Commit Graph

45316 Commits

Author SHA1 Message Date
Markus Armbruster
d9d3aaea0b replay: Fix dangling location bug in replay_configure()
replay_configure() pushes and pops a Location with automatic storage
duration.  Except it fails to pop when -icount parameter "rr" isn't
given.  cur_loc then points to unused stack space, and will most
likely get clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.

Broken in commit 890ad55.

I didn't take the time to find a reproducer.

Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1461767349-15329-3-git-send-email-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
2016-04-28 08:19:20 +02:00
Markus Armbruster
37f32349ea QemuOpts: Fix qemu_opts_foreach() dangling location regression
qemu_opts_foreach() pushes and pops a Location with automatic storage
duration.  Except it fails to pop when @func() returns non-zero.
cur_loc then points to unused stack space, and will most likely get
clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.

Affects several qemu command line options as well as qemu-img,
qemu-io, qemu-nbd -object, and blkdebug's configuration file.

Broken in commit a4c7367, v2.4.0.

Reproducer:
    $ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar

main() reports "Property '.foo' not found" like this:

    if (qemu_opts_foreach(qemu_find_opts("object"),
                          user_creatable_add_opts_foreach,
                          object_create_delayed, &err)) {
        error_report_err(err);
        exit(1);
    }

cur_loc then points to where qemu_opts_foreach()'s Location used to
be, i.e. unused stack space.  With optimization, this Location doesn't
get clobbered for me, and also happens to be the correct location.
Without optimization, it does get clobbered in a way that makes
error_report_err() report no location.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1461767349-15329-2-git-send-email-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2016-04-28 08:18:56 +02:00
Gerd Hoffmann
f419a626c7 usb/uhci: move pid check
commit "5f77e06 usb: add pid check at the first of uhci_handle_td()"
moved the pid verification to the start of the uhci_handle_td function,
to simplify the error handling (we don't have to free stuff which we
didn't allocate in the first place ...).

Problem is now the check fires too often, it raises error IRQs even for
TDs which we are not going to process because they are not set active.

So, lets move down the check a bit, so it is done only for active TDs,
but still before we are going to allocate stuff to process the requested
transfer.

Reported-by: Joe Clifford <joe@thunderbug.co.uk>
Tested-by: Joe Clifford <joe@thunderbug.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1461321893-15811-1-git-send-email-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-25 12:05:05 +01:00
Peter Maydell
3123bd8ebf ppc patch queue for 2016-03-23
A single fix for a bug in parameter handling for the spapr PCI host
 bridge.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXGxxhAAoJEGw4ysog2bOSw3gQAK5hAFuvnqE0Liu40kHISq2B
 jraL4o/pRFekNN/2EP0miaSk5/s21e/fP1N+MR4CFQKC+mF5n9HdqjHE4hUVWlbg
 wI1n1xElvd9oafxTjeSbtxX/2t7tZ+60nu1GRcfaQwZcyK5bN4bTDOOWMu9MdOD9
 Z1iw6aBpouIDS2OTCzvsUfyGl34flRgs1HPShBEqOkBUK0szqTj+16sngBkyWSiU
 9Rlz7dqu6ziMYIju1EYr6gGbP8o0taV+h4B0H3sPKMQ1axqAWIs2quXza9dOH+zn
 fD8pcv6ubfmIeoTnaO8HWV/a3ai4LLLtEOnlKuy1ec5CAz2o01dVAvKTOQ1ngvD0
 HZ/s1j8o0UpsJ2KnpctXZQjG1udB7NwV8CouuRVv/JNvt6b7V+TDQaP0dwW6X/ZA
 QB3VAgu0BFq67YAnKIMdxWMljeCTrmXbYGgUnKNFzLxFO20fJpaCmwACCVmZi856
 nA+LmFcO2NTH8o2On6G0jffnvcwO5Vj3zAhhslXjatcDcfctxui4+D38j+pbPxLb
 UQjJXCd1m2RKZ9IQ/rukXwmBO9Eis+8ClNZcGeDIRV2zBKrH4c6Xmd80xXeqIH9f
 erj7NX6aMbnqYRFSc9lCnRD6PkIbXqhDDjkzFboK896QLrQsnsmeEs3D6ujShRsN
 2Au36PbuVfbFFbnQDYc0
 =MxYq
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160423' into staging

ppc patch queue for 2016-03-23

A single fix for a bug in parameter handling for the spapr PCI host
bridge.

# gpg: Signature made Sat 23 Apr 2016 07:55:29 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.6-20160423:
  hw/ppc/spapr: Fix crash when specifying bad parameters to spapr-pci-host-bridge

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-25 11:15:53 +01:00
Thomas Huth
da34fed707 hw/ppc/spapr: Fix crash when specifying bad parameters to spapr-pci-host-bridge
QEMU currently crashes when using bad parameters for the
spapr-pci-host-bridge device:

$ qemu-system-ppc64 -device spapr-pci-host-bridge,buid=0x123,liobn=0x321,mem_win_addr=0x1,io_win_addr=0x10
Segmentation fault

The problem is that spapr_tce_find_by_liobn() might return NULL, but
the code in spapr_populate_pci_dt() does not check for this condition
and then tries to dereference this NULL pointer.
Apart from that, the return value of spapr_populate_pci_dt() also
has to be checked for all PCI buses, not only for the last one, to
make sure we catch all errors.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-23 16:52:20 +10:00
Peter Maydell
53343338a6 Mirror block job fixes for 2.6.0-rc4
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXGjlRAAoJEH8JsnLIjy/WJJQQALIZnf9fSD7yIJcOYwM2+nBk
 EhQzoQfHz54lQHbB51IL0UyI5GYpM00waOpLNrPP2FiSN1o6BlGJ8Kf7+G5RGJKm
 h7a/0VDZu1BdIFmFN+KbBvPlZ5ZnICmgPwly0YwfuwL7SxGFiLCFB77sYLdU3dZ3
 JJVJgOe4GmpNTX2dvKxhqF4h/wUZi98UhGaJrsyGYZ4fnq08Qozd9tinDfaow93N
 zZLQrQQ1rFL+dyuMe7009Fob/oPtXqDSMCZliyNEd7hNv9X2b+/NM9vviAP4Fzgf
 fbbKJG630E8xAtD3eA/Q57G8SifilTNmAlMs90EtOjh6uMP4U5ADXxW7soKVD33f
 dU0ojMUu2/o6+sYQDJC6ud6FQgLHEH4TlCfo4/LT44y6IQimAmV1l2qbBpHmHb7J
 6dUsDlbcX5ZgFo9t3hSGWUBS0Yqhbrca5S6U/wiQE89QetQx7/JQFdEBAQU8v671
 rupLAASAZkpP9VsiCvNQnTnrGF/+kmb7NCrKR1hSGaSnV9qA+McATyCSCcfbLr0e
 SQsNNyRWEzvVvLxCCbb33+3jFBcOdL2UhWszG6AmWE9kjCVkxrwF/RmtTLiiVXrU
 G/H97Ew+7PzsDuH/Y8lU0n7FoV++0+6uw+FIJ+2+KxVtbLbbhTHUcn419vIQQzEL
 uWIk2Uj+b94cTMWWztGu
 =UwGA
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Mirror block job fixes for 2.6.0-rc4

