git.osdn.net Git - qmiga/qemu.git/log

Merge remote-tracking branch 'remotes/cohuck/tags/stable-doc-20180219' into staging

Add some doc for the stable process.

# gpg: Signature made Mon 19 Feb 2018 10:01:19 GMT
# gpg:                using RSA key DECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>"
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/stable-doc-20180219:
  docs: document our stable process

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

docs: document our stable process

Some pointers on how to get a patch into stable.

[contains some suggestions by mdroth and eblake]
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20180216' into staging

HMP pull 2018-02-16

# gpg: Signature made Fri 16 Feb 2018 17:45:06 GMT
# gpg:                using RSA key 0516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>"
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A  9FA9 0516 331E BC5B FDE7

* remotes/dgilbert/tags/pull-hmp-20180216:
  monitor.c: Fix infinite loop in monitor's auto-complete
  monitor: Remove legacy "-mon default=on" parameter

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

cuda.h: Fix multiple typedef

RHEL6's compilers don't like the repeated typedef.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

monitor.c: Fix infinite loop in monitor's auto-complete

The QEMU monitor enters an infinite loop when trying to auto-complete commands
that accept only optional parameters. The commands currently affected by this
issue are 'info registers' and 'info mtree'.

Reported-by: Dimitris Karagkasidis <t.pagef.lt@gmail.com>
Fixes: 48fe86f6400574165979e0db6f5937ad487b6888
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20180213125143.23488-1-dgilbert@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

monitor: Remove legacy "-mon default=on" parameter

The "default" parameter of the "-mon" option is useless since
QEMU v2.4.0, and marked as deprecated since QEMU v2.8.0. That
should have been long enough to let people update their scripts,
so time to remove it now.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1513700253-10045-1-git-send-email-thuth@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20180216-pull-request' into staging

bugfixes for vnc and sdl2

# gpg: Signature made Fri 16 Feb 2018 11:53:37 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/ui-20180216-pull-request:
  ui: extend VNC trottling tracing to SASL codepaths
  ui: check VNC audio frequency limit at time of reading from client
  ui: avoid 'local_err' variable shadowing in VNC SASL auth
  ui: avoid risk of 32-bit int overflow in VNC buffer check
  sdl2: fix mouse grab
  sdl: restore optimized redraw
  vnc: fix segfault in closed connection handling
  vnc: add qapi/error.h include to stubs
  vnc: remove bogus object_unref on client socket

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.12-20180216' into staging

ppc patch queue 2018-02-16

Highlights of this batch:
  * Conversion to TranslatorOps (Emilio Cota)
  * Further bugfixes and cleanups to vcpu id allocation for pseries
    (Greg Kurz)
  * Another bugfix for HPT resizing (Daniel Henrique-Barboza)
  * Macintosh CUDA cleanups (Mark Cave-Ayland)
  * Further tweaks to Spectre/Meltdown mitigations (Suraj Singh)

# gpg: Signature made Fri 16 Feb 2018 10:00:02 GMT
# gpg:                using RSA key 6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.12-20180216:
  ppc4xx: Add device models found in PPC440 core SoCs
  ppc/spapr-caps: Disallow setting workaround for spapr-cap-ibs
  target/ppc: convert to TranslatorOps
  target/ppc: convert to DisasContextBase
  spapr: consolidate the VCPU id numbering logic in a single place
  spapr: rename spapr_vcpu_id() to spapr_get_vcpu_id()
  spapr: move VCPU calculation to core machine code
  spapr: use spapr->vsmt to compute VCPU ids
  ppc/spapr-caps: Change migration macro to take full spapr-cap name
  hw/char: remove legacy interface escc_init()
  hw/ppc/spapr_hcall: set htab_shift after kvmppc_resize_hpt_commit
  cuda: convert to trace-events
  ppc: move CUDAState and other CUDA-related definitions into separate cuda.h file
  cuda: convert to use the shared mos6522 device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20180214a' into staging

Migration pull 20180214

Note that the 'Add test for migration to bad destination' displays
a 'Connection refused' during running, but still gives the correct exit
code and OK (It's checking that the source doesn't fail when
it can't connect, so that's the right error).
If it's particularly disliked that patch can be skipped individually.

# gpg: Signature made Wed 14 Feb 2018 15:33:04 GMT
# gpg:                using RSA key 0516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>"
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A  9FA9 0516 331E BC5B FDE7

* remotes/dgilbert/tags/pull-migration-20180214a:
  migration: pass MigrationState to migrate_init()
  migration: allow send_rq to fail
  migration: provide postcopy_fault_thread_notify()
  migration: reuse mis->userfault_quit_fd
  migration: better error handling with QEMUFile
  tests/migration: Add test for migration to bad destination
  migration: Fix early failure cleanup
  tests/migration: Add source to PC boot block
  migration: improve documentation of postcopy-ram
  migration/xen: Check return value of qemu_fclose

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

ui: extend VNC trottling tracing to SASL codepaths

In previous commit:

  commit 6aa22a29187e1908f5db738d27c64a9efc8d0bfa
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Dec 18 19:12:27 2017 +0000

    ui: add trace events related to VNC client throttling

trace points related to unthrottling client I/O were missed from the
SASL codepaths.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 20180205114938.15784-5-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

ui: check VNC audio frequency limit at time of reading from client

The 'vs->as.freq' value is a signed integer, which is read from an
unsigned 32-bit int field on the wire. There is thus a risk of overflow
on 32-bit platforms. Move the frequency limit checking to be done at
time of read before casting to a signed integer.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180205114938.15784-4-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

ui: avoid 'local_err' variable shadowing in VNC SASL auth

The start_auth_sasl() method declares a 'Error *local_err' variable in
an inner if () {...} scope, which shadows a variable of the same name
declared at the start of the method. This is confusing for reviewers and
may trigger compiler warnings.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180205114938.15784-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

ui: avoid risk of 32-bit int overflow in VNC buffer check

For very large framebuffers, it is theoretically possible for the result
of 'vs->throttle_output_offset * VNC_THROTTLE_OUTPUT_LIMIT_SCALE' to
exceed the size of a 32-bit int. For this to happen in practice, the
video RAM would have to be set to a large enough value, which is not
likely today. None the less we can be paranoid against future growth by
using division instead of multiplication when checking the limits.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180205114938.15784-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

sdl2: fix mouse grab

When qemu mouse mode changes from relative to absolute
we must turn off sdl relative mouse mode too.

