Commit Graph

86319 Commits

Author SHA1 Message Date
Peter Maydell
db55d2c923 Block patches for 6.0-rc3:
- Use-after-free fix for block/nbd.c
 -----BEGIN PGP SIGNATURE-----
 
 iQFGBAABCAAwFiEEkb62CjDbPohX0Rgp9AfbAGHVz0AFAmB1njQSHG1yZWl0ekBy
 ZWRoYXQuY29tAAoJEPQH2wBh1c9AMQUH/1JDtN+Sax5exC6RUbrraoo3akWHM7kj
 cU/setlBtFV7ovyhhQ74GCOy9uu23/uCluJIaCMriZgDkWo+stV6EM6KHND4hOiV
 mOW16+h5WkVOp521igMaXLrZ+MyXvTbOXtRKWEITZV49qAP0Qwyfg0T++VjMTSPB
 TYhM+tkC2wcIcE3Qwj2YFy9KCIWXOBVREvJycBHN2j7+OB+ngD5NW+qfh/bmzG8M
 0pD1qG+ye17rbXOSC60HrgPkVZr+NymROTVSjmEol59BowyIFlw3+ZChN/ti/A05
 irpogp6/nZWrceVJfbISDi7SBRZbYfCI7gNCPJRY3Hx031krkD3ox1w=
 =7zEh
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2021-04-13' into staging

Block patches for 6.0-rc3:
- Use-after-free fix for block/nbd.c

# gpg: Signature made Tue 13 Apr 2021 14:35:48 BST
# gpg:                using RSA key 91BEB60A30DB3E8857D11829F407DB0061D5CF40
# gpg:                issuer "mreitz@redhat.com"
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>" [full]
# Primary key fingerprint: 91BE B60A 30DB 3E88 57D1  1829 F407 DB00 61D5 CF40

* remotes/maxreitz/tags/pull-block-2021-04-13:
  block/nbd: fix possible use after free of s->connect_thread

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 21:05:17 +01:00
Peter Maydell
1b66515334 target-arm queue:
* Fix MPC setting for AN524 SRAM block
  * sphinx: qapidoc: Wrap "If" section body in a paragraph node
 -----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmB1iXAZHHBldGVyLm1h
 eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3uofD/0UFqe/2dMyNjNMqCz2AN5q
 VFFrUXzdnpKCAbr/jZRlxe4JKmEVlrx9Az9SGjcsWFwL6KD72GK2ASsQGnijKcqp
 YpK/2qb8EZsNjo8yh4VAQw396sSrcqB8l/ebYsesClU6lJ4AfClHhNFRG2fddbe4
 NGh3ohxnHP1X7dcPsv/BMPHiyluf2JNVmlDHEf7OhQpZemgbLvz7RhCPz07cRnKw
 ghsi5LSEht9c9fRyZClWQBD3xf3Lfw7z2s2kgwIAbsi05cnjmdxcJ1WBzzMONBEj
 AkVdvZhgBXaenNPl7A5UumF4Gyh1kMjoeDJ4YkEMG73h2zx/+vsEBEa22yRJwK0g
 sHsnYzARx3KF/JtRMVQrlG5VPLYvoAm1rdm+EtfSznJ0DuyU6yrJuFBUddOwlJLS
 7lNsbd6mx5ZRokyqddJT353e/IYHQ1C198DV4i+/e1SilOdStZsHzMoi3edqrKKw
 g1/4tqaeuHgfpfhUuvUIF4JUH9AdvIeSFPqTRUIYNtLuXsrtpl4gWSPXyYHOiQmW
 f2YLO5WqOtn1g1h8CizhH2Lsc4LL9+j22xzCUhbguy5SDcuHMLfCyCRjVMwz79kB
 efnBD0KwUp7+qPbUAEcRMFQVIlZcfBx/hEuNJGIOWT1Ui9XMgmGa7S4MWSu1PL4G
 i0JbWCrf0bykN20hsH/iMw==
 =YniI
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20210413' into staging

target-arm queue:
 * Fix MPC setting for AN524 SRAM block
 * sphinx: qapidoc: Wrap "If" section body in a paragraph node

# gpg: Signature made Tue 13 Apr 2021 13:07:12 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20210413:
  sphinx: qapidoc: Wrap "If" section body in a paragraph node
  hw/arm/mps2-tz: Assert if more than one RAM is attached to an MPC
  hw/arm/mps2-tz: Fix MPC setting for AN524 SRAM block

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 17:08:13 +01:00
Anton Kuchin
ace66791cd vhost-user-fs: fix features handling
Make virtio-fs take into account server capabilities.

Just returning requested features assumes they all of then are implemented
by server and results in setting unsupported configuration if some of them
are absent.

Signed-off-by: Anton Kuchin <antonkuchin@yandex-team.ru>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  With changes suggested by Stefan
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2021-04-13 16:13:41 +01:00
Vladimir Sementsov-Ogievskiy
0267101af6 block/nbd: fix possible use after free of s->connect_thread
If on nbd_close() we detach the thread (in
nbd_co_establish_connection_cancel() thr->state becomes
CONNECT_THREAD_RUNNING_DETACHED), after that point we should not use
s->connect_thread (which is set to NULL), as running thread may free it
at any time.

Still nbd_co_establish_connection() does exactly this: it saves
s->connect_thread to local variable (just for better code style) and
use it even after yield point, when thread may be already detached.

Fix that. Also check thr to be non-NULL on
nbd_co_establish_connection() start for safety.

