aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2017-06-13Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20170608' into ↵Peter Maydell8-5/+50
staging s390x: misc fixes bunch of fixes - reject MIDA accesses for CCWs - cpumodel fixes - cross-build fix for bios - migration improvements # gpg: Signature made Thu 08 Jun 2017 14:10:29 BST # gpg: using RSA key 0x117BBC80B5A61C7C # gpg: Good signature from "Christian Borntraeger (IBM) <borntraeger@de.ibm.com>" # Primary key fingerprint: F922 9381 A334 08F9 DBAB FBCA 117B BC80 B5A6 1C7C * remotes/borntraeger/tags/s390x-20170608: s390x/cpumodel: improve defintion search without an IBC s390x/cpumodel: take care of the cpuid format bit for KVM pc-bios/s390-ccw: use STRIP variable in Makefile s390x/css: fence off MIDA s390x/css: catch section mismatch on load Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-12Merge remote-tracking branch 'remotes/elmarco/tags/char-pull-request' into ↵Peter Maydell5-15/+44
staging # gpg: Signature made Thu 08 Jun 2017 15:12:11 BST # gpg: using RSA key 0xDAE8E10975969CE5 # gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" # gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5 * remotes/elmarco/tags/char-pull-request: test-char: start a /char/serial test chardev: don't use alias names in parse_compat() char: fix alias devices regression Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-12Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' ↵Peter Maydell1-1/+9
into staging # gpg: Signature made Wed 07 Jun 2017 19:55:32 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/tracing-pull-request: simpletrace: Improve the error message if event is not declared Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-12Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into ↵Peter Maydell8-41/+77
staging # gpg: Signature made Wed 07 Jun 2017 19:06:51 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/block-pull-request: configure: split c and cxx extra flags coroutine-lock: do not touch coroutine after another one has been entered .gdbinit: load QEMU sub-commands when gdb starts coccinelle: fix typo in comment oslib: strip trailing '\n' from error_setg() string argument Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-12Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell11-15/+259
Block layer patches # gpg: Signature made Fri 09 Jun 2017 12:47:31 BST # gpg: using RSA key 0x7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: block: fix external snapshot abort permission error block/qcow.c: Fix memory leak in qcow_create() qemu-iotests: Test automatic commit job cancel on hot unplug commit: Fix use after free in completion qemu-iotests: Block migration test migration/block: Clean up BBs in block_save_complete() migration: Inactivate images after .save_live_complete_precopy() block: Fix anonymous BBs in blk_root_inactivate() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-09block: fix external snapshot abort permission errorJeff Cody1-0/+4
In external_snapshot_abort(), we try to undo what was done in external_snapshot_prepare() calling bdrv_replace_node() to swap the nodes back. However, we receive a permissions error as writers are blocked on the old node, which is now the new node backing file. An easy fix (initially suggested by Kevin Wolf) is to call bdrv_set_backing_hd() on the new node, to set the backing node to NULL. Signed-off-by: Jeff Cody <jcody@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-06-09block/qcow.c: Fix memory leak in qcow_create()Peter Maydell1-0/+1
Coverity points out that the code path in qcow_create() for the magic "fat:" backing file name leaks the memory used to store the filename (CID 1307771). Free the memory before we overwrite the pointer. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-06-09qemu-iotests: Test automatic commit job cancel on hot unplugKevin Wolf2-4/+35
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2017-06-09commit: Fix use after free in completionKevin Wolf1-0/+7
The final bdrv_set_backing_hd() could be working on already freed nodes because the commit job drops its references (through BlockBackends) to both overlay_bs and top already a bit earlier. One way to trigger the bug is hot unplugging a disk for which blockdev_mark_auto_del() cancels the block job. Fix this by taking BDS-level references while we're still using the nodes. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2017-06-09qemu-iotests: Block migration testKevin Wolf3-0/+187
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-06-09migration/block: Clean up BBs in block_save_complete()Kevin Wolf1-5/+17
