git.osdn.net Git - qmiga/qemu.git/log

qdev: Move owner-less IRQs to /machine/unattached

Move non-qdev-gpio[*] from /machine into /machine/unattached.
For the PC this moves 25 nodes from the stable namespace into the unstable.

Cc: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

memory: Move owner-less MemoryRegions to /machine/unattached

This cleans up the official /machine namespace. In particular
/machine/system[0] and /machine/io[0], as well as entries with
non-sanitized node names such as "/machine/qemu extended regs[0]".

The actual MemoryRegion names remain unchanged.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qom: Implement info qom-tree HMP command

To complement qdev's bus-oriented info qtree, info qom-tree
prints a hierarchical view of the QOM composition tree.

By default, the machine composition tree is shown. This can be overriden
by supplying a path argument, such as "info qom-tree /".

Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qom: Implement qom-set HMP command

Re-implemented based on qmp_qom_set() to facilitate argument parsing.

Warn about ambiguous path arguments.

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qom: Implement qom-list HMP command

Implement it as a wrapper for QMP qom-list, but mimic the behavior of
scripts/qmp/qom-list in making the path argument optional and listing
the root if absent, to hint users what kind of path to pass.

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

scripts: Add qom-tree script

Functionally it is a recursive qom-list with qom-get per non-child<>
property. Some failures needed to be handled, such as trying to read a
pointer property, which is not representable in QMP. Those print a
literal "<EXCEPTION>".

Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

cadence_uart: Convert to QOM realize()

Use DeviceClass::realize() and TypeInfo::instance_init() instead of
the deprecated SysBusDevice::init().

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

Merge remote-tracking branch 'remotes/armbru/tags/pull-cov-model-2015-03-17' into staging

coverity: Fix g_malloc_n-like models

# gpg: Signature made Tue Mar 17 10:17:56 2015 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/pull-cov-model-2015-03-17:
coverity: Fix g_malloc_n-like models

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-gl-20150317-1' into staging

opengl: fix configure test

# gpg: Signature made Tue Mar 17 10:11:24 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gl-20150317-1:
  opengl: fix configure test

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

opengl: fix configure test

Re-add the glx compile test to configure. We can't use pkg-config to
probe for glx, and as long as milkymist-tmu2 privately uses glx (due to
opengl infrastructure in qemu not being ready yet) we must continue to
test for glx to avoid build failures.

Reported-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>

coverity: Fix g_malloc_n-like models

Allocate the calculated overall size, not only the size of a single
element.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.3-rc0

# gpg: Signature made Mon Mar 16 16:11:55 2015 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block/vpc: remove disabled code from get_sector_offset
  block/vpc: rename footer->size -> footer->current_size
  block/vpc: make calculate_geometry spec conform
  vpc: Ignore geometry for large images
  block/vpc: optimize vpc_co_get_block_status
  block: Drop bdrv_find
  blockdev: Convert bdrv_find to blk_by_name
  migration: Convert bdrv_find to blk_by_name
  monitor: Convert bdrv_find to blk_by_name
  iotests: Test non-self-referential qcow2 refblocks
  iotests: Add tests for refcount table growth
  qcow2: Respect new_block in alloc_refcount_block()
  qemu-img: Avoid qerror_report_err() outside QMP handlers, again
  block: Fix block-set-write-threshold not to use funky error class
  block: Deprecate QCOW/QCOW2 encryption
  qemu-img: Fix convert, amend error messages for unknown options
  iotests: Update 051's reference output

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/bkoppelmann/tags/pull-tricore-20150316' into staging

TriCore RRR1, RRRR, RRRW, and SYS instructions

# gpg: Signature made Mon Mar 16 15:55:24 2015 GMT using RSA key ID 6B69CA14
# gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>"

* remotes/bkoppelmann/tags/pull-tricore-20150316:
  target-tricore: Add instructions of SYS opcode format
  target-tricore: Add instructions of RRRW opcode format
  target-tricore: Add instructions of RRRR opcode format
  target-tricore: Add instructions of RRR1 opcode format, which have 0xe3 as first opcode
  target-tricore: Add instructions of RRR1 opcode format, which have 0x63 as first opcode
  target-tricore: Add instructions of RRR1 opcode format, which have 0xa3 as first opcode

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/rth/tags/tcg-pull-20150316' into staging

tcg opt fix for or x,a,a

# gpg: Signature made Mon Mar 16 15:47:19 2015 GMT using RSA key ID 4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"

* remotes/rth/tags/tcg-pull-20150316:
  tcg/optimize: Handle or r,a,a with constant a

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'mreitz/block' into queue-block

* mreitz/block:
  block/vpc: remove disabled code from get_sector_offset
  block/vpc: rename footer->size -> footer->current_size
  block/vpc: make calculate_geometry spec conform
  vpc: Ignore geometry for large images
  block/vpc: optimize vpc_co_get_block_status
  block: Drop bdrv_find
  blockdev: Convert bdrv_find to blk_by_name
  migration: Convert bdrv_find to blk_by_name
  monitor: Convert bdrv_find to blk_by_name
  iotests: Test non-self-referential qcow2 refblocks
  iotests: Add tests for refcount table growth
  qcow2: Respect new_block in alloc_refcount_block()

block/vpc: remove disabled code from get_sector_offset

The code to check the bitmap for the allocation status of each sector
has been "disabled by reason" ever since the vpc driver existed.