# gpg: Signature made Fri 22 Apr 2016 15:46:41 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  mirror: Workaround for unexpected iohandler events during completion
  aio-posix: Skip external nodes in aio_dispatch
  virtio: Mark host notifiers as external
  event-notifier: Add "is_external" parameter
  iohandler: Introduce iohandler_get_aio_context

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-22 16:17:12 +01:00
Fam Zheng
ab27c3b5e7 mirror: Workaround for unexpected iohandler events during completion
Commit 5a7e7a0ba moved mirror_exit to a BH handler but didn't add any
protection against new requests that could sneak in just before the
BH is dispatched. For example (assuming a code base at that commit):

        main_loop_wait # 1
          os_host_main_loop_wait
            g_main_context_dispatch
              aio_ctx_dispatch
                aio_dispatch
                  ...
                    mirror_run
                      bdrv_drain
    (a)               block_job_defer_to_main_loop
          qemu_iohandler_poll
            virtio_queue_host_notifier_read
              ...
                virtio_submit_multiwrite
    (b)           blk_aio_multiwrite

        main_loop_wait # 2
          <snip>
                aio_dispatch
                  aio_bh_poll
    (c)             mirror_exit

At (a) we know the BDS has no pending request. However, the same
main_loop_wait call is going to dispatch iohandlers (EventNotifier
events), which may lead to a new I/O from guest. So the invariant is
already broken at (c). Data loss.

Commit f3926945c8 made iohandler to use aio API.  The order of
virtio_queue_host_notifier_read and block_job_defer_to_main_loop within
a main_loop_wait becomes unpredictable, and even worse, if the host
notifier event arrives at the next main_loop_wait call, the
unpredictable order between mirror_exit and
virtio_queue_host_notifier_read is also a trouble. As shown below, this
commit made the bug easier to trigger:

    - Bug case 1:

        main_loop_wait # 1
          os_host_main_loop_wait
            g_main_context_dispatch
              aio_ctx_dispatch (qemu_aio_context)
                ...
                  mirror_run
                    bdrv_drain
    (a)             block_job_defer_to_main_loop
              aio_ctx_dispatch (iohandler_ctx)
                virtio_queue_host_notifier_read
                  ...
                    virtio_submit_multiwrite
    (b)               blk_aio_multiwrite

        main_loop_wait # 2
          ...
                aio_dispatch
                  aio_bh_poll
    (c)             mirror_exit

    - Bug case 2:

        main_loop_wait # 1
          os_host_main_loop_wait
            g_main_context_dispatch
              aio_ctx_dispatch (qemu_aio_context)
                ...
                  mirror_run
                    bdrv_drain
    (a)             block_job_defer_to_main_loop

        main_loop_wait # 2
          ...
            aio_ctx_dispatch (iohandler_ctx)
              virtio_queue_host_notifier_read
                ...
                  virtio_submit_multiwrite
    (b)             blk_aio_multiwrite
              aio_dispatch
                aio_bh_poll
    (c)           mirror_exit

In both cases, (b) breaks the invariant wanted by (a) and (c).

Until then, the request loss has been silent. Later, 3f09bfbc7b added
asserts at (c) to check the invariant (in
bdrv_replace_in_backing_chain), and Max reported an assertion failure
first visible there, by doing active committing while the guest is
running bonnie++.

2.5 added bdrv_drained_begin at (a) to protect the dataplane case from
similar problems, but we never realize the main loop bug until now.

As a bandage, this patch disables iohandler's external events
temporarily together with bs->ctx.

Launchpad Bug: 1570134

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:44:09 +02:00
Fam Zheng
37989ced44 aio-posix: Skip external nodes in aio_dispatch
aio_poll doesn't poll the external nodes so this should never be true,
but aio_ctx_dispatch may get notified by the events from GSource. To
make bdrv_drained_begin effective in main loop, we should check the
is_external flag here too.

Also do the check in aio_pending so aio_dispatch is not called
superfluously, when there is no events other than external ones.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:59 +02:00
Fam Zheng
14560d69e7 virtio: Mark host notifiers as external
The effect of this change is the block layer drained section can work,
for example when mirror job is being completed.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:58 +02:00
Fam Zheng
54e18d35e4 event-notifier: Add "is_external" parameter
All callers pass "false" keeping the old semantics. The windows
implementation doesn't distinguish the flag yet. On posix, it is passed
down to the underlying aio context.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:56 +02:00
Fam Zheng
bcd82a968f iohandler: Introduce iohandler_get_aio_context
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-22 16:43:42 +02:00
Christoffer Dall
ee1e0f8e5d util: align memory allocations to 2M on AArch64
For KVM to use Transparent Huge Pages (THP) we have to ensure that the
alignment of the userspace address of the KVM memory slot and the IPA
that the guest sees for a memory region have the same offset from the 2M
huge page size boundary.

One way to achieve this is to always align the IPA region at a 2M
boundary and ensure that the mmap alignment is also at 2M.

Unfortunately, we were only doing this for __arm__, not for __aarch64__,
so add this simple condition.

This fixes a performance regression using KVM/ARM on AArch64 platforms
that showed a performance penalty of more than 50%, introduced by the
following commit:

9fac18f (oslib: allocate PROT_NONE pages on top of RAM, 2015-09-10)

We were only lucky before the above commit, because we were allocating
large regions and naturally getting a 2M alignment on those allocations
then.

Cc: qemu-stable@nongnu.org
Reported-by: Shih-Wei Li <shihwei@cs.columbia.edu>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: wrapped long line]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-22 12:26:01 +01:00
Eric Blake
df7b97ff89 nbd: Don't mishandle unaligned client requests
The NBD protocol does not (yet) force any alignment constraints
on clients.  Even though qemu NBD clients always send requests
that are aligned to 512 bytes, we must be prepared for non-qemu
clients that don't care about alignment (even if it means they
are less efficient).  Our use of blk_read() and blk_write() was
silently operating on the wrong file offsets when the client
made an unaligned request, corrupting the client's data (but
as the client already has control over the file we are serving,
I don't think it is a security hole, per se, just a data
corruption bug).

