Commit Graph

57539 Commits

Author SHA1 Message Date
Eric Blake
51ae4f8455 nbd/server: CVE-2017-15118 Stack smash on large export name
Introduced in commit f37708f6b8 (2.10).  The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256.  However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.

The smash can be easily demonstrated with this client:
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)

If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs).  Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
2017-11-28 06:58:01 -06:00
Eric Blake
fdad35ef6c nbd/server: CVE-2017-15119 Reject options larger than 32M
The NBD spec gives us permission to abruptly disconnect on clients
that send outrageously large option requests, rather than having
to spend the time reading to the end of the option.  No real
option request requires that much data anyways; and meanwhile, we
already have the practice of abruptly dropping the connection on
any client that sends NBD_CMD_WRITE with a payload larger than 32M.

For comparison, nbdkit drops the connection on any request with
more than 4096 bytes; however, that limit is probably too low
(as the NBD spec states an export name can theoretically be up
to 4096 bytes, which means a valid NBD_OPT_INFO could be even
longer) - even if qemu doesn't permit exports longer than 256
bytes.

It could be argued that a malicious client trying to get us to
read nearly 4G of data on a bad request is a form of denial of
service.  In particular, if the server requires TLS, but a client
that does not know the TLS credentials sends any option (other
than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
payload of nearly 4G, then the server was keeping the connection
alive trying to read all the payload, tying up resources that it
would rather be spending on a client that can get past the TLS
handshake.  Hence, this warranted a CVE.

Present since at least 2.5 when handling known options, and made
worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
to handle unknown options.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
2017-11-28 06:42:26 -06:00
Peter Maydell
a914f04c23 Merge qio 2017/11/28 v1
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJaHT8kAAoJEL6G67QVEE/fAwsQAJ1v9Qa8jUaqC5G58hnpR++f
 wtBtp6+wO2xJhrwlIQwWwOZ6NJysljQ8gPekAMjsKXunFC8eoclfJFOLDkVMo88Q
 UREXbxDCjBpcBP/+WpdFmCS7TllWSu/vWlQBOPbgjB9ggQv/lvqJJLpcpkYKo2ea
 xR3cAvgKtHWZTW3X/Wkv45Co8NVKap3f4q4BXXKPCQyzIfbuM/JAV+AqvrCNCo6B
 2LNK7JWfHqnfuQQ7cZ/9ogBMuaLqN5XnX7+cyPI41v3WBaoktTqXjanwcAUXWXGN
 dsOfO4CdNdToOGgGV61gh2bKuuVuABLWmlIIVC2fwEAymzx+k70EWKXCzxYLTfr3
 VfBcXZlYMPWVRcZYFjJWS6YumYnCIT17u1+V0Rq7misIvJpPS3nwjtKzZtjStOwU
 +WZRRgz7zlyI/d1zQjl6PjqNaTScejRwZgs+snGZpYPvmYMVVh8S7SRlfGIif/PE
 3g86pezIWeDnLaWFI2/S6F4qiCtqk02tO21Xylg/LM9O9HZaDP9wIZ66IPVC6JLT
 QoTHECExlceGjV+wLX9T9CRkMeMNHpTp57rsH0K03rofe4DHPL66EiansFu4KGQn
 o4ayxQWn/rzS731h6V6otl4YWuhFFs7KRHuNe6IioenqBZX30/uh9DuKg4yORLOB
 6XUSZe4HcvaJcudTY1QM
 =Jm6n
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/berrange/tags/pull-qio-2017-11-28-1' into staging

Merge qio 2017/11/28 v1

# gpg: Signature made Tue 28 Nov 2017 10:49:08 GMT
# gpg:                using RSA key 0xBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/pull-qio-2017-11-28-1:
  sockets: avoid crash when cleaning up sockets for an invalid FD

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-28 11:52:11 +00:00
Daniel P. Berrange
2d7ad7c05e sockets: avoid crash when cleaning up sockets for an invalid FD
If socket_listen_cleanup is passed an invalid FD, then querying the socket
local address will fail. We must thus be prepared for the returned addr to
be NULL

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-11-28 10:48:04 +00:00
Peter Maydell
c7e1f823ae -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJaHN7TAAoJEO8Ells5jWIRkYYH/jUDWH5/LXVnA+2R8/k8/jQL
 wyXvVKdAJloU1MZ1N49dpPifkQjLcRZ2CD0o+5W91z1WSOj4966/+C9+nNsogJpn
 08hq01zdnquNQf/4z1Gl2hoIYQe/z1AaDCNuI1py/vUDh4+VwkxXBtf8DSeBveja
 1+qdg+NCWWrwp9f5cygR9F4tOI+HfYjqI6nqIBsITXeQ3zPUbs+1Ry1YRJ+kUKqI
 xixxKm2M2sYKHtEFTtHQpvEMbKxuuEaGGZ6uHgm6t7HIcGE1YOn1NIPa4AvTfeFO
 2tKcynR0c3Svhq07b3M/JrnPhjQgOfOUwzaLB5sHNThkjV65jS0/23M5cTvo5tI=
 =mazL
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Tue 28 Nov 2017 03:58:11 GMT
# gpg:                using RSA key 0xEF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  virtio-net: don't touch virtqueue if vm is stopped

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-28 10:03:26 +00:00
Jason Wang
70e53e6e4d virtio-net: don't touch virtqueue if vm is stopped
Guest state should not be touched if VM is stopped, unfortunately we
didn't check running state and tried to drain tx queue unconditionally
in virtio_net_set_status(). A crash was then noticed as a migration
destination when user type quit after virtqueue state is loaded but
before region cache is initialized. In this case,
virtio_net_drop_tx_queue_data() tries to access the uninitialized
region cache.

Fix this by only dropping tx queue data when vm is running.