After this patch "case CONNECT_THREAD_RUNNING_DETACHED" becomes
impossible in the second switch in nbd_co_establish_connection().
Still, don't add extra abort() just before the release. If it somehow
possible to reach this "case:" it won't hurt. Anyway, good refactoring
of all this reconnect mess will come soon.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20210406155114.1057355-1-vsementsov@virtuozzo.com>
Reviewed-by: Roman Kagan <rvkagan@yandex-team.ru>
Signed-off-by: Max Reitz <mreitz@redhat.com>
2021-04-13 15:35:12 +02:00
Peter Maydell
2935f6f2c1 MIPS patches queue
- Fix invalid Kconfig dependency
 - Fix missing migrated value
 - Fix TCG temporary leak
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmB1bgMACgkQ4+MsLN6t
 wN7wlQ/9FMNjEaYnVUCsyGrxG9r2xxa9Cy55WHJly0woYs0SoqnpybbCW8LiAy5H
 HEDUItr3a4omh1ixaeqYDANYSa/u7duyyk3gxNizFTj19TUalM0bd9edNgwvZTvU
 U8I4GsD87RSuvLBzP+eg46XoMBWwuS4RF35dMN/NoK/Wrl24wwrJXhsv2ALwhS/F
 L/4e9/GO6B5Cz0eNeZPWSVFCrGupZf7dw5g6+k39a2W74G+iW1EGe4/rAhGsG2Vb
 yJOvZjuI3RGlWpdebTGBxEv4GQgvuiG5lf9Gtz/WaJbpcyOXvGY75jiQScz4hsGM
 O+avkY8Fi7ERLxt/r/prxj1bgUOym6LDPSBkHqiz30+ehNbigNRYjQaHQFEQqnUs
 37MN5XEd0j0NfBr0XVHy0oZmv/+Z9v/3BFifsKcj4fd+u6NhJIbMgIhUOgiu/xHm
 g4b4cZEGFeqAEcR6LEaOmYTGsluvf1tcqJTanvXkXRu/T5bJy+jQXlOHQnbfhvnl
 bHcZRDoDrCHbRrpPyBT3kDyoack5dH7PuV7EzSLqSANei1eHf9c2zcZDPMLVG5q5
 /7kAWz91+o38TRk+UL70rluwttABCjv3jZ+YepuXsKZieAjyEdBlW6hyopasvHWc
 SR6YXUcArS965/74ff2LDCA/3xLMR9b16NI/JS0wfu191MCgHhU=
 =YFeO
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/philmd/tags/mips-20210413' into staging

MIPS patches queue

- Fix invalid Kconfig dependency
- Fix missing migrated value
- Fix TCG temporary leak

# gpg: Signature made Tue 13 Apr 2021 11:10:11 BST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* remotes/philmd/tags/mips-20210413:
  target/mips: Fix TCG temporary leak in gen_cache_operation()
  hw/isa/piix4: Migrate Reset Control Register
  hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 14:32:44 +01:00
Peter Maydell
dce628a97f ppc patch queue for 2021-04-21
Here's what I hope is the last ppc related pull request for qemu-6.0.
 
 The 2 patches here revert a behavioural change that after further
 discussion we concluded was a bad idea (adding a timeout for
 possibly-failed hot unplug requests).  Instead it implements a
 different approach to the original problem: we again let unplug
 requests the guest doesn't respond to remain pending indefinitely, but
 no longer allow those to block attempts to retry the same unplug
 again.
 
 The change is a bit more complex than I'd like for this late in the
 freeze.  Nonetheless, I think it's important to merge this for 6.0, so
 we don't allow a release which has the probably-a-bad-idea timeout
 behaviour.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAmBz2eYACgkQbDjKyiDZ
 s5L1bw//XYKENrHBOgP7TCU+q2895PpCn5jxarPMrpX1fee1mlu+ncskZtlMQr8b
 C8zaWiUO9V6ezknVvqTe/4Wx+DmahGyrHwJQ/Fqj6o7C+057jEumPqBTuQFrNwz+
 4noougivOn1bVR5+vwDqAvNvO2xe49RPVd3kchHUe6tYHEa/k2kwqHeSFLZtm52R
 MusDWOD8FTxfY5uIy2LH4i2/Qe4PMn7by9ZJuldDAegHP4qn+Ffv5fO3a+HlDpOC
 KLwIub/PkLl5dtP4lru+PDgIpYwzdzZBDT/wb+OCspb4/ujqufJixt9DglnWQjEW
 3MwNK8ZnaiyrC8v9mFHzmcIJaRFQE55cr8bviB1SupJYJKB5YKuWMKKA+5E3LUuV
 VEbGzdcjP8xv0F7GzARsj8tt5iH54UJYbWLVxNy33tIfLbBrdbOH28DRhnKNZ3Y8
 f8Tz4VOKrqFL2ybQXOmSpitf5/h0nUMFRt2jZdhZLhcQ09b49k9loxPGAQoqB3aW
 HuIF3JSWnyAfFRxQjTsjzBDlgGQlghUEKj0fAqIx6SBhWJq5fg+nJ5hM1BEZIKfa
 gsy/Whs458YcSS/ArPPJ3vWC/RU8JvAAQcgSQF4AAAu/3h4FVnPCJGE8d7Jdsqdr
 KK8Y4y1PsXg7Ar7L1qTGJNzM4PKaAh4m8Mm8LLp6sVr4bAOl654=
 =fIJT
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.0-20210412' into staging

ppc patch queue for 2021-04-21

Here's what I hope is the last ppc related pull request for qemu-6.0.

The 2 patches here revert a behavioural change that after further
discussion we concluded was a bad idea (adding a timeout for
possibly-failed hot unplug requests).  Instead it implements a
different approach to the original problem: we again let unplug
requests the guest doesn't respond to remain pending indefinitely, but
no longer allow those to block attempts to retry the same unplug
again.

The change is a bit more complex than I'd like for this late in the
freeze.  Nonetheless, I think it's important to merge this for 6.0, so
we don't allow a release which has the probably-a-bad-idea timeout
behaviour.

