count rather than an index.

f40eb92 added a hook in spapr_hotplug_req_event() to record when a
device had been 'signalled' to the guest, but that code assumes that
drc is always an index. In cases where it's a count, such as memory
hotplug, the DRC lookup will fail, leading to an assert.

Fix this by only explicitly setting the signalled state for cases where
we are doing PCI hotplug.

For other resources types, since we cannot selectively track whether a
resource has been signalled in cases where we signal attach as a count,
set the 'signalled' state to true immediately upon making the
resource available via drck->attach().

Reported-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Cc: Bharata B Rao <bharata@linux.vnet.ibm.com>
Cc: david@gibson.dropbear.id.au
Cc: qemu-ppc@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-26 11:16:08 +10:00
Gerd Hoffmann
f419a626c7 usb/uhci: move pid check
commit "5f77e06 usb: add pid check at the first of uhci_handle_td()"
moved the pid verification to the start of the uhci_handle_td function,
to simplify the error handling (we don't have to free stuff which we
didn't allocate in the first place ...).

Problem is now the check fires too often, it raises error IRQs even for
TDs which we are not going to process because they are not set active.

So, lets move down the check a bit, so it is done only for active TDs,
but still before we are going to allocate stuff to process the requested
transfer.

Reported-by: Joe Clifford <joe@thunderbug.co.uk>
Tested-by: Joe Clifford <joe@thunderbug.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1461321893-15811-1-git-send-email-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-25 12:05:05 +01:00
Thomas Huth
da34fed707 hw/ppc/spapr: Fix crash when specifying bad parameters to spapr-pci-host-bridge
QEMU currently crashes when using bad parameters for the
spapr-pci-host-bridge device:

$ qemu-system-ppc64 -device spapr-pci-host-bridge,buid=0x123,liobn=0x321,mem_win_addr=0x1,io_win_addr=0x10
Segmentation fault

The problem is that spapr_tce_find_by_liobn() might return NULL, but
the code in spapr_populate_pci_dt() does not check for this condition
and then tries to dereference this NULL pointer.
Apart from that, the return value of spapr_populate_pci_dt() also
has to be checked for all PCI buses, not only for the last one, to
make sure we catch all errors.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-23 16:52:20 +10:00
Fam Zheng
14560d69e7 virtio: Mark host notifiers as external
The effect of this change is the block layer drained section can work,
for example when mirror job is being completed.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:58 +02:00
Fam Zheng
54e18d35e4 event-notifier: Add "is_external" parameter
All callers pass "false" keeping the old semantics. The windows
implementation doesn't distinguish the flag yet. On posix, it is passed
down to the underlying aio context.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:56 +02:00
Sylvain Garrigues
b4850e5ae9 hw/arm/boot: always clear r0 when booting kernels
The 32-bit ARM Linux kernel booting ABI requires that r0 is 0
when calling the kernel image. A bug in commit 10b8ec73e6
meant that for boards which use the write_board_setup hook (which
means "highbank", "midway", "raspi2" and "xilinx-zynq-a9") we
were incorrectly skipping the "clear r0" instruction in the
mini-bootloader. Use the right offset in the "add lr, pc, #n"
instruction so that we return from the board-setup code to the
correct place.

Signed-off-by: Sylvain Garrigues <sylvain@sylvaingarrigues.com>
[PMM: Expanded commit message]
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 12:10:17 +01:00
Peter Maydell
fa59dd9582 Xen 2016/04/20
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXF2NIAAoJEIlPj0hw4a6QWekP/R80xwlEB5vsCpedpVy2fEmb
 RCYbskUmC89s/T0ADXY9SflNzCqA4SOPc45ANN0Awq1oSHMLi9qanNkJDyPhdCGZ
 jZ4DhfWEy/2N77VHEqM4F6ks4+SZl6aKtQEjkpejWg+cQWnfMGisUvKDoiLe0mFH
 Bi8q+0XloJDZUnQpN+VGSII21gAP4sM18UNrv7NyMPGWlZmEVdf/ocxKxLplw7C5
 REDasr35TBBsOKxjleRlBXqPOu8sGR0KMWGrjW3KrCaXPTkgc/Wu6CIarW6hAIuh
 VMJQ5qQZvuTNa+c/B9kKLZ4+tzb+8E+tsrKDx57MLiGftmpQNwZHy3SIQ4ByTZRT
 nFtoEZMlN4kOK2kEFxzHavzfrw6UXhe66GGD4cZ5M7fq0pV/B9qQme07VpLh9t/R
 ydx8S1dHjNKuLAMwnGfeC4Vca6ae5JxB0gvtfvKvIsYCOq2kz22pK8oHX9cV+PWH
 3kVPWF94kPgsPIszWRWfdz4tKe3WQaOrtrAzBmhl9zHezDnuwRYSQvaf+FvI0vI3
 6+Y9QAxV33aOqgDI59ibuitfHPbzI93VOWA1StL++MGET2aVDdsFwuvetW1H5M8J
 0cr0lTo7Ij7iLJISYYEOkwrQZPxxW3p7NKrq9uq/7+hG1F85vQDjvdlnp0jV9g1O
 a2gTRPfMmghtWkVV+fdE
 =p2hJ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/sstabellini/tags/xen-2016-04-20' into staging