Fixes: 283e2c2adc ("net: virtio-net discards TX data after link down")
Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-11-28 11:54:50 +08:00
Kashyap Chamarthy
c117bb14ff QAPI & interop: Clarify events emitted by 'block-job-cancel'
When you cancel an in-progress 'mirror' job (or "active `block-commit`")
with QMP `block-job-cancel`, it emits the event: BLOCK_JOB_CANCELLED.
However, when `block-job-cancel` is issued *after* `drive-mirror` has
indicated (via the event BLOCK_JOB_READY) that the source and
destination have reached synchronization:

    [...] # Snip `drive-mirror` invocation & outputs
    {
      "execute":"block-job-cancel",
      "arguments":{
        "device":"virtio0"
      }
    }

    {"return": {}}

It (`block-job-cancel`) will counterintuitively emit the event
'BLOCK_JOB_COMPLETED':

    {
      "timestamp":{
        "seconds":1510678024,
        "microseconds":526240
      },
      "event":"BLOCK_JOB_COMPLETED",
      "data":{
        "device":"virtio0",
        "len":41126400,
        "offset":41126400,
        "speed":0,
        "type":"mirror"
      }
    }

But this is expected behaviour, where the _COMPLETED event indicates
that synchronization has successfully ended (and the destination now has
a point-in-time copy, which is at the time of cancel).

So add a small note to this effect in 'block-core.json'.  While at it,
also update the "Live disk synchronization -- drive-mirror and
blockdev-mirror" section in 'live-block-operations.rst'.

(Thanks: Max Reitz for reminding me of this caveat on IRC.)

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-11-27 14:59:35 +01:00
Peter Maydell
5e19aed59a ppc patch queue 2017-11-27
This series contains a couple of migration fixes for hash guests on
 POWER9 radix MMU hosts.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAloblCMACgkQbDjKyiDZ
 s5LHjRAAy/hpTIcZvrV48Rem48aI+aWP8f0CJBkywkqZIDZFpUPimSr7ETO6Bhhy
 bwLNY1oQSbEdsl7G/B1gpxLK2VkiNVkBUOZVP59yfydVXzw30b6pedoRJN3rpyax
 ex+rSNkfW/ZA4zmjHT2jvrokj+mxRSj1IvjLglfPgAiLaIaKVurWFkOQzP/LLbUB
 IleMRj2Jvh4WS9HIXNfErgyfiwHqdIKdAL5+a5v97J20qTy3Pvz6e8WSItQjUYF1
 RqN5lPDX3a+s0nXRxO4Nko1vLN2gFFqI5sK/M3TcwrMZnoiXfaY50rDQyxxA1Ycu
 leyuIqqopIQDRCAvkHYO6DCS2P2k+BTLQ0K7LcNRgOmMdyqMbOrTQVLQKyNFDQaZ
 4d2OSogJwEI1nFgsBnxXmIT8Lkyydc9j/nFg0q2xpV2ADdHzBv4bgrNW6go2OSkl
 RpV6kViB4Drhkt/oYJ6+NaObDUTPxoD9sAJ+wHFQcUvGgj41zHDDvOF1MuyKxNgc
 xVNE1oUZB4XjsXIIiY6FVR50+OX8ygZSOAjUlDg5cWA4B5k14g7IHQTMPsu4D6p0
 UiGyfNobuQfxV+lhF4kcm0OnlG+AD2EVOmgiwGumg39wzMFOaIw7qxcYbFjUCsAo
 2M0x9wrXw0pslhx2SsVQITtHdiQsOFWap4LqUBR5tmxxPYm5wmk=
 =F0lq
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.11-20171127' into staging

ppc patch queue 2017-11-27

This series contains a couple of migration fixes for hash guests on
POWER9 radix MMU hosts.

# gpg: Signature made Mon 27 Nov 2017 04:27:15 GMT
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.11-20171127:
  target/ppc: Fix setting of cpu->compat_pvr on incoming migration
  target/ppc: Move setting of patb_entry on hash table init

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-27 11:16:20 +00:00
Fam Zheng
1878eaff9b qemu-options: Mention locking option of file driver
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-11-27 11:25:41 +01:00
Fam Zheng
b1d1cb2728 docs: Add image locking subsection
This documents the image locking feature and explains when and how
related options can be used.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-11-27 11:25:41 +01:00
John Snow
45f1882a9e iotests: fix 075 and 078
Both of these tests are for formats which now stipulate that they are
read-only. Adjust the tests to match.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Lukáš Doktor <ldoktor@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-11-27 11:25:41 +01:00
Suraj Jitindar Singh
e07cc19295 target/ppc: Fix setting of cpu->compat_pvr on incoming migration
cpu->compat_pvr is used to store the current compat mode of the cpu.

On the receiving side during incoming migration we check compatibility
with the compat mode by calling ppc_set_compat(). However we fail to set
the compat mode with the hypervisor since the "new" compat mode doesn't
differ from the current (due to a "cpu->compat_pvr != compat_pvr" check).
This means that kvm runs the vcpus without a compat mode, which is the
incorrect behaviour. The implication being that a compatibility mode
will never be in effect after migration.

To fix this so that the compat mode is correctly set with the
hypervisor, store the desired compat mode and reset cpu->compat_pvr to
zero before calling ppc_set_compat().

Fixes: 5dfaa532 ("ppc: fix ppc_set_compat() with KVM PR")

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-11-27 12:20:11 +11:00
Suraj Jitindar Singh
ee4d9ecc36 target/ppc: Move setting of patb_entry on hash table init
The patb_entry is used to store the location of the process table in
guest memory. The msb is also used to indicate the mmu mode of the
guest, that is patb_entry & 1 << 63 ? radix_mode : hash_mode.

Currently we set this to zero in spapr_setup_hpt_and_vrma() since if
this function gets called then we know we're hash. However some code
paths, such as setting up the hpt on incoming migration of a hash guest,
call spapr_reallocate_hpt() directly bypassing this higher level
function. Since we assume radix if the host is capable this results in
the msb in patb_entry being left set so in spapr_post_load() we call
kvmppc_configure_v3_mmu() and tell the host we're radix which as
expected means addresses cannot be translated once we actually run the cpu.

To fix this move the zeroing of patb_entry into spapr_reallocate_hpt().

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-11-27 12:20:11 +11:00
Peter Maydell
e7b47c22e2 osdep.h: Make TIME_MAX handle different time_t types
In our various supported host OSes, the time_t type may be either 32
or 64 bit, and could in theory also be either signed or unsigned.
Notably, in OpenBSD time_t is a 64 bit type even if 'long' is 32
bits, so using LONG_MAX for TIME_MAX is incorrect.

