git.osdn.net Git - qmiga/qemu.git/log

softfloat: add uint128_to_float128

Based on parts_uint_to_float, implements uint128_to_float128 to convert
an unsigned 128-bit value received through an Int128 argument.

Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220330175932.6995-4-matheus.ferst@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

qemu/int128: add int128_urshift

Implement an unsigned right shift for Int128 values and add the same
tests cases of int128_rshift in the unit test.

Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220330175932.6995-3-matheus.ferst@eldorado.org.br>
[danielhb: fixed long lines in test_urshift()]
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

target/ppc: Improve KVM hypercall trace

Before:

  kvm_handle_papr_hcall handle PAPR hypercall
  kvm_handle_papr_hcall handle PAPR hypercall
  kvm_handle_papr_hcall handle PAPR hypercall
  kvm_handle_papr_hcall handle PAPR hypercall
  kvm_handle_papr_hcall handle PAPR hypercall
  kvm_handle_papr_hcall handle PAPR hypercall

After:

  kvm_handle_papr_hcall 0x3a8
  kvm_handle_papr_hcall 0x3ac
  kvm_handle_papr_hcall 0x108
  kvm_handle_papr_hcall 0x104
  kvm_handle_papr_hcall 0x104
  kvm_handle_papr_hcall 0x108

Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220325223316.276494-1-farosas@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

spapr: Move nested KVM hypercalls under a TCG only config.

These are the spapr virtual hypervisor implementation of the nested
KVM API. They only make sense when running with TCG.

Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20220325221113.255834-3-farosas@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

spapr: Move hypercall_register_softmmu

I'm moving this because next patch will add more code under the ifdef
and it will be cleaner if we keep them together.

Also switch the ifdef branches to make it more convenient to add code
under CONFIG_TCG in the next patch.

Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20220325221113.255834-2-farosas@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Remove useless checks in set_irq handlers

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20220323072846.1780212-6-clg@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Remove PnvPsiClas::irq_set

All devices raising PSI interrupts are now converted to use GPIO lines
and the pnv_psi_irq_set() routines have become useless. Drop them.

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20220323072846.1780212-5-clg@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Remove PnvOCC::psi link

Use an anonymous output GPIO line to connect the OCC device with the
PSIHB device and raise the appropriate PSI IRQ line depending on the
processor model.

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20220323072846.1780212-4-clg@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Remove PnvLpcController::psi link

Create an anonymous output GPIO line to connect the LPC device with
the PSIHB device and raise the appropriate PSI IRQ line depending on
the processor model.

A temporary __pnv_psi_irq_set() routine is introduced to handle the
transition. It will be removed when all devices raising PSI interrupts
are converted to use GPIOs.

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20220323072846.1780212-3-clg@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Fix PSI IRQ definition

On HW, the PSI and FSP interrupt levels are muxed under the same
interrupt number. For coding reasons, an extra IRQ number was
introduced to index register values in an array. It increased the
count of IRQs which do not fit in the PSI IRQ range anymore.

The PSI and FSP interrupts should be modeled with an extra level of
GPIO lines but since QEMU does not support them, simply drop the extra
number to stay within the IRQ range.

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20220323072846.1780212-2-clg@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/spapr/ddw: Add 2M pagesize

Recently the LoPAPR spec got a new 2MB pagesize to support in Dynamic DMA
Windows API (DDW), this adds the new flag.

Linux supports it since
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=38727311871

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-Id: <20220321071945.918669-1-aik@ozlabs.ru>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

ppc/pnv: Update skiboot to v7.0

This is skiboot 7.0 (commit 76b349cf7b40). Built using gcc 11.2.0 and
binutils 2.38.

Changes since the previous version:

Christophe Lombard (15):
      npu2: move opal api
      pau: introduce support
      rainier: detect pau devices
      pau: assign bars
      pau: create phb
      pau: enabling opencapi
      pau: translation layer configuration
      pau: enable interrupt on error
      pau: complete phb ops
      pau: hmi scom dump
      pau: phy init
      pau: link training
      pau: update current opal call functions
      pau: mmio invalidates
      pau: Add support for OpenCAPI Persistent Memory devices.

Cédric Le Goater (4):
      xive/p10: Fix xive_special_cache_check when DEBUG=1
      xive/p10: Fix mismatch errors when DEBUG=1
      interrupts: Do not advertise XICS support on P10
      skiboot v6.6.6 release notes

Frederic Barrat (6):
      phb4/5: Escalate page-level TCE kills
      npu3: Remove GPU support on Swift
      phb5: Remove obsolete capp-related properties
      xive/p10:: Declare xive2 DT node as an interrupt-controller
      skiboot v6.0.24 release notes
      opal-api: Drop diagnostics data type symbol for PHB5

Michael Ellerman (3):
      external/mambo: Print more info when the kernel is too big
      doc: Make it clear all existing platforms use Power9N
      docs: Add Swift, Mowgli & Rainier