Note that in the case of NBD_CMD_READ, an unaligned length could
cause us to return up to 511 bytes of uninitialized trailing
garbage from blk_try_blockalign() - hopefully nothing sensitive
from the heap's prior usage is ever leaked in that manner.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1461249750-31928-1-git-send-email-eblake@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-22 11:55:35 +01:00
Peter Maydell
8d0d9b9f67 Update version for v2.6.0-rc3 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 17:46:50 +01:00
Aurelien Jarno
8d8fdbae01 tcg: check for CONFIG_DEBUG_TCG instead of NDEBUG
Check for CONFIG_DEBUG_TCG instead of NDEBUG, drop now useless code.

Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 1461228530-14852-2-git-send-email-aurelien@aurel32.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 15:43:20 +01:00
Aurelien Jarno
eabb7b91b3 tcg: use tcg_debug_assert instead of assert (fix performance regression)
The TCG code is quite performance sensitive, but at the same time can
also be quite tricky. That is why asserts that can be enabled with the
--enable-debug-tcg configure option.

This used to work the following way:

| #include "config.h"
|
| ...
|
| #if !defined(CONFIG_DEBUG_TCG) && !defined(NDEBUG)
| /* define it to suppress various consistency checks (faster) */
| #define NDEBUG
| #endif
|
| ...
|
| #include <assert.h>

Since commit 757e725b (tcg: Clean up includes) "config.h" as been
replaced by "qemu/osdep.h" which itself includes <assert.h>. As a
consequence the assertions are always enabled, even when using
--disable-debug-tcg, causing a performance regression, especially on
targets with many registers. For instance on qemu-system-ppc the
speed difference is about 15%.

tcg_debug_assert is controlled directly by CONFIG_DEBUG_TCG and already
uses in some places. This patch replaces all the calls to assert into
calss to tcg_debug_assert.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 1461228530-14852-1-git-send-email-aurelien@aurel32.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 15:41:47 +01:00
Sylvain Garrigues
b4850e5ae9 hw/arm/boot: always clear r0 when booting kernels
The 32-bit ARM Linux kernel booting ABI requires that r0 is 0
when calling the kernel image. A bug in commit 10b8ec73e6
meant that for boards which use the write_board_setup hook (which
means "highbank", "midway", "raspi2" and "xilinx-zynq-a9") we
were incorrectly skipping the "clear r0" instruction in the
mini-bootloader. Use the right offset in the "add lr, pc, #n"
instruction so that we return from the board-setup code to the
correct place.

Signed-off-by: Sylvain Garrigues <sylvain@sylvaingarrigues.com>
[PMM: Expanded commit message]
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 12:10:17 +01:00
Eduardo Habkost
81d9d1867f MAINTAINERS: Avoid using K: for NUMA section
When using K: in MAINTAINERS, false positives makes
get_maintainer.pl not use git history to find contributors. As
those patterns cause lots of false positives they are causing
more harm than good, so remove them.

Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-id: 1461164130-3847-1-git-send-email-ehabkost@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-21 11:40:57 +01:00
Peter Maydell
befbaf51ce Mirror block job fixes for 2.6.0-rc3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXF5irAAoJEH8JsnLIjy/WTfgP/1DtQEilrEx1XXdswkPwrgjN
 PmQmSwxUZTS8Pgy6Lul7SgXHUvghpWggLuCJyS5WnfTIOZVGo4NvD0rh+ajafgNt
 hCmlAiNB4u94u4j8lB50Yt7/6p0WGQa/1tm7OX41JlsOcs8s0UJHrnDcaaNhSRfq
 LJtcR1erTDD1H4jKjPvHQ921V0zG2TtSD1yZcqE2jNDsY4F4de4g60WAhYvyW5TE
 Oj6lj7VutpJ1nkpROdMbnZUdoSQaXFBJDCPGJupIpRhg520jtPi3nJlZk7zyGdx0
 kD4PLJ3ktMP6sritTZC5066fHau0zHBU+ozqm0Zu5fHMm2/jPvyV9HOdblZ6pEno
 2S7RzUE1s+OUczXqHZucgC41TjyQgKk1/ZmYS3xH6UcFYwOLIM/D00FFOYUg9JoI
 Uqe/xcu/GepxOqYi6flR9iS3wJ38b0wbVhDEUfcssA8rHRG1YG62fUt/B1tQniDZ
 SPmmcemD+So9fW+CNhonjFcuin7MofoaAvMj83Ig1qkCxLpKDR+sMtzp9STv4Cla
 g0oxR1a/iGM6Ap0edN7sl1cAiuz0lZLGm4VSGK3E1oY2EHkS3RIOY5CGnlDSNw5j
 4DdX6aqTwqBSpqYtLFecwlGIeEj1lt0EB5q+SXx/JawQpI7Lxe9daiVxX2mtNgfv
 JA5eT4P6Z8abgtofTNCg
 =LKGF
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Mirror block job fixes for 2.6.0-rc3

# gpg: Signature made Wed 20 Apr 2016 15:56:43 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  iotests: Test case for drive-mirror with unaligned image size
  iotests: Add iotests.image_size
  mirror: Don't extend the last sub-chunk
  block/mirror: Refresh stale bitmap iterator cache
  block/mirror: Revive dead yielding code

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-20 16:43:53 +01:00
Peter Maydell
fa59dd9582 Xen 2016/04/20
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXF2NIAAoJEIlPj0hw4a6QWekP/R80xwlEB5vsCpedpVy2fEmb
 RCYbskUmC89s/T0ADXY9SflNzCqA4SOPc45ANN0Awq1oSHMLi9qanNkJDyPhdCGZ
 jZ4DhfWEy/2N77VHEqM4F6ks4+SZl6aKtQEjkpejWg+cQWnfMGisUvKDoiLe0mFH
 Bi8q+0XloJDZUnQpN+VGSII21gAP4sM18UNrv7NyMPGWlZmEVdf/ocxKxLplw7C5
 REDasr35TBBsOKxjleRlBXqPOu8sGR0KMWGrjW3KrCaXPTkgc/Wu6CIarW6hAIuh
 VMJQ5qQZvuTNa+c/B9kKLZ4+tzb+8E+tsrKDx57MLiGftmpQNwZHy3SIQ4ByTZRT
 nFtoEZMlN4kOK2kEFxzHavzfrw6UXhe66GGD4cZ5M7fq0pV/B9qQme07VpLh9t/R
 ydx8S1dHjNKuLAMwnGfeC4Vca6ae5JxB0gvtfvKvIsYCOq2kz22pK8oHX9cV+PWH
 3kVPWF94kPgsPIszWRWfdz4tKe3WQaOrtrAzBmhl9zHezDnuwRYSQvaf+FvI0vI3
 6+Y9QAxV33aOqgDI59ibuitfHPbzI93VOWA1StL++MGET2aVDdsFwuvetW1H5M8J
 0cr0lTo7Ij7iLJISYYEOkwrQZPxxW3p7NKrq9uq/7+hG1F85vQDjvdlnp0jV9g1O
 a2gTRPfMmghtWkVV+fdE
 =p2hJ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/sstabellini/tags/xen-2016-04-20' into staging