Use an approach suggested by Paolo Bonzini which calculates
the maximum value of the type rather than hardcoding it;
to do this we use the TYPE_MAXIMUM macro from Gnulib.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1511452598-6077-1-git-send-email-peter.maydell@linaro.org
2017-11-24 13:23:36 +00:00
Eric Auger
79283dda30 hw/arm/virt: Add 2.11 machine type
Add virt-2.11 machine type.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1511516626-21178-1-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-24 11:28:56 +00:00
Peter Maydell
38e83b6bed Deal with the fallout from the deletion of the old s390 virtio header
in Linux master.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaF+zhAAoJEN7Pa5PG8C+vNEQQAIxXNq34DXYtuaJneEtUzybI
 HF3c/dltk3WzIZFfzeFMMG3cCuZ4bS46Y3OtpzB/7CyI3PtDae5a2Sc/6CkUPNVM
 3C4qcfIvWcHnmMfqAY+Eivc9etuVOEil8A/JAywLMtAGcMX5lesOy/jgsck3p3Gn
 JZkNOdnKGJBeJHnHh43pSaI3YeDevQCPYT0cSe3t/nDfuKXFns1/ID97ZY1n2cY3
 Mmopj0HsyEuE0oxUTOSKWFpb31AtlvnBkSWxJW0ch0RYlh5ZhCLBZ4m+QN8xVVvi
 0lRAZxMaBwtWm9YtlWZwWi4ikxCZNZMCgMXLTIGJk4K2g0zrV4c77iYOiV4oTHOu
 Y0ANkc2tftvF2SxYgeAA749RqtgZqUL8ydeedqrikO6MIKm2Awl2Jqd8RSje8tcR
 4SpgeFrOPPap4UYLkanoEPacBuLwpEei2TznJJIxJd1B8TkCIm3LCJqKroNANTtU
 2TAVavSPfxu3XWX+pgCU+ro3vB8/qCPZ+hQ02fDwDVMqTeDfMN0vxj4Ogt9JX0Uo
 J3NCsNDDSHkDMuqeFOoFzs+m8OOiIboTL7W1AIAqDsxvx/gDaZ/vuGBbyh7vpcO5
 eLtJgX/pt2H0srx+0mZ0UxDALdn/Yo6ebhfjEZeFJ/6cgX6GB5ZHvvWQnaDVDKHB
 lpUv6A+qoOQ/TIOsIfBZ
 =3Zen
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20171124' into staging

Deal with the fallout from the deletion of the old s390 virtio header
in Linux master.

# gpg: Signature made Fri 24 Nov 2017 09:56:49 GMT
# gpg:                using RSA key 0xDECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>"
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20171124:
  s390/kvm_virtio/linux-headers: remove traces of old virtio transport

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-24 10:26:20 +00:00
Christian Borntraeger
c1c4c2192c s390/kvm_virtio/linux-headers: remove traces of old virtio transport
We no longer support the old s390 transport, neither does the newest
Linux kernel. Remove it from the linux header script as well as the
s390x virtio code.  We still should handle the VIRTIO_NOTIFY hypercall,
to tolerate early printk on older guest kernels without an sclp console.
We continue to ignore these events.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-Id: <20171115154223.109991-1-borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2017-11-24 10:52:05 +01:00
Brad Smith
c65d5e4e1d configure: Deal with OpenBSD/i386 emulation linker
OpenBSD/i386 uses elf_i386_obsd for the emulation linker.

Signed-off-by: Brad Smith <brad@comstyle.com>
Message-id: 20171107234608.GA395@humpty.home.comstyle.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-23 16:52:24 +00:00
Peter Maydell
54c85bebb5 migration/next for 20171122
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJaFTihAAoJEPSH7xhYctcj12AQAIFdsnLzOl5GlBOKgakwF3is
 09sHP0bV1S/1b8mW2z/Axrkj02qyUmXKXcl4vqwbSf6cYzwdXNhzWYCcXy+OBtQ2
 sQCYP83CjzFW6m79UJZZ3iHxJvoxduaH490XzLs25EwnHOPLIgdmkeEeQLLk1N3a
 yncZu65Psf+LqEx3BeWUYgUaFACszxZ7cv/IE68VLvk9V7xKFSDioo69DZHrKqE/
 Ov9D34/GMKf450jKdH0V4vFjz/8QT4+PJpcCnRmVelIDRGLDteolTXMb6hVLXz/O
 q8VrWFzHbqu4TDS8jvL1oxSXKK1f8VVOSnvUVIIcsnXvfsyfistjxoEUfVUCP+h3
 e95fFFYlYUrKgY3JVhSXx09b5VglsyF8VEHaW5HnJOQyDAxDi0FJHTWVF5g3/7ZQ
 1JY+KCU1WuPslTQiDfbS48EZ3brPPIJAWszFWa/L9yufQo6lUX3WZrqrIGbkxb70
 zDi60lXUJh8kD63Fn0tBT0pDMG/5kEjwruIt8pNb5dFBa5xHl9ZF2PowtLtokTBj
 9PTe23cuzksWqRn1oqEHSy0IuX1/IHNvEndIJrOo8GR4BWCPnHsWNKy9asahGJN9
 gcVLkmPKzjCfr8MeRogLJmDwYTVJvBocgPRBuTllHw77jJZM0ZN/RhVUtTXFxkNs
 GtL5tPSjTB5eUJmLFCnY
 =fmeh
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20171122' into staging

migration/next for 20171122

# gpg: Signature made Wed 22 Nov 2017 08:43:13 GMT
# gpg:                using RSA key 0xF487EF185872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>"
# gpg:                 aka "Juan Quintela <quintela@trasno.org>"
# Primary key fingerprint: 1899 FF8E DEBF 58CC EE03  4B82 F487 EF18 5872 D723

* remotes/juanquintela/tags/migration/20171122:
  migration/ram.c: do not set 'postcopy_running' in POSTCOPY_INCOMING_END
  migration, xen: Fix block image lock issue on live migration