Xen 2016/04/20

# gpg: Signature made Wed 20 Apr 2016 12:08:56 BST using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"

* remotes/sstabellini/tags/xen-2016-04-20:
  xenfb: use the correct condition to avoid excessive looping

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-20 16:16:55 +01:00
Peter Maydell
ef5d5641f5 ehci: fix (s)iTD looping issue (CVE-2015-8558) in a different way.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXFc6eAAoJEEy22O7T6HE4jOsQAInCKNSK7UbHEqAxcNt9v9jB
 7wrv87tiNYRQrFE46oLcvQdVfggW0Dml2xX8Isrmm44DKd7pZzliklHqlAIiyX2Z
 KyjrEjpTLJ3hMAHD9UbiCg4u69W4gWNTGhHtzYUCfRMwTfIawhKwUSce61ZscZEo
 Brb9hJa6mPULSey7LvFTlqEAH9qMiKTV53jZ4t/mcBNwICtOmPzxoQkegNxoFP6u
 k0gHdI9V2uwfDGlnyXKY38CytE08C+JB2CL4OggGeF6VFZDxeYZJc6pEiGhepFyE
 PPt5blBNyHxPvYXtCJp+K94IfhJB2iDGuBFL8SuMVtmE6FGDKGlCgZrV32TcCxxU
 nDK7hdbhz3wnpvlcc5L5xXe3bAyFyasWQ5BGtamgwyG/U+3WYm9A+j5nNXyI8f3A
 IWfR84XfuynNIHn+eCrHZHkby7x+U9IQ2yeb/2vwUj4ddGGo2nCnqjqVnh2CFWoW
 HWPLhQi0sjCN2/Sfokxh8Dm9lTDrUTz5tyZhPQUw4xzrpPdDbkQkAruO9MJmulRz
 D24s8AObL4s/0CKRbN/U3dzE9oxqJ0V++zGbdPyg8QFaPczXruGSrHCPxQjY3rto
 JEjNanI01Nl0TcA7EquTxjVsZdeGSEGuhBnx7qJO2LtjMbcOrHZg4vGXIyI1Oc6N
 F0RYHVSQibOwLG0r9pQi
 =Y5Gl
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160419-1' into staging

ehci: fix (s)iTD looping issue (CVE-2015-8558) in a different way.

# gpg: Signature made Tue 19 Apr 2016 07:22:22 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20160419-1:
  Revert "ehci: make idt processing more robust"
  ehci: apply limit to iTD/sidt descriptors

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 12:10:30 +01:00
Peter Maydell
bb97bfd901 ppc patch queueu for 2016-04-19
A single fix for a regression since 2.5.  This should be the last ppc
 pull request for 2.6.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXFY5uAAoJEGw4ysog2bOS1MgQAIKbBZPcKZeu7k8zVik6tObc
 N7T3xrzZC0zMJEB9uu8m2ULsHhk7NMs2nl951q8ofHeufYtMUVwrmvML90+09wrL
 brq08o0fHxyzWLmadwyHW8YuY5rTB1rsPTfUM+nUblS8n3LdcI2C8xBR6+Zvdjfj
 /4znUujytbxyncVgQR624Y0TXDFD3+EzYSnF9mEGMpXG4DLoIZpltFR1XwSf0Izz
 MkUeyPuXacapXofIKtJTPwmHDjetsElJTt4u85kw4XrjVeo9vXjBfZnbRIqd6jrM
 1dPz2oDYjNLU1TrpQtaXM54DXYyy+klpBbZbEBp0O43GRNWAtVDvK6XSpwHsScuE
 C/7wAIoMzNuGHrUnhmpkDJuJpulJuGiY0df+8me+K52NDaPgTeW0ZF1heGnMBQ3t
 7P2aSZ06Us047isGHYQpmvzf0ptLwn54i0Hh35ChXyrkCBHfA0DyRXhDbI+7GurA
 42quB8NZ8JeIoCtP0EPjYn532bDa8DKCegnNR6au+pkr9Ato4cDxO02JiINT4Y94
 +fMtvlWeHVGLuFVul/WRPYhzP7cRPvrcswpL/iABjCXKpfyRrg11Pe0Wvmn1JLnX
 tMjPCd2K1fqwYMtJ2uCIlv4NpDofJIdKF+kgVe8/VAFlKM4SpA6F+IILOqIsZUR1
 pE+nmQ6KAfIhnH2rfxy6
 =+Eci
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160419' into staging

ppc patch queueu for 2016-04-19

A single fix for a regression since 2.5.  This should be the last ppc
pull request for 2.6.

# gpg: Signature made Tue 19 Apr 2016 02:48:30 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.6-20160419:
  cuda: fix off-by-one error in SET_TIME command

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 11:15:32 +01:00
Michael S. Tsirkin
5eb0b194e9 cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 11:13:59 +01:00
Gerd Hoffmann
a49923d283 Revert "ehci: make idt processing more robust"
This reverts commit 156a2e4dbf.

Breaks FreeBSD.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-19 08:20:56 +02:00
Gerd Hoffmann
1ae3f2f178 ehci: apply limit to iTD/sidt descriptors
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular iTD queue and let qemu ehci
emulation run in circles forever).  Unfortunately this has two problems:
First it misses the case of siTDs, and second it reportedly breaks
FreeBSD.