Xen 2016/04/20

# gpg: Signature made Wed 20 Apr 2016 12:08:56 BST using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"

* remotes/sstabellini/tags/xen-2016-04-20:
  xenfb: use the correct condition to avoid excessive looping

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-20 16:16:55 +01:00
Fam Zheng
8ca92f3c06 iotests: Test case for drive-mirror with unaligned image size
This is the regression test for the virtual size mismatch issue between
target and source images.

[ kwolf: Added test_unaligned_with_update ]

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
2016-04-20 16:52:55 +02:00
Fam Zheng
74f69050fe iotests: Add iotests.image_size
This retrieves the virtual size of the image out of qemu-img info.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-20 16:52:55 +02:00
Fam Zheng
4150ae60eb mirror: Don't extend the last sub-chunk
The last sub-chunk is rounded up to the copy granularity in the target
image, resulting in a larger size than the source.

Add a function to clip the copied sectors to the end.

This undoes the "wrong" changes to tests/qemu-iotests/109.out in
e5b43573e2. The remaining two offset changes are okay.

[ kwolf: Use DIV_ROUND_UP to calculate nb_chunks now ]

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
2016-04-20 16:52:55 +02:00
Max Reitz
f27a274259 block/mirror: Refresh stale bitmap iterator cache
If the drive's dirty bitmap is dirtied while the mirror operation is
running, the cache of the iterator used by the mirror code may become
stale and not contain all dirty bits.

This only becomes an issue if we are looking for contiguously dirty
chunks on the drive. In that case, we can easily detect the discrepancy
and just refresh the iterator if one occurs.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-20 16:52:55 +02:00
Max Reitz
9c83625bdd block/mirror: Revive dead yielding code
mirror_iteration() is supposed to wait if the current chunk is subject
to a still in-flight mirroring operation. However, it mixed checking
this conflict situation with checking the dirty status of a chunk. A
simplification for the latter condition (the first chunk encountered is
always dirty) led to neglecting the former: We just skip the first chunk
and thus never test whether it conflicts with an in-flight operation.

To fix this, pull out the code which waits for in-flight operations on
the first chunk of the range to be mirrored to settle.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-04-20 16:52:55 +02:00
Peter Maydell
4113b0532d qemu-ga patch queue for 2.6
* fixes inadvertant change that unconditionally disables qemu-ga unit test
 * fixes make check failures when building with --disable-guest-agent that
   were present visible before the unit test was inadvertantly disabled.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXFrFxAAoJEDNTyc7xCLWEfyQH/0BvK/wpiPxGUwVBdlVJeTGW
 +PbkoB337KAyJj8AgHwACjN8KMZ2cGWVazsMRsDgFc5+RntPwLgeq/s9OFOeUoPX
 oonH9oaMa4V8DR1XfnfbU9sPUiaupwzUQ85NZVNB1CsRtRKY/VhHf2I2ay0IEPDZ
 0AM6VDbLrk5D2mVcbQk05khKjx6F1UpFHGlrynHTVYICmc4G9zUUanXO2I2QmdgF
 H+SA3yEyVuwJj2R9jjlVJkykymzowIO5a1rjrR2bVXnsKlIYwtHF4UdtnhuslFxP
 ONt3v3nRCN557yQMkXYaKaABYKgYQl0kKuueUXmlYY0EFHI5EkL8iphQlwYCssk=
 =OvH2
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mdroth/tags/qga-pull-2016-04-19-tag' into staging

qemu-ga patch queue for 2.6

* fixes inadvertant change that unconditionally disables qemu-ga unit test
* fixes make check failures when building with --disable-guest-agent that
  were present visible before the unit test was inadvertantly disabled.

# gpg: Signature made Tue 19 Apr 2016 23:30:09 BST using RSA key ID F108B584
# gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
# gpg:                 aka "Michael Roth <mdroth@utexas.edu>"
# gpg:                 aka "Michael Roth <mdroth@linux.vnet.ibm.com>"

* remotes/mdroth/tags/qga-pull-2016-04-19-tag:
  qemu-ga: do not run qga test when guest agent disabled

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-20 15:05:19 +01:00
Peter Maydell
fe98b18b6f -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQIcBAABAgAGBQJXFlyRAAoJEL2+eyfA3jBXVSoP/iU/1FzrNeDTKtCkmUAXdzb4
 ixhvEvwhAQJQ19SHIK31FTD+hfEZO7hV9XKIDlzOPG5Qy4K2dVQEEjrgruWp3eHs
 2wrOVUqN366KVw2db2JFrd2aGMJq3d84nYHlGauYa/hTxAEoptGIuyHE0ACMrF76
 Kv0APsYlAPwU1Qmkr0GnNz7Cbfrlec+gq7ZL7vxj4odOcdQCtc1JdUpvK3BmFunh
 k+hIooUEzK7/6EUjpgjEjlbNQELdXhm8fnLXAS7/RA32LML1heg7W696BS4EkFcI
 NospLIzwmQU+6HkSaq3TDK4rf7f84N3Cxf8aFFZB+aatmhfu37lacKYsGJXga10M
 GWkj7T6JNZMH9eB5J67Garv0lwYxVSGxK+VrNqH/EcHGkzFerGAQbTXzzfkfrr5J
 rGrcD+bctjLWk4HXU1MyZ0PLjgva9dRinYBCSIM5KK1v6yc4mwSAwuIuf4uQIlkL
 gDBvqtzd9BPHWwOjO20Txk+sinz+No+ZPOHdPw1yRU/zJR0gtFytFnxx1xvtOvfX
 k94/aOQq+BBFY/hx3bI2fWI5zz0uS8Yf8WQ21Da2oirCLTOQqbpRd+7ZprcyugCE
 MQzY2om4y5b6aIKvvnU2e5BZbiHkagOmlTdf8nBietixEi8anizJT4AGLCGPgMeE
 Ur+TxJYxnm5yavYnB5/e
 =QJoE
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into staging

# gpg: Signature made Tue 19 Apr 2016 17:28:01 BST using RSA key ID C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg:                 aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg:                 aka "Jeffrey Cody <codyprime@gmail.com>"

* remotes/cody/tags/block-pull-request:
  block/gluster: prevent data loss after i/o error
  block/gluster: code movement of qemu_gluster_close()
  block/gluster: return correct error value

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-20 14:42:09 +01:00
Yang Hongyang
fb91f30bb9 qemu-ga: do not run qga test when guest agent disabled
When configure with --disable-guest-agent, make check will fail with:
ERROR:tests/test-qga.c:74:fixture_setup: assertion failed (error == NULL):
 Failed to execute child process "/home/xx/qemu/qemu-ga" (No such file or
directory) (g-exec-error-quark, 8)
make: *** [check-tests/test-qga] Error 1

This check was commented out by bab47d9a75. I think that was by
mistake, because the commit message of that commit didn't mention
this change.