The reason might be that we might end up reading sector by sector
in vpc_read if we really used it. This would be a performance desaster.

The current code would furthermore not work if the disabled parts get
reactivated since vpc_read and vpc_write only use get_sector_offset to
check the allocation status of the first sector of a read/write operation.
This might lead to sectors incorrectly treated as zero in vpc_read and
to sectors getting allocated twice in vpc_write.

Signed-off-by: Peter Lieven <pl@kamp.de>
Message-id: 1425379316-19639-6-git-send-email-pl@kamp.de
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

block/vpc: rename footer->size -> footer->current_size

the field is named current size in the spec. Name it accordingly.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1425379316-19639-5-git-send-email-pl@kamp.de
Signed-off-by: Max Reitz <mreitz@redhat.com>

block/vpc: make calculate_geometry spec conform

The VHD spec [1] allows for total_sectors of 65535 x 16 x 255 (~127GB)
represented by a CHS geometry. If total_sectors is greater
than 65535 x 16 x 255 this geometry is set as a maximum.

Qemu, Hyper-V and disk2vhd use this special geometry as an indicator
to use the image current size from the footer as disk size.

This patch changes vpc_create to effectively calculate a CxHxS geometry
for the given image size if possible while rounding up if necessary.
If the image size is too big to be represented in CHS we set the maximum
and write the exact requested image size into the footer.

This partly reverts commit 258d2edb, but leaves support for >127G disks
intact.

[1] http://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc

Signed-off-by: Peter Lieven <pl@kamp.de>
Message-id: 1425379316-19639-4-git-send-email-pl@kamp.de
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

vpc: Ignore geometry for large images

The CHS calculation as done per the VHD spec imposes a maximum image
size of ~127 GB. Real VHD images exist that are larger than that.

Apparently there are two separate non-standard ways to achieve this:
You could use more heads than the spec does - this is the option that
qemu-img create chooses.

However, other images exist where the geometry is set to the maximum
(65535/16/255), but the actual image size is larger. Until now, such
images are truncated at 127 GB when opening them with qemu.

This patch changes the vpc driver to ignore geometry in this case and
only trust the size field in the header.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
[PL: Fixed maximum geometry in the commit msg]
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-id: 1425379316-19639-3-git-send-email-pl@kamp.de
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

block/vpc: optimize vpc_co_get_block_status

*pnum can't be greater than s->block_size / BDRV_SECTOR_SIZE for allocated
sectors since there is always a bitmap in between.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1425379316-19639-2-git-send-email-pl@kamp.de
Signed-off-by: Max Reitz <mreitz@redhat.com>

block: Drop bdrv_find

All callers are converted, so drop it.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1425296209-1476-5-git-send-email-famz@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

blockdev: Convert bdrv_find to blk_by_name

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1425296209-1476-4-git-send-email-famz@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

migration: Convert bdrv_find to blk_by_name

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1425296209-1476-3-git-send-email-famz@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

monitor: Convert bdrv_find to blk_by_name

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1425296209-1476-2-git-send-email-famz@redhat.com
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

iotests: Test non-self-referential qcow2 refblocks

It is easy to create only self-referential refblocks, but there are
cases where that is impossible. This adds a test for two of those cases
(combined in a single test case).

Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1417798412-15330-1-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

iotests: Add tests for refcount table growth

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1423598552-24301-3-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

qcow2: Respect new_block in alloc_refcount_block()

When choosing a new place for the refcount table, alloc_refcount_block()
tries to infer the number of clusters used so far from its argument
cluster_index (which comes from the idea that if any cluster with an
index greater than cluster_index was in use, the refcount table would
have to be big enough already to describe cluster_index).

However, there is a cluster that may be at or after cluster_index, and
which is not covered by the refcount structures, and that is the new
refcount block new_block. Therefore, it should be taken into account for
the blocks_used calculation.

Also, because new_block already describes (or is intended to describe)
cluster_index, we may not put the new refcount structures there.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1423598552-24301-2-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>

qemu-img: Avoid qerror_report_err() outside QMP handlers, again

qerror_report_err() is a transitional interface to help with
converting existing monitor commands to QMP.  It should not be used
elsewhere.  Replace by error_report_err().

Commit 6936f29 cleaned that up in qemu-img.c, but two calls have crept
in since.  Take care of them the same way.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

block: Fix block-set-write-threshold not to use funky error class

Error classes are a leftover from the days of "rich" error objects.
New code should always use ERROR_CLASS_GENERIC_ERROR. Commit e246211
added a use of ERROR_CLASS_DEVICE_NOT_FOUND. Replace it.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

block: Deprecate QCOW/QCOW2 encryption

We've steered users away from QCOW/QCOW2 encryption for a while,
because it's a flawed design (commit 136cd19 Describe flaws in
qcow/qcow2 encryption in the docs).

In addition to flawed crypto, we have comically bad usability, and
plain old bugs.  Let me show you.