So lets go for a different approach: just count the number of iTDs and
siTDs we have seen per frame and apply a limit.  That should really
catch all cases now.

Reported-by: 杜少博 <dushaobo@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-19 08:18:27 +02:00
Aurelien Jarno
ed3d807b0a cuda: fix off-by-one error in SET_TIME command
With the new framework the cuda_cmd_set_time command directly receive
the data, without the command byte. Therefore the time is stored at
in_data[0], not at in_data[1].

This fixes the "hwclock --systohc" command in a guest.

Cc: Hervé Poussineau <hpoussin@reactos.org>
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Hervé Poussineau <hpoussin@reactos.org>
[this fixes a regression introduced by e647317 "cuda: port SET_TIME
 command to new framework"]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-19 11:39:23 +10:00
Dr. David Alan Gilbert
90c647db8d Fix pflash migration
Pflash migration (e.g. q35 + EFI variable storage) fails
with the assert:

bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.

This avoids the problem by delaying the pflash update until after
the device loads complete.

Tested by:
  Migrating Q35/EFI vm.
  Changing efi variable content (with efiboot in the guest)
  md5sum'ing the variable file before migration and after.

This is a fix that Paolo posted in the message
  570244B3.4070105@redhat.com

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-15 17:27:34 +02:00
Peter Maydell
3e7cac31d6 tpm, vhost, virtio: fixes for 2.6
Minor fixes all over the place.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXD58TAAoJECgfDbjSjVRpDCAH/iZXlMxl4j23qH4mqJa88HJq
 UHqsuU6NGHXhsYUzGy9wQp7RTNnMlwF1GC+vsIlZzr1XPu/U/GwUZVPf1Ca0xZ0Q
 ukRzd7nvAaHnUEC26AJul8CgoThmPf5ip4LqAqQvSUrrAsQ1viR49HHCtmFC2w33
 iOg9ZznZM+Prlh8IGMCSF93ER9l4s7T2CvDPmlKtC5iXepU8J47V2EmPg3VjCd3B
 jeQ6RIF0RtJQCvUxLW3FcUnM6bmIszqPEwmBkiOfJcvuNisNMZGavAyzzoXfMmQ9
 YkrGEnDwLa5a3qMTptmxDvPzy4ksc7OzVIw0bcBnqnGmDJwGz44mBjYJ555zJi8=
 =ufoF
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

tpm, vhost, virtio: fixes for 2.6

Minor fixes all over the place.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Thu 14 Apr 2016 14:45:55 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  hw/virtio/balloon: Replace TARGET_PAGE_SIZE with BALLOON_PAGE_SIZE
  tpm: Fix write to file descriptor function
  tpm: acpi: remove IRQ from TPM's CRS to make Windows not see conflict
  pc: acpi: tpm: add missing MMIO resource to PCI0._CRS
  specs/vhost-user: spelling fix
  specs/vhost-user: improve VHOST_SET_VRING_NUM documentation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-14 14:55:25 +01:00
Thomas Huth
01310e2aa7 hw/virtio/balloon: Replace TARGET_PAGE_SIZE with BALLOON_PAGE_SIZE
The balloon code currently calls madvise() with TARGET_PAGE_SIZE as
length parameter. Since the virtio-balloon protocol is always based
on 4k pages, no matter what the host and guest are using as page size,
this could cause problems: If TARGET_PAGE_SIZE is bigger than 4k, the
madvise call also destroys the 4k areas after the current one - which
might be wrong since the guest did not want free that area yet (in
case the guest used as smaller MMU page size than the hard-coded
TARGET_PAGE_SIZE). So to fix this issue, introduce a proper define
called BALLOON_PAGE_SIZE (which is 4096) to use this as the size
parameter for the madvise() call instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-04-14 16:44:42 +03:00
Peter Maydell
33e5702889 virtio-input; live migration support, various bugfixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXDminAAoJEEy22O7T6HE4aawP/2iK9EmCdH20+rIBEbSjbC8t
 ReXI3TO5knGhFSmgaEsgq8AtiqalVV5nk14SVSAZfE5QRRKYohvj0xT1J2yTJ5hB
 1Y0aD6sC+agzxDcOPm9ZZ/6q80bbTw8LxCr2sBTZ+Rvof8igdsVHawwow4eEbpzk
 U1ijjT76eqvGOzCAM9tryiMDniV0uN9vRHgEyxl1g1ctKBonj7B8VXIiwsBwY7L5
 EKFpMv8mBTTuoyvMl485YBX/p8k4D/NFYhUvAwvuWspsV1bgyuqcsdBxPMtK2mqb
 Et2Zu484S0ere090G+X83NmkR+1X1OlgA+47BQB/ekC6lUTaCXHux4jvwgggLICT
 zp0jOV/xiXeNn/+Dm49/Od2qJZlEMNM3LbFAr9/T6Zmais2YGZHGSHA1BUC5hb1H
 rd/dWhxVd+7MEI/wVIhlXHnlCH12Na+WYr3gy+rrweQ0ItpZVNfo0POrBEKLYf1n
 MZSZ5AnxfQ19setY5TL1hjDuAkMUThXqvco8VcSoVfGdzXWcYYCMzfB7VGGUyBjV
 g6N7EuJihnnTTJ+lQisKveo7o5VXdg8IOoE7/zihWjiD5Ohf9tAEi3/6yncin2G2
 0KSiv6ZJ/TJfrrnWNNNtHMAImIWWX8JyBl1yXz1h/fXvAXBMzHIy8raWr6WTSRMG
 GoXYoaCz9McVTvTalsk1
 =p3bE
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20160413-1' into staging

virtio-input; live migration support, various bugfixes.