Signed-off-by: Yang Hongyang <hongyang.yang@easystack.cn>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
2016-04-19 16:51:15 -05:00
Peter Maydell
1f7685fafa Update language files for QEMU 2.6.0
Update translation files (change created via 'make -C po update').

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1461059023-14470-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Stefan Weil <sw@weilnetz.de>
2016-04-19 18:41:25 +01:00
Jeff Cody
d85fa9eb87 block/gluster: prevent data loss after i/o error
Upon receiving an I/O error after an fsync, by default gluster will
dump its cache.  However, QEMU will retry the fsync, which is especially
useful when encountering errors such as ENOSPC when using the werror=stop
option.  When using caching with gluster, however, the last written data
will be lost upon encountering ENOSPC.  Using the write-behind-cache
xlator option of 'resync-failed-syncs-after-fsync' should cause gluster
to retain the cached data after a failed fsync, so that ENOSPC and other
transient errors are recoverable.

Unfortunately, we have no way of knowing if the
'resync-failed-syncs-after-fsync' xlator option is supported, so for now
close the fd and set the BDS driver to NULL upon fsync error.

Signed-off-by: Jeff Cody <jcody@redhat.com>
2016-04-19 12:24:59 -04:00
Jeff Cody
5d4343e6c2 block/gluster: code movement of qemu_gluster_close()
Move qemu_gluster_close() further up in the file, in preparation
for the next patch, to avoid a forward declaration.

Signed-off-by: Jeff Cody <jcody@redhat.com>
2016-04-19 12:24:59 -04:00
Jeff Cody
a882745356 block/gluster: return correct error value
Upon error, gluster will call the aio callback function with a
ret value of -1, with errno set to the proper error value.  If
we set the acb->ret value to the return value in the callback,
that results in every error being EPERM (i.e. 1).  Instead, set
it to the proper error result.

Reviewed-by: Niels de Vos <ndevos@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
2016-04-19 12:24:59 -04:00
Peter Maydell
d4dffa4a3f fw_cfg: Adopt /opt/RFQDN convention
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXFj08AAoJEDhwtADrkYZTvk0QALsga9BxGqPdCySItAab/cKf
 3GbGYJw/R8SbeG7Ewnqu6+TKV0/5ubXAePCJHNQ/J7CF43Y8LwQDkYHuxvejiedy
 qTF3380vRWIK+cHvRZigXMeT81pvXRy33axB+d4eAelUHtw5+OPFVNfmBiH64s9t
 Z9MeVXvVk4ue76QcdzMQi8Gdv0/VJAt7iT4Qt9ZVYoDHfZzKCgfxplPLsJOAIgCx
 NWxIFpkSI8WOT42miIyYMxJwwVi7bz30Ql/BjC2kSX9hjfCjhBorhOF+cMCU4t5C
 jo0qqqafUSBe1eMU62wvbB3rjcLGXOs254S5Hsdf8Hjs6yzzod+c04EF/ZeU51sP
 LHc/GL6t3T9jjuXQJLVOyKxvSkwnouIfS1JLZ5u026ATWN9HkKAlvTOnAcd42LBB
 6Hmm5wicsax9faIXUfpCTYN/MOoK11sCjk8PAr35oZ+p2p+hyJPrmO3FZh815P3n
 pfphqAYFtEzMcFidAzenTK7EPE3P6fTmgpiRJinNIu6yGkgkyIKFYI3UkdYKm16j
 9s6d0I//LM5Ot5z3xZJp/MrdpA+olEEapAvhmqFaM+ONuUI/PXGeP/6Ob+pgHbZI
 RMbT8UXVj7X6WvWq7YP+IlzWcUMgrQfG998VUEcerzIsKh+fJ8OzqsZWSmDHQB5l
 Vr4ARfcxiaF6VCenK83y
 =doRe
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/armbru/tags/pull-fw_cfg-2016-04-19' into staging

fw_cfg: Adopt /opt/RFQDN convention

# gpg: Signature made Tue 19 Apr 2016 15:14:20 BST using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/pull-fw_cfg-2016-04-19:
  fw_cfg: Adopt /opt/RFQDN convention

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 15:25:20 +01:00
Markus Armbruster
63d3145aad fw_cfg: Adopt /opt/RFQDN convention
FW CFG's primary user is QEMU, which uses it to expose configuration
information (in the widest sense) to Firmware.  Thus the name FW CFG.

FW CFG can also be used by others for their own purposes.  QEMU is
merely acting as transport then.  Names starting with opt/ are
reserved for such uses.  There is no provision, however, to guide safe
sharing among different such users.

Fix that, loosely following QMP precedence: names should start with
opt/RFQDN/, where RFQDN is a reverse fully qualified domain name you
control.

Based on a more ambitious patch from Michael Tsirkin.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Gabriel L. Somlo <somlo@cmu.edu>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Gabriel Somlo <somlo@cmu.edu>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2016-04-19 16:09:50 +02:00
Peter Maydell
ef5d5641f5 ehci: fix (s)iTD looping issue (CVE-2015-8558) in a different way.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXFc6eAAoJEEy22O7T6HE4jOsQAInCKNSK7UbHEqAxcNt9v9jB
 7wrv87tiNYRQrFE46oLcvQdVfggW0Dml2xX8Isrmm44DKd7pZzliklHqlAIiyX2Z
 KyjrEjpTLJ3hMAHD9UbiCg4u69W4gWNTGhHtzYUCfRMwTfIawhKwUSce61ZscZEo
 Brb9hJa6mPULSey7LvFTlqEAH9qMiKTV53jZ4t/mcBNwICtOmPzxoQkegNxoFP6u
 k0gHdI9V2uwfDGlnyXKY38CytE08C+JB2CL4OggGeF6VFZDxeYZJc6pEiGhepFyE
 PPt5blBNyHxPvYXtCJp+K94IfhJB2iDGuBFL8SuMVtmE6FGDKGlCgZrV32TcCxxU
 nDK7hdbhz3wnpvlcc5L5xXe3bAyFyasWQ5BGtamgwyG/U+3WYm9A+j5nNXyI8f3A
 IWfR84XfuynNIHn+eCrHZHkby7x+U9IQ2yeb/2vwUj4ddGGo2nCnqjqVnh2CFWoW
 HWPLhQi0sjCN2/Sfokxh8Dm9lTDrUTz5tyZhPQUw4xzrpPdDbkQkAruO9MJmulRz
 D24s8AObL4s/0CKRbN/U3dzE9oxqJ0V++zGbdPyg8QFaPczXruGSrHCPxQjY3rto
 JEjNanI01Nl0TcA7EquTxjVsZdeGSEGuhBnx7qJO2LtjMbcOrHZg4vGXIyI1Oc6N
 F0RYHVSQibOwLG0r9pQi
 =Y5Gl
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160419-1' into staging