= Example images =

I'm going to use a raw image as backing file, and two QCOW2 images,
one encrypted, and one not:

    $ qemu-img create -f raw backing.img 4m
    Formatting 'backing.img', fmt=raw size=4194304
    $ qemu-img create -f qcow2 -o encryption,backing_file=backing.img,backing_fmt=raw geheim.qcow2 4m
    Formatting 'geheim.qcow2', fmt=qcow2 size=4194304 backing_file='backing.img' backing_fmt='raw' encryption=on cluster_size=65536 lazy_refcounts=off
    $ qemu-img create -f qcow2 -o backing_file=backing.img,backing_fmt=raw normal.qcow2 4m
    Formatting 'normal.qcow2', fmt=qcow2 size=4194304 backing_file='backing.img' backing_fmt='raw' encryption=off cluster_size=65536 lazy_refcounts=off

= Usability issues =

== Confusing startup ==

When no image is encrypted, and you don't give -S, QEMU starts the
guest immediately:

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio normal.qcow2
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) info status
    VM status: running

But as soon as there's an encrypted image in play, the guest is *not*
started, with no notification whatsoever:

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) info status
    VM status: paused (prelaunch)

If the user figured out that he needs to type "cont" to enter his
keys, the confusion enters the next level: "cont" asks for at most
*one* key.  If more are needed, it then silently does nothing.  The
user has to type "cont" once per encrypted image:

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio -drive if=none,file=geheim.qcow2 -drive if=none,file=geheim.qcow2
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) info status
    VM status: paused (prelaunch)
    (qemu) c
    none0 (geheim.qcow2) is encrypted.
    Password: ******
    (qemu) info status
    VM status: paused (prelaunch)
    (qemu) c
    none1 (geheim.qcow2) is encrypted.
    Password: ******
    (qemu) info status
    VM status: running

== Incorrect passwords not caught ==

All existing encryption schemes give you the GIGO treatment: garbage
password in, garbage data out.  Guests usually refuse to mount
garbage, but other usage is prone to data loss.

== Need to stop the guest to add an encrypted image ==

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) info status
    VM status: running
    (qemu) drive_add "" if=none,file=geheim.qcow2
    Guest must be stopped for opening of encrypted image
    (qemu) stop
    (qemu) drive_add "" if=none,file=geheim.qcow2
    OK

Commit c3adb58 added this restriction.  Before, we could expose images
lacking an encryption key to guests, with potentially catastrophic
results.  See also "Use without key is not always caught".

= Bugs =

== Use without key is not always caught ==

Encrypted images can be in an intermediate state "opened, but no key".
The weird startup behavior and the need to stop the guest are there to
ensure the guest isn't exposed to that state.  But other things still
are!

* drive_backup

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) drive_backup -f ide0-hd0 out.img raw
    Formatting 'out.img', fmt=raw size=4194304

  I guess this writes encrypted data to raw image out.img.  Good luck
  with figuring out how to decrypt that again.

* commit

    $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
    QEMU 2.2.50 monitor - type 'help' for more information
    (qemu) commit ide0-hd0

  I guess this writes encrypted data into the unencrypted raw backing
  image, effectively destroying it.

== QMP device_add of usb-storage fails when it shouldn't ==

When the image is encrypted, device_add creates the device, defers
actually attaching it to when the key becomes available, then fails.
This is wrong.  device_add must either create the device and succeed,
or do nothing and fail.

    $ qemu-system-x86_64 -nodefaults -display none -usb -qmp stdio -drive if=none,id=foo,file=geheim.qcow2
    {"QMP": {"version": {"qemu": {"micro": 50, "minor": 2, "major": 2}, "package": ""}, "capabilities": []}}
    { "execute": "qmp_capabilities" }
    {"return": {}}
    { "execute": "device_add", "arguments": { "driver": "usb-storage", "id": "bar", "drive": "foo" } }
    {"error": {"class": "DeviceEncrypted", "desc": "'foo' (geheim.qcow2) is encrypted"}}
    {"execute":"device_del","arguments": { "id": "bar" } }
    {"timestamp": {"seconds": 1426003440, "microseconds": 237181}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/bar/bar.0/legacy[0]"}}
    {"timestamp": {"seconds": 1426003440, "microseconds": 238231}, "event": "DEVICE_DELETED", "data": {"device": "bar", "path": "/machine/peripheral/bar"}}
    {"return": {}}

This stuff is worse than useless, it's a trap for users.

If people become sufficiently interested in encrypted images to
contribute a cryptographically sane implementation for QCOW2 (or
whatever other format), then rewriting the necessary support around it
from scratch will likely be easier and yield better results than
fixing up the existing mess.

Let's deprecate the mess now, drop it after a grace period, and move
on.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

qemu-img: Fix convert, amend error messages for unknown options

Message quality regressed in commit dc523cd.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

iotests: Update 051's reference output

Commit c4bacaf improved error reporting, but neglected to update
051.out. Commit 2726958 tried to redress, but didn't get it quite
right (punctuation difference), and shortly after commit
ae071cc..master improved error reporting some more, neglecting 051.out
some more. Sorry!

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

target-tricore: Add instructions of SYS opcode format

This adds only the non trap instructions.

Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

tcg/optimize: Handle or r,a,a with constant a

As seen with ubuntu-5.10-live-powerpc.iso.

Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

target-tricore: Add instructions of RRRW opcode format

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

target-tricore: Add instructions of RRRR opcode format

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

target-tricore: Add instructions of RRR1 opcode format, which have 0xe3 as first opcode

Add helpers helper_subadr_h/_ssov which subs one halfword and adds one
halfword, rounds / and saturates each half word independently.

Add microcode helper functions:
    * gen_msubad_h/ads_h: multiply two halfwords left justified and sub from the
                          first one word and add the second one word
                          / and saturate each resulting word independetly.
    * gen_msubadm_h/adms_h: multiply two halfwords in q-format left justified
                            and sub from the first one word and add to
                            the second one word / and saturate each resulting
                            word independetly.
    * gen_msubadr32_h/32s_h: multiply two halfwords in q-format left justified
                             and sub from the first one word and add to
                             the second one word, round both results / and
                             saturate each resulting word independetly.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

target-tricore: Add instructions of RRR1 opcode format, which have 0x63 as first opcode

Add helpers:
    * msub64_q_ssov: multiply two 32 bit q-format number, sub the result from a
                     64 bit q-format number and saturate.
    * msub32_q_sub_ssov: sub two 64 bit q-format numbers and return a 32 bit
                         result.
    * msubr_q_ssov: multiply two 32 bit q-format numbers, sub the result from a 32 bit
                    q-format number and saturate.
    * msubr_q: multiply two 32 bit q-format numbers and sub the result from a 32 bit
               q-format number.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

target-tricore: Add instructions of RRR1 opcode format, which have 0xa3 as first opcode

Add helpers:
    * sub64_ssov: subs two 64 bit values and saturates the result.
    * subr_h/_ssov: subs two halfwords from two words in q-format with rounding
                    / and saturates each result independetly.

Add microcode generator:
    * gen_sub64_d: adds two 64 bit values.
    * gen_msub_h/s_h: multiply four halfwords, sub each result left justfied
                      from two word values / and saturate each result.
    * gen_msubm_h/s_h: multiply four halfwords, sub each result left justfied
                       from two words values in q-format / and saturate each
                       result.
    * gen_msubr32/64_h/s_h: multiply four halfwords, sub each result left
                            justfied from two halftwords/words values in q-format
                            / and saturate each result.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20150316' into staging

migration/next for 20150316

# gpg: Signature made Mon Mar 16 13:36:37 2015 GMT using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20150316:
  pc: Disable vmdesc submission for old machines
  migration: Allow to suppress vmdesc submission
  migration: Read JSON VM description on incoming migration
  rename save_block_hdr to save_page_header
  save_block_hdr: we can recalculate the cont parameter here
  save_xbzrle_page: change calling convention
  ram_save_page: change calling covention
  ram_find_and_save_block:  change calling convention
  ram: make all save_page functions take a uint64_t parameter
  Add migrate_incoming
  Add -incoming defer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20150316' into staging

target-arm queue:
* fix handling of execute-never bits in page table walks
* tell kernel to initialize KVM GIC in realize function
* fix handling of STM (user) with r15 in register list
* ignore low bit of PC in M-profile exception return
* fix linux-user get/set_tls syscalls on CPUs with TZ

# gpg: Signature made Mon Mar 16 12:39:04 2015 GMT using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20150316:
  linux-user: Access correct register for get/set_tls syscalls on ARM TZ CPUs
  target-arm: Ignore low bit of PC in M-profile exception return
  target-arm: Fix handling of STM (user) with r15 in register list
  hw/intc/arm_gic: Initialize the vgic in the realize function
  target-arm: get_phys_addr_lpae: more xn control
  target-arm: fix get_phys_addr_v6/SCTLR_AFE access check
  target-arm: convert check_ap to ap_to_rw_prot

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

pc: Disable vmdesc submission for old machines

Older PC machine types might by accident be backwards live migration compatible,
but with the new vmdesc self-describing blob in our live migration stream we
would break that compatibility.

Also users wouldn't expect massive behaviorial differences when updating to a
new version of QEMU while retaining their old machine type, especially not
potential breakage in tooling around live migration.

So disable vmdesc submission for old PC machine types.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

migration: Allow to suppress vmdesc submission

We now always send a JSON blob describing the migration file format as part
of the migration stream. However, some tools built around QEMU have proven
to stumble over this.

This patch gives the user the chance to disable said self-describing part of
the migration stream. To disable vmdesc submission, just add

-machine suppress-vmdesc=on

to your QEMU command line.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>

migration: Read JSON VM description on incoming migration

One of the really nice things about the VM description format is that it goes
over the wire when live migration is happening. Unfortunately QEMU today closes
any socket once it sees VM_EOF coming, so we never give the VMDESC the chance to
actually land on the wire.

This patch makes QEMU read the description as well. This way we ensure that
anything wire tapping us in between will get the chance to also interpret the
stream.

Along the way we also fix virt tests that assume that number_bytes_sent on the
sender side is equal to number_bytes_read which was true before the VMDESC
patches and is true again with this patch.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

rename save_block_hdr to save_page_header

It has always been a page header, not a block header. Once there, the
flag argument was only passed to make a bit or with it, just do the or
on the caller.