We need to release any block migrations BlockBackends on the source before successfully completing the migration because otherwise inactivating the images will fail (inactivation only tolerates device BBs). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>
2017-06-09migration: Inactivate images after .save_live_complete_precopy()Kevin Wolf1-5/+7
Block migration may still access the image during its .save_live_complete_precopy() implementation, so we should only inactivate the image afterwards. Another reason for the change is that inactivating an image fails when there is still a non-device BlockBackend using it, which includes the BBs used by block migration. We want to give block migration a chance to release the BBs before trying to inactivate the image (this will be done in another patch). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>
2017-06-09block: Fix anonymous BBs in blk_root_inactivate()Kevin Wolf1-1/+1
blk->name isn't an array, but a pointer that can be NULL. Checking for an anonymous BB must involve a NULL check first, otherwise we get crashes. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>
2017-06-08test-char: start a /char/serial testMarc-André Lureau1-0/+29
Quite limited test, to check that the chardev can be created with a path and with the tty alias. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-06-08chardev: don't use alias names in parse_compat()Marc-André Lureau1-2/+2
"parport" is considered "old" since commit 88a946d32d, when "parallel" was added. Similarly for "tty" in commit d59044ef74d. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-06-08char: fix alias devices regressionMarc-André Lureau3-13/+13
Fix regression from commit 4d43a603c71, where the serial and parallel headers got removed from char.c, which broke the alias table. Move the HAVE_CHARDEV_SERIAL/HAVE_CHARDEV_PARPORT to osdep.h instead of being in separate headers. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-06-07Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell63-386/+732
* virtio-scsi use-after-free fix (Fam) * SMM fixes and improvements for TCG (myself, Mihail) * irqchip and AddressSpaceDispatch cleanups and fixes (Peter) * Coverity fix (Stefano) * NBD cleanups and fixes (Vladimir, Eric, myself) * RTC accuracy improvements and code cleanups (Guangrong+Yunfang) * socket error reporting improvement (Daniel) * GDB XML description for SSE registers (Abdallah) * kvmclock update fix (Denis) * SMM memory savings (Gonglei) * -cpu 486 fix (myself) * various bugfixes (Roman, Peter, myself, Thomas) * rtc-test improvement (Guangrong) * migration throttling fix (Felipe) * create docs/ subdirectories (myself) # gpg: Signature made Wed 07 Jun 2017 17:22:07 BST # gpg: using RSA key 0xBFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: (31 commits) docs: create config/, devel/ and spin/ subdirectories cpus: reset throttle_thread_scheduled after sleep kvm: don't register smram_listener when smm is off nbd: make it thread-safe, fix qcow2 over nbd target/i386: Add GDB XML description for SSE registers i386/kvm: do not zero out segment flags if segment is unusable or not present edu: fix memory leak on msi_broken platforms linuxboot_dma: compile for i486 kvmclock: update system_time_msr address forcibly nbd: Fully initialize client in case of failed negotiation sockets: improve error reporting if UNIX socket path is too long i386: fix read/write cr with icount option target/i386: use multiple CPU AddressSpaces target/i386: enable A20 automatically in system management mode virtio-scsi: Unset hotplug handler when unrealize exec: simplify phys_page_find() params nbd/client.c: use errp instead of LOG nbd: add errp to read_sync, write_sync and drop_sync nbd: add errp parameter to nbd_wr_syncv() nbd: read_sync and friends: return 0 on success ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-07docs: create config/, devel/ and spin/ subdirectoriesPaolo Bonzini26-0/+0
Developer documentation should be its own manual. As a start, move all developer-oriented files to a separate directory. Also move non-text files to their own directories: docs/config/ for QEMU -readconfig input, and docs/spin/ for formal models to be used with the SPIN model checker. Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07cpus: reset throttle_thread_scheduled after sleepFelipe Franciosi1-1/+1