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-23 13:50:00 +00:00
Peter Maydell
1b89975d42 ppc patch queue 2017-11-22
Several more fixes to merge for qemu-2.11.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAloU/UUACgkQbDjKyiDZ
 s5IIzBAAl9r9G3JaJ4a56u8OhLwxIFQ9BM+RwehsPvzDZoDtWbAcD9UQvgLkatGh
 xvTpqnF3+6qhM7fVCBK7EeY9oEivHMQhOdr0480/LdG6pSQ2LH1rcRjw1qHj5aHl
 nY3sR97WuAJR4fBJRISZoYTO+0w1u77wjY+hsu57PZxX9M8S00veUQeu+xzQCY4A
 d0f3uvcvFRUPaMTJvBPok0NYz/6L5fAZ+cAUWma89erH2CLET3+VJAHd8mt8Z+22
 yaA+JIWEXBG98ufH5DeZVogZTbnBIlIjHeGwqhIkR0xL4xWTKyNFT9u+AzJfRAi+
 sKNAl/5QjwM5yoYmF9ibeK5pVJ8DVscdliuK0iHQyNzgJUaPaGoBVFbroG5XljXD
 96GAcz1PwxQKIDF8HdswselZx9zvMH4GQ6aba4we9xCjYdOmc6K6Gh9F3YEvPZ0A
 sTu66TckAbGO8WGdJgIy9K26XN2UryaocgPpWWjqJp2p/8RPGzYKhSk++lJ0bSzq
 egPSBRSUDmATjwu2ElUclx165jn3k+Jhy6aCMlL+CpZFRk2ZienN2Rqhsi59lU6q
 DKgXi9zqAs1rU2BmcUgIjmCoR9pDCBeskeQvHTj8B8bgAiGnEjDhvyLcQdM8kokN
 NKarazCJPIzNd4FTAwPU4FbduiPXQy5+6dVHmPeJcm+A3xWnDVU=
 =pUcm
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.11-20171122' into staging

ppc patch queue 2017-11-22

Several more fixes to merge for qemu-2.11.

# gpg: Signature made Wed 22 Nov 2017 04:29:57 GMT
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.11-20171122:
  ppc: fix VTB migration
  spapr: Implement bug in spapr-vty device to be compatible with PowerVM
  hw/ppc/spapr: Fix virtio-scsi bootindex handling for LUNs >= 256

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-23 13:15:02 +00:00
Stefan Weil
2fe47fce78 Fix build of console and GUI executables for Windows
It was broken by commit 8ecc89f6e7 which
moved the SDL linker flags from macro libs_softmmu to macro SDL_LIBS.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 20171116163732.31584-1-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-23 10:46:42 +00:00
Juan Quintela
8f2c4cbc76 tcg: Fix compilation without TCG
Commit 2726627197 started to use tb_unlock() and tlb_set_dirty() on
non TCG code.  Add the functions as stubs, so that builds with TCG
disabled continue to compile.

Signed-off-by: Juan Quintela <quintela@redhat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
[PMM: tweaked commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-23 10:02:44 +00:00
Daniel Henrique Barboza
acab30b85d migration/ram.c: do not set 'postcopy_running' in POSTCOPY_INCOMING_END
When migrating a VM with 'migrate_set_capability postcopy-ram on'
a postcopy_state is set during the process, ending up with the
state POSTCOPY_INCOMING_END when the migration is over. This
postcopy_state is taken into account inside ram_load to check
how it will load the memory pages. This same ram_load is called when
in a loadvm command.

Inside ram_load, the logic to see if we're at postcopy_running state
is:

postcopy_running = postcopy_state_get() >= POSTCOPY_INCOMING_LISTENING

postcopy_state_get() returns this enum type:

typedef enum {
    POSTCOPY_INCOMING_NONE = 0,
    POSTCOPY_INCOMING_ADVISE,
    POSTCOPY_INCOMING_DISCARD,
    POSTCOPY_INCOMING_LISTENING,
    POSTCOPY_INCOMING_RUNNING,
    POSTCOPY_INCOMING_END
} PostcopyState;

In the case where ram_load is executed and postcopy_state is
POSTCOPY_INCOMING_END, postcopy_running will be set to 'true' and
ram_load will behave like a postcopy is in progress. This scenario isn't
achievable in a migration but it is reproducible when executing
savevm/loadvm after migrating with 'postcopy-ram on', causing loadvm
to fail with Error -22:

Source:

(qemu) migrate_set_capability postcopy-ram on
(qemu) migrate tcp:127.0.0.1:4444

Dest:

(qemu) migrate_set_capability postcopy-ram on
(qemu)
ubuntu1704-intel login:
Ubuntu 17.04 ubuntu1704-intel ttyS0

ubuntu1704-intel login: (qemu)
(qemu) savevm test1
(qemu) loadvm test1
Unknown combination of migration flags: 0x4 (postcopy mode)
error while loading state for instance 0x0 of device 'ram'
Error -22 while loading VM state
(qemu)

This patch fixes this problem by changing the existing logic for
postcopy_advised and postcopy_running in ram_load, making them
'false' if we're at POSTCOPY_INCOMING_END state.

Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
CC: Juan Quintela <quintela@redhat.com>
CC: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reported-by: Balamuruhan S <bala24@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2017-11-22 08:50:37 +01:00
Laurent Vivier
6dd836f5d3 ppc: fix VTB migration
Migration of a system under stress (for example, with
"stress-ng --numa 2") triggers on the destination
some kernel watchdog messages like:

NMI watchdog: BUG: soft lockup - CPU#0 stuck for 3489660870s!
NMI watchdog: BUG: soft lockup - CPU#1 stuck for 3489660884s!

This problem appears with the changes introduced by
    42043e4 spapr: clock should count only if vm is running

I think this commit only triggers the problem.

Kernel computes the soft lockup duration using the
Virtual Timebase register (VTB), not using the Timebase
Register (TBR, the one 42043e4 stops).

It appears VTB is not migrated, so this patch adds it in
the list of the SPRs to migrate, and fixes the problem.

For the migration, I've tested a migration from qemu-2.8.0 and
pseries-2.8.0 to a patched master (qemu-2.11.0-rc1). The received
VTB is 0 (as is it not initialized by qemu-2.8.0), but the value
seems to be ignored by KVM and a non zero VTB is used by the kernel.
I have no explanation for that, but as the original problem appears
only with SMP system under stress I suspect some problems in KVM
(I think because VTB is shared by all threads of a core).