Nicholas Piggin (12):
      external/mambo: Updates for POWER10 configuration for DD2.0
      external/mambo: Updates POWER9 SIM_CTRL1 to remove hardware atomic RC
      external/mambo: Add POWER10 small-core mode
      HBRT: fix clobbered r16 when host services handlers are called
      interrupts: add_opal_interrupts avoid NULL dereference on P10 mambo
      cpu: cpu_idle_job SMT priority fix
      cpu: add debug check in cpu_relax
      asm/head: Fix P10 HILE for little endian build
      phb4: annotate tbl_pest with endian types
      Remove support for POWER8 DD1
      phb3: make endian-clean
      flash: AST BMC endian fixes

Nick Child (1):
      secvar: Free md context on hash error

Ryan Grimm (1):
      AWAN simulator support for P10

Vasant Hegde (5):
      ci: Bump qemu version
      hello_world: Add p10 mambo tests
      skiboot v6.7.3 release notes
      skiboot v6.8.1 release notes
      skiboot v7.0 release notes

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

Merge tag 'pull-fixes-for-7.1-200422-1' of https://github.com/stsquad/qemu into staging

Testing, docs and gdbstub updates:

  - make -M virt test exercise -cpu max
  - document how binfmt_misc docker works
  - clean-up the devel TOC generation
  - clean-up check-tcg cross-compile behaviour
  - fix byte swap error in xmm gdbstub access
  - add float_convd test with reference files
  - more reference files for float_convs
  - more cleanly handle gdb crashing during check-tcg

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmJgIgsACgkQ+9DbCVqe
# KkRs3Qf/WnL4YV3l8jO/wEVbls/57aLPk+ak1GuvXJ+iM9gH8Qz6WZxIJIEhhHlu
# ZEixCewahTn8POMMRo4JAr0bRgtfBuh717GerXObiHcS3OuLsGM8rYP2Z1xqKL3L
# 4pR8VqhyUq/Jyl/6MPN5OZB0AdEPIdI5MuflckCeDcFaowpthLjwHao07hG/FU0s
# wQYS7aYTZT33V2Xm6xlePEEMq8YMPCJj00HF3Ljg4eUOmb+C+csFXMQtotsBJRCg
# mC/T2U0IFbrQUkkWJqVmRCPwKraQGDMn6POk298siRWE0kV4BmH8mnmN+/Jxhqgl
# QfFhQrsBxmPPG5TfQhEmlHfQ5EARLQ==
# =8q12
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 20 Apr 2022 08:08:59 AM PDT
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-fixes-for-7.1-200422-1' of https://github.com/stsquad/qemu: (25 commits)
  tests/guest-debug: better handle gdb crashes
  target/i386: fix byte swap issue with XMM register access
  tests/tcg: add missing reference files for float_convs
  tests/tcg: add float_convd test
  tests/tcg: remove duplicate sha512-sse case
  tests/tcg: fix non-static build
  tests/docker: remove SKIP_DOCKER_BUILD
  tests/tcg: isolate from QEMU's config-host.mak
  tests/tcg: invoke Makefile.target directly from QEMU's makefile
  tests/tcg: list test targets in Makefile.prereqs
  tests/tcg: prepare Makefile.prereqs at configure time
  tests/tcg: remove CONFIG_USER_ONLY from config-target.mak
  tests/tcg: remove CONFIG_LINUX_USER from config-target.mak
  tests/tcg: add compiler test variables when using containers
  tests/docker: do not duplicate rules for hexagon-cross
  tests/docker: simplify docker-TEST@IMAGE targets
  tests/docker: remove unnecessary filtering of $(DOCKER_IMAGES)
  tests/docker: inline variable definitions or move close to use
  tests/docker: remove unnecessary default definitions
  tests/docker: remove dead variable
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Merge tag 'pull-block-2022-04-20' of https://gitlab.com/hreitz/qemu into staging

Block patches:
- Some changes for qcow2's refcount repair algorithm to make it work for
  qcow2 images stored on block devices
- Skip test cases that require zstd when support for it is missing
- Some refactoring in the iotests' meson.build