Currently, the throttle_thread_scheduled flag is reset back to 0 before sleeping (as part of the throttling logic). Given that throttle_timer (well, any timer) may tick with a slight delay, it so happens that under heavy throttling (ie. close or on CPU_THROTTLE_PCT_MAX) the tick may schedule a further cpu_throttle_thread() work item after the flag reset, but before the previous sleep completed. This results on the vCPU thread sleeping continuously for potentially several seconds in a row. The chances of that happening can be drastically minimised by resetting the flag after the sleep. Signed-off-by: Felipe Franciosi <felipe@nutanix.com> Signed-off-by: Malcolm Crossley <malcolm@nutanix.com> Message-Id: <1495229390-18909-1-git-send-email-felipe@nutanix.com> Acked-by: Jason J. Herne <jjherne@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07kvm: don't register smram_listener when smm is offGonglei2-3/+5
If the user set disable smm by '-machine smm=off', we should not register smram_listener so that we can avoid waster memory in kvm since the added sencond address space. Meanwhile we should assign value of the global kvm_state before invoking the kvm_arch_init(), because pc_machine_is_smm_enabled() may use it by kvm_has_mm(). Signed-off-by: Gonglei <arei.gonglei@huawei.com> Message-Id: <1496316915-121196-1-git-send-email-arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07nbd: make it thread-safe, fix qcow2 over nbdPaolo Bonzini1-21/+9
NBD is not thread safe, because it accesses s->in_flight without a CoMutex. Fixing this will be required for multiqueue. CoQueue doesn't have spurious wakeups but, when another coroutine can run between qemu_co_queue_next's wakeup and qemu_co_queue_wait's re-locking of the mutex, the wait condition can become false and a loop is necessary. In fact, it turns out that the loop is necessary even without this multi-threaded scenario. A particular sequence of coroutine wakeups is happening ~80% of the time when starting a guest with qcow2 image served over NBD (i.e. qemu-nbd --format=raw, and QEMU's -drive option has -format=qcow2). This patch fixes that issue too. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07target/i386: Add GDB XML description for SSE registersAbdallah Bouassida6-6/+146
Add an XML description for SSE registers (XMM+MXCSR) for both X86 and X86-64 architectures in the GDB stub: - configure: Define gdb_xml_files for the X86 targets (32 and 64bit). - gdb-xml/i386-32bit-sse.xml & gdb-xml/i386-64bit-sse.xml: The XML files that contain a description of the XMM + MXCSR registers. - gdb-xml/i386-32bit.xml & gdb-xml/i386-64bit.xml: wrappers that include the XML file of the core registers and the other XML file of the SSE registers. - target/i386/cpu.c: Modify the gdb_core_xml_file to the new XML wrapper, modify the gdb_num_core_regs to fit the registers number defined in each XML file. Signed-off-by: Abdallah Bouassida <abdallah.bouassida@lauterbach.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07i386/kvm: do not zero out segment flags if segment is unusable or not presentRoman Pen1-12/+8
This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt was taken on userspace stack. The root cause lies in the specific AMD CPU behaviour which manifests itself as unusable segment attributes on SYSRET[2]. Here in this patch flags are not touched even segment is unusable or is not present, therefore CPL (which is stored in DPL field) should not be lost and will be successfully restored on kvm/svm kernel side. Also current patch should not break desired behavior described in this commit: 4cae9c97967a ("target-i386: kvm: clear unusable segments' flags in migration") since present bit will be dropped if segment is unusable or is not present. This is the second part of the whole fix of the corresponding problem [1], first part is related to kvm/svm kernel side and does exactly the same: segment attributes are not zeroed out. [1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com [2] Message id: 5d120f358612d73fc909f5bfa47e7bd082db0af0.1429841474.git.luto@kernel.org Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com> Signed-off-by: Mikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Michael Chapman <mike@very.puzzling.org> Cc: qemu-devel@nongnu.org Message-Id: <20170601085604.12980-1-roman.penyaev@profitbricks.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07edu: fix memory leak on msi_broken platformsPaolo Bonzini1-6/+6
If msi_init fails, the thread has already been created and the mutex/condvar are not destroyed. Initialize everything only after the point where pci_edu_realize cannot fail. Reported-by: Markus Armbruster <armbru@redhat.com> Cc: Peter Xu <peterx@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07linuxboot_dma: compile for i486Paolo Bonzini2-0/+1
