aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)AuthorFilesLines
2017-04-03xhci: flush dequeue pointer to endpoint contextGerd Hoffmann1-1/+3
When done processing a endpoint ring we must update the dequeue pointer in the endpoint context in guest memory. This is needed to make sure the guest has a correct view of things and also to make live migration work properly, because xhci post_load restores alot of the state from xhci data structures in guest memory. Add xhci_set_ep_state() call to do that. The recursive calls stopped by commit ddb603ab6c981c1d67cb42266fc700c33e5b2d8f had the (unintentional) side effect to hiding this bug. xhci_set_ep_state() was called before processing, to set the state to running, which updated the dequeue pointer too. Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 20170331102521.29253-1-kraxel@redhat.com
2017-03-31Revert "vfio/pci-quirks.c: Disable stolen memory for igd VFIO"Xiong Zhang1-38/+27
This reverts commit c2b2e158cc7b1cb431bd6039824ec13c3184a775. The original patch intend to prevent linux i915 driver from using stolen meory. But this patch breaks windows IGD driver loading on Gen9+, as IGD HW will use stolen memory on Gen9+, once windows IGD driver see zero size stolen memory, it will unload. Meanwhile stolen memory will be disabled in 915 when i915 run as a guest. Signed-off-by: Xiong Zhang <xiong.y.zhang@intel.com> [aw: Gen9+ is SkyLake and newer] Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2017-03-31hw/intc/arm_gicv3_kvm: Check KVM_DEV_ARM_VGIC_GRP_CPU_SYSREGS in resetEric Auger1-6/+11
KVM_DEV_ARM_VGIC_GRP_CPU_SYSREGS needs to be checked before attempting to read ICC_CTLR_EL1; otherwise kernel versions not exposing this kvm device group will be incompatible with qemu 2.9. Fixes: 07a5628 ("hw/intc/arm_gicv3_kvm: Reset GICv3 cpu interface registers") Signed-off-by: Eric Auger <eric.auger@redhat.com> Reported-by: Prakash B <bjsprakash.linux@gmail.com> Tested-by: Alexander Graf <agraf@suse.de> Message-id: 1490721640-13052-1-git-send-email-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-31e1000: disable debug by defaultJason Wang1-1/+1
Disable debug output by default, the information were not needed for release. Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Stefan Hajnoczi <stefanha@gmail.com> Cc: Leonid Bloch <leonid.bloch@ravellosystems.com> Cc: Dmitry Fleytman <dmitry.fleytman@ravellosystems.com> Cc: qemu-stable@nongnu.org Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-03-31virtio-net: avoid call tap_enable when there's only one queueJason Wang1-0/+4
We call tap_enable() even if for multiqueue is not enabled. This is wrong since it should be used for multiqueue codes to enable a disabled queue. Fixing this by only calling this when multiqueue is used. Fixes: 16dbaf905b72 ("tap: support enabling or disabling a queue") Reported-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Tested-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
2017-03-30vhost: generalize iommu memory regionJason Wang1-20/+64
We assumes the iommu_ops were attached to the root region of address space. This may not be true for all kinds of IOMMU implementation and especially after commit 3716d5902d74 ("pci: introduce a bus master container"). So fix this by not assuming as->root has iommu_ops, instead depending on the regions reported by memory listener through: - register a memory listener to dma_as - during region_add, if it's a region of IOMMU, register a specific IOMMU notifier, and store all notifiers in a list. - during region_del, compare and delete the IOMMU notifier from the list This is also a must for making vhost device IOTLB works for all types of IOMMUs. Note, since we register one notifier during each .region_add, the IOTLB may be flushed more than one times, this is suboptimal and could be optimized in the future. Reported-by: Maxime Coquelin <maxime.coquelin@redhat.com> Fixes: 3716d5902d74 ("pci: introduce a bus master container") Cc: Peter Xu <peterx@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Tested-by: Maxime Coquelin <maxime.coquelin@redhat.com>
2017-03-30Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170329' ↵Peter Maydell2-5/+19