# -----BEGIN PGP SIGNATURE-----
#
# iQJGBAABCAAwFiEEy2LXoO44KeRfAE00ofpA0JgBnN8FAmJf/asSHGhyZWl0ekBy
# ZWRoYXQuY29tAAoJEKH6QNCYAZzfYXUQAKQv5qKQBjU4MTwlS8A4h6B6OJgC1Sik
# 9BB7LO/QFjuuF4vNKpcUlf6i0epxPP8B5pmCjaAolMh6u6wZwL7hHq+SOYXvejTo
# vINW+r097U0qYPkSV+cS6tbW92rYJDD7VxF+34udiWXGjozsBTw/k9DfJaa9Ht66
# 2dw3AxUa4lxN1/ejFzDLx3DNaff+HctLhgVpHeBb0eN2zr2Ug5+ZFgMoiWwU6r6J
# EzTORLAzATerlQVYUkhh4Y/UdVLLw1SzTWOQv5b/NqvaLfKmYsQobSfjC2ajO8XJ
# P2REigcOAij5uWVRf4EY7xoqmADP8pXxuOTzw0hyGNLOLNcXoFbfW45WSPoY+YgH
# EH1TtC4vMsg/MlO/A3PJr9v+SNqxz32cul3MVrY3PuG4Dzz0riy9GhtFUU37igbj
# mR6pP3nSa/f2X4+9B6/UrPjLzusRvc8bvzYqVEnSLABav11npphkYaR9QT1fQUVD
# Zw26igXtmLKUcfop/EqShbhblk0ZLYDTj/Lx7X+thC9OCrK1QgF6qAsIUqiS1iHz
# vwdktRTCofo4ZIT/OCz5QeriJqDz0B7VJ8/4i/uvm2eq8BUsn2mJuyAGD2XtaONV
# rmASrV9VbajdxX5VptjKOOHG6aHtqQlKbyBFog8I4nqVFdjdSMalb++gBMCrPu1A
# 1iZPsOOyz/8+
# =BF0c
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 20 Apr 2022 05:33:47 AM PDT
# gpg:                using RSA key CB62D7A0EE3829E45F004D34A1FA40D098019CDF
# gpg:                issuer "hreitz@redhat.com"
# gpg: Good signature from "Hanna Reitz <hreitz@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CB62 D7A0 EE38 29E4 5F00  4D34 A1FA 40D0 9801 9CDF

* tag 'pull-block-2022-04-20' of https://gitlab.com/hreitz/qemu:
  qcow2: Add errp to rebuild_refcount_structure()
  iotests/108: Test new refcount rebuild algorithm
  qcow2: Improve refcount structure rebuilding
  iotests/303: Check for zstd support
  iotests/065: Check for zstd support
  iotests.py: Add supports_qcow2_zstd_compression()
  tests/qemu-iotests: Move the bash and sanitizer checks to meson.build
  tests/qemu-iotests/meson.build: Improve the indentation

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tests/guest-debug: better handle gdb crashes

There are a number of GDB's on various distros which fail fairly hard
when attempting to talk to a cross-arch guest. The previous attempt to
catch this was incorrect as the shell will deliver signals as 128+n.
Fix the detection and while we are it improve the logging we dump into
the test output.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reported-by: Gautam Agrawal <gautamnagrawal@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-26-alex.bennee@linaro.org>

target/i386: fix byte swap issue with XMM register access

During the conversion to the gdb_get_reg128 helpers the high and low
parts of the XMM register where inadvertently swapped. This causes
reads of the register to report the incorrect value to gdb.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/971
Fixes: b7b8756a9c (target/i386: use gdb_get_reg helpers)
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: qemu-stable@nongnu.org
Message-Id: <20220419091020.3008144-25-alex.bennee@linaro.org>

tests/tcg: add missing reference files for float_convs

We might as well include a reference file for i386/x86_64. I was going
to include s390x as well but it's broken hence I raised:

https://gitlab.com/qemu-project/qemu/-/issues/979.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220419091020.3008144-24-alex.bennee@linaro.org>

tests/tcg: add float_convd test

This is a simple transliteration of the float_convs test but this time
working with doubles. I'm used it to test the handling of vector
registers in gdbstub but wasn't able to find a non-ugly way to
automate it.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-23-alex.bennee@linaro.org>

tests/tcg: remove duplicate sha512-sse case

We already generate the sha512-sse case in the i386 makefile which
works for both i386 and x86_64.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Fixes: f8a4c6d728 ("tests/tcg: add vectorised sha512 versions")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-22-alex.bennee@linaro.org>

tests/tcg: fix non-static build

If linking with -static fails at configure time, -static should not be used
at build time either. Do not include BUILD_STATIC in $config_target_mak.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-18-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-21-alex.bennee@linaro.org>

tests/docker: remove SKIP_DOCKER_BUILD

It is now unused.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-17-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-20-alex.bennee@linaro.org>

tests/tcg: isolate from QEMU's config-host.mak

Do not include variables for the QEMU's own compiler, as they
are not necessarily related to the cross compiler used for tests/tcg.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-16-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-19-alex.bennee@linaro.org>

tests/tcg: invoke Makefile.target directly from QEMU's makefile

Build the "docker.py cc" invocation directly in tests/tcg/configure.sh, and
remove the Makefile.qemu wrapper around Makefile.target. The config-*.mak
files now include the actual variables used when building the tests, rather
than the CROSS_* variables that Makefile.qemu used to "translate".