The ROM uses the cmovne instruction, which is new in Pentium Pro and does not work when running QEMU with "-cpu 486". Avoid producing that instruction. Suggested-by: Richard W.M. Jones <rjones@redhat.com> Suggested-by: Thomas Huth <thuth@redhat.com> Reported-by: Rob Landley <rob@landley.net> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07kvmclock: update system_time_msr address forciblyDenis Plotnikov1-0/+3
Do an update of system_time_msr address every time before reading the value of tsc_timestamp from guest's kvmclock page. There is no other code paths which ensure that qemu has an up-to-date value of system_time_msr. So, force this update on guest's tsc_timestamp reading. This bug causes effect on those nested setups which turn off TPR access interception for L2 guests and that access being intercepted by L0 doesn't show up in L1. Linux bootstrap initiate kvmclock before APIC initializing causing TPR access. That's why on L1 guests, having TPR interception turned on for L2, the effect of the bug is not revealed. This patch fixes this problem by making sure it knows the correct system_time_msr address every time it is needed. Signed-off-by: Denis Plotnikov <dplotnikov@virtuozzo.com> Message-Id: <1496054944-25623-1-git-send-email-dplotnikov@virtuozzo.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07nbd: Fully initialize client in case of failed negotiationEric Blake2-6/+4
If a non-NBD client connects to qemu-nbd, we would end up with a SIGSEGV in nbd_client_put() because we were trying to unregister the client's association to the export, even though we skipped inserting the client into that list. Easy trigger in two terminals: $ qemu-nbd -p 30001 --format=raw file $ nmap 127.0.0.1 -p 30001 nmap claims that it thinks it connected to a pago-services1 server (which probably means nmap could be updated to learn the NBD protocol and give a more accurate diagnosis of the open port - but that's not our problem), then terminates immediately, so our call to nbd_negotiate() fails. The fix is to reorder nbd_co_client_start() to ensure that all initialization occurs before we ever try talking to a client in nbd_negotiate(), so that the teardown sequence on negotiation failure doesn't fault while dereferencing a half-initialized object. While debugging this, I also noticed that nbd_update_server_watch() called by nbd_client_closed() was still adding a channel to accept the next client, even when the state was no longer RUNNING. That is fixed by making nbd_can_accept() pay attention to the current state. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20170527030421.28366-1-eblake@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07sockets: improve error reporting if UNIX socket path is too longDaniel P. Berrange1-22/+46
The 'struct sockaddr_un' only allows 108 bytes for the socket path. If the user supplies a path, QEMU uses snprintf() to silently truncate it when too long. This is undesirable because the user will then be unable to connect to the path they asked for. If the user doesn't supply a path, QEMU builds one based on TMPDIR, but if that leads to an overlong path, it mistakenly uses error_setg_errno() with a stale errno value, because snprintf() does not set errno on truncation. In solving this the code needed some refactoring to ensure we don't pass 'un.sun_path' directly to any APIs which expect NUL-terminated strings, because the path is not required to be terminated. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <20170525155300.22743-1-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07i386: fix read/write cr with icount optionMihail Abakumov1-0/+12
Running Windows with icount causes a crash in instruction of write cr. This patch fixes it. Reading and writing cr cause an icount read because there are called cpu_get_apic_tpr and cpu_set_apic_tpr functions. So, there is need gen_io_start()/gen_io_end() calls. Signed-off-by: Mihail Abakumov <mikhail.abakumov@ispras.ru> Message-Id: <ffb376034ff184f2fcbe93d5317d9e76@ispras.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07target/i386: use multiple CPU AddressSpacesPaolo Bonzini5-55/+47
This speeds up SMM switches. Later on it may remove the need to take the BQL, and it may also allow to reuse code between TCG and KVM. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07target/i386: enable A20 automatically in system management modePaolo Bonzini3-27/+42
Ignore env->a20_mask when running in system management mode. Reported-by: Anthony Xu <anthony.xu@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1494502528-12670-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-07arm_gicv3: Fix ICC_BPR1 reset value when EL3 not implementedPeter Maydell1-5/+1