into staging ppc patch queue for 2017-03-29 Two more bugfixes of sufficient severity to warrant going into 2.9. # gpg: Signature made Wed 29 Mar 2017 04:33:19 BST # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.9-20170329: spapr: fix memory hot-unplugging spapr: fix buffer-overflow Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-29spapr: fix memory hot-unpluggingLaurent Vivier1-3/+17
If, once the kernel has booted, we try to remove a memory hotplugged while the kernel was not started, QEMU crashes on an assert: qemu-system-ppc64: hw/virtio/vhost.c:651: vhost_commit: Assertion `r >= 0' failed. ... #4 in vhost_commit #5 in memory_region_transaction_commit #6 in pc_dimm_memory_unplug #7 in spapr_memory_unplug #8 spapr_machine_device_unplug #9 in hotplug_handler_unplug #10 in spapr_lmb_release #11 in detach #12 in set_allocation_state #13 in rtas_set_indicator ... If we take a closer look to the guest kernel log, we can see when we try to unplug the memory: pseries-hotplug-mem: Attempting to hot-add 4 LMB(s) What happens: 1- The kernel has ignored the memory hotplug event because it was not started when it was generated. 2- When we hot-unplug the memory, QEMU starts to remove the memory, generates an hot-unplug event, and signals the kernel of the incoming new event 3- as the kernel is started, on the QEMU signal, it reads the event list, decodes the hotplug event and tries to finish the hotplugging. 4- QEMU receive the the hotplug notification while it is trying to hot-unplug the memory. This moves the memory DRC to an invalid state This patch prevents this by not allowing to set the allocation state to USABLE while the DRC is awaiting release. RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1432382 Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-03-29spapr: fix buffer-overflowMarc-André Lureau1-2/+2
Running postcopy-test with ASAN produces the following error: QTEST_QEMU_BINARY=ppc64-softmmu/qemu-system-ppc64 tests/postcopy-test ... ================================================================= ==23641==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1556600000 at pc 0x55b8e9d28208 bp 0x7f1555f4d3c0 sp 0x7f1555f4d3b0 READ of size 8 at 0x7f1556600000 thread T6 #0 0x55b8e9d28207 in htab_save_first_pass /home/elmarco/src/qq/hw/ppc/spapr.c:1528 #1 0x55b8e9d2939c in htab_save_iterate /home/elmarco/src/qq/hw/ppc/spapr.c:1665 #2 0x55b8e9beae3a in qemu_savevm_state_iterate /home/elmarco/src/qq/migration/savevm.c:1044 #3 0x55b8ea677733 in migration_thread /home/elmarco/src/qq/migration/migration.c:1976 #4 0x7f15845f46c9 in start_thread (/lib64/libpthread.so.0+0x76c9) #5 0x7f157d9d0f7e in clone (/lib64/libc.so.6+0x107f7e) 0x7f1556600000 is located 0 bytes to the right of 2097152-byte region [0x7f1556400000,0x7f1556600000) allocated by thread T0 here: #0 0x7f159bb76980 in posix_memalign (/lib64/libasan.so.3+0xc7980) #1 0x55b8eab185b2 in qemu_try_memalign /home/elmarco/src/qq/util/oslib-posix.c:106 #2 0x55b8eab186c8 in qemu_memalign /home/elmarco/src/qq/util/oslib-posix.c:122 #3 0x55b8e9d268a8 in spapr_reallocate_hpt /home/elmarco/src/qq/hw/ppc/spapr.c:1214 #4 0x55b8e9d26e04 in ppc_spapr_reset /home/elmarco/src/qq/hw/ppc/spapr.c:1261 #5 0x55b8ea12e913 in qemu_system_reset /home/elmarco/src/qq/vl.c:1697 #6 0x55b8ea13fa40 in main /home/elmarco/src/qq/vl.c:4679 #7 0x7f157d8e9400 in __libc_start_main (/lib64/libc.so.6+0x20400) Thread T6 created by T0 here: #0 0x7f159bae0488 in __interceptor_pthread_create (/lib64/libasan.so.3+0x31488) #1 0x55b8eab1d9cb in qemu_thread_create /home/elmarco/src/qq/util/qemu-thread-posix.c:465 #2 0x55b8ea67874c in migrate_fd_connect /home/elmarco/src/qq/migration/migration.c:2096 #3 0x55b8ea66cbb0 in migration_channel_connect /home/elmarco/src/qq/migration/migration.c:500 #4 0x55b8ea678f38 in socket_outgoing_migration /home/elmarco/src/qq/migration/socket.c:87 #5 0x55b8eaa5a03a in qio_task_complete /home/elmarco/src/qq/io/task.c:142 #6 0x55b8eaa599cc in gio_task_thread_result /home/elmarco/src/qq/io/task.c:88 #7 0x7f15823e38e6 (/lib64/libglib-2.0.so.0+0x468e6) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/src/qq/hw/ppc/spapr.c:1528 in htab_save_first_pass index seems to be wrongly incremented, unless I miss something that would be worth a comment. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-03-29pci: Add missing drop of bus master AS referenceAlexey Kardashevskiy1-0/+2