This is a first step towards generalizing the cross-compilation infrastructure
so that it can be used for firmware as well.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-15-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-18-alex.bennee@linaro.org>

tests/tcg: list test targets in Makefile.prereqs

Omit the rules altogether for targets that do not have a compiler.
Makefile.qemu now is only invoked if the tests are actually built/run.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-14-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-17-alex.bennee@linaro.org>

tests/tcg: prepare Makefile.prereqs at configure time

List the dependencies of the build-tcg-tests-* and run-tcg-tests-*
targets in a Makefile fragment, without going through Makefile.prereqs's
"parsing" of config-*.mak.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-13-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-16-alex.bennee@linaro.org>

tests/tcg: remove CONFIG_USER_ONLY from config-target.mak

Just check the target name instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-12-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-15-alex.bennee@linaro.org>

tests/tcg: remove CONFIG_LINUX_USER from config-target.mak

Just check the target name instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220401141326.1244422-11-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-14-alex.bennee@linaro.org>

tests/tcg: add compiler test variables when using containers

Even for container-based cross compilation use $(CROSS_CC_HAS_*) variables.
This makes the TCG test makefiles oblivious of whether the compiler is
invoked through a container or not.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-10-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-13-alex.bennee@linaro.org>

tests/docker: do not duplicate rules for hexagon-cross

The commands for docker-image-debian-hexagon-cross are the same as those
in debian-toolchain-run, just with a nonstandard path to build-toolchain.sh.
Reuse the definition by renaming the debian-hexagon-cross.docker.d directory.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-9-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-12-alex.bennee@linaro.org>

tests/docker: simplify docker-TEST@IMAGE targets

No need to go through the shell when we already have the test and images at
the point where the targets are declared.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-8-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-11-alex.bennee@linaro.org>

tests/docker: remove unnecessary filtering of $(DOCKER_IMAGES)

Now that DOCKER_IMAGES is only defined after DOCKER_VIRTUAL_IMAGES is
complete, there is no need to re-filter DOCKER_IMAGES against it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-7-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-10-alex.bennee@linaro.org>

tests/docker: inline variable definitions or move close to use

Variables that are defined with ":=" are handled imperatively, so moving
them closer to the first use ensures that all the assignments prior to
the first use are taken into account.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-6-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-9-alex.bennee@linaro.org>

tests/docker: remove unnecessary default definitions

The definition of DOCKER_IMAGES and DOCKER_TESTS copes already with an
empty value of $(IMAGES) and $(TESTS), no need to force them to "%" if
undefined.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-5-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-8-alex.bennee@linaro.org>

tests/docker: remove dead variable

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-4-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-7-alex.bennee@linaro.org>

tests/docker: remove test targets

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-3-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-6-alex.bennee@linaro.org>

tests/docker: remove dead code for linux-user containers

debian-powerpc-user-cross was the only linux-user powered cross builder
and it was removed in commit 80394ccf21 ("tests/docker: remove
debian-powerpc-user-cross", 2019-09-26). Remove all the infrastructure
around it since it is now unused.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-2-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-5-alex.bennee@linaro.org>

docs/devel: drop :hidden: and :includehidden: tags

This was confusing and in the case of qtest was hiding the details of
the qgraph sub-document in the qtest pages.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-4-alex.bennee@linaro.org>

docs/devel: add some notes on the binfmt-image-debian targets

We document some of this on the wiki but lets move it into our
official developer notes documentation.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-3-alex.bennee@linaro.org>

tests/avocado: update aarch64_virt test to exercise -cpu max

The Fedora 29 kernel is quite old and importantly fails when running
in LPA2 scenarios. As it's not really exercising much of the CPU space
replace it with a custom 5.16.12 kernel with all the architecture
options turned on. There is a minimal buildroot initramfs included in
the kernel which has a few tools for stress testing the memory
subsystem. The userspace also targets the Neoverse N1 processor so
would fail with a v8.0 cpu like cortex-a53.

While we are at it move the test into its own file so it can have an
assigned maintainer.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-2-alex.bennee@linaro.org>

Merge tag 'pull-request-2022-04-20' of https://gitlab.com/thuth/qemu into staging

* Drop perl-Test-Harness from the CI containers / VMs
* Some qtest fixes
* Convert ccid doc to restructuredText
* Add compat machines for 7.1
* Allow overwrite smp and memory size in avocado tests

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmJf32MRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbXEHQ//e4S4rlETwKwIQR6SqaOGl9wQr8yPX80r
# V6UFMt+MhTdtItBDa+cDrWY7xkBU3DpIPcfDRfg4P7F/WB5LFaXfYPQHIB28cmkQ
# f5nX4dIVfas/wS+2zk8uvaZEsuv0QiVCKldF2+Z49rE/1UMDfJkHJI+c3MvJToe7
# CPuzR9SL7wfb3gFV5YrDqyZFRtpUurNhQ3j7sfmh+9P+9QVZg118pDI/lE2WIIBT
# HwrB0/keRdgepEv/n+6bwIhf+XRPnKyK8ETRo5vaVaj5BxKDHDVaevNYABp1kBB5
# udyCrEtS4KjPmyNgsMc1ZnIdG2R2pGyRPPYvVUXVpODkAQFoprjTS4yc5Gauqeuj
# EtrDJDnV+EFtZZlnd2T4Uj+ZxTR9suXWF+kJU8R7vXX5Dffu7C7tAw88FqQoG1GR
# mlhtN4fng2PJ/wEZUc+OESVjLUW/3H8yA6rRsbD21gMFaPVxrxc5iXrJoPEWoz1q
# BPbc+1v+lf3PgIDTMokogV0HFaxl8Xoq7T1TaXhQHEbEchfPib55VAHnN7rXKJgs
# eQt7FBqRTCZdFgRnKNZ71NMGdW2suHRk2lpabGPcuGb/bxyJWc6lcdOM8uEMDUlq
# vzAZwbXx3mlGArx7jaGERTrColCgMa0WLbQZ54eP1qCJnqUbzadaIQxmlMaPFWgm
# 2imKnvET5PM=
# =vsLu
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 20 Apr 2022 03:24:35 AM PDT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [undefined]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [undefined]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2022-04-20' of https://gitlab.com/thuth/qemu:
  tests/avocado: Allow overwrite smp and memory size command line options
  hw: Add compat machines for 7.1
  docs/ccid: convert to restructuredText
  tests/qtest: properly initialise the vring used idx
  tests/qtest: Move the fuzz tests to x86 only
  tests/qtest: Enable more tests for the "mipsel" target
  tests: Drop perl-Test-Harness from the CI containers / VMs