Fixes: https://bugs.launchpad.net/qemu/+bug/1703795
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20180202120803.11501-1-kraxel@redhat.com>

sdl: restore optimized redraw

The documentation on SDL_RenderPresent function states that
"the backbuffer should be considered invalidated after each present",
so copy the entire texture on each redraw.

On the other hand, SDL_UpdateTexture function is described as
"fairly slow function", so restrict it to just the changed pixels.

Also added SDL_RenderClear call, as suggested in the documentation
page on SDL_RenderPresent.

Signed-off-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Message-id: 20180205133228.25082-1-anatoly.trosinenko@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

vnc: fix segfault in closed connection handling

On one of our client's node, due to trying to read from closed ioc,
a segmentation fault occured. Corresponding backtrace:

0  object_get_class (obj=obj@entry=0x0)
1  qio_channel_readv_full (ioc=0x0, iov=0x7ffe55277180 ...
2  qio_channel_read (ioc=<optimized out> ...
3  vnc_client_read_buf (vs=vs@entry=0x55625f3c6000, ...
4  vnc_client_read_plain (vs=0x55625f3c6000)
5  vnc_client_read (vs=0x55625f3c6000)
6  vnc_client_io (ioc=<optimized out>, condition=G_IO_IN, ...
7  g_main_dispatch (context=0x556251568a50)
8  g_main_context_dispatch (context=context@entry=0x556251568a50)
9  glib_pollfds_poll ()
10 os_host_main_loop_wait (timeout=<optimized out>)
11 main_loop_wait (nonblocking=nonblocking@entry=0)
12 main_loop () at vl.c:1909
13 main (argc=<optimized out>, argv=<optimized out>, ...

Having analyzed the coredump, I understood that the reason is that
ioc_tag is reset on vnc_disconnect_start and ioc is cleaned
in vnc_disconnect_finish. Between these two events due to some
reasons the ioc_tag was set again and after vnc_disconnect_finish
the handler is running with freed ioc,
which led to the segmentation fault.

The patch checks vs->disconnecting in places where we call
qio_channel_add_watch and resets handler if disconnecting == TRUE
to prevent such an occurrence.

Signed-off-by: Klim Kireev <klim.kireev@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20180207094844.21402-1-klim.kireev@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

vnc: add qapi/error.h include to stubs

Fixes --disable-vnc build failure.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20180213070526.22475-1-kraxel@redhat.com

vnc: remove bogus object_unref on client socket

vnc_listen_io() does not own the reference on the 'cioc' parameter is it
passed, so should not be unref'ing it.

Fixes: 13e1d0e71e78a925848258391a6e616b6b5ae219
Reported-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20180215102602.10864-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Merge remote-tracking branch 'remotes/berrange/tags/qio-next-pull-request' into staging

# gpg: Signature made Thu 15 Feb 2018 17:50:22 GMT
# gpg:                using RSA key BE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/qio-next-pull-request:
  allow to build with older sed
  io/channel-command: Do not kill the child process after closing the pipe
  io: Add /dev/fdset/ support to QIOChannelFile
  io: Don't call close multiple times in QIOChannelFile
  io: Fix QIOChannelFile when creating and opening read-write
  io/channel-websock: handle continuous reads without any data
  io: fix QIONetListener memory leak

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tests/boot-serial-test: Fix problem with timeout due to dropped characters

Commit 92b540dac9fc3a5 introduce a counter to handle the timeouts in a
better way. But in case ccnt reaches 512, the current read character is
ignored - and if that character is part of the string that we are looking
for, the test fails to match the string.

Almost all of the tests look for a string within the first 512 bytes of
firmware output, so the problem never triggered there. But the hppa test
that has been added recently looks for a longer string at the very end of
a long output, thus there's a chance that we miss a character there so
that the test fails unexpectedly. Fix it by *not* reading and dropping a
character if the counter reaches 512.

Fixes: 92b540dac9fc3a572c7342edd0b073000f5a6abf
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1518761564-9899-1-git-send-email-thuth@redhat.com
[PMM: added initializer for nbd to silence false-positive warning
from OpenBSD 6 compiler]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

ppc4xx: Add device models found in PPC440 core SoCs

These devices are found in newer SoCs based on 440 core e.g. the 460EX
(http://www.embeddeddeveloper.com/assets/processors/amcc/datasheets/
PP460EX_DS2063.pdf)

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

ppc/spapr-caps: Disallow setting workaround for spapr-cap-ibs

The spapr-cap cap-ibs can only have values broken or fixed as there is
no explicit workaround required. Currently setting the value workaround
for this cap will hit an assert if the guest makes the hcall
h_get_cpu_characteristics.

Report an error when attempting to apply the setting with a more helpful
error message.

Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

target/ppc: convert to TranslatorOps

A few changes worth noting:

- Didn't migrate ctx->exception to DISAS_* since the exception field is
in many cases architecturally relevant.

- Moved the cross-page check from the end of translate_insn to tb_start.

- Removed the exit(1) after a TCG temp leak; changed the fprintf there to
qemu_log.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

target/ppc: convert to DisasContextBase

A couple of notes:

- removed ctx->nip in favour of base->pc_next. Yes, it is annoying,
but didn't want to waste its 4 bytes.

- ctx->singlestep_enabled does a lot more than
base.singlestep_enabled; this confused me at first.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

spapr: consolidate the VCPU id numbering logic in a single place

Several places in the code need to calculate a VCPU id:

    (cpu_index / smp_threads) * spapr->vsmt + cpu_index % smp_threads
    (core_id / smp_threads) * spapr->vsmt (1 user)
    index * spapr->vsmt (2 users)

or guess that the VCPU id of a given VCPU is the first thread of a virtual
core:

    index % spapr->vsmt != 0

Even if the numbering logic isn't that complex, it is rather fragile to
have these assumptions open-coded in several places. FWIW this was
proved with recent issues related to VSMT.

This patch moves the VCPU id formula to a single function to be called
everywhere the code needs to compute one. It also adds an helper to
guess if a VCPU is the first thread of a VCORE.