If EL3 is not implemented (ie only one security state) then the one and only ICC_BPR1 register behaves like the Non-secure ICC_BPR1 in an EL3-present configuration. In particular, its reset value is GIC_MIN_BPR_NS, not GIC_MIN_BPR. Correct the erroneous reset value; this fixes a problem where we might hit the assert added in commit a89ff39ee901. Reported-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 1496849369-30282-1-git-send-email-peter.maydell@linaro.org
2017-06-07configure: split c and cxx extra flagsBruno Dominguez3-37/+44
There was no possibility to add specific cxx flags using the configure file. So A new entrance has been created to support it. Duplication of information in configure and rules.mak. Taking QEMU_CFLAGS and add them to QEMU_CXXFLAGS, now the value of QEMU_CXXFLAGS is stored in config-host.mak, so there is no need for it. The makefile for libvixl was adding flags for QEMU_CXXFLAGS in QEMU_CFLAGS because of the addition in rules.mak. That was removed, so adding them where it should be. Signed-off-by: Bruno Dominguez <bru.dominguez@gmail.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1496754467-20893-1-git-send-email-bru.dominguez@gmail.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20170607' ↵Peter Maydell4-194/+114
into staging migration/next for 20170607 # gpg: Signature made Wed 07 Jun 2017 10:02:01 BST # gpg: using RSA key 0xF487EF185872D723 # gpg: Good signature from "Juan Quintela <quintela@redhat.com>" # gpg: aka "Juan Quintela <quintela@trasno.org>" # Primary key fingerprint: 1899 FF8E DEBF 58CC EE03 4B82 F487 EF18 5872 D723 * remotes/juanquintela/tags/migration/20170607: qemu/migration: fix the double free problem on from_src_file ram: Make RAMState dynamic ram: Use MigrationStats for statistics ram: Move ZERO_TARGET_PAGE inside XBZRLE ram: Call migration_page_queue_free() at ram_migration_cleanup() ram: We only print throttling information sometimes ram: Unfold get_xbzrle_cache_stats() into populate_ram_info() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-07coroutine-lock: do not touch coroutine after another one has been enteredRoman Pen2-2/+22
Submission of requests on linux aio is a bit tricky and can lead to requests completions on submission path: 44713c9e8547 ("linux-aio: Handle io_submit() failure gracefully") 0ed93d84edab ("linux-aio: process completions from ioq_submit()") That means that any coroutine which has been yielded in order to wait for completion can be resumed from submission path and be eventually terminated (freed). The following use-after-free crash was observed when IO throttling was enabled: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f5813dff700 (LWP 56417)] virtqueue_unmap_sg (elem=0x7f5804009a30, len=1, vq=<optimized out>) at virtio.c:252 (gdb) bt #0 virtqueue_unmap_sg (elem=0x7f5804009a30, len=1, vq=<optimized out>) at virtio.c:252 ^^^^^^^^^^^^^^ remember the address #1 virtqueue_fill (vq=0x5598b20d21b0, elem=0x7f5804009a30, len=1, idx=0) at virtio.c:282 #2 virtqueue_push (vq=0x5598b20d21b0, elem=elem@entry=0x7f5804009a30, len=<optimized out>) at virtio.c:308 #3 virtio_blk_req_complete (req=req@entry=0x7f5804009a30, status=status@entry=0 '\000') at virtio-blk.c:61 #4 virtio_blk_rw_complete (opaque=<optimized out>, ret=0) at virtio-blk.c:126 #5 blk_aio_complete (acb=0x7f58040068d0) at block-backend.c:923 #6 coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:78 (gdb) p * elem $8 = {index = 77, out_num = 2, in_num = 1, in_addr = 0x7f5804009ad8, out_addr = 0x7f5804009ae0, in_sg = 0x0, out_sg = 0x7f5804009a50} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 'in_sg' and 'out_sg' are invalid. e.g. it is impossible that 'in_sg' is zero, instead its value must be equal to: (gdb) p/x 0x7f5804009ad8 + sizeof(elem->in_addr[0]) + 2 * sizeof(elem->out_addr[0]) $26 = 0x7f5804009af0 Seems 'elem' was corrupted. Meanwhile another thread raised an abort: Thread 12 (Thread 0x7f57f2ffd700 (LWP 56426)): #0 raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 qemu_coroutine_enter (co=0x7f5804009af0) at qemu-coroutine.c:113 #3 qemu_co_queue_run_restart (co=0x7f5804009a30) at qemu-coroutine-lock.c:60 #4 qemu_coroutine_enter (co=0x7f5804009a30) at qemu-coroutine.c:119 ^^^^^^^^^^^^^^^^^^ WTF?? this is equal to elem from crashed thread #5 qemu_co_queue_run_restart (co=0x7f57e7f16ae0) at qemu-coroutine-lock.c:60 #6 qemu_coroutine_enter (co=0x7f57e7f16ae0) at qemu-coroutine.c:119 #7 qemu_co_queue_run_restart (co=0x7f5807e112a0) at