# gpg: Signature made Mon 12 Apr 2021 06:25:58 BST
# gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dg-gitlab/tags/ppc-for-6.0-20210412:
  spapr.c: always pulse guest IRQ in spapr_core_unplug_request()
  spapr: rollback 'unplug timeout' for CPU hotunplugs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 13:05:07 +01:00
Philippe Mathieu-Daudé
f4349ba966 target/mips: Fix TCG temporary leak in gen_cache_operation()
Fix a TCG temporary leak when translating CACHE opcode.

Fixes: 0d74a222c2 ("make ITC Configuration Tags accessible to the CPU")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210406202857.1440744-1-f4bug@amsat.org>
2021-04-13 12:07:00 +02:00
Philippe Mathieu-Daudé
62271205bc hw/isa/piix4: Migrate Reset Control Register
When adding the Reset register in commit 5790b757cf we
forgot to migrate it.

While it is possible a VM using the PIIX4 is migrated just
after requesting a system shutdown, it is very unlikely.
However when restoring a migrated VM, we might have the
RCR bit #4 set on the stack and when the VM resume it
directly shutdowns.

Add a post_load() migration handler and set the default
RCR value to 0 for earlier versions, assuming the VM was
not going to shutdown before migration.

Fixes: 5790b757cf ("piix4: Add the Reset Control Register")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20210324200334.729899-1-f4bug@amsat.org>
2021-04-13 12:06:59 +02:00
Philippe Mathieu-Daudé
50fab4cc67 hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM
TYPE_VIA_PM calls apm_init() in via_pm_realize(), so
requires APM to be selected.

Reported-by: BALATON Zoltan <balaton@eik.bme.hu>
Fixes: dd0ff8191a ("isa: express SuperIO dependencies with Kconfig")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210302080531.913802-1-f4bug@amsat.org>
2021-04-13 12:06:46 +02:00
Peter Maydell
1a66dab9dd qemu-sparc queue
-----BEGIN PGP SIGNATURE-----
 
 iQFSBAABCgA8FiEEzGIauY6CIA2RXMnEW8LFb64PMh8FAmB0xfgeHG1hcmsuY2F2
 ZS1heWxhbmRAaWxhbmRlLmNvLnVrAAoJEFvCxW+uDzIfoYsH/AgSa1ReFBRqa227
 cjdD2KRhYDA4HLj2ukaLAEtgbz57RfNyrBtEDkLcgN+lFjBlWB/1QZDTWA844OZb
 CkBm83jNMIXFpXknXBcMwGDJ7Yrnr1Cjc2AZwifyKswN7ILDtg1qsxu+aEO+L8v6
 YysH8aqxxet4tjFLTS1tYFzPzb2W1dMrNR/fLYFYY5rjgW04UNZIHqw66lOkkGBH
 wyO9dHr371B6b/40a99NBPOlxO/qfQCvIwk2FagmxBBmABRbWp8SIrNSDosFJ2md
 LdeVukGaIexI5ylIn+bvTuoJcuuTIoqaiUd1KdrHptvt2sH3UUGE6hBRWso9saJL
 1wZ3SI4=
 =O+4q
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210412' into staging

qemu-sparc queue

# gpg: Signature made Mon 12 Apr 2021 23:13:12 BST
# gpg:                using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg:                issuer "mark.cave-ayland@ilande.co.uk"
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full]
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C  C9C4 5BC2 C56F AE0F 321F

* remotes/mcayland/tags/qemu-sparc-20210412:
  tests/qtest: add tests for am53c974 device
  esp: ensure that do_cmd is set to zero before submitting an ESP select command
  esp: don't reset async_len directly in esp_select() if cancelling request
  esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
  esp: don't overflow cmdfifo in get_cmd()
  esp: don't underflow cmdfifo in do_cmd()
  esp: ensure cmdfifo is not empty and current_dev is non-NULL
  esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
  esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
  esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
  esp: rework write_response() to avoid using the FIFO for DMA transactions
  esp: always check current_req is not NULL before use in DMA callbacks
  esp: fix setting of ESPState mig_version_id when launching QEMU with -S option

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 11:00:34 +01:00
John Snow
2d18b4ca02 sphinx: qapidoc: Wrap "If" section body in a paragraph node
These sections need to be wrapped in a block-level element, such as
Paragraph in order for them to be rendered into Texinfo correctly.

Before (e.g.):

<section ids="qapidoc-713">
  <title>If</title>
  <literal>defined(CONFIG_REPLICATION)</literal>
</section>

became:

  .SS If
  \fBdefined(CONFIG_REPLICATION)\fP.SS \fBBlockdevOptionsReplication\fP (Object)
  ...

After:

<section ids="qapidoc-713">
  <title>If</title>
  <paragraph>
    <literal>defined(CONFIG_REPLICATION)</literal>
  </paragraph>
</section>

becomes:

  .SS If
  .sp
  \fBdefined(CONFIG_REPLICATION)\fP
  .SS \fBBlockdevOptionsReplication\fP (Object)
  ...

Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210406141909.1992225-2-jsnow@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-13 10:14:58 +01:00
Mark Cave-Ayland
ce94fa7aa6 tests/qtest: add tests for am53c974 device
Use the autogenerated fuzzer test cases as the basis for a set of am53c974
regression tests.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-13-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:37:11 +01:00
Mark Cave-Ayland
607206948c esp: ensure that do_cmd is set to zero before submitting an ESP select command
When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.

Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function triggering an assert at the start of esp_transfer_data().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
324c880989 esp: don't reset async_len directly in esp_select() if cancelling request
Instead let the SCSI layer invoke the .cancel callback itself to cancel and
reset the request state.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
0ebb5fd805 esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
If a guest transfers the message out/command phase data using DMA with a TC
that is larger than the cmdfifo size then the cmdfifo overflows triggering
an assert. Limit the size of the transfer to the free space available in
cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-10-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
fbc6510e33 esp: don't overflow cmdfifo in get_cmd()
If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
fa7505c154 esp: don't underflow cmdfifo in do_cmd()
If the guest tries to execute a CDB when cmdfifo is not empty before the start
of the message out phase then clearing the message out phase data will cause
cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of
data within.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to
the size of the data within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
9954575173 esp: ensure cmdfifo is not empty and current_dev is non-NULL
When about to execute a SCSI command, ensure that cmdfifo is not empty and
current_dev is non-NULL. This can happen if the guest tries to execute a TI
(Transfer Information) command without issuing one of the select commands
first.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:53 +01:00
Mark Cave-Ayland
7b320a8e67 esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
The const pointer returned by fifo8_pop_buf() lies directly within the array used
to model the FIFO. Building with address sanitizers enabled shows that if the
caller expects a minimum number of bytes present then if the FIFO is nearly full,
the caller may unexpectedly access past the end of the array.

Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
memcpy() in it to guarantee that the caller cannot overwrite the FIFO array and
update all callers to use it. Similarly add underflow protection similar to
esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert()
the operation becomes a no-op.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210407195801.685-6-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:35:19 +01:00
Mark Cave-Ayland
c5fef9112b esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
Each FIFO currently has its own pop functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_pop() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_pop() into esp_fifo_pop().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-5-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:34:02 +01:00
Mark Cave-Ayland
e5455b8c1c esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
Each FIFO currently has its own push functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_push() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_push() into esp_fifo_push().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-4-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:34:02 +01:00
Mark Cave-Ayland
e392255766 esp: rework write_response() to avoid using the FIFO for DMA transactions
The code for write_response() has always used the FIFO to store the data for
the status/message in phases, even for DMA transactions. Switch to using a
separate buffer that can be used directly for DMA transactions and restrict
the FIFO use to the non-DMA case.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-3-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:33:50 +01:00
Mark Cave-Ayland
0db895361b esp: always check current_req is not NULL before use in DMA callbacks
After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:33:33 +01:00
Mark Cave-Ayland
ff4a1daba6 esp: fix setting of ESPState mig_version_id when launching QEMU with -S option
If QEMU is launched with the -S option then the ESPState mig_version_id property
is left unset due to the ordering of the VMState fields in the VMStateDescription
for sysbusespscsi and pciespscsi. If the VM is migrated and restored in this
stopped state, the version tests in the vmstate_esp VMStateDescription and
esp_post_load() become confused causing the migration to fail.

Fix the ordering problem by moving the setting of mig_version_id to a common
esp_pre_save() function which is invoked first by both sysbusespscsi and
pciespscsi rather than at the point where ESPState is itself serialised into the
migration stream.

Buglink: https://bugs.launchpad.net/qemu/+bug/1922611
Fixes: 0bd005be78 ("esp: add vmstate_esp version to embedded ESPState")
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210407124842.32695-1-mark.cave-ayland@ilande.co.uk>
2021-04-12 22:31:24 +01:00
Peter Maydell
91c0a79891 hw/arm/mps2-tz: Assert if more than one RAM is attached to an MPC
Each board in mps2-tz.c specifies a RAMInfo[] array providing
information about each RAM in the board.  The .mpc field of the
RAMInfo struct specifies which MPC, if any, the RAM is attached to.
We already assert if the array doesn't have any entry for an MPC, but
we don't diagnose the error of using the same MPC number twice (which
is quite easy to do by accident if copy-and-pasting structure
entries).

Enhance find_raminfo_for_mpc() so that it detects multiple entries
for the MPC as well as missing entries.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210409150527.15053-3-peter.maydell@linaro.org
2021-04-12 15:57:38 +01:00
Peter Maydell
db2fc83aa4 hw/arm/mps2-tz: Fix MPC setting for AN524 SRAM block
The AN524 has three MPCs: one for the BRAM, one for the QSPI flash,
and one for the DDR.  We incorrectly set the .mpc field in the
RAMInfo struct for the SRAM block to 1, giving it the same MPC we are
using for the QSPI.  The effect of this was that the QSPI didn't get
mapped into the system address space at all, via an MPC or otherwise,
and guest programs which tried to read from the QSPI would get a bus
error.  Correct the SRAM RAMInfo to indicate that it does not have an
associated MPC.

Fixes: 25ff112a8c ("hw/arm/mps2-tz: Add new mps3-an524 board")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210409150527.15053-2-peter.maydell@linaro.org
2021-04-12 15:57:18 +01:00
Peter Maydell
c1e90def01 target-arm queue:
* hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
  * hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
  * accel/tcg: Preserve PAGE_ANON when changing page permissions
  * target/arm: Check PAGE_WRITE_ORG for MTE writeability
  * exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
 -----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmB0IXMZHHBldGVyLm1h
 eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3jXoD/9XnA+/RELoDZAuCw1h10At
 M7QhbMc1ySgxbq15a5lTMNyE/FDd4sGoDkmK/VI0kxYlsoYyXmirFkQUG31p/ypp
 +Md0JnA5YTo32zB1wfzkors+dkKpTMq97QvboQGlsjdu3fz5t7eARzwq9jyM+iG/
 eieN/mdQU/X82TPc+v7zr3EVbmeXl2ocAVWBuvQ7HBftqIbqiAa/pEErCfbuZ33r
 F0j6AsXQUT/b8CH3jNRBtQTdG1wXBbhh+gxViR0kLS3WZMPT3vwemlYPWTE291b1
 k8ha08Bfvq6Qf3KqxozLxtJjqLedIq3qEfZl24Qtg0vtBsP/aggOhxfBJspaYQzn
 ZgfC8+25mZVDAItgg3cwcLjgzZ+Aq+4zrgvNJ+jjMN5TBhQXwTzNzBc54Uik2JEh
 /sFs9aMqDiSJrZYM1DF5DDfnI5TGILZQA9L8bgvqoLXehHrdbPPptBH5+s7DsDnw
 O+4P7Pikv17dHwAnT2k4cjsiZ+oCV1xJjVjPBQ1i7Iyl2T24cMtTywazdGNefG6V
 q/C62/8ml92PmEWadIk1i2QEyjiqNifXO2zYUicPwI2WAIK3urVIbTVwInbmNiCT
 +BeqmZyBlWxr3BZgLexoA/asGUOffe3iRzuQojfCAIv8lqZAqrATAf1Qrw1+sx9S
 Cye0AIOZokOIusHxie/BGA==
 =T96G
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20210412' into staging