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-11-22 15:28:37 +11:00
David Gibson
6c3bc244d3 spapr: Implement bug in spapr-vty device to be compatible with PowerVM
The spapr-vty device implements the PAPR defined virtual console,
which is also implemented by IBM's proprietary PowerVM hypervisor.

PowerVM's implementation has a bug where it inserts an extra \0 after
every \r going to the guest.  Because of that Linux's guest side
driver has a workaround which strips \0 characters that appear
immediately after a \r.

That means that when running under qemu, sending a binary stream from
host to guest via spapr-vty which happens to include a \r\0 sequence
will get corrupted by that workaround.

To deal with that, this patch duplicates PowerVM's bug, inserting an
extra \0 after each \r.  Ugly, but the best option available.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
2017-11-22 15:28:37 +11:00
Thomas Huth
bac658d1a4 hw/ppc/spapr: Fix virtio-scsi bootindex handling for LUNs >= 256
LUNs >= 256 have to be encoded with the so-called "flat space
addressing method" for virtio-scsi, where an additional bit has to
be set. SLOF already took care of this with the following commit:

 https://git.qemu.org/?p=SLOF.git;a=commitdiff;h=f72a37713fea47da
 (see https://bugzilla.redhat.com/show_bug.cgi?id=1431584 for details)

But QEMU does not use this encoding yet for device tree paths
that have to be handed over to SLOF to deal with the "bootindex"
property, so SLOF currently fails to boot from virtio-scsi devices
with LUNs >= 256 in the right boot order. Fix it by using the bit
to indicate the "flat space addressing method" for LUNs >= 256.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-11-22 15:28:37 +11:00
Anthony PERARD
5d6c599fe1 migration, xen: Fix block image lock issue on live migration
When doing a live migration of a Xen guest with libxl, the images for
block devices are locked by the original QEMU process, and this prevent
the QEMU at the destination to take the lock and the migration fail.

>From QEMU point of view, once the RAM of a domain is migrated, there is
two QMP commands, "stop" then "xen-save-devices-state", at which point a
new QEMU is spawned at the destination.

Release locks in "xen-save-devices-state" so the destination can takes
them, if it's a live migration.

This patch add the "live" parameter to "xen-save-devices-state" which
default to true so older version of libxenlight can work with newer
version of QEMU.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2017-11-21 19:42:26 +01:00
Peter Maydell
a15d835f00 Update version for v2.11.0-rc2 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 17:50:36 +00:00
Peter Maydell
64807cd779 -----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJaFFvtAAoJEL2+eyfA3jBXHgoP/2Hw6ksjPOUKwuRvOWJYvS27
 Vfr5S5yjayS3fB+6mSZJ4cX77ais0d7kyQgPyRfOI7ecMsgQXphYSJlf1ROM5VGY
 4Jn3d/jrJ1ZiN3bdQyFH4x0T8+/UuHILc5Hu0C0Jekk1sxGI/8j+k8J9pDVZ7j/8
 BvYLMqpnV+W1tGAXUlu8SwB3JqAjy8orO05bd9zN6Q0zPrrJuW+4evijHrB/LJwG
 HPSttN7khlCt+bPHSx1qDNKYr2lVE2RmaS6Nk3KS/lJgnmEerGCPTbLpno7IdQGu
 MJ+Lq2FzFNRJ2Il/7bqGio2KN3CmWlm2Kw1n6DuvjUjYXv1m4RlQ8x6EIZCcicN1
 sDARn3qm6in3v85WV0uav1ARyqn3XM2YDhDSx3VBQcvgm9pgQYuJ6ztOx3tfVJPz
 9T2R272CvOnlOFHyi5C9vZ1XEo9eJMgUNLVXPud+oMAjPodpOv04tK2IsoNOYfk0
 OX2aVuV/AvsLMD3xol3bcIOFNhVrv/ePV7J5n8TLZxOpJfbPLYkgC/gTTMkOLce3
 bO+W8YCp7GMPCmba6wx7x1frZOY5yg4gA4MVisN7vnnggr1LUU0AvkNw2CDZWj/m
 K6ZDJwTuBO1OjAUKURHxrRlcnqILaNeR3T7dS+7fS5tpkxxDkZlGZgBmJhw4/21K
 LvGpqDNcljvowdlKPKgB
 =s4RK
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into staging

# gpg: Signature made Tue 21 Nov 2017 17:01:33 GMT
# gpg:                using RSA key 0xBDBE7B27C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 3057

* remotes/cody/tags/block-pull-request:
  qemu-iotest: add test for blockjob coroutine race condition
  qemu-iotests: add option in common.qemu for mismatch only
  coroutine: abort if we try to schedule or enter a pending coroutine
  blockjob: do not allow coroutine double entry or entry-after-completion

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 17:05:49 +00:00
Jeff Cody
d975301dc8 qemu-iotest: add test for blockjob coroutine race condition
Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-11-21 11:58:12 -05:00
Jeff Cody
a2339699c3 qemu-iotests: add option in common.qemu for mismatch only
Add option to echo response to QMP / HMP command only on mismatch.

Useful for ignore all normal responses, but catching things like
segfaults.

Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-11-21 11:58:12 -05:00
Jeff Cody
6133b39f3c coroutine: abort if we try to schedule or enter a pending coroutine
The previous patch fixed a race condition, in which there were
coroutines being executing doubly, or after coroutine deletion.

We can detect common scenarios when this happens, and print an error
message and abort before we corrupt memory / data, or segfault.

This patch will abort if an attempt to enter a coroutine is made while
it is currently pending execution, either in a specific AioContext bh,
or pending execution via a timer.  It will also abort if a coroutine
is scheduled, before a prior scheduled run has occurred.

We cannot rely on the existing co->caller check for recursive re-entry
to catch this, as the coroutine may run and exit with
COROUTINE_TERMINATE before the scheduled coroutine executes.

(This is the scenario that was occurring and fixed in the previous
patch).

This patch also re-orders the Coroutine struct elements in an attempt to
optimize caching.

Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-11-21 11:58:07 -05:00
Jeff Cody
4afeffc857 blockjob: do not allow coroutine double entry or entry-after-completion
When block_job_sleep_ns() is called, the co-routine is scheduled for
future execution.  If we allow the job to be re-entered prior to the
scheduled time, we present a race condition in which a coroutine can be
entered recursively, or even entered after the coroutine is deleted.

The job->busy flag is used by blockjobs when a coroutine is busy
executing. The function 'block_job_enter()' obeys the busy flag,
and will not enter a coroutine if set.  If we sleep a job, we need to
leave the busy flag set, so that subsequent calls to block_job_enter()
are prevented.

This changes the prior behavior of block_job_cancel() being able to
immediately wake up and cancel a job; in practice, this should not be an
issue, as the coroutine sleep times are generally very small, and the
cancel will occur the next time the coroutine wakes up.

This fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1508708

Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-11-21 11:51:18 -05:00
Peter Maydell
fc7dbc119e Block layer patches for 2.11.0-rc2
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaFEGYAAoJEH8JsnLIjy/WiNYP/2kkepEzCiDpuMlzJVoyzBV0
 wy3AIfZkdbLTBrsGTfGhdCNJB8dLKrOeZPW/YhhfnKoOpNV50PAG7r51y6/clavq
 6QRO7tFq4OzIaNlVXzftNfFK96hWyUV1f+AazCoCdDxEL1PSOpKj8jvedUzfq8bq
 mxbGeGY7romGmJ3ahPUZ/U1U7KbkpSm6Mcri+YnD4/xcT20b8FoC7mgPCDV/kOgi
 sVGR858F54+Os/Gy1+VlvEmUxosOVA8ZBtRjwRQhS3b2/oIVbJR15Y2RHAK1TfzJ
 4OAXkKpBNh6kybO9hsbfSXujK5aWuseov4gdy+c11msshkTt6YnLPZuH1HETYQ4M
 wMYaIKcY54VF8jFFrh3aFqvZCdpvxtdZFYzuWq8vvubDSt1RkTGjZ0EpWpy+693o
 IDrjdEqd18lU56K9/R57nwAYQKmocrWO8zzqPQrr2w2c3vo+TpoJENMV/4AQOUtJ
 rV8p7AD8oKOtDWLCacDBM1sHXarTr6olFFFyZ1wMzxsdqo968mmWUbPARxygYj3C
 9zfSomp5l7heDwFm19Qyd9z0Ah0ubQOqy5DSEtqqHg84OyOezcnLas0gXfH7Tc5C
 zROup2vkB2y+cgDI/SS894QViJeaqLynuoga8cz5/XEImZhmM7s6mwmTj1n3wdYn
 GcI52qfslBTZyovjJtvr
 =qdJf
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches for 2.11.0-rc2

# gpg: Signature made Tue 21 Nov 2017 15:09:12 GMT
# gpg:                using RSA key 0x7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  iotests: Fix 176 on 32-bit host
  block: Close a BlockDriverState completely even when bs->drv is NULL
  block: Error out on load_vm with active dirty bitmaps
  block: Add errp to bdrv_all_goto_snapshot()
  block: Add errp to bdrv_snapshot_goto()
  block: Don't request I/O permission with BDRV_O_NO_IO
  block: Don't use BLK_PERM_CONSISTENT_READ for format probing

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 15:50:13 +00:00
Daniel P. Berrange
7c3d1917fd build: disarm the TCG unit test trap
Developers sometimes mistakenly run 'make test' instead of 'make check'.
'make test' triggers the ancient, unmaintained tcg unit tests in
tests/tcg/Makefile which have long since ceased compiling.

Even if someone fixes the TCG tests, it makes little sense to put
them in a 'make test' target, rather they should be 'make check-tcg',
possibly wired up as a dependency of 'make check'.

In the meantime, this patch disarms the 'make test' trap by simply
deleting it so users get an immediate error. This should be enough
for them to remember to type 'make check' instead (or 'make help'
to learn). It also deletes 'make speed' which is another route
into the tcg tests.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
Message-id: 20171121142538.22072-1-berrange@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 15:42:47 +00:00
Kevin Wolf
4fd0295c15 Block patches for 2.11.0-rc2
-----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJaFDAUAAoJEPQH2wBh1c9AMkoIAKllh3qWiPZXHiHfafehc7V+
 5lcQFkEmOWuNbfz/cL0malNlSIgfVQ7q8ZAs8Vs29JcWqhyxI5+gHdsImHP/UHIT
 g/hrJdzlknVC5GVsVuVesM2LHQTu4b/uUJ+WbqD2gsgqRBJBn3vTnj+V9pSTCTBu
 LwZDro2jsc9p673wvfW7fhKTxhXPiHtpeXcShKV6PbmQluFiDrlYSSuGPIujLVHi
 gnWPS2UIohDXLVdfOm8q8YfEAgudqq/6isZ0jWadU+rXeH1PuM7+eFbj+tdyPjRs
 6hnXfkd4Wje8QNIcYRuEKaX0hpFVnksmB1UQLxKG7KqD05/jtCz+Ugo7cTGiazM=
 =WnI+
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'mreitz/tags/pull-block-2017-11-21' into queue-block

Block patches for 2.11.0-rc2

# gpg: Signature made Tue Nov 21 14:54:28 2017 CET
# gpg:                using RSA key F407DB0061D5CF40
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>"
# Primary key fingerprint: 91BE B60A 30DB 3E88 57D1  1829 F407 DB00 61D5 CF40

* mreitz/tags/pull-block-2017-11-21:
  iotests: Fix 176 on 32-bit host
  block: Close a BlockDriverState completely even when bs->drv is NULL

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-11-21 15:09:54 +01:00
Eric Blake
2807746ff1 iotests: Fix 176 on 32-bit host
The contents of a qcow2 bitmap are rounded up to a size that
matches the number of bits available for the granularity, but
that granularity differs for 32-bit hosts (our default 64k
cluster allows for 2M bitmap coverage per 'long') and 64-bit
hosts (4M bitmap per 'long').  If the image is a multiple of
2M but not 4M, then the number of bytes occupied by the array
of longs in memory differs between architecture, thus
resulting in different SHA256 hashes.