qemu-coroutine-lock.c:60 #8 qemu_coroutine_enter (co=0x7f5807e112a0) at qemu-coroutine.c:119 #9 qemu_co_queue_run_restart (co=0x7f5807f17820) at qemu-coroutine-lock.c:60 #10 qemu_coroutine_enter (co=0x7f5807f17820) at qemu-coroutine.c:119 #11 qemu_co_queue_run_restart (co=0x7f57e7f18e10) at qemu-coroutine-lock.c:60 #12 qemu_coroutine_enter (co=0x7f57e7f18e10) at qemu-coroutine.c:119 #13 qemu_co_enter_next (queue=queue@entry=0x5598b1e742d0) at qemu-coroutine-lock.c:106 #14 timer_cb (blk=0x5598b1e74280, is_write=<optimized out>) at throttle-groups.c:419 Crash can be explained by access of 'co' object from the loop inside qemu_co_queue_run_restart(): while ((next = QSIMPLEQ_FIRST(&co->co_queue_wakeup))) { QSIMPLEQ_REMOVE_HEAD(&co->co_queue_wakeup, co_queue_next); ^^^^^^^^^^^^^^^^^^^^ on each iteration 'co' is accessed, but 'co' can be already freed qemu_coroutine_enter(next); } When 'next' coroutine is resumed (entered) it can in its turn resume 'co', and eventually free it. That's why we see 'co' (which was freed) has the same address as 'elem' from the first backtrace. The fix is obvious: use temporary queue and do not touch coroutine after first qemu_coroutine_enter() is invoked. The issue is quite rare and happens every ~12 hours on very high IO and CPU load (building linux kernel with -j512 inside guest) when IO throttling is enabled. With the fix applied guest is running ~35 hours and is still alive so far. Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 20170601160847.23720-1-roman.penyaev@profitbricks.com Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Fam Zheng <famz@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Cc: Kevin Wolf <kwolf@redhat.com> Cc: qemu-devel@nongnu.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07.gdbinit: load QEMU sub-commands when gdb startsStefan Hajnoczi2-0/+9
The scripts/qemu-gdb.py file is not easily discoverable. Add a .gdbinit file so GDB either loads qemu-gdb.py automatically or prints a message informing the user how to enable them (some systems disable ./.gdbinit loading for security reasons). Symlink .gdbinit and the scripts directory in order to make out-of-tree builds work. The scripts directory is used to find the qemu-gdb.py file specified by a relative path in .gdbinit. Suggested-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Eric Blake <eblake@redhat.com> Message-id: 20170517124042.1430-1-stefanha@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07coccinelle: fix typo in commentPhilippe Mathieu-Daudé1-1/+1
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07oslib: strip trailing '\n' from error_setg() string argumentPhilippe Mathieu-Daudé1-1/+1
spotted by Coccinelle script scripts/coccinelle/err-bad-newline.cocci Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07simpletrace: Improve the error message if event is not declaredJose Ricardo Ziviani1-1/+9
Today, if we use a trace-event file which does not declare an event existing in the log file we'll get the following error: $ scripts/simpletrace.py trace-events trace-68508 Traceback (most recent call last): File "scripts/simpletrace.py", line 242, in <module> run(Formatter()) File "scripts/simpletrace.py", line 217, in run process(events, sys.argv[2], analyzer, read_header=read_header) File "scripts/simpletrace.py", line 192, in process for rec in read_trace_records(edict, log): File "scripts/simpletrace.py", line 107, in read_trace_records rec = read_record(edict, idtoname, fobj) File "scripts/simpletrace.py", line 71, in read_record return get_record(edict, idtoname, rechdr, fobj) File "scripts/simpletrace.py", line 45, in get_record event = edict[name] KeyError: 'qemu_mutex_locked' This patch improves this error by adding a hint instead of just that KeyError log: $ scripts/simpletrace.py trace-events trace-68508 'qemu_mutex_locked' event is logged but is not declared in the trace events file, try using trace-events-all instead. Signed-off-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1496075404-8845-1-git-send-email-joserz@linux.vnet.ibm.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-06-07Merge remote-tracking branch ↵Peter Maydell3-0/+14
'remotes/vivier/tags/m68k-for-2.10-pull-request' into staging # gpg: Signature made Wed 07 Jun 2017 10:29:50 BST # gpg: using RSA key 0xF30C38BD3F2FBE3C # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" # gpg: aka "Laurent Vivier <laurent@vivier.eu>" # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier/tags/m68k-for-2.10-pull-request: target/m68k: implement rtd Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-07Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell3-80/+60