target-arm queue:
 * hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
 * hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
 * accel/tcg: Preserve PAGE_ANON when changing page permissions
 * target/arm: Check PAGE_WRITE_ORG for MTE writeability
 * exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1

# gpg: Signature made Mon 12 Apr 2021 11:31:15 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20210412:
  exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
  target/arm: Check PAGE_WRITE_ORG for MTE writeability
  accel/tcg: Preserve PAGE_ANON when changing page permissions
  hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
  hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 12:12:09 +01:00
Richard Henderson
52c01ada86 exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
Unfortuately, the elements of PAGE_* were not in numerical
order and so PAGE_ANON was added to an "unused" bit.
As an arbitrary choice, move PAGE_TARGET_{1,2} together.

Cc: Laurent Vivier <laurent@vivier.eu>
Fixes: 26bab757d4 ("linux-user: Introduce PAGE_ANON")
Buglink: https://bugs.launchpad.net/bugs/1922617
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 11:06:24 +01:00
Richard Henderson
ff38bca7d6 target/arm: Check PAGE_WRITE_ORG for MTE writeability
We can remove PAGE_WRITE when (internally) marking a page
read-only because it contains translated code.

This can be triggered by tests/tcg/aarch64/bti-2, after
having serviced SIGILL trampolines on the stack.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 11:06:24 +01:00
Richard Henderson
eb42297a59 accel/tcg: Preserve PAGE_ANON when changing page permissions
Using mprotect() to change PROT_* does not change the MAP_ANON
previously set with mmap().  Our linux-user version of MTE only
works with MAP_ANON pages, so losing PAGE_ANON caused MTE to
stop working.

Reported-by: Stephen Long <steplong@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 11:06:24 +01:00
Zenghui Yu
017a913af4 hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
In emulation of the CFGI_STE_RANGE command, we now take StreamID as the
start of the invalidation range, regardless of whatever the Range is,
whilst the spec clearly states that

 - "Invalidation is performed for an *aligned* range of 2^(Range+1)
    StreamIDs."

 - "The bottom Range+1 bits of the StreamID parameter are IGNORED,
    aligning the range to its size."

Take CFGI_ALL (where Range == 31) as an example, if there are some random
bits in the StreamID field, we'll fail to perform the full invalidation but
get a strange range (e.g., SMMUSIDRange={.start=1, .end=0}) instead. Rework
the emulation a bit to get rid of the discrepancy with the spec.

Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210402100449.528-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 11:06:24 +01:00
Zenghui Yu
0c38f60783 hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
The GSIV values in SMMUv3 IORT node are not correct as they don't match
the SMMUIrq enumeration, which describes the IRQ<->PIN mapping used by
our emulated vSMMU.

Fixes: a703b4f6c1 ("hw/arm/virt-acpi-build: Add smmuv3 node in IORT table")
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210402084731.93-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 11:06:24 +01:00
Peter Maydell
f2afdc2ad9 emulated nvme docs and fixes for -rc3
- documentation
 - fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEUigzqnXi3OaiR2bATeGvMW1PDekFAmBz7wkACgkQTeGvMW1P
 DelIZgf9H3XReeMUBtXL7vftG4tfrdBMmJn1uyaqdlxiwJSuAbIgefwFgUaebkmO
 zKcu6NEUCoyDfpOqES3RNmEUFbyTau1+nhjVQvde6Ewt/tle+XyVJLp6G7VHQY1u
 DKxsT1bqP7Mu1QHxn3F03spdvwMXNXlGNyOLec6TA2yxOmWDSwr4GVapB2YhBrzH
 u6DHmbsh2nmOxX+UWrlJf+F0t61ZxogBevaXTkM5bYAPlPgeJdQBRKSHE6Z4Ta9B
 Xj46XC/wHXQsrTTAJ9eAiXfyA5nDYco5RtB8GtjElHPZ3CqJKkvQPISW+noCve/D
 ldVRXAO3CHxvg9WY3UzAQMvQ7Muaeg==
 =o+in
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/nvme/tags/nvme-fixes-20210412-pull-request' into staging

emulated nvme docs and fixes for -rc3

- documentation
- fixes

# gpg: Signature made Mon 12 Apr 2021 07:56:09 BST
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* remotes/nvme/tags/nvme-fixes-20210412-pull-request:
  hw/block/nvme: drain namespaces on sq deletion
  hw/block/nvme: store aiocb in compare
  hw/block/nvme: map prp fix if prp2 contains non-zero offset
  docs: add nvme emulation documentation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-12 10:41:11 +01:00
Klaus Jensen
98f84f5a4e hw/block/nvme: drain namespaces on sq deletion
For most commands, when issuing an AIO, the BlockAIOCB is stored in the
NvmeRequest aiocb pointer when the AIO is issued. The main use of this
is cancelling AIOs when deleting submission queues (it is currently not
used for Abort).

However, some commands like Dataset Management Zone Management Send
(zone reset) may involve more than one AIO and here the AIOs are issued
without saving a reference to the BlockAIOCB. This is a problem since
nvme_del_sq() will attempt to cancel outstanding AIOs, potentially with
an invalid BlockAIOCB since the aiocb pointer is not NULL'ed when the
request structure is recycled.