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

qcow2: Add errp to rebuild_refcount_structure()

Instead of fprint()-ing error messages in rebuild_refcount_structure()
and its rebuild_refcounts_write_refblocks() helper, pass them through an
Error object to qcow2_check_refcounts() (which will then print it).

Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220405134652.19278-4-hreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>

iotests/108: Test new refcount rebuild algorithm

One clear problem with how qcow2's refcount structure rebuild algorithm
used to be before "qcow2: Improve refcount structure rebuilding" was
that it is prone to failure for qcow2 images on block devices: There is
generally unused space after the actual image, and if that exceeds what
one refblock covers, the old algorithm would invariably write the
reftable past the block device's end, which cannot work.  The new
algorithm does not have this problem.

Test it with three tests:
(1) Create an image with more empty space at the end than what one
    refblock covers, see whether rebuilding the refcount structures
    results in a change in the image file length.  (It should not.)

(2) Leave precisely enough space somewhere at the beginning of the image
    for the new reftable (and the refblock for that place), see whether
    the new algorithm puts the reftable there.  (It should.)

(3) Test the original problem: Create (something like) a block device
    with a fixed size, then create a qcow2 image in there, write some
    data, and then have qemu-img check rebuild the refcount structures.
    Before HEAD^, the reftable would have been written past the image
    file end, i.e. outside of what the block device provides, which
    cannot work.  HEAD^ should have fixed that.
    ("Something like a block device" means a loop device if we can use
    one ("sudo -n losetup" works), or a FUSE block export with
    growable=false otherwise.)

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220405134652.19278-3-hreitz@redhat.com>

qcow2: Improve refcount structure rebuilding

When rebuilding the refcount structures (when qemu-img check -r found
errors with refcount = 0, but reference count > 0), the new refcount
table defaults to being put at the image file end[1].  There is no good
reason for that except that it means we will not have to rewrite any
refblocks we already wrote to disk.

Changing the code to rewrite those refblocks is not too difficult,
though, so let us do that.  That is beneficial for images on block
devices, where we cannot really write beyond the end of the image file.

Use this opportunity to add extensive comments to the code, and refactor
it a bit, getting rid of the backwards-jumping goto.

[1] Unless there is something allocated in the area pointed to by the
    last refblock, so we have to write that refblock.  In that case, we
    try to put the reftable in there.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1519071
Closes: https://gitlab.com/qemu-project/qemu/-/issues/941
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220405134652.19278-2-hreitz@redhat.com>

iotests/303: Check for zstd support

303 runs two test cases, one of which requires zstd support.
Unfortunately, given that this is not a unittest-style test, we cannot
easily skip that single case, and instead can only skip the whole test.

(Alternatively, we could split this test into a zlib and a zstd part,
but that seems excessive, given that this test is not in auto and thus
likely only run by developers who have zstd support compiled in.)

Fixes: 677e0bae686e7c670a71d1f ("iotest 303: explicit compression type")
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <v.sementsov-og@mail.ru>
Message-Id: <20220323105522.53660-4-hreitz@redhat.com>

iotests/065: Check for zstd support

Some test cases run in iotest 065 want to run with zstd compression just
for added coverage. Run them with zlib if there is no zstd support
compiled in.

Reported-by: Thomas Huth <thuth@redhat.com>
Fixes: 12a936171d71f839dc907ff ("iotest 065: explicit compression type")
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220323105522.53660-3-hreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <v.sementsov-og@mail.ru>

iotests.py: Add supports_qcow2_zstd_compression()

Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220323105522.53660-2-hreitz@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <v.sementsov-og@mail.ru>

tests/qemu-iotests: Move the bash and sanitizer checks to meson.build

We want to get rid of check-block.sh in the long run, so let's move
the checks for the bash version and sanitizers from check-block.sh
into the meson.build file instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220223093840.2515281-4-thuth@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>

tests/qemu-iotests/meson.build: Improve the indentation

By using subdir_done(), we can get rid of one level of indentation
in this file. This will make it easier to add more conditions to
skip the iotests in future patches.

Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220223093840.2515281-3-thuth@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>

tests/avocado: Allow overwrite smp and memory size command line options

Removes the hard-coded values in setUp(). Class inheriting from
avocado_qemu.LinuxTest can overwrite the default smp and memory instead.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/453
Signed-off-by: Ahmed Abouzied <email@aabouzied.com>
Message-Id: <20210802222257.50946-1-email@aabouzied.com>
Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

hw: Add compat machines for 7.1

Add 7.1 machine types for arm/i440fx/m68k/q35/s390x/spapr.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20220316145521.1224083-1-cohuck@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Acked-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

docs/ccid: convert to restructuredText

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/527
Signed-off-by: Lucas Ramage <lucas.ramage@infinite-omicron.com>
Message-Id: <20220405142906.21382-1-oxr463@gmx.us>
Reviewed-by: Damien Hedde <damien.hedde@greensocs.com>
[thuth: Added some cosmetic fixes]
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/qtest: properly initialise the vring used idx

Eric noticed while attempting to enable the vhost-user-blk-test for
Aarch64 that that things didn't work unless he put in a dummy
guest_malloc() at the start of the test. Without it
qvirtio_wait_used_elem() would assert when it reads a junk value for
idx resulting in:

  qvirtqueue_get_buf: idx:2401 last_idx:0
  qvirtqueue_get_buf: 0x7ffcb6d3fe74, (nil)
  qvirtio_wait_used_elem: 3000000/0
  ERROR:../../tests/qtest/libqos/virtio.c:226:qvirtio_wait_used_elem: assertion failed (got_desc_idx == desc_idx): (50331648 == 0)
  Bail out! ERROR:../../tests/qtest/libqos/virtio.c:226:qvirtio_wait_used_elem: assertion failed (got_desc_idx == desc_idx): (50331648 == 0)

What was actually happening is the guest_malloc() effectively pushed
the allocation of the vring into the next page which just happened to
have clear memory. After much tedious tracing of the code I could see
that qvring_init() does attempt initialise a bunch of the vring
structures but skips the vring->used.idx value. It is probably not
wise to assume guest memory is zeroed anyway. Once the ring is
properly initialised the hack is no longer needed to get things
working.

Thanks-to: John Snow <jsnow@redhat.com> for helping debug
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220406173356.1891500-1-alex.bennee@linaro.org>
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/qtest: Move the fuzz tests to x86 only

The fuzz tests are currently scheduled for all targets, but their setup
code limits the run to "i386", so that these tests always show "SKIP"
on other targets. Move it to the right x86 list in meson.build, then
we can drop the architecture check during runtime, too.

Message-Id: <20220414130127.719528-1-thuth@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/qtest: Enable more tests for the "mipsel" target

Allow the same set of tests for all MIPS targets, so that "mipsel"
now gets some additional test coverage, too. While we're at it,
simplify the definitions for qtests_mips64 and qtests_mips64el.

Message-Id: <20220414114655.604391-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests: Drop perl-Test-Harness from the CI containers / VMs

The perl test harness is not necessary anymore since commit 3d2f73ef75
("build: use "meson test" as the test harness"). Thus remove it from
tests/lcitool/projects/qemu.yml, run "make lcitool-refresh" and manually
clean the remaining docker / vm files that are not managed by lcitool yet.

Message-Id: <20220329102808.423681-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* Add cpu0-id to query-sev-capabilities
* whpx support for breakpoints and stepping
* initial support for Hyper-V Synthetic Debugging
* use monotonic clock for QemuCond and QemuSemaphore
* Remove qemu-common.h include from most units and lots of other clenaups
* do not include headers for all virtio devices in virtio-ccw.h

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmJXCQAUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroNT6wf+NHDJUEdDiwaVGVTGXgHuiaycsymi
# FpNPiw/+XxSGN5xF3fkUGgqaDrcwIYwVfnXlghKSz8kp1cP3cjxa5CzNMLGTp5je
# N6BxFbD7yC6dhagGm3mj32jlsptv3M38OHqKc3t+RaUAotP5RF2VdCyfUBLG6vU0
# aMzvMfMtB5aG0D8Fr5EV63t1JMTceFU0YxsG73UCFs2Yx4Z0cGBbNxMbHweRhd1q
# tPeVDS46MFPM3/2cGGHpeeqxkoCTU7A9j1VuNQI3k+Kg+6W5YVxiK/UP7bw77E/a
# yAHsmIVTNro8ajMBch73weuHtGtdfFLvCKc6QX6aVjzK4dF1voQ01E7gPQ==
# =rMle
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 13 Apr 2022 10:31:44 AM PDT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [undefined]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (53 commits)
  target/i386: Remove unused XMMReg, YMMReg types and CPUState fields
  target/i386: do not access beyond the low 128 bits of SSE registers
  virtio-ccw: do not include headers for all virtio devices
  virtio-ccw: move device type declarations to .c files
  virtio-ccw: move vhost_ccw_scsi to a separate file
  s390x: follow qdev tree to detect SCSI device on a CCW bus
  hw: hyperv: Initial commit for Synthetic Debugging device
  hyperv: Add support to process syndbg commands
  hyperv: Add definitions for syndbg
  hyperv: SControl is optional to enable SynIc
  thread-posix: optimize qemu_sem_timedwait with zero timeout
  thread-posix: implement Semaphore with QemuCond and QemuMutex
  thread-posix: use monotonic clock for QemuCond and QemuSemaphore
  thread-posix: remove the posix semaphore support
  whpx: Added support for breakpoints and stepping
  build-sys: simplify AF_VSOCK check
  build-sys: drop ntddscsi.h check
  Remove qemu-common.h include from most units
  qga: remove explicit environ argument from exec/spawn
  Move fcntl_setfl() to oslib-posix
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Open 7.1 development tree