Signed-off-by: Greg Kurz <groug@kaod.org>
[dwg: Rename spapr_is_vcore() to spapr_is_thread0_in_vcore() for clarity]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

spapr: rename spapr_vcpu_id() to spapr_get_vcpu_id()

The spapr_vcpu_id() function is an accessor actually. Let's rename it
for symmetry with the recently added spapr_set_vcpu_id() helper.

The motivation behind this is that a later patch will consolidate
the VCPU id formula in a function and spapr_vcpu_id looks like an
appropriate name.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

spapr: move VCPU calculation to core machine code

The VCPU ids are currently computed and assigned to each individual
CPU threads in spapr_cpu_core_realize(). But the numbering logic
of VCPU ids is actually a machine-level concept, and many places
in hw/ppc/spapr.c also have to compute VCPU ids out of CPU indexes.

The current formula used in spapr_cpu_core_realize() is:

    vcpu_id = (cc->core_id * spapr->vsmt / smp_threads) + i

where:

    cc->core_id is a multiple of smp_threads
    cpu_index = cc->core_id + i
    0 <= i < smp_threads

So we have:

    cpu_index % smp_threads == i
    cc->core_id / smp_threads == cpu_index / smp_threads

hence:

    vcpu_id =
        (cpu_index / smp_threads) * spapr->vsmt + cpu_index % smp_threads;

This formula was used before VSMT at the time VCPU ids where computed
at the target emulation level. It has the advantage of being useable
to derive a VPCU id out of a CPU index only. It is fitted for all the
places where the machine code has to compute a VCPU id.

This patch introduces an accessor to set the VCPU id in a PowerPCCPU object
using the above formula. It is a first step to consolidate all the VCPU id
logic in a single place.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

spapr: use spapr->vsmt to compute VCPU ids

Since the introduction of VSMT in 2.11, the spacing of VCPU ids
between cores is controllable through a machine property instead
of being only dictated by the SMT mode of the host:

    cpu->vcpu_id = (cc->core_id * spapr->vsmt / smp_threads) + i

Until recently, the machine code would try to change the SMT mode
of the host to be equal to VSMT or exit. This allowed the rest of
the code to assume that kvmppc_smt_threads() == spapr->vsmt is
always true.

Recent commit "8904e5a75005 spapr: Adjust default VSMT value for
better migration compatibility" relaxed the rule. If the VSMT
mode cannot be set in KVM for some reasons, but the requested
CPU topology is compatible with the current SMT mode, then we
let the guest run with  kvmppc_smt_threads() != spapr->vsmt.

This breaks quite a few places in the code, in particular when
calculating DRC indexes.

This is what happens on a POWER host with subcores-per-core=2 (ie,
supports up to SMT4) when passing the following topology:

    -smp threads=4,maxcpus=16 \
    -device host-spapr-cpu-core,core-id=4,id=core1 \
    -device host-spapr-cpu-core,core-id=8,id=core2

qemu-system-ppc64: warning: Failed to set KVM's VSMT mode to 8 (errno -22)

This is expected since KVM is limited to SMT4, but the guest is started
anyway because this topology can run on SMT4 even with a VSMT8 spacing.

But when we look at the DT, things get nastier:

cpus {
        ...
        ibm,drc-indexes = <0x4 0x10000000 0x10000004 0x10000008 0x1000000c>;

This means that we have the following association:

CPU core device |     DRC    | VCPU id
-----------------+------------+---------
   boot core     | 0x10000000 | 0
   core1         | 0x10000004 | 4
   core2         | 0x10000008 | 8
   core3         | 0x1000000c | 12

But since the spacing of VCPU ids is 8, the DRC for core1 points to a
VCPU that doesn't exist, the DRC for core2 points to the first VCPU of
core1 and and so on...

        ...

        PowerPC,POWER8@0 {
                ...
                ibm,my-drc-index = <0x10000000>;
                ...
        };

        PowerPC,POWER8@8 {
                ...
                ibm,my-drc-index = <0x10000008>;
                ...
        };

        PowerPC,POWER8@10 {
                ...

No ibm,my-drc-index property for this core since 0x10000010 doesn't
exist in ibm,drc-indexes above.

                ...
        };
};

...

interrupt-controller {
        ...
        ibm,interrupt-server-ranges = <0x0 0x10>;

With a spacing of 8, the highest VCPU id for the given topology should be:
        16 * 8 / 4 = 32 and not 16

        ...
        linux,phandle = <0x7e7323b8>;
        interrupt-controller;
};

And CPU hot-plug/unplug is broken:

(qemu) device_del core1
pseries-hotplug-cpu: Cannot find CPU (drc index 10000004) to remove

(qemu) device_del core2
cpu 4 (hwid 8) Ready to die...
cpu 5 (hwid 9) Ready to die...
cpu 6 (hwid 10) Ready to die...
cpu 7 (hwid 11) Ready to die...

These are the VCPU ids of core1 actually

(qemu) device_add host-spapr-cpu-core,core-id=12,id=core3
(qemu) device_del core3
pseries-hotplug-cpu: Cannot find CPU (drc index 1000000c) to remove

This patches all the code in hw/ppc/spapr.c to assume the VSMT
spacing when manipulating VCPU ids.

Fixes: 8904e5a75005
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

ppc/spapr-caps: Change migration macro to take full spapr-cap name

Change the macro that generates the vmstate migration field and the needed
function for the spapr-caps to take the full spapr-cap name. This has
the benefit of meaning this instance will be picked up when greping
for the spapr-caps and making it more obvious what this macro is doing.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

hw/char: remove legacy interface escc_init()

Move necessary stuff in escc.h and update type names.
Remove slavio_serial_ms_kbd_init().
Fix code style problems reported by checkpatch.pl
Update mac_newworld, mac_oldworld and sun4m to use directly the
QDEV interface.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

hw/ppc/spapr_hcall: set htab_shift after kvmppc_resize_hpt_commit

Newer kernels have a htab resize capability when adding or remove
memory. At these situations, the guest kernel might reallocate its
htab to a more suitable size based on the resulting memory.

However, we're not setting the new value back into the machine state
when a KVM guest resizes its htab. At first this doesn't seem harmful,
but when migrating or saving the guest state (via virsh managedsave,
for instance) this mismatch between the htab size of QEMU and the
kernel makes the guest hangs when trying to load its state.