Fix this by

  1. making sure the aiocb pointer is NULL'ed when requests are recycled
  2. only attempt to cancel the AIO if the aiocb is non-NULL
  3. if any AIOs could not be cancelled, drain all aio as a last resort.

Fixes: dc04d25e2f ("hw/block/nvme: add support for the format nvm command")
Fixes: c94973288c ("hw/block/nvme: add broadcast nsid support flush command")
Fixes: e4e430b3d6 ("hw/block/nvme: add simple copy command")
Fixes: 5f5dc4c6a9 ("hw/block/nvme: zero out zones on reset")
Fixes: 2605257a26 ("hw/block/nvme: add the dataset management command")
Cc: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Cc: Minwoo Im <minwoo.im@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
2021-04-12 08:55:23 +02:00
Klaus Jensen
5cefe28708 hw/block/nvme: store aiocb in compare
nvme_compare() fails to store the aiocb from the blk_aio_preadv() call.
Fix this.

Fixes: 0a384f923f ("hw/block/nvme: add compare command")
Cc: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
2021-04-12 08:55:23 +02:00
Padmakar Kalghatgi
d357230b20 hw/block/nvme: map prp fix if prp2 contains non-zero offset
nvme_map_prp needs to calculate the number of list entries based on the
offset value. For the subsequent PRP2 list, need to ensure the number of
entries is within the MAX number of PRP entries for a page.

Signed-off-by: Padmakar Kalghatgi <p.kalghatgi@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
2021-04-12 08:55:20 +02:00
Klaus Jensen
a3d9f3a962 docs: add nvme emulation documentation
Remove the docs/specs/nvme.txt and replace it with proper documentation
in docs/system/nvme.rst.

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-04-12 07:05:31 +02:00
Daniel Henrique Barboza
2b18fc794f spapr.c: always pulse guest IRQ in spapr_core_unplug_request()
Commit 47c8c915b1 fixed a problem where multiple spapr_drc_detach()
requests were breaking QEMU. The solution was to just spapr_drc_detach()
once, and use spapr_drc_unplug_requested() to filter whether we already
detached it or not. The commit also tied the hotplug request to the
guest in the same condition.

Turns out that there is a reliable way for a CPU hotunplug to fail. If a
guest with one CPU hotplugs a CPU1, then offline CPU0s via 'echo 0 >
/sys/devices/system/cpu/cpu0/online', then attempts to hotunplug CPU1,
the kernel will refuse it because it's the last online CPU of the
system. Given that we're pulsing the IRQ only in the first try, in a
failed attempt, all other CPU1 hotunplug attempts will fail, regardless
of the online state of CPU1 in the kernel, because we're simply not
letting the guest know that we want to hotunplug the device.

Let's move spapr_hotplug_req_remove_by_index() back out of the "if
(!spapr_drc_unplug_requested(drc))" conditional, allowing for multiple
'device_del' requests to the same CPU core to reach the guest, in case
the CPU core didn't fully hotunplugged previously.

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20210401000437.131140-3-danielhb413@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-04-12 12:27:14 +10:00
Daniel Henrique Barboza
d522cb52e6 spapr: rollback 'unplug timeout' for CPU hotunplugs
The pseries machines introduced the concept of 'unplug timeout' for CPU
hotunplugs. The idea was to circunvent a deficiency in the pSeries
specification (PAPR), that currently does not define a proper way for
the hotunplug to fail. If the guest refuses to release the CPU (see [1]
for an example) there is no way for QEMU to detect the failure.

Further discussions about how to send a QAPI event to inform about the
hotunplug timeout [2] exposed problems that weren't predicted back when
the idea was developed. Other QEMU machines don't have any type of
hotunplug timeout mechanism for any device, e.g. ACPI based machines
have a way to make hotunplug errors visible to the hypervisor. This
would make this timeout mechanism exclusive to pSeries, which is not
ideal.

The real problem is that a QAPI event that reports hotunplug timeouts
puts the management layer (namely Libvirt) in a weird spot. We're not
telling that the hotunplug failed, because we can't be 100% sure of
that, and yet we're resetting the unplug state back, preventing any
DEVICE_DEL events to reach out in case the guest decides to release the
device. Libvirt would need to inspect the guest itself to see if the
device was released or not, otherwise the internal domain states will be
inconsistent.  Moreover, Libvirt already has an 'unplug timeout'
concept, and a QEMU side timeout would need to be juggled together with
the existing Libvirt timeout.

All this considered, this solution ended up creating more trouble than
it solved. This patch reverts the 3 commits that introduced the timeout
mechanism for CPU hotplugs in pSeries machines.

This reverts commit 4515a5f786
"qemu_timer.c: add timer_deadline_ms() helper"

This reverts commit d1c2e3ce3d
"spapr_drc.c: add hotunplug timeout for CPUs"

This reverts commit 51254ffb32
"spapr_drc.c: introduce unplug_timeout_timer"

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1911414
[2] https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg04682.html