The recent introduction of a bus master container added memory_region_add_subregion() into the PCI device registering path but missed memory_region_del_subregion() in the unregistering path leaving a reference to the root memory region of the new container. This adds missing memory_region_del_subregion(). Fixes: 3716d5902d743 ("pci: introduce a bus master container") Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-279pfs: fix file descriptor leakLi Qiang1-0/+8
The v9fs_create() and v9fs_lcreate() functions are used to create a file on the backend and to associate it to a fid. The fid shouldn't be already in-use, otherwise both functions may silently leak a file descriptor or allocated memory. The current code doesn't check that. This patch ensures that the fid isn't already associated to anything before using it. Signed-off-by: Li Qiang <liqiang6-s@360.cn> (reworded the changelog, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
2017-03-27Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell4-67/+32
* MTTCG fix for win32 * virtio-scsi assertion failure * mem-prealloc coverity fix * x86 migration revert which requires more thought * x86 instruction limit (avoids >2 page translation blocks) * nbd dead code cleanup * small memory.c logic fix # gpg: Signature made Mon 27 Mar 2017 17:03:04 BST # gpg: using RSA key 0xBFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: scsi-generic: Fill in opt_xfer_len in INQUIRY reply if it is zero Revert "apic: save apic_delivered flag" nbd: drop unused NBDClientSession.is_unix field win32: replace custom mutex and condition variable with native primitives mem-prealloc: fix sysconf(_SC_NPROCESSORS_ONLN) failure case. tcg/i386: Check the size of instruction being translated virtio-scsi: Fix acquire/release in dataplane handlers virtio-scsi: Make virtio_scsi_acquire/release public clear pending status before calling memory commit Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-27scsi-generic: Fill in opt_xfer_len in INQUIRY reply if it is zeroFam Zheng1-3/+2
When opt_xfer_len is zero, Linux ignores max_xfer_len erroneously. While that obviously should be fixed, we do older guests a favor to always filling in a value. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20170327142625.1249-1-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-27Revert "apic: save apic_delivered flag"Paolo Bonzini1-33/+0
This reverts commit 07bfa354772f2de67008dc66c201b627acff0106. The global variable is only read as part of a apic_reset_irq_delivered(); qemu_irq_raise(s->irq); if (!apic_get_irq_delivered()) { sequence, so the value never matters at migration time. Reported-by: Dr. David Alan Gilbert <dglibert@redhat.com> Cc: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-27cirrus: fix PUTPIXEL macroGerd Hoffmann1-2/+2
Should be "c" not "col". The macro is used with "col" as third parameter everywhere, so this tyops doesn't break something. Fixes: 026aeffcb4752054830ba203020ed6eb05bcaba8 Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1490168303-24588-1-git-send-email-kraxel@redhat.com
2017-03-27virtio-input: fix eventq batchingLadi Prosek1-15/+14
virtio_input_send buffers input events until it sees a SYNC. Then it either sends or drops the entire batch, depending on whether eventq has enough space available. The case to avoid here is partial sends where only part of the batch would get to the guest. Using virtqueue_get_avail_bytes to check the state of eventq was not correct. The queue may have a smaller number of larger buffers available so bytes may be enough but the batch would still not be possible to send, leading to the "Huh? No vq elem available" error. Instead of checking available bytes, this patch optimistically pops buffers from the queue and puts them back in case it runs out of space and the batch needs to be dropped. Signed-off-by: Ladi Prosek <lprosek@redhat.com> Message-id: 1490365490-4854-3-git-send-email-lprosek@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-27virtio-input: free event queue when finalizingLadi Prosek1-2/+4
VirtIOInput.queue was never freed. This commit adds an explicit g_free to virtio_input_finalize and switches the allocation function from realloc to g_realloc in virtio_input_send. Signed-off-by: Ladi Prosek <lprosek@redhat.com> Message-id: 1490365490-4854-2-git-send-email-lprosek@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-24virtio-scsi: Fix acquire/release in dataplane handlersFam Zheng2-17/+30