Inside h_resize_hpt_commit, the hypercall that commits the hash page
resize changes, let's set spapr->htab_shift to the new value if we're
sure that kvmppc_resize_hpt_commit were successful.

While we're here, add a "not RADIX" sanity check as it is already done
in the related hypercall h_resize_hpt_prepare.

Fixes: https://github.com/open-power-host-os/qemu/issues/28
Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

cuda: convert to trace-events

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

ppc: move CUDAState and other CUDA-related definitions into separate cuda.h file

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

cuda: convert to use the shared mos6522 device

Add the relevant hooks as required for the MacOS timer calibration and delayed
SR interrupt.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180215-1' into staging

target-arm queue:
* aspeed: code cleanup to use unimplemented_device
* preparatory work for 'raspi3' RaspberryPi 3 machine model
* more SVE prep work
* v8M: add minor missing registers
* v7M: fix bug where we weren't migrating v7m.other_sp
* v7M: fix bugs in handling of interrupt registers for
   external interrupts beyond 32

# gpg: Signature made Thu 15 Feb 2018 18:34:40 GMT
# gpg:                using RSA key 3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20180215-1:
  raspi: Raspberry Pi 3 support
  bcm2836: Make CPU type configurable
  target/arm: Implement v8M MSPLIM and PSPLIM registers
  target/arm: Migrate v7m.other_sp
  target/arm: Add AIRCR to vmstate struct
  hw/intc/armv7m_nvic: Fix byte-to-interrupt number conversions
  target/arm: Implement writing to CONTROL_NS for v8M
  hw/intc/armv7m_nvic: Implement SCR
  hw/intc/armv7m_nvic: Implement cache ID registers
  hw/intc/armv7m_nvic: Implement v8M CPPWR register
  hw/intc/armv7m_nvic: Implement M profile cache maintenance ops
  hw/intc/armv7m_nvic: Fix ICSR PENDNMISET/CLR handling
  hw/intc/armv7m_nvic: Don't hardcode M profile ID registers in NVIC
  target/arm: Handle SVE registers when using clear_vec_high
  target/arm: Enforce access to ZCR_EL at translation
  target/arm: Suppress TB end for FPCR/FPSR
  target/arm: Enforce FP access to FPCR/FPSR
  target/arm: Remove ARM_CP_64BIT from ZCR_EL registers
  hw/arm/aspeed: simplify using the 'unimplemented device' for aspeed_soc.io
  hw/arm/aspeed: directly map the serial device to the system address space

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

raspi: Raspberry Pi 3 support

This patch adds Raspberry Pi 3 support to hw/arm/raspi.c. The
differences to Pi 2 are:

- Firmware address
- Board ID
- Board revision

The CPU is different too, but that's going to be configured as part of
the machine default CPU when we introduce a new machine type.

The patch was written from scratch by me but the logic is similar to
Zoltán Baldaszti's previous work, which I used as a reference (with
permission from the author):

https://github.com/bztsrc/qemu-raspi3

Signed-off-by: Pekka Enberg <penberg@iki.fi>
[PMM: fixed trailing whitespace on one line]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

bcm2836: Make CPU type configurable

This patch adds a "cpu-type" property to BCM2836 SoC in preparation for
reusing the code for the Raspberry Pi 3, which has a different processor
model.

Signed-off-by: Pekka Enberg <penberg@iki.fi>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Implement v8M MSPLIM and PSPLIM registers

The v8M architecture includes hardware support for enforcing
stack pointer limits. We don't implement this behaviour yet,
but provide the MSPLIM and PSPLIM stack pointer limit registers
as reads-as-written, so that when we do implement the checks
in future this won't break guest migration.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-12-peter.maydell@linaro.org

target/arm: Migrate v7m.other_sp

In commit abc24d86cc0364f we accidentally broke migration of
the stack pointer value for the mode (process, handler) the CPU
is not currently running as. (The commit correctly removed the
no-longer-used v7m.current_sp flag from the VMState but also
deleted the still very much in use v7m.other_sp SP value field.)

Add a subsection to migrate it again. (We don't need to care
about trying to retain compatibility with pre-abc24d86cc0364f
versions of QEMU, because that commit bumped the version_id
and we've since bumped it again a couple of times.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-11-peter.maydell@linaro.org

target/arm: Add AIRCR to vmstate struct

In commit commit 3b2e934463121 we added support for the AIRCR
register holding state, but forgot to add it to the vmstate
structs. Since it only holds r/w state if the security extension
is implemented, we can just add it to vmstate_m_security.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-10-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Fix byte-to-interrupt number conversions

In many of the NVIC registers relating to interrupts, we
have to convert from a byte offset within a register set
into the number of the first interrupt which is affected.
We were getting this wrong for:
* reads of NVIC_ISPR<n>, NVIC_ISER<n>, NVIC_ICPR<n>, NVIC_ICER<n>,
   NVIC_IABR<n> -- in all these cases we were missing the "* 8"
   needed to convert from the byte offset to the interrupt number
   (since all these registers use one bit per interrupt)
* writes of NVIC_IPR<n> had the opposite problem of a spurious
   "* 8" (since these registers use one byte per interrupt)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180209165810.6668-9-peter.maydell@linaro.org

target/arm: Implement writing to CONTROL_NS for v8M

In commit 50f11062d4c896 we added support for MSR/MRS access
to the NS banked special registers, but we forgot to implement
the support for writing to CONTROL_NS. Correct the omission.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-8-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Implement SCR

We were previously making the system control register (SCR)
just RAZ/WI. Although we don't implement the functionality
this register controls, we should at least provide the state,
including the banked state for v8M.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-7-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Implement cache ID registers

M profile cores have a similar setup for cache ID registers
to A profile:
* Cache Level ID Register (CLIDR) is a fixed value
* Cache Type Register (CTR) is a fixed value
* Cache Size ID Registers (CCSIDR) are a bank of registers;
which one you see is selected by the Cache Size Selection
Register (CSSELR)

The only difference is that they're in the NVIC memory mapped
register space rather than being coprocessor registers.
Implement the M profile view of them.