CC: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20210401000437.131140-2-danielhb413@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-04-12 12:27:14 +10:00
Peter Maydell
555249a59e x86 and CPU bug fixes for 6.0-rc3
* Add missing features to EPYC-Rome CPU model (Babu Moger)
 * Fix crash with "-device ...-cpu-core,help" (Greg Kurz)
 -----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEEWjIv1avE09usz9GqKAeTb5hNxaYFAmBwtwIUHGVoYWJrb3N0
 QHJlZGhhdC5jb20ACgkQKAeTb5hNxaaNqBAAh+v/wxP3Rx2K58Da2FDfk9+he3cB
 ggBE/XbtRZl2awMiiO7Dthxjogika4tqN9Xo6x1T20/IZRsZur7waKE8goJoka/e
 5fni3Vq2A+DUFYZvfoUdsYBgBohZcoD3UlXjcSNl0G1liPGqGgR66XgD4e4eNT+C
 nd80VtwacK/xo/lW/mO+fk8j9zoiuGHjIoophyK8axurPxCC3WWXY5KGjZEAq7NA
 1pBHdHAZDB//oNdmm1FIcHhPDZpJ2OIrhYkrH4MEY2qe4NfP6KA71kCAHgfyrbX3
 d8/qa2bMg8CfvqABkWj1jKRUJPmwxJxpuTW1V5ve6u5GD1BIXeOaTzuD1NCp77ry
 o4FwFewpJtHQDbWXUAMbIQ/rBH4Rl1l3ABAPNliUY85Y4odXquU0hPk/4Jfj68v3
 3mbYECkD24N7Kev+cAec6BRplu2WkDSYKPpaiXr0Nu5IOcL5huT2qDORvTJDF3lz
 At7KDcmd+B+IyorL/A6eWIJ42qte+4zG1ILBRTcR0FyqHCFWv5yqjbfFEkYgBImf
 UBmxCdROnKz0Q1TSZporzm19kPBSo692kNWl8EtwTooEB+YjZOBSIC+AhjbNRWZu
 7UrUPRc2Vbu7P/C52XVUIpY52RS09Afv1FcARj621h0HzWibqWUYMmG5zXt9y33k
 GJrN/YwFZTpgSbY=
 =KMA5
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/ehabkost-gl/tags/x86-next-pull-request' into staging

x86 and CPU bug fixes for 6.0-rc3

* Add missing features to EPYC-Rome CPU model (Babu Moger)
* Fix crash with "-device ...-cpu-core,help" (Greg Kurz)

# gpg: Signature made Fri 09 Apr 2021 21:20:18 BST
# gpg:                using RSA key 5A322FD5ABC4D3DBACCFD1AA2807936F984DC5A6
# gpg:                issuer "ehabkost@redhat.com"
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" [full]
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost-gl/tags/x86-next-pull-request:
  cpu/core: Fix "help" of CPU core device types
  i386: Add missing cpu feature bits in EPYC-Rome model

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-10 16:58:56 +01:00
Greg Kurz
0b47ec4b95 cpu/core: Fix "help" of CPU core device types
Calling qdev_get_machine() from a QOM instance_init function is
fragile because we can't be sure the machine object actually
exists. And this happens to break when passing ",help" on the
command line to get the list of properties for a CPU core
device types :

$ ./qemu-system-ppc64 -device power8_v2.0-spapr-cpu-core,help
qemu-system-ppc64: ../../hw/core/machine.c:1290:
 qdev_get_machine: Assertion `machine != NULL' failed.
Aborted (core dumped)

This used to work before QEMU 5.0, but commit 3df261b667
unwillingly introduced a subtle regression : the above command
line needs to create an instance but the instance_init function
of the base class calls qdev_get_machine() before
qemu_create_machine() has been called, which is a programming bug.

Use current_machine instead. It is okay to skip the setting of
nr_thread in this case since only its type is displayed.

Fixes: 3df261b667 ("softmmu/vl.c: Handle '-cpu help' and '-device help' before 'no default machine'")
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Cc: peter.maydell@linaro.org
Message-Id: <20210409160339.500167-3-groug@kaod.org>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2021-04-09 16:05:16 -04:00
Babu Moger
cdeaed2778 i386: Add missing cpu feature bits in EPYC-Rome model
Found the following cpu feature bits missing from EPYC-Rome model.
ibrs    : Indirect Branch Restricted Speculation
ssbd    : Speculative Store Bypass Disable

These new features will be added in EPYC-Rome-v2. The -cpu help output
after the change.

x86 EPYC-Rome             (alias configured by machine type)
x86 EPYC-Rome-v1          AMD EPYC-Rome Processor
x86 EPYC-Rome-v2          AMD EPYC-Rome Processor

Reported-by: Pankaj Gupta <pankaj.gupta@cloud.ionos.com>
Signed-off-by: Babu Moger <babu.moger@amd.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@cloud.ionos.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: David Edmondson <david.edmondson@oracle.com>
Message-Id: <161478622280.16275.6399866734509127420.stgit@bmoger-ubuntu>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2021-04-09 16:02:18 -04:00
Peter Maydell
836b36af93 Block layer fixes
- mirror: Fix job-complete race condition causing unexpected errors
 - fdc: Fix 'fallback' property on sysbus floppy disk controllers
 - rbd: Fix memory leaks
 - iotest improvements
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmBwfRcRHGt3b2xmQHJl
 ZGhhdC5jb20ACgkQfwmycsiPL9afvA/9Ek5sr95gYMWz+4XuuaeVYjCwyrcEv3WX
 +zZNCwT/lcbmKAmkKwuHcU9nDpEfeRZ2nmJB1rhCKIdya/qWhLyJKRY7s8Ip8W8h
 uhWz+LIoo8q/ZGcxIDlkyazr8s5qQMSZtvBkb/QSi2h8yhwY8wf1dIk2J3IgB2wf
 JjZaZIyGpUYnfDmYncnTduGUOKrgHPNaSagGbis9OFqd8jqdcCt9vb+jDNYa29st
 e5223MUpjHilhdvrM7lCNX8wTcximTeZfXnBvZd87MQXIoitl3jb9Da0qTLZyo/b
 uGORfRs2DXldFgdHAf699KDWjVGieGnMKUQkP3vgFtrUDd4xfj1lRWBmnKolBwng
 4ku9cP8tqRIA7y6LFJX/ExxeR48AwbbMbsQIJNj3mjez49HRlGPMGVRYonCWK9B6
 /XQF8FD+Xk9Ivua6rMRXK7IHMqdJGKIiTvDf1frwg1qbYPrPOAOu9F3h/ybGQQhb
 GxQHQccAinmcDco0PSoJnqe/3ukyuSOrV4Bf/JZpo9pIJau3By4XphLmu35JdBhh
 B+xVUBr7k3SQ/s/DLRnuunRPZGHMGY+Cf9v0dqvTKDEmStdrctfyTshjP01LDsex
 zBmDLFIyzmFwwz14atNP6kusce8H4XIbC6x51DV2jNG01OL4PcTVQaCDmDTsYqlY
 Yi3HfzSG9Ng=
 =948n
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer fixes