ehci: fix (s)iTD looping issue (CVE-2015-8558) in a different way.

# gpg: Signature made Tue 19 Apr 2016 07:22:22 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20160419-1:
  Revert "ehci: make idt processing more robust"
  ehci: apply limit to iTD/sidt descriptors

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 12:10:30 +01:00
Peter Maydell
bb97bfd901 ppc patch queueu for 2016-04-19
A single fix for a regression since 2.5.  This should be the last ppc
 pull request for 2.6.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXFY5uAAoJEGw4ysog2bOS1MgQAIKbBZPcKZeu7k8zVik6tObc
 N7T3xrzZC0zMJEB9uu8m2ULsHhk7NMs2nl951q8ofHeufYtMUVwrmvML90+09wrL
 brq08o0fHxyzWLmadwyHW8YuY5rTB1rsPTfUM+nUblS8n3LdcI2C8xBR6+Zvdjfj
 /4znUujytbxyncVgQR624Y0TXDFD3+EzYSnF9mEGMpXG4DLoIZpltFR1XwSf0Izz
 MkUeyPuXacapXofIKtJTPwmHDjetsElJTt4u85kw4XrjVeo9vXjBfZnbRIqd6jrM
 1dPz2oDYjNLU1TrpQtaXM54DXYyy+klpBbZbEBp0O43GRNWAtVDvK6XSpwHsScuE
 C/7wAIoMzNuGHrUnhmpkDJuJpulJuGiY0df+8me+K52NDaPgTeW0ZF1heGnMBQ3t
 7P2aSZ06Us047isGHYQpmvzf0ptLwn54i0Hh35ChXyrkCBHfA0DyRXhDbI+7GurA
 42quB8NZ8JeIoCtP0EPjYn532bDa8DKCegnNR6au+pkr9Ato4cDxO02JiINT4Y94
 +fMtvlWeHVGLuFVul/WRPYhzP7cRPvrcswpL/iABjCXKpfyRrg11Pe0Wvmn1JLnX
 tMjPCd2K1fqwYMtJ2uCIlv4NpDofJIdKF+kgVe8/VAFlKM4SpA6F+IILOqIsZUR1
 pE+nmQ6KAfIhnH2rfxy6
 =+Eci
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160419' into staging

ppc patch queueu for 2016-04-19

A single fix for a regression since 2.5.  This should be the last ppc
pull request for 2.6.

# gpg: Signature made Tue 19 Apr 2016 02:48:30 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.6-20160419:
  cuda: fix off-by-one error in SET_TIME command

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 11:15:32 +01:00
Michael S. Tsirkin
5eb0b194e9 cadence_uart: bounds check write offset
cadence_uart_init() initializes an I/O memory region of size 0x1000
bytes.  However in uart_write(), the 'offset' parameter (offset within
region) is divided by 4 and then used to index the array 'r' of size
CADENCE_UART_R_MAX which is much smaller: (0x48/4).  If 'offset>>=2'
exceeds CADENCE_UART_R_MAX, this will cause an out-of-bounds memory
write where the offset and the value are controlled by guest.

This will corrupt QEMU memory, in most situations this causes the vm to
crash.

Fix by checking the offset against the array size.

Cc: qemu-stable@nongnu.org
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20160418100735.GA517@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 11:13:59 +01:00
Peter Maydell
a087cc589d X86 fix for 2.6.0-rc3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJXFS83AAoJECgHk2+YTcWmsY0P/i0mp5enDW96iZpn9QjSX2ic
 lxqBLbLJSzCitWItrorlPiIdfkkxlOlREqvnGWL/TaB6HVgZy+nSLqa1+pa/xRAy
 d5rzoRECSN3vfhCg2E0/NdYYCmKkKlDL6shid34UxMe0QWR3bcvw/OxSiDRZZvw0
 uggADw4V5R7/XkcAWB8FyNXATDjaZx9kHKrpOJ6l7+yBTAXLwzI5rE7y2NleZ05l
 BJ02PcTF8RrUhHzDfGRBcYu4osoXSVKgMMNpzWA04gxxeVien7C6tT+MJrQ0xYd4
 Oj38IT96SPadnWjp6x7JKrvoAALBuaBasFp6M5LlhDO3Ir2SWnXQ4UcW046J75nw
 hQZ/cEDqOIk1v1tJtZZ8mNhMVyWTid7Qq73Ey29ALmVJnDBzga9bsjqjRs+5kAIy
 vCgLbU+xFYeqeiyKFkHis4gp2AYAxyt30s6CL6gPY1z1M8Idhkf8adlcj26jA1VW
 xF14AmDa2AyBwzP2CylJbazN6ZrNwz3qn2h5fPgqUmKp7pYIe84L9LVybM0HlXN4
 MgkA2WUkeX53Ghg3j07dw0L1vW5UYUNeZE1O1q5TS62mCUJWHdi/G83b6LnFfnJY
 xMzBOOBPgdlMRe5IXaL3RdTOm78MuOhOGVs1OQzyxe9GgJa2OiOftYOHDcuVDQmj
 KLJ82Z/2jxnjr5fO5AUc
 =9YsB
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging

X86 fix for 2.6.0-rc3

# gpg: Signature made Mon 18 Apr 2016 20:02:15 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"

* remotes/ehabkost/tags/x86-pull-request:
  target-i386: Set AMD alias bits after filtering CPUID data

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-19 10:11:17 +01:00
Gerd Hoffmann
a49923d283 Revert "ehci: make idt processing more robust"
This reverts commit 156a2e4dbf.

Breaks FreeBSD.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-19 08:20:56 +02:00
Gerd Hoffmann
1ae3f2f178 ehci: apply limit to iTD/sidt descriptors
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular iTD queue and let qemu ehci
emulation run in circles forever).  Unfortunately this has two problems:
First it misses the case of siTDs, and second it reportedly breaks
FreeBSD.