Since neither Cortex-M3 nor Cortex-M4 implement caches,
we don't need to update their init functions and can leave
the ctr/clidr/ccsidr[] fields in their ARMCPU structs at zero.
Newer cores (like the Cortex-M33) will want to be able to
set these ID registers to non-zero values, though.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-6-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Implement v8M CPPWR register

The Coprocessor Power Control Register (CPPWR) is new in v8M.
It allows software to control whether coprocessors are allowed
to power down and lose their state. QEMU doesn't have any
notion of power control, so we choose the IMPDEF option of
making the whole register RAZ/WI (indicating that no coprocessors
can ever power down and lose state).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-5-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Implement M profile cache maintenance ops

For M profile cores, cache maintenance operations are done by
writing to special registers in the system register space.
For QEMU, cache operations are always NOPs, since we don't
implement the cache. Implementing these explicitly avoids
a spurious LOG_GUEST_ERROR when the guest uses them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-4-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Fix ICSR PENDNMISET/CLR handling

The PENDNMISET/CLR bits in the ICSR should be RAZ/WI from
NonSecure state if the AIRCR.BFHFNMINS bit is zero. We had
misimplemented this as making the bits RAZ/WI from both
Secure and NonSecure states. Fix this bug by checking
attrs.secure so that Secure code can pend and unpend NMIs.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-3-peter.maydell@linaro.org

hw/intc/armv7m_nvic: Don't hardcode M profile ID registers in NVIC

Instead of hardcoding the values of M profile ID registers in the
NVIC, use the fields in the CPU struct. This will allow us to
give different M profile CPU types different ID register values.

This commit includes the addition of the missing ID_ISAR5,
which exists as RES0 in both v7M and v8M.

(The values of the ID registers might be wrong for the M4 --
this commit leaves the behaviour there unchanged.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180209165810.6668-2-peter.maydell@linaro.org

target/arm: Handle SVE registers when using clear_vec_high

When storing to an AdvSIMD FP register, all of the high
bits of the SVE register are zeroed. Therefore, call it
more often with is_q as a parameter.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Enforce access to ZCR_EL at translation

This also makes sure that we get the correct ordering of
SVE vs FP exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Suppress TB end for FPCR/FPSR

Nothing in either register affects the TB.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Enforce FP access to FPCR/FPSR

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Remove ARM_CP_64BIT from ZCR_EL registers

Because they are ARM_CP_STATE_AA64, ARM_CP_64BIT is implied.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180211205848.4568-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/arm/aspeed: simplify using the 'unimplemented device' for aspeed_soc.io

(qemu) info mtree
address-space: cpu-memory-0
   0000000000000000-ffffffffffffffff (prio 0, i/o): system
     0000000000000000-0000000007ffffff (prio 0, rom): aspeed.boot_rom
-    000000001e600000-000000001e7fffff (prio -1, i/o): aspeed_soc.io
+    000000001e600000-000000001e7fffff (prio -1000, i/o): aspeed_soc.io
     000000001e620000-000000001e6200ff (prio 0, i/o): aspeed.smc.ast2500-fmc
     000000001e630000-000000001e6300ff (prio 0, i/o): aspeed.smc.ast2500-spi1
     000000001e631000-000000001e6310ff (prio 0, i/o): aspeed.smc.ast2500-spi2

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20180209085755.30414-3-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/arm/aspeed: directly map the serial device to the system address space

(qemu) info mtree
address-space: cpu-memory-0
   0000000000000000-ffffffffffffffff (prio 0, i/o): system
     0000000000000000-0000000007ffffff (prio 0, rom): aspeed.boot_rom
     000000001e600000-000000001e7fffff (prio -1, i/o): aspeed_soc.io
-      000000001e784000-000000001e78401f (prio 0, i/o): serial
     000000001e620000-000000001e6200ff (prio 0, i/o): aspeed.smc.ast2500-fmc
     000000001e630000-000000001e6300ff (prio 0, i/o): aspeed.smc.ast2500-spi1
     [...]
     000000001e720000-000000001e728fff (prio 0, ram): aspeed.sram
     000000001e782000-000000001e782fff (prio 0, i/o): aspeed.timer
+    000000001e784000-000000001e78401f (prio 0, i/o): serial
     000000001e785000-000000001e78501f (prio 0, i/o): aspeed.wdt
     000000001e785020-000000001e78503f (prio 0, i/o): aspeed.wdt

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20180209085755.30414-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

allow to build with older sed

sed's -E option may not be supported by older distros. As there's no
point using sed here at all, use just shell mechanisms to establish the
variable values, starting from the stem instead of the full target.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

io/channel-command: Do not kill the child process after closing the pipe

We are currently facing some migration failure on s390x when running
certain avocado-vt tests, e.g. when running the test
type_specific.io-github-autotest-qemu.migrate.with_reboot.exec.gzip_exec.
This test is using 'migrate -d "exec:nc localhost 5200"' for the migration.
The problem is detected at the receiving side, where the migration stream
apparently ends too early. However, the cause for the problem is at the
sending side: After writing the migration stream into the pipe to netcat,
the source QEMU calls qio_channel_command_close() which closes the pipe
and immediately (!) kills the child process afterwards (via the function
qio_channel_command_abort()). So if the sending netcat did not read the
final bytes from the pipe yet, or if it did not manage to send out all
its buffers yet, it is killed before the whole migration stream is passed
to the destination side.

QEMU can not know how much time is required by the child process to send
over all migration data, so we should not kill it, neither directly nor
after a delay. Let's simply wait for the child process to exit gracefully
instead (this was also the behaviour of pclose() that was used in "exec:"
migration before the QIOChannel rework).

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

io: Add /dev/fdset/ support to QIOChannelFile

Add /dev/fdset/ support to QIOChannelFile by calling qemu_open() instead
of open() and qemu_close() instead of close(). There is a subtle
semantic change since qemu_open() automatically sets O_CLOEXEC, but this
doesn't affect any of the users of the function.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

io: Don't call close multiple times in QIOChannelFile

If the file descriptor underlying QIOChannelFile is closed in the
io_close() method, don't close it again in the finalize() method since
the file descriptor number may have been reused in the meantime.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

io: Fix QIOChannelFile when creating and opening read-write

The code wrongly passes the mode to open() only if O_WRONLY is set.
Instead, the mode should be passed when O_CREAT is set (or O_TMPFILE on
Linux). Fix this by always passing the mode since open() will correctly
ignore the mode if it is not needed. Add a testcase which exercises this
bug and also change the existing testcase to check that the mode of the
created file is correct.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

io/channel-websock: handle continuous reads without any data

According to the current implementation of websocket protocol in QEMU,
qio_channel_websock_handshake_io tries to read handshake from the
channel to start communication over socket. But this approach
doesn't cover scenario when socket was closed while handshaking.
Therefore, if G_IO_IN is caught and qio_channel_read returns zero,
error has to be set and connection has to be done.