After the AioContext lock push down, there is a race between virtio_scsi_dataplane_start and those "assert(s->ctx && s->dataplane_started)", because the latter doesn't isn't wrapped in aio_context_acquire. Reproducer is simply booting a Fedora guest with an empty virtio-scsi-dataplane controller: qemu-system-x86_64 \ -drive if=none,id=root,format=raw,file=Fedora-Cloud-Base-25-1.3.x86_64.raw \ -device virtio-scsi \ -device scsi-disk,drive=root,bootindex=1 \ -object iothread,id=io \ -device virtio-scsi-pci,iothread=io \ -net user,hostfwd=tcp::10022-:22 -net nic,model=virtio -m 2048 \ --enable-kvm Fix this by moving acquire/release pairs from virtio_scsi_handle_*_vq to their callers - and wrap the broken assertions in. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20170317061447.16243-3-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-24virtio-scsi: Make virtio_scsi_acquire/release publicFam Zheng1-14/+0
They will be used in virtio-scsi-dataplane.c as well, so move them to header. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20170317061447.16243-2-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-24trace: Avoid abuse of amdvi_mmio_readEric Blake2-2/+2
hw/i386/trace-events has an amdvi_mmio_read trace that is used for both normal reads (listing the register name, address, size, and offset) and for an error case (abusing the register name to show an error message, the address to show the maximum value supported, then shoehorning address and size into the size and offset parameters). The change from a wide address to a narrower size parameter could truncate a (rather-large) bogus read attempt, so it's better to create a separate dedicated trace with correct types, rather than abusing the trace mechanism. Broken since its introduction in commit d29a09c. [Change trace event argument type from hwaddr to uint64_t since user-defined types should not be used for trace events. This fixes a build failure with LTTng UST. --Stefan] Signed-off-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-03-24trace: Fix incorrect megasas trace parametersEric Blake1-3/+3
hw/scsi/trace-events lists cmd as the first parameter for both megasas_iovec_overflow and megasas_iovec_underflow, but the caller was mistakenly passing cmd->iov_size twice instead of the command index. Also, trace_megasas_abort_invalid is called with parameters in the wrong order. Broken since its introduction in commit e8f943c3. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-03-23Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170323' ↵Peter Maydell2-0/+11
into staging ppc patch queue for 2017-03-23 Just a single bugfix in this batch. It's not strictly in ppc code, though it's for the pseries machine's benefit. Eduardo suggested it go through my tree however. # gpg: Signature made Thu 23 Mar 2017 10:09:17 GMT # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.9-20170323: numa,spapr: align default numa node memory size to 256MB Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-22hw/acpi/vmgenid: prevent more than one vmgenid deviceLaszlo Ersek1-0/+8
A system with multiple VMGENID devices is undefined in the VMGENID spec by omission. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Ben Warren <ben@skyportsystems.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com>
2017-03-22hw/acpi/vmgenid: prevent device realization on pre-2.5 machine typesLaszlo Ersek1-0/+14
The WRITE_POINTER linker/loader command that underlies VMGENID depends on commit baf2d5bfbac0 ("fw-cfg: support writeable blobs", 2017-01-12), which in turn depends on fw_cfg DMA. DMA for fw_cfg is enabled in 2.5+ machine types only (see commit e6915b5f3a87, "fw_cfg: unbreak migration compatibility for 2.4 and earlier machines", 2016-02-18). Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Ben Warren <ben@skyportsystems.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Ben Warren <ben@skyportsystems.com <mailto:ben@skyportsystems.com>> Reviewed-by: Igor Mammedov <imammedo@redhat.com>
2017-03-22virtio: always use handle_aio_output if registeredPaolo Bonzini1-1/+12