So lets go for a different approach: just count the number of iTDs and
siTDs we have seen per frame and apply a limit.  That should really
catch all cases now.

Reported-by: 杜少博 <dushaobo@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-19 08:18:27 +02:00
Aurelien Jarno
ed3d807b0a cuda: fix off-by-one error in SET_TIME command
With the new framework the cuda_cmd_set_time command directly receive
the data, without the command byte. Therefore the time is stored at
in_data[0], not at in_data[1].

This fixes the "hwclock --systohc" command in a guest.

Cc: Hervé Poussineau <hpoussin@reactos.org>
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Hervé Poussineau <hpoussin@reactos.org>
[this fixes a regression introduced by e647317 "cuda: port SET_TIME
 command to new framework"]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-19 11:39:23 +10:00
Eduardo Habkost
9997cf7bda target-i386: Set AMD alias bits after filtering CPUID data
QEMU complains about -cpu host on an AMD machine:
  warning: host doesn't support requested feature: CPUID.80000001H:EDX [bit 0]
For bits 0,1,3,4,5,6,7,8,9,12,13,14,15,16,17,23,24.

KVM_GET_SUPPORTED_CPUID and and x86_cpu_get_migratable_flags()
don't handle the AMD CPUID aliases bits, making
x86_cpu_filter_features() print warnings and clear those CPUID
bits incorrectly.

To avoid hacking x86_cpu_get_migratable_flags() to handle
CPUID_EXT2_AMD_ALIASES (just like the existing hack inside
kvm_arch_get_supported_cpuid()), simply move the
CPUID_EXT2_AMD_ALIASES code in x86_cpu_realizefn() after the
x86_cpu_filter_features() call.

This will probably make the CPUID_EXT2_AMD_ALIASES hack in
kvm_arch_get_supported_cpuid() unnecessary, too. The hack will be
removed in a follow-up patch after v2.6.0.

Reported-by: Radim Krčmář <rkrcmar@redhat.com>
Tested-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-04-18 15:49:17 -03:00
Peter Maydell
92b674b62a QOM CPUState and X86CPU
* MAINTAINERS cleanup
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJXFQn0AAoJEPou0S0+fgE/Mg8P/3y8/GsHMILGYoj8rrQdZrkP
 VAa06TELj6QQkk1A4R3NkceJD8CHPRcQfOlMC9Weo/z5ft81zv/55x152kVgz4r+
 H1VPvlvq0TTlv8ovTqQmbZNRNNySp3H4xLg3Cs+UbD9mFn2Zg147D5PXSYpb69q/
 W/YVRTU5DmcbH0KaukC3L2fYOHsj+gtQ3Mo9ibcpLnam2d3L1w4M7lJj1QZ19IjB
 dfdV4VvV4JBJ3havzosX7OMl2fJr7Y2zdEEoRR0n2Fx/jM5rFbLWPQkONKQO1CLU
 y/tIgOeN4BWfhSh4WcV5BdCja5rjgY/YxXVtnObRQcJrVZfIURHD23OelWxIfz9h
 ZK1NGW/qzpzq3GZcI+jLHZw1Q54ooNc62pIBfqRC20Dt+AUXtPEfKT/B2j9g4nMj
 /i2M5apzvSfre+615niJ91CD+K5QHbXpNrwvgjdYcn5bLwzhqJQDapTvk2dgv5RG
 AQ3WOCpw5Yfy0TxMe6Ks2dhqNOT+fLSx1W1OC1VdQXH6T9f87mVrN/zOUVGEWTte
 Oqy/+Q03Ns0uvoPcP2okf/9mopHyZ2mV6FfP2YOIYjEJ0NvDd0c0hGn5AnvER3CG
 DoyhYYz/WWqo3aY08gCIMMIagsIkRYKhGow7qgT3XLzJqXUTbIMfUBqFvx7GMEUz
 wibSkDRctzBe/MO8EQaz
 =Xnob
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' into staging

QOM CPUState and X86CPU

* MAINTAINERS cleanup

# gpg: Signature made Mon 18 Apr 2016 17:23:16 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-cpu-for-peter:
  MAINTAINERS: Drop target-i386 from CPU subsystem

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-18 17:42:59 +01:00
Andreas Färber
2e4cad2833 MAINTAINERS: Drop target-i386 from CPU subsystem
X86CPU QOM type is in good hands and actively maintained these days, so
drop it from the generic QOM CPU subsystem.

Some refactorings and design questions will still intersect, but review
and discussions of individual series can still take place while opting out
of general X86CPU patch review.

Acked-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2016-04-18 18:14:52 +02:00
Peter Maydell
6a6fa68ae2 Update OpenBIOS images
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQEcBAABAgAGBQJXFJ1DAAoJEFvCxW+uDzIfNz8H/2u5WrFM1OO2Xz+8zMU9BOhu
 RQOuxA4w7hlt4q4Eztfz74v0bCLlM3B6BRyAert4og1LEtloLXgfGBgVqdw+2OOd
 UTYz1D/T0Ke+Zthp4h1B6+9tAIz1N9J/wgJy5GXOD3Ckm/fgLNUwo9lFxdgkHY+u
 NTWVNrSdB7AVLyWMtG7nmDVhPB9tCLns5AZUS+J9KaBRSH3nLE/8hddEGAq6hX2x
 bTFhxp5BRS9nY6BY1h2x7vQFdEjbkq7QBAFzxpfmQrT+G9Wmk3gQfFq0LlKdOZPq
 lnNd+Smt0K2WJvIgyKaUU2JTnwZ/mJCx2CafkMd9ZdcZPd1qqbCiInzk1cGHf8U=
 =UN9W
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging

Update OpenBIOS images

# gpg: Signature made Mon 18 Apr 2016 09:39:31 BST using RSA key ID AE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"

* remotes/mcayland/tags/qemu-openbios-signed:
  Update OpenBIOS images

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-18 11:55:10 +01:00
Peter Maydell
ba3899507a ppc patch queue for 2-16-04-18
Three bugfixe patches for 2.6 here.
 * Two for bad implementation of some of the strong load/store
   instructions
 