Signed-off-by: Juan Quintela <quintela@redhat.com>

save_block_hdr: we can recalculate the cont parameter here

No need to pass it through all the callers. Once there, update
last_sent_block here.

Signed-off-by: Juan Quintela <quintela@redhat.com>

save_xbzrle_page: change calling convention

Add a parameter to pass the number of bytes written, and make it return
the number of pages written instead.

Signed-off-by: Juan Quintela <quintela@redhat.com>

ram_save_page: change calling covention

Add a parameter to pass the number of bytes written, and make it return
the number of pages written instead.

Signed-off-by: Juan Quintela <quintela@redhat.com>

ram_find_and_save_block: change calling convention

Add a parameter to pass the number of bytes written, and make it return
the number of pages written instead.

Signed-off-by: Juan Quintela <quintela@redhat.com>

ram: make all save_page functions take a uint64_t parameter

It used to be an int, but then we can't pass directly the
bytes_transferred parameter, that would happen later in the series.

Signed-off-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>

Add migrate_incoming

Add migrate_incoming/migrate-incoming to start an incoming
migration.

Once a qemu has been started with
-incoming defer

the migration can be started by issuing:
migrate_incoming uri

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Add -incoming defer

-incoming defer causes qemu to wait for an incoming migration
to be specified later. The monitor can be used to set migration
capabilities that may affect the incoming connection process.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Merge remote-tracking branch 'remotes/kvaneesh/for-upstream' into staging

* remotes/kvaneesh/for-upstream:
  virtio: Fix memory leaks reported by Coverity
  virtfs-proxy: Fix possible overflow
  fsdev/virtfs-proxy-helper: Fix improper use of negative value
  hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access
  9pfs-proxy: tiny cleanups in proxy_pwritev and proxy_preadv
  9pfs-local: simplify/optimize local_mapped_attr_path()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

linux-user: Access correct register for get/set_tls syscalls on ARM TZ CPUs

When support was added for TrustZone to ARM CPU emulation, we failed
to correctly update the support for the linux-user implementation of
the get/set_tls syscalls. This meant that accesses to the TPIDRURO
register via the syscalls were always using the non-secure copy of
the register even if native MRC/MCR accesses were using the secure
register. This inconsistency caused most binaries to segfault on startup
if the CPU type was explicitly set to one of the TZ-enabled ones like
cortex-a15. (The default "any" CPU doesn't have TZ enabled and so is
not affected.)

Use access_secure_reg() to determine whether we should be using
the secure or the nonsecure copy of TPIDRURO when emulating these
syscalls.

Signed-off-by: Mikhail Ilyin <m.ilin@samsung.com>
Message-id: 1426505198-2411-1-git-send-email-m.ilin@samsung.com
[PMM: rewrote commit message to more clearly explain the issue
and its consequences.]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-arm: Ignore low bit of PC in M-profile exception return

For the ARM M-profile cores, exception return pops various registers
including the PC from the stack. The architecture defines that if the
lowest bit in the new PC value is set (ie the PC is not halfword
aligned) then behaviour is UNPREDICTABLE. In practice hardware
implementations seem to simply ignore the low bit, and some buggy
RTOSes incorrectly rely on this. QEMU's behaviour was architecturally
permitted, but bringing QEMU into line with the hardware behaviour
allows more guest code to run. We log the situation as a guest error.

This was reported as LP:1428657.

Reported-by: Anders Esbensen <anders@lyes.dk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-arm: Fix handling of STM (user) with r15 in register list

The A32 encoding of LDM distinguishes LDM (user) from LDM (exception
return) based on whether r15 is in the register list. However for
STM (user) there is no equivalent distinction. We were incorrectly
treating "r15 in list" as indicating exception return for both LDM
and STM, with the result that an STM (user) involving r15 went into
an infinite loop. Fix this; note that the value stored for r15
in this case is the current PC regardless of our current mode.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426015125-5521-1-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gic: Initialize the vgic in the realize function

This patch forces vgic initialization in the vgic realize function.
It uses a new group/attribute that allows such operation:
KVM_DEV_ARM_VGIC_GRP_CTRL/KVM_DEV_ARM_VGIC_CTRL_INIT

This earlier initialization allows, for example, to setup VFIO
signaling and irqfd after vgic initialization, on a reset notifier.

Signed-off-by: Eric Auger <eric.auger@linaro.org>
Message-id: 1426094226-8515-1-git-send-email-eric.auger@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-arm: get_phys_addr_lpae: more xn control

This patch makes the following changes to the determination of
whether an address is executable, when translating addresses
using LPAE.

1. No longer assumes that PL0 can't execute when it can't read.
   It can in AArch64, a difference from AArch32.
2. Use va_size == 64 to determine we're in AArch64, rather than
   arm_feature(env, ARM_FEATURE_V8), which is insufficient.
3. Add additional XN determinants
   - NS && is_secure && (SCR & SCR_SIF)
   - WXN && (prot & PAGE_WRITE)
   - AArch64: (prot_PL0 & PAGE_WRITE)
   - AArch32: UWXN && (prot_PL0 & PAGE_WRITE)
   - XN determination should also work in secure mode (untested)
   - XN may even work in EL2 (currently impossible to test)
4. Cleans up the bloated PAGE_EXEC condition - by removing it.