Commit ad07cd6 ("virtio-scsi: always use dataplane path if ioeventfd is active", 2016-10-30) and 9ffe337 ("virtio-blk: always use dataplane path if ioeventfd is active", 2016-10-30) broke the virtio 1.0 indirect access registers. The indirect access registers bypass the ioeventfd, so that virtio-blk and virtio-scsi now repeatedly try to initialize dataplane instead of triggering the guest->host EventNotifier. Detect the situation by checking vq->handle_aio_output; if it is not NULL, trigger the EventNotifier, which is how the device expects to get notifications and in fact the only thread-safe manner to deliver them. Fixes: ad07cd6 Fixes: 9ffe337 Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-03-22virtio: Fix error handling in virtio_bus_device_pluggedFam Zheng1-3/+17
For one thing we shouldn't continue if an error happened, for the other two steps failing can cause an abort() in error_setg because we reuse the same errp blindly. Add error handling checks to fix both issues. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Andrew Jones <drjones@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-22numa,spapr: align default numa node memory size to 256MBLaurent Vivier2-0/+11
Since commit 224245b ("spapr: Add LMB DR connectors"), NUMA node memory size must be aligned to 256MB (SPAPR_MEMORY_BLOCK_SIZE). But when "-numa" option is provided without "mem" parameter, the memory is equally divided between nodes, but 8MB aligned. This can be not valid for pseries. In that case we can have: $ ./ppc64-softmmu/qemu-system-ppc64 -m 4G -numa node -numa node -numa node qemu-system-ppc64: Node 0 memory size 0x55000000 is not aligned to 256 MiB With this patch, we have: (qemu) info numa 3 nodes node 0 cpus: 0 node 0 size: 1280 MB node 1 cpus: node 1 size: 1280 MB node 2 cpus: node 2 size: 1536 MB Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2017-03-21Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into stagingPeter Maydell2-15/+19
This pull request fixes a potential QEMU hang in 9pfs and two issues reported by Coverity. # gpg: Signature made Tue 21 Mar 2017 09:57:58 GMT # gpg: using DSA key 0x02FC3AEB0101DBC2 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Greg Kurz <groug@free.fr>" # gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>" # gpg: aka "Gregory Kurz (Groug) <groug@free.fr>" # gpg: aka "[jpeg image of size 3330]" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2 * remotes/gkurz/tags/for-upstream: 9pfs: proxy: assert if unmarshal fails 9pfs: don't try to flush self and avoid QEMU hang on reset Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-21add opengl_cflags to QEMU_CFLAGSGerd Hoffmann1-5/+1
... and drop OPENGL_CFLAGS from Makefiles. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1490079888-29029-1-git-send-email-kraxel@redhat.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-219pfs: proxy: assert if unmarshal failsGreg Kurz1-11/+11
Replies from the virtfs proxy are made up of a fixed-size header (8 bytes) and a payload of variable size (maximum 64kb). When receiving a reply, the proxy backend first reads the whole header and then unmarshals it. If the header is okay, it then does the same operation with the payload. Since the proxy backend uses a pre-allocated buffer which has enough room for a header and the maximum payload size, marshalling should never fail with fixed size arguments. Any error here is likely to result from a more serious corruption in QEMU and we'd better dump core right away. This patch adds error checks where they are missing and converts the associated error paths into assertions. This should also address Coverity's complaints CID 1348519 and CID 1348520, about not always checking the return value of proxy_unmarshal(). Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-03-219pfs: don't try to flush self and avoid QEMU hang on resetGreg Kurz1-4/+8