# gpg: Signature made Wed 13 Apr 2016 16:41:27 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-input-20160413-1:
  virtio-input: support absolute axis config in pass-through
  input-linux: refine mouse detection
  virtio-input: fix emulated tablet axis ranges
  virtio-input: add live migration support
  virtio-input: implement pass-through evdev writes
  virtio-input: retrieve EV_LED host config bits
  virtio-input: add missing key mappings
  move const_le{16, 23} to qemu/bswap.h, add comment
  virtio-input: add parenthesis to const_le{16, 32}

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-13 20:35:23 +01:00
Peter Maydell
8b4aaba736 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQIcBAABAgAGBQJXDhnDAAoJENro4Ql1lpzlon0QALYjBrRo1BFBle+llRxvj0h/
 DtbB7uKbsmUv11GF6C03j+1od+tPIR+czkynkzpzkwqfZQl3PNtI0W0YPHGWl0eF
 VFpwO/fnt01aTtpXkgzQ8izFTyl3QhtipMRC/5PtOAjM53GG9t+ESdjQjFk6Lw3a
 KBNE/Ge+PfXJ4S5huLOig85utWG+e28ZL/d6opWWMyeGNoAJSg59kN2Wo3cmFhi/
 DJWvOEs1RWnvwJGVxrW0NHA80Ht7Lrk4MokPmVYIvr04LOYD/Vzu/f2KOp5ZVo6i
 Vo4kPv/1pDeqT9Tw3IIaVt6Sd4dQ2M2g9lvNoobJl3dAk8xBwNtuvPj5v0azArew
 hpzdRxXJOmo/14RgzlDlToD9haUiMNsqHY0iSXA53jUzi5pbw+AJFgmW2BcMqCqw
 MBxjfqoiQjLiw0NRVkWu7CId82Rmj53Xv75898QOEjvKZq4paLRNEx+Qyl9wd/q0
 GYz0Mc24/iY2Px7YPqe8tvJlV0QTTlcGKycdmpMqtNN6QuJYpC0cUbVWBUXibZhx
 uY9u7wFNoAZBnpxghUf7rlhH8oQEikONxIJVTz/MVjuWLmE6wOfdEP8KkndFyjlu
 +fHY8RO2BsJCw+V3/LpvSXBEwmkCsIkBJ3BLEwfON+0Vew1C0hzXeWFnbshe1l1I
 L4H5POEMiAf9vG0E/Nl7
 =eX10
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/elmarco/tags/ivshmem-fix-pull-request' into staging

# gpg: Signature made Wed 13 Apr 2016 11:04:51 BST using RSA key ID 75969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>"
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* remotes/elmarco/tags/ivshmem-fix-pull-request:
  ivshmem: fix ivshmem-{plain,doorbell} crash without arg

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-13 18:48:28 +01:00
Stefan Berger
e7658fcc4c tpm: Fix write to file descriptor function
Fix a bug introduced in commit 46f296c while moving send_all to the
tpm_passthrough code. Fix the name of the variable used in the loop.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-04-13 19:52:34 +03:00
Igor Mammedov
52e38eb051 tpm: acpi: remove IRQ from TPM's CRS to make Windows not see conflict
IRQ 5 used by TPM conflicts with PNP0C0F IRQs,
as result Windows fails driver initialization with reason
  'device cannot find enough free resources'
But if TPM._CRS.IRQ entry is commented out, Windows
seems to initialize driver without errors as it doesn't
notice possible conflict and it seems to work
probably due to a link with IRQ 5 being unused/disabled.

So temporary comment out TPM._CRS.IRQ to 'fix'
regression in TPM, with intent to fix it correctly
later i.e.:
  1. pick unused IRQ as default one for TPM
  2. fetch IRQ value from device model so that user
     could override default one if it conflicts with
     some other device.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-04-13 19:52:34 +03:00
Igor Mammedov
2b1c2e8e5f pc: acpi: tpm: add missing MMIO resource to PCI0._CRS
Windows will fail initialize TMP driver with the reason:
  'device cannot find enough free resources'
That happens because parent BUS doesn't describe
MMIO resources used by TPM child device.
Fix it by describing it in top-most parent bus scope PCI0.