 * One for bad migration of the XER register.  This is a regression
   from 2.5, cause by a change in the way we represent at XER during
   runtime.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXFG3PAAoJEGw4ysog2bOSK/sQAL4jHiB83e2ob5pah7NviaWX
 3pwbvS2IrZkyeaNGVP4Qv1sghukX9E2FO1LlzqhsRGPt+W7MpfAC5kI3AC48Ivbx
 8JmPNl9o/fkXpK5p+BI503v1dLg1hy8H8sQXCXyzmyjK/+rv7gJP/3xpgTnGxT58
 aFxIevEYxK6noesMJVlxcDRt1WU/YxXfcYSXJvR4lNYqOKMYAL+jOMCcGCFYnTN3
 VOQpbp4koLrJ76ULK6t4cSieQZPp+ofSh3Y6VBvFg8SctNTXK4q3ZaC/pE00KuUd
 AIWhsKe7D1qmL5iyhqeys9JVrTdVIzG25m5U1hhpKLtv1jV9G5EgTYHsDx2cZF/9
 0hqMP7APhtCdH0ol2Qb83uBErupNzXkytnHJbqhBc+3RAUPM/VizUv3PiGGXqhuy
 tJCxdRkp2L4fWYByN0/8/3BgA3kxHszJbhTOWX3VhiEBjSygfPWH0p6rciJrrQYC
 IaPBIlIkAyoxCRIv9xjEwHHshRL1O5FpAGRgxEm4TqC7z/dyQCV0bYOzMA+7NbCJ
 dXEhRusagqE8ooa+9lZVs2PvzcbcCQIbPYtjnF4phBsxut/cK/YuSC7wWw49CjWj
 EWL3VVuzbdE9v01QkAjKvIwtLboO2yPhmnrvsn6YmsmB999Do4hpJnZ536SAGXOF
 jqDjSiDKIzKoiCfmtBUX
 =AnCp
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160418' into staging

ppc patch queue for 2-16-04-18

Three bugfixe patches for 2.6 here.
* Two for bad implementation of some of the strong load/store
  instructions

* One for bad migration of the XER register.  This is a regression
  from 2.5, cause by a change in the way we represent at XER during
  runtime.

# gpg: Signature made Mon 18 Apr 2016 06:17:03 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.6-20160418:
  ppc: Fix migration of the XER register
  ppc: Fix the bad exception NIP value and the range check in LSWX
  ppc: Fix the range check in the LSWI instruction

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-18 11:11:45 +01:00
Peter Maydell
adde0204e4 seccomp branch queue
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXEotmAAoJEP0M/1sS+L0vzAEIAImgDVmrNVPLfN+JZ6JGbbPG
 VqcU2jJLF5caOv+VoGXgvfL03a7AlSAjoZ2ghf3ncokB7+81Z2h9kiskbR07VRNR
 bTCQley1xZyU2O8l8ckI5Lyc8vm+UmVwiDiMg93cH/kcbOaltz9xYu+PPrQTEQXG
 lvikpI/wIsyo3nveKBCvnzKUnz8mX7dyHwUD5J7cDAqfa6XuEkJLMbHAjIS3kr9Z
 UPC0olxrVil+HxCQUkQemwO+mhhgA6l+oqRNlDIwJU2d/e5HX43YWp6ETNkW8Bnd
 vI5tIM/tjjX32pqcMbcfpLC8wqSZPocxCSZgKV8a1OQyFXPu/v9QaP/qqGDezrI=
 =oVhZ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20160416' into staging

seccomp branch queue

# gpg: Signature made Sat 16 Apr 2016 19:58:46 BST using RSA key ID 12F8BD2F
# gpg: Good signature from "Eduardo Otubo (Software Engineer @ ProfitBricks) <eduardo.otubo@profitbricks.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC  3FDE FD0C FF5B 12F8 BD2F

* remotes/otubo/tags/pull-seccomp-20160416:
  seccomp: adding sysinfo system call to whitelist
  seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3
  configure: Enable seccomp sandbox for MIPS

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-18 10:22:44 +01:00
Peter Maydell
c6c598ca5f wxx patch queue
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJXESapAAoJEOCMIdVndFCtXcQP/2BM8Plo6IdkkToXrw01eZeN
 jnTBxFrFU1WCt/kNT1w9OXCm0YdQzzoi3iD5zt/PNjw13x7E8CPx0UeD2RHaFG3A
 qYLvSOXTIp7K7oumbVcwFtyIrf1uzG0Qn5A4iMGpUDFZTguYm4cW+uyJypyni9l9
 zcU1F/U1PcyCQi73j6uHsQUvCDk9oacc/TRTWKa5HPGlhzvNXWpSnfM34pmYperC
 bdOswH1DsqWL3LSkTVvcSNENE698whr8D7GlayBsAE2liRtUfrF3FlOT0Eo5Cg8v
 E/aLSSmfuTorPA23bY/158j5yF+oAlMl4DR/Nmv1+tA1d/gqxObU712JSO5zpFYj
 D2TZPCjjUXgqagcnz9QQ364jh4G9TETQwL6+mJkbiMxji/mO4R7yJIrHIzNwJ7v7
 xtLmxEqKqQr0tloRLjD1810kfQH0IZtp+lQM0s6BMWCVqspoDqtgpQVb7Xcmue4e
 Jerr5iXyKKvAoJXqIYLf5Eq3+jQJPdfgbkOhFZ0E6CYxMPP9AlJ9KizSkB+TEjHb
 qQvVB4m/BzmiuFzLRZyv4DWbkXyD0j+dQ54G4O32deu9BGxCBaKv7m5cwZV1XyMI
 A3qFK72LqakHRmMzZIEvHkze+ndNK82Ng5nJqBlrSIYU6l5H2RtY3Mp7EyiYVqJ3
 Mo3fzSN8sVjFQZCBj/1S
 =WMAY
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/weil/tags/pull-wxx-20160415' into staging

wxx patch queue

# gpg: Signature made Fri 15 Apr 2016 18:36:41 BST using RSA key ID 677450AD
# gpg: Good signature from "Stefan Weil <sw@weilnetz.de>"
# gpg:                 aka "Stefan Weil <stefan.weil@weilnetz.de>"
# gpg:                 aka "Stefan Weil <stefan.weil@bib.uni-mannheim.de>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2  B78A E08C 21D5 6774 50AD

* remotes/weil/tags/pull-wxx-20160415:
  wxx: Fix broken TCP networking (regression)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-04-18 09:55:16 +01:00
Mark Cave-Ayland
afc474863f Update OpenBIOS images
Update OpenBIOS images to SVN r1395 built from submodule.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2016-04-18 09:38:55 +01:00
Thomas Huth
aa378598fe ppc: Fix migration of the XER register
env->xer only holds the lower bits of the XER register nowadays, the
SO, OV and CA bits are stored in separate variables (see the function
cpu_write_xer() for details). Since the migration code currently only
reads the "xer" variable, the upper bits are lost during migration.
Fix it by using cpu_read_xer() instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-04-18 15:14:38 +10:00