Such behaviour causes 100% CPU load in main QEMU loop, because main loop
poll continues to receive and handle G_IO_IN events from websocket.

Step to reproduce 100% CPU load:
1) start qemu with the simplest configuration
$ qemu -vnc [::1]:1,websocket=7500
2) open any vnc listener (which doesn't follow websocket
protocol)
$ vncviewer :7500
3) kill listener
4) qemu main thread eats 100% CPU

Signed-off-by: Edgar Kaziakhmedov <edgar.kaziakhmedov@virtuozzo.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

io: fix QIONetListener memory leak

The sources array does not escape out of qio_net_listener_wait_client, so
we have to free it.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

Pull request

v2:
* Dropped Fam's git-publish series because there is still ongoing discussion

# gpg: Signature made Thu 15 Feb 2018 09:42:03 GMT
# gpg:                using RSA key 9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/block-pull-request:
  misc: fix spelling
  ratelimit: don't align wait time with slices
  vl: pause vcpus before stopping iothreads

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/huth/tags/pull-request-2018-02-14' into staging

Various improvements to the qtest checks:
- Clean-ups by Eric Blake with regards to the global_qtest variable
- Some more test cases for the boot-serial tester
- Re-activation of the m48t59-test

# gpg: Signature made Wed 14 Feb 2018 11:07:44 GMT
# gpg:                using RSA key 2ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>"
# gpg:                 aka "Thomas Huth <thuth@redhat.com>"
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>"
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>"
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* remotes/huth/tags/pull-request-2018-02-14:
  tests/m48t59: Use the m48t59 test on ppc, too
  tests/Makefile: Derive check-qtest-ppc64-y from check-qtest-ppc-y
  tests/m48t59: Make the test independent of global_qtest
  tests/m48t59: Fix and re-enable the test for sparc
  tests/boot-serial-test: Add support for the aarch64 virt machine
  tests/boot-serial: Add tests for PowerPC Mac machines
  tests/boot-serial: Enable the boot-serial test on SPARC machines, too
  wdt_ib700-test: Drop dependence on global_qtest
  tests/boot-sector: Drop dependence on global_qtest
  qmp-test: Drop dependence on global_qtest
  libqos: Use explicit QTestState for remaining libqos operations
  libqos: Use explicit QTestState for ahci operations
  libqos: Use explicit QTestState for i2c operations
  libqos: Use explicit QTestState for rtas operations
  libqos: Use explicit QTestState for fw_cfg operations
  libqos: Track QTestState with QPCIBus
  libqtest: Use qemu_strtoul()
  tests: Clean up wait for event

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/vivier/tags/m68k-for-2.12-pull-request' into staging

# gpg: Signature made Wed 14 Feb 2018 10:37:02 GMT
# gpg:                using RSA key F30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier/tags/m68k-for-2.12-pull-request:
  m68k: implement movep instruction

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

misc: fix spelling

s/pupulate/populate

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180208162447.10851-1-marcandre.lureau@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

ratelimit: don't align wait time with slices

It is possible for rate limited writes to keep overshooting a slice's
quota by a tiny amount causing the slice-aligned waiting period to
effectively halve the rate.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id: 20180207071758.6818-1-w.bumiller@proxmox.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

vl: pause vcpus before stopping iothreads

Commit dce8921b2baaf95974af8176406881872067adfa ("iothread: Stop threads
before main() quits") introduced iothread_stop_all() to avoid the
following virtio-scsi assertion failure:

assert(blk_get_aio_context(d->conf.blk) == s->ctx);

Back then the assertion failed because when bdrv_close_all() made
d->conf.blk NULL, blk_get_aio_context() returned the global AioContext
instead of s->ctx.

The same assertion can still fail today when vcpus submit new I/O
requests after iothread_stop_all() has moved the BDS to the global
AioContext.

This patch hardens the iothread_stop_all() approach by pausing vcpus
before calling iothread_stop_all().

Note that the assertion failure is a race condition. It is not possible
to reproduce it reliably.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20180201110708.8080-1-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

tests/m48t59: Use the m48t59 test on ppc, too

The ref405ep machine has a memory-mapped m48t59 device, so
we can run the m48t59 test on this machine, too.

Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/Makefile: Derive check-qtest-ppc64-y from check-qtest-ppc-y

ppc64 is a superset of ppc, so the ppc64 tests should include all
the ppc tests.

Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/m48t59: Make the test independent of global_qtest

Stop using the functions that require global_qtest here and pass
around the QTestState instead (global_qtest should finally get
removed since this causes problems with tests running in parallel).

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/m48t59: Fix and re-enable the test for sparc

The m48t59 test has been disabled in commit baeddded5fe6fa37d13fb94bf8d
("sparc: disable qtest in make check"), likely due to some timing issues
in the bcd_check_time tests which might fail if it gets interrupted for
too long. It should be OK to re-enable this test if we make sure that we
do not run it on timing-sensitive machines, thus it should be OK if we only
run it in the g_test_slow() mode.

Additionally, there are two other issues:

First, the test can not run so easily on sparc64 anymore, since commit
f3b18f35a23c60edbda6420cd ("sun4u: switch m48t59 NVRAM to MMIO access")
moved the m48t59 device to the ebus instead, and for this you first
have to set up the corresponding PCI device (which is currently not
possible from within the m48t59 test). So we can only re-enable this
test on sparc, but not the sparc64 target.

Second, the fuzzing test is executed before the bcd-check-time test
(due to the naming of the tests), without having the base address set
up properly, so the fuzzing test does not really check anything at all.
Fix it by setting up the base address from the main function already
and by moving the qtest_start() to the tests themselves, so that each
test starts with a clean environment (since after the fuzzing, the clock
is unusable for the bcd-check-time test).

Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/boot-serial-test: Add support for the aarch64 virt machine

This patch adds a small binary kernel to test aarch64 virt machine's
UART.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[thuth: Fixed contextual conflicts with the hppa and sdhci patches]
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/boot-serial: Add tests for PowerPC Mac machines

OpenBIOS prints out the CPU type on these machine types, so we can use
this string to test whether the CPU detection is working correctly.

Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/boot-serial: Enable the boot-serial test on SPARC machines, too

OpenBIOS prints out the name of the detected CPU here, so looking for
this string is a nice test to verify that the CPU detection is still
working correctly.

Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

wdt_ib700-test: Drop dependence on global_qtest

As a general rule, we prefer avoiding implicit global state
because it makes code harder to safely copy and paste without
thinking about the global state. Improve this test to be
explicit about the state.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/boot-sector: Drop dependence on global_qtest

As a general rule, we prefer avoiding implicit global state
because it makes code harder to safely copy and paste without
thinking about the global state. Adjust the helper code to
use explicit state instead, and update all callers.

Fix some trailing whitespace while touching the file.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

qmp-test: Drop dependence on global_qtest

As a general rule, we prefer avoiding implicit global state
because it makes code harder to safely copy and paste without
thinking about the global state. Although qmp-test does not
maintain parallel qtest connections, it was the last test
assigning to global_qtest. It's just as easy to be explicit
about the state; once all tests have been cleaned up, a later
patch can then get rid of global_qtest and a layer of wrappers
in libqtest.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Use explicit QTestState for remaining libqos operations

Drop one more client of global_qtest by teaching all remaining
libqos stragglers to pass in an explicit QTestState. Change the
setting of global_qtest from being implicit in libqos' call to
qtest_start() to instead be explicit in all clients that are
still relying on global_qtest.

Note that qmp_execute() can be greatly simplified in the process,
and that we also get rid of interpolation of a JSON string into a
temporary variable when qtest_qmp() can do it more reliably.

Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Greg Kurz <groug@kaod.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Use explicit QTestState for ahci operations

Drop one more client of global_qtest by teaching all ahci test
functionality to pass in an explicit QTestState. The state was
already available, so no callers had to be adjusted.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Use explicit QTestState for i2c operations

Drop one more client of global_qtest by teaching all i2c test
functionality to pass in an explicit QTestState, adjusting all
callers.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Use explicit QTestState for rtas operations

Drop one more client of global_qtest by teaching all rtas test
functionality to pass in an explicit QTestState, adjusting all
callers.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[thuth: Use nicer indentation in rtas.h]
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Use explicit QTestState for fw_cfg operations

Drop one more client of global_qtest by teaching all fw_cfg test
functionality (invoked through alloc-pc) to pass in an explicit
QTestState, adjusting all callers. In particular, fw_cfg-test
had to reorder things to create the test state prior to creating
the fw_cfg (and drop a pointless strdup in the meantime), but that
test now no longer depends on global_qtest.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[thuth: Fixed conflict wrt pc_alloc_init() in vhost-user-test.c]
Signed-off-by: Thomas Huth <thuth@redhat.com>

libqos: Track QTestState with QPCIBus

When initializing a QPCIBus, track which QTestState the bus is
associated with (so that a later patch can then explicitly use
that test state for all communication on the bus, rather than
blindly relying on global_qtest). Update the initialization
functions to take another parameter, and update all callers to
pass in state (for now, most callers get away with passing the
current global_qtest as the current state, although this required
fixing the order of initialization to ensure qtest_start() is
called before qpci_init*() in rtl8139-test, and provided an
opportunity to pass in the allocator in e1000e-test).

Touch up some allocations to use g_new0() rather than g_malloc()
while in the area, and simplify some code (all implementations
of QOSOps provide a .init_allocator() that never fails).

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[thuth: Removed hunk from vhost-user-test.c that is not required anymore,
fixed conflict in qtest_vboot() and adjusted qpci_init_pc() in sdhci-test]
Signed-off-by: Thomas Huth <thuth@redhat.com>

migration: pass MigrationState to migrate_init()

Let the callers take the object, then pass it to migrate_init().

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20180208103132.28452-12-peterx@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

migration: allow send_rq to fail

We will not allow failures to happen when sending data from destination
to source via the return path. However it is possible that there can be
errors along the way. This patch allows the migrate_send_rp_message()
to return error when it happens, and further extended it to
migrate_send_rp_req_pages().

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20180208103132.28452-9-peterx@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

migration: provide postcopy_fault_thread_notify()

A general helper to notify the fault thread.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20180208103132.28452-4-peterx@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

migration: reuse mis->userfault_quit_fd

It was only used for quitting the page fault thread before. Let it be
something more useful - now we can use it to notify a "wake" for the
page fault thread (for any reason), and it only means "quit" if the
fault_thread_quit is set.

Since we changed what it does, renaming it to userfault_event_fd.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20180208103132.28452-3-peterx@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

migration: better error handling with QEMUFile

If the postcopy down due to some reason, we can always see this on dst:

qemu-system-x86_64: RP: Received invalid message 0x0000 length 0x0000

However in most cases that's not the real issue. The problem is that
qemu_get_be16() has no way to show whether the returned data is valid or
not, and we are _always_ assuming it is valid. That's possibly not wise.

The best approach to solve this would be: refactoring QEMUFile interface
to allow the APIs to return error if there is. However it needs quite a
bit of work and testing. For now, let's explicitly check the validity
first before using the data in all places for qemu_get_*().

This patch tries to fix most of the cases I can see. Only if we are with
this, can we make sure we are processing the valid data, and also can we
make sure we can capture the channel down events correctly.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20180208103132.28452-2-peterx@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

tests/migration: Add test for migration to bad destination

Check the source survives.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20180212160340.15333-3-dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>

migration: Fix early failure cleanup

Avoid crash in cleanup after a very early migration failure
(possibly due to my 688a3dcba980bf01344a 'Route errors down ...')

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20180212160340.15333-2-dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>

tests/migration: Add source to PC boot block

The boot block used in the migration test is currently only
shipped as a hex (with the source in the git commit message of ea0c6d62),
change this to actually include the source.

A script is added to rebuild the header but the expectation is that
the generated hex is shipped as well as the .s, so that
there's no requirement to have just the right assembler etc.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20180213100606.5379-1-dgilbert@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Removed blank line at end of script

migration: improve documentation of postcopy-ram

This capability must have the same value on both source and destination,
otherwise migration fails (commit 875fcd013ab6 "migration: incoming
postcopy advise sanity checks").