It was 'regressed' by commit
  5cb18b3d TPM2 ACPI table support
with following fixup
  9e472263 acpi: add missing ssdt
which did the right thing by moving TPM to BUS
it belongs to but lacked a proper resource declaration.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-04-13 19:52:34 +03:00
Ladi Prosek
b065e275a8 virtio-input: support absolute axis config in pass-through
VIRTIO_INPUT_CFG_ABS_INFO was not implemented for pass-through input
devices. This patch follows the existing design and pre-fetches the
config for all absolute axes using EVIOCGABS at realize time.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 1460558603-18331-1-git-send-email-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-13 17:26:12 +02:00
Ladi Prosek
0263b3a72f virtio-input: fix emulated tablet axis ranges
The reported maximum was wrong. The X and Y coordinates are 0-based
so if size is 8000 maximum must be 7FFF.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 1460128893-10244-1-git-send-email-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-13 15:52:28 +02:00
Gerd Hoffmann
2d73837466 virtio-input: add live migration support
virtio-input is simple enough that it doesn't need to xfer any state.
Still we have to wire up savevm manually, so the generic pci and virtio
are saved correctly.

Additionally we need to do some post-load processing to figure whenever
the guest uses the device or not, so we can give input routing hints to
the qemu input layer using qemu_input_handler_{activate,deactivate}.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1459859501-16965-1-git-send-email-kraxel@redhat.com
2016-04-13 15:52:28 +02:00
Ladi Prosek
1a782629f6 virtio-input: implement pass-through evdev writes
The write path for pass-through devices, commonly used for controlling
keyboard LEDs via EV_LED, was not implemented. This commit adds the
necessary plumbing to connect the status virtio queue to the host evdev
file descriptor.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 1459511146-12060-1-git-send-email-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-13 15:52:28 +02:00
Ladi Prosek
848c4d4480 virtio-input: retrieve EV_LED host config bits
VIRTIO_INPUT_CFG_EV_BITS with subsel of EV_LED was always
returning an empty bitmap for pass-through input devices.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 1459418028-7473-1-git-send-email-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-13 15:52:28 +02:00
Ladi Prosek
27a7bbcdf9 virtio-input: add missing key mappings
KEY_PAUSE is flat out missing. KEY_SYSRQ already has a keycode
assigned but it's not what I'm seeing on my system. The mapping
doesn't appear to have to be unique so both keycodes now map to
KEY_SYSRQ which is what the "Keyboard PrintScreen", HID usage ID
0x46, translates to.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 1459343240-19483-1-git-send-email-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-13 15:52:28 +02:00
Marc-André Lureau
6dc64780c2 ivshmem: fix ivshmem-{plain,doorbell} crash without arg
"qemu -device ivshmem-{plain,doorbell}" will crash, because the device
doesn't check that the required argument is provided. (screwed up in
commit 5400c02)

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
2016-04-13 12:01:47 +02:00
Pavel Butsykin
502356eeeb ide: really restart pending and in-flight atapi dma
Restart of ATAPI DMA used to be unreachable, because the request to do
so wasn't indicated in bus->error_status due to the lack of spare bits, and
ide_restart_bh() would return early doing nothing.

This patch makes use of the observation that not all bit combinations were
possible in ->error_status. In particular, IDE_RETRY_READ only made sense
together with IDE_RETRY_DMA or IDE_RETRY_PIO. This allows to re-use
IDE_RETRY_READ alone as an indicator of ATAPI DMA restart request.

To makes things more uniform, ATAPI DMA gets its own value for ->dma_cmd.
As a means against confusion, macros are added to test the state of
->error_status.

The patch fixes the restart of both in-flight and pending ATAPI DMA,
following the scheme similar to that of IDE DMA.

[Including a fixup patch:
Message-id: 1460465594-15777-1-git-send-email-pbutsykin@virtuozzo.com
--js]

Signed-off-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Roman Kagan <rkagan@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1459924806-306-4-git-send-email-den@openvz.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-04-12 18:48:15 -04:00
Pavel Butsykin
9a41826f38 ide: restart atapi dma by re-evaluating command packet
ide_atapi_dma_restart() used to just complete the DMA with an error,
under the assumption that there isn't enough information to restart it.

However, as the contents of the ->io_buffer is preserved, it looks safe to
just re-evaluate it and dispatch the ATAPI command again.

Signed-off-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
Reviewed-by: Roman Kagan <rkagan@virtuozzo.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1459924806-306-3-git-send-email-den@openvz.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-04-12 16:47:52 -04:00
Pavel Butsykin
218fd37c68 ide: don't lose pending dma state
If the migration occurs after the IDE DMA has been set up but before it
has been initiated, the state gets lost upon save/restore. Specifically,
->dma_cb callback gets cleared, so, when the guest eventually starts bus
mastering, the DMA never completes, causing the guest to time out the
operation.

OTOH all the infrastructure is already in place to restart the DMA if
the migration happens while the DMA is in progress.

So reuse that infrastructure, by setting bus->error_status based on
->dma_cmd in pre_save if ->dma_cb callback is already set but DMAING is
clear. This will indicate the need for restart and make sure ->dma_cb
is restored in ide_restart_bh(); howeover since DMAING is clear the state
upon restore will be exactly "ready for DMA" as before the save.

Signed-off-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
Reviewed-by: Roman Kagan <rkagan@virtuozzo.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1459924806-306-2-git-send-email-den@openvz.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-04-12 16:47:52 -04:00
Anthony PERARD
d1fc684f36 xen: Fix IDE unplug
After commit e5e7855 (blockdev: Separate BB name management), starting a
guest with PVHVM support result in this assert:
qemu-system-i386: block/block-backend.c:173: blk_delete: Assertion `!blk->name' failed.