- mirror: Fix job-complete race condition causing unexpected errors
- fdc: Fix 'fallback' property on sysbus floppy disk controllers
- rbd: Fix memory leaks
- iotest improvements

# gpg: Signature made Fri 09 Apr 2021 17:13:11 BST
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  test-blockjob: Test job_wait_unpaused()
  job: Allow complete for jobs on standby
  mirror: Do not enter a paused job on completion
  mirror: Move open_backing_file to exit_common
  hw/block/fdc: Fix 'fallback' property on sysbus floppy disk controllers
  iotests: Test mirror-top filter permissions
  iotests: add test for removing persistent bitmap from backing file
  iotests/qsd-jobs: Filter events in the first test
  block/rbd: fix memory leak in qemu_rbd_co_create_opts()
  block/rbd: fix memory leak in qemu_rbd_connect()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-09 19:26:42 +01:00
Peter Maydell
471387aa14 One s390x fix:
- correctly handle the case where the guest ccw payload points to
   invalid memory areas
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEEw9DWbcNiT/aowBjO3s9rk8bwL68FAmBwaCESHGNvaHVja0By
 ZWRoYXQuY29tAAoJEN7Pa5PG8C+vcJsQAKJO6tlZx/dEr00FeuXN0J1o25pw1PtQ
 N2wgWn7hQ5KEvfppNxiiARlZY13ki94hoPNKGW+XISEoyZ9Zx1HsbhCYE80oa1SZ
 4paCbGj5sauTNjjMhuwrl3FlchszoC9oUg9Ev7GeGsFbtHP+gvR7X9giE3xfHjO4
 2AlghUVxo2N5IL3yEgmdTBWEbpSlqMm18yDn7cZsgYRr+s/cUNlTvhTcwR7PmYsK
 KnBFeM1PbOXl+8MqdP5xZevXpzhlUpIR+Dwfo1TcNKscj6hHE1GHJhAUGMDvDG/K
 4dair5/l4HxxaF2G4HvVU5dr4pJwZ1QXEvfpIykN2vGW6dwwP15xIknqgMCtEcU8
 MD7lpvGpq1x2ScEs2AIlK5ElD2vZiK3zZSYNah634f034RSIz6T3RFAKEMdVYmKJ
 6r3NqYp7ZCsIDHttOSzE9b+5mwU0FYx21XNCC2YNe1cHNqegfxCFefvggN+c7RGv
 /AZA7URPW11wj760ySeg1pzeTygtlpkwDU39UYTz/lG0vhkMPwOrd0R2njuL3jJy
 pIXAJZ9Ha6hYLNPFie81VrGLu/dBoLeKwqe70HYDMdPTafPtJRDAlvo8r6oc4FwG
 1y8fqrafSpFVZsmO0qWkoCUmObq+aQY1MnuASA8MoRDS+xVT6LXJVv/PWf1m0DjR
 wxYGQaRrFsnT
 =6cYM
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210409' into staging

One s390x fix:
- correctly handle the case where the guest ccw payload points to
  invalid memory areas

# gpg: Signature made Fri 09 Apr 2021 15:43:45 BST
# gpg:                using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck-gitlab/tags/s390x-20210409:
  s390x: css: report errors from ccw_dstream_read/write

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-09 17:21:18 +01:00
Max Reitz
c2c731a4d3 test-blockjob: Test job_wait_unpaused()
Create a job that remains on STANDBY after a drained section, and see
that invoking job_wait_unpaused() will get it unstuck.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210409120422.144040-5-mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00
Max Reitz
53ddb9c892 job: Allow complete for jobs on standby
The only job that implements .complete is the mirror job, and it can
handle completion requests just fine while the job is paused.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1945635
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210409120422.144040-4-mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00
Max Reitz
00769414cd mirror: Do not enter a paused job on completion
Currently, it is impossible to complete jobs on standby (i.e. paused
ready jobs), but actually the only thing in mirror_complete() that does
not work quite well with a paused job is the job_enter() at the end.

If we make it conditional, this function works just fine even if the
mirror job is paused.

So technically this is a no-op, but obviously the intention is to accept
block-job-complete even for jobs on standby, which we need this patch
for first.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210409120422.144040-3-mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00
Max Reitz
c41f5b96ee mirror: Move open_backing_file to exit_common
This is a graph change and therefore should be done in job-finalize
(which is what invokes mirror_exit_common()).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210409120422.144040-2-mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00
Philippe Mathieu-Daudé
da64789d3a hw/block/fdc: Fix 'fallback' property on sysbus floppy disk controllers
Setting the 'fallback' property corrupts the QOM instance state
(FDCtrlSysBus) because it accesses an incorrect offset (it uses
the offset of the FDCtrlISABus state).

Cc: qemu-stable@nongnu.org
Fixes: a73275dd6f ("fdc: Add fallback option")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407133742.1680424-1-f4bug@amsat.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00
Max Reitz
f940b0ac6f iotests: Test mirror-top filter permissions
Add a test accompanying commit 53431b9086
("block/mirror: Fix mirror_top's permissions").

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210331122815.51491-1-mreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-04-09 18:00:29 +02:00