The helper get_S1prot is introduced. It may even work in EL2,
when support for that comes, but, as the function name implies,
it only works for stage 1 translations.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 1426099139-14463-4-git-send-email-drjones@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-arm: fix get_phys_addr_v6/SCTLR_AFE access check

Introduce simple_ap_to_rw_prot(), which has the same behavior as
ap_to_rw_prot(), but takes the 2-bit simple AP[2:1] instead of
the 3-bit AP[2:0]. Use this in get_phys_addr_v6 when SCTLR_AFE
is set, as that bit indicates we should be using the simple AP
format.

It's unlikely this path is getting used. I don't see CR_AFE
getting used by Linux, so possibly not. If it had been, then
the check would have been wrong for all but AP[2:1] = 0b11.
Anyway, this should fix it up, in case it ever does get used.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426099139-14463-3-git-send-email-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-arm: convert check_ap to ap_to_rw_prot

Instead of mixing access permission checking with access permissions
to page protection flags translation, just do the translation, and
leave it to the caller to check the protection flags against the access
type. Also rename to ap_to_rw_prot to better describe the new behavior.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1426099139-14463-2-git-send-email-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150316' into staging

Final batch of s390x enhancements/fixes for 2.3:
- handle TOD clock during migration
- CPACF key wrap options
- limit amount of pci device code we build
- ensure big endian accesses for ccws
- various fixes and cleanups

# gpg: Signature made Mon Mar 16 10:01:44 2015 GMT using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20150316:
  s390x/config: Do not include full pci.mak
  s390x/pci: fix length in sei_nt2 event
  s390x/ipl: remove dead code
  s390x/virtio-bus: Remove unused function s390_virtio_bus_console()
  s390x: CPACF: Handle key wrap machine options
  s390x/kvm: make use of generic vm attribute check
  kvm: encapsulate HAS_DEVICE for vm attrs
  virtio-ccw: assure BE accesses
  s390x/kvm: Guest Migration TOD clock synchronization
  s390x: Replace unchecked qdev_init() by qdev_init_nofail()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-seabios-1.8.1-20150316-1' into staging

seabios: update to 1.8.1 stable release

# gpg: Signature made Mon Mar 16 08:09:25 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-seabios-1.8.1-20150316-1:
  seabios: update to 1.8.1 stable release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/rth/tags/tcg-pull-20150313' into staging

Pool TCG data, and ALWAYS/NEVER fix

# gpg: Signature made Fri Mar 13 20:09:09 2015 GMT using RSA key ID 4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"

* remotes/rth/tags/tcg-pull-20150313:
  tcg: Complete handling of ALWAYS and NEVER
  tcg: Use tcg_malloc to allocate TCGLabel
  tcg: Change generator-side labels to a pointer
  tcg: Change translator-side labels to a pointer
  tcg-ia64: Use tcg_malloc to allocate TCGLabelQemuLdst
  tcg: Use tcg_malloc to allocate TCGLabelQemuLdst

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

s390x/config: Do not include full pci.mak

pci.mak includes a lot of devices - and most of them do not make
sense on s390x, like USB controllers or audio cards. These devices
also show up when running "qemu-system-s390x -device help" and thus
could raise the hope for the users that they could use these kind
of devices with qemu-system-s390x. To avoid this confusion, we
should not include pci.mak and rather include the bare minimum
manually instead.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Acked-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Message-Id: <1426169954-6062-1-git-send-email-thuth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/pci: fix length in sei_nt2 event

The sei_nt2 event must contain the length of the event.

Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-7-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/ipl: remove dead code

load_image_targphys already checks the max size and will return
an error code. So the follow-on check will never trigger.

Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-6-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/virtio-bus: Remove unused function s390_virtio_bus_console()

The function s390_virtio_bus_console() is completely unused and thus
can be removed safely.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-5-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x: CPACF: Handle key wrap machine options

Check for the aes_key_wrap and dea_key_wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.

This patch introduces two new machine options for indicating the state of
AES/DEA key wrapping functions. This controls whether the guest will
have access to the AES/DEA crypto functions.

aes_key_wrap="on | off" is changed to aes-key-wrap="on | off"
dea_key_wrap="on | off" is changed to dea-key-wrap="on | off"

Check for the aes-key-wrap and dea-key-wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.

Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-4-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/kvm: make use of generic vm attribute check

By using the new introduced generic interface we
can remove redundancies and clean up.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Suggested-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-3-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

kvm: encapsulate HAS_DEVICE for vm attrs

More and more virtual machine specifics between kvm and qemu will be
transferred with vm attributes.
So we encapsulate the common logic in a generic function.