A backtrace show that a caller is pci_piix3_xen_ide_unplug().

This patch fix it.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Message-id: 1460382666-29885-1-git-send-email-anthony.perard@citrix.com
Signed-off-by: John Snow <jsnow@redhat.com>
2016-04-12 16:47:52 -04:00
Wei Liu
4df26e88ee xenfb: use the correct condition to avoid excessive looping
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <=
out_cons"), ">=" was used. In fact, a full ring is a legit state.
Correct the test to use ">".

Reported-by: "Hao, Xudong" <xudong.hao@intel.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: "Hao, Xudong" <xudong.hao@intel.com>
Acked-by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
2016-04-12 10:16:08 -07:00
Prasad J Pandit
3a15cc0e1e net: stellaris_enet: check packet length against receive buffer
When receiving packets over Stellaris ethernet controller, it
uses receive buffer of size 2048 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-11 14:22:33 +01:00
Gerd Hoffmann
fa49e4656a virtio-gpu: block live migration
Feeling a bit nervous putting the full live migration support
patch (https://patchwork.ozlabs.org/patch/606902/) in that
late in the 2.6 devel cycle as it carries some non-trivial
changes.  So disable migration in case virtio-gpu is present
for now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-11 12:36:34 +02:00
Gerd Hoffmann
ca58b45fbe ui/virtio-gpu: add and use qemu_create_displaysurface_pixman
Add a the new qemu_create_displaysurface_pixman function, to create
a DisplaySurface backed by an existing pixman image.  In that case
there is no need to create a new pixman image pointing to the same
backing storage.  We can just use the existing image directly.

This does not only simplify things a bit, but most importantly it
gets the reference counting right, so the backing storage for the
pixman image wouldn't be released underneath us.

Use new function in virtio-gpu, where using it actually fixes
use-after-free crashes.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1459499240-742-1-git-send-email-kraxel@redhat.com
2016-04-11 12:32:01 +02:00
Peter Maydell
9628af036f MIPS patches 2016-04-08
Changes:
 * fix off-by-one error in ITU
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJXB300AAoJEFIRjjwLKdprPP4IAJIP7DyeQz9fQhckk+oKWvUo
 4h2W5Rx+6KhWE+kvdi1cNwWuIGdwByjodC8mS5hQjJyPs/NIWE8q+8YoxrfTxFaS
 2OkTr4IKb1l+8myVk36MThsw+PXkI4XA3PP3paTJ5u6rxyZgLcpMlfzx4Mn1cNYh
 SVQ3zjO6q49ZuqJbXyUTEMu+Fpqzp1ejHz+GLKeGvLMAW559XBsMOQurtXIGKN1w
 ZOc214FIdx4K5Ywtl7nLt1xwiRocnORdYOjqW09PhELxMM+sg/3tse5UJMZV5Moi
 WYk4dt8wVUIxoMTu9I1cn7afiVN53u2YO6bvyESTf+z9bBYuwWCOiFnIEegf0FA=
 =ZPQ1
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160408' into staging

MIPS patches 2016-04-08

Changes:
* fix off-by-one error in ITU

# gpg: Signature made Fri 08 Apr 2016 10:43:16 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"

* remotes/lalrae/tags/mips-20160408:
  hw/mips_itu: fix off-by-one reported by Coverity

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-08 13:45:52 +01:00
Peter Maydell
8227e2d167 pci, virtio, acpi: fixes for 2.6
Fixes all over the place. Most notably, fixes migration
 for systems with pci express bridges, and random crashes
 observed with virtio blk and scsi dataplane.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXB2OKAAoJECgfDbjSjVRpcfkH/jRxiCmaC2hArYS+xK1HXJuf
 FUuI6JpbrvcuxdoNNm3E3BLM+vweYJ2JsVfY47l7zFcQVnBCmdRw4JMUetpqvt5C
 ekEwuokvWcSwdCT6y3mUW3euZ5iBoiFxYAvjwtM4p2Aut6urZUA3oeBSsSikGWJj
 itKsdeaaGN5bzC7BJYROUIs8VuK4VfIPpRBGF20smfMjXZq2liOnW7NK5mQ8BClg
 klXfLnZ39IdR+MQ37J1uo9TgY/HcdOGRK1KYezq+6nsO4jlAfGrDr99+D9bsheLJ
 G1jZLDEa+oTjfoCvqVkCK3+8O2vvHQe2BeR9sCEipYY9401gQPCqq4fmhv8/+O0=
 =U4yU
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pci, virtio, acpi: fixes for 2.6

Fixes all over the place. Most notably, fixes migration
for systems with pci express bridges, and random crashes
observed with virtio blk and scsi dataplane.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Fri 08 Apr 2016 08:53:46 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  hw/pci-bridge: Add missing unref in case register-bus fails
  virtio: merge virtio_queue_aio_set_host_notifier_handler with virtio_queue_set_aio
  virtio-scsi: use aio handler for data plane
  virtio-blk: use aio handler for data plane
  virtio: add aio handler
  virtio-scsi: fix disabled mode
  virtio-blk: fix disabled mode
  virtio: make virtio_queue_notify_vq static
  tests/bios-tables-test: fix assert
  virtio-balloon: reset the statistic timer to load device
  Migration: Add i82801b11 migration data
  Sort the fw_cfg file list
  xen: piix reuse pci generic class init function
  pci-testdev: fast mmio support
  acpi: Add missing GCC_FMT_ATTR