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Update version for v7.0.0 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/i386: Remove unused XMMReg, YMMReg types and CPUState fields

In commit b7711471f5 in 2014 we refactored the handling of the x86
vector registers so that instead of separate structs XMMReg, YMMReg
and ZMMReg for representing the 16-byte, 32-byte and 64-byte width
vector registers and multiple fields in the CPU state, we have a
single type (XMMReg, later renamed to ZMMReg) and a single struct
field (xmm_regs). However, in 2017 in commit c97d6d2cdf97ed some of
the old struct types and CPU state fields got added back, when we
merged in the hvf support (which had developed in a separate fork
that had presumably not had the refactoring of b7711471f5), as part
of code handling xsave. Commit f585195ec07 then almost immediately
dropped that xsave code again in favour of sharing the xsave handling
with KVM, but forgot to remove the now unused CPU state fields and
struct types.

Delete the unused types and CPUState fields.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20220412110047.1497190-1-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: do not access beyond the low 128 bits of SSE registers

The i386 target consolidates all vector registers so that instead of
XMMReg, YMMReg and ZMMReg structs there is a single ZMMReg that can
fit all of SSE, AVX and AVX512.

When TCG copies data from and to the SSE registers, it uses the
full 64-byte width. This is not a correctness issue because TCG
never lets guest code see beyond the first 128 bits of the ZMM
registers, however it causes uninitialized stack memory to
make it to the CPU's migration stream.

Fix it by only copying the low 16 bytes of the ZMMReg union into
the destination register.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Update version for v7.0.0-rc4 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

virtio-iommu: use-after-free fix

A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:

> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599     for (;;) {
> ...
> 615         sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616         if (unlikely(sz != sizeof(head))) {
> 617             tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618             goto out;
> 619         }
> ...
> 639             buf = g_malloc0(output_size);
> ...
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
>
> We can fix it by set ‘buf‘ to NULL after freeing it:
>
>
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
> +++ buf = NULL;
> 660     }

Fix as suggested by the reporter.

Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into staging

two cursor/qxl related security fixes.

# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
  ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
  display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.

Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.

Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Update version for v7.0.0-rc3 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

acpi: fix acpi_index migration

vmstate_acpi_pcihp_use_acpi_index() was expecting AcpiPciHpState
as state but it actually received PIIX4PMState, because
VMSTATE_PCI_HOTPLUG is a macro and not another struct.
So it ended up accessing random pointer, which resulted
in 'false' return value and acpi_index field wasn't ever
sent.

However in 7.0 that pointer de-references to value > 0, and
destination QEMU starts to expect the field which isn't
sent in migratioon stream from older QEMU (6.2 and older).
As result migration fails with:
qemu-system-x86_64: Missing section footer for 0000:00:01.3/piix4_pm
qemu-system-x86_64: load of migration failed: Invalid argument

In addition with QEMU-6.2, destination due to not expected
state, also never expects the acpi_index field in migration
stream.

Q35 is not affected as it always sends/expects the field as
long as acpi based PCI hotplug is enabled.

Fix issue by introducing compat knob to never send/expect
acpi_index in migration stream for 6.2 and older PC machine
types and always send it for 7.0 and newer PC machine types.

Diagnosed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Fixes: b32bd76 ("pci: introduce acpi-index property for PCI device")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/932
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

virtio-ccw: do not include headers for all virtio devices

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

virtio-ccw: move device type declarations to .c files

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

virtio-ccw: move vhost_ccw_scsi to a separate file

Remove unecessary use of #ifdef CONFIG_VHOST_SCSI, instead just use a
separate file and a separate rule in meson.build.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

s390x: follow qdev tree to detect SCSI device on a CCW bus

Do not make assumptions on the parent type of the SCSIDevice, instead
use object_dynamic_cast all the way up to the CcwDevice. This is cleaner
because there is no guarantee that the bus is on a virtio-scsi device;
that is only the case for the default configuration of QEMU's s390x
target.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hw: hyperv: Initial commit for Synthetic Debugging device

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-5-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hyperv: Add support to process syndbg commands

SynDbg commands can come from two different flows:
1. Hypercalls, in this mode the data being sent is fully
encapsulated network packets.
2. SynDbg specific MSRs, in this mode only the data that needs to be
transfered is passed.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-4-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hyperv: Add definitions for syndbg

Add all required definitions for hyperv synthetic debugger interface.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-3-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hyperv: SControl is optional to enable SynIc

SynIc can be enabled regardless of the SControl mechanisim which can
register a GSI for a given SintRoute.