Additionally we need only to check during initialization if kvm supports
virtual machine attributes.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1426164834-38648-2-git-send-email-jfrei@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

virtio-ccw: assure BE accesses

All fields in structures transmitted by ccws are big endian; assure
we handle them as such.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Message-Id: <1426067871-17693-2-git-send-email-cornelia.huck@de.ibm.com>

s390x/kvm: Guest Migration TOD clock synchronization

Synchronizes the guest TOD clock across a migration by sending the guest TOD
clock value to the destination system. If the guest TOD clock is not preserved
across a migration then the guest's view of time will snap backwards if the
destination host clock is behind the source host clock. This will cause the
guest to hang immediately upon resuming on the destination system.

Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Message-Id: <1425912968-54387-1-git-send-email-jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x: Replace unchecked qdev_init() by qdev_init_nofail()

s390_flic_init() is a helper to create and realize either
"s390-flic-kvm" or "s390-flic-qemu". When qdev_init() fails, it
complains to stderr and succeeds.

Except it can't actually fail, because the "s390-flic-qemu" is a dummy
without a realize method, and "s390-flic-kvm"'s realize can't fail,
even when the kernel device is really unavailable. Odd.

Replace qdev_init() by qdev_init_nofail() to make "can't fail" locally
obvious, and get rid of the unreachable error reporting.

Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Message-Id: <1423128889-18260-4-git-send-email-armbru@redhat.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

seabios: update to 1.8.1 stable release

Carries two bugfixes and support for multiple pci root buses.

git shortlog rel-1.8.0..rel-1.8.1
=================================

Ameya Palande (1):
      x86: add barrier to read{b,w,l} and write{b,w,l} functions

Kevin O'Connor (1):
      smp: Fix smp race introduced in 0673b787

Marcel Apfelbaum (2):
      fw/pci: scan all buses if extraroots romfile is present
      fw/pci: map memory and IO regions for multiple pci root buses

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

virtio: Fix memory leaks reported by Coverity

All four leaks are similar, so fix them in one patch.
Success path was not doing memory free.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

virtfs-proxy: Fix possible overflow

It's detected by coverity. The socket name specified
should fit in the sockadd_un.sun_path. If not abort.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

fsdev/virtfs-proxy-helper: Fix improper use of negative value

It's detected by coverity. Check the return value of proxy_marshal.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

tcg: Complete handling of ALWAYS and NEVER

Missing from movcond, and brcondi_i32 (but not brcondi_i64).

Signed-off-by: Richard Henderson <rth@twiddle.net>

tcg: Use tcg_malloc to allocate TCGLabel

Pre-allocating 512 of them per TB is a waste.

Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

tcg: Change generator-side labels to a pointer

This is less about improved type checking than enabling a
subsequent change to the representation of labels.

Acked-by: Claudio Fontana <claudio.fontana@huawei.com>
Tested-by: Claudio Fontana <claudio.fontana@huawei.com>
Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

tcg: Change translator-side labels to a pointer

This is improved type checking for the translators -- it's no longer
possible to accidentally swap arguments to the branch functions.

Note that the code generating backends still manipulate labels as int.

With notable exceptions, the scope of the change is just a few lines
for each target, so it's not worth building extra machinery to do this
change in per-target increments.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Cc: Michael Walle <michael@walle.cc>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Anthony Green <green@moxielogic.com>
Cc: Jia Liu <proljc@gmail.com>
Cc: Alexander Graf <agraf@suse.de>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

tcg-ia64: Use tcg_malloc to allocate TCGLabelQemuLdst

Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

tcg: Use tcg_malloc to allocate TCGLabelQemuLdst

Pre-allocating 640 of them per TB is a waste.

Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>

user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm

A couple of #ifdef changes necessary to use NetBSD's ucontext
structs on sparc64 and arm.

Signed-off-by: Tobias Nygren <tnn@NetBSD.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1425591461-17550-1-git-send-email-tnn@NetBSD.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150312-2' into staging

misc ui patches, mostly sdl related.

# gpg: Signature made Thu Mar 12 14:51:07 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-20150312-2:
  pixman: add a bunch of PIXMAN_BE_* defines for 32bpp
  Allow the use of X11 from a non standard location.
  configure: opengl overhaul
  sdl: Fix crash when calling sdl_switch() with NULL surface
  sdl: Refresh debug statements

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging

Update OpenBIOS images

# gpg: Signature made Fri Mar 13 11:04:07 2015 GMT using RSA key ID AE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"

* remotes/mcayland/tags/qemu-openbios-signed:
Update OpenBIOS images

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Update OpenBIOS images

Update OpenBIOS images to SVN r1334 built from submodule.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

# gpg: Signature made Thu Mar 12 20:06:50 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  tests: rtl8139: test timers and interrupt
  net: synchronize net_host_device_remove with host_net_remove_completion

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

# gpg: Signature made Thu Mar 12 19:09:26 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  qcow2: fix the macro QCOW_MAX_L1_SIZE's use
  queue: fix QSLIST_INSERT_HEAD_ATOMIC race

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access

It's detected by coverity. Fix out-of-bounds access of the function mp_dacl_listxattr.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

tests: rtl8139: test timers and interrupt

Test behaviour of timers and interrupts related to timeouts.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1420742303-3030-1-git-send-email-freddy77@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

net: synchronize net_host_device_remove with host_net_remove_completion

Using net_host_check_device is unnecessary. qemu_del_net_client asserts
for the non-peer case that it can only process NIC type NetClientStates,
and that assertion is valid for the peered case as well, so move it and
use the same check in net_host_device_remove. host_net_remove_completion
is already checking the type.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1419353600-30519-2-git-send-email-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

qcow2: fix the macro QCOW_MAX_L1_SIZE's use

QCOW_MAX_L1_SIZE's unit is byte, and l1_size's unit
is l1 table entry size(8 bytes).