According to the 9P spec [*], when a client wants to cancel a pending I/O request identified by a given tag (uint16), it must send a Tflush message and wait for the server to respond with a Rflush message before reusing this tag for another I/O. The server may still send a completion message for the I/O if it wasn't actually cancelled but the Rflush message must arrive after that. QEMU hence waits for the flushed PDU to complete before sending the Rflush message back to the client. If a client sends 'Tflush tag oldtag' and tag == oldtag, QEMU will then allocate a PDU identified by tag, find it in the PDU list and wait for this same PDU to complete... i.e. wait for a completion that will never happen. This causes a tag and ring slot leak in the guest, and a PDU leak in QEMU, all of them limited by the maximal number of PDUs (128). But, worse, this causes QEMU to hang on device reset since v9fs_reset() wants to drain all pending I/O. This insane behavior is likely to denote a bug in the client, and it would deserve an Rerror message to be sent back. Unfortunately, the protocol allows it and requires all flush requests to suceed (only a Tflush response is expected). The only option is to detect when we have to handle a self-referencing flush request and report success to the client right away. [*] http://man.cat-v.org/plan_9/5/flush Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Greg Kurz <groug@kaod.org>
2017-03-20Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell6-6/+6
fixes for 2.9-rc1, plus removal of -mno-cygwin references # gpg: Signature made Mon 20 Mar 2017 11:25:07 GMT # gpg: using RSA key 0xBFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: hax: fix breakage in locking configure: remove Cygwin xen: do not build backends for targets that do not support xen qemu-ga: obey LISTEN_PID when using systemd socket activation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170320' into stagingPeter Maydell1-124/+38
MIPS patches 2017-03-20 Changes: * Fix clang warnings * Fix delay slot detection in gen_msa_branch() * Fix rc4030 interval timer * Fix rc4030 to tranlate memory accesses only when they occur * Fix 4c4030 a mixed declarations and code warning * Update MAINTAINERS file # gpg: Signature made Mon 20 Mar 2017 12:46:01 GMT # gpg: using RSA key 0x2238EB86D5F797C2 # gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA 2B5C 2238 EB86 D5F7 97C2 * remotes/yongbok/tags/mips-20170320: MAINTAINERS: update for MIPS devices dma/rc4030: fix a mixed declarations and code warning dma/rc4030: translate memory accesses only when they occur dma: rc4030: limit interval timer reload value target/mips: fix delay slot detection in gen_msa_branch() target-mips: replace few LOG_DISAS() with trace points target-mips: replace break by goto cp0_unimplemented target-mips: log bad coprocessor0 register accesses with LOG_UNIMP target-mips: remove old & unuseful comments target-mips: fix compiler warnings (clang 5) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20dma/rc4030: fix a mixed declarations and code warningYongbok Kim1-1/+1
Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com> Reviewed-by: Hervé Poussineau <hpoussin@reactos.org>
2017-03-20dma/rc4030: translate memory accesses only when they occurHervé Poussineau1-122/+36
This simplifies the code a lot, and this fixes big memory leaks introduced in a3d586f704609a45b6037534cb2f34da5dfd8895 Windows NT is now able to boot without using gigabytes of ram on the host. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Yongbok Kim <yongbok.kim@imgtec.com> Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
2017-03-20dma: rc4030: limit interval timer reload valuePrasad J Pandit1-1/+1
The JAZZ RC4030 chipset emulator has a periodic timer and associated interval reload register. The reload value is used as divider when computing timer's next tick value. If reload value is large, it could lead to divide by zero error. Limit the interval reload value to avoid it. Reported-by: Huawei PSIRT <psirt@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Tested-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
2017-03-20Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20170320' into stagingPeter Maydell1-0/+15
One bugfix for device plug/unplug and migration in the channel subsystem code. # gpg: Signature made Mon 20 Mar 2017 08:45:59 GMT # gpg: using RSA key 0xDECF6B93C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF * remotes/cohuck/tags/s390x-20170320: s390x/css: reassign subchannel if schid is changed after migration Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20Merge remote-tracking branch 'remotes/kraxel/tags/pull-fixes-20170320-1' ↵Peter Maydell1-1/+1
