Commits on May 24, 2016
  1. Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging

    
    X86 queue, 2016-05-23
    
    # gpg: Signature made Mon 23 May 2016 23:48:27 BST using RSA key ID 984DC5A6
    # gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
    
    * remotes/ehabkost/tags/x86-pull-request:
      target-i386: kvm: Eliminate kvm_msr_entry_set()
      target-i386: kvm: Simplify MSR setting functions
      target-i386: kvm: Simplify MSR array construction
      target-i386: kvm: Increase MSR_BUF_SIZE
      target-i386: kvm: Allocate kvm_msrs struct once per VCPU
      target-i386: Call cpu_exec_init() on realize
      target-i386: Move TCG initialization to realize time
      target-i386: Move TCG initialization check to tcg_x86_init()
      cpu: Eliminate cpudef_init(), cpudef_setup()
      target-i386: Set constant model_id for qemu64/qemu32/athlon
      pc: Set CPU model-id on compat_props for pc <= 2.4
      osdep: Move default qemu_hw_version() value to a macro
      target-i386: kvm: Use X86XSaveArea struct for xsave save/load
      target-i386: Use xsave structs for ext_save_area
      target-i386: Define structs for layout of xsave area
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    pm215 committed May 24, 2016
  2. Merge remote-tracking branch 'remotes/amit-migration/tags/migration-2.7-1' into staging

    
    migration fixes:
    
    - ensure src block devices continue fine after a failed migration
    - fail on migration blockers; helps 9p savevm/loadvm
    - move autoconverge commands out of experimental state
    - move the migration-specific qjson in migration/
    
    # gpg: Signature made Mon 23 May 2016 18:15:09 BST using RSA key ID 657EF670
    # gpg: Good signature from "Amit Shah <amit@amitshah.net>"
    # gpg:                 aka "Amit Shah <amit@kernel.org>"
    # gpg:                 aka "Amit Shah <amitshah@gmx.net>"
    
    * remotes/amit-migration/tags/migration-2.7-1:
      migration: regain control of images when migration fails to complete
      savevm: fail if migration blockers are present
      migration: Promote improved autoconverge commands out of experimental state
      migration/qjson: Drop gratuitous use of QOM
      migration: Move qjson.[ch] to migration/
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    pm215 committed May 24, 2016
  3. Merge remote-tracking branch 'remotes/amit-virtio-rng/tags/rng-2.7-1' into staging

    
    rng: rename RndRandom to RngRandom
    
    # gpg: Signature made Mon 23 May 2016 16:44:58 BST using RSA key ID 657EF670
    # gpg: Good signature from "Amit Shah <amit@amitshah.net>"
    # gpg:                 aka "Amit Shah <amit@kernel.org>"
    # gpg:                 aka "Amit Shah <amitshah@gmx.net>"
    
    * remotes/amit-virtio-rng/tags/rng-2.7-1:
      rng-random: rename RndRandom to RngRandom
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    pm215 committed May 24, 2016
  4. Merge remote-tracking branch 'remotes/xtensa/tags/20160523-opencores_eth' into staging

    
    opencores_eth cleanups:
    - use mii.h
    - reduce stack usage in open_eth_start_xmit.
    
    # gpg: Signature made Mon 23 May 2016 20:14:20 BST using RSA key ID F83FA044
    # gpg: Good signature from "Max Filippov <max.filippov@cogentembedded.com>"
    # gpg:                 aka "Max Filippov <jcmvbkbc@gmail.com>"
    
    * remotes/xtensa/tags/20160523-opencores_eth:
      hw/net/opencores_eth: Allocating Large sized arrays to heap
      hw/net/opencores_eth: use mii.h
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    pm215 committed May 24, 2016
Commits on May 23, 2016
  1. target-i386: kvm: Eliminate kvm_msr_entry_set()

    Inline the function inside kvm_msr_entry_add().
    
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Dec 16, 2015
  2. target-i386: kvm: Simplify MSR setting functions

    Simplify kvm_put_tscdeadline_msr() and
    kvm_put_msr_feature_control() using kvm_msr_buf and the
    kvm_msr_entry_add() helper.
    
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Dec 16, 2015
  3. target-i386: kvm: Simplify MSR array construction

    Add a helper function that appends new entries to the MSR buffer
    and checks for the buffer size limit.
    
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Dec 16, 2015
  4. target-i386: kvm: Increase MSR_BUF_SIZE

    We are dangerously close to the array limits in kvm_put_msrs()
    and kvm_get_msrs(): with the default mcg_cap configuration, we
    can set up to 148 MSRs in kvm_put_msrs(), and if we allow mcg_cap
    to be changed, we can write up to 236 MSRs.
    
    Use 4096 bytes for the buffer, that can hold 255 kvm_msr_entry
    structs.
    
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Dec 16, 2015
  5. target-i386: kvm: Allocate kvm_msrs struct once per VCPU

    Instead of using 2400 bytes in the stack for 150 MSR entries in
    kvm_get_msrs() and kvm_put_msrs(), allocate a buffer once for
    each VCPU.
    
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Dec 16, 2015
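The five kvm MSR commits above share one idea: size the per-VCPU MSR buffer from a byte budget, append through a helper that checks the limit, and stop putting the array on the stack. The following is an added example written for this page, not QEMU's target-i386/kvm.c. The two struct layouts mirror the Linux KVM UAPI (an 8-byte kvm_msrs header followed by 16-byte kvm_msr_entry records); the msr_buf_* names, the demo function and the constructed MSR indices are this example's own.

```c
/* Added example (not QEMU's target-i386/kvm.c): the MSR buffer arithmetic
 * from the commit messages, plus a bounded append in the spirit of the
 * kvm_msr_entry_add() helper. Struct layouts mirror the Linux KVM UAPI
 * (8-byte kvm_msrs header, 16-byte entries); msr_buf_* names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct kvm_msr_entry {                 /* 16 bytes */
    uint32_t index;
    uint32_t reserved;
    uint64_t data;
};

struct kvm_msrs_hdr {                  /* 8 bytes: the fields before entries[] */
    uint32_t nmsrs;
    uint32_t pad;
};

#define MSR_BUF_SIZE 4096              /* byte budget chosen in the commit */
#define MSR_BUF_CAPACITY \
    ((MSR_BUF_SIZE - sizeof(struct kvm_msrs_hdr)) / sizeof(struct kvm_msr_entry))

/* Allocated once per VCPU instead of ~2400 bytes on the stack per call. */
struct msr_buf {
    struct kvm_msrs_hdr  hdr;
    struct kvm_msr_entry entries[MSR_BUF_CAPACITY];
};

/* Compile-time check in the spirit of QEMU_BUILD_BUG_ON: the typed buffer
 * must fit the byte budget it was sized from. */
_Static_assert(sizeof(struct msr_buf) <= MSR_BUF_SIZE, "msr_buf exceeds MSR_BUF_SIZE");

static size_t msr_buf_capacity(void) { return MSR_BUF_CAPACITY; }

/* Stack bytes the old on-stack array cost for a given entry count. */
static size_t old_stack_bytes(size_t entries) { return entries * sizeof(struct kvm_msr_entry); }

static void msr_buf_reset(struct msr_buf *b) { memset(b, 0, sizeof *b); }

/* Append one MSR; refuse (return -1) instead of writing past entries[]. */
static int msr_entry_add(struct msr_buf *b, uint32_t index, uint64_t value)
{
    if (b->hdr.nmsrs >= MSR_BUF_CAPACITY) {
        return -1;
    }
    struct kvm_msr_entry *e = &b->entries[b->hdr.nmsrs++];
    e->index = index;
    e->reserved = 0;
    e->data = value;
    return 0;
}

/* Queue n constructed MSR indices; return how many the helper accepted. */
static size_t demo_fill(size_t n)
{
    static struct msr_buf buf;         /* stands in for the per-VCPU buffer */
    size_t accepted = 0;
    msr_buf_reset(&buf);
    for (size_t i = 0; i < n; i++) {
        if (msr_entry_add(&buf, 0xC0000000u + (uint32_t)i, (uint64_t)i) == 0) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("capacity of a %d-byte buffer: %zu entries\n", MSR_BUF_SIZE, msr_buf_capacity());
    printf("old stack cost for 150 entries: %zu bytes\n", old_stack_bytes(150));
    printf("236 MSRs (mcg_cap worst case) accepted: %zu\n", demo_fill(236));
    printf("300 MSRs attempted, accepted: %zu\n", demo_fill(300));
    return 0;
}
```

The numbers come out as the commit messages state them: (4096 - 8) / 16 gives 255 entries, 150 entries cost 2400 bytes on the stack, and both the 148-MSR default case and the 236-MSR worst case fit with headroom, while an attempt to queue more than 255 is refused rather than overrunning the array.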
  6. target-i386: Call cpu_exec_init() on realize

    QOM instance_init functions are not supposed to have any side-effects,
    as new objects may be created at any moment for querying property
    information (see qmp_device_list_properties()).
    
    Calling cpu_exec_init() also affects QEMU's ability to handle errors
    during CPU creation, as some actions done by cpu_exec_init() can't be
    reverted.
    
    Move cpu_exec_init() call to realize so a simple object_new() won't
    trigger it, and so that it is called after some basic validation of CPU
    parameters.
    
    Reviewed-by: Igor Mammedov <imammedo@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Feb 13, 2015
  7. target-i386: Move TCG initialization to realize time

    QOM instance_init functions are not supposed to have any side-effects,
    as new objects may be created at any moment for querying property
    information (see qmp_device_list_properties()).
    
    Move TCG initialization to realize time so it won't be called when just
    doing object_new() on a X86CPU subclass.
    
    Reviewed-by: Igor Mammedov <imammedo@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Feb 13, 2015
  8. target-i386: Move TCG initialization check to tcg_x86_init()

    Instead of requiring cpu.c to check if TCG was already initialized,
    simply let the function be called multiple times.
    
    Suggested-by: Igor Mammedov <imammedo@redhat.com>
    Reviewed-by: Igor Mammedov <imammedo@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Mar 5, 2015
  9. cpu: Eliminate cpudef_init(), cpudef_setup()

    x86_cpudef_init() doesn't do anything anymore, so cpudef_init(),
    cpudef_setup(), and x86_cpudef_init() can finally be removed.
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Oct 30, 2015
  10. target-i386: Set constant model_id for qemu64/qemu32/athlon

    Newer PC machines don't set hw_version, and older machines set
    model-id on compat_props explicitly, so we don't need the
    x86_cpudef_setup() code that sets model_id using
    qemu_hw_version() anymore.
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Apr 9, 2016
  11. hw/net/opencores_eth: Allocating Large sized arrays to heap

    open_eth_start_xmit has a huge stack usage of approximately 65536 bytes.
    Move large arrays to the heap to reduce stack usage.
    
    Reduce the size of the buffer allocated on the stack to 0x600 bytes, which is
    the maximal frame length when the HUGEN bit is not set in MODER, and only
    allocate a buffer on the heap when that is too small. Thus the heap is not
    used in the typical use case.
    
    Signed-off-by: Zhou Jie <zhoujie2011@cn.fujitsu.com>
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Zhou Jie committed with jcmvbkbc Apr 27, 2016
  12. hw/net/opencores_eth: use mii.h

    Drop local definitions of MII registers and use constants from mii.h for
    registers and register bits. No functional changes.
    
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    jcmvbkbc committed Apr 3, 2016
  13. migration: regain control of images when migration fails to complete

    We currently have an error path during migration that can cause
    the source QEMU to abort:
    
    migration_thread()
      migration_completion()
        runstate_is_running() ----------------> true if guest is running
        bdrv_inactivate_all() ----------------> inactivate images
        qemu_savevm_state_complete_precopy()
         ... qemu_fflush()
               socket_writev_buffer() --------> error because destination fails
             qemu_fflush() -------------------> set error on migration stream
      migration_completion() -----------------> set migrate state to FAILED
    migration_thread() -----------------------> break migration loop
      vm_start() -----------------------------> restart guest with inactive
                                                images
    
    and you get:
    
    qemu-system-ppc64: socket_writev_buffer: Got err=104 for (32768/18446744073709551615)
    qemu-system-ppc64: /home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.
    Aborted (core dumped)
    
    If we try postcopy with a similar scenario, we also get the writev error
    message but QEMU leaves the guest paused because entered_postcopy is true.
    
    We could possibly do the same with precopy and leave the guest paused.
    But since the historical default for migration errors is to restart the
    source, this patch adds a call to bdrv_invalidate_cache_all() instead.
    
    Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
    Message-Id: <146357896785.6003.11983081732454362715.stgit@bahia.huguette.org>
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    gkurz committed with Amit Shah May 18, 2016
  14. pc: Set CPU model-id on compat_props for pc <= 2.4

    Instead of relying on x86_cpudef_setup() calling
    qemu_hw_version(), just make old machines set model-id explicitly
    on compat_props for qemu64, qemu32, and athlon. This will allow
    us to eliminate x86_cpudef_setup() later.
    
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Apr 9, 2016
  15. osdep: Move default qemu_hw_version() value to a macro

    The macro will be used by code that will stop calling
    qemu_hw_version() at runtime and just need a constant value.
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Apr 9, 2016
  16. target-i386: kvm: Use X86XSaveArea struct for xsave save/load

    Instead of using offset macros and bit operations in a uint32_t
    array, use the X86XSaveArea struct to perform the loading/saving
    operations in kvm_put_xsave() and kvm_get_xsave().
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Nov 23, 2015
  17. target-i386: Use xsave structs for ext_save_area

    This doesn't introduce any change in the code, as the offsets and
    struct sizes match what was present in the table. This can be
    validated by the QEMU_BUILD_BUG_ON lines on target-i386/cpu.h,
    which ensures the struct sizes and offsets match the existing
    values in ext_save_area.
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Nov 28, 2015
  18. target-i386: Define structs for layout of xsave area

    Add structs that define the layout of the xsave areas used by
    Intel processors. Add some QEMU_BUILD_BUG_ON lines to ensure the
    structs match the XSAVE_* macros in target-i386/kvm.c and the
    offsets and sizes at target-i386/cpu.c:ext_save_areas.
    
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    ehabkost committed Nov 19, 2015
  19. savevm: fail if migration blockers are present

    QEMU currently has two ways to prevent migration from occurring:
    - migration blocker when it depends on runtime state
    - VMStateDescription.unmigratable when migration is not supported at all
    
    This patch gathers all the logic into a single function to be called from
    both the savevm and the migrate paths.
    
    This fixes a bug with 9p, at least, where savevm would succeed and the
    following would happen in the guest after loadvm:
    
    $ ls /host
    ls: cannot access /host: Protocol error
    
    With this patch:
    
    (qemu) savevm foo
    Migration is disabled when VirtFS export path '/' is mounted in the guest
    using mount_tag 'host'
    
    Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Message-Id: <146239057139.11271.9011797645454781543.stgit@bahia.huguette.org>
    
    [Update subject according to Paolo's suggestion - Amit]
    
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    gkurz committed with Amit Shah May 4, 2016
  20. Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

    
    * NMI cleanups (Bandan)
    * RAMBlock/Memory cleanups and fixes (Dominik, Gonglei, Fam, me)
    * first part of linuxboot support for fw_cfg DMA (Richard)
    * IOAPIC fix (Peter Xu)
    * iSCSI SG_IO fix (Vadim)
    * Various infrastructure bug fixes (Zhijian, Peter M., Stefan)
    * CVE fixes (Prasad)
    
    # gpg: Signature made Mon 23 May 2016 16:06:18 BST using RSA key ID 78C7AE83
    # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
    # gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
    
    * remotes/bonzini/tags/for-upstream: (24 commits)
      cpus: call the core nmi injection function
      nmi: remove x86 specific nmi handling
      target-i386: add a generic x86 nmi handler
      coccinelle: add g_assert_cmp* to macro file
      iscsi: pass SCSI status back for SG_IO
      esp: check dma length before reading scsi command(CVE-2016-4441)
      esp: check command buffer length before write(CVE-2016-4439)
      scripts/signrom.py: Check for magic in option ROMs.
      scripts/signrom.py: Allow option ROM checksum script to write the size header.
      Remove config-devices.mak on 'make clean'
      cpus.c: Use pthread_sigmask() rather than sigprocmask()
      memory: remove unnecessary masking of MemoryRegion ram_addr
      memory: Drop FlatRange.romd_mode
      memory: Remove code for mr->may_overlap
      exec: adjust rcu_read_lock requirement
      memory: drop find_ram_block()
      vl: change runstate only if new state is different from current state
      ioapic: clear remote irr bit for edge-triggered interrupts
      ioapic: keep RO bits for IOAPIC entry
      target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
      ...
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    pm215 committed May 23, 2016
  21. cpus: call the core nmi injection function

    We can call the common function here directly since
    x86 specific actions will be taken care of by the arch
    specific nmi handler.
    
    Signed-off-by: Bandan Das <bsd@redhat.com>
    Message-Id: <1463761717-26558-4-git-send-email-bsd@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Bandan Das committed with bonzini May 20, 2016
  22. nmi: remove x86 specific nmi handling

    nmi_monitor_handle is wired to call the x86 nmi
    handler. So, we can directly use it at call sites.
    
    Signed-off-by: Bandan Das <bsd@redhat.com>
    Message-Id: <1463761717-26558-3-git-send-email-bsd@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Bandan Das committed with bonzini May 20, 2016
  23. target-i386: add a generic x86 nmi handler

    Instead of having x86 ifdefs in core nmi code, this
    change adds an arch-specific handler that the nmi common
    code can call.
    
    Signed-off-by: Bandan Das <bsd@redhat.com>
    Message-Id: <1463761717-26558-2-git-send-email-bsd@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Bandan Das committed with bonzini May 20, 2016
  24. coccinelle: add g_assert_cmp* to macro file

    This helps applying semantic patches to unit tests.
    
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    bonzini committed May 18, 2016
  25. iscsi: pass SCSI status back for SG_IO

    Signed-off-by: Vadim Rozenfeld <vrozenfe@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Vadim Rozenfeld committed with bonzini May 13, 2016
  26. esp: check dma length before reading scsi command(CVE-2016-4441)

    The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
    FIFO buffer. It is used to handle command and data transfer.
    Routine get_cmd() uses DMA to read scsi commands into this buffer.
    Add a check to validate the DMA length against the buffer size to avoid any
    overrun.
    
    Fixes CVE-2016-4441.
    
    Reported-by: Li Qiang <liqiang6-s@360.cn>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
    Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Prasad J Pandit committed with bonzini May 19, 2016
  27. esp: check command buffer length before write(CVE-2016-4439)

    The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
    FIFO buffer. It is used to handle command and data transfer. While
    writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
    was missing to validate the input length. Add a check to avoid OOB write
    access.
    
    Fixes CVE-2016-4439.
    
    Reported-by: Li Qiang <liqiang6-s@360.cn>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
    Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Prasad J Pandit committed with bonzini May 19, 2016
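Both ESP fixes above are the same defensive pattern: a guest-controlled length must be checked against the fixed 16-byte FIFO before anything is copied into it. The block below is an added example written for this page, not QEMU's hw/scsi/esp.c. TI_BUFSZ is taken from the commit message; the cmd_fifo_* names, the reject-rather-than-clamp policy and the constructed sample lengths are this example's own assumptions.

```c
/* Added example (not QEMU's hw/scsi/esp.c): a 16-byte command FIFO with the
 * length checks the two ESP fixes describe. TI_BUFSZ comes from the commit
 * message; the cmd_fifo_* names and the reject-rather-than-clamp policy are
 * this example's own choices. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TI_BUFSZ 16                    /* internal FIFO size of the 53C9X */

struct cmd_fifo {
    uint8_t  cmdbuf[TI_BUFSZ];         /* fixed device buffer */
    uint32_t cmdlen;                   /* bytes queued so far, always <= TI_BUFSZ */
};

/* PIO path: the guest writes bytes into the command buffer. Returns the number
 * of bytes copied, or -1 if the write would run past cmdbuf. The check is
 * written as "len > space left" so a huge len cannot wrap a cmdlen + len sum. */
static int cmd_fifo_write(struct cmd_fifo *f, const uint8_t *src, uint32_t len)
{
    if (len > TI_BUFSZ - f->cmdlen) {
        return -1;                     /* out-of-bounds write refused */
    }
    memcpy(f->cmdbuf + f->cmdlen, src, len);
    f->cmdlen += len;
    return (int)len;
}

/* DMA path: the guest programs a transfer length, then the device pulls a
 * command into cmdbuf. Validate the programmed length before any copy. */
static int cmd_fifo_dma_get_cmd(struct cmd_fifo *f, const uint8_t *dma_src, uint32_t dma_len)
{
    if (dma_len > TI_BUFSZ) {
        return -1;                     /* overrun refused before the copy */
    }
    memcpy(f->cmdbuf, dma_src, dma_len);
    f->cmdlen = dma_len;
    return (int)dma_len;
}

/* Constructed sample bytes standing in for guest-written command data. */
static const uint8_t sample_cmd[TI_BUFSZ] = {
    0x12, 0x00, 0x00, 0x00, 0x24, 0x00, 0x28, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Feed a table of constructed lengths through the PIO path; return how many
 * writes were accepted. The last length would wrap a naive cmdlen + len check. */
static int demo_pio_writes(void)
{
    struct cmd_fifo f = { {0}, 0 };
    const uint32_t lens[] = { 6, 10, 1, 16, 0xFFFFFFF0u };
    int accepted = 0;
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        if (cmd_fifo_write(&f, sample_cmd, lens[i]) >= 0) {
            accepted++;
        }
    }
    return accepted;                   /* 6 and 10 fill the FIFO; the rest are refused */
}

/* DMA path with constructed lengths: 1 only if the in-range length is accepted
 * and both oversized lengths are refused. */
static int demo_dma_lengths(void)
{
    struct cmd_fifo f = { {0}, 0 };
    int ok_16   = cmd_fifo_dma_get_cmd(&f, sample_cmd, 16) == 16;
    int bad_17  = cmd_fifo_dma_get_cmd(&f, sample_cmd, 17) == -1;
    int bad_big = cmd_fifo_dma_get_cmd(&f, sample_cmd, 0x10000) == -1;
    return ok_16 && bad_17 && bad_big;
}

int main(void)
{
    printf("PIO writes accepted: %d of 5\n", demo_pio_writes());
    printf("DMA length checks hold: %s\n", demo_dma_lengths() ? "yes" : "no");
    return 0;
}
```

The point worth noticing is the form of the PIO check: comparing the request against the remaining space keeps the arithmetic inside the buffer's range, whereas adding the request to the current fill level first can wrap for a large 32-bit length and pass a check it should fail.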
  28. scripts/signrom.py: Check for magic in option ROMs.

    Because of the risk that compilers might not emit the asm() block at
    the beginning of the option ROM, check that the ROM contains the
    required magic signature.
    
    Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
    Message-Id: <1463000807-18015-3-git-send-email-rjones@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    rwmjones committed with bonzini May 11, 2016
  29. scripts/signrom.py: Allow option ROM checksum script to write the size header.

    
    Modify the signrom.py script so that if the size byte in the header is
    0 (i.e. not set) then the script will set the size.  If the size byte
    is non-zero then we do the same as before, so this doesn't require
    changes to any existing ROM sourcecode.
    
    Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
    Message-Id: <1463000807-18015-2-git-send-email-rjones@redhat.com>
    rwmjones committed with bonzini May 11, 2016
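The two signrom.py commits above describe three header operations on a PC option ROM image: refuse an image whose magic bytes are missing, fill in the size byte when it is zero, and write the checksum byte. The block below is an added example written for this page in C, not QEMU's scripts/signrom.py. It assumes the standard option ROM layout (bytes 0-1 are the 0x55 0xAA magic, byte 2 is the size in 512-byte blocks, and the final byte is a checksum making all bytes sum to zero mod 256); requiring the image length to be a multiple of 512 and the rom_* names are this example's own assumptions, and the sample images are constructed, not real ROMs.

```c
/* Added example (not QEMU's scripts/signrom.py): option ROM header checks in C.
 * Assumed layout: bytes 0-1 = 0x55 0xAA magic, byte 2 = size in 512-byte
 * blocks, last byte = checksum so that every byte sums to zero mod 256. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ROM_MAGIC0 = 0x55, ROM_MAGIC1 = 0xAA, ROM_BLOCK = 512 };
enum { SIGNROM_OK = 0, SIGNROM_ERR_MAGIC = -1, SIGNROM_ERR_SIZE = -2, SIGNROM_ERR_CHECKSUM = -3 };

/* Sum of all bytes mod 256; a correctly signed ROM sums to zero. */
static uint8_t rom_byte_sum(const uint8_t *rom, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + rom[i]);
    return sum;
}

static int rom_has_magic(const uint8_t *rom, size_t len)
{
    return len >= 3 && rom[0] == ROM_MAGIC0 && rom[1] == ROM_MAGIC1;
}

/* Sign an image: refuse if the magic is absent (the compiler may have dropped
 * the asm() block that emits the header), fill the size byte if it is zero,
 * keep a non-zero size byte only if it is consistent, then set the checksum. */
static int rom_sign(uint8_t *rom, size_t len)
{
    if (!rom_has_magic(rom, len)) return SIGNROM_ERR_MAGIC;
    if (len % ROM_BLOCK != 0 || len / ROM_BLOCK > 0xFF) return SIGNROM_ERR_SIZE;
    if (rom[2] == 0) rom[2] = (uint8_t)(len / ROM_BLOCK);
    else if (rom[2] != len / ROM_BLOCK) return SIGNROM_ERR_SIZE;
    rom[len - 1] = 0;                             /* exclude any old checksum */
    rom[len - 1] = (uint8_t)(0x100 - rom_byte_sum(rom, len));
    return SIGNROM_OK;
}

/* What a loader would verify before trusting the image. */
static int rom_verify(const uint8_t *rom, size_t len)
{
    if (!rom_has_magic(rom, len)) return SIGNROM_ERR_MAGIC;
    if (len % ROM_BLOCK != 0 || rom[2] != len / ROM_BLOCK) return SIGNROM_ERR_SIZE;
    return rom_byte_sum(rom, len) == 0 ? SIGNROM_OK : SIGNROM_ERR_CHECKSUM;
}

/* Constructed 1 KiB image with the magic present and the size byte unset;
 * returns the size byte after signing (2 blocks) or a negative failure code. */
static int demo_sign_constructed_rom(void)
{
    static uint8_t rom[2 * ROM_BLOCK];
    memset(rom, 0, sizeof rom);
    rom[0] = ROM_MAGIC0;
    rom[1] = ROM_MAGIC1;                          /* rom[2] left at 0: unset */
    for (size_t i = 3; i < 64; i++) rom[i] = (uint8_t)(0x90 + i);  /* filler bytes */
    if (rom_sign(rom, sizeof rom) != SIGNROM_OK) return -100;
    if (rom_verify(rom, sizeof rom) != SIGNROM_OK) return -101;
    return rom[2];
}

/* Constructed image that never got its header: signing must refuse it. */
static int demo_reject_missing_magic(void)
{
    static uint8_t rom[ROM_BLOCK];
    memset(rom, 0x90, sizeof rom);                /* plausible code, no 55 AA */
    return rom_sign(rom, sizeof rom);
}

/* A single bit flipped after signing must fail verification. */
static int demo_detect_corruption(void)
{
    static uint8_t rom[ROM_BLOCK];
    memset(rom, 0, sizeof rom);
    rom[0] = ROM_MAGIC0;
    rom[1] = ROM_MAGIC1;
    rom_sign(rom, sizeof rom);
    rom[100] ^= 0x01;
    return rom_verify(rom, sizeof rom);
}
```

The magic check is the security-relevant step: a checksum computed over an image that lacks its header would be "valid" by construction while the ROM itself is unusable, so the script has to refuse such an image rather than sign it.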
  30. Remove config-devices.mak on 'make clean'

    Our dependency mechanism works like this:
     * on first build there is neither a .o nor a .d
     * we create the .d as a side effect of creating the .o
     * for rebuilds we know when we need to update the .o,
       which also updates the .d
    
    This system requires that you're never in a situation where there is
    a .o file but no .d (because then we will never realise we need to
    build the .d, and we will not have the dependency information about
    when to rebuild the .o).
    
    This is working fine for our object files, but we also try to use it
    for $TARGET/config-devices.mak (where the dependency file is
    in $TARGET-config-devices.mak.d). Unfortunately "make clean" doesn't
    remove config-devices.mak, which means that it puts us in the
    forbidden situation of "object file exists but not its .d file".
    This in turn means that we will fail to notice when we need to rebuild:
      mkdir build/depbug
      (cd build/depbug && '../../configure')
      make -C build/depbug -j8
      make -C build/depbug clean
      echo "CONFIG_CANARY = y" >> default-configs/arm-softmmu.mak
      make -C build/depbug
      grep CANARY build/depbug/aarch64-softmmu/config-devices.mak
    
    The CANARY token should show up in config-devices.mak but does not.
    
    Fix this bug by making "make clean" delete the config-devices.mak files.
    config-all-devices.mak doesn't have the same problem since it has
    no .d file, but delete it too, since it is created by "make" and
    logically should be removed by "make clean".
    
    (Note that it is important not to remove config-devices.mak until
    after we have recursively run 'make clean' in the subdirectories.)
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Message-Id: <1463484451-22979-1-git-send-email-peter.maydell@linaro.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    pm215 committed with bonzini May 17, 2016
  31. cpus.c: Use pthread_sigmask() rather than sigprocmask()

    On Linux, sigprocmask() and pthread_sigmask() are in practice the
    same thing (they only set the signal mask for the calling thread),
    but the documentation states that the behaviour of sigprocmask() in a
    multithreaded process is undefined. Use pthread_sigmask() instead
    (which is what we do in almost all places in QEMU that alter the
    signal mask already).
    
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Message-Id: <1463420039-29761-1-git-send-email-peter.maydell@linaro.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    pm215 committed with bonzini May 16, 2016