Re: [Qemu-devel] [V15 3/4] hw/i386: Introduce AMD IOMMU

2016-08-08 Thread Peter Xu
On Tue, Aug 02, 2016 at 11:39:06AM +0300, David Kiarie wrote:

[...]

> +/* invalidate internal caches for devid */
> +typedef struct QEMU_PACKED {
> +#ifdef HOST_WORDS_BIGENDIAN
> +uint64_t devid;/* device to invalidate   */
> +uint64_t reserved_1:44;
> +uint64_t type:4;   /* command type   */
> +#else
> +uint64_t devid;
> +uint64_t reserved_1:44;
> +uint64_t type:4;
> +#endif /* __BIG_ENDIAN_BITFIELD */

Guess you forgot to reverse the order of fields in one of above block.

[...]

> +/* load adddress translation info for devid into translation cache */
> +typedef struct QEMU_PACKED {
> +#ifdef HOST_WORDS_BIGENDIAN
> +uint64_t type:4;  /* command type   */
> +uint64_t reserved_2:8;
> +uint64_t pasid_19_0:20;
> +uint64_t pfcount_7_0:8;
> +uint64_t reserved_1:8;
> +uint64_t devid;   /* related devid  */
> +#else
> +uint64_t devid;
> +uint64_t reserved_1:8;
> +uint64_t pfcount_7_0:8;
> +uint64_t pasid_19_0:20;
> +uint64_t reserved_2:8;
> +uint64_t type:4;
> +#endif /* __BIG_ENDIAN_BITFIELD */

For this one, "devid" looks like a 16 bits field?

[...]

> +/* issue a PCIe completion packet for devid */
> +typedef struct QEMU_PACKED {
> +#ifdef HOST_WORDS_BIGENDIAN
> +uint32_t devid;   /* related devid  */
> +uint32_t reserved_1;
> +#else
> +uint32_t reserved_1;
> +uint32_t devid;
> +#endif /* __BIG_ENDIAN_BITFIELD */

Here I am not sure we need this "#ifdef".

[...]

> +/* external write */
> +static void amdvi_writew(AMDVIState *s, hwaddr addr, uint16_t val)
> +{
> +uint16_t romask = lduw_le_p(>romask[addr]);
> +uint16_t w1cmask = lduw_le_p(>w1cmask[addr]);
> +uint16_t oldval = lduw_le_p(>mmior[addr]);
> +stw_le_p(>mmior[addr], (val & ~(val & w1cmask)) | (romask & oldval));

I think the above is problematic, e.g., what if we write 1 to one of
the romask while it's 0 originally? In that case, the RO bit will be
written to 1.

Maybe we need:

  stw_le_p(>mmior[addr], ((oldval & romask) | (val & ~romask)) & \
(val & w1cmask));

Same question to the below two functions.

> +}
> +
> +static void amdvi_writel(AMDVIState *s, hwaddr addr, uint32_t val)
> +{
> +uint32_t romask = ldl_le_p(>romask[addr]);
> +uint32_t w1cmask = ldl_le_p(>w1cmask[addr]);
> +uint32_t oldval = ldl_le_p(>mmior[addr]);
> +stl_le_p(>mmior[addr], (val & ~(val & w1cmask)) | (romask & oldval));
> +}
> +
> +static void amdvi_writeq(AMDVIState *s, hwaddr addr, uint64_t val)
> +{
> +uint64_t romask = ldq_le_p(>romask[addr]);
> +uint64_t w1cmask = ldq_le_p(>w1cmask[addr]);
> +uint32_t oldval = ldq_le_p(>mmior[addr]);
> +stq_le_p(>mmior[addr], (val & ~(val & w1cmask)) | (romask & oldval));
> +}
> +
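Review bot: in amdvi_writeq, oldval is declared uint32_t but is loaded with ldq_le_p, so the upper 32 bits of the old register value are discarded before the read-only mask is applied and any RO bit above bit 31 is silently cleared by every write; declare it uint64_t like romask and w1cmask. The merge expression itself has the RO-bit problem already raised for amdvi_writew above.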
> +/* OR a 64-bit register with a 64-bit value */
> +static bool amdvi_orq(AMDVIState *s, hwaddr addr, uint64_t val)

Nit: This function name gives me an illusion that it's a write op, not
read. IMHO it'll be better we directly use amdvi_readq() for all the
callers of this function, which is more clear to me.

> +{
> +return amdvi_readq(s, addr) | val;
> +}
> +
> +/* OR a 64-bit register with a 64-bit value storing result in the register */
> +static void amdvi_orassignq(AMDVIState *s, hwaddr addr, uint64_t val)
> +{
> +amdvi_writeq_raw(s, addr, amdvi_readq(s, addr) | val);
> +}
> +
> +/* AND a 64-bit register with a 64-bit value storing result in the register 
> */
> +static void amdvi_and_assignq(AMDVIState *s, hwaddr addr, uint64_t val)

Nit: the name is not matched with above:

  amdvi_{or|and}assign[qw]

Though I would prefer:

  amdvi_assign_[qw]_{or|and}

[...]

> +static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
> +{
> +/* event logging not enabled */
> +if (!s->evtlog_enabled || amdvi_orq(s, AMDVI_MMIO_STATUS,
> +AMDVI_MMIO_STATUS_EVT_OVF)) {
> +return;
> +}
> +
> +/* event log buffer full */
> +if (s->evtlog_tail >= s->evtlog_len) {
> +amdvi_orassignq(s, AMDVI_MMIO_STATUS, AMDVI_MMIO_STATUS_EVT_OVF);
> +/* generate interrupt */
> +amdvi_generate_msi_interrupt(s);
> +return;
> +}
> +
> +if (dma_memory_write(_space_memory, s->evtlog_len + 
> s->evtlog_tail,
> +, AMDVI_EVENT_LEN)) {
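Review bot: the early return at the top of amdvi_log_event tests amdvi_orq(), which returns the status register OR'ed with AMDVI_MMIO_STATUS_EVT_OVF; that is non-zero whenever the flag constant is non-zero, so the function always returns before logging anything. The overflow test needs an AND, e.g. `amdvi_readq(s, AMDVI_MMIO_STATUS) & AMDVI_MMIO_STATUS_EVT_OVF`. Separately, the dma_memory_write destination is s->evtlog_len + s->evtlog_tail, the log length plus the tail offset; the write should target the event log's guest base address plus the tail, otherwise the event lands at an address unrelated to the buffer.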

Check with MEMTX_OK?

[...]

> +/*
> + * AMDVi event structure
> + *0:15   -> DeviceID
> + *55:63  -> event type + miscellaneous info
> + *64:127 -> related address
> + */
> +static void amdvi_encode_event(uint64_t *evt, uint16_t devid, uint64_t addr,
> +   uint16_t info)
> +{
> +amdvi_setevent_bits(evt, devid, 0, 16);
> +amdvi_setevent_bits(evt, info, 55, 8);
> +amdvi_setevent_bits(evt, addr, 63, 64);
  ^^
should here be 64?

Also, I am not sure whether we need this amdvi_setevent_bits() if it's
only used in this 
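The read-only / write-1-to-clear merge discussed above can be checked with a small table-driven test. This is an added example for this page, not code from the AMD IOMMU patch or from QEMU: the 16-bit register layout, the mask values and the function names are the example's own. It carries the patch's merge expression beside a corrected one that keeps RO bits from the old value, clears W1C bits only where a 1 is written, and takes the remaining bits from the written value, then searches for a write that changes an RO bit under each. (The replacement expression suggested in the reply above, as quoted, ends in `& (val & w1cmask)`; the corrected helper here expresses the `~(val & w1cmask)` behaviour as separate RO, W1C and RW terms.)

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical 16-bit register layout (not the AMD IOMMU MMIO map):
 * bits 0-3 and 12-15 read/write, bits 4-7 read-only, bits 8-11
 * write-1-to-clear. */
#define RO_MASK   0x00f0u
#define W1C_MASK  0x0f00u

/* The merge as posted in the patch: a write of 1 to a read-only bit that
 * is currently 0 goes through, and a write of 0 to a W1C bit clears it. */
uint16_t merge_as_posted(uint16_t oldval, uint16_t val)
{
    return (uint16_t)((val & ~(val & W1C_MASK)) | (RO_MASK & oldval));
}

/* Corrected merge: RO bits come from the old value; W1C bits keep their
 * old value unless the write has a 1 there; everything else is taken
 * from the written value. */
uint16_t merge_correct(uint16_t oldval, uint16_t val)
{
    uint16_t ro  = oldval & RO_MASK;
    uint16_t w1c = (uint16_t)(oldval & W1C_MASK & ~val);
    uint16_t rw  = (uint16_t)(val & ~(RO_MASK | W1C_MASK));
    return (uint16_t)(ro | w1c | rw);
}

typedef uint16_t (*merge_fn)(uint16_t, uint16_t);

/* Walk every old value with a handful of writes each. With check_w1c == 0
 * the result is 1 as soon as some write changes an RO bit; with
 * check_w1c == 1 the result is 1 only if every W1C bit ends up as
 * old & ~written for every write tried. */
static int scan(merge_fn merge, int check_w1c)
{
    for (unsigned old = 0; old < 0x10000u; old++) {
        const uint16_t vals[] = { 0x0000, 0xffff, RO_MASK, W1C_MASK,
                                  (uint16_t)old, (uint16_t)~old };
        for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
            uint16_t nv = merge((uint16_t)old, vals[i]);
            if (check_w1c) {
                uint16_t want = (uint16_t)(old & W1C_MASK & ~vals[i]);
                if ((nv & W1C_MASK) != want) {
                    return 0;         /* W1C semantics violated */
                }
            } else if ((nv & RO_MASK) != (old & RO_MASK)) {
                return 1;             /* an RO bit moved */
            }
        }
    }
    return check_w1c ? 1 : 0;
}

/* 1 if a guest write can change a read-only bit under this merge. */
int ro_bits_writable(merge_fn merge)
{
    return scan(merge, 0);
}

/* 1 if W1C bits are cleared exactly where a 1 is written, never elsewhere. */
int w1c_semantics_ok(merge_fn merge)
{
    return scan(merge, 1);
}

int main(void)
{
    printf("posted:  RO writable %d, W1C ok %d\n",
           ro_bits_writable(merge_as_posted), w1c_semantics_ok(merge_as_posted));
    printf("correct: RO writable %d, W1C ok %d\n",
           ro_bits_writable(merge_correct), w1c_semantics_ok(merge_correct));
    return 0;
}
```

The scan deliberately includes the writes a hostile guest would try (all ones, the RO mask itself, the complement of the current value) so that a merge that only fails on unusual values is still caught; the same harness can be pointed at a 32- or 64-bit variant by widening the types.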

Re: [Qemu-devel] [PATCH 2/6] target-ppc: Implement darn instruction

2016-08-08 Thread Nikunj A Dadhania
David Gibson  writes:

> [ Unknown signature status ]
> On Mon, Aug 08, 2016 at 07:33:37AM +1000, Benjamin Herrenschmidt wrote:
>> On Sun, 2016-08-07 at 23:06 +0530, Nikunj A Dadhania wrote:
>> > +target_ulong helper_darn(uint32_t l)
>> > +{
>> > +    target_ulong r = UINT64_MAX;
>> > +
>> > +    if (l <= 2) {
>> > +    do {
>> > +    r = random() * random();
>> > +    r &= l ? UINT64_MAX : UINT32_MAX;
>> > +    } while (r == UINT64_MAX);
>> > +    }
>> > +
>> > +    return r;
>> > +}
>> >  #endif
>> 
>> Isn't this a bit weak ? Look at the implementation of H_RANDOM...
>
> Indeed, you should be using the rng backend that H_RANDOM, virtio-rng
> and the Intel random number instruction all use.

I was looking at implementing this, AFAIU, I have to get a new RNG
object in the initialization routine. We would need an instance of this
per machine. So for pseries I can add in ppc_spapr_init(). I am not sure
in case of linux-user where should this be initialized.

One other place was init_proc_POWER9(), but that will be per cpu and
member of CPUPPCState structure. Advantage is it will work for system
emulation and linux-user both and we would not need a lock.

>
> But, worse than that: even if random() was a good RNG, I'm pretty sure
> that although random() * random() will give you a random number with
> twice as many bits as random() alone, it won't be uniformly
> distributed.  That's probably not what you want.

Right, I had seen that issue.

Regards,
Nikunj




Re: [Qemu-devel] [PATCH v7 00/20] block: Image locking series for 2.8

2016-08-08 Thread Fam Zheng
On Mon, 08/08 06:59, no-re...@ec2-52-6-146-230.compute-1.amazonaws.com wrote:
> Checking PATCH 3/20: block: Add and parse "lock-mode" option for image 
> locking...
> ERROR: do not use assignment in if condition
> #80: FILE: blockdev.c:548:
> +if ((buf = qemu_opt_get(opts, BDRV_OPT_LOCK_MODE)) != NULL) {
> 
> total: 1 errors, 0 warnings, 86 lines checked

I intentionally ignored this to be consistent with the several other occasions
in this function.

> 
> Your patch has style problems, please review.  If any of these errors
> are false positives report them to the maintainer, see
> CHECKPATCH in MAINTAINERS.
> 
> Checking PATCH 4/20: block: Introduce image file locking...
> Checking PATCH 5/20: osdep: Add qemu_lock_fd and qemu_unlock_fd...
> Checking PATCH 6/20: raw-posix: Add image locking support...
> Checking PATCH 7/20: qemu-io: Add "-L" option for BDRV_O_NO_LOCK...
> Checking PATCH 8/20: qemu-img: Add "-L" option to sub commands...
> Checking PATCH 9/20: qemu-img: Update documentation of "-L" option...
> Checking PATCH 10/20: qemu-nbd: Add "--no-lock/-L" option...
> Checking PATCH 11/20: block: Don't lock drive-backup target image in none 
> mode...
> Checking PATCH 12/20: qemu-iotests: 046: Move version detection out from 
> verify_io...
> Checking PATCH 13/20: qemu-iotests: Wait for QEMU processes before checking 
> image in 091...
> Checking PATCH 14/20: qemu-iotests: 030: Disable image locking when checking 
> test image...
> Checking PATCH 15/20: iotests: 087: Disable image locking in cases where file 
> is shared...
> Checking PATCH 16/20: iotests: 130: Check image info locklessly...
> ERROR: Invalid UTF-8, patch and commit message should be encoded in UTF-8
> #47: FILE: tests/qemu-iotests/130.out:13:
> +(qemu) q
>  ^
> 
> ERROR: Invalid UTF-8, patch and commit message should be encoded in UTF-8
> #55: FILE: tests/qemu-iotests/130.out:20:
> +(qemu) q
>  ^

And this one seems harmless.

Fam



Re: [Qemu-devel] [PATCH for-2.8 00/18] pc: q35: x2APIC support in kvm_apic mode

2016-08-08 Thread Chao Gao
On Mon, Aug 08, 2016 at 04:57:14PM +0800, Peter Xu wrote:
>On Mon, Aug 08, 2016 at 03:41:23PM +0800, Chao Gao wrote:
>> HI, everyone.
>> 
>> We have done some tests after merging this patch set into the latest qemu
>> master. In kvm aspect, we use the latest kvm linux-next branch. Here are
>> some problems we have met.
>> 
>> 1. We can't boot up a 288 vcpus linux guest with CLI:
>> qemu-system-x86_64 -boot c -m 4096 -sdl -monitor pty --enable-kvm \
>> -M kernel-irqchip=split -serial stdio -bios bios.bin -smp cpus=288 \
>> -hda vdisk.img -device intel-iommu,intremap=on -machine q35.
>> The problem exists, even after we only assign 32 vcpus to the linux guest.
>> Maybe the output "do_IRQ: 146.113 No irq handler for vector (irq -1)" is a 
>> clue.
>> The output of qemu and kernel is in attachments. Do you have any idea
>> about the problem and how to solve it?
>
>IIUC, we need to wait for Radim's QEMU patches to finally enable 288
>vcpus?
>
>Btw, could you please try adding this to the QEMU cmdline when testing
>with 32 vcpus:
>
>  -global ioapic.version=0x20
>
>I see that you were running RHEL 7.2 guest with a default e1000. In
>that case, we may need to boost ioapic version to 0x20.

It doesn't work. My host machine has 16 cpus. When I assign 4 or 8 vcpus to the
guest, or 255 vcpus but set "kernel-irqchip=off", the guest works well. Maybe when
irqchip is in kernel, intremap can only handle situations where the vcpu number is
less than the physical cpus'. Do you think it's right?

Thanks,
-Chao



Re: [Qemu-devel] [Qemu-ppc] [PATCH] adb: change handler only when recognized

2016-08-08 Thread Benjamin Herrenschmidt
On Tue, 2016-08-09 at 03:31 +0200, BALATON Zoltan wrote:
> 
> > Because PowerBooks do (or rather a PMU-simulation of ADB) and MacOS
> > doesn't care. If ADB is in the device-tree, it will use it. It makes
> > things easier to support multiple combinations especially when
> > "comparing" things for debug.
> > 
> > Additionally, USB doesn't work well in OpenBIOS at this point ;-)
> 
> In what way? Keyboard works. What else is needed?

Doesn't work for me half of the time, I haven't dug into why yet.

> > Also, I have some evil plan to change the way ADB autopoll works in
> > Qemu so that the devices signal the PMU when they want to talk. That
> > will avoid having yet another 30-something HZ timer ticking in qemu,
> > and in that regard will probably be more efficient (read: slows down
> > the emulator less) than OHCI.
> 
> OK, this is a really nice thing and justifies having an ADB bus. (This 
> would also likely fix mouse problems seen by others.)

Possibly ;-) The tracking in OS 9 at least is still done by a timer
inside MacOS itself. With my latest ndrv it's running at 30Hz. I'm
looking at maybe doing some kind of paravirt hack to make it adaptive
on whether there is actual movement on the cursor, but that's for later.

> > Why not ?
> 
> Just thought emulating all the additional details for Powerbook power 
> management might be difficult. But if you're willing to go there I won't 
> stop you. :-) Obviously you understand this very well so maybe it's not 
> that difficult for you.

Well, I wrote most of the corresponding Linux code so it's mostly a matter
of swapping that knowledge back into my brain from lossy long term storage
and finding all the MacOS 9 bugs along the way :-)

> > > 
> > >  Here's an (untested) patch for
> > > switching to using USB keyboard and mouse instead of ADB unless USB is 
> > > disabled. (The device tree should be changed accordingly in OpenBIOS.) 
> > > Not 
> > > sure if this is helpful.
> > 
> > Don't bother just yet, as I said, I am reworking all of that code. I will
> > probably just create various -machine options so you can choose what bits
> > and pieces you want to put together, ie, CUDA, PMU, with or without ADB,
> > which machine model string to expose to the OS etc...
> 
> Cool, looking forward to it. Thanks for all the great stuff you did for 
> this and keep it up.

Cheers,
Ben.




Re: [Qemu-devel] [PATCH 5/5] ppc: Improve generation of conditional traps

2016-08-08 Thread Benjamin Herrenschmidt
On Tue, 2016-08-09 at 12:07 +1000, David Gibson wrote:
> On Sun, Jul 31, 2016 at 03:13:13PM +1000, Benjamin Herrenschmidt
> wrote:
> > 
> > Translate most conditions to TCG conditions and avoid the helper
> > for most of the common cases.
> > 
> > Signed-off-by: Benjamin Herrenschmidt 
> > ---
> >  target-ppc/translate.c | 168
> > ++---
> >  1 file changed, 132 insertions(+), 36 deletions(-)
> 
> I've merged 1-4 of this series into ppc-for-2.8.  I'm not really
> clear
> whether a change is still needed on patch 5, so please resend either
> way.

What you merged works fine. Richard's suggestions are refinements
I can do separately and apply on top.

Cheers,
Ben.




[Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread chaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu 
Signed-off-by: chaojianhu 

---
 hw/net/xilinx_ethlite.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..35de353 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t 
*buf, size_t size)
 }
 
 D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+D(qemu_log("ethlite packet is too big, size=%x\n", size));
+return -1;
+}
 memcpy(>regs[rxbase + R_RX_BUF0], buf, size);
 
 s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
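Review bot: the qemu_log call in the new check formats size, a size_t, with %x; use %zx (the log line just above already uses %zd for the same value), otherwise the debug build passes a wrong-width argument. The bound itself is the space from the selected buffer to R_MAX, i.e. the rest of the register file, so it does stop the copy overrunning regs[] but still lets a packet larger than a single RX buffer overwrite the control word at rxbase + R_RX_CTRL0 and whatever follows it inside regs[]; bounding size by the length of one RX buffer would keep the packet inside the buffer it was addressed to.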
-- 
1.9.1
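The pattern the patch applies, checking the packet length against the space left in a fixed register file before memcpy, is shown below as an added example written for this page; it models the RX path with its own layout constants and is not the xilinx_ethlite.c code. The register file size, the buffer and control-word offsets and the two rxbase values are the example's assumptions (the names follow the patch); only the remaining-space formula from the patch is reproduced. A stricter variant bounded by one buffer is placed beside it, with a probe that shows the difference between the two bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed register map for this example (word offsets into regs[]):
 * an RX buffer starts at R_RX_BUF0, its control word sits at R_RX_CTRL0,
 * a second buffer is selected by rxbase == RX_BUF1_BASE, and R_MAX is
 * the number of 32-bit registers. Names follow the patch; the values are
 * the example's own. */
#define R_RX_BUF0     (0x1000 / 4)
#define R_RX_CTRL0    (0x17fc / 4)
#define R_MAX         (0x2000 / 4)
#define RX_BUF1_BASE  (0x800 / 4)
#define CTRL_S        0x1u

typedef struct {
    uint32_t regs[R_MAX];
} EthLiteState;

/* Bytes from the start of the selected RX buffer to the end of regs[]:
 * the bound the patch checks, guarded so the subtraction cannot wrap. */
size_t rx_space_bytes(unsigned rxbase)
{
    if (rxbase > (unsigned)(R_MAX - R_RX_BUF0)) {
        return 0;
    }
    return (size_t)(R_MAX - R_RX_BUF0 - rxbase) * 4;
}

/* Bytes inside one RX buffer, up to (not including) its control word. */
size_t rx_buf_bytes(void)
{
    return (size_t)(R_RX_CTRL0 - R_RX_BUF0) * 4;
}

/* Shared receive path: copy only when size fits within `limit`. Returns
 * bytes accepted or -1 when the packet is dropped. */
static int eth_rx_bounded(EthLiteState *s, unsigned rxbase,
                          const uint8_t *buf, size_t size, size_t limit)
{
    if (rxbase != 0 && rxbase != RX_BUF1_BASE) {
        return -1;                    /* not a valid buffer selector */
    }
    if (size > limit) {
        return -1;                    /* would overrun: drop the packet */
    }
    memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
    s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
    return (int)size;
}

/* The patch's bound: keeps the copy inside regs[] (no heap overflow) but
 * still lets a packet larger than one buffer overwrite the control word
 * and whatever follows it inside regs[]. */
int eth_rx_checked(EthLiteState *s, unsigned rxbase,
                   const uint8_t *buf, size_t size)
{
    return eth_rx_bounded(s, rxbase, buf, size, rx_space_bytes(rxbase));
}

/* Tighter bound: the packet must fit in the buffer proper. */
int eth_rx_strict(EthLiteState *s, unsigned rxbase,
                  const uint8_t *buf, size_t size)
{
    return eth_rx_bounded(s, rxbase, buf, size, rx_buf_bytes());
}

static uint8_t pkt[R_MAX * 4];        /* constructed packet, filled with 0xa5 */

/* Deliver one packet of `size` bytes to a fresh device through the chosen
 * handler (strict != 0 selects eth_rx_strict). */
int try_rx(unsigned rxbase, size_t size, int strict)
{
    static EthLiteState s;
    memset(&s, 0, sizeof s);
    memset(pkt, 0xa5, sizeof pkt);
    if (size > sizeof pkt) {
        return -2;
    }
    return strict ? eth_rx_strict(&s, rxbase, pkt, size)
                  : eth_rx_checked(&s, rxbase, pkt, size);
}

/* 1 if a packet accepted by the patch's bound overwrote the buffer-0
 * control word with packet bytes, 0 otherwise. */
int ctrl_word_clobbered(size_t size)
{
    static EthLiteState s;
    memset(&s, 0, sizeof s);
    memset(pkt, 0xa5, sizeof pkt);
    if (size > sizeof pkt || eth_rx_checked(&s, 0, pkt, size) < 0) {
        return 0;
    }
    return (s.regs[R_RX_CTRL0] & ~CTRL_S) != 0;
}

int main(void)
{
    printf("space from buffer 0: %zu, buffer 1: %zu, one buffer: %zu\n",
           rx_space_bytes(0), rx_space_bytes(RX_BUF1_BASE), rx_buf_bytes());
    printf("4096-byte packet: patch bound %d, strict %d, ctrl clobbered %d\n",
           try_rx(0, 4096, 0), try_rx(0, 4096, 1), ctrl_word_clobbered(4096));
    printf("4097-byte packet: patch bound %d\n", try_rx(0, 4097, 0));
    return 0;
}
```

Under the assumed layout a 4096-byte packet addressed to buffer 0 passes the patch's check and stays inside regs[], yet overwrites the control word and the second buffer; the strict bound rejects it while still accepting a maximum-size frame.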




Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread Jason Wang



On 2016年08月09日 10:24, chaojianhu wrote:

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu 


Patch looks correct. But as reported, please add Signed-off-by with your 
name and repost.


Thanks



---
  hw/net/xilinx_ethlite.c | 4 
  1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..6d3eecc 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t 
*buf, size_t size)
  }
  
  D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));

+if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {
+D(qemu_log("ethlite packet is too big, size=%x\n", size);
+return -1;
+}
  memcpy(>regs[rxbase + R_RX_BUF0], buf, size);
  
  s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
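Review bot: the D(qemu_log(...)) line in this version of the patch is missing the closing parenthesis of the qemu_log() call, so it does not compile when D() is enabled; the copy posted in the original message has it. As there, size is a size_t and should be formatted with %zx rather than %x.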





[Qemu-devel] Fwd: Virtio related trace events.

2016-08-08 Thread Gadre Nayan
I am unable to get the virtio related events in either the
guest or the host.

My understanding is that in the Guest OS, I will have a virtio-blk
which is the driver, the device is the virtio-transport or the
virtio-queue, then the virtio-queue will raise a kick to then dispatch
the block request to the Host kernel block sub system.

So where will be the virtio, virtqueue events be seen in the traces,
in guest or in host ?

I have a guest and host where the following events are registered:

echo 1 > kvm/enable [ this event is enabled Only on Host, rest are on
both guest and host]
echo 1 > block/enable
echo 1 > scsi/enable

echo virtqueue_kick_prepare > /sys/kernel/debug/tracing/set_ftrace_filter
echo virtqueue_kick >> /sys/kernel/debug/tracing/set_ftrace_filter
echo scsi_kick_queue >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_match >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_config_changed >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_uevent >> /sys/kernel/debug/tracing/set_ftrace_filter
echo unregister_virtio_driver >> /sys/kernel/debug/tracing/set_ftrace_filter
echo register_virtio_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo unregister_virtio_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_init >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_check_driver_offered_feature >>
/sys/kernel/debug/tracing/set_ftrace_filter
echo register_virtio_driver >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_finalize_features >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_config_enable >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_device_restore >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_device_freeze >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_break_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_mmio_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_mmio_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_modern_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_modern_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_release_dev >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_restore >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_freeze >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_legacy_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_legacy_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_queue_rq >> /sys/kernel/debug/tracing/set_ftrace_filter

However the traces don't show a virt related event.

I launch QEMU using:

qemu-system-x86_64 -drive
file=/home/gnayan/CUSTOM_QEMU_SYSTEM/UBUNTU/ubuntu.img,if=virtio,format=raw
-m 1G -net nic,model=virtio -net user -redir tcp:::22 -enable-kvm
&

Please suggest

Thanks


-- Forwarded message --
From: Gadre Nayan 
Date: Tue, Aug 9, 2016 at 9:15 AM
Subject: Virtio related trace events.
To: qemu-devel@nongnu.org, qemu-disc...@nongnu.org



[Qemu-devel] Virtio related trace events.

2016-08-08 Thread Gadre Nayan
I am unable to get the virtio related events in either the
guest or the host.

My understanding is that in the Guest OS, I will have a virtio-blk
which is the driver, the device is the virtio-transport or the
virtio-queue, then the virtio-queue will raise a kick to then dispatch
the block request to the Host kernel block sub system.

So where will be the virtio, virtqueue events be seen in the traces,
in guest or in host ?

I have a guest and host where the following events are registered:

echo 1 > kvm/enable [ this event is enabled Only on Host, rest are on
both guest and host]
echo 1 > block/enable
echo 1 > scsi/enable

echo virtqueue_kick_prepare > /sys/kernel/debug/tracing/set_ftrace_filter
echo virtqueue_kick >> /sys/kernel/debug/tracing/set_ftrace_filter
echo scsi_kick_queue >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_match >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_config_changed >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_uevent >> /sys/kernel/debug/tracing/set_ftrace_filter
echo unregister_virtio_driver >> /sys/kernel/debug/tracing/set_ftrace_filter
echo register_virtio_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo unregister_virtio_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_init >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_check_driver_offered_feature >>
/sys/kernel/debug/tracing/set_ftrace_filter
echo register_virtio_driver >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_finalize_features >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_config_enable >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_dev_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_device_restore >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_device_freeze >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_break_device >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_mmio_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_mmio_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_modern_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_modern_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_release_dev >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_restore >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_freeze >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_legacy_probe >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_pci_legacy_remove >> /sys/kernel/debug/tracing/set_ftrace_filter
echo virtio_queue_rq >> /sys/kernel/debug/tracing/set_ftrace_filter

However the traces don't show a virt related event.

I launch QEMU using:

qemu-system-x86_64 -drive
file=/home/gnayan/CUSTOM_QEMU_SYSTEM/UBUNTU/ubuntu.img,if=virtio,format=raw
-m 1G -net nic,model=virtio -net user -redir tcp:::22 -enable-kvm
&

Please suggest

Thanks



Re: [Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

2016-08-08 Thread Jason Wang



On 2016年08月04日 15:35, P J P wrote:

   Hello Jason,

+-- On Thu, 4 Aug 2016, Jason Wang wrote --+
| The patch doesn't apply cleanly on HEAD, we now move this logic to
| hw/net/net_tx_pkt.c. Please resend on top of HEAD and cc Dmitry Fleytman
| .

   I see, that explains why it did not show-up in search. I've sent a revised
patch v2. Nevertheless, the patch here would apply to Qemu versions <= 2.6.0.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F


Yes, I will cc stable this time. Please do it next time if you want the 
fix for stable too.


Thanks



Re: [Qemu-devel] [PATCH] net: vmxnet3: check for device_active before write

2016-08-08 Thread Jason Wang



On 2016年08月08日 21:08, Dmitry Fleytman wrote:

Acked-by: Dmitry Fleytman 


On 8 Aug 2016, at 15:38 PM, P J P  wrote:

From: Li Qiang 

Vmxnet3 device emulator does not check if the device is active,
before using it for write. It leads to a use after free issue,
if the vmxnet3_io_bar0_write routine is called after the device is
deactivated. Add check to avoid it.

Reported-by: Li Qiang 
Signed-off-by: Prasad J Pandit 
---
hw/net/vmxnet3.c | 4 
1 file changed, 4 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index bbf44ad..90f6943 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1167,6 +1167,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
{
 VMXNET3State *s = opaque;

+if (!s->device_active) {
+return;
+}
+
 if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
 VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
 int tx_queue_idx =
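Review bot: the guard covers vmxnet3_io_bar0_write only, while the commit message describes a use after free reachable once the device is deactivated; the matching bar0 read handler and any other MMIO or I/O path that dereferences the state freed on deactivation need the same device_active check, or the stale pointers stay reachable from a guest read. A debug message on the dropped write would also make guests that poke an inactive device easier to diagnose.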
--
2.5.5



Applied, thanks.




Re: [Qemu-devel] [PATCH v1 1/5] target-ppc: add vector insert instructions

2016-08-08 Thread David Gibson
On Thu, Aug 04, 2016 at 10:08:17PM +0530, Richard Henderson wrote:
> On 08/04/2016 06:33 PM, Rajalakshmi Srinivasaraghavan wrote:
> > +#if defined(HOST_WORDS_BIGENDIAN)
> > +#define VINSERT(suffix, element, index)
> >  \
> > +void helper_vinsert##suffix(ppc_avr_t *r, ppc_avr_t *b, uint32_t 
> > splat) \
> > +{  
> >  \
> > +memcpy(>u8[SPLAT_ELEMENT(u8)], >element[index],  
> >  \

It seems odd to use SPLAT_ELEMENT() here but not in the LE case, given
that SPLAT_ELEMENT() is already a macro whose definition is
conditional on endianness.  It might actually be clearer to open code it.

> > +   sizeof(r->element[0])); 
> >  \
> > +}
> > +#else
> > +#define VINSERT(suffix, element, index)
> >  \
> > +void helper_vinsert##suffix(ppc_avr_t *r, ppc_avr_t *b, uint32_t 
> > splat) \
> > +{  
> >  \
> > +memcpy(>u8[(16 - splat) - sizeof(r->element[0])],   
> >  \
> > +   >element[(ARRAY_SIZE(r->element) - index) - 1],  
> >  \
> > +   sizeof(r->element[0])); 
> >  \
> > +}
> 
> Something somewhere needs to check for out of bounds SPLAT, for evil guests.
> 
> The spec says it's undefined; I don't recall if that gives you the latitude
> to generate an illegal instruction trap during translate.

splat is an immediate argument, so that should be done on the
generator side, rather than the helper side.  It's already partially
done by the way it's extracted from the instruction.

But, AFAICT that just limits splat to 5 bits, and I'm not sure that's
enough for all forms of this instruction.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


Re: [Qemu-devel] [PATCH v1 0/5] POWER9 TCG enablement - part3

2016-08-08 Thread David Gibson
On Thu, Aug 04, 2016 at 06:33:45PM +0530, Rajalakshmi Srinivasaraghavan wrote:
> This series contains 14 new instructions for POWER9 described in ISA3.0.
> 
> Patches:
>   01: Adds vector insert instructions.
> vinsertb - Vector Insert Byte
> vinserth - Vector Insert Halfword
> vinsertw - Vector Insert Word
> vinsertd - Vector Insert Doubleword
>   02: Adds vector extract instructions.
> vextractub - Vector Extract Unsigned Byte
> vextractuh - Vector Extract Unsigned Halfword
> vextractuw - Vector Extract Unsigned Word
> vextractd - Vector Extract Unsigned Doubleword
>   03: Adds vector count trailing zeros instructions.
> vctzb - Vector Count Trailing Zeros Byte
> vctzh - Vector Count Trailing Zeros Halfword
> vctzw - Vector Count Trailing Zeros Word
> vctzd - Vector Count Trailing Zeros Doubleword
>   04: Adds vbpermd-vector bit permute doubleword instruction.
>   05: Adds vpermr-vector permute right indexed instruction.

I'll wait for a respin of these incorporating rth's comments.

> 
> Changelog:
> v0:
> * Rename GEN_VXFORM_300_EXT1 to GEN_VXFORM_300_EO.
> * Rename GEN_VXFORM_DUAL1 to GEN_VXFORM_DUAL_INV.
> * Remove undef GEN_VXFORM_DUAL1.
> 
>  target-ppc/helper.h |   14 +
>  target-ppc/int_helper.c |  110 
> +++
>  target-ppc/translate/vmx-impl.c |   58 
>  target-ppc/translate/vmx-ops.c  |   38 +++---
>  4 files changed, 212 insertions(+), 8 deletions(-)
> 

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


Re: [Qemu-devel] [PATCH v2] ppc64: fix compressed dump with pseries kernel

2016-08-08 Thread David Gibson
On Mon, Aug 08, 2016 at 03:08:53PM +0200, Laurent Vivier wrote:
> If we don't provide the page size in target-ppc:cpu_get_dump_info(),
> the default one (TARGET_PAGE_SIZE, 4KB) is used to create
> the compressed dump. It works fine with Macintosh, but not with
> pseries as the kernel default page size is 64KB.
> 
> Without this patch, if we generate a compressed dump in the QEMU monitor:
> 
> (qemu) dump-guest-memory -z qemu.dump
> 
> This dump cannot be read by crash:
> 
> # crash vmlinux qemu.dump
> ...
> WARNING: cannot translate vmemmap kernel virtual addresses:
>  commands requiring page structure contents will fail
> ...
> 
> Page_size is used to determine the dumpfile's block size. The
> block size needs to be at least the page size, but a multiple of page
> size works fine too. For PPC64, linux supports either 4KB or 64KB software
> page size. So we define the page_size to 64KB.
> 
> Signed-off-by: Laurent Vivier 
> Reviewed-by: Andrew Jones 
> ---
> v2: Update commit and source comments about the max page size

I've applied this to ppc-for-2.7 for now, since it definitely improves
matters.


> 
>  target-ppc/arch_dump.c | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/target-ppc/arch_dump.c b/target-ppc/arch_dump.c
> index df1fd8c..ea3d1a3 100644
> --- a/target-ppc/arch_dump.c
> +++ b/target-ppc/arch_dump.c
> @@ -220,6 +220,11 @@ int cpu_get_dump_info(ArchDumpInfo *info,
>  } else {
>  info->d_endian = ELFDATA2LSB;
>  }
> +/* 64KB is the max page size for pseries kernel */
> +if (strncmp(object_get_typename(qdev_get_machine()),
> +"pseries-", 8) == 0) {
> +info->page_size = (1U << 16);
> +}
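Review bot: the prefix length 8 is a hand-counted strlen("pseries-") that silently breaks if the prefix or the machine name changes; g_str_has_prefix(object_get_typename(qdev_get_machine()), "pseries-") expresses the intent without the magic number. Note also that page_size is only set on the pseries branch, so any other machine keeps the 4KB default even when it runs a 64KB-page kernel.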

However, I think doing this based on machine type actually isn't
great.  It's entirely plausible that a modern kernel built for Mac
would also have 64KiB page size - especially if it's a multiplatform
kernel that can run on both Mac and pSeries.

Still, that's something we can polish later.

>  
>  return 0;
>  }

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


Re: [Qemu-devel] [PATCH 0/6] POWER9 TCG enablements - part4

2016-08-08 Thread David Gibson
On Sun, Aug 07, 2016 at 11:06:49PM +0530, Nikunj A Dadhania wrote:
> This series contains 10 new instructions for POWER9 ISA3.0.
> 
> Patches:
> 01:  xxspltib: VSX Vector Splat Immediate Byte
> 02:  darn: Deliver A Random Number
> 03:  lxsibzx - Load VSX Scalar as Integer Byte & Zero Indexed
>  lxsihzx - Load VSX Scalar as Integer Halfword & Zero Indexed
> 04:  stxsibx - Store VSX Scalar as Integer Byte Indexed
>  stxsihx - Store VSX Scalar as Integer Halfword Indexed
> 05:  lxvb16x: Load VSX Vector Byte*16
>  lxvh8x:  Load VSX Vector Halfword*8
> 06:  stxvb16x: Store VSX Vector Byte*16
>  stxvh8x:  Store VSX Vector Halfword*8
> 
> Nikunj A Dadhania (5):
>   target-ppc: add xxspltib instruction
>   target-ppc: add lxsi[bw]zx instruction
>   target-ppc: add stxsi[bh]x instruction
>   target-ppc: add lxvb16x and lxvh8x
>   target-ppc: add stxvb16x and stxvh8x
> 
> Ravi Bangoria (1):
>   target-ppc: Implement darn instruction
> 
>  target-ppc/helper.h |  5 +++
>  target-ppc/int_helper.c | 14 
>  target-ppc/mem_helper.c | 65 
> +
>  target-ppc/translate.c  | 61 ++
>  target-ppc/translate/vsx-impl.inc.c | 64 
>  target-ppc/translate/vsx-ops.inc.c  | 13 
>  6 files changed, 202 insertions(+), 20 deletions(-)
> 

As with part3, I'll wait for a respin with comments addressed.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH 2/6] target-ppc: Implement darn instruction

2016-08-08 Thread David Gibson
On Mon, Aug 08, 2016 at 07:33:37AM +1000, Benjamin Herrenschmidt wrote:
> On Sun, 2016-08-07 at 23:06 +0530, Nikunj A Dadhania wrote:
> > +target_ulong helper_darn(uint32_t l)
> > +{
> > +    target_ulong r = UINT64_MAX;
> > +
> > +    if (l <= 2) {
> > +    do {
> > +    r = random() * random();
> > +    r &= l ? UINT64_MAX : UINT32_MAX;
> > +    } while (r == UINT64_MAX);
> > +    }
> > +
> > +    return r;
> > +}
> >  #endif
> 
> Isn't this a bit weak? Look at the implementation of H_RANDOM...

Indeed, you should be using the rng backend that H_RANDOM, virtio-rng
and the Intel random number instruction all use.

But, worse than that: even if random() was a good RNG, I'm pretty sure
that although random() * random() will give you a random number with
twice as many bits as random() alone, it won't be uniformly
distributed.  That's probably not what you want.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


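As an added illustration of the last point (not code from the thread or from QEMU), the same multiplication scaled down to 4-bit values so that every (a, b) pair can be enumerated exhaustively; `product_stats` tallies both the full product and the low-bits truncation that the helper's `r &= UINT32_MAX` performs, and reports how far each is from uniform.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Exhaustive check of the non-uniformity claim, scaled down so every (a, b)
 * pair can be enumerated. a and b are independent uniform `bits`-bit values
 * standing in for two random() results. With truncate == 0 the full
 * 2*bits-bit product is tallied; with truncate != 0 only the low `bits`
 * bits are kept, the analogue of `r &= UINT32_MAX` in the helper.
 */
typedef struct {
    unsigned long outputs;     /* size of the output range */
    unsigned long zero_count;  /* pairs whose product is 0 */
    unsigned long odd_count;   /* pairs whose product is odd (uniform: half) */
    unsigned long max_count;   /* hits on the most frequent output */
    unsigned long never_hit;   /* outputs that no pair ever produces */
} ProductStats;

#define MAX_BITS 10            /* keeps the histogram at <= 2^20 entries */

static ProductStats product_stats(unsigned bits, int truncate)
{
    ProductStats st = { 0 };
    unsigned long n, *hist;

    if (bits == 0 || bits > MAX_BITS) {
        abort();
    }
    n = 1UL << bits;
    st.outputs = truncate ? n : n * n;
    hist = calloc(st.outputs, sizeof(*hist));
    if (!hist) {
        abort();
    }

    /* Every pair is equally likely, so the histogram is the exact
     * distribution of the product, not a sampled estimate. */
    for (unsigned long a = 0; a < n; a++) {
        for (unsigned long b = 0; b < n; b++) {
            unsigned long r = a * b;
            if (truncate) {
                r &= n - 1;
            }
            hist[r]++;
            st.odd_count += r & 1;
        }
    }

    st.zero_count = hist[0];
    for (unsigned long i = 0; i < st.outputs; i++) {
        if (hist[i] > st.max_count) {
            st.max_count = hist[i];
        }
        if (hist[i] == 0) {
            st.never_hit++;
        }
    }
    free(hist);
    return st;
}

int main(void)
{
    for (int truncate = 0; truncate <= 1; truncate++) {
        ProductStats st = product_stats(4, truncate);
        unsigned long pairs = 1UL << 8;   /* 16 * 16 input pairs */

        printf("%s product of two 4-bit values, %lu pairs over %lu outputs:\n",
               truncate ? "truncated" : "full", pairs, st.outputs);
        printf("  uniform would give %.2f hits per output; max seen %lu\n",
               (double)pairs / st.outputs, st.max_count);
        printf("  zero: %lu hits, odd: %lu of %lu, never hit: %lu outputs\n",
               st.zero_count, st.odd_count, pairs, st.never_hit);
    }
    return 0;
}
```

For 4-bit inputs the full product never reaches 166 of its 256 possible values, and the truncated form lands on 0 three times as often as a uniform value would.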


Re: [Qemu-devel] [PATCH for-2.8 00/18] pc: q35: x2APIC support in kvm_apic mode

2016-08-08 Thread Chao Gao
On Mon, Aug 08, 2016 at 11:18:20AM +0200, Igor Mammedov wrote:
>On Mon, 8 Aug 2016 15:41:23 +0800
>Chao Gao  wrote:
>
>> HI, everyone.
>> 
>> We have done some tests after merging this patch set into the latest qemu
>> master. In kvm aspect, we use the latest kvm linux-next branch. Here are
>> some problems we have met.
>> 
>> 1. We can't boot up a 288 vcpus linux guest with CLI:
>> qemu-system-x86_64 -boot c -m 4096 -sdl -monitor pty --enable-kvm \
>> -M kernel-irqchip=split -serial stdio -bios bios.bin -smp cpus=288 \
>> -hda vdisk.img -device intel-iommu,intremap=on -machine q35.
>> The problem exists, even after we only assign 32 vcpus to the linux guest.
>> Maybe the output "do_IRQ: 146.113 No irq handler for vector (irq -1)" is a 
>> clue.
>> The output of qemu and kernel is in attachments. Do you have any idea
>> about the problem and how to solve it?
>I don't think we ever looked at "kernel-irqchip=split"; only the in-kernel
>variant's been targeted so far.
>Radim probably knows better whether it should work or not.
>
>Have you tried with smaller amount of CPUs but with APIC IDs above 254,
>like in test below?
>
>[...]
>
>> >Tested with following CLI:
>> > QEMU -M q35 -enable-kvm -smp 1,sockets=9,cores=32,threads=1,maxcpus=288 \
>> >  -device qemu64-x86_64-cpu,socket-id=8,core-id=30,thread-id=0   \
>> >  -bios x2apic_bios.bin

I tested with this CLI:
qemu-system-x86_64 -M q35 \
-enable-kvm -smp 1,sockets=9,cores=32,threads=1,maxcpus=288 \
-device qemu64-x86_64-cpu,socket-id=8,core-id=30,thread-id=0 \
-bios bios.bin -hda vdisk.img -serial stdio -m 4096 2>>qemu_and_guest.log >&2

But I think there should be a cpu with initial apicid >255
in /proc/cpuinfo. The log (in attachments) shows that the guest kernel
treats the other cpu as a bad one. What do you think causes the problem?

# cat /proc/interrupts
localhost login: CPU0   
   0:125   IO-APIC-edge  timer
   1:117   IO-APIC-edge  i8042
   4:382   IO-APIC-edge  serial
   7:  0   IO-APIC-edge  parport0
   8:  1   IO-APIC-edge  rtc0
   9:  0   IO-APIC-fasteoi   acpi
  12:   1661   IO-APIC-edge  i8042
  16:  0   IO-APIC-fasteoi   i801_smbus
  22: 27   IO-APIC-fasteoi   enp0s2
  24:   7310   PCI-MSI-edge  :00:1f.2
 NMI:  0   Non-maskable interrupts
 LOC:   6401   Local timer interrupts
 SPU:  0   Spurious interrupts
 PMI:  0   Performance monitoring interrupts
 IWI:   3870   IRQ work interrupts
 RTR:  0   APIC ICR read retries
 RES:  0   Rescheduling interrupts
 CAL:  0   Function call interrupts
 TLB:  0   TLB shootdowns
 TRM:  0   Thermal event interrupts
 THR:  0   Threshold APIC interrupts
 MCE:  0   Machine check exceptions
 MCP:  1   Machine check polls
 ERR:  0
 MIS:  0

# cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model   : 6
model name  : QEMU Virtual CPU version 2.5+
stepping: 3
microcode   : 0x1
cpu MHz : 3591.682
cache size  : 4096 KB
physical id : 0
siblings: 1
core id : 0
cpu cores   : 1
apicid  : 0
initial apicid  : 0
fpu : yes
fpu_exception   : yes
cpuid level : 13
wp  : yes
flags   : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pse36 clflush mmx fxsr sse sse2 ht syscall nx lm rep_good nopl xtopology pni 
cx16 x2apic hypervisor lahf_lm
bogomips: 7183.36
clflush size: 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:
Warning: Number of hotpluggable cpus requested (288) exceeds the recommended 
cpus supported by KVM (240)

Re: [Qemu-devel] [PATCH v3 kernel 0/7] Extend virtio-balloon for fast (de)inflating & fast live migration

2016-08-08 Thread Li, Liang Z
> Subject: Re: [PATCH v3 kernel 0/7] Extend virtio-balloon for fast 
> (de)inflating
> & fast live migration
> 
> On 08/07/2016 11:35 PM, Liang Li wrote:
> > Dave Hansen suggested a new scheme to encode the data structure,
> > because of additional complexity, it's not implemented in v3.
> 
> FWIW, I don't think it takes any additional complexity here, at least in the
> guest implementation side.  The thing I suggested would just mean explicitly
> calling out that there was a single bitmap instead of implying it in the ABI.
> 
> Do you think the scheme I suggested is the way to go?

Yes, I think so.  And I will do that in the later version. In this V3, I just
want to solve the issue caused by a large page bitmap in v2.

Liang



Re: [Qemu-devel] [PATCH v2 1/8] util: Add UUID API

2016-08-08 Thread Fam Zheng
On Mon, 08/08 15:51, Jeff Cody wrote:
> > > +typedef unsigned char QemuUUID[16];
> > 
> > I'm afraid this typedef is problematic.  Consider:
> > 
> > void use_uuid(QemuUUID uuid)
> > {
> > printf("sizeof(uuid) %zd\n", sizeof(uuid));
> > uuid[0]++;
> > }
> > 
> > QemuUUID is obviously a typedef name, so a reasonable reader may assume
> > (1) sizeof(uuid) is the size of the uuid, and (2) since uuid is passed
> > by value, the increment is not visible outside the function.  Both
> > assumptions are wrong, because array arguments degenerate into pointers.
> > 
> > I recommend to wrap it in a struct.
> >
> 
> If we are going for a semantic drop-in replacement for libuuid's uuid_t,
> Fam's typedef here is consistent with libuuid:
> 
> typedef unsigned char uuid_t[16];
> 
> (Not to say that prohibits changing it, just pointing out there is value in
> mimicking libuuid's interfaces).

I am not 100% comfortable with the libuuid way, so yes, it was for consistency. But
Markus' point is great, let's change it to the better way anyway, since it's
not a hard requirement to mimic libuuid.

Fam
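Added example (not QEMU's code) making Markus's two points concrete: the `QemuUUID` array typedef from the patch beside a struct wrapper, with functions that report whether the parameter decayed to a pointer and whether a callee's write reaches the caller. `QemuUUIDStruct` and the helper names are assumed for this example.

```c
#include <stdio.h>

/* The typedef from the patch under review: an array type. */
typedef unsigned char QemuUUID[16];

/* The alternative Markus suggests: the same 16 bytes wrapped in a struct.
 * Name constructed for this example; it is not QEMU's. */
typedef struct {
    unsigned char data[16];
} QemuUUIDStruct;

/* Inside the callee an array parameter has already decayed to a pointer;
 * _Generic reveals that without tripping -Wsizeof-array-argument. */
static int array_param_is_pointer(QemuUUID uuid)
{
    return _Generic(uuid, unsigned char *: 1, default: 0);
}

static int struct_param_is_pointer(QemuUUIDStruct uuid)
{
    return _Generic(uuid, unsigned char *: 1, default: 0);
}

/* Both look like they modify a by-value parameter. */
static unsigned char bump_first_byte_array(QemuUUID uuid)
{
    return ++uuid[0];       /* writes through to the caller's array */
}

static unsigned char bump_first_byte_struct(QemuUUIDStruct uuid)
{
    return ++uuid.data[0];  /* modifies the callee's private copy only */
}

/* Each returns the caller's first byte after the call: 1 means the callee's
 * "local" increment leaked back, 0 means the caller's value survived. */
static int array_caller_sees_change(void)
{
    QemuUUID u = { 0 };
    bump_first_byte_array(u);
    return u[0];
}

static int struct_caller_sees_change(void)
{
    QemuUUIDStruct u = { { 0 } };
    bump_first_byte_struct(u);
    return u.data[0];
}

static int array_check(void)
{
    QemuUUID u = { 0 };
    return array_param_is_pointer(u);
}

static int struct_check(void)
{
    QemuUUIDStruct u = { { 0 } };
    return struct_param_is_pointer(u);
}

int main(void)
{
    printf("sizeof(QemuUUID) = %zu, sizeof(QemuUUIDStruct) = %zu\n",
           sizeof(QemuUUID), sizeof(QemuUUIDStruct));
    printf("parameter decayed to pointer: array %d, struct %d\n",
           array_check(), struct_check());
    printf("caller sees callee's increment: array %d, struct %d\n",
           array_caller_sees_change(), struct_caller_sees_change());
    return 0;
}
```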



Re: [Qemu-devel] [PATCH v2 5/8] vpc: Use QEMU UUID API

2016-08-08 Thread Fam Zheng
On Mon, 08/08 16:49, Jeff Cody wrote:
> On Mon, Aug 08, 2016 at 02:09:25PM +0800, Fam Zheng wrote:
> > Previously we conditionally generate if footer->uuid, when libuuid is
> 
> s/generate if/generated/
> 
> s/is/was/

Fixing, thanks!

Fam



Re: [Qemu-devel] [PATCH v2 8/8] configure: Remove detection code for UUID

2016-08-08 Thread Fam Zheng
On Mon, 08/08 16:52, Jeff Cody wrote:
> > @@ -1096,6 +1091,9 @@ for opt do
> >--enable-vhdx|--disable-vhdx)
> >echo "$0: $opt is obsolete, VHDX driver is always built"
> >;;
> > +  --enable-uuid|--disable-uuid)
> > +  echo "$0: $opt is obsolete, UUID support is always built"
> > +  ;;
> 
> As with the vhdx line, this too should probably go out to stderr similar to
> the data plane option.

Yes, will do.



[Qemu-devel] [PATCH] clang: Disable warning about expansion to 'defined'

2016-08-08 Thread Pranith Kumar
Clang produces the following warning. The warning is detailed here:
https://reviews.llvm.org/D15866. Disable the warning.

/home/pranith/devops/code/qemu/hw/display/qxl.c:507:5: warning: macro expansion 
producing 'defined' has undefined behavior [-Wexpansion-to-defined]
#if SPICE_NEEDS_SET_MM_TIME
^
/home/pranith/devops/code/qemu/include/ui/qemu-spice.h:46:5: note: expanded 
from macro 'SPICE_NEEDS_SET_MM_TIME'
  (!defined(SPICE_SERVER_VERSION) || (SPICE_SERVER_VERSION < 0xc06))
^
/home/pranith/devops/code/qemu/hw/display/qxl.c:1074:5: warning: macro 
expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined]
#if SPICE_NEEDS_SET_MM_TIME
^
/home/pranith/devops/code/qemu/include/ui/qemu-spice.h:46:5: note: expanded 
from macro 'SPICE_NEEDS_SET_MM_TIME'
  (!defined(SPICE_SERVER_VERSION) || (SPICE_SERVER_VERSION < 0xc06))

Signed-off-by: Pranith Kumar 
---
 configure | 13 +
 1 file changed, 13 insertions(+)

diff --git a/configure b/configure
index f57fcc6..a1a6e3f 100755
--- a/configure
+++ b/configure
@@ -3025,6 +3025,19 @@ if ! compile_prog "$glib_cflags -Werror" "$glib_libs" ; 
then
 fi
 fi
 
+# Silence clang warnings about expansion to 'defined' in macro
+cat > $TMPC << EOF
+#define TEST (defined(DUMMY))
+#if TEST
+int main(void) { return 0; }
+#endif
+EOF
+if ! compile_prog "-Werror" ; then
+if cc_has_warning_flag "-Wno-expansion-to-defined"; then
+   CFLAGS="-Wno-expansion-to-defined $CFLAGS"
+fi
+fi
+
 ##
 # SHA command probe for modules
 if test "$modules" = yes; then
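Review bot: the probe program never defines DUMMY, so `#if TEST` is false and the file is compiled with no main() at all; if compile_prog also links the result, the probe fails on every compiler regardless of whether the warning fired, and the flag is added whenever cc_has_warning_flag accepts it. Move `int main(void) { return 0; }` outside the `#if` (or use `#if !TEST`) so that only the warning itself can make the probe fail, and the `-Werror` build then actually tests what the comment says it does.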
-- 
2.9.2




Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread no-reply
Hi,

Your series seems to have some coding style problems. See output below for
more information:

Message-id: blu437-smtp43591ada801e900d4bce81db...@phx.gbl
Type: series
Subject: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in 
xlnx.xps-ethernetlite

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git show --no-patch --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
f29edf0 hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

=== OUTPUT BEGIN ===
Checking PATCH 1/1: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite...
ERROR: space prohibited before that close parenthesis ')'
#26: FILE: hw/net/xilinx_ethlite.c:200:
+if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {

ERROR: Missing Signed-off-by: line(s)

total: 2 errors, 0 warnings, 10 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-de...@freelists.org

[Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

2016-08-08 Thread chaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
the heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu 

---
 hw/net/xilinx_ethlite.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..6d3eecc 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t 
*buf, size_t size)
 }
 
 D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {
+D(qemu_log("ethlite packet is too big, size=%x\n", size);
+return -1;
+}
 memcpy(>regs[rxbase + R_RX_BUF0], buf, size);
 
 s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
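Review bot: the new debug line is missing a closing parenthesis: `D(qemu_log("ethlite packet is too big, size=%x\n", size);` closes qemu_log() but not the D() macro, so the file will not compile with the debug macro enabled; `size` is also a size_t, so the conversion should be `%zx` or `%zu` rather than `%x`. checkpatch additionally flags the space before `)` in the `if` condition and the missing Signed-off-by line, both of which need fixing before this can be applied.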
-- 
1.9.1
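Added model (not QEMU's code) of the bounds check the patch introduces, to make the capacity arithmetic and its boundary explicit: `regs` holds 32-bit words, so the byte capacity is the remaining word count times four, and a frame of exactly that size is accepted while one byte more is dropped. The register constants are placeholders, since the real R_RX_BUF0, R_RX_CTRL0 and R_MAX values are not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder register layout, constructed for this model; the real values
 * live in hw/net/xilinx_ethlite.c. */
#define R_RX_CTRL0 7
#define R_RX_BUF0  8                /* first 32-bit word of the RX buffer */
#define R_MAX      24               /* number of 32-bit registers */
#define CTRL_S     (1u << 0)        /* "frame present" status bit */

typedef struct {
    uint32_t regs[R_MAX];
    uint32_t canary;   /* sits right after regs; must never change */
} EthLiteModel;

/* Bytes that fit between the RX buffer at rxbase and the end of regs, or -1
 * when rxbase itself is past the buffer. regs holds 32-bit words, hence
 * the factor of 4 in the patch. */
static long rx_capacity_bytes(unsigned rxbase)
{
    if (rxbase > (unsigned)(R_MAX - R_RX_BUF0)) {
        return -1;
    }
    return (long)(R_MAX - R_RX_BUF0 - rxbase) * 4;
}

/* Hardened receive: reject frames that cannot fit. Returns the number of
 * bytes stored, or -1 when the frame was dropped. */
static long eth_rx_model(EthLiteModel *s, unsigned rxbase,
                         const uint8_t *buf, size_t size)
{
    long cap = rx_capacity_bytes(rxbase);

    if (cap < 0 || size > (size_t)cap) {
        return -1;
    }
    memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
    s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
    return (long)size;
}

/* Drive the model with a constructed frame of `size` bytes. Returns the
 * receive result, or -2 if the canary behind regs was disturbed. */
static long try_rx(unsigned rxbase, size_t size)
{
    EthLiteModel s;
    uint8_t frame[256];
    long rc;

    memset(&s, 0, sizeof(s));
    s.canary = 0xCAFEF00Du;
    memset(frame, 0xAB, sizeof(frame));   /* constructed payload */
    if (size > sizeof(frame)) {
        size = sizeof(frame);
    }
    rc = eth_rx_model(&s, rxbase, frame, size);
    return s.canary == 0xCAFEF00Du ? rc : -2;
}

int main(void)
{
    unsigned bases[] = { 0, 4, 17 };

    for (size_t i = 0; i < sizeof(bases) / sizeof(bases[0]); i++) {
        long cap = rx_capacity_bytes(bases[i]);
        size_t fit = cap < 0 ? 0 : (size_t)cap;

        printf("rxbase %u: capacity %ld, rx(%zu)=%ld, rx(%zu)=%ld\n",
               bases[i], cap, fit, try_rx(bases[i], fit),
               fit + 1, try_rx(bases[i], fit + 1));
    }
    return 0;
}
```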




[Qemu-devel] [PATCH] docker: Add a glib2-2.22 image

2016-08-08 Thread Fam Zheng
It's a variation of our existing centos6, plus two more lines to
downgrade glib2 to version 2.22 which we download from vault.centos.org.

Suggested-by: Paolo Bonzini 
Signed-off-by: Fam Zheng 
---
 tests/docker/dockerfiles/min-glib.docker | 8 
 1 file changed, 8 insertions(+)
 create mode 100644 tests/docker/dockerfiles/min-glib.docker

diff --git a/tests/docker/dockerfiles/min-glib.docker 
b/tests/docker/dockerfiles/min-glib.docker
new file mode 100644
index 000..9f542d5
--- /dev/null
+++ b/tests/docker/dockerfiles/min-glib.docker
@@ -0,0 +1,8 @@
+FROM centos:6
+RUN yum install -y \
+tar git make gcc g++ \
+zlib-devel SDL-devel pixman-devel \
+epel-release
+RUN yum install -y libfdt-devel ccache
+RUN yum downgrade -y 
http://vault.centos.org/6.0/os/x86_64/Packages/glib2-2.22.5-5.el6.x86_64.rpm
+RUN yum install -y 
http://vault.centos.org/6.0/os/x86_64/Packages/glib2-devel-2.22.5-5.el6.x86_64.rpm
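Review bot: both vault.centos.org packages are fetched over plain http and installed directly from the URL, and yum only checks signatures on such local packages when localpkg_gpgcheck is enabled, which it is not by default, so the image trusts whatever the mirror returns. Either enable localpkg_gpgcheck in the yum configuration before these two RUN lines, or download the RPMs, verify them against the CentOS 6 key, and install the verified files.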
-- 
2.7.4




Re: [Qemu-devel] [PATCH 5/5] ppc: Improve generation of conditional traps

2016-08-08 Thread David Gibson
On Sun, Jul 31, 2016 at 03:13:13PM +1000, Benjamin Herrenschmidt wrote:
> Translate most conditions to TCG conditions and avoid the helper
> for most of the common cases.
> 
> Signed-off-by: Benjamin Herrenschmidt 
> ---
>  target-ppc/translate.c | 168 
> ++---
>  1 file changed, 132 insertions(+), 36 deletions(-)

I've merged 1-4 of this series into ppc-for-2.8.  I'm not really clear
whether a change is still needed on patch 5, so please resend either
way.

> 
> diff --git a/target-ppc/translate.c b/target-ppc/translate.c
> index 47eb9ed..561976f 100644
> --- a/target-ppc/translate.c
> +++ b/target-ppc/translate.c
> @@ -3639,82 +3639,178 @@ static void gen_sc(DisasContext *ctx)
>  
>  /***Trap   
> ***/
>  
> -/* Check for unconditional traps (always or never) */
> -static bool check_unconditional_trap(DisasContext *ctx)
> +static int TO2tcg[32] = {
> +TCG_COND_NEVER, /* no condition */
> +TCG_COND_GTU,   /* 0x01 u> */
> +TCG_COND_LTU,   /* 0x02 u< */
> +TCG_COND_NE,/* 0x03 u< or u> -> NE */
> +TCG_COND_EQ,/* 0x04 = */
> +TCG_COND_GEU,   /* 0x05 u> or = */
> +TCG_COND_LEU,   /* 0x06 u< or = */
> +TCG_COND_ALWAYS,/* 0x07 u< or u> or = -> ALWAYS */
> +TCG_COND_GT,/* 0x08 > */
> +-1, /* 0x09 > or u> -> weird */
> +-1, /* 0x0a > or u< -> weird */
> +-1, /* 0x0b > or u< or u> -> weird */
> +TCG_COND_GE,/* 0x0c > or = */
> +-1, /* 0x0d > or = or u> */
> +-1, /* 0x0e > or = or u< */
> +-1, /* 0x0f > or = or u> or u< */
> +TCG_COND_LT,/* 0x10 < */
> +-1, /* 0x11 < or u> -> weird */
> +-1, /* 0x12 < or u< -> weird */
> +-1, /* 0x13 < or u< or u> -> weird */
> +TCG_COND_LE,/* 0x14 < or = */
> +-1, /* 0x15 < or = or u> -> weird */
> +-1, /* 0x16 < or = or u< -> weird */
> +TCG_COND_ALWAYS,/* 0x17 < or = or u< or u> -> ALWAYS */
> +TCG_COND_NE,/* 0x18 < or > -> NE */
> +-1, /* 0x19 < or > or u> -> weird */
> +-1, /* 0x1a < or > or u< -> weird */
> +-1, /* 0x1b < or > or u> or u< -> weird */
> +TCG_COND_ALWAYS,/* 0x1c < or > or = -> ALWAYS */
> +TCG_COND_ALWAYS,/* 0x1d < or > or = or u> -> ALWAYS */
> +TCG_COND_ALWAYS,/* 0x1e < or > or = or u< -> ALWAYS */
> +TCG_COND_ALWAYS,/* 0x1f < or > or = or u< -> ALWAYS */
> +};
> +
> +#define TRAP_UNCOND (-1)
> +#define TRAP_HELPER (-2)
> +
> +static int precheck_trap(DisasContext *ctx)
>  {
> -/* Trap never */
> -if (TO(ctx->opcode) == 0) {
> -return true;
> +int cond = TO2tcg[TO(ctx->opcode)];
> +
> +/* Weird traps go to helper */
> +if (cond < 0) {
> +return TRAP_HELPER;
>  }
> -/* Trap always */
> -if (TO(ctx->opcode) == 31) {
> +/* Unconditionals */
> +if (cond == TCG_COND_ALWAYS) {
>  gen_exception_err(ctx, POWERPC_EXCP_PROGRAM, POWERPC_EXCP_TRAP);
> -return true;
> +return TRAP_UNCOND;
>  }
> -return false;
> +if (cond == TCG_COND_NEVER) {
> +return TRAP_UNCOND;
> +}
> +/* Invert the condition as we branch over the exception when the
> + * condition is *not* met
> + */
> +return tcg_invert_cond(cond);
> +}
> +
> +static void gen_trap(DisasContext *ctx)
> +{
> +TCGv_i32 t0, t1;
> +
> +t0 = tcg_const_i32(POWERPC_EXCP_PROGRAM);
> +t1 = tcg_const_i32(POWERPC_EXCP_TRAP);
> +gen_update_nip(ctx, ctx->nip - 4);
> +gen_helper_raise_exception_err(cpu_env, t0, t1);
> +tcg_temp_free_i32(t0);
> +tcg_temp_free_i32(t1);
>  }
>  
>  /* tw */
>  static void gen_tw(DisasContext *ctx)
>  {
> -TCGv_i32 t0;
> +int cond = precheck_trap(ctx);
> +TCGLabel *l1;
> +TCGv t0;
> +TCGv t1;
>  
> -if (check_unconditional_trap(ctx)) {
> +if (cond == TRAP_UNCOND) {
> +return;
> +} else if (cond == TRAP_HELPER) {
> +TCGv_i32 trapop = tcg_const_i32(TO(ctx->opcode));
> +gen_helper_tw(cpu_env, cpu_gpr[rA(ctx->opcode)],
> +  cpu_gpr[rB(ctx->opcode)], trapop);
> +tcg_temp_free_i32(trapop);
>  return;
>  }
> -t0 = tcg_const_i32(TO(ctx->opcode));
> -gen_helper_tw(cpu_env, cpu_gpr[rA(ctx->opcode)], 
> cpu_gpr[rB(ctx->opcode)],
> -  t0);
> -tcg_temp_free_i32(t0);
> +l1 = gen_new_label();
> +t0 = tcg_temp_new();
> +t1 = tcg_temp_new();
> +tcg_gen_ext32s_tl(t0, cpu_gpr[rA(ctx->opcode)]);
> +tcg_gen_ext32s_tl(t1, cpu_gpr[rB(ctx->opcode)]);
> +tcg_gen_brcond_tl(cond, t0, t1, l1);
> +gen_trap(ctx);
> +gen_set_label(l1);
> +
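Review bot: the `-1` entries in TO2tcg mean "send this combination to the helper", but `#define TRAP_UNCOND (-1)` gives the same value a different meaning, and precheck_trap() returns values from both namespaces plus real TCGCond values; using TRAP_HELPER directly in the table (or a dedicated constant for it) removes the ambiguity. The comment on the 0x1f entry drops the `u>` that the 0x17 entry lists. In gen_tw(), a one-line comment where `cond` is passed to tcg_gen_brcond_tl() would help, since it is only correct because precheck_trap() already inverted the condition to branch over the trap.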

Re: [Qemu-devel] [Qemu-ppc] [PATCH] adb: change handler only when recognized

2016-08-08 Thread BALATON Zoltan

On Tue, 9 Aug 2016, Benjamin Herrenschmidt wrote:
> On Tue, 2016-08-09 at 02:11 +0200, BALATON Zoltan wrote:
> > I don't know much about this but I've read here that there are three
> > different kinds of chips: CUDA, PMU99 and PMU. Confusingly both PMU-s are
> > called via-pmu by Apple.
>
> And there's Egret ... ;-)

Right, for completeness, but that's only in very old machines we don't
emulate in QEMU.

> > However, desktop machines have no ADB so I'm not sure why we have
> > one still in QEMU.
>
> Because PowerBooks do (or rather a PMU-simulation of ADB) and MacOS
> doesn't care. If ADB is in the device-tree, it will use it. It makes
> things easier to support multiple combinations especially when
> "comparing" things for debug.
>
> Additionally, USB doesn't work well in OpenBIOS at this point ;-)

In what way? Keyboard works. What else is needed?

> Also, I have some evil plan to change the way ADB autopoll works in
> Qemu so that the devices signal the PMU when they want to talk. That
> will avoid having yet another 30-something HZ timer ticking in qemu,
> and in that regard will probably be more efficient (read: slows down
> the emulator less) than OHCI.

OK, this is a really nice thing and justifies having an ADB bus. (This
would also likely fix mouse problems seen by others.)

> > If USB is working then we don't need ADB with PMU99 and
> > that could resolve all the problems with it.
>
> I have solved the ADB problems so there's nothing left to solve here :-)
> But see above why I think it's a good idea to keep ADB as an option.

> > We can keep it to old world
> > beige G3 with CUDA where it works. I think only some Powerbooks have PMU
> > and ADB but we are not targeting that.
>
> Why not ?

Just thought emulating all the additional details for Powerbook power
management might be difficult. But if you're willing to go there I won't
stop you. :-) Obviously you understand this very well so maybe it's not
that difficult for you.

> > Here's an (untested) patch for
> > switching to using USB keyboard and mouse instead of ADB unless USB is
> > disabled. (The device tree should be changed accordingly in OpenBIOS.) Not
> > sure if this is helpful.
>
> Don't bother just yet, as I said, I am reworking all of that code. I will
> probably just create various -machine options so you can choose what bits
> and pieces you want to put together, i.e., CUDA, PMU, with or without ADB,
> which machine model string to expose to the OS etc...

Cool, looking forward to it. Thanks for all the great stuff you did for
this and keep it up.

Regards,
BALATON Zoltan


Re: [Qemu-devel] [PATCH] spapr: Correctly set query_hotpluggable_cpus hook based on machine version

2016-08-08 Thread David Gibson
On Mon, Aug 08, 2016 at 10:46:37AM +0200, Igor Mammedov wrote:
> On Fri, 5 Aug 2016 20:21:59 +0530
> Bharata B Rao  wrote:
> 
> > On Fri, Aug 05, 2016 at 05:50:29PM +1000, David Gibson wrote:
> > > Prior to c8721d3 "spapr: Error out when CPU hotplug is attempted on older
> > > pseries machines", attempting to use query-hotpluggable-cpus on 
> > > pseries-2.6
> > > and earlier machine types would SEGV.
> > > 
> > > That change fixed that, but due to some unexpected interactions in init
> > > order and a brown-paper-bag worthy failure to test, it accidentally
> > > disabled query-hotpluggable-cpus for all pseries machine types, including
> > > the current one which should allow it.
> > > 
> > > In fact, query_hotpluggable_cpus needs to be non-NULL when and only when
> > > the dr_cpu_enabled flag in sPAPRMachineClass is set, which makes
> > > dr_cpu_enabled itself redundant.
> > > 
> > > This patch removes dr_cpu_enabled, instead directly setting
> > > query_hotpluggable_cpus from the machine class_init functions, and using
> > > that to determine the availability of CPU hotplug when necessary.  
> > 
> > dr_cpu_enabled actually determines if CPU hotplug feature is present
> > or not. It also controls the creation of DRC-specific properties
> > in /cpus DT node like ibm,drc-indexes etc
> > 
> > query_hotpluggable_cpus just tells us if the machine supports the
> > querying of hotpluggable CPUS. query_hotpluggable_cpus definitely
> > implies dr_cpu_enabled but dr_cpu_enabled can exist on its own
> > (theoretically at the least) without query_hotpluggable_cpus.
> > 
> > So I think we should not replace dr_cpu_enabled with 
> > query_hotpluggable_cpus.
> I agree, hotplug capability shouldn't depend on availability of
> interface to operate it but rather on some platform specific bits
> which dr_cpu_enabled is (or at least looks like it's).

I still don't understand the objection here.  Once
query_hotpluggable_cpus was set correctly it really was non-NULL if
and only if dr_cpu_enabled was also true.  Are you saying there should
be an option to disable hotplug even in the newer machine types?

For now, Peter has already merged my pull request including this
patch.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH] docs: add cpu-hotplug.txt

2016-08-08 Thread David Gibson
On Mon, Aug 08, 2016 at 02:18:05PM +0200, Igor Mammedov wrote:
> On Mon, 8 Aug 2016 10:28:02 +0800
> Dou Liyang  wrote:
> 
> > This document describes how to use cpu hotplug in QEMU.
> > 
> > Signed-off-by: Dou Liyang 
> > ---
> >  docs/cpu-hotplug.txt | 110 
> > +++
> >  1 file changed, 110 insertions(+)
> >  create mode 100644 docs/cpu-hotplug.txt
> > 
> > diff --git a/docs/cpu-hotplug.txt b/docs/cpu-hotplug.txt
> > new file mode 100644
> > index 000..d62638e
> > --- /dev/null
> > +++ b/docs/cpu-hotplug.txt
> > @@ -0,0 +1,110 @@
> > +QEMU CPU hotplug
> > +===
> > +
> > +This document explains how to use the cpu hotplug feature in QEMU,
> > +which is present since v2.6.0.
> 
>  -device/device_add based CPUs are merged since 2.7
> 
> > +
> > +Guest support is required for cpu hotplug to work.
> > +
> > +CPU hotplug
> > +---
> > +
> > +In order to be able to hotplug cpu, QEMU has to be told what is the
> > +maximum amount of cpus the guest can grow. This is done at startup
> > +time by means of the -smp command-line option, which has the following
> > +format:
> > +
> > + -smp [cpus=]n[,maxcpus=cpus][,cores=cores][,threads=threads]
> > +   [,sockets=sockets]
> > +
> > +Where,
> > +
> > + - "cpus" set the number of CPUs to 'n' [default=1]
> > + - "maxcpus" maximum number of total cpus, including offlineCPUs for
> > +   hotplug, etc
> s/total//
> s/offlineCPUs/offline VCPUs/ or threads
> 
> > + - "cores" number of CPU cores on one socket
> > + - "threads= number of threads on one CPU core
> > + - "sockets= number of discrete sockets in the system
> Above needs additional meaning clarification for SPAPR,
> CCing David

Sockets have no real meaning on sPAPR.  You can decide how many cores
go into each "socket", but it has no real effect on the guest.

> 
> > +
> > +
> > +For example, the following command-line:
> > +
> > + qemu [...] -smp 3,maxcpus=10,sockets=2,cores=2,threads=2
> > +
> > +Creates a guest with 3 cpus and it support up to 10 cpus. The cpu
> > +topology is sockets (2) * cores (2) * threads (2) and can't greater
> > +than maxcpus. When the guest is just booted, the guest will see 3
> > +cpus. so there are seven cpus can be hotplugged by using any
> > +combination of the available sockets,cores and threads topology or
> > +using apic-id.
> s/cpus/vcpus/
> 
> drop any mentioning of apic-id, it's not supposed to be used
> by user and socket/core/thread-ids should be used i.e.
> properties advertised by QEMU via QMP command query-hotpluggable-cpus
> or corresponding HMP command 'info hotpluggable-cpus'
> 
> PS:
> Eduardo should we drop apic-id property before 2.7 is released?
> So people won't even try to use it, it wan never a public
> property before as cpus weren't available with -device/device_add.
> 
> 
> > +cpu hot-plug
> > +---
> > +
> > +A monitor commands are used to hotplug cpu:
> > +
> > + - "device_add": creates a cpu device and inserts it into the
> > + specific topology as a device
> > +
> > +For example, the following commands add a cpu which id is cpu1 to
> > +the guest discussed earlier:
> > +
> > +  (qemu) device_add qemu64-x86_64-cpu,id=cpu1,apic-id=3
> likewise remove any mentioning of apic-id from document
> 
> I'd add as the first section here commands that query possible
> available cpus including topology properties. 
> 
> > +
> > + - "qemu64-x86_64-cpu" is the cpu modle.
> > + - "id" is the unique identifier in the device sets.
> > + - "apic-id" is the hotpluged cpu's physical identification.
> > +
> > +Another command uses the cpu topology to add the additional cpu in
> > +the designated position.
> > +
> > +For example, the following commands add a cpu in the last position
> > +of the guest cpu topology discussed earlier.
> > +
> > +  (qemu) device_add qemu64-x86_64-cpu,id=cpu1,socket-id=2,core-id=1,
> > +   thread-id=1
> > +
> > +It's also possible to start a guest with cpu cold-plugged into the
> > +hotpluggable cpu topology.
> s/hotpluggable cpu topology/specific place (socket,core,thread)/
> 
> > +
> > +In the following command-line example, a guest which has 3 cpus is
> > +created where one of the cpus comes from the "apic-id", and another
> > +one comes from "socket-id...". After that, the guest has additional
> > +seven cpus to be hot-plug when needed:
> > +
> > + qemu  [...] -smp 1,maxcpus=10,sockets=2,cores=2,threads=2
> > +   -device qemu64-x86_64-cpu,id=cpu1,apic-id=1
> > +   -device qemu64-x86_64-cpu,socket-id=2,core-id=1,thread-id=0
> > +
> > +cpu hot-unplug
> > +
> > +
> > +In order to be able to hot unplug cpu device, QEMU has two ways
> > +to remove cpu device.
> > +  1. Using the ids which were assigned when you hot plugged cpus.
> > +  2. Using qom_path where the cpu is located in the guest.
> I wouldn't advertise #2 as it's possible to unplug CPUs created with
> -smp X with 
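Review bot: the hunk carries typos that will ship in the document as written: "modle" should be "model" and "hotpluged" should be "hotplugged"; the device_add example is split across two lines at `core-id=1,` / `thread-id=1`, which does not paste into the monitor, so keep it on one line. Earlier in the hunk the -smp synopsis writes `[,maxcpus=cpus]` where the placeholder should read `maxcpus=maxcpus`, and "which is present since v2.6.0" conflicts with the comment above that -device/device_add CPUs only arrive in 2.7.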

Re: [Qemu-devel] [Patch v2 00/29] s390x CPU models: exposing features

2016-08-08 Thread Fam Zheng
On Mon, 08/08 14:27, Eduardo Habkost wrote:
> On Mon, Aug 08, 2016 at 09:45:04AM -0700, 
> no-re...@ec2-52-6-146-230.compute-1.amazonaws.com wrote:
> > Hi,
> > 
> > Your series seems to have some coding style problems. See output below for
> > more information:
> [...]
> 
> Does anybody know who owns this robot?

Fam does.



[Qemu-devel] [PATCH repost] virtio-balloon: Remove needless precompiled directive

2016-08-08 Thread Liang Li
Since there is a wrapper around madvise(), the virtio-balloon
code is able to work without the precompiled directive, so the
directive can be removed.

Signed-off-by: Liang Li 
Suggested-by: Thomas Huth 
Reviewed-by: Dr. David Alan Gilbert 
---
 hw/virtio/virtio-balloon.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 5af429a..61325f2 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -34,13 +34,11 @@
 
 static void balloon_page(void *addr, int deflate)
 {
-#if defined(__linux__)
 if (!qemu_balloon_is_inhibited() && (!kvm_enabled() ||
  kvm_has_sync_mmu())) {
 qemu_madvise(addr, BALLOON_PAGE_SIZE,
 deflate ? QEMU_MADV_WILLNEED : QEMU_MADV_DONTNEED);
 }
-#endif
 }
 
 static const char *balloon_stat_names[] = {
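Review bot: with the `#if defined(__linux__)` removed, QEMU_MADV_WILLNEED and QEMU_MADV_DONTNEED are now referenced on every host, so the change relies on those constants being defined for non-Linux builds as well, not only on the qemu_madvise() wrapper the commit message mentions; stating that in the message (and what qemu_madvise() returns when the advice is unsupported, since the return value is ignored here) would make the justification complete.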
-- 
1.9.1




[Qemu-devel] [PATCH] migration: fix live migration failure with compression

2016-08-08 Thread Liang Li
Because of commit 11808bb0c422, which removed some condition checks
of 'f->ops->writev_buffer', 'qemu_put_qemu_file' should be enhanced
to clear 'f_src->iovcnt', or 'f_src->iovcnt' may exceed
MAX_IOV_SIZE, which will break live migration. This should be fixed.

Signed-off-by: Liang Li 
Reported-by: Jinshi Zhang 
---
 migration/qemu-file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/qemu-file.c b/migration/qemu-file.c
index bbc565e..e9fae31 100644
--- a/migration/qemu-file.c
+++ b/migration/qemu-file.c
@@ -668,6 +668,7 @@ int qemu_put_qemu_file(QEMUFile *f_des, QEMUFile *f_src)
 len = f_src->buf_index;
 qemu_put_buffer(f_des, f_src->buf, f_src->buf_index);
 f_src->buf_index = 0;
+f_src->iovcnt = 0;
 }
 return len;
 }
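Review bot: `f_src->iovcnt = 0;` is reset only on this branch, next to `f_src->buf_index = 0;`, with no explanation; a one-line comment saying why (the iov entries refer to buf, which is about to be reused once its bytes have been copied out) would keep the two resets from drifting apart, and any other path that drains f_src->buf should clear iovcnt the same way. It would also help the commit message to name the visible symptom when iovcnt exceeds MAX_IOV_SIZE, so the fix can be matched to bug reports.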
-- 
1.9.1




Re: [Qemu-devel] [Qemu-ppc] [PATCH] adb: change handler only when recognized

2016-08-08 Thread Benjamin Herrenschmidt
On Tue, 2016-08-09 at 02:11 +0200, BALATON Zoltan wrote:
> I don't know much about this but I've read here that there are three
> different kinds of chips: CUDA, PMU99 and PMU. Confusingly both PMU-s are
> called via-pmu by Apple.

And there's Egret ... ;-)

No really we don't care. There's more than 2 kinds in fact, it just
depends on whatever microcontroller's in there. But it's the same
protocol. It's always connected to the VIA.

> I think we want PMU99 which is found on desktop
> machines and not PMU found in Powerbooks (unless we want to emulate that)
> because PMU99 has less features and more similar to CUDA.

PMU99 doesn't have "less" features, it's the same in the desktop G4 and
a PowerBook G4. I will eventually add some of the powerbook'ish
features so we can support sleep ...

> But it has some 
> differences such as a different interrupt mentioned in this page and maybe 
> others.

The different interrupt is just a hack they did with KeyLargo ASIC,
instead of using the VIA CB1, it uses a GPIO to signal that the OS
needs to fetch interrupt conditions, but that's about it. The basic VIA
SR interrupt is still used for the basic shifting.

> However, desktop machines have no ADB so I'm not sure why we have 
> one still in QEMU.

Because PowerBooks do (or rather a PMU-simulation of ADB) and MacOS
doesn't care. If ADB is in the device-tree, it will use it. It makes
things easier to support multiple combinations especially when
"comparing" things for debug.

Additionally, USB doesn't work well in OpenBIOS at this point ;-)

Also, I have some evil plan to change the way ADB autopoll works in
Qemu so that the devices signal the PMU when they want to talk. That
will avoid having yet another 30-something HZ timer ticking in qemu,
and in that regard will probably be more efficient (read: slows down
the emulator less) than OHCI.

> If USB is working then we don't need ADB with PMU99 and 
> that could resolve all the problems with it.

I have solved the ADB problems so there's nothing left to solve here :-)
But see above why I think it's a good idea to keep ADB as an option.

> We can keep it to old world 
> beige G3 with CUDA where it works. I think only some Powerbooks have PMU 
> and ADB but we are not targeting that.

Why not?

> Here's an (untested) patch for
> switching to using USB keyboard and mouse instead of ADB unless USB is 
> disabled. (The device tree should be changed accordingly in OpenBIOS.) Not 
> sure if this is helpful.

Don't bother just yet, as I said, I am reworking all of that code. I will
probably just create various -machine options so you can choose what bits
and pieces you want to put together, i.e., CUDA, PMU, with or without ADB,
which machine model string to expose to the OS etc...

Cheers,
Ben.




Re: [Qemu-devel] [Qemu-ppc] [PATCH] adb: change handler only when recognized

2016-08-08 Thread BALATON Zoltan

On Tue, 9 Aug 2016, Benjamin Herrenschmidt wrote:

> On Sat, 2016-03-12 at 14:38 +0100, Hervé Poussineau wrote:
> 
> > ADB devices must take new handler into account only when they
> > recognize it.
> > This lets operating systems probe for valid/invalid handles, to know
> > device capabilities.
> > 
> > Add a FIXME in keyboard handler, which should use a different
> > translation
> > table depending on the selected handler.
> 
> Ah interesting ! I was just debugging why my new via-pmu model in Qemu
> makes the ADB mouse emulation not work, while I tracked it down to
> problems in that area and started re-inventing ... your patch :-)
> 
> The other issue is we shouldn't let the device change address unless
> it's one of the "special" handler IDs. MacOS 9 with a PMU tries to
> send an oddball 3-byte write to register 3 during boot to the mouse
> (probably some Trackpad related magic) with "2" in the address field,
> if we accept the address change, things go very wrong.


I don't know much about this but I've read here 
 that there are three 
different kinds of chips: CUDA, PMU99 and PMU. Confusingly both PMUs are 
called via-pmu by Apple. I think we want PMU99 which is found on desktop 
machines and not PMU found in Powerbooks (unless we want to emulate that) 
because PMU99 has fewer features and is more similar to CUDA. But it has some 
differences such as a different interrupt mentioned in this page and maybe 
others. However, desktop machines have no ADB so I'm not sure why we have 
one still in QEMU. If USB is working then we don't need ADB with PMU99 and 
that could resolve all the problems with it. We can keep it to old world 
beige G3 with CUDA where it works. I think only some Powerbooks have PMU 
and ADB but we are not targeting that. Here's an (untested) patch for 
switching to using USB keyboard and mouse instead of ADB unless USB is 
disabled. (The device tree should be changed accordingly in OpenBIOS.) Not 
sure if this is helpful.


--
Regards, 
BALATON Zoltan


diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 7d25106..bf8ad9b 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -418,24 +418,21 @@ static void ppc_core99_init(MachineState *machine)
 "ide[1]"));
 macio_ide_init_drives(macio_ide, [MAX_IDE_DEVS]);

-dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
-adb_bus = qdev_get_child_bus(dev, "adb.0");
-dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
-qdev_init_nofail(dev);
-dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
-qdev_init_nofail(dev);
-
 if (machine->usb) {
 pci_create_simple(pci_bus, -1, "pci-ohci");

-/* U3 needs to use USB for input because Linux doesn't support via-cuda
-on PPC64 */
-if (machine_arch == ARCH_MAC99_U3) {
-USBBus *usb_bus = usb_bus_find(-1);
+/* New world machines have USB instead of ADB */
+USBBus *usb_bus = usb_bus_find(-1);

-usb_create_simple(usb_bus, "usb-kbd");
-usb_create_simple(usb_bus, "usb-mouse");
-}
+usb_create_simple(usb_bus, "usb-kbd");
+usb_create_simple(usb_bus, "usb-mouse");
+} else {
+dev = DEVICE(object_resolve_path_component(OBJECT(macio), "cuda"));
+adb_bus = qdev_get_child_bus(dev, "adb.0");
+dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
+qdev_init_nofail(dev);
+dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
+qdev_init_nofail(dev);
 }

 pci_vga_init(pci_bus);
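Review bot: the new comment `/* New world machines have USB instead of ADB */` contradicts the `else` branch added right below it, which still wires an ADB keyboard and mouse to the CUDA whenever USB is disabled; reword it to state the actual policy (USB input devices when `machine->usb` is set, ADB otherwise). Dropping the old comment also loses the recorded reason for the U3 special case (Linux lacking via-cuda support on PPC64), which this change now applies to every new-world machine; keep that rationale in the new comment. As the cover note itself says, the OpenBIOS device tree has to change in step, since a guest that finds ADB nodes in the device tree will try to use them.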


[Qemu-devel] [Bug 1609968] Re: "cannot set up guest memory" b/c no automatic clearing of Linux' cache

2016-08-08 Thread Celmor
@dgilbert-h / Dr. David Alan Gilbert
Thanks for your answer.

b)
Mounted/used block devices:
NAME      MOUNTPOINT  TYPE   FSTYPE
sda                   disk   crypto_LUKS
└─Data1               crypt  zfs_member
├─sdb5    /           part   ext4
└─sdb6    /boot       part   vfat
sdd                   disk   crypto_LUKS
└─Data2               crypt  zfs_member
ZFS file system for extra space, also ZFS is the reason I'm not running the 
latest kernel...

a)
$ free
              total        used        free      shared  buff/cache   available
Mem:       16379476     7879216     1867196      188180     6633064     3587620
Swap:             0           0           0
$ qemu.sh -m 10240 && echo success || echo failed
qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory
failed
$ sudo sh -c 'echo 1 > /proc/sys/vm/overcommit_memory'
$ qemu.sh -m 10240 && echo success || echo failed
success

So setting /proc/sys/vm/overcommit_memory to 1 works, so I guess I'm gonna need 
to execute
sudo sh -c 'echo 1 > /proc/sys/vm/overcommit_memory'
at start of my qemu.sh script instead of the 'drop_caches' part.
I still think the kernel should do whatever function overcommit_memory is for 
automatically, but it seems to be the fault of the kernel of my distribution 
then, thanks for your help.

-- 
https://bugs.launchpad.net/bugs/1609968

Title:
  "cannot set up guest memory" b/c no automatic clearing of Linux' cache

Status in QEMU:
  New

Bug description:
  Version: qemu-2.6.0-1
  Kernel: 4.4.13-1-MANJARO
  Full script (shouldn't matter though): https://pastebin.com/Hp24PWNE

  Problem:
  When host has been up and used for a while cache has been filled so much that the 
guest can't be started without dropping caches.

  Expected behavior:
  Qemu should be able to request as much Memory as it needs and cause Linux to 
drop cache pages if needed. A user shouldn't be required to have to come to 
this conclusion and having to drop caches to start Qemu with the required 
amount of memory.

  My fix:
  Following command (as root) required before qemu start:
  # sync && echo 3 > /proc/sys/vm/drop_caches

  Example:
  $ sudo qemu.sh -m 10240 && echo success || echo failed
  qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate 
memory
  failed
  $ free
                total        used        free      shared  buff/cache   available
  Mem:       16379476     9126884     3462688      148480     3789904     5123572
  Swap:             0           0           0
  $ sudo sh -c 'sync && echo 3 > /proc/sys/vm/drop_caches'
  $ free
                total        used        free      shared  buff/cache   available
  Mem:       16379476     1694528    14106552      149772      578396    14256428
  Swap:             0           0           0
  $ sudo qemu.sh -m 10240  && echo success || echo failed
  success




Re: [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12

2016-08-08 Thread Cole Robinson
On 08/08/2016 05:03 PM, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.6.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.6-staging
> 
> The release is planned for 2016-08-17:
> 
>   http://wiki.qemu.org/Planning/2.6
> 
> Please respond here or CC qemu-sta...@nongnu.org on any patches you
> think should be included in the release.
> 
> Testing/feedback is greatly appreciated.
> 

Here are the additional patches I'm carrying in Fedora 24. You can see my tree
at https://github.com/crobinso/qemu/tree/fedora-24

commit 4fd811a6bd0b8f24f4761fc281454494c336d310
Author: Cole Robinson 
Date:   Fri May 6 14:03:05 2016 -0400

ui: gtk: fix crash when terminal inner-border is NULL

commit 56f289f383a871e871f944c7226920b35794efe6
Author: Cole Robinson 
Date:   Fri May 6 14:03:06 2016 -0400

ui: sdl2: Release grab before opening console window

commit e059bcdaed2b7b8a16f693309001674982393ab9
Author: Gerd Hoffmann 
Date:   Wed Jun 1 16:08:36 2016 +0200

sdl2: skip init without outputs

commit daafc661cc1a1de5a2e8ea0a7c0f396b827ebc3b
Author: Cole Robinson 
Date:   Wed May 18 12:40:50 2016 -0400

ui: spice: Exit if gl=on EGL init fails

commit 0bf8039dca6bfecec243a13ebcd224d3941d9242
Author: Cole Robinson 
Date:   Mon Jun 6 16:59:29 2016 +0100

hw/arm/virt: Reject gic-version=host for non-KVM


Stuff flagged as security issues:

commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f
Author: Prasad J Pandit 
Date:   Thu Apr 7 15:56:02 2016 +0530

net: mipsnet: check packet length against buffer

commit 1b85898025c4cd95dce673d15e67e60e98e91731
Author: Prasad J Pandit 
Date:   Wed May 25 16:01:29 2016 +0530

scsi: megasas: use appropriate property buffer size

commit cf5d698ed7320b017fd15df95bc42dfdb137
Author: Prasad J Pandit 
Date:   Wed May 25 17:41:44 2016 +0530

scsi: megasas: initialise local configuration data buffer

commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2
Author: Prasad J Pandit 
Date:   Wed May 25 17:55:10 2016 +0530

scsi: megasas: check 'read_queue_head' index value

commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a
Author: Prasad J Pandit 
Date:   Tue May 31 23:23:27 2016 +0530

scsi: esp: check buffer length before reading scsi command

commit d020aa504cec8f525b55ba2ef982c09dc847c72e
Author: Paolo Bonzini 
Date:   Tue Jun 14 15:10:24 2016 +0200

scsi: esp: respect FIFO invariant after message phase

commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f
Author: Paolo Bonzini 
Date:   Wed Jun 15 14:29:33 2016 +0200

scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11
Author: Prasad J Pandit 
Date:   Thu Jun 16 00:22:35 2016 +0200

scsi: esp: make cmdbuf big enough for maximum CDB size

commit 844864fbae66935951529408831c2f22367a57b6
Author: Prasad J Pandit 
Date:   Tue Jun 7 16:44:03 2016 +0530

scsi: megasas: null terminate bios version buffer





Re: [Qemu-devel] [Qemu-ppc] [PATCH] adb: change handler only when recognized

2016-08-08 Thread Benjamin Herrenschmidt
On Sat, 2016-03-12 at 14:38 +0100, Hervé Poussineau wrote:
> ADB devices must take new handler into account only when they
> recognize it.
> This lets operating systems probe for valid/invalid handles, to know
> device capabilities.
> 
> Add a FIXME in keyboard handler, which should use a different
> translation
> table depending on the selected handler.

Ah interesting ! I was just debugging why my new via-pmu model in Qemu
makes the ADB mouse emulation not work, while I tracked it down to
problems in that area and started re-inventing ... your patch :-)

The other issue is we shouldn't let the device change address unless
it's one of the "special" handler IDs. MacOS 9 with a PMU tries to
send an oddball 3-byte write to register 3 during boot to the mouse
(probably some Trackpad related magic) with "2" in the address field,
if we accept the address change, things go very wrong.

We should add support for handler 4 for the mouse at some point too
while we are at it (different protocol though reg 0 though).

I'll send a fixup patch to correctly ignore the address change for
now but I'll wait for you to rebase your patch for the rest.

Cheers,
Ben.

> Signed-off-by: Hervé Poussineau 
> ---
> 
> This conflicts with some in-list patches, but may explain why
> translation tables are not
> correct, or don't work in all situations.
> I have another patch to add 3-button mouse support, but I'll wait for
> 2.7 merge window.
> 
>  hw/input/adb.c | 26 +++---
>  1 file changed, 23 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/input/adb.c b/hw/input/adb.c
> index f0ad0d4..82bfb05 100644
> --- a/hw/input/adb.c
> +++ b/hw/input/adb.c
> @@ -237,6 +237,7 @@ static int adb_kbd_poll(ADBDevice *d, uint8_t
> *obuf)
>  if (keycode == 0xe0) {
>  ext_keycode = 1;
>  } else {
> +/* FIXME: take handler into account when translating
> keycode */
>  if (ext_keycode)
>  adb_keycode =  pc_to_adb_keycode[keycode | 0x80];
>  else
> @@ -283,9 +284,15 @@ static int adb_kbd_request(ADBDevice *d, uint8_t
> *obuf,
>  d->devaddr = buf[1] & 0xf;
>  break;
>  default:
> -/* XXX: check this */
>  d->devaddr = buf[1] & 0xf;
> -d->handler = buf[2];
> +/* we support handlers:
> + * 1: Apple Standard Keyboard
> + * 2: Apple Extended Keyboard (LShift = RShift)
> + * 3: Apple Extended Keyboard (LShift != RShift)
> + */
> +if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3) {
> +d->handler = buf[2];
> +}
>  break;
>  }
>  }
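Review bot: in the `default:` case the address update `d->devaddr = buf[1] & 0xf;` is still unconditional while only the handler ID is now gated on being recognised; as noted earlier in this thread, an unrecognised handler value (the 3-byte register 3 write MacOS 9 sends with 2 in the address field) will therefore still relocate the device. Consider moving the address change inside the same `if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3)` branch, or restricting it to the special handler IDs, and naming the 1/2/3 values rather than comparing literals.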
> @@ -492,8 +499,21 @@ static int adb_mouse_request(ADBDevice *d,
> uint8_t *obuf,
>  d->devaddr = buf[1] & 0xf;
>  break;
>  default:
> -/* XXX: check this */
>  d->devaddr = buf[1] & 0xf;
> +/* we support handlers:
> + * 0x01: Classic Apple Mouse Protocol / 100 cpi
> operations
> + * 0x02: Classic Apple Mouse Protocol / 200 cpi
> operations
> + * we don't support handlers (at least):
> + * 0x03: Mouse systems A3 trackball
> + * 0x04: Extended Apple Mouse Protocol
> + * 0x2f: Microspeed mouse
> + * 0x42: Macally
> + * 0x5f: Microspeed mouse
> + * 0x66: Microspeed mouse
> + */
> +if (buf[2] == 1 || buf[2] == 2) {
> +d->handler = buf[2];
> +}
>  break;
>  }
>  }
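Review bot: same issue as the keyboard hunk: `d->devaddr = buf[1] & 0xf;` is applied before the handler ID is checked, so the oddball write described above still moves the mouse even though its handler value is rejected. The comment listing unsupported handlers is useful; since handler 0x04 (Extended Apple Mouse Protocol) is already mentioned as a future addition, a named constant or small table for the accepted set would make that extension a one-line change.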


[Qemu-devel] [PATCH 07/56] target-mips: fix call to memset in soft reset code

2016-08-08 Thread Michael Roth
From: Aurelien Jarno 

Recent versions of GCC report the following error when compiling
target-mips/helper.c:

  qemu/target-mips/helper.c:542:9: warning: ‘memset’ used with length
  equal to number of elements without multiplication by element size
  [-Wmemset-elt-size]

This is indeed correct and due to a wrong usage of sizeof(). Fix that.

Cc: Stefan Weil 
Cc: Leon Alrae 
Cc: qemu-sta...@nongnu.org
LP: https://bugs.launchpad.net/qemu/+bug/1577841
Signed-off-by: Aurelien Jarno 
Reviewed-by: Stefan Weil 
Reviewed-by: Leon Alrae 
Signed-off-by: Leon Alrae 
(cherry picked from commit 9d989c732b153fe1576adbddb9879313a24d3cd2)
Signed-off-by: Michael Roth 
---
 target-mips/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-mips/helper.c b/target-mips/helper.c
index 1004ede..cfea177 100644
--- a/target-mips/helper.c
+++ b/target-mips/helper.c
@@ -539,7 +539,7 @@ void mips_cpu_do_interrupt(CPUState *cs)
 break;
 case EXCP_SRESET:
 env->CP0_Status |= (1 << CP0St_SR);
-memset(env->CP0_WatchLo, 0, sizeof(*env->CP0_WatchLo));
+memset(env->CP0_WatchLo, 0, sizeof(env->CP0_WatchLo));
 goto set_error_EPC;
 case EXCP_NMI:
 env->CP0_Status |= (1 << CP0St_NMI);
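Review bot: the change is correct only if `CP0_WatchLo` is an array member of the env struct; if it were a pointer, both `sizeof(*env->CP0_WatchLo)` and `sizeof(env->CP0_WatchLo)` would be wrong in different ways. The -Wmemset-elt-size warning quoted in the commit message implies an array, so this is fine, but it would be worth grepping target-mips for other `memset(..., sizeof(*env->...))` calls in the same change.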
-- 
1.9.1




[Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset

2016-08-08 Thread Michael Roth
From: John Snow 

If one attempts to perform a system_reset after a failed IO request
that causes the VM to enter a paused state, QEMU will segfault trying
to free up the pending IO requests.

These requests have already been completed and freed, though, so all
we need to do is NULL them before we enter the paused state.

Existing AHCI tests verify that halted requests are still resumed
successfully after a STOP event.

Analyzed-by: Laszlo Ersek 
Reviewed-by: Laszlo Ersek 
Signed-off-by: John Snow 
Message-id: 1469635201-11918-2-git-send-email-js...@redhat.com
Signed-off-by: John Snow 
(cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f)
Signed-off-by: Michael Roth 
---
 hw/ide/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 41e6a2d..e87dc57 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -806,6 +806,7 @@ static void ide_dma_cb(void *opaque, int ret)
 }
 if (ret < 0) {
 if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
+s->bus->dma->aiocb = NULL;
 return;
 }
 }
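Review bot: `s->bus->dma->aiocb = NULL;` is only reached on the path where `ide_handle_rw_error()` decides to pause the VM; a short comment stating that the request has already been completed and freed by the time this runs (the reason it is safe to drop the pointer rather than cancel it) would stop a future reader from "fixing" it into a cancel. Since the commit message only cites the AHCI tests, confirming that the non-DMA completion callbacks behave the same way after a STOP event would round this out.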
-- 
1.9.1




[Qemu-devel] [PATCH 05/56] exec.c: Ensure right alignment also for file backed ram

2016-08-08 Thread Michael Roth
From: Dominik Dingel 

While in the anonymous ram case we already take care of the right alignment,
such an alignment guarantee does not exist for file backed ram allocation.

Instead, pagesize is used for alignment. On s390 this is not enough for gmap,
as we need to satisfy an alignment up to segments.

Reported-by: Halil Pasic 
Signed-off-by: Dominik Dingel 

Message-Id: <1461585338-45863-1-git-send-email-din...@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit d2f39add725e2be849f5fb014a72368f711056fc)
Signed-off-by: Michael Roth 
---
 exec.c   |  5 +++--
 include/qemu/osdep.h | 13 +
 util/oslib-posix.c   | 13 -
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/exec.c b/exec.c
index c4f9036..fc75266 100644
--- a/exec.c
+++ b/exec.c
@@ -1296,7 +1296,7 @@ static void *file_ram_alloc(RAMBlock *block,
 }
 
 page_size = qemu_fd_getpagesize(fd);
-block->mr->align = page_size;
+block->mr->align = MAX(page_size, QEMU_VMALLOC_ALIGN);
 
 if (memory < page_size) {
 error_setg(errp, "memory size 0x" RAM_ADDR_FMT " must be equal to "
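Review bot: `MAX(page_size, QEMU_VMALLOC_ALIGN)` expands its second argument twice, and on the `#else` branch QEMU_VMALLOC_ALIGN is `getpagesize()`, a function call; harmless, but cheap to avoid by reading it into a local first. Also note the `if (memory < page_size)` check immediately below still validates against the page size while the mapping is now aligned to the larger `block->mr->align`; confirm that a backing file larger than a page but smaller than the alignment behaves as intended.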
@@ -1317,7 +1317,8 @@ static void *file_ram_alloc(RAMBlock *block,
 perror("ftruncate");
 }
 
-area = qemu_ram_mmap(fd, memory, page_size, block->flags & RAM_SHARED);
+area = qemu_ram_mmap(fd, memory, block->mr->align,
+ block->flags & RAM_SHARED);
 if (area == MAP_FAILED) {
 error_setg_errno(errp, errno,
  "unable to map backing store for guest RAM");
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 408783f..783270f 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -247,6 +247,19 @@ void qemu_anon_ram_free(void *ptr, size_t size);
 
 #endif
 
+#if defined(__linux__) && \
+(defined(__x86_64__) || defined(__arm__) || defined(__aarch64__))
+   /* Use 2 MiB alignment so transparent hugepages can be used by KVM.
+  Valgrind does not support alignments larger than 1 MiB,
+  therefore we need special code which handles running on Valgrind. */
+#  define QEMU_VMALLOC_ALIGN (512 * 4096)
+#elif defined(__linux__) && defined(__s390x__)
+   /* Use 1 MiB (segment size) alignment so gmap can be used by KVM. */
+#  define QEMU_VMALLOC_ALIGN (256 * 4096)
+#else
+#  define QEMU_VMALLOC_ALIGN getpagesize()
+#endif
+
 int qemu_madvise(void *addr, size_t len, int advice);
 
 int qemu_open(const char *name, int flags, ...);
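Review bot: moving QEMU_VMALLOC_ALIGN from util/oslib-posix.c into qemu/osdep.h makes the `#else` branch, `getpagesize()`, visible to every translation unit, including non-POSIX builds where the macro was never expanded before; check that osdep.h provides `getpagesize()` for those hosts or that nothing there uses the macro. The comment about Valgrind's 1 MiB limit refers to "special code which handles running on Valgrind" that is not in this header; a pointer to where that handling lives would help readers of the public definition.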
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index 6cc4b8f..4adde93 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -26,19 +26,6 @@
  * THE SOFTWARE.
  */
 
-#if defined(__linux__) && \
-(defined(__x86_64__) || defined(__arm__) || defined(__aarch64__))
-   /* Use 2 MiB alignment so transparent hugepages can be used by KVM.
-  Valgrind does not support alignments larger than 1 MiB,
-  therefore we need special code which handles running on Valgrind. */
-#  define QEMU_VMALLOC_ALIGN (512 * 4096)
-#elif defined(__linux__) && defined(__s390x__)
-   /* Use 1 MiB (segment size) alignment so gmap can be used by KVM. */
-#  define QEMU_VMALLOC_ALIGN (256 * 4096)
-#else
-#  define QEMU_VMALLOC_ALIGN getpagesize()
-#endif
-
 #include "qemu/osdep.h"
 #include 
 #include 
-- 
1.9.1




Re: [Qemu-devel] [PATCH 3/5] blockjob: refactor backup_start as backup_job_create

2016-08-08 Thread John Snow



On 08/08/2016 03:09 PM, John Snow wrote:

Refactor backup_start as backup_job_create, which only creates the job,
but does not automatically start it. The old interface, 'backup_start',
is not kept in favor of limiting the number of nearly-identical iterfaces
that would have to be edited to keep up with QAPI changes in the future.

Callers that wish to synchronously start the backup_block_job can
instead just call block_job_start immediately after calling
backup_job_create.

Transactions are updated to use the new interface, calling block_job_start
only during the .commit phase, which helps prevent race conditions where
jobs may finish before we even finish building the transaction. This may
happen, for instance, during empty blockup jobs.

Reported-by: Vladimir Sementsov-Ogievskiy 
Signed-off-by: John Snow 
---
 block/backup.c|  39 ++
 blockdev.c| 194 ++
 blockjob.c|   9 ++-
 include/block/block_int.h |  19 ++---
 4 files changed, 149 insertions(+), 112 deletions(-)

diff --git a/block/backup.c b/block/backup.c
index 2229e26..5878ffe 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -474,13 +474,16 @@ static void coroutine_fn backup_run(void *opaque)
 block_job_defer_to_main_loop(>common, backup_complete, data);
 }

-void backup_start(const char *job_id, BlockDriverState *bs,
-  BlockDriverState *target, int64_t speed,
-  MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
-  BlockdevOnError on_source_error,
-  BlockdevOnError on_target_error,
-  BlockCompletionFunc *cb, void *opaque,
-  BlockJobTxn *txn, Error **errp)
+BlockJob *backup_job_create(const char *job_id,
+BlockDriverState *bs,
+BlockDriverState *target,
+int64_t speed,
+MirrorSyncMode sync_mode,
+BdrvDirtyBitmap *sync_bitmap,
+BlockdevOnError on_source_error,
+BlockdevOnError on_target_error,
+BlockCompletionFunc *cb, void *opaque,
+BlockJobTxn *txn, Error **errp)
 {
 int64_t len;
 BlockDriverInfo bdi;
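Review bot: the new signature changes the contract (the job is created but not started, and NULL is returned with errp set on failure); that belongs in a doc comment on this definition and on the prototype in block_int.h, since a caller who forgets `block_job_start()` gets a silent no-op rather than a compile error.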
@@ -492,46 +495,46 @@ void backup_start(const char *job_id, BlockDriverState 
*bs,

 if (bs == target) {
 error_setg(errp, "Source and target cannot be the same");
-return;
+return NULL;
 }

 if (!bdrv_is_inserted(bs)) {
 error_setg(errp, "Device is not inserted: %s",
bdrv_get_device_name(bs));
-return;
+return NULL;
 }

 if (!bdrv_is_inserted(target)) {
 error_setg(errp, "Device is not inserted: %s",
bdrv_get_device_name(target));
-return;
+return NULL;
 }

 if (bdrv_op_is_blocked(bs, BLOCK_OP_TYPE_BACKUP_SOURCE, errp)) {
-return;
+return NULL;
 }

 if (bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
-return;
+return NULL;
 }

 if (sync_mode == MIRROR_SYNC_MODE_INCREMENTAL) {
 if (!sync_bitmap) {
 error_setg(errp, "must provide a valid bitmap name for "
  "\"incremental\" sync mode");
-return;
+return NULL;
 }

 /* Create a new bitmap, and freeze/disable this one. */
 if (bdrv_dirty_bitmap_create_successor(bs, sync_bitmap, errp) < 0) {
-return;
+return NULL;
 }
 } else if (sync_bitmap) {
 error_setg(errp,
"a sync_bitmap was provided to backup_run, "
"but received an incompatible sync_mode (%s)",
MirrorSyncMode_lookup[sync_mode]);
-return;
+return NULL;
 }

 len = bdrv_getlength(bs);
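Review bot: the error text `"a sync_bitmap was provided to backup_run, "` names the old entry point; while these lines are being touched, rename it to backup_job_create (or drop the function name from the message altogether).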
@@ -578,8 +581,8 @@ void backup_start(const char *job_id, BlockDriverState *bs,
 job->common.len = len;
 job->common.co = qemu_coroutine_create(backup_run, job);
 block_job_txn_add_job(txn, >common);
-block_job_start(>common);
-return;
+
+return >common;

  error:
 if (sync_bitmap) {
@@ -589,4 +592,6 @@ void backup_start(const char *job_id, BlockDriverState *bs,
 blk_unref(job->target);
 block_job_unref(>common);
 }
+
+return NULL;
 }
diff --git a/blockdev.c b/blockdev.c
index 2161400..4b041d9 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -1838,17 +1838,17 @@ typedef struct DriveBackupState {
 BlockJob *job;
 } DriveBackupState;

-static void do_drive_backup(const char *job_id, const char *device,
-const char *target, bool has_format,
-const char *format, enum MirrorSyncMode sync,
-bool has_mode, enum 

[Qemu-devel] [PATCH 06/56] usb:xhci: no DMA on HC reset

2016-08-08 Thread Michael Roth
From: Roman Kagan 

This patch is a rough fix to a memory corruption we are observing when
running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
xhci_disable_ep
  xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for
the first time as there are no slots configured yet.  However when the
firmware hands over the control to the OS some slots and endpoints are
already set up with their context in the guest RAM.  Now the OS' driver
resets the controller again and xhci_set_ep_state then reads and writes
that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the
device context base address array pointer is zero (indicating we're in
the HC reset and no DMA is possible).

Cc: qemu-sta...@nongnu.org
Signed-off-by: Roman Kagan 
Message-id: 1462384435-1034-1-git-send-email-rka...@virtuozzo.com
Signed-off-by: Gerd Hoffmann 
(cherry picked from commit 491d68d9382dbb588f2ff5132ee3d87ce2f1b230)
Signed-off-by: Michael Roth 
---
 hw/usb/hcd-xhci.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index bcde8a2..43ba615 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1531,7 +1531,10 @@ static TRBCCode xhci_disable_ep(XHCIState *xhci, 
unsigned int slotid,
 usb_packet_cleanup(>transfers[i].packet);
 }
 
-xhci_set_ep_state(xhci, epctx, NULL, EP_DISABLED);
+/* only touch guest RAM if we're not resetting the HC */
+if (xhci->dcbaap_low || xhci->dcbaap_high) {
+xhci_set_ep_state(xhci, epctx, NULL, EP_DISABLED);
+}
 
 timer_free(epctx->kick_timer);
 g_free(epctx);
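Review bot: the guard `if (xhci->dcbaap_low || xhci->dcbaap_high)` only protects guest memory if the reset path clears both DCBAAP halves before it reaches `xhci_disable_slot()`; the hunk does not show that ordering, so a comment (or an assertion in `xhci_reset`) recording the dependency is warranted, especially as the commit message calls this a rough fix. A guest that programs DCBAAP to zero outside of a reset would now also skip the endpoint-context write-back; that is the safer direction, but worth stating in the comment.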
-- 
1.9.1




[Qemu-devel] [PATCH 04/56] tools: kvm_stat: Powerpc related fixes

2016-08-08 Thread Michael Roth
From: Hemant Kumar 

kvm_stat script is failing to execute on powerpc :
 # ./kvm_stat
Traceback (most recent call last):
  File "./kvm_stat", line 825, in 
main()
  File "./kvm_stat", line 813, in main
providers = get_providers(options)
  File "./kvm_stat", line 778, in get_providers
providers.append(TracepointProvider())
  File "./kvm_stat", line 416, in __init__
self.filters = get_filters()
  File "./kvm_stat", line 315, in get_filters
if ARCH.exit_reasons:
AttributeError: 'ArchPPC' object has no attribute 'exit_reasons'

This is because it's trying to access a non-defined attribute.

Also, the IOCTL number of RESET is incorrect for powerpc. The correct
number has been added.

Signed-off-by: Hemant Kumar 
Signed-off-by: Paolo Bonzini 
* cherry-picked from linux commit c7d4fb5a
Signed-off-by: Michael Roth 
---
 scripts/kvm/kvm_stat | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
index 769d884..27d217a 100755
--- a/scripts/kvm/kvm_stat
+++ b/scripts/kvm/kvm_stat
@@ -256,11 +256,13 @@ class ArchPPC(Arch):
 self.ioctl_numbers = IOCTL_NUMBERS
 self.ioctl_numbers['ENABLE'] = 0x20002400
 self.ioctl_numbers['DISABLE'] = 0x20002401
+self.ioctl_numbers['RESET'] = 0x20002403
 
 # PPC comes in 32 and 64 bit and some generated ioctl
 # numbers depend on the wordsize.
 char_ptr_size = ctypes.sizeof(ctypes.c_char_p)
 self.ioctl_numbers['SET_FILTER'] = 0x80002406 | char_ptr_size << 16
+self.exit_reasons = {}
 
 class ArchA64(Arch):
 def __init__(self):
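Review bot: `self.exit_reasons = {}` fixes the AttributeError for ArchPPC only; since `get_filters()` reads `ARCH.exit_reasons` for every architecture, a default in the `Arch` base class would prevent the same failure in other subclasses such as `ArchA64` below. The new RESET number follows the 0x2000240x pattern of ENABLE/DISABLE, which is consistent, but a comment noting where the value was derived from would help whoever audits these numbers next.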
-- 
1.9.1




[Qemu-devel] [PATCH 08/56] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2

2016-08-08 Thread Michael Roth
From: Paolo Bonzini 

sfence was introduced before lfence and mfence.  This fixes Linux
2.4's measurement of checksumming speeds for the pIII_sse
algorithm:

md: linear personality registered as nr 1
md: raid0 personality registered as nr 2
md: raid1 personality registered as nr 3
md: raid5 personality registered as nr 4
raid5: measuring checksumming speed
   8regs :   384.400 MB/sec
   32regs:   259.200 MB/sec
invalid operand: 
CPU:0
EIP:0010:[]Not tainted
EFLAGS: 0246
eax: c15d8000   ebx:    ecx:    edx: c15d5000
esi: 8005003b   edi: 0004   ebp:    esp: c15bdf50
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, stackpage=c15bd000)
Stack:       

         

    0206 c0241c6c 1000 c15d4000 c15d7000 c15d4000
c15d4000
Call Trace:[] [] [] []
[]
  [] []

Code: 0f ae f8 0f 10 04 24 0f 10 4c 24 10 0f 10 54 24 20 0f 10 5c
 <0>Kernel panic: Attempted to kill init!

Reported-by: Stefan Weil 
Fixes: 121f3157887f92268a3d6169e2d4601f9292020b
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 14cb949a3e2efd64ea3271b919b33b452ce7b180)
Signed-off-by: Michael Roth 
---
 target-i386/translate.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 1a1214d..69760b4 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -8002,6 +8002,11 @@ static target_ulong disas_insn(CPUX86State *env, 
DisasContext *s,
 }
 /* fallthru */
 case 0xf9 ... 0xff: /* sfence */
+if (!(s->cpuid_features & CPUID_SSE)
+|| (prefixes & PREFIX_LOCK)) {
+goto illegal_op;
+}
+break;
 case 0xe8 ... 0xef: /* lfence */
 case 0xf0 ... 0xf7: /* mfence */
 if (!(s->cpuid_features & CPUID_SSE2)
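Review bot: the sfence case previously fell through into the lfence/mfence case and shared whatever follows its CPUID_SSE2 check; the new `break;` ends sfence handling early, so anything after that check (not visible in this hunk) is now skipped for sfence. Confirm nothing there was meant to apply to sfence as well. The `/* fallthru */` comment above refers to the case that enters this one and remains accurate.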
-- 
1.9.1




[Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size

2016-08-08 Thread Michael Roth
From: Stefan Hajnoczi 

A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.

In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:

  1. The driver places the buffer into free descriptor(s) in the
 descriptor table, chaining as necessary

and

  Note that the above code does not take precautions against the
  available ring buffer wrapping around: this is not possible since the
  ring buffer is the same size as the descriptor table, so step (1) will
  prevent such a condition.

This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.

QEMU is missing the check to prevent this case.  Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.

Reported-by: Zhenhao Hong 
Signed-off-by: Stefan Hajnoczi 
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
Signed-off-by: Michael Roth 
---
 hw/virtio/virtio.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 90f86cf..8ed260a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
 
 max = vq->vring.num;
 
+if (vq->inuse >= vq->vring.num) {
+error_report("Virtqueue size exceeded");
+exit(1);
+}
+
 i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
 if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
 vring_set_avail_event(vq, vq->last_avail_idx);
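Review bot: the check compares against `vq->vring.num` although `max` was assigned that same value on the line just above; use `max` for consistency. `exit(1)` terminates the whole VM on the first violation, which the commit message accepts as the way to make the buggy guest visible; a quieter alternative is to mark the device broken and stop servicing the queue, but that is a policy choice for the maintainers. The bound is only correct if `inuse` is decremented on every push/discard path, otherwise a well-behaved guest hits it after `vring.num` requests.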
-- 
1.9.1
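The bound the patch above introduces, shown as an added example that is not QEMU code: a toy virtqueue model (the names `ToyVirtQueue`, `toy_virtqueue_pop`, `toy_virtqueue_push`, `run_greedy_driver` and `run_polite_driver` are this example's own, and the queue size of 8 is constructed) in which a driver that keeps submitting buffers without waiting for completions is refused once every descriptor is in use, while a driver that completes each request is never refused.

```c
/*
 * Added example, not QEMU code: a minimal model of the virtqueue "inuse"
 * accounting that the patch bounds. The device pops an element per request
 * and pushes it back on completion; a driver that never waits, reusing
 * descriptors, would otherwise let the number of outstanding elements grow
 * without limit, and with it the memory the device allocates per element.
 */
#include <stdbool.h>
#include <stdio.h>

#define VRING_NUM 8U   /* constructed queue size; real queues are 128..1024 */

typedef struct {
    unsigned num;            /* descriptor table / ring size */
    unsigned inuse;          /* elements popped but not yet pushed back */
    unsigned last_avail_idx; /* next available-ring slot to consume */
} ToyVirtQueue;

/* Mirrors the patched check: refuse to pop once every descriptor is in use. */
static bool toy_virtqueue_pop(ToyVirtQueue *vq)
{
    if (vq->inuse >= vq->num) {
        return false;        /* QEMU reports "Virtqueue size exceeded" and exits */
    }
    vq->last_avail_idx++;
    vq->inuse++;             /* one more element outstanding */
    return true;
}

/* Completion: hand the element back, freeing its slot. */
static void toy_virtqueue_push(ToyVirtQueue *vq)
{
    if (vq->inuse > 0) {
        vq->inuse--;
    }
}

/*
 * A driver that submits `requests` buffers without ever waiting for a
 * completion. Returns how many the device accepted before refusing.
 */
unsigned run_greedy_driver(unsigned requests)
{
    ToyVirtQueue vq = { .num = VRING_NUM };
    unsigned accepted = 0;

    for (unsigned i = 0; i < requests; i++) {
        if (!toy_virtqueue_pop(&vq)) {
            break;           /* the bound stops it at vq.num outstanding */
        }
        accepted++;
    }
    return accepted;
}

/* A well-behaved driver that completes each request before the next. */
unsigned run_polite_driver(unsigned requests)
{
    ToyVirtQueue vq = { .num = VRING_NUM };
    unsigned accepted = 0;

    for (unsigned i = 0; i < requests; i++) {
        if (!toy_virtqueue_pop(&vq)) {
            break;
        }
        accepted++;
        toy_virtqueue_push(&vq);  /* completion keeps inuse at zero */
    }
    return accepted;
}

int main(void)
{
    printf("greedy driver: %u of 100 requests accepted\n", run_greedy_driver(100));
    printf("polite driver: %u of 100 requests accepted\n", run_polite_driver(100));
    return 0;
}
```

The greedy driver is stopped after exactly `VRING_NUM` outstanding elements, which is what turns an unbounded host-side allocation into a bounded one; the model also shows why the real check depends on every completion path decrementing `inuse`, since without the push a correct driver would hit the same limit.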




[Qemu-devel] [PATCH 50/56] nbd: More debug typo fixes, use correct formats

2016-08-08 Thread Michael Roth
From: Eric Blake 

Clean up some debug message oddities missed earlier; this includes
some typos, and recognizing that %d is not necessarily compatible
with uint32_t. Also add a couple messages that I found useful
while debugging things.

Signed-off-by: Eric Blake 

Message-Id: <1463006384-7734-3-git-send-email-ebl...@redhat.com>
[Do not use PRIx16, clang complains. - Paolo]
Signed-off-by: Paolo Bonzini 

(cherry picked from commit 2cb347493c5a0c3634dc13942ba65fdcefbcd34b)
* context prereq for 7423f41
Signed-off-by: Michael Roth 
---
 nbd/client.c | 41 ++---
 nbd/server.c | 48 +++-
 2 files changed, 49 insertions(+), 40 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 31b88f3..42e4e52 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -109,25 +109,27 @@ static int nbd_handle_reply_err(QIOChannel *ioc, uint32_t 
opt, uint32_t type,
 
 switch (type) {
 case NBD_REP_ERR_UNSUP:
-TRACE("server doesn't understand request %d, attempting fallback",
-  opt);
+TRACE("server doesn't understand request %" PRIx32
+  ", attempting fallback", opt);
 result = 0;
 goto cleanup;
 
 case NBD_REP_ERR_POLICY:
-error_setg(errp, "Denied by server for option %x", opt);
+error_setg(errp, "Denied by server for option %" PRIx32, opt);
 break;
 
 case NBD_REP_ERR_INVALID:
-error_setg(errp, "Invalid data length for option %x", opt);
+error_setg(errp, "Invalid data length for option %" PRIx32, opt);
 break;
 
 case NBD_REP_ERR_TLS_REQD:
-error_setg(errp, "TLS negotiation required before option %x", opt);
+error_setg(errp, "TLS negotiation required before option %" PRIx32,
+   opt);
 break;
 
 default:
-error_setg(errp, "Unknown error code when asking for option %x", opt);
+error_setg(errp, "Unknown error code when asking for option %" PRIx32,
+   opt);
 break;
 }
 
@@ -165,7 +167,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, 
Error **errp)
 }
 opt = be32_to_cpu(opt);
 if (opt != NBD_OPT_LIST) {
-error_setg(errp, "Unexpected option type %x expected %x",
+error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
opt, NBD_OPT_LIST);
 return -1;
 }
@@ -207,7 +209,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, 
Error **errp)
 return -1;
 }
 if (namelen > 255) {
-error_setg(errp, "export name length too long %d", namelen);
+error_setg(errp, "export name length too long %" PRIu32, namelen);
 return -1;
 }
 
@@ -234,7 +236,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, 
Error **errp)
 g_free(buf);
 }
 } else {
-error_setg(errp, "Unexpected reply type %x expected %x",
+error_setg(errp, "Unexpected reply type %" PRIx32 " expected %x",
type, NBD_REP_SERVER);
 return -1;
 }
@@ -349,7 +351,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 }
 opt = be32_to_cpu(opt);
 if (opt != NBD_OPT_STARTTLS) {
-error_setg(errp, "Unexpected option type %x expected %x",
+error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
opt, NBD_OPT_STARTTLS);
 return NULL;
 }
@@ -361,7 +363,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 }
 type = be32_to_cpu(type);
 if (type != NBD_REP_ACK) {
-error_setg(errp, "Server rejected request to start TLS %x",
+error_setg(errp, "Server rejected request to start TLS %" PRIx32,
type);
 return NULL;
 }
@@ -373,7 +375,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 }
 length = be32_to_cpu(length);
 if (length != 0) {
-error_setg(errp, "Start TLS response was not zero %x",
+error_setg(errp, "Start TLS response was not zero %" PRIu32,
length);
 return NULL;
 }
@@ -384,7 +386,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 return NULL;
 }
 data.loop = g_main_loop_new(g_main_context_default(), FALSE);
-TRACE("Starting TLS hanshake");
+TRACE("Starting TLS handshake");
 qio_channel_tls_handshake(tioc,
   nbd_tls_handshake,
   ,
@@ -474,7 +476,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char 
*name, uint32_t *flags,
 }
 globalflags = be16_to_cpu(globalflags);
 *flags = globalflags << 16;
-TRACE("Global flags are %x", globalflags);
+TRACE("Global flags are %" PRIx32, globalflags);
 if (globalflags & 
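Review bot: `globalflags` is a `uint16_t`, so `TRACE("Global flags are %" PRIx32, globalflags)` relies on default integer promotion to `int` rather than a width-matched macro; the bracketed note in the message records why `PRIx16` was dropped (clang warns), but a short comment at this TRACE would spare the next reader the same question, since the other conversions in this patch match the variable width exactly.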

[Qemu-devel] [PATCH 53/56] pcie: fix link active status bit migration

2016-08-08 Thread Michael Roth
From: "Michael S. Tsirkin" 

We changed link status register in pci express endpoint capability
over time. Specifically,

commit b2101eae63ea57b571cee4a9075a4287d24ba4a4 ("pcie: Set the "link
active" in the link status register") set data link layer link active
bit in this register without adding compatibility to old machine types.

When migrating from qemu 2.3 and older this affects xhci devices which
under machine type 2.0 and older have a pci express endpoint capability
even if they are on a pci bus.

Add compatibility flags to make this bit value match what it was under
2.3.

Additionally, to avoid breaking migration from qemu 2.3 and up,
suppress checking link status during migration: this seems sane
since hardware can change link status at any time.

https://bugzilla.redhat.com/show_bug.cgi?id=1352860

Reported-by: Gerd Hoffmann 
Fixes: b2101eae63ea57b571cee4a9075a4287d24ba4a4
("pcie: Set the "link active" in the link status register")
Cc: qemu-sta...@nongnu.org
Cc: Benjamin Herrenschmidt 
Signed-off-by: Michael S. Tsirkin 

(cherry picked from commit 6b4495401bdf442457b713b7e3994b465c55af35)
Conflicts:
hw/pci/pcie.c

* removed functional dependency on 6383292

Signed-off-by: Michael Roth 
---
 hw/pci/pci.c |  2 ++
 hw/pci/pcie.c| 15 ++-
 include/hw/compat.h  |  4 
 include/hw/pci/pci.h |  3 +++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index bb605ef..616f04c 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -62,6 +62,8 @@ static Property pci_props[] = {
 QEMU_PCI_CAP_MULTIFUNCTION_BITNR, false),
 DEFINE_PROP_BIT("command_serr_enable", PCIDevice, cap_present,
 QEMU_PCI_CAP_SERR_BITNR, true),
+DEFINE_PROP_BIT("x-pcie-lnksta-dllla", PCIDevice, cap_present,
+QEMU_PCIE_LNKSTA_DLLLA_BITNR, true),
 DEFINE_PROP_END_OF_LIST()
 };
 
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index 728386a..c85b4f7 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -47,6 +47,7 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t 
type, uint8_t port)
 {
 int pos;
 uint8_t *exp_cap;
+uint8_t *cmask;
 
 assert(pci_is_express(dev));
 
@@ -57,6 +58,7 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t 
type, uint8_t port)
 }
 dev->exp.exp_cap = pos;
 exp_cap = dev->config + pos;
+cmask = dev->cmask + pos;
 
 /* capability register
interrupt message number defaults to 0 */
@@ -80,7 +82,18 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t 
type, uint8_t port)
  PCI_EXP_LNK_LS_25);
 
 pci_set_word(exp_cap + PCI_EXP_LNKSTA,
- PCI_EXP_LNK_MLW_1 | PCI_EXP_LNK_LS_25 |PCI_EXP_LNKSTA_DLLLA);
+ PCI_EXP_LNK_MLW_1 | PCI_EXP_LNK_LS_25);
+
+if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
+pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
+   PCI_EXP_LNKSTA_DLLLA);
+}
+
+/* We changed link status bits over time, and changing them across
+ * migrations is generally fine as hardware changes them too.
+ * Let's not bother checking.
+ */
+pci_set_word(cmask + PCI_EXP_LNKSTA, 0);
 
 pci_set_long(exp_cap + PCI_EXP_DEVCAP2,
  PCI_EXP_DEVCAP2_EFF | PCI_EXP_DEVCAP2_EETLPP);
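Review bot: `pci_set_word(cmask + PCI_EXP_LNKSTA, 0)` disables the migration consistency check for the whole 16-bit Link Status register, not only the DLLLA bit that the new x-pcie-lnksta-dllla property controls; the comment above gives the rationale (hardware may change these bits at any time), so it is deliberate, but it should say explicitly that the entire register is now unchecked so a later change does not re-add a mask for a single bit without noticing.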
diff --git a/include/hw/compat.h b/include/hw/compat.h
index a5dbbf8..81fc19b 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -73,6 +73,10 @@
 .driver   = "virtio-rng-pci",\
 .property = "any_layout",\
 .value= "off",\
+},{\
+.driver   = TYPE_PCI_DEVICE,\
+.property = "x-pcie-lnksta-dllla",\
+.value= "off",\
 },
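Review bot: the new entry lands in the block that precedes `#define HW_COMPAT_2_2`, i.e. HW_COMPAT_2_3, which is consistent with the commit message's aim of matching 2.3 behaviour; because the driver is `TYPE_PCI_DEVICE` it turns the property off for every PCI device on those machine types, which is fine for non-express devices since the bit is only consulted from `pcie_cap_init`, but a brief comment saying the property is a no-op for non-express devices would help.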
 
 #define HW_COMPAT_2_2 \
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index ef6ba51..e7f2df5 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -173,6 +173,9 @@ enum {
 /* PCI Express capability - Power Controller Present */
 #define QEMU_PCIE_SLTCAP_PCP_BITNR 7
 QEMU_PCIE_SLTCAP_PCP = (1 << QEMU_PCIE_SLTCAP_PCP_BITNR),
+/* Link active status in endpoint capability is always set */
+#define QEMU_PCIE_LNKSTA_DLLLA_BITNR 8
+QEMU_PCIE_LNKSTA_DLLLA = (1 << QEMU_PCIE_LNKSTA_DLLLA_BITNR),
 };
 
 #define TYPE_PCI_DEVICE "pci-device"
-- 
1.9.1




[Qemu-devel] [PATCH 54/56] target-i386: fix typo in xsetbv implementation

2016-08-08 Thread Michael Roth
From: Dave Hansen 

QEMU 2.6 added support for the XSAVE family of instructions, which
includes the XSETBV instruction which allows setting the XCR0
register.

But, when booting Linux kernels with XSAVE support enabled, I was
getting very early crashes where the instruction pointer was set
to 0x3.  I tracked it down to a jump instruction generated by this:

gen_jmp_im(s->pc - pc_start);

where s->pc is pointing to the instruction after XSETBV and pc_start
is pointing _at_ XSETBV.  Subtract the two and you get 0x3.  Whoops.

The fix is to replace this typo with the pattern found everywhere
else in the file when folks want to end the translation buffer.

Richard Henderson confirmed that this is a bug and that this is the
correct fix.

Signed-off-by: Dave Hansen 
Cc: qemu-sta...@nongnu.org
Cc: Eduardo Habkost 
Reviewed-by: Richard Henderson 
Signed-off-by: Paolo Bonzini 
(cherry picked from commit ba03584f4f88082368b2562e515c3d60421b68ce)
Signed-off-by: Michael Roth 
---
 target-i386/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 69760b4..922347c 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -7170,7 +7170,7 @@ static target_ulong disas_insn(CPUX86State *env, 
DisasContext *s,
 tcg_gen_trunc_tl_i32(cpu_tmp2_i32, cpu_regs[R_ECX]);
 gen_helper_xsetbv(cpu_env, cpu_tmp2_i32, cpu_tmp1_i64);
 /* End TB because translation flags may change.  */
-gen_jmp_im(s->pc - pc_start);
+gen_jmp_im(s->pc - s->cs_base);
 gen_eob(s);
 break;
 
-- 
1.9.1




[Qemu-devel] [PATCH 47/56] util: Fix MIN_NON_ZERO

2016-08-08 Thread Michael Roth
From: Fam Zheng 

MIN_NON_ZERO(1, 0) is evaluated to 0. Rewrite the macro to fix it.

Reported-by: Miroslav Rezanina 
Signed-off-by: Fam Zheng 
Message-Id: <1468306113-847-1-git-send-email-f...@redhat.com>
Reviewed-by: Eric Blake 
Signed-off-by: Paolo Bonzini 
(cherry picked from commit d27ba624aa1dfe5c07cc01200d95967ffce905d9)
Signed-off-by: Michael Roth 
---
 include/qemu/osdep.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 783270f..94a1603 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -149,7 +149,8 @@ extern int daemon(int, int);
 /* Minimum function that returns zero only iff both values are zero.
  * Intended for use with unsigned values only. */
 #ifndef MIN_NON_ZERO
-#define MIN_NON_ZERO(a, b) (((a) != 0 && (a) < (b)) ? (a) : (b))
+#define MIN_NON_ZERO(a, b) ((a) == 0 ? (b) : \
+((b) == 0 ? (a) : (MIN(a, b
 #endif
 
 /* Round number down to multiple */
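Review bot: the rewritten `MIN_NON_ZERO` evaluates each argument up to three times (once in its own `== 0` test and again inside `MIN`), so arguments with side effects are evaluated repeatedly; the comment above already restricts the macro to unsigned values and should also note that arguments must be side-effect free, as callers are otherwise likely to pass function calls or post-increments.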
-- 
1.9.1




[Qemu-devel] [PATCH 49/56] Fix some typos found by codespell

2016-08-08 Thread Michael Roth
From: Stefan Weil 

Signed-off-by: Stefan Weil 
Reviewed-by: Peter Maydell 
Signed-off-by: Michael Tokarev 
(cherry picked from commit cb8d4c8f54b8271f642f02382eec29d468bb1c77)
* context prereq for 2cb34749
Signed-off-by: Michael Roth 
---
 audio/mixeng.c  |  2 +-
 audio/ossaudio.c|  2 +-
 contrib/ivshmem-server/ivshmem-server.h |  2 +-
 docs/specs/rocker.txt   |  2 +-
 docs/throttle.txt   |  2 +-
 hw/i2c/imx_i2c.c|  2 +-
 hw/net/vmxnet3.c|  4 ++--
 hw/pci/msi.c|  2 +-
 hw/pci/pci_bridge.c |  2 +-
 hw/scsi/spapr_vscsi.c   |  2 +-
 hw/scsi/vmw_pvscsi.c|  2 +-
 hw/timer/a9gtimer.c |  2 +-
 hw/timer/aspeed_timer.c |  4 ++--
 include/crypto/random.h |  2 +-
 include/hw/xen/xen_common.h |  2 +-
 include/io/task.h   |  2 +-
 include/qemu/osdep.h|  2 +-
 kvm-all.c   |  2 +-
 migration/migration.c   |  2 +-
 migration/ram.c |  2 +-
 nbd/client.c|  2 +-
 qga/channel-win32.c |  2 +-
 qga/commands.c  |  4 ++--
 scripts/checkpatch.pl   |  2 +-
 slirp/socket.c  |  2 +-
 target-cris/translate.c |  4 ++--
 target-cris/translate_v10.c |  2 +-
 target-i386/cpu.c   |  2 +-
 target-i386/cpu.h   |  2 +-
 target-mips/op_helper.c |  2 +-
 target-tricore/translate.c  |  2 +-
 tcg/README  |  2 +-
 tests/tcg/cris/check_addo.c | 14 +++---
 trace/simple.c  |  4 ++--
 ui/cocoa.m  |  2 +-
 util/timed-average.c|  4 ++--
 36 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/audio/mixeng.c b/audio/mixeng.c
index 981b97a..61ef869 100644
--- a/audio/mixeng.c
+++ b/audio/mixeng.c
@@ -270,7 +270,7 @@ f_sample *mixeng_clip[2][2][2][3] = {
  * August 21, 1998
  * Copyright 1998 Fabrice Bellard.
  *
- * [Rewrote completly the code of Lance Norskog And Sundry
+ * [Rewrote completely the code of Lance Norskog And Sundry
  * Contributors with a more efficient algorithm.]
  *
  * This source code is freely redistributable and may be used for
diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index 349e9dd..a0d9cda 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -898,7 +898,7 @@ static struct audio_option oss_options[] = {
 .name  = "EXCLUSIVE",
 .tag   = AUD_OPT_BOOL,
 .valp  = _conf.exclusive,
-.descr = "Open device in exclusive mode (vmix wont work)"
+.descr = "Open device in exclusive mode (vmix won't work)"
 },
 #ifdef USE_DSP_POLICY
 {
diff --git a/contrib/ivshmem-server/ivshmem-server.h 
b/contrib/ivshmem-server/ivshmem-server.h
index 3851639..d37ca85 100644
--- a/contrib/ivshmem-server/ivshmem-server.h
+++ b/contrib/ivshmem-server/ivshmem-server.h
@@ -15,7 +15,7 @@
  * unix socket. For each client, the server will create some eventfd
  * (see EVENTFD(2)), one per vector. These fd are transmitted to all
  * clients using the SCM_RIGHTS cmsg message. Therefore, each client is
- * able to send a notification to another client without beeing
+ * able to send a notification to another client without being
  * "profixied" by the server.
  *
  * We use this mechanism to send interruptions between guests.
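Review bot: the context line immediately after the fixed one still reads `"profixied" by the server`, which is not a word (presumably "proxied"); since the point of the patch is spelling fixes, that line should be corrected in the same hunk.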
diff --git a/docs/specs/rocker.txt b/docs/specs/rocker.txt
index d2a8262..1857b31 100644
--- a/docs/specs/rocker.txt
+++ b/docs/specs/rocker.txt
@@ -303,7 +303,7 @@ Endianness
 --
 
 Device registers are hard-coded to little-endian (LE).  The driver should
-convert to/from host endianess to LE for device register accesses.
+convert to/from host endianness to LE for device register accesses.
 
 Descriptors are LE.  Descriptor buffer TLVs will have LE type and length
 fields, but the value field can either be LE or network-byte-order, depending
diff --git a/docs/throttle.txt b/docs/throttle.txt
index 28204e4..06ed9b3 100644
--- a/docs/throttle.txt
+++ b/docs/throttle.txt
@@ -10,7 +10,7 @@ Introduction
 
 QEMU includes a throttling module that can be used to set limits to
 I/O operations. The code itself is generic and independent of the I/O
-units, but it is currenly used to limit the number of bytes per second
+units, but it is currently used to limit the number of bytes per second
 and operations per second (IOPS) when performing disk I/O.
 
 This document explains how to use the throttling code in QEMU, and how
diff --git a/hw/i2c/imx_i2c.c 

[Qemu-devel] [PATCH 52/56] nbd: Limit nbdflags to 16 bits

2016-08-08 Thread Michael Roth
From: Eric Blake 

Rather than asserting that nbdflags is within range, just give
it the correct type to begin with :)  nbdflags corresponds to
the per-export portion of NBD Protocol "transmission flags", which
is 16 bits in response to NBD_OPT_EXPORT_NAME and NBD_OPT_GO.

Furthermore, upstream NBD has never passed the global flags to
the kernel via ioctl(NBD_SET_FLAGS) (the ioctl was first
introduced in NBD 2.9.22; then a latent bug in NBD 3.1 actually
tried to OR the global flags with the transmission flags, with
the disaster that the addition of NBD_FLAG_NO_ZEROES in 3.9
caused all earlier NBD 3.x clients to treat every export as
read-only; NBD 3.10 and later intentionally clip things to 16
bits to pass only transmission flags).  Qemu should follow suit,
since the current two global flags (NBD_FLAG_FIXED_NEWSTYLE
and NBD_FLAG_NO_ZEROES) have no impact on the kernel's behavior
during transmission.

CC: qemu-sta...@nongnu.org
Signed-off-by: Eric Blake 

Message-Id: <1469129688-22848-3-git-send-email-ebl...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 7423f417827146f956df820f172d0bf80a489495)
Signed-off-by: Michael Roth 
---
 block/nbd-client.h  |  2 +-
 include/block/nbd.h |  6 +++---
 nbd/client.c| 28 +++-
 nbd/server.c| 10 --
 qemu-nbd.c  |  4 ++--
 5 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/block/nbd-client.h b/block/nbd-client.h
index bc7aec0..1243612 100644
--- a/block/nbd-client.h
+++ b/block/nbd-client.h
@@ -20,7 +20,7 @@
 typedef struct NbdClientSession {
 QIOChannelSocket *sioc; /* The master data channel */
 QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
-uint32_t nbdflags;
+uint16_t nbdflags;
 off_t size;
 
 CoMutex send_mutex;
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 36dde24..fde4421 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -84,11 +84,11 @@ ssize_t nbd_wr_syncv(QIOChannel *ioc,
  size_t offset,
  size_t length,
  bool do_read);
-int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
+int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags,
   QCryptoTLSCreds *tlscreds, const char *hostname,
   QIOChannel **outioc,
   off_t *size, Error **errp);
-int nbd_init(int fd, QIOChannelSocket *sioc, uint32_t flags, off_t size);
+int nbd_init(int fd, QIOChannelSocket *sioc, uint16_t flags, off_t size);
 ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request);
 ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply);
 int nbd_client(int fd);
@@ -98,7 +98,7 @@ typedef struct NBDExport NBDExport;
 typedef struct NBDClient NBDClient;
 
 NBDExport *nbd_export_new(BlockBackend *blk, off_t dev_offset, off_t size,
-  uint32_t nbdflags, void (*close)(NBDExport *),
+  uint16_t nbdflags, void (*close)(NBDExport *),
   Error **errp);
 void nbd_export_close(NBDExport *exp);
 void nbd_export_get(NBDExport *exp);
diff --git a/nbd/client.c b/nbd/client.c
index e72befd..1a01b6c 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -406,7 +406,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 }
 
 
-int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
+int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags,
   QCryptoTLSCreds *tlscreds, const char *hostname,
   QIOChannel **outioc,
   off_t *size, Error **errp)
@@ -466,7 +466,6 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char 
*name, uint32_t *flags,
 uint32_t opt;
 uint32_t namesize;
 uint16_t globalflags;
-uint16_t exportflags;
 bool fixedNewStyle = false;
 
 if (read_sync(ioc, , sizeof(globalflags)) !=
@@ -475,7 +474,6 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char 
*name, uint32_t *flags,
 goto fail;
 }
 globalflags = be16_to_cpu(globalflags);
-*flags = globalflags << 16;
 TRACE("Global flags are %" PRIx32, globalflags);
 if (globalflags & NBD_FLAG_FIXED_NEWSTYLE) {
 fixedNewStyle = true;
@@ -543,17 +541,15 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char 
*name, uint32_t *flags,
 goto fail;
 }
 *size = be64_to_cpu(s);
-TRACE("Size is %" PRIu64, *size);
 
-if (read_sync(ioc, , sizeof(exportflags)) !=
-sizeof(exportflags)) {
+if (read_sync(ioc, flags, sizeof(*flags)) != sizeof(*flags)) {
 error_setg(errp, "Failed to read export flags");
 goto fail;
 }
-exportflags 
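Review bot: the removal of `TRACE("Size is %" PRIu64, *size);` is not mentioned in the commit message, which only describes narrowing `nbdflags` to 16 bits; if the trace is being dropped because it is redundant with a message elsewhere, say so in the commit message, otherwise it should stay. Reading directly into `*flags` with `read_sync(ioc, flags, sizeof(*flags))` also assumes the caller's `uint16_t` receives a big-endian value that is converted afterwards, which the hunk cuts off before showing.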

[Qemu-devel] [PATCH 43/56] Revert "virtio-net: unbreak self announcement and guest offloads after migration"

2016-08-08 Thread Michael Roth
From: "Michael S. Tsirkin" 

This reverts commit 1f8828ef573c83365b4a87a776daf8bcef1caa21.

Cc: qemu-sta...@nongnu.org
Reported-by: Robin Geuze 
Tested-by: Robin Geuze 
Signed-off-by: Michael S. Tsirkin 
(cherry picked from commit 6c6668232e71b7cf7ff39fa1a7abf660c40f9cea)
Signed-off-by: Michael Roth 
---
 hw/net/virtio-net.c | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 5798f87..8aaa103 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1542,33 +1542,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, 
int version_id)
 {
 VirtIONet *n = opaque;
 VirtIODevice *vdev = VIRTIO_DEVICE(n);
-int ret;
 
 if (version_id < 2 || version_id > VIRTIO_NET_VM_VERSION)
 return -EINVAL;
 
-ret = virtio_load(vdev, f, version_id);
-if (ret) {
-return ret;
-}
-
-if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS)) {
-n->curr_guest_offloads = qemu_get_be64(f);
-} else {
-n->curr_guest_offloads = virtio_net_supported_guest_offloads(n);
-}
-
-if (peer_has_vnet_hdr(n)) {
-virtio_net_apply_guest_offloads(n);
-}
-
-if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_GUEST_ANNOUNCE) &&
-virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_VQ)) {
-n->announce_counter = SELF_ANNOUNCE_ROUNDS;
-timer_mod(n->announce_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL));
-}
-
-return 0;
+return virtio_load(vdev, f, version_id);
 }
 
 static int virtio_net_load_device(VirtIODevice *vdev, QEMUFile *f,
@@ -1665,6 +1643,16 @@ static int virtio_net_load_device(VirtIODevice *vdev, 
QEMUFile *f,
 }
 }
 
+if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS)) {
+n->curr_guest_offloads = qemu_get_be64(f);
+} else {
+n->curr_guest_offloads = virtio_net_supported_guest_offloads(n);
+}
+
+if (peer_has_vnet_hdr(n)) {
+virtio_net_apply_guest_offloads(n);
+}
+
 virtio_net_set_queues(n);
 
 /* Find the first multicast entry in the saved MAC filter */
@@ -1682,6 +1670,12 @@ static int virtio_net_load_device(VirtIODevice *vdev, 
QEMUFile *f,
 qemu_get_subqueue(n->nic, i)->link_down = link_down;
 }
 
+if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_GUEST_ANNOUNCE) &&
+virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_VQ)) {
+n->announce_counter = SELF_ANNOUNCE_ROUNDS;
+timer_mod(n->announce_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL));
+}
+
 return 0;
 }
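Review bot: moving the `VIRTIO_NET_F_CTRL_GUEST_OFFLOADS` and `VIRTIO_NET_F_GUEST_ANNOUNCE` / `VIRTIO_NET_F_CTRL_VQ` tests back into `virtio_net_load_device` makes them run from inside `virtio_load`, before the full 64-bit feature word has been restored; this revert therefore only works together with the companion change in this series that sets the low 32 feature bits early in `virtio_load`, and that dependency should be called out in the commit message so the two are not backported separately.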
 
-- 
1.9.1




[Qemu-devel] [PATCH 48/56] block/iscsi: fix rounding in iscsi_allocationmap_set

2016-08-08 Thread Michael Roth
From: Peter Lieven 

When setting clusters as allocated the boundaries have
to be expanded. As Paolo pointed out the calculation of
the number of clusters is wrong:

Suppose cluster_sectors is 2, sector_num = 1, nb_sectors = 6:

In the "mark allocated" case, you want to set 0..8, i.e.
cluster_num=0, nb_clusters=4.

   0--.--2--.--4--.--6--.--8
   <--|_|-->  (<--> = expanded)

Instead you are setting nb_clusters=3, so that 6..8 is not marked.

   0--.--2--.--4--.--6--.--8
   <--|__|!!! (! = wrong)

Cc: qemu-sta...@nongnu.org
Reported-by: Paolo Bonzini 
Signed-off-by: Peter Lieven 
Message-Id: <1468831940-15556-2-git-send-email...@kamp.de>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit eb36b953e0ebf4129b188a241fbc367062ac2e06)
Signed-off-by: Michael Roth 
---
 block/iscsi.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 172e6cf..0466c30 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -425,12 +425,14 @@ static unsigned long *iscsi_allocationmap_init(IscsiLun 
*iscsilun)
 static void iscsi_allocationmap_set(IscsiLun *iscsilun, int64_t sector_num,
 int nb_sectors)
 {
+int64_t cluster_num, nb_clusters;
 if (iscsilun->allocationmap == NULL) {
 return;
 }
-bitmap_set(iscsilun->allocationmap,
-   sector_num / iscsilun->cluster_sectors,
-   DIV_ROUND_UP(nb_sectors, iscsilun->cluster_sectors));
+cluster_num = sector_num / iscsilun->cluster_sectors;
+nb_clusters = DIV_ROUND_UP(sector_num + nb_sectors,
+   iscsilun->cluster_sectors) - cluster_num;
+bitmap_set(iscsilun->allocationmap, cluster_num, nb_clusters);
 }
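Review bot: `cluster_num` and `nb_clusters` are `int64_t` but are passed to `bitmap_set`, whose index and length parameters are `long`, so on 32-bit hosts the values narrow silently; the arithmetic itself matches the commit message example (cluster_sectors 2, sector_num 1, nb_sectors 6 gives cluster_num 0, nb_clusters 4), but either an assertion that the values fit or a comment stating the assumption would make it explicit.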
 
 static void iscsi_allocationmap_clear(IscsiLun *iscsilun, int64_t sector_num,
-- 
1.9.1




[Qemu-devel] [PATCH 45/56] blockdev: Fix regression with the default naming of throttling groups

2016-08-08 Thread Michael Roth
From: Alberto Garcia 

When I/O limits are set for a block device, the name of the throttling
group is taken from the BlockBackend if the user doesn't specify one.

Commit efaa7c4eeb7490c6f37f3 moved the naming of the BlockBackend in
blockdev_init() to the end of the function, after I/O limits are set.
The consequence is that the throttling group gets an empty name.

Signed-off-by: Alberto Garcia 
Reported-by: Stefan Hajnoczi 
Cc: Max Reitz 
Cc: qemu-sta...@nongnu.org
* backport of ff356ee
Signed-off-by: Michael Roth 
---
 blockdev.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/blockdev.c b/blockdev.c
index f1f520a..260a6f5 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -481,6 +481,7 @@ static BlockBackend *blockdev_init(const char *file, QDict 
*bs_opts,
 const char *id;
 BlockdevDetectZeroesOptions detect_zeroes =
 BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF;
+const char *blk_id;
 const char *throttling_group = NULL;
 
 /* Check common options by copying from bs_opts to opts, all other options
@@ -510,6 +511,8 @@ static BlockBackend *blockdev_init(const char *file, QDict 
*bs_opts,
 
 writethrough = !qemu_opt_get_bool(opts, BDRV_OPT_CACHE_WB, true);
 
+blk_id = qemu_opts_id(opts);
+
 qdict_extract_subqdict(bs_opts, _dict, "stats-intervals.");
 qdict_array_split(interval_dict, _list);
 
@@ -579,7 +582,7 @@ static BlockBackend *blockdev_init(const char *file, QDict 
*bs_opts,
 
 if (throttle_enabled()) {
 if (!throttling_group) {
-throttling_group = blk_name(blk);
+throttling_group = blk_id;
 }
 blk_rs->throttle_group = g_strdup(throttling_group);
 blk_rs->throttle_state = throttle_group_incref(throttling_group);
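Review bot: `blk_id = qemu_opts_id(opts)` can be NULL when the options carry no id, and it is now used as the throttling group name via `g_strdup(throttling_group)` and `throttle_group_incref(throttling_group)`; the previous `blk_name(blk)` always returned a string. Please confirm that every caller reaching this path has an id set, or fall back to a non-NULL name before the `throttle_enabled()` branch.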
@@ -614,7 +617,7 @@ static BlockBackend *blockdev_init(const char *file, QDict 
*bs_opts,
 /* disk I/O throttling */
 if (throttle_enabled()) {
 if (!throttling_group) {
-throttling_group = blk_name(blk);
+throttling_group = blk_id;
 }
 bdrv_io_limits_enable(bs, throttling_group);
 bdrv_set_io_limits(bs, );
@@ -636,7 +639,7 @@ static BlockBackend *blockdev_init(const char *file, QDict 
*bs_opts,
 blk_set_enable_write_cache(blk, !writethrough);
 blk_set_on_error(blk, on_read_error, on_write_error);
 
-if (!monitor_add_blk(blk, qemu_opts_id(opts), errp)) {
+if (!monitor_add_blk(blk, blk_id, errp)) {
 blk_unref(blk);
 blk = NULL;
 goto err_no_bs_opts;
-- 
1.9.1




[Qemu-devel] [PATCH 46/56] qemu-iotests: Test naming of throttling groups

2016-08-08 Thread Michael Roth
From: Alberto Garcia 

Throttling groups are named using the 'group' parameter of the
block_set_io_throttle command and the throttling.group command-line
option. If that parameter is unspecified the groups get the name of
the block device.

This patch adds a new test to check the naming of throttling groups.

Signed-off-by: Alberto Garcia 
* backport of 435d5ee
Signed-off-by: Michael Roth 
---
 tests/qemu-iotests/093 | 98 ++
 tests/qemu-iotests/093.out |  4 +-
 2 files changed, 100 insertions(+), 2 deletions(-)

diff --git a/tests/qemu-iotests/093 b/tests/qemu-iotests/093
index ce8e13c..ffcb271 100755
--- a/tests/qemu-iotests/093
+++ b/tests/qemu-iotests/093
@@ -184,5 +184,103 @@ class ThrottleTestCase(iotests.QMPTestCase):
 class ThrottleTestCoroutine(ThrottleTestCase):
 test_img = "null-co://"
 
+class ThrottleTestGroupNames(iotests.QMPTestCase):
+test_img = "null-aio://"
+max_drives = 3
+
+def setUp(self):
+self.vm = iotests.VM()
+for i in range(0, self.max_drives):
+self.vm.add_drive(self.test_img, "throttling.iops-total=100")
+self.vm.launch()
+
+def tearDown(self):
+self.vm.shutdown()
+
+def set_io_throttle(self, device, params):
+params["device"] = device
+result = self.vm.qmp("block_set_io_throttle", conv_keys=False, 
**params)
+self.assert_qmp(result, 'return', {})
+
+def verify_name(self, device, name):
+result = self.vm.qmp("query-block")
+for r in result["return"]:
+if r["device"] == device:
+info = r["inserted"]
+if name:
+self.assertEqual(info["group"], name)
+else:
+self.assertFalse(info.has_key('group'))
+return
+
+raise Exception("No group information found for '%s'" % device)
+
+def test_group_naming(self):
+params = {"bps": 0,
+  "bps_rd": 0,
+  "bps_wr": 0,
+  "iops": 0,
+  "iops_rd": 0,
+  "iops_wr": 0}
+
+# Check the drives added using the command line.
+# The default throttling group name is the device name.
+for i in range(self.max_drives):
+devname = "drive%d" % i
+self.verify_name(devname, devname)
+
+# Clear throttling settings => the group name is gone.
+for i in range(self.max_drives):
+devname = "drive%d" % i
+self.set_io_throttle(devname, params)
+self.verify_name(devname, None)
+
+# Set throttling settings using block_set_io_throttle and
+# check the default group names.
+params["iops"] = 10
+for i in range(self.max_drives):
+devname = "drive%d" % i
+self.set_io_throttle(devname, params)
+self.verify_name(devname, devname)
+
+# Set a custom group name for each device
+for i in range(3):
+devname = "drive%d" % i
+groupname = "group%d" % i
+params['group'] = groupname
+self.set_io_throttle(devname, params)
+self.verify_name(devname, groupname)
+
+# Put drive0 in group1 and check that all other devices remain
+# unchanged
+params['group'] = 'group1'
+self.set_io_throttle('drive0', params)
+self.verify_name('drive0', 'group1')
+for i in range(1, self.max_drives):
+devname = "drive%d" % i
+groupname = "group%d" % i
+self.verify_name(devname, groupname)
+
+# Put drive0 in group2 and check that all other devices remain
+# unchanged
+params['group'] = 'group2'
+self.set_io_throttle('drive0', params)
+self.verify_name('drive0', 'group2')
+for i in range(1, self.max_drives):
+devname = "drive%d" % i
+groupname = "group%d" % i
+self.verify_name(devname, groupname)
+
+# Clear throttling settings from drive0 check that all other
+# devices remain unchanged
+params["iops"] = 0
+self.set_io_throttle('drive0', params)
+self.verify_name('drive0', None)
+for i in range(1, self.max_drives):
+devname = "drive%d" % i
+groupname = "group%d" % i
+self.verify_name(devname, groupname)
+
+
 if __name__ == '__main__':
 iotests.main(supported_fmts=["raw"])
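Review bot: `self.assertFalse(info.has_key('group'))` uses the Python 2-only `dict.has_key`, so the test breaks under Python 3; `self.assertNotIn('group', info)` works on both and gives a clearer failure message. Also, `for i in range(3):` in the custom-group loop hardcodes the drive count that the other loops take from `self.max_drives`; use the attribute consistently so changing `max_drives` does not silently skip drives.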
diff --git a/tests/qemu-iotests/093.out b/tests/qemu-iotests/093.out
index 89968f3..914e373 100644
--- a/tests/qemu-iotests/093.out
+++ b/tests/qemu-iotests/093.out
@@ -1,5 +1,5 @@
-
+.
 --
-Ran 4 tests
+Ran 5 tests
 
 OK
-- 
1.9.1




[Qemu-devel] [PATCH 42/56] virtio: set low features early on load

2016-08-08 Thread Michael Roth
From: "Michael S. Tsirkin" 

virtio migrates the low 32 feature bits twice, the first copy is there
for compatibility but ever since
019a3edbb25f1571e876f8af1ce4c55412939e5d: ("virtio: make features 64bit
wide") it's ignored on load. This is wrong since virtio_net_load tests
self announcement and guest offloads before the second copy including
high feature bits is loaded.  This means that self announcement, control
vq and guest offloads are all broken after migration.

Fix it up by loading low feature bits: somewhat ugly since high and low
bits become out of sync temporarily, but seems unavoidable for
compatibility.  The right thing to do for new features is probably to
test the host features, anyway.

Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
("virtio: make features 64bit wide")
Cc: qemu-sta...@nongnu.org
Reported-by: Robin Geuze 
Tested-by: Robin Geuze 
Signed-off-by: Michael S. Tsirkin 

(cherry picked from commit 62cee1a28aada2cce4b0e1fb835d8fc830aed7ac)
Signed-off-by: Michael Roth 
---
 hw/virtio/virtio.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 30ede3d..90f86cf 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1506,6 +1506,16 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int 
version_id)
 }
 qemu_get_be32s(f, );
 
+/*
+ * Temporarily set guest_features low bits - needed by
+ * virtio net load code testing for VIRTIO_NET_F_CTRL_GUEST_OFFLOADS
+ * VIRTIO_NET_F_GUEST_ANNOUNCE and VIRTIO_NET_F_CTRL_VQ.
+ *
+ * Note: devices should always test host features in future - don't create
+ * new dependencies like this.
+ */
+vdev->guest_features = features;
+
 config_len = qemu_get_be32(f);
 
 /*
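Review bot: assigning the 32-bit `features` to `vdev->guest_features` zeroes the upper 32 feature bits until the full word is restored later in the load path, so any device load code that tests a high feature bit at this point sees it clear; the comment explains the temporary low/high mismatch for the virtio-net case, but should state plainly that high bits are not valid here so nobody extends the pattern to a 64-bit feature.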
-- 
1.9.1




[Qemu-devel] [PATCH 39/56] scsi-generic: Merge block max xfer len in INQUIRY response

2016-08-08 Thread Michael Roth
From: Fam Zheng 

The rationale is similar to the above mode sense response interception:
this is practically the only channel to communicate restraints from
elsewhere such as host and block driver.

The scsi bus we attach onto can have a larger max xfer len than what is
accepted by the host file system (guarding between the host scsi LUN and
QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng 
Message-Id: <1464243305-10661-3-git-send-email-f...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 063143d5b1fde0fdcbae30bc7d6d14e76fa607d2)
Signed-off-by: Michael Roth 
---
 hw/scsi/scsi-generic.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 7459465..71372a8 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -222,6 +222,18 @@ static void scsi_read_complete(void * opaque, int ret)
 r->buf[3] |= 0x80;
 }
 }
+if (s->type == TYPE_DISK &&
+r->req.cmd.buf[0] == INQUIRY &&
+r->req.cmd.buf[2] == 0xb0) {
+uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk);
+if (max_xfer_len) {
+stl_be_p(>buf[8], max_xfer_len);
+/* Also take care of the opt xfer len. */
+if (ldl_be_p(>buf[12]) > max_xfer_len) {
+stl_be_p(>buf[12], max_xfer_len);
+}
+}
+}
 scsi_req_data(>req, len);
 scsi_req_unref(>req);
 }
-- 
1.9.1




[Qemu-devel] [PATCH 02/56] spice/gl: add & use qemu_spice_gl_monitor_config

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

Cc: qemu-sta...@nongnu.org
Signed-off-by: Gerd Hoffmann 
Reviewed-by: Marc-André Lureau 
(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
Signed-off-by: Michael Roth 
---
 include/ui/spice-display.h |  1 +
 ui/spice-display.c | 30 ++
 2 files changed, 31 insertions(+)

diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
index 30ccfe3..568b64a 100644
--- a/include/ui/spice-display.h
+++ b/include/ui/spice-display.h
@@ -71,6 +71,7 @@ typedef struct QXLCookie {
 QXLRect area;
 int redraw;
 } render;
+void *data;
 } u;
 } QXLCookie;
 
diff --git a/ui/spice-display.c b/ui/spice-display.c
index 242ab5f..2a77a54 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, 
uint64_t cookie_token)
 qemu_bh_schedule(ssd->gl_unblock_bh);
 break;
 }
+case QXL_COOKIE_TYPE_IO:
+if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
+g_free(cookie->u.data);
+}
+break;
 #endif
 default:
 /* should never be called, used in qxl native mode only */
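Review bot: the new `case QXL_COOKIE_TYPE_IO:` sits inside the `#ifdef HAVE_SPICE_GL` region (the `#endif` follows it), so in a non-GL build an IO cookie falls through to the "should never be called" default; that is consistent because the only producer is also under HAVE_SPICE_GL, but a one-line comment saying so would save the next reader a grep. Also only `QXL_IO_MONITORS_CONFIG_ASYNC` frees `cookie->u.data`; any future IO cookie carrying data has to be added here or it leaks.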
@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops 
= {
 
 #ifdef HAVE_SPICE_GL
 
+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
+ int x, int y, int w, int h)
+{
+QXLMonitorsConfig *config;
+QXLCookie *cookie;
+
+config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
+config->count = 1;
+config->max_allowed = 1;
+config->heads[0].x = x;
+config->heads[0].y = y;
+config->heads[0].width = w;
+config->heads[0].height = h;
+cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+QXL_IO_MONITORS_CONFIG_ASYNC);
+cookie->u.data = config;
+
+spice_qxl_monitors_config_async(>qxl,
+(uintptr_t)config,
+MEMSLOT_GROUP_HOST,
+(uintptr_t)cookie);
+}
+
 static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
 {
 uint64_t timeout;
@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener 
*dcl,
  surface_width(ssd->ds),
  surface_height(ssd->ds),
  stride, fourcc, y_0_top);
+
+qemu_spice_gl_monitor_config(ssd, x, y, w, h);
 }
 
 static void qemu_spice_gl_update(DisplayChangeListener *dcl,
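Review bot: qemu_spice_gl_monitor_config() is now called on every scanout and allocates a fresh QXLMonitorsConfig that is released only when the async completion arrives; if scanouts arrive faster than completions the outstanding allocations accumulate. Consider skipping the call when x/y/w/h are unchanged from the previous one.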
-- 
1.9.1




[Qemu-devel] [PATCH 35/56] qapi: Fix crash on missing alternate member of QAPI struct

2016-08-08 Thread Michael Roth
From: Eric Blake 

If a QAPI struct has a mandatory alternate member which is not
present on input, the input visitor reports an error for the
missing alternate without setting the discriminator, but the
cleanup code for the struct still tries to use the dealloc
visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL
when an error occurs, where it was previously left untouched.
Thus, before the patch, the dealloc visitor is blindly trying to
cleanup whatever branch corresponds to (*obj)->type == 0 (that is,
QTYPE_NONE, because *obj still pointed to zeroed memory), which
selects the default branch of the switch and sets an error, but
this second error is ignored by the way the dealloc visitor is
used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically
check for !*obj after visit_start_struct() (see gen_visit_object());
doing the same for alternates fixes the crash. Enhance the testsuite
to give coverage for both missing struct and missing alternate
members.

Also add an abort - we expect visit_start_alternate() to either set an
error or to set (*obj)->type to a valid QType that corresponds to
actual user input, and QTYPE_NONE should never be reachable from valid
input.  Had the abort() been in place earlier, we might have noticed
the dealloc visitor dereferencing bogus zeroed memory prior to when
commit dbf11922 forced our hand by setting *obj to NULL and causing a
fault.

Test case:

{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat
struct, which has a mandatory 'file':'BlockdevRef' in QAPI.  Since
'file' is missing as a sibling of 'driver', this should report a
graceful error rather than fault.  After this patch, we are back to:

{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:

|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v,
| if (err) {
| goto out;
| }
|+if (!*obj) {
|+goto out_obj;
|+}
| switch ((*obj)->type) {
| case QTYPE_QDICT:
| visit_start_struct(v, name, NULL, 0, );
|@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v,
| case QTYPE_QSTRING:
| visit_type_str(v, name, &(*obj)->u.reference, );
| break;
|+case QTYPE_NONE:
|+abort();
| default:
| error_setg(, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
|"BlockdevRef");
| }
|+out_obj:
| visit_end_alternate(v);

Reported by Kashyap Chamarthy 
CC: qemu-sta...@nongnu.org
Signed-off-by: Eric Blake 
Message-Id: <1466012271-5204-1-git-send-email-ebl...@redhat.com>
Reviewed-by: Markus Armbruster 
Tested-by: Kashyap Chamarthy 
[Commit message tweaked]
Signed-off-by: Markus Armbruster 

(cherry picked from commit 9b4e38fe6a35890bb1d995316d7be08de0b30ee5)
Conflicts:
tests/test-qmp-input-visitor.c

* removed contextual/functional dependencies on 68ab47e


Signed-off-by: Michael Roth 
---
 scripts/qapi-visit.py  |  6 ++
 tests/test-qmp-input-visitor.c | 14 ++
 2 files changed, 20 insertions(+)

diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index 31d2330..6c1c1fb 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -170,6 +170,9 @@ void visit_type_%(c_name)s(Visitor *v, const char *name, 
%(c_name)s **obj, Error
 if (err) {
 goto out;
 }
+if (!*obj) {
+goto out_obj;
+}
 switch ((*obj)->type) {
 ''',
  c_name=c_name(name), promote_int=promote_int)
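Review bot: `if (!*obj) goto out_obj;` still runs `visit_end_alternate(v)` for an object that visit_start_alternate() left NULL; that mirrors the struct case described in the message, but the generator should carry a comment saying the start/end pairing is required even on the NULL path, since the dealloc visitor is what relies on it.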
@@ -203,10 +206,13 @@ void visit_type_%(c_name)s(Visitor *v, const char *name, 
%(c_name)s **obj, Error
 ''')
 
 ret += mcgen('''
+case QTYPE_NONE:
+abort();
 default:
 error_setg(, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
"%(name)s");
 }
+out_obj:
 visit_end_alternate(v);
 out:
 error_propagate(errp, err);
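Review bot: `case QTYPE_NONE: abort();` turns a visitor-invariant violation into a process crash on the QMP input path; if that is intended (the message argues QTYPE_NONE is unreachable from valid input), put that reasoning in a comment beside the abort in the generated code so nobody mistakes it for input validation, or use g_assert_not_reached(), which documents itself.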
diff --git a/tests/test-qmp-input-visitor.c b/tests/test-qmp-input-visitor.c
index 80527eb..8523283 100644
--- a/tests/test-qmp-input-visitor.c
+++ b/tests/test-qmp-input-visitor.c
@@ -739,6 +739,8 @@ static void test_visitor_in_errors(TestInputVisitorData 
*data,
 Error *err = NULL;
 Visitor *v;
 strList *q = NULL;
+UserDefTwo *r = NULL;
+WrapAlternate *s = NULL;
 
 v = visitor_input_test_init(data, "{ 'integer': false, 'boolean': 'foo', "
 "'string': -42 }");
@@ -757,6 +759,18 @@ static void test_visitor_in_errors(TestInputVisitorData 
*data,
 error_free_or_abort();
 assert(q);
 qapi_free_strList(q);
+
+v = visitor_input_test_init(data, "{ 'str':'hi' }");
+visit_type_UserDefTwo(v, NULL, , );
+

[Qemu-devel] [PATCH 38/56] nbd: Allow larger requests

2016-08-08 Thread Michael Roth
From: Eric Blake 

The NBD layer was breaking up requests at a limit of 2040 sectors
(just under 1M) to cater to old qemu-nbd. But the server limit
was raised to 32M in commit 2d8214885 to match the kernel, more
than three years ago; and the upstream NBD Protocol is proposing
documentation that without any explicit communication to state
otherwise, a client should be able to safely assume that a 32M
transaction will work.  It is time to rely on the larger sizing,
and any downstream distro that cares about maximum
interoperability to older qemu-nbd servers can just tweak the
value of #define NBD_MAX_SECTORS.

Signed-off-by: Eric Blake 
Reviewed-by: Kevin Wolf 
Acked-by: Paolo Bonzini 
Cc: qemu-sta...@nongnu.org
Reviewed-by: Fam Zheng 
Reviewed-by: Stefan Hajnoczi 
Signed-off-by: Kevin Wolf 

(cherry picked from commit 476b923c32ece0e268580776aaf1fab4ab4459a8)
Conflicts:
include/block/nbd.h

* removed context dependency on 943cec86

Signed-off-by: Michael Roth 
---
 block/nbd-client.c  | 4 
 include/block/nbd.h | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 878e879..6f6df46 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -269,10 +269,6 @@ static int nbd_co_writev_1(BlockDriverState *bs, int64_t 
sector_num,
 return -reply.error;
 }
 
-/* qemu-nbd has a limit of slightly less than 1M per request.  Try to
- * remain aligned to 4K. */
-#define NBD_MAX_SECTORS 2040
-
 int nbd_client_co_readv(BlockDriverState *bs, int64_t sector_num,
 int nb_sectors, QEMUIOVector *qiov)
 {
diff --git a/include/block/nbd.h b/include/block/nbd.h
index b86a976..36dde24 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -76,6 +76,7 @@ enum {
 
 /* Maximum size of a single READ/WRITE data buffer */
 #define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
+#define NBD_MAX_SECTORS (NBD_MAX_BUFFER_SIZE / BDRV_SECTOR_SIZE)
 
 ssize_t nbd_wr_syncv(QIOChannel *ioc,
  struct iovec *iov,
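Review bot: `NBD_MAX_SECTORS (NBD_MAX_BUFFER_SIZE / BDRV_SECTOR_SIZE)` needs BDRV_SECTOR_SIZE in scope in nbd.h and the hunk shows no include for it, so check that every includer of this header already pulls in block/block.h. The dropped comment about staying 4K aligned still holds for 32M; since the message invites downstreams to tweak this value, a one-line note here stating that constraint is worth keeping.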
-- 
1.9.1




[Qemu-devel] [PATCH 44/56] s390x/ipl: fix reboots for migration from different bios

2016-08-08 Thread Michael Roth
From: David Hildenbrand 

When migrating from a different QEMU version, the start_address and
bios_start_address may differ. During migration these values are migrated
and overwrite the values that were detected by QEMU itself.

On a reboot, QEMU will reload its own BIOS, but use the migrated start
addresses, which does not work if the values differ.

Fix this by not relying on the migrated values anymore, but still
provide them during migration, so existing QEMUs continue to work.

Signed-off-by: David Hildenbrand 
Cc: qemu-sta...@nongnu.org
Signed-off-by: Cornelia Huck 
(cherry picked from commit bb0995468a39f14077ceaa8ed5afdca849f00c7c)
Signed-off-by: Michael Roth 
---
 hw/s390x/ipl.c | 11 +--
 hw/s390x/ipl.h |  2 ++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index f104200..3173dcf 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -47,8 +47,8 @@ static const VMStateDescription vmstate_ipl = {
 .version_id = 0,
 .minimum_version_id = 0,
 .fields = (VMStateField[]) {
-VMSTATE_UINT64(start_addr, S390IPLState),
-VMSTATE_UINT64(bios_start_addr, S390IPLState),
+VMSTATE_UINT64(compat_start_addr, S390IPLState),
+VMSTATE_UINT64(compat_bios_start_addr, S390IPLState),
 VMSTATE_STRUCT(iplb, S390IPLState, 0, vmstate_iplb, IplParameterBlock),
 VMSTATE_BOOL(iplb_valid, S390IPLState),
 VMSTATE_UINT8(cssid, S390IPLState),
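Review bot: `compat_start_addr` and `compat_bios_start_addr` keep the same type and position as the fields they replace, so the stream layout is unchanged and `.version_id = 0` can stay; add a comment on these two entries saying they are written for older QEMUs and never read back, otherwise the rename looks like a functional change to anyone reading the vmstate description alone.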
@@ -170,6 +170,13 @@ static void s390_ipl_realize(DeviceState *dev, Error 
**errp)
 stq_p(rom_ptr(INITRD_PARM_SIZE), initrd_size);
 }
 }
+/*
+ * Don't ever use the migrated values, they could come from a different
+ * BIOS and therefore don't work. But still migrate the values, so
+ * QEMUs relying on it don't break.
+ */
+ipl->compat_start_addr = ipl->start_addr;
+ipl->compat_bios_start_addr = ipl->bios_start_addr;
 qemu_register_reset(qdev_reset_all_fn, dev);
 error:
 error_propagate(errp, err);
diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
index 6b48ed7..0bfb72b 100644
--- a/hw/s390x/ipl.h
+++ b/hw/s390x/ipl.h
@@ -33,7 +33,9 @@ struct S390IPLState {
 /*< private >*/
 DeviceState parent_obj;
 uint64_t start_addr;
+uint64_t compat_start_addr;
 uint64_t bios_start_addr;
+uint64_t compat_bios_start_addr;
 bool enforce_bios;
 IplParameterBlock iplb;
 bool iplb_valid;
-- 
1.9.1




[Qemu-devel] [PATCH 37/56] vfio/pci: Fix VGA quirks

2016-08-08 Thread Michael Roth
From: Alex Williamson 

Commit 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic
alloc and consistent functions") converted VFIOPCIDevice.vga to be
dynamically allocated, negating the need for VFIOPCIDevice.has_vga.
Unfortunately not all of the has_vga users were converted, nor was
the field removed from the structure.  Correct these oversights.

Reported-by: Peter Maloney 
Tested-by: Peter Maloney 
Fixes: 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and 
consistent functions")
Fixes: https://bugs.launchpad.net/qemu/+bug/1591628
Cc: qemu-sta...@nongnu.org
Signed-off-by: Alex Williamson 
(cherry picked from commit 4d3fc4fdc6857e33346ed58ae55870f59391ee71)
Signed-off-by: Michael Roth 
---
 hw/vfio/pci-quirks.c | 8 
 hw/vfio/pci.h| 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 49ecf11..6624905 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -315,7 +315,7 @@ static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, 
int nr)
 
 /* This windows doesn't seem to be used except by legacy VGA code */
 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
-!vdev->has_vga || nr != 4) {
+!vdev->vga || nr != 4) {
 return;
 }
 
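Review bot: the context comment above reads `/* This windows doesn't seem to be used except by legacy VGA code */`; worth fixing to "window" while touching the adjacent line. Testing the `vdev->vga` pointer is the right replacement for the removed flag.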
@@ -363,7 +363,7 @@ static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, 
int nr)
 
 /* Only enable on newer devices where BAR2 is 64bit */
 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
-!vdev->has_vga || nr != 2 || !vdev->bars[2].mem64) {
+!vdev->vga || nr != 2 || !vdev->bars[2].mem64) {
 return;
 }
 
@@ -657,7 +657,7 @@ static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice 
*vdev, int nr)
 VFIOConfigWindowQuirk *window;
 
 if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
-!vdev->has_vga || nr != 5) {
+!vdev->vga || nr != 5) {
 return;
 }
 
@@ -773,7 +773,7 @@ static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice 
*vdev, int nr)
 QLIST_INSERT_HEAD(>bars[nr].quirks, quirk, next);
 
 /* The 0x1800 offset mirror only seems to get used by legacy VGA */
-if (vdev->has_vga) {
+if (vdev->vga) {
 quirk = g_malloc0(sizeof(*quirk));
 mirror = quirk->data = g_malloc0(sizeof(*mirror));
 mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
diff --git a/hw/vfio/pci.h b/hw/vfio/pci.h
index 3976f68..72174b3 100644
--- a/hw/vfio/pci.h
+++ b/hw/vfio/pci.h
@@ -130,7 +130,6 @@ typedef struct VFIOPCIDevice {
 #define VFIO_FEATURE_ENABLE_REQ (1 << VFIO_FEATURE_ENABLE_REQ_BIT)
 int32_t bootindex;
 uint8_t pm_cap;
-bool has_vga;
 bool pci_aer;
 bool req_enabled;
 bool has_flr;
-- 
1.9.1




[Qemu-devel] [PATCH 41/56] target-sparc: fix register corruption in ldstub if there is no write permission

2016-08-08 Thread Michael Roth
From: Artyom Tarasenko 

Signed-off-by: Artyom Tarasenko 
Reviewed-by: Richard Henderson 
Signed-off-by: Mark Cave-Ayland 
(cherry picked from commit b64d2e57e704edbb56ae969de864292dd38379bf)
Signed-off-by: Michael Roth 
---
 target-sparc/translate.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target-sparc/translate.c b/target-sparc/translate.c
index 7998ff5..502510c 100644
--- a/target-sparc/translate.c
+++ b/target-sparc/translate.c
@@ -4668,12 +4668,15 @@ static void disas_sparc_insn(DisasContext * dc, 
unsigned int insn)
 case 0xd:   /* ldstub -- XXX: should be atomically */
 {
 TCGv r_const;
+TCGv tmp = tcg_temp_new();
 
 gen_address_mask(dc, cpu_addr);
-tcg_gen_qemu_ld8u(cpu_val, cpu_addr, dc->mem_idx);
+tcg_gen_qemu_ld8u(tmp, cpu_addr, dc->mem_idx);
 r_const = tcg_const_tl(0xff);
 tcg_gen_qemu_st8(r_const, cpu_addr, dc->mem_idx);
+tcg_gen_mov_tl(cpu_val, tmp);
 tcg_temp_free(r_const);
+tcg_temp_free(tmp);
 }
 break;
 case 0x0f:
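Review bot: loading into `tmp` and moving to `cpu_val` only after the store means a faulting store no longer clobbers the destination register, but the `/* XXX: should be atomically */` comment still applies: the load and the 0xff store remain two separate memory operations, so another guest CPU can observe the old byte between them. Keep that caveat in the message so this is not read as the atomicity fix.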
-- 
1.9.1




[Qemu-devel] [PATCH 36/56] pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c

2016-08-08 Thread Michael Roth
From: Lin Ma 

In function pci_assign_dev_load_option_rom, for those pci devices that don't
have a 'rom' file under sysfs, or if loading the ROM from an external file, the
function returns NULL and won't set the passed 'size' variable.

In these 2 cases, qemu still reports the "Invalid ROM" error message; users
may be confused by it.

Signed-off-by: Lin Ma 
Message-Id: <1466010327-22368-1-git-send-email-...@suse.com>
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini 
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
Signed-off-by: Michael Roth 
---
 hw/i386/kvm/pci-assign.c  | 4 
 hw/i386/pci-assign-load-rom.c | 3 +++
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index bf425a2..8abce52 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice 
*dev)
 pci_assign_dev_load_option_rom(>dev, OBJECT(dev), ,
dev->host.domain, dev->host.bus,
dev->host.slot, dev->host.function);
-
-if (!size) {
-error_report("pci-assign: Invalid ROM.");
-}
 }
diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
index 4bbb08c..0d8e4b2 100644
--- a/hw/i386/pci-assign-load-rom.c
+++ b/hw/i386/pci-assign-load-rom.c
@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct 
Object *owner,
  domain, bus, slot, function);
 
 if (stat(rom_file, )) {
+if (errno != ENOENT) {
+error_report("pci-assign: Invalid ROM.");
+}
 return NULL;
 }
 
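Review bot: a `stat()` failure with any errno other than ENOENT, for example EACCES on a sysfs `rom` file the process is not allowed to read, still prints the generic "Invalid ROM." text; include `strerror(errno)` and `rom_file` in the message so a permission problem can be told apart from a corrupt ROM.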
-- 
1.9.1




[Qemu-devel] [PATCH 30/56] io: remove mistaken call to object_ref on QTask

2016-08-08 Thread Michael Roth
From: "Daniel P. Berrange" 

The QTask struct is just a standalone struct, not a QOM Object,
so calling object_ref() on it is not appropriate. This results
in mangling the 'destroy' field in the QTask struct, causing
the later call to qtask_free() to try to call the function
at address 0x1, with predictably segfault happy results.

There is in fact no need for ref counting with QTask, as the
call to qtask_abort() or qtask_complete() will automatically
free associated memory.

This fixes the crash shown in

  https://bugs.launchpad.net/qemu/+bug/1589923

Reviewed-by: Eric Blake 
Signed-off-by: Daniel P. Berrange 
(cherry picked from commit bc35d51077b33e68a0ab10a057f352747214223f)
Signed-off-by: Michael Roth 
---
 io/channel-websock.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/io/channel-websock.c b/io/channel-websock.c
index 7081787..d5a4ed3 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -316,14 +316,13 @@ static gboolean 
qio_channel_websock_handshake_io(QIOChannel *ioc,
 return TRUE;
 }
 
-object_ref(OBJECT(task));
 trace_qio_channel_websock_handshake_reply(ioc);
 qio_channel_add_watch(
 wioc->master,
 G_IO_OUT,
 qio_channel_websock_handshake_send,
 task,
-(GDestroyNotify)object_unref);
+NULL);
 return FALSE;
 }
 
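Review bot: passing `NULL` as the GDestroyNotify means `task` must now be released by qio_channel_websock_handshake_send() on every exit path via qtask_complete()/qtask_abort(); that function is not in this hunk, so confirm it has no early return that drops the task, otherwise the fix trades a crash for a leak.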
-- 
1.9.1




[Qemu-devel] [PATCH 51/56] nbd: Don't use *_to_cpup() functions

2016-08-08 Thread Michael Roth
From: Peter Maydell 

The *_to_cpup() functions are not very useful, as they simply do
a pointer dereference and then a *_to_cpu(). Instead use either:
 * ld*_*_p(), if the data is at an address that might not be
   correctly aligned for the load
 * a local dereference and *_to_cpu(), if the pointer is
   the correct type and known to be correctly aligned

Signed-off-by: Peter Maydell 
Message-Id: <1465570836-22211-1-git-send-email-peter.mayd...@linaro.org>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 773dce3c7286a66c37f7b07994177faf7046bfa8)
* context prereq for 7423f417
Signed-off-by: Michael Roth 
---
 nbd/client.c |  8 
 nbd/server.c | 10 +-
 qemu-nbd.c   |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 42e4e52..e72befd 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -574,7 +574,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char 
*name, uint32_t *flags,
 error_setg(errp, "Failed to read export flags");
 goto fail;
 }
-*flags = be32_to_cpup(flags);
+*flags = be32_to_cpu(*flags);
 } else {
 error_setg(errp, "Bad magic received");
 goto fail;
@@ -729,9 +729,9 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply 
*reply)
[ 7 .. 15]handle
  */
 
-magic = be32_to_cpup((uint32_t*)buf);
-reply->error  = be32_to_cpup((uint32_t*)(buf + 4));
-reply->handle = be64_to_cpup((uint64_t*)(buf + 8));
+magic = ldl_be_p(buf);
+reply->error  = ldl_be_p(buf + 4);
+reply->handle = ldq_be_p(buf + 8);
 
 reply->error = nbd_errno_to_system_errno(reply->error);
 
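Review bot: the layout comment above the loads lists `[ 7 .. 15] handle` while the code reads `ldq_be_p(buf + 8)`; the comment is off by one and should read `[ 8 .. 15]`. Switching to ldl_be_p/ldq_be_p on `buf` is correct here since the removed casts were unaligned, aliasing-violating reads of a byte array.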
diff --git a/nbd/server.c b/nbd/server.c
index 6d3773f..2fc6d74 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -651,11 +651,11 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, 
struct nbd_request *request)
[24 .. 27]   len
  */
 
-magic = be32_to_cpup((uint32_t*)buf);
-request->type  = be32_to_cpup((uint32_t*)(buf + 4));
-request->handle = be64_to_cpup((uint64_t*)(buf + 8));
-request->from  = be64_to_cpup((uint64_t*)(buf + 16));
-request->len   = be32_to_cpup((uint32_t*)(buf + 24));
+magic = ldl_be_p(buf);
+request->type   = ldl_be_p(buf + 4);
+request->handle = ldq_be_p(buf + 8);
+request->from   = ldq_be_p(buf + 16);
+request->len= ldl_be_p(buf + 24);
 
 TRACE("Got request: { magic = 0x%" PRIx32 ", .type = %" PRIx32
   ", from = %" PRIu64 " , len = %" PRIu32 " }",
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c55b40f..114d82f 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -151,8 +151,8 @@ static void read_partition(uint8_t *p, struct 
partition_record *r)
 r->end_cylinder = p[7] | ((p[6] << 2) & 0x300);
 r->end_sector = p[6] & 0x3f;
 
-r->start_sector_abs = le32_to_cpup((uint32_t *)(p +  8));
-r->nb_sectors_abs   = le32_to_cpup((uint32_t *)(p + 12));
+r->start_sector_abs = ldl_le_p(p + 8);
+r->nb_sectors_abs   = ldl_le_p(p + 12);
 }
 
 static int find_partition(BlockBackend *blk, int partition,
-- 
1.9.1
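Patches 38 and 51 on this page together fix the request framing: a 32M per-request ceiling and loads that do not depend on alignment or on the pointer's declared type. As an added example that is not QEMU code, here is a C parser for the 28-byte request header laid out in the nbd_receive_request comment above, using byte-assembled loads in place of ldl_be_p/ldq_be_p and enforcing NBD_MAX_BUFFER_SIZE. NBD_REQUEST_MAGIC is the protocol's request magic; the struct, the function names and the sample header bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Limits and layout from the page: 32 MiB per request (patch 38) and the
 * 28-byte request header listed in nbd_receive_request (patch 51).
 * NBD_REQUEST_MAGIC is the protocol's request magic; everything else named
 * here is this example's own. */
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
#define NBD_REQUEST_MAGIC   0x25609513u
#define NBD_REQUEST_SIZE    28

struct nbd_req {
    uint32_t type;
    uint64_t handle;
    uint64_t from;
    uint32_t len;
};

/* Big-endian loads assembled from bytes: valid at any alignment and free of
 * the pointer cast that the removed *_to_cpup((uint32_t *)buf) relied on. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t load_be64(const uint8_t *p)
{
    return ((uint64_t)load_be32(p) << 32) | load_be32(p + 4);
}

/* Parse one request header.
 * Returns 0 on success, -1 for a short buffer or bad magic,
 * -2 when len exceeds NBD_MAX_BUFFER_SIZE (rejected before any buffer is sized). */
int nbd_parse_request(const uint8_t *buf, size_t buflen, struct nbd_req *out)
{
    if (buflen < NBD_REQUEST_SIZE) return -1;
    if (load_be32(buf) != NBD_REQUEST_MAGIC) return -1;   /* [ 0 ..  3] magic  */
    out->type   = load_be32(buf + 4);                     /* [ 4 ..  7] type   */
    out->handle = load_be64(buf + 8);                     /* [ 8 .. 15] handle */
    out->from   = load_be64(buf + 16);                    /* [16 .. 23] from   */
    out->len    = load_be32(buf + 24);                    /* [24 .. 27] len    */
    if (out->len > NBD_MAX_BUFFER_SIZE) return -2;
    return 0;
}

/* ---- constructed sample traffic ---- */

/* A READ (type 0) of 4096 bytes at offset 0x1000 with handle
 * 0x1122334455667788, stored one byte past the start of the array so that
 * every load is unaligned. */
static const uint8_t demo_wire[1 + NBD_REQUEST_SIZE] = {
    0x00,
    0x25, 0x60, 0x95, 0x13,
    0x00, 0x00, 0x00, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x10, 0x00,
};

/* Parse demo_wire and return one field: 0 type, 1 handle, 2 from, 3 len.
 * Returns UINT64_MAX when the header is rejected. */
uint64_t demo_field(int which)
{
    struct nbd_req r;
    if (nbd_parse_request(demo_wire + 1, NBD_REQUEST_SIZE, &r) != 0) return UINT64_MAX;
    switch (which) {
    case 0:  return r.type;
    case 1:  return r.handle;
    case 2:  return r.from;
    default: return r.len;
    }
}

/* Same header with len = 32 MiB + 1; the parser must answer -2. */
int demo_oversized(void)
{
    struct nbd_req r;
    uint8_t wire[NBD_REQUEST_SIZE];
    size_t i;
    for (i = 0; i < NBD_REQUEST_SIZE; i++) wire[i] = demo_wire[i + 1];
    wire[24] = 0x02; wire[25] = 0x00; wire[26] = 0x00; wire[27] = 0x01;
    return nbd_parse_request(wire, sizeof wire, &r);
}

/* Magic corrupted in its first byte; the parser must answer -1. */
int demo_bad_magic(void)
{
    struct nbd_req r;
    uint8_t wire[NBD_REQUEST_SIZE];
    size_t i;
    for (i = 0; i < NBD_REQUEST_SIZE; i++) wire[i] = demo_wire[i + 1];
    wire[0] = 0x26;
    return nbd_parse_request(wire, sizeof wire, &r);
}
```

The length bound is checked inside the parser rather than by the caller so that no code path can allocate or index from an unchecked `len`; the byte-assembled loads cost nothing on modern compilers, which fold them into a single load plus byte swap where alignment allows.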




[Qemu-devel] [PATCH 40/56] scsi: Advertise limits by blocksize, not 512

2016-08-08 Thread Michael Roth
From: Eric Blake 

s->blocksize may be larger than 512, in which case our
tweaks to max_xfer_len and opt_xfer_len must be scaled
appropriately.

CC: qemu-sta...@nongnu.org
Reported-by: Fam Zheng 
Signed-off-by: Eric Blake 
Reviewed-by: Fam Zheng 
Signed-off-by: Kevin Wolf 
(cherry picked from commit efaf4781a995aacd22b1dd521b14e4644bafae14)
Signed-off-by: Michael Roth 
---
 hw/scsi/scsi-generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 71372a8..c4ba9a4 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -225,7 +225,8 @@ static void scsi_read_complete(void * opaque, int ret)
 if (s->type == TYPE_DISK &&
 r->req.cmd.buf[0] == INQUIRY &&
 r->req.cmd.buf[2] == 0xb0) {
-uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk);
+uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk) /
+(s->blocksize / BDRV_SECTOR_SIZE);
 if (max_xfer_len) {
 stl_be_p(>buf[8], max_xfer_len);
 /* Also take care of the opt xfer len. */
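Review bot: `blk_get_max_transfer_length(s->conf.blk) / (s->blocksize / BDRV_SECTOR_SIZE)` divides by zero if `s->blocksize` is ever below BDRV_SECTOR_SIZE, for instance while it is still unset; guard with `s->blocksize >= BDRV_SECTOR_SIZE` before the division. Integer division rounds the advertised limit down, which is the safe direction.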
-- 
1.9.1




[Qemu-devel] [PATCH 26/56] vmsvga: move fifo sanity checks to vmsvga_fifo_length

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-sta...@nongnu.org
Cc: P J P 
Reported-by: 李强 
Signed-off-by: Gerd Hoffmann 
Message-id: 1464592161-18348-2-git-send-email-kra...@redhat.com
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
Signed-off-by: Michael Roth 
---
 hw/display/vmware_vga.c | 28 +++-
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 0c63fa8..63a7c05 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s 
*s)
 if (!s->config || !s->enable) {
 return 0;
 }
+
+/* Check range and alignment.  */
+if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+return 0;
+}
+if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+return 0;
+}
+if (CMD(max) > SVGA_FIFO_SIZE) {
+return 0;
+}
+if (CMD(max) < CMD(min) + 10 * 1024) {
+return 0;
+}
+
 num = CMD(next_cmd) - CMD(stop);
 if (num < 0) {
 num += CMD(max) - CMD(min);
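Review bot: the relocated checks validate the alignment of all four registers but only bound `CMD(min)` and `CMD(max)`; `CMD(next_cmd)` and `CMD(stop)` feed the `num` arithmetic directly and are later used as fifo indices without any check that they lie within `[min, max)`, so a guest can still steer reads with an out-of-range cursor. Add `if (CMD(next_cmd) < CMD(min) || CMD(next_cmd) >= CMD(max)) return 0;` and the same for `CMD(stop)`.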
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t 
address, uint32_t value)
 case SVGA_REG_CONFIG_DONE:
 if (value) {
 s->fifo = (uint32_t *) s->fifo_ptr;
-/* Check range and alignment.  */
-if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-break;
-}
-if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-break;
-}
-if (CMD(max) > SVGA_FIFO_SIZE) {
-break;
-}
-if (CMD(max) < CMD(min) + 10 * 1024) {
-break;
-}
 vga_dirty_log_stop(>vga);
 }
 s->config = !!value;
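Review bot: with the range checks removed from SVGA_REG_CONFIG_DONE, a write with bad fifo registers now reaches `vga_dirty_log_stop()` and sets `s->config`, relying entirely on vmsvga_fifo_length() returning 0 later; that is the intended model, but since the values are re-read from guest memory on every call, each caller must index with the copy it validated rather than re-reading the registers afterwards.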
-- 
1.9.1
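The placement of the checks above matters because the FIFO header lives in guest-writable memory: a value that was valid at SVGA_REG_CONFIG_DONE can be changed by the guest before the next read. As an added example, not code from QEMU or from the patch, here is a small C model of a guest-shared ring validated on every access; the header layout, FIFO_SIZE, the 10K minimum and all function names are this example's own assumptions, and it additionally bounds the two cursors, which the hunk above does not.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a guest-shared FIFO (layout assumed for this example):
 * four header words the guest can rewrite at any time, then command words. */
enum { FIFO_MIN = 0, FIFO_MAX = 1, FIFO_NEXT_CMD = 2, FIFO_STOP = 3, FIFO_HDR_WORDS = 4 };
#define FIFO_SIZE      (64 * 1024)   /* assumed size of the shared mapping, bytes */
#define FIFO_MIN_RING  (10 * 1024)   /* minimum ring size, as in the hunk above */

struct fifo_state {
    uint32_t *fifo;   /* guest-writable mapping of FIFO_SIZE bytes */
    int config;
    int enable;
};

/* Host-private copy of the header words. Every check and every index uses
 * this copy, never the live words, so the guest cannot change them between
 * the check and the use. */
struct fifo_regs { uint32_t min, max, next, stop; };

static struct fifo_regs fifo_snapshot(const struct fifo_state *s)
{
    struct fifo_regs r;
    r.min  = s->fifo[FIFO_MIN];
    r.max  = s->fifo[FIFO_MAX];
    r.next = s->fifo[FIFO_NEXT_CMD];
    r.stop = s->fifo[FIFO_STOP];
    return r;
}

/* Bytes of pending commands, or 0 if the header is inconsistent. */
static int32_t fifo_pending(const struct fifo_regs *r)
{
    int32_t num;

    if ((r->min | r->max | r->next | r->stop) & 3) return 0;   /* alignment */
    if (r->min < FIFO_HDR_WORDS * sizeof(uint32_t)) return 0;  /* ring overlaps header */
    if (r->max > FIFO_SIZE) return 0;                           /* ring leaves mapping */
    if (r->max < r->min + FIFO_MIN_RING) return 0;              /* ring too small */
    if (r->next < r->min || r->next >= r->max) return 0;        /* cursor outside ring */
    if (r->stop < r->min || r->stop >= r->max) return 0;

    num = (int32_t)(r->next - r->stop);
    if (num < 0) num += (int32_t)(r->max - r->min);
    return num;
}

/* Pending command words; re-validates the header on every call. */
static int fifo_length(const struct fifo_state *s)
{
    struct fifo_regs r;
    if (!s->config || !s->enable || !s->fifo) return 0;
    r = fifo_snapshot(s);
    return fifo_pending(&r) >> 2;
}

/* Pop one command word; returns 1 on success, 0 when empty or invalid. */
static int fifo_pop(struct fifo_state *s, uint32_t *out)
{
    struct fifo_regs r;
    if (!s->config || !s->enable || !s->fifo) return 0;
    r = fifo_snapshot(s);
    if (fifo_pending(&r) <= 0) return 0;
    *out = s->fifo[r.stop / 4];           /* index taken from the validated copy */
    r.stop += 4;
    if (r.stop >= r.max) r.stop = r.min;
    s->fifo[FIFO_STOP] = r.stop;
    return 1;
}

/* ---- constructed demo inputs ---- */
static uint32_t demo_buf[FIFO_SIZE / 4];

/* Program the header as a guest would and report the pending word count. */
int demo_length(uint32_t min, uint32_t max, uint32_t next, uint32_t stop)
{
    struct fifo_state s = { demo_buf, 1, 1 };
    demo_buf[FIFO_MIN] = min;
    demo_buf[FIFO_MAX] = max;
    demo_buf[FIFO_NEXT_CMD] = next;
    demo_buf[FIFO_STOP] = stop;
    return fifo_length(&s);
}

/* Queue two words, drain the ring and return the sum of the popped words
 * (0 when the header is rejected, e.g. max beyond the mapping). */
uint32_t demo_drain(uint32_t max)
{
    struct fifo_state s = { demo_buf, 1, 1 };
    uint32_t v, sum = 0;
    demo_buf[FIFO_MIN] = 16;  demo_buf[FIFO_MAX] = max;
    demo_buf[FIFO_STOP] = 16; demo_buf[FIFO_NEXT_CMD] = 24;
    demo_buf[4] = 0x10;       demo_buf[5] = 0x20;
    while (fifo_pop(&s, &v)) sum += v;
    return sum;
}
```

The pattern to copy is snapshot, validate, then use only the snapshot: re-reading `s->fifo[FIFO_STOP]` after validation would reopen the window the guest can exploit.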




[Qemu-devel] [PATCH 31/56] ui: fix regression in printing VNC host/port on startup

2016-08-08 Thread Michael Roth
From: "Daniel P. Berrange" 

If VNC is chosen as the compile time default display backend,
QEMU will print the host/port it listens on at startup.
Previously this would look like

  VNC server running on '::1:5900'

but in 04d2529da27db512dcbd5e99d0e26d333f16efcc the ':' was
accidentally replaced with a ';'. This puts the ':' back.

Reported-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
Reviewed-by: Eric Blake 
Message-id: 1465382576-25552-1-git-send-email-berra...@redhat.com
Signed-off-by: Gerd Hoffmann 
(cherry picked from commit 83cf07b0b577bde1afe1329d25bbcc762966e637)
Signed-off-by: Michael Roth 
---
 ui/vnc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index d2ebf1f..3e89dad 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3193,7 +3193,7 @@ char *vnc_display_local_addr(const char *id)
 qapi_free_SocketAddress(addr);
 return NULL;
 }
-ret = g_strdup_printf("%s;%s", addr->u.inet.data->host,
+ret = g_strdup_printf("%s:%s", addr->u.inet.data->host,
   addr->u.inet.data->port);
 qapi_free_SocketAddress(addr);
 
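Review bot: `"%s:%s"` restores the previous output, but the example in the message, `::1:5900`, shows the format is ambiguous for IPv6 literals; consider `[%s]:%s` when the host contains a colon so the printed string can be handed back to a client unchanged.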
-- 
1.9.1




[Qemu-devel] [PATCH 03/56] vl: change runstate only if new state is different from current state

2016-08-08 Thread Michael Roth
From: Li Zhijian 

Previously, qemu would abort in the following scenario:
(qemu) stop
(qemu) system_reset
(qemu) system_reset
(qemu) 2016-04-13T20:54:38.979158Z qemu-system-x86_64: invalid runstate 
transition: 'prelaunch' -> 'prelaunch'

Signed-off-by: Li Zhijian 
Acked-by: Paolo Bonzini 
Message-Id: <1460604352-18630-1-git-send-email-lizhij...@cn.fujitsu.com>
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini 
(cherry picked from commit e92a2d9cb3d8f589c9fe5d2eacc83d8dddea0e16)
Signed-off-by: Michael Roth 
---
 vl.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/vl.c b/vl.c
index 5fd22cb..5db5dc2 100644
--- a/vl.c
+++ b/vl.c
@@ -692,6 +692,10 @@ void runstate_set(RunState new_state)
 {
 assert(new_state < RUN_STATE__MAX);
 
+if (current_run_state == new_state) {
+return;
+}
+
 if (!runstate_valid_transitions[current_run_state][new_state]) {
 error_report("invalid runstate transition: '%s' -> '%s'",
  RunState_lookup[current_run_state],
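Review bot: returning early when `current_run_state == new_state` also skips everything after the transition-table check in runstate_set() (not shown in this hunk); confirm no tracing or state-change notification there is expected to fire on a same-state set before accepting the no-op.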
-- 
1.9.1




[Qemu-devel] [PATCH 32/56] net: fix qemu_announce_self not emitting packets

2016-08-08 Thread Michael Roth
From: Peter Lieven 

commit fefe2a78 accidentally dropped the code path for injecting
raw packets. This feature is needed for sending gratuitous ARPs
after an incoming migration has completed. The result is increased
network downtime for vservers where the network card is not virtio-net
with the VIRTIO_NET_F_GUEST_ANNOUNCE feature.

Fixes: fefe2a78abde932e0f340b21bded2c86def1d242
Cc: qemu-sta...@nongnu.org
Cc: hongyang.y...@easystack.cn
Signed-off-by: Peter Lieven 
Signed-off-by: Jason Wang 
(cherry picked from commit ca1ee3d6b546e841a1b9db413eb8fa09f13a061b)
Signed-off-by: Michael Roth 
---
 net/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index 0ad6217..6b0b375 100644
--- a/net/net.c
+++ b/net/net.c
@@ -724,7 +724,7 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender,
 return 0;
 }
 
-if (nc->info->receive_iov) {
+if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
 ret = nc->info->receive_iov(nc, iov, iovcnt);
 } else {
 ret = nc_sendv_compat(nc, iov, iovcnt, flags);
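Review bot: the condition now routes packets carrying `QEMU_NET_PACKET_FLAG_RAW` to nc_sendv_compat() even when the client implements receive_iov; a short comment stating why raw packets must bypass receive_iov (the `receive_iov(nc, iov, iovcnt)` call has no flags parameter to carry RAW) would keep the next refactor from dropping the path again.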
-- 
1.9.1




[Qemu-devel] [PATCH 25/56] block: Drop bdrv_ioctl_bh_cb

2016-08-08 Thread Michael Roth
From: Fam Zheng 

Similar to the "!drv || !drv->bdrv_aio_ioctl" case above, here it is
okay to set co.ret and return. As pointed out by Paolo, a BH will be
created as necessary by the caller (bdrv_co_maybe_schedule_bh).
Besides, as pointed out by Kevin, "data" was leaked before.

Reported-by: Kevin Wolf 
Reported-by: Paolo Bonzini 
Signed-off-by: Fam Zheng 
Reviewed-by: Paolo Bonzini 
Message-id: 20160601015223.19277-1-f...@redhat.com
Signed-off-by: Stefan Hajnoczi 
(cherry picked from commit c8a9fd80719e63615dac12e3625223fb54aa8430)
Signed-off-by: Michael Roth 
---
 block/io.c | 20 ++--
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/block/io.c b/block/io.c
index a7dbf85..d02e0d5 100644
--- a/block/io.c
+++ b/block/io.c
@@ -2595,19 +2595,6 @@ int bdrv_discard(BlockDriverState *bs, int64_t 
sector_num, int nb_sectors)
 return rwco.ret;
 }
 
-typedef struct {
-CoroutineIOCompletion *co;
-QEMUBH *bh;
-} BdrvIoctlCompletionData;
-
-static void bdrv_ioctl_bh_cb(void *opaque)
-{
-BdrvIoctlCompletionData *data = opaque;
-
-bdrv_co_io_em_complete(data->co, -ENOTSUP);
-qemu_bh_delete(data->bh);
-}
-
 static int bdrv_co_do_ioctl(BlockDriverState *bs, int req, void *buf)
 {
 BlockDriver *drv = bs->drv;
@@ -2625,11 +2612,8 @@ static int bdrv_co_do_ioctl(BlockDriverState *bs, int 
req, void *buf)
 
 acb = drv->bdrv_aio_ioctl(bs, req, buf, bdrv_co_io_em_complete, );
 if (!acb) {
-BdrvIoctlCompletionData *data = g_new(BdrvIoctlCompletionData, 1);
-data->bh = aio_bh_new(bdrv_get_aio_context(bs),
-bdrv_ioctl_bh_cb, data);
-data->co = 
-qemu_bh_schedule(data->bh);
+co.ret = -ENOTSUP;
+goto out;
 }
 qemu_coroutine_yield();
 out:
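Review bot: `co.ret = -ENOTSUP; goto out;` completes the request synchronously, which the message says bdrv_co_maybe_schedule_bh in the caller handles; a one-line comment at the goto would help, since the surrounding code otherwise yields and waits for an AIO callback.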
-- 
1.9.1




[Qemu-devel] [PATCH 34/56] qcow2: Avoid making the L1 table too big

2016-08-08 Thread Michael Roth
From: Max Reitz 

We refuse to open images whose L1 table we deem "too big". Consequently,
we should not produce such images ourselves.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Max Reitz 
Message-id: 20160615153630.2116-3-mre...@redhat.com
Reviewed-by: Eric Blake 
[mreitz: Added QEMU_BUILD_BUG_ON()]
Signed-off-by: Max Reitz 

(cherry picked from commit 84c26520d3c1c9ff4a10455748139463278816d5)
Signed-off-by: Michael Roth 
---
 block/qcow2-cluster.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 31ecc10..22bdb47 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -64,7 +64,8 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t 
min_size,
 }
 }
 
-if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
+QEMU_BUILD_BUG_ON(QCOW_MAX_L1_SIZE > INT_MAX);
+if (new_l1_size > QCOW_MAX_L1_SIZE / sizeof(uint64_t)) {
 return -EFBIG;
 }
 
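Review bot: `QEMU_BUILD_BUG_ON(QCOW_MAX_L1_SIZE > INT_MAX)` correctly guards the int comparison, but it is tied to this function while the open-time check on the same limit lives elsewhere; consider placing it next to the QCOW_MAX_L1_SIZE definition so both sites share it.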
-- 
1.9.1




[Qemu-devel] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)

2016-08-08 Thread Michael Roth
From: Prasad J Pandit 

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.

Reported-by: Li Qiang 
Signed-off-by: Prasad J Pandit 
Cc: qemu-sta...@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppan...@redhat.com>
Reviewed-by: Shmulik Ladkani 
Reviewed-by: Dmitry Fleytman 
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth 
---
 hw/scsi/vmw_pvscsi.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index e690b4e..e1d6d06 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
 return log;
 }
 
-static void
+static int
 pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
 {
 int i;
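Review bot: `pvscsi_ring_init_data` now returns `int`, but nothing documents the convention (0 on success, -1 on a rejected ring size); a brief comment above the signature would help, since the callers in later hunks test `< 0`.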
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, 
PVSCSICmdDescSetupRings *ri)
 uint32_t req_ring_size, cmp_ring_size;
 m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
 
+if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+|| (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+return -1;
+}
 req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
 cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
 txr_len_log2 = pvscsi_log2(req_ring_size - 1);
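Review bot: the bound at `ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES` is only an upper limit; a page count of zero makes `req_ring_size` zero, and `pvscsi_log2(req_ring_size - 1)` is then called on an unsigned wrap-around, so a `== 0` check alongside it is worth considering. Also `m->rs_pa` is written before the validation, so a rejected setup still overwrites the ring-state address; moving the check above that assignment keeps state untouched on failure.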
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, 
PVSCSICmdDescSetupRings *ri)
 
 /* Flush ring state page changes */
 smp_wmb();
+
+return 0;
 }
 
-static void
+static int
 pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
 {
 int i;
 uint32_t len_log2;
 uint32_t ring_size;
 
+if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+return -1;
+}
 ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
 len_log2 = pvscsi_log2(ring_size - 1);
 
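Review bot: as with the data rings, the `ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES` check has no lower bound; with `numPages == 0`, `ring_size - 1` wraps before it reaches `pvscsi_log2`.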
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, 
PVSCSICmdDescSetupMsgRing *ri)
 
 /* Flush ring state page changes */
 smp_wmb();
+
+return 0;
 }
 
 static void
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
 trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
 
 pvscsi_dbg_dump_tx_rings_config(rc);
-pvscsi_ring_init_data(>rings, rc);
+if (pvscsi_ring_init_data(>rings, rc) < 0) {
+return PVSCSI_COMMAND_PROCESSING_FAILED;
+}
+
 s->rings_info_valid = TRUE;
 return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
 }
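Review bot: on the `PVSCSI_COMMAND_PROCESSING_FAILED` return, `s->rings_info_valid` keeps whatever value it had from an earlier successful setup while `pvscsi_ring_init_data` has already rewritten `m->rs_pa` in `s->rings`; clearing `rings_info_valid` before returning (or validating before touching `s->rings`) avoids a stale-valid flag over half-initialised ring state.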
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
 }
 
 if (s->rings_info_valid) {
-pvscsi_ring_init_msg(>rings, rc);
+if (pvscsi_ring_init_msg(>rings, rc) < 0) {
+return PVSCSI_COMMAND_PROCESSING_FAILED;
+}
 s->msg_ring_info_valid = TRUE;
 }
 return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
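Review bot: the failure branch returns `PVSCSI_COMMAND_PROCESSING_FAILED` while this function's success value is a word count, `sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t)`; mixing a status code into a length-returning function only works if the caller tells the two apart, so either show that handling or add a comment stating that the status constant cannot collide with a valid length.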
-- 
1.9.1




[Qemu-devel] [PATCH 33/56] backup: Don't leak BackupBlockJob in error path

2016-08-08 Thread Michael Roth
From: Kevin Wolf 

Signed-off-by: Kevin Wolf 
Reviewed-by: Max Reitz 
Reviewed-by: Alberto Garcia 
(cherry picked from commit 91ab68837933232bcef99da7c968e6d41900419b)
Signed-off-by: Michael Roth 
---
 block/backup.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/backup.c b/block/backup.c
index 491fd14..370c285 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -504,6 +504,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 {
 int64_t len;
 BlockDriverInfo bdi;
+BackupBlockJob *job = NULL;
 int ret;
 
 assert(bs);
@@ -568,8 +569,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 goto error;
 }
 
-BackupBlockJob *job = block_job_create(_job_driver, bs, speed,
-   cb, opaque, errp);
+job = block_job_create(_job_driver, bs, speed, cb, opaque, errp);
 if (!job) {
 goto error;
 }
@@ -610,4 +610,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 if (sync_bitmap) {
 bdrv_reclaim_dirty_bitmap(bs, sync_bitmap, NULL);
 }
+if (job) {
+block_job_unref(>common);
+}
 }
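Review bot: the trailing `if (job)` / `block_job_unref` on `job->common` is correct only if every successful path returns before falling into this cleanup; the hunk does not show the `error:` label or the `return` that should precede it, so a reviewer needs to confirm the block is reachable solely via `goto error`.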
-- 
1.9.1




[Qemu-devel] [PATCH 27/56] vmsvga: add more fifo checks

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-sta...@nongnu.org
Cc: P J P 
Reported-by: 李强 
Signed-off-by: Gerd Hoffmann 
Message-id: 1464592161-18348-3-git-send-email-kra...@redhat.com
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
Signed-off-by: Michael Roth 
---
 hw/display/vmware_vga.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 63a7c05..a26e62e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s 
*s)
 if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
 return 0;
 }
-if (CMD(max) > SVGA_FIFO_SIZE) {
+if (CMD(max) > SVGA_FIFO_SIZE ||
+CMD(min) >= SVGA_FIFO_SIZE ||
+CMD(stop) >= SVGA_FIFO_SIZE ||
+CMD(next_cmd) >= SVGA_FIFO_SIZE) {
 return 0;
 }
 if (CMD(max) < CMD(min) + 10 * 1024) {
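Review bot: the added `CMD(min)`, `CMD(stop)` and `CMD(next_cmd)` bounds close the obvious out-of-range indexes, but each `CMD()` read goes back to the FIFO page the guest shares, so a value checked here can differ from the value used afterwards; the next patch in this series ("vmsvga: shadow fifo registers") addresses exactly that, and the commit message should say this patch alone does not complete the CVE-2016-4454 fix.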
-- 
1.9.1




[Qemu-devel] [PATCH 24/56] scsi: mptsas: infinite loop while fetching requests

2016-08-08 Thread Michael Roth
From: Prasad J Pandit 

The LSI SAS1068 Host Bus Adapter emulator in Qemu periodically
looks for requests and fetches them. A loop doing that in
mptsas_fetch_requests() could run infinitely if 's->state' was
not operational. Move check to avoid such a loop.

Reported-by: Li Qiang 
Signed-off-by: Prasad J Pandit 
Cc: qemu-sta...@nongnu.org
Message-Id: <1464077264-25473-1-git-send-email-ppan...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
Signed-off-by: Michael Roth 
---
 hw/scsi/mptsas.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 499c146..be88e16 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
 hwaddr addr;
 int size;
 
-if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-return;
-}
-
 /* Read the message header from the guest first. */
 addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
 pci_dma_read(pci, addr, req, sizeof(hdr));
@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
 {
 MPTSASState *s = opaque;
 
+if (s->state != MPI_IOC_STATE_OPERATIONAL) {
+mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
+return;
+}
 while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
 mptsas_fetch_request(s);
 }
-- 
1.9.1




[Qemu-devel] [PATCH 28/56] vmsvga: shadow fifo registers

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-sta...@nongnu.org
Cc: P J P 
Signed-off-by: Gerd Hoffmann 
Message-id: 1464592161-18348-4-git-send-email-kra...@redhat.com
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth 
---
 hw/display/vmware_vga.c | 57 -
 1 file changed, 28 insertions(+), 29 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index a26e62e..de2567b 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
 uint8_t *fifo_ptr;
 unsigned int fifo_size;
 
-union {
-uint32_t *fifo;
-struct QEMU_PACKED {
-uint32_t min;
-uint32_t max;
-uint32_t next_cmd;
-uint32_t stop;
-/* Add registers here when adding capabilities.  */
-uint32_t fifo[0];
-} *cmd;
-};
+uint32_t *fifo;
+uint32_t fifo_min;
+uint32_t fifo_max;
+uint32_t fifo_next;
+uint32_t fifo_stop;
 
 #define REDRAW_FIFO_LEN  512
 struct vmsvga_rect_s {
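Review bot: the new `fifo_min`/`fifo_max`/`fifo_next`/`fifo_stop` fields are recomputed from the FIFO page at the top of `vmsvga_fifo_length` on every run, so they need not be migrated; a comment marking them as validated copies rather than persistent state would stop someone adding them to the vmstate. The removed "Add registers here when adding capabilities" comment from the old union should also survive somewhere near the `SVGA_FIFO_*` enum.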
@@ -198,7 +192,7 @@ enum {
  */
 SVGA_FIFO_MIN = 0,
 SVGA_FIFO_MAX,  /* The distance from MIN to MAX must be at least 10K */
-SVGA_FIFO_NEXT_CMD,
+SVGA_FIFO_NEXT,
 SVGA_FIFO_STOP,
 
 /*
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct 
vmsvga_state_s *s,
 }
 #endif
 
-#define CMD(f)  le32_to_cpu(s->cmd->f)
-
 static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
 {
 int num;
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct 
vmsvga_state_s *s)
 return 0;
 }
 
+s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
+s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
+s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
+s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
+
 /* Check range and alignment.  */
-if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
 return 0;
 }
-if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+if (s->fifo_min < sizeof(uint32_t) * 4) {
 return 0;
 }
-if (CMD(max) > SVGA_FIFO_SIZE ||
-CMD(min) >= SVGA_FIFO_SIZE ||
-CMD(stop) >= SVGA_FIFO_SIZE ||
-CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+if (s->fifo_max > SVGA_FIFO_SIZE ||
+s->fifo_min >= SVGA_FIFO_SIZE ||
+s->fifo_stop >= SVGA_FIFO_SIZE ||
+s->fifo_next >= SVGA_FIFO_SIZE) {
 return 0;
 }
-if (CMD(max) < CMD(min) + 10 * 1024) {
+if (s->fifo_max < s->fifo_min + 10 * 1024) {
 return 0;
 }
 
-num = CMD(next_cmd) - CMD(stop);
+num = s->fifo_next - s->fifo_stop;
 if (num < 0) {
-num += CMD(max) - CMD(min);
+num += s->fifo_max - s->fifo_min;
 }
 return num >> 2;
 }
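Review bot: `if (s->fifo_min < sizeof(uint32_t) * 4)` replaces the old pointer difference, but the literal 4 is the number of header registers (MIN, MAX, NEXT, STOP) and deserves a name or comment. Separately, `num = s->fifo_next - s->fifo_stop` subtracts two `uint32_t` values into an `int`, so the `num < 0` test relies on implementation-defined conversion of the wrapped unsigned result; computing the distance in unsigned arithmetic (`next >= stop ? next - stop : next + (max - min) - stop`) avoids that.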
 
 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
 {
-uint32_t cmd = s->fifo[CMD(stop) >> 2];
+uint32_t cmd = s->fifo[s->fifo_stop >> 2];
 
-s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-if (CMD(stop) >= CMD(max)) {
-s->cmd->stop = s->cmd->min;
+s->fifo_stop += 4;
+if (s->fifo_stop >= s->fifo_max) {
+s->fifo_stop = s->fifo_min;
 }
+s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 return cmd;
 }
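Review bot: `s->fifo[s->fifo_stop >> 2]` is in bounds only because `vmsvga_fifo_length` rejected `fifo_stop >= SVGA_FIFO_SIZE` in the previous hunk; a comment at that line recording the dependency would help, since nothing in this function re-checks it.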
 
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 len = vmsvga_fifo_length(s);
 while (len > 0) {
 /* May need to go back to the start of the command if incomplete */
-cmd_start = s->cmd->stop;
+cmd_start = s->fifo_stop;
 
 switch (cmd = vmsvga_fifo_read(s)) {
 case SVGA_CMD_UPDATE:
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 break;
 
 rewind:
-s->cmd->stop = cmd_start;
+s->fifo_stop = cmd_start;
+s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 break;
 }
 }
-- 
1.9.1




[Qemu-devel] [PATCH 21/56] savevm: fail if migration blockers are present

2016-08-08 Thread Michael Roth
From: Greg Kurz 

QEMU currently has two ways to prevent migration from occurring:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from
both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the
following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest
using mount_tag 'host'

Signed-off-by: Greg Kurz 
Reviewed-by: Paolo Bonzini 
Message-Id: <146239057139.11271.9011797645454781543.st...@bahia.huguette.org>

[Update subject according to Paolo's suggestion - Amit]

Signed-off-by: Amit Shah 
(cherry picked from commit 24f3902b088cd4f2dbebfd90527b5d81d6a050e9)
Signed-off-by: Michael Roth 
---
 include/migration/migration.h |  1 +
 migration/migration.c | 21 +++--
 migration/savevm.c|  2 +-
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/include/migration/migration.h b/include/migration/migration.h
index ac2c12c..9e36a97 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -210,6 +210,7 @@ int migrate_fd_close(MigrationState *s);
 void add_migration_state_change_notifier(Notifier *notify);
 void remove_migration_state_change_notifier(Notifier *notify);
 MigrationState *migrate_init(const MigrationParams *params);
+bool migration_is_blocked(Error **errp);
 bool migration_in_setup(MigrationState *);
 bool migration_has_finished(MigrationState *);
 bool migration_has_failed(MigrationState *);
diff --git a/migration/migration.c b/migration/migration.c
index 0563b4c..6cecc35 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -992,6 +992,20 @@ void qmp_migrate_incoming(const char *uri, Error **errp)
 once = false;
 }
 
+bool migration_is_blocked(Error **errp)
+{
+if (qemu_savevm_state_blocked(errp)) {
+return true;
+}
+
+if (migration_blockers) {
+*errp = error_copy(migration_blockers->data);
+return true;
+}
+
+return false;
+}
+
 void qmp_migrate(const char *uri, bool has_blk, bool blk,
  bool has_inc, bool inc, bool has_detach, bool detach,
  Error **errp)
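Review bot: `*errp = error_copy(migration_blockers->data);` in `migration_is_blocked` dereferences `errp` unconditionally, so a caller passing NULL crashes; `error_propagate(errp, error_copy(...))` handles NULL, `error_abort` and `error_fatal` per QEMU's error conventions. The behaviour is inherited from the code being moved, but the function is now a shared helper and should be safe for any caller.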
@@ -1014,12 +1028,7 @@ void qmp_migrate(const char *uri, bool has_blk, bool blk,
 return;
 }
 
-if (qemu_savevm_state_blocked(errp)) {
-return;
-}
-
-if (migration_blockers) {
-*errp = error_copy(migration_blockers->data);
+if (migration_is_blocked(errp)) {
 return;
 }
 
diff --git a/migration/savevm.c b/migration/savevm.c
index 16ba443..8346649 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1169,7 +1169,7 @@ static int qemu_savevm_state(QEMUFile *f, Error **errp)
 MigrationState *ms = migrate_init();
 ms->to_dst_file = f;
 
-if (qemu_savevm_state_blocked(errp)) {
+if (migration_is_blocked(errp)) {
 return -EINVAL;
 }
 
-- 
1.9.1




[Qemu-devel] [PATCH 20/56] nbd: Don't trim unrequested bytes

2016-08-08 Thread Michael Roth
From: Eric Blake 

Similar to commit df7b97ff, we are mishandling clients that
give an unaligned NBD_CMD_TRIM request, and potentially
trimming bytes that occur before their request; which in turn
can cause potential unintended data loss (unlikely in
practice, since most clients are sane and issue aligned trim
requests).  However, while we fixed read and write by switching
to the byte interfaces of blk_, we don't yet have a byte
interface for discard.  On the other hand, trim is advisory, so
rounding the user's request to simply ignore the first and last
unaligned sectors (or the entire request, if it is sub-sector
in length) is just fine.

CC: qemu-sta...@nongnu.org
Signed-off-by: Eric Blake 
Message-Id: <1464173965-9694-1-git-send-email-ebl...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 353ab969730742b7392414d62f4ba9632e8cf22c)
Signed-off-by: Michael Roth 
---
 nbd/server.c | 20 ++--
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 2184c64..cc4bda3 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1153,12 +1153,20 @@ static void nbd_trip(void *opaque)
 break;
 case NBD_CMD_TRIM:
 TRACE("Request type is TRIM");
-ret = blk_co_discard(exp->blk, (request.from + exp->dev_offset)
-   / BDRV_SECTOR_SIZE,
- request.len / BDRV_SECTOR_SIZE);
-if (ret < 0) {
-LOG("discard failed");
-reply.error = -ret;
+/* Ignore unaligned head or tail, until block layer adds byte
+ * interface */
+if (request.len >= BDRV_SECTOR_SIZE) {
+request.len -= (request.from + request.len) % BDRV_SECTOR_SIZE;
+ret = blk_co_discard(exp->blk,
+ DIV_ROUND_UP(request.from + exp->dev_offset,
+  BDRV_SECTOR_SIZE),
+ request.len / BDRV_SECTOR_SIZE);
+if (ret < 0) {
+LOG("discard failed");
+reply.error = -ret;
+}
+} else {
+TRACE("trim request too small, ignoring");
 }
 if (nbd_co_send_reply(req, , 0) < 0) {
 goto out;
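Review bot: the tail alignment at `request.len -= (request.from + request.len) % BDRV_SECTOR_SIZE` uses `request.from` without `exp->dev_offset`, while the start sector is rounded with `DIV_ROUND_UP(request.from + exp->dev_offset, BDRV_SECTOR_SIZE)`; the two agree only when `dev_offset` is itself sector-aligned, so either fold the offset into the modulus or assert the alignment. Also, after the subtraction `request.len` can drop below one sector so that `request.len / BDRV_SECTOR_SIZE` is 0; presumably a harmless no-op discard, but worth a comment.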
-- 
1.9.1




[Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable

2016-08-08 Thread Michael Roth
From: Prasad J Pandit 

When processing Task Priority Register (TPR) access, it could leak
automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.

Reported by: Donghai Zdh 
Cc: qemu-sta...@nongnu.org
Signed-off-by: Prasad J Pandit 
Message-Id: <1460013608-16670-1-git-send-email-ppan...@redhat.com>
Signed-off-by: Paolo Bonzini 

(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
Signed-off-by: Michael Roth 
---
 hw/i386/kvmvapic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index c69f374..ff1e31a 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU 
*cpu, target_ulong ip)
 CPUX86State *env = >env;
 VAPICHandlers *handlers;
 uint8_t opcode[2];
-uint32_t imm32;
+uint32_t imm32 = 0;
 target_ulong current_pc = 0;
 target_ulong current_cs_base = 0;
 int current_flags = 0;
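Review bot: `uint32_t imm32 = 0;` silences the uninitialised read but does not say which path in `patch_instruction` leaves `imm32` unset before it is used; a comment on that line naming the case (or an explicit assignment in that branch) would make the fix self-explanatory and keep a future refactor from reintroducing the leak.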
-- 
1.9.1




[Qemu-devel] [PATCH 29/56] vmsvga: don't process more than 1024 fifo commands at once

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-sta...@nongnu.org
Cc: P J P 
Reported-by: 李强 
Signed-off-by: Gerd Hoffmann 
Message-id: 1464592161-18348-5-git-send-email-kra...@redhat.com
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
Signed-off-by: Michael Roth 
---
 hw/display/vmware_vga.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index de2567b..e51a05e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct 
vmsvga_state_s *s)
 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 {
 uint32_t cmd, colour;
-int args, len;
+int args, len, maxloop = 1024;
 int x, y, dx, dy, width, height;
 struct vmsvga_cursor_definition_s cursor;
 uint32_t cmd_start;
 
 len = vmsvga_fifo_length(s);
-while (len > 0) {
+while (len > 0 && --maxloop > 0) {
 /* May need to go back to the start of the command if incomplete */
 cmd_start = s->fifo_stop;
 
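Review bot: `while (len > 0 && --maxloop > 0)` with `maxloop = 1024` runs the body at most 1023 times, not the 1024 stated in the subject; either use `maxloop-- > 0` or adjust the message.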
-- 
1.9.1




[Qemu-devel] [PATCH 22/56] Fix configure test for PBKDF2 in nettle

2016-08-08 Thread Michael Roth
From: Steven Luo 

On my Debian jessie system, including nettle/pbkdf2.h does not cause
NULL to be defined, which causes the test to fail to compile.  Include
stddef.h to bring in a definition of NULL.

Cc: qemu-triv...@nongnu.org
Cc: qemu-sta...@nongnu.org
Signed-off-by: Steven Luo 
Signed-off-by: Michael Tokarev 
(cherry picked from commit 9e87a691bd46846e2232f8c30605c491c85ac987)
Signed-off-by: Michael Roth 
---
 configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index 49bdb4b..60e3c0d 100755
--- a/configure
+++ b/configure
@@ -2342,6 +2342,7 @@ if test "$nettle" != "no"; then
 nettle="yes"
 
 cat > $TMPC << EOF
+#include 
 #include 
 int main(void) {
  pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
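Review bot: the header names have been stripped from both `#include` lines as rendered here; per the description the added line is `#include <stddef.h>` and it must precede `#include <nettle/pbkdf2.h>` so that `NULL` is defined before the `pbkdf2_hmac_sha256(8, NULL, ...)` call is compiled. No objection to the fix itself; stddef.h is the minimal header that provides NULL.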
-