This behaviour can achived by setting enabling SIMP and then the guest
will poll on the message slot.

Once there is another message pending the host will set the message slot
with the pending flag.
When the guest polls from the message slot, in case the pending flag is
set it will write to the HV_X64_MSR_EOM indicating it has cleared the
slot and we can try and push our message again.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-2-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

thread-posix: optimize qemu_sem_timedwait with zero timeout

In this case there is no need to call pthread_cond_timedwait; the
function is just a trywait and waiting on the condition variable would
always time out.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

thread-posix: implement Semaphore with QemuCond and QemuMutex

Now that QemuSemaphore is implemented through pthread_cond_t only, we can use
QemuCond and QemuMutex to make the code smaller. Features such as mutex
tracing and CLOCK_MONOTONIC timedwait are supported in qemu-sem naturally.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-4-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

thread-posix: use monotonic clock for QemuCond and QemuSemaphore

Use CLOCK_MONOTONIC, so the timeout isn't affected by changes to
the system time. It depends on the pthread_condattr_setclock(),
while some systems(e.g. mac os) does not support it, so the behavior
won't change in these systems.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-3-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

thread-posix: remove the posix semaphore support

POSIX specifies an absolute time for sem_timedwait(), it would be
affected if the system time is changing, but there is not a relative
time or monotonic clock version of sem_timedwait, so we cannot gain
from POSIX semaphore any more.

An alternative way is to use sem_trywait + usleep, maybe we can
remove CONFIG_SEM_TIMEDWAIT in this way? No, because some systems
(e.g. mac os) mark the sem_xxx API as deprecated.

So maybe remove the usage of POSIX semaphore and turn to use the
pthread variant for all systems looks better.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-2-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

whpx: Added support for breakpoints and stepping

Below is the updated version of the patch adding debugging support to WHPX.
It incorporates feedback from Alex Bennée and Peter Maydell regarding not
changing the emulation logic depending on the gdb connection status.

Instead of checking for an active gdb connection to determine whether QEMU
should intercept the INT1 exceptions, it now checks whether any breakpoints
have been set, or whether gdb has explicitly requested one or more CPUs to
do single-stepping. Having none of these condition present now has the same
effect as not using gdb at all.

Message-Id: <0e7f01d82e9e$00e9c360$02bd4a20$@sysprogs.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

build-sys: simplify AF_VSOCK check

The current test checks more than AF_VSOCK availability, and doesn't
need to be that long.

Since its introduction in Linux in 2013, AF_VSOCK came with
linux/vm_sockets.h for sockaddr_vm, let's check that.

We could even go back to the initial configure-less approach
proposed by Stefan Hajnoczi, since Michael Roth added the configure-time
check back then to satisfy glibc in Ubuntu 14. See:
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg08208.html

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220401115005.2204000-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

build-sys: drop ntddscsi.h check

The header has been part of MinGW-w64 since the introduction of the
project (2007). While on MinGW(32), the legacy project, it was imported
in 2014 from w32api-3.17 (commit e4803e0da2).

According to build-platform.rst and our CI coverage, we only support
building with MinGW-w64 (from Debian/Fedora).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Message-Id: <20220401085106.2167374-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Remove qemu-common.h include from most units

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-33-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

qga: remove explicit environ argument from exec/spawn

Environment is implicitly inherited from the current process "environ"
variable for execl() or g_spawn_sync(), no need to be explicit about it.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220323155743.1585078-31-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Move fcntl_setfl() to oslib-posix

It is only implemented for POSIX anyway.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220323155743.1585078-30-marcandre.lureau@redhat.com>
[Add braces around if statements. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Move CPU softfloat unions to cpu-float.h

The types are no longer used in bswap.h since commit
f930224fffe ("bswap.h: Remove unused float-access functions"), there
isn't much sense in keeping it there and having a dependency on fpu/.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-29-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move page_size_init() to include/hw/core/cpu.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-28-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move os_*() to os-foo.h

For consistency with other os_ functions that do not have POSIX
implementation, declare an inline function for the stub in os-win32.h.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-27-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move qemu_get_vm_name() to sysemu.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-26-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move progress API to qemu-progress.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-25-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move target page bits declaration to page-vary.h

Since the implementation unit is page-vary.c.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220323155743.1585078-24-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move cpu_exec* declarations to cpu-common.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-23-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move C/util-related declarations to cutils.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-22-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move dump_in_progress() to runstate.h

Along with other state tracking functions. Rename it for consistency.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-21-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move coroutine IO functions to coroutine.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-20-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move qemu_pipe() to osdep.h

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-19-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move qemu_write_full() declaration to osdep.h

Closer to other IO functions.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-18-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include: move TFR to osdep.h

The macro requires EINTR, which has its header included in osdep.h.

(Not sure what TFR stands for, perhaps "Test For Retry". Rename it ?)

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-17-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

error-report: use error_printf() for program prefix

For consistency with other calls in the function, let's use
error_printf(). (it will use stderr since !monitor_cur())

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-16-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

util: rename qemu-error.c to match its header name

The header name is more appropriate.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220323155743.1585078-15-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>