Furthermore (but untested by me), if our computation of the
SHA256 hash is at all endian-dependent because of how we store
data in memory, that's another variable we'd have to account
for (ideally, we specified the bitmap stored in qcow2 as
fixed-endian on disk, because the same qcow2 file must be
usable across any architecture; but that says nothing about
how we represent things in memory).  But we already have test
165 to validate that bitmaps are stored correctly on disk,
while this test is merely testing that the bitmap exists.

So for this test, the easiest solution is to filter out the
actual hash value.  Broken in commit 4096974e.

Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-id: 20171117190422.23626-1-eblake@redhat.com
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
2017-11-21 14:54:02 +01:00
Alberto Garcia
50a3efb0f0 block: Close a BlockDriverState completely even when bs->drv is NULL
bdrv_close() skips much of its logic when bs->drv is NULL. This is
fine when we're closing a BlockDriverState that has just been created
(because e.g the initialization process failed), but it's not enough
in other cases.

For example, when a valid qcow2 image is found to be corrupted then
QEMU marks it as such in the file header and then sets bs->drv to
NULL in order to make the BlockDriverState unusable. When that BDS is
later closed then many of its data structures are not freed (leaking
their memory) and none of its children are detached. This results in
bdrv_close_all() failing to close all BDSs and making this assertion
fail when QEMU is being shut down:

   bdrv_close_all: Assertion `QTAILQ_EMPTY(&all_bdrv_states)' failed.

This patch makes bdrv_close() do the full uninitialization process
in all cases. This fixes the problem with corrupted images and still
works fine with freshly created BDSs.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Message-id: 20171106145345.12038-1-berto@igalia.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
2017-11-21 14:54:02 +01:00
Kevin Wolf
70a5afedd6 block: Error out on load_vm with active dirty bitmaps
Loading a snapshot invalidates the bitmap. Just marking all blocks dirty
is not a useful response in practice, instead the user needs to be aware
that we switch to a completely different state. If they are okay with
losing the dirty bitmap, they can just explicitly delete it.

This effectively reverts commit 04dec3c3ae.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
2017-11-21 14:48:23 +01:00
Kevin Wolf
2b624fe079 block: Add errp to bdrv_all_goto_snapshot()
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
2017-11-21 14:48:22 +01:00
Kevin Wolf
0b62bcbc61 block: Add errp to bdrv_snapshot_goto()
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
2017-11-21 14:48:22 +01:00
Kevin Wolf
1f4ad7d3b8 block: Don't request I/O permission with BDRV_O_NO_IO
'qemu-img info' makes sense even when BLK_PERM_CONSISTENT_READ cannot be
granted because of a block job in a running qemu process. It already
sets BDRV_O_NO_IO to indicate that it doesn't access the guest visible
data at all.

Check the BDRV_O_NO_IO flags in blk_new_open(), so that I/O related
permissions are not unnecessarily requested and 'qemu-img info' can work
even if BLK_PERM_CONSISTENT_READ cannot be granted.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
2017-11-21 14:48:22 +01:00
Kevin Wolf
dacaa16238 block: Don't use BLK_PERM_CONSISTENT_READ for format probing
For format probing, we don't really care whether all of the image
content is consistent. The only thing we're looking at is the image
header, and specifically the magic numbers that are expected to never
change, no matter how inconsistent the guest visible disk content is.

Therefore, don't request BLK_PERM_CONSISTENT_READ. This allows to use
format probing, e.g. in the context of 'qemu-img info', even while the
guest visible data in the image is inconsistent during a running block
job.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
2017-11-21 14:48:22 +01:00
Stefan Hajnoczi
70b7fba987 Use HTTPS for qemu.org and other domains
qemu.org enabled HTTPS in 2017 and it should be used instead of HTTP.
There are also URLs to json.org, openvpn.net, and other domains that
support HTTPS.

This patch updates the qemu.org domains everywhere and also third-party
domains that I have checked.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20171121120435.28728-3-stefanha@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 13:34:13 +00:00
Stefan Hajnoczi
1b3bbc6887 Use qemu.org domain name
The owner of qemu.org has delegated authority to modify DNS records to
the QEMU Project.  This has allowed us to use the domain name without
worries about IP address changes or technical issues disrupting service.
The issues described in commit 8593898109
("Use qemu-project.org domain name") have therefore been mitigated.

This patch switches back to consistently using qemu.org instead of
qemu-project.org in documentation, version.rc, and the Windows installer
script.

The git submodules and SeaBIOS still use qemu-project.org for the time
being.  This will be fixed in the QEMU 2.12 release cycle.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20171121120435.28728-2-stefanha@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 13:34:13 +00:00
Michael Roth
d0dead3b6d scripts/make-release: ship u-boot source as a tarball
The u-boot sources we ship currently cause problems with unpacking on
a case-insensitive filesystem due to path conflicts. This has been
fixed in upstream u-boot via commit 610eec7f, but since it is not
yet included in an official release we implement this approach as a
temporary workaround.

Once we move to a u-boot containing commit 610eec7f we should revert
this patch.

Cc: qemu-stable@nongnu.org
Cc: Alexander Graf <agraf@suse.de>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Thomas Huth <thuth@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20171107205201.10207-1-mdroth@linux.vnet.ibm.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 12:48:20 +00:00
Peter Maydell
34d49937e4 accel/tcg: Handle atomic accesses to notdirty memory correctly
To do a write to memory that is marked as notdirty, we need
to invalidate any TBs we have cached for that memory, and
update the cpu physical memory dirty flags for VGA and migration.
The slowpath code in notdirty_mem_write() does all this correctly,
but the new atomic handling code in atomic_mmu_lookup() doesn't
do anything at all, it just clears the dirty bit in the TLB.

The effect of this bug is that if the first write to a notdirty
page for which we have cached TBs is by a guest atomic access,
we fail to invalidate the TBs and subsequently will execute
incorrect code. This can be seen by trying to run 'javac' on AArch64.

Use the new notdirty_call_before() and notdirty_call_after()
functions to correctly handle the update to notdirty memory
in the atomic codepath.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1511201308-23580-3-git-send-email-peter.maydell@linaro.org
2017-11-21 12:09:25 +00:00
Peter Maydell
2726627197 exec.c: Factor out before/after actions for notdirty memory writes
The function notdirty_mem_write() has a sequence of actions
it has to do before and after the actual business of writing
data to host RAM to ensure that dirty flags are correctly
updated and we flush any TCG translations for the region.
We need to do this also in other places that write directly
to host RAM, most notably the TCG atomic helper functions.
Pull out the before and after pieces into their own functions.