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-08 12:45:53 +01:00
Peter Maydell
3be4f4d724 ppc patch queue for 2016-04-08
Just a single bugfix for spapr in this batch, but I want to make sure
 it gets in for 2.6.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXBzt1AAoJEGw4ysog2bOSyGQQAIL4aADwOhNoVLjtvBN3eoPQ
 cP+Ps3DCK/9Z9l00cMR6/8zk5Q2Nb1FLf2Y3f3c2JVEFER8XCnsYPIyYfOZaMex4
 /8DUfVueTh0RmpxhWwA4vQJtDqrilB0tUkkqgWFPE2luJcTVTUU7mig788d2yrmp
 J35ncNaMcrXGy0Uh/wBlnOpfHD17ds8Sgpw02TT9QusqIjq8MWIkgat0v+h4RmRL
 lzEE5N1Vp8vOvJENTEnuuKFbFTxcvhBS+A2K1y+s10k7c1CuFFJpAZY7g3T4hpqU
 NZAirty5WeMlSYk9A0gQhgHWq2XSgbDWWj6tMGd5sCEQH5D6Kty0TPWnCpzSxjgu
 aqGr7BqAV+NV/Rr/jGy4gvE432f1pZWUIxq271OH9H5aniCWSYFBR7w4UEaM1BPQ
 I5tzkp7P1PMWIm/K5ryFVo083kU08KFXZDSbQR/vu4O+DuohPUKYid5cv4wJj/W+
 GSzBwTwtp8iY2rs/nbMptSYHKYFYtd5PuALf4BoK62sF72NtWq+41X3QV8I4cIQd
 hM03NyuObgnY7aygPmo9OGsvW/Dx8DKKoEO0QX+2gFa22rJ+j7RLSu7pHFW1JEXa
 5VkVlTtN8L5NeeG0PdkgkChcgiqahUA6bRjekpFzdoncfsmmiPkiP5xQqK1DVKhW
 SoJacddcj86QGpT1aioU
 =4ZAr
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160408' into staging

ppc patch queue for 2016-04-08

Just a single bugfix for spapr in this batch, but I want to make sure
it gets in for 2.6.

# gpg: Signature made Fri 08 Apr 2016 06:02:45 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.6-20160408:
  spapr: Fix ibm,lrdr-capacity

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-08 11:54:19 +01:00
Peter Maydell
24790aefe0 Xtensa-related fixes:
- fix networking on xtfpga platform in linux v4.5 by indicating
   autonegotiation completion in opencores_eth MII BMSR.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXBuBXAAoJEFH5zJH4P6BEwAwP/0+MvaQCwv0IXKA6lPgUgDFl
 oofrkJhC/4eV+n0LF7v6kl2WeZvK+kG4qJHDqp9ARlGel5qzGQ8pORqx+S7U3TrD
 Qxw6xwbYNOf+vstDnN36fnd7rUlRwl5QjaWXA3zemya9uaFKX748mq5AV52T6GU+
 C3jmUiMMlE/2B5EkLiR6D1K/MkAsf41plvfIhTozxcxQqjNkeIzYRwli7TAKiDxI
 KZZGCIC0Jh1ZHevvbX3bdrj+0xf+pDeB5tG26ZnXjf2zbrnft589PqNsNZ2TcZ6m
 RBNYOJBqQx+h0FHCNonMveZKNZ6HvIMC+AHmwM8nfmRxPMeqWyLwyiI0w5x0vhW5
 bnsAcPY67BaVJddDDD+udfMGUAHAb1QttcwNYUOTal3SJGDGbUmKb2OVyeRmXpoH
 4DIOlhno45bd7pagkefENR9MuOqwxrzm4qkkyazYogwyXilLPOrVgYHW2COQRsJ8
 PG180PDsY0FYmmf1i/64LJDKXOIjf1VnFDTC3lWoVbibDiNtvAEvAMgAdnNqmTHT
 Xl1RuDdZke28TmsU4gRKiLsGIwentiTJxNMiKCjpDYsrTIN7f2GwirL8wNnYuz79
 iNKPcWOh/fNxTnLVkheoyzc1fOPUzq36I+RALxA2WkvEmOUdKobXCmABDz0ByQBh
 Z+/B0kXXQ0hAK84qR6eB
 =otcW
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/xtensa/tags/20160408-xtensa' into staging

Xtensa-related fixes:

- fix networking on xtfpga platform in linux v4.5 by indicating
  autonegotiation completion in opencores_eth MII BMSR.