Let's write it down in various places where postcopy-ram is documented.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <151801810352.29167.4832480228518630626.stgit@bahia.lan>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

migration/xen: Check return value of qemu_fclose

QEMUFile uses buffered IO so when writing small amounts (such as the Xen
device state file), the actual write call and any errors that may occur
only happen as part of qemu_fclose(). Therefore, report IO errors when
saving the device state under Xen by checking the return value of
qemu_fclose().

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Message-Id: <20180206163039.23661-1-ross.lagerwall@citrix.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

m68k: implement movep instruction

This patch implements movep instruction. It moves data between a data register
and alternate bytes within the address space starting at the location
specified and incrementing by two.

It was designed for the original 68000 and used in firmwares for
interfacing the 8-bit peripherals through the 16-bit data bus.
Without this patch opcode for this instruction is recognized as some bitop.

Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
Signed-off-by: Mihail Abakumov <mikhail.abakumov@ispras.ru>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20180206124431.31433.91946.stgit@pasha-VirtualBox>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

libqtest: Use qemu_strtoul()

This will keep checkpatch happy when the next patch does code motion.
Fix the include order to match HACKING when adding the needed header.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests: Clean up wait for event

We still use hacks like qmp("") to wait for an event, even though we
have qmp_eventwait() since commit 8fe941f, and qmp_eventwait_ref()
since commit 7ffe312.  Both commits neglected to convert all the
existing hacks.  Make up what they missed.

Bonus: gets rid of empty format strings.  A step towards compile-time
format string checking without triggering -Wformat-zero-length.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
[thuth: dropped the hunks from the usb tests - not needed anymore]
Signed-off-by: Thomas Huth <thuth@redhat.com>

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches

# gpg: Signature made Tue 13 Feb 2018 17:03:11 GMT
# gpg:                using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream: (55 commits)
  iotests: Add l2-cache-entry-size to iotest 137
  iotests: Test downgrading an image using a small L2 slice size
  iotests: Test valid values of l2-cache-entry-size
  qcow2: Allow configuring the L2 slice size
  qcow2: Rename l2_table in count_cow_clusters()
  qcow2: Rename l2_table in count_contiguous_clusters_unallocated()
  qcow2: Rename l2_table in count_contiguous_clusters()
  qcow2: Rename l2_table in qcow2_alloc_compressed_cluster_offset()
  qcow2: Update qcow2_truncate() to support L2 slices
  qcow2: Update expand_zero_clusters_in_l1() to support L2 slices
  qcow2: Prepare expand_zero_clusters_in_l1() for adding L2 slice support
  qcow2: Read refcount before L2 table in expand_zero_clusters_in_l1()
  qcow2: Update qcow2_update_snapshot_refcount() to support L2 slices
  qcow2: Prepare qcow2_update_snapshot_refcount() for adding L2 slice support
  qcow2: Update zero_single_l2() to support L2 slices
  qcow2: Update discard_single_l2() to support L2 slices
  qcow2: Update handle_alloc() to support L2 slices
  qcow2: Update handle_copied() to support L2 slices
  qcow2: Update qcow2_alloc_cluster_link_l2() to support L2 slices
  qcow2: Update qcow2_get_cluster_offset() to support L2 slices
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* CAN bus (will be under network maintainner)
* scsi-block opblockers (myself)
* Dirty log bitmap cleanup (myself)
* SDHCI improvements and tests (Philippe)
* HAX support for larger guest sizese (Yu Ning)

# gpg: Signature made Tue 13 Feb 2018 15:37:14 GMT
# gpg:                using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (48 commits)
  travis: use libgcc-4.8-dev (libgcc-6-dev is not available on Ubuntu 14.04)
  memory: unify loops to sync dirty log bitmap
  memory: hide memory_region_sync_dirty_bitmap behind DirtyBitmapSnapshot
  memory: remove memory_region_test_and_clear_dirty
  g364fb: switch to using DirtyBitmapSnapshot
  sdhci: add Spec v4.2 register definitions
  sdhci: add a check_capab_v3() qtest
  sdhci: check Spec v3 capabilities qtest
  hw/arm/xilinx_zynqmp: enable the UHS-I mode
  hw/arm/xilinx_zynqmp: fix the capabilities/spec version to match the datasheet
  hw/arm/fsl-imx6: implement SDHCI Spec. v3
  hw/arm/bcm2835_peripherals: change maximum block size to 1kB
  hw/arm/bcm2835_peripherals: implement SDHCI Spec v3
  sdhci: implement CMD/DAT[] fields in the Present State register
  sdhci: implement UHS-I voltage switch
  sdbus: add trace events
  sdhci: implement the Host Control 2 register (tuning sequence)
  sdhci: rename the hostctl1 register
  sdhci: add support for v3 capabilities
  hw/arm/xilinx_zynq: fix the capabilities register to match the datasheet
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio,vhost,pci,pc: features, fixes and cleanups

- new stats in virtio balloon
- virtio eventfd rework for boot speedup
- vhost memory rework for boot speedup
- fixes and cleanups all over the place

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Tue 13 Feb 2018 16:29:55 GMT
# gpg:                using RSA key 281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (22 commits)
  virtio-balloon: include statistics of disk/file caches
  acpi-test: update FADT
  lpc: drop pcie host dependency
  tests: acpi: fix FADT not being compared to reference table
  hw/pci-bridge: fix pcie root port's IO hints capability
  libvhost-user: Support across-memory-boundary access
  libvhost-user: Fix resource leak
  virtio-balloon: unref the memory region before continuing
  pci: removed the is_express field since a uniform interface was inserted
  virtio-blk: enable multiple vectors when using multiple I/O queues
  pci/bus: let it has higher migration priority
  pci-bridge/i82801b11: clear bridge registers on platform reset
  vhost: Move log_dirty check
  vhost: Merge and delete unused callbacks
  vhost: Clean out old vhost_set_memory and friends
  vhost: Regenerate region list from changed sections list
  vhost: Merge sections added to temporary list
  vhost: Simplify ring verification checks
  vhost: Build temporary section list and deref after commit
  virtio: improve virtio devices initialization time
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>