Signed-off-by: Wen Congyang <wency@cn.fujitsu.com>
Message-id: 54FFB0F1.5010307@cn.fujitsu.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

queue: fix QSLIST_INSERT_HEAD_ATOMIC race

There is a not-so-subtle race in QSLIST_INSERT_HEAD_ATOMIC.

Because atomic_cmpxchg returns the old value instead of a success flag,
QSLIST_INSERT_HEAD_ATOMIC was checking for success by comparing against
the second argument to atomic_cmpxchg.  Unfortunately, this only works
if the second argument is a local or thread-local variable.

If it is in memory, it can be subject to common subexpression elimination
(and then everything's fine) or reloaded after the atomic_cmpxchg,
depending on the compiler's whims.  If the latter happens, the race can
happen.  A thread can sneak in, doing something on elm->field.sle_next
after the atomic_cmpxchg and before the comparison.  This causes a wrong
failure, and then two threads are using "elm" at the same time.  In the
case discovered by Christian, the sequence was likely something like this:

    thread 1                   | thread 2
    QSLIST_INSERT_HEAD_ATOMIC  |
      atomic_cmpxchg succeeds  |
      elm added to list        |
                               | steal release_pool
                               | QSLIST_REMOVE_HEAD
                               | elm removed from list
                               | ...
                               | QSLIST_INSERT_HEAD_ATOMIC
                               |   (overwrites sle_next)
      spurious failure         |
      atomic_cmpxchg succeeds  |
      elm added to list again  |
                               |
    steal release_pool         |
    QSLIST_REMOVE_HEAD         |
    elm removed again          |

The last three steps could be done by a third thread as well.
A reproducer that failed in a matter of seconds is as follows:

- the guest has 32 VCPUs on a 28 core host (hyperthreading was enabled),
  memory was 16G just to err on the safe side (the host has 64G, but hey
  at least you need no s390)

- the guest has 24 null-aio virtio-blk devices using dataplane
  (-object iothread,id=ioN -drive if=none,id=blkN,driver=null-aio,size=500G
  -device virtio-blk-pci,iothread=ioN,drive=blkN)

- the guest also has a single network interface.  It's only doing loopback
  tests so slirp vs. tap and the model doesn't matter.

- the guest is running fio with the following script:

     [global]
     rw=randread
     blocksize=16k
     ioengine=libaio
     runtime=10m
     buffered=0
     fallocate=none
     time_based
     iodepth=32

     [virtio1a]
     filename=/dev/block/252\:16

     [virtio1b]
     filename=/dev/block/252\:16

     ...

     [virtio24a]
     filename=/dev/block/252\:384

     [virtio24b]
     filename=/dev/block/252\:384

     [listen1]
     protocol=tcp
     ioengine=net
     port=12345
     listen
     rw=read
     bs=4k
     size=1000g

     [connect1]
     protocol=tcp
     hostname=localhost
     ioengine=net
     port=12345
     protocol=tcp
     rw=write
     startdelay=1
     size=1000g

     ...

     [listen8]
     protocol=tcp
     ioengine=net
     port=12352
     listen
     rw=read
     bs=4k
     size=1000g

     [connect8]
     protocol=tcp
     hostname=localhost
     ioengine=net
     port=12352
     rw=write
     startdelay=1
     size=1000g

Moral of the story: I should refrain from writing more clever stuff.
At least it looks like it is not too clever to be undebuggable.

Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1426002357-6889-1-git-send-email-pbonzini@redhat.com
Fixes: c740ad92d0d958fa785e5d7aa1b67ecaf30a6a54
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

pixman: add a bunch of PIXMAN_BE_* defines for 32bpp

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>

Allow the use of X11 from a non standard location.

Signed-off-by: Jeremy White <jwhite@codeweavers.com>
[ kraxel: solve opengl patch conflicts ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>

configure: opengl overhaul

Rename config option from "glx" to "opengl", glx will not be the only
option for opengl in near future. Also switch over to pkg-config for
opengl support detection.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>

sdl: Fix crash when calling sdl_switch() with NULL surface

This happens for example when doing ctrl-alt-u and segfaults

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

sdl: Refresh debug statements

Put them under a #define similar to the VGA model and make them
actually compile. Add a couple too.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150312-1' into staging

vnc: bugfixes and cleanups.

# gpg: Signature made Thu Mar 12 08:58:39 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20150312-1:
  vnc: fix segmentation fault when invalid vnc parameters are specified
  vnc: avoid possible file handler leak
  ui/console: fix OVERFLOW_BEFORE_WIDEN
  ui: fix regression in x509verify parameter for VNC server
  vnc: switch to inet_listen_opts
  vnc: remove dead code
  vnc: drop display+ws_display from VncDisplay

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>