into staging fixes for 2.9: vnc, cirrus, tcg display updates. # gpg: Signature made Mon 20 Mar 2017 08:52:34 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/pull-fixes-20170320-1: vnc: fix a qio-channel leak cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 ui/console: ensure graphic updates don't race with TCG vCPUs Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20s390x/css: reassign subchannel if schid is changed after migrationDong Jia Shi1-0/+15
The subchannel is a means to access a device. While the device number is assigned by the administrator, the subchannel number is assigned by the channel subsystem in an ascending order on cold and hot plug. When doing unplug and replug operations, the same device may end up on a different subchannel; for example - We start with a device fe.1.2222, which ends up at subchannel fe.1.0000. - Now we detach the device, attach a device fe.1.3333 (which would get the now-free subchannel fe.1.0000), re-attach fe.1.2222 (which ends up at subchannel fe.1.0001) and detach fe.1.3333. - We now have the same device (fe.1.2222) available to the guest; it just shows up on a different subchannel. In such a case, the subchannel numbers are different from what a QEMU would create during cold plug when parsing the command line. As this would cause a guest visible change on migration, we do restore the source system's value of the subchannel number on load. So we are now fine from the guest perspective. From the host perspective this will cause an inconsistent state in our internal data structures, though. For example, the subchannel 0 might not be at array position 0. This will lead to problems when we continue doing hot (un/re) plug operations. Let's fix this by cleaning up our internal data structures. Reported-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com> Cc: qemu-stable@nongnu.org Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-03-19xen: do not build backends for targets that do not support xenStefano Stabellini6-6/+6
Change Makefile.objs to use CONFIG_XEN instead of CONFIG_XEN_BACKEND, so that the Xen backends are only built for targets that support Xen. Set CONFIG_XEN in the toplevel Makefile to ensure that files that are built only once pick up Xen support properly. Signed-off-by: Stefano Stabellini <stefano@aporeto.com> Tested-by: Greg Kurz <groug@kaod.org> Reviewed-by: Greg Kurz <groug@kaod.org> CC: pbonzini@redhat.com CC: peter.maydell@linaro.org CC: rth@twiddle.net CC: stefanha@redhat.com Message-Id: <1489694518-16978-1-git-send-email-sstabellini@kernel.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-18nios2: iic: Convert CPU prop to qom linkMarek Vasut2-9/+7
Add a const qom link between the CPU and the IIC instead of passing the CPU link through a qom property. Signed-off-by: Marek Vasut <marex@denx.de> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-id: 20170317210627.23532-1-marex@denx.de Cc: Alexander Graf <agraf@suse.de> Cc: Chris Wulff <crwulff@gmail.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Jeff Da Silva <jdasilva@altera.com> Cc: Ley Foon Tan <lftan@altera.com> Cc: Markus Armbruster <armbru@redhat.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Sandra Loosemore <sandra@codesourcery.com> Cc: Yves Vandervennet <yvanderv@altera.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-18Merge remote-tracking branch 'remotes/xtensa/tags/20170317-xtensa' into stagingPeter Maydell1-0/+9
target/xtensa fixes for 2.9: - fix build failure when FDT support is not enabled; - correctly pass command line arguments to semihosting guests. # gpg: Signature made Fri 17 Mar 2017 18:14:01 GMT # gpg: using RSA key 0x51F9CC91F83FA044 # gpg: Good signature from "Max Filippov <filippov@cadence.com>" # gpg: aka "Max Filippov <max.filippov@cogentembedded.com>" # gpg: aka "Max Filippov <jcmvbkbc@gmail.com>" # Primary key fingerprint: 2B67 854B 98E5 327D CDEB 17D8 51F9 CC91 F83F A044 * remotes/xtensa/tags/20170317-xtensa: target/xtensa: fix semihosting argc/argv implementation target/xtensa: xtfpga: load DTB only when FDT support is enabled Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-17cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16Gerd Hoffmann1-1/+1
The switch from pointers to addresses (commit 026aeffcb4752054830ba203020ed6eb05bcaba8 and ffaf857778286ca54e3804432a2369a279e73aa7) added a off-by-one bug to 16bit backward blits. Fix. Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Li Qiang <liqiang6-s@360.cn> Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com