staging # gpg: Signature made Wed 07 Jun 2017 04:29:20 BST # gpg: using RSA key 0xEF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: Revert "Change net/socket.c to use socket_*() functions" again net/rocker: Cleanup the useless return value check Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-07target/m68k: implement rtdLaurent Vivier3-0/+14
Add "Return and Deallocate" (rtd) instruction. RTD #d (SP) -> PC SP + 4 + d -> SP Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Richard Henderson <rth@twiddle.net> Tested-By: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Message-Id: <20170605100014.22981-1-laurent@vivier.eu>
2017-06-07Merge remote-tracking branch 'remotes/rth/tags/pull-s390-20170606' into stagingPeter Maydell11-496/+1553
Queued s390 patches # gpg: Signature made Wed 07 Jun 2017 01:18:29 BST # gpg: using RSA key 0xAD1270CC4DD0279B # gpg: Good signature from "Richard Henderson <rth7680@gmail.com>" # gpg: aka "Richard Henderson <rth@redhat.com>" # gpg: aka "Richard Henderson <rth@twiddle.net>" # Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC 16A4 AD12 70CC 4DD0 279B * remotes/rth/tags/pull-s390-20170606: (70 commits) target/s390x: addressing exceptions are suppressing target/s390x: mark ETF2 and ETF2-ENH facilities as available target/s390x: check alignment in CDSG in the !CONFIG_ATOMIC128 case target/s390x: implement STORE PAIR TO QUADWORD target/s390x: implement LOAD PAIR FROM QUADWORD target/s390x: implement TRANSLATE ONE/TWO TO ONE/TWO target/s390x: implement TEST DECIMAL target/s390x: implement UNPACK UNICODE target/s390x: implement UNPACK ASCII target/s390x: implement PACK UNICODE target/s390x: implement PACK ASCII target/s390x: implement MOVE LONG UNICODE target/s390x: implement COMPARE LOGICAL LONG UNICODE target/s390x: improve MOVE LONG and MOVE LONG EXTENDED target/s390x: fix adj_len_to_page target/s390x: implement COMPARE LOGICAL LONG target/s390x: fix COMPARE LOGICAL LONG EXTENDED target/s390x: improve 24-bit and 31-bit lengths read/write target/s390x: improve 24-bit and 31-bit addresses write target/s390x: improve 24-bit and 31-bit addresses read ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-06-07qemu/migration: fix the double free problem on from_src_fileQingFeng Hao1-1/+0
In load_snapshot, mis->from_src_file is freed twice, the first free is by qemu_fclose, the second is by migration_incoming_state_destroy and it causes Illegal instruction exception. The fix is just to remove the first free. This problem is found by qemu-iotests case 068 since commit "660819b migration: shut src return path unconditionally". The error is: 068 1s ... - output mismatch (see 068.out.bad) --- tests/qemu-iotests/068.out 2017-05-06 01:00:26.417270437 +0200 +++ 068.out.bad 2017-06-03 13:59:55.360274640 +0200 @@ -6,6 +6,8 @@ QEMU X.Y.Z monitor - type 'help' for more information (qemu) savevm 0 (qemu) quit +./common.config: line 107: 242472 Illegal instruction (core dumped) ( if [ -n "${QEMU_NEED_PID}" ]; then + echo $BASHPID > "${QEMU_TEST_DIR}/qemu-${_QEMU_HANDLE}.pid"; +fi; exec "$QEMU_PROG" $QEMU_OPTIONS "$@" ) QEMU X.Y.Z monitor - type 'help' for more information -(qemu) quit -*** done +(qemu) *** done Signed-off-by: QingFeng Hao <haoqf@linux.vnet.ibm.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2017-06-07ram: Make RAMState dynamicJuan Quintela1-23/+35
We create the variable while we are at migration and we remove it after migration. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-06-07ram: Use MigrationStats for statisticsJuan Quintela3-144/+61
RAM Statistics need to survive migration to make info migrate work, so we need to store them outside of RAMState. As we already have an struct with those fields, just used them. (MigrationStats and XBZRLECacheStats). Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com>
2017-06-07ram: Move ZERO_TARGET_PAGE inside XBZRLEJuan Quintela1-5/+6
It was only used by XBZRLE anyways. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com>
2017-06-07ram: Call migration_page_queue_free() at ram_migration_cleanup()Juan Quintela3-5/+3
We shouldn't be using memory later than that. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com>
2017-06-07ram: We only print throttling information sometimesJuan Quintela1-5/+5
Change it to be consistent with everything else. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-06-07ram: Unfold get_xbzrle_cache_stats() into populate_ram_info()Juan Quintela1-18/+11
They were called consecutively always. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>