# gpg: Signature made Thu 07 Apr 2016 23:33:59 BST using RSA key ID F83FA044
# gpg: Good signature from "Max Filippov <max.filippov@cogentembedded.com>"
# gpg:                 aka "Max Filippov <jcmvbkbc@gmail.com>"

* remotes/xtensa/tags/20160408-xtensa:
  opencores_eth: indicate autonegotiation completion

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-08 11:28:49 +01:00
Peter Maydell
28ee01269e * NBD fixes from Alex and Eric
* Debug code bitrot from Emilio
 * HPET fix from Bill
 * ps2kbd fix from Hervé
 * PKU fix from myself
 * Coverity fixes from Gonglei
 * More memory.txt update from Jiangang
 * .gitignore maintenance from Changlong
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJXBtpMAAoJEL/70l94x66Dz18H/im1nR9+DII3V4Ch2DOA/xaL
 gCDHOr+KOXnzLcKQytfBCRjVsXZKnd2kayxtDrFc6ebCh7+Uar5+Z21P0wzCry5a
 Z/LohJXg7rdHCNaF+9yW7uVbvDjuaepnS1fO9PaMnLviLjqxbIhZixYvuYRPwXD7
 oFp88+cbgONIFTe7riXaVGBjjjsyTV8DyXyyS7zlBsuaTihfSYDuYy8upgrCk3Af
 k9P/VqHxoNpnR1dMPVJdjyN6UQwWYB6i1g4GOEFessRu3H7wz0zCtzUuFL8dGIEs
 3VZ7pQ/1QCPr5zaMn7EXofusxeZhU+gZwDnp/bsgGSI73MnMZkTB4Ws8CPf6AXA=
 =1rhX
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* NBD fixes from Alex and Eric
* Debug code bitrot from Emilio
* HPET fix from Bill
* ps2kbd fix from Hervé
* PKU fix from myself
* Coverity fixes from Gonglei
* More memory.txt update from Jiangang
* .gitignore maintenance from Changlong

# gpg: Signature made Thu 07 Apr 2016 23:08:12 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"

* remotes/bonzini/tags/for-upstream:
  target-i386: check for PKU even for non-writable pages
  tests: ignore test-logging
  translate-all: add missing fold of tb_ctx into tcg_ctx
  hostmem-file: fix memory leak
  spapr: fix possible Negative array index read
  nbd: do not hang nbd_wr_syncv if outside a coroutine and no available data
  nbd: Don't kill server when client requests unknown option
  nbd: Fix NBD unsupported options
  qemu-nbd: Document -x option
  nbd: Improve debug traces on little-endian
  nbd: Avoid bitrot in TRACE() usage
  nbd: Return correct error for write to read-only export
  docs: fix typo in memory.txt
  hw/timer: Revert "hpet: inverse polarity when pin above ISA_NUM_IRQS"
  ps2kbd: default to scancode_set 2, as with KBD_CMD_RESET

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-08 10:25:22 +01:00
Leon Alrae
f2eb665a11 hw/mips_itu: fix off-by-one reported by Coverity
Fix off-by-one error in ITC Tag read.

Remove the switch as we just want to check if index is in valid range
rather than test against list of values.

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2016-04-08 09:19:26 +01:00
Bharata B Rao
a110655a06 spapr: Fix ibm,lrdr-capacity
ibm,lrdr-capacity has a field to describe the maximum address in bytes
and therefore, the most memory that can be allocated to this guest. We
are using maxmem for this field, but instead should use the actual RAM
address corresponding to the end of hotplug region.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-08 11:18:10 +10:00
Gonglei
1a5512bb7e spapr: fix possible Negative array index read
fix CID 1351391.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <1456998223-12356-6-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-04-08 00:07:56 +02:00
Bill Paul
ecba19935a hw/timer: Revert "hpet: inverse polarity when pin above ISA_NUM_IRQS"
This reverts commit 0d63b2dd31.

This change was originally intended to correct the HPET behavior
in conjunction with Linux, however the behavior that it actually creates
is not compatible with the ioapic.c implementation; it used to be
compatible with KVM's own IOAPIC but it is not anymore.

Signed-off-by: Bill Paul <wpaul@windriver.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Richard Henderson <rth@twiddle.net>
CC: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <201604051558.20070.wpaul@windriver.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-04-08 00:07:43 +02:00
Hervé Poussineau
089adafdc6 ps2kbd: default to scancode_set 2, as with KBD_CMD_RESET
This line has been added in commit ef74679a81 with
other initializations. However, scancode set 0 doesn't exist (only 1, 2, 3).
This works well as long as operating system is resetting keyboard, or overwriting
the current scancode set with the one it wants.

This fixes IBM 40p firmware, which doesn't bother sending KBD_CMD_RESET or KBD_CMD_SCANCODE.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-Id: <1458714100-28885-1-git-send-email-hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-04-08 00:07:36 +02:00
Wei Jiangang
2e4278b534 hw/pci-bridge: Add missing unref in case register-bus fails
The error paths after a successful qdev_create/pci_bus_new
should contain a object_unref/object_unparent.
pxb_dev_init_common() did not yet, so add it.

Signed-off-by: Wei Jiangang <weijg.fnst@cn.fujitsu.com>
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
2016-04-07 19:57:33 +03:00
Paolo Bonzini
a378b49a43 virtio: merge virtio_queue_aio_set_host_notifier_handler with virtio_queue_set_aio
Eliminating the reentrancy is actually a nice thing that we can do
with the API that Michael proposed, so let's make it first class.
This also hides the complex assign/set_handler conventions from
callers of virtio_queue_aio_set_host_notifier_handler, which in
fact was always called with assign=true.

Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-04-07 19:57:33 +03:00