2017-03-16Merge remote-tracking branch 'remotes/kraxel/tags/pull-cirrus-20170316-1' ↵Peter Maydell3-171/+251
into staging cirrus: blitter fixes. # gpg: Signature made Thu 16 Mar 2017 09:05:22 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/pull-cirrus-20170316-1: cirrus: stop passing around src pointers in the blitter cirrus: stop passing around dst pointers in the blitter cirrus: fix cirrus_invalidate_region cirrus: add option to disable blitter cirrus: switch to 4 MB video memory by default cirrus/vnc: zap bitblit support from console code. fix :cirrus_vga fix OOB read case qemu Segmentation fault # Conflicts: # include/hw/compat.h Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-16Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell5-0/+66
virtio, pci: fixes More fixes missed in the previous pull request. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Thu 16 Mar 2017 02:29:49 GMT # gpg: using RSA key 0x281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: virtio-serial-bus: Delete timer from list before free it hw/virtio: fix Power Management Control Register for PCI Express virtio devices hw/virtio: fix Link Control Register for PCI Express virtio devices hw/virtio: fix error enabling flags in Device Control register hw/pcie: fix Extended Configuration Space for devices with no Extended Capabilities Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-16cirrus: stop passing around src pointers in the blitterGerd Hoffmann3-54/+93
Does basically the same as "cirrus: stop passing around dst pointers in the blitter", just for the src pointer instead of the dst pointer. For the src we have to care about cputovideo blits though and fetch the data from s->cirrus_bltbuf instead of vga memory. The cirrus_src*() helper functions handle that. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com
2017-03-16cirrus: stop passing around dst pointers in the blitterGerd Hoffmann3-125/+153
Instead pass around the address (aka offset into vga memory). Calculate the pointer in the rop_* functions, after applying the mask to the address, to make sure the address stays within the valid range. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
2017-03-16cirrus: fix cirrus_invalidate_regionGerd Hoffmann1-3/+3
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid. Fix calculation to make sure to allow that, otherwise the assert added by commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3 can trigger for valid blits. Test case: boot windows nt 4.0 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
2017-03-16cirrus: add option to disable blitterGerd Hoffmann1-0/+9
Ok, we have this beast in the cirrus code which is not used at all by modern guests, except when you try to find security holes in qemu. So, add an option to disable blitter altogether. Guests released within the last ten years should not show any rendering issues if you turn off blitter support. There are no known bugs in the cirrus blitter code. But in the past we hoped a few times already that we've finally nailed the last issue. So having some easy way to mitigate in case yet another blitter issue shows up certainly makes me sleep a bit better at night. For completeness: The by far better way to mitigate is to switch away from cirrus and use stdvga instead. Or something more modern like virtio-vga in case your guest has support for it. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1489494540-15745-1-git-send-email-kraxel@redhat.com
2017-03-16cirrus: switch to 4 MB video memory by defaultGerd Hoffmann1-2/+2
Quoting cirrus source code: Follow real hardware, cirrus card emulated has 4 MB video memory. Also accept 8 MB/16 MB for backward compatibility. So just use 4MB by default. We decided to leave that at 8MB by default a while ago, for live migration compatibility reasons. But we have compat properties to handle that, so that isn't a compeling reason. This also removes some sanity check inconsistencies in the cirrus code. Some places check against the allocated video memory, some places check against the 4MB physical hardware has. Guest code can trigger asserts because of that. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1489494514-15606-1-git-send-email-kraxel@redhat.com