We use an API where the prepare function stashes the various
bits of information about the write into a struct for the
complete function to use, because in the calls for the atomic
helpers the place where the complete function will be called
doesn't have the information to hand.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1511201308-23580-2-git-send-email-peter.maydell@linaro.org
2017-11-21 12:09:25 +00:00
Peter Maydell
a61d343986 qemu-ga patch queue for 2.11
* fix potential overflow in network interface stats reporting
 -----BEGIN PGP SIGNATURE-----
 
 iQE3BAABCAAhBQJaE0FlGhxtZHJvdGhAbGludXgudm5ldC5pYm0uY29tAAoJEDNT
 yc7xCLWEr8oH/3P7maloO7NE9+i23jrxQvVPoIlWxnABzDEJhjMFlfMEj39z67um
 4/hRuao0v0qmImGqEbq7WYiseFRIytAgXZRDQ+ra7bwsOxyfxZs8x9voqNtLu5ua
 cu6rPJ2Z3xkAyaW+nwx3od5qHvhBL4fn2SVzo14k2a6nKeNR53jlqk2Q4iwTh/Yd
 KWuOUjIRjR0ffeRD/A5Y8+j4HU9lbO/3qW9aYCiCfPuGmWCjCZli0bvlDem9hiSC
 Rgs2c7+7v08xXUH9QiVnkKUcvJm656pRWksoODKyThPV0zyRCUU/KDBGEZxzWlyb
 unrnenRy7GMd/3bMDwt3Rd5a0IfUgjmrFmo=
 =b/7c
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mdroth/tags/qga-pull-2017-11-20-tag' into staging

qemu-ga patch queue for 2.11

* fix potential overflow in network interface stats reporting

# gpg: Signature made Mon 20 Nov 2017 20:56:05 GMT
# gpg:                using RSA key 0x3353C9CEF108B584
# gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
# gpg:                 aka "Michael Roth <mdroth@utexas.edu>"
# gpg:                 aka "Michael Roth <mdroth@linux.vnet.ibm.com>"
# Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584

* remotes/mdroth/tags/qga-pull-2017-11-20-tag:
  qga: replace GetIfEntry with GetIfEntry2 for interface stats

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 11:20:06 +00:00
Peter Maydell
1b4e6e8cf8 late linux-user fixes for Qemu 2.11
-----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCAA1FiEE/4IDyMORmK4FgUHvtEiQ3t48m8AFAloTRsQXHHJpa3Uudm9p
 cGlvQGxpbmFyby5vcmcACgkQtEiQ3t48m8AFrQ//SZRfvk7DASsXvGP55p8Iyql2
 Xw2aaRDlaP5HVJwOnOh1E5wzvERJouvaS2czi2YLTOl9T8pt6mYeyUriU+gBNDQp
 M6hmrvw3yTA6QAcf+s6oIaJeOSY6ymnrTRrnEezbxmDvDyaukcgydlDSh2jk36Ez
 d3R9HLkcLHT4g9wfA6i0DbXI/2jbZQgBOQ0iPyEBzft/dRqflo3qxyzKGRQBLFip
 R2dYl5t0p0gSbc0sIz5cr0R1aCk6JOIua1BqW3t6EClxNt5IKI277JLcI/++cnlW
 BY006iMsrZeR9cRuHsE/1lctqzq0pCZT/XYQmrQdq7XWvKnMWHXfP0Ue5H1UUN1l
 +SnHkQAdW4W12aoC1zgae7YzIrN5jcI5CtuEVZGk7EETt6sJAd8Qs5jcEpGyUViJ
 yh8I99iA5tb1QSCDbEwZTljmA4kyD+tvO4WMOrl9n19QeFXB9qwzFCIpfN/lvuyn
 iZEC94O3IbxfbIpAzrn0ZDgFamusqy8MRrIxmki3QzCdA0m8IUMIfI9qK4X4lOsk
 gSxQnNFuiJLr5AUzQu5OuIeEm9ehwdB3m2UztV8qE5JUKo+slfje9LPNh18TWBf9
 q6bMH5TYm2jvMl6efDN6aVkheMv+T4Yux1kTA4tWbY2zIo9avGgBVprVW+QCq9rP
 L0KJ54c8tjoFcEn1Wow=
 =dddR
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20171120' into staging

late linux-user fixes for Qemu 2.11

# gpg: Signature made Mon 20 Nov 2017 21:19:00 GMT
# gpg:                using RSA key 0xB44890DEDE3C9BC0
# gpg: Good signature from "Riku Voipio <riku.voipio@iki.fi>"
# gpg:                 aka "Riku Voipio <riku.voipio@linaro.org>"
# Primary key fingerprint: FF82 03C8 C391 98AE 0581  41EF B448 90DE DE3C 9BC0

* remotes/riku/tags/pull-linux-user-20171120:
  linux-user: Fix calculation of auxv length
  linux-user: Handle rt_sigaction correctly for SPARC
  linux-user/sparc: Put address for data faults where linux-user expects it
  linux-user/ppc: Report correct fault address for data faults
  linux-user/s390x: Mask si_addr for SIGSEGV
  linux-user: return EINVAL from prctl(PR_*_SECCOMP)
  linux-user: fix 'finshed' typo in comment
  linux-user/syscall.c: Handle SH4's exceptional alignment for p{read, write}64
  linux-user: Handle TARGET_MAP_STACK and TARGET_MAP_HUGETLB
  linux-user/hppa: Fix TARGET_F_RDLCK, TARGET_F_WRLCK, TARGET_F_UNLCK
  linux-user/hppa: Fix TARGET_MAP_TYPE
  linux-user/hppa: Fix typo for TARGET_NR_epoll_wait
  linux-user/hppa: Fix cpu_clone_regs
  linux-user/hppa: Fix TARGET_SA_* defines
  linux-user: Restrict usage of sa_restorer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-11-21 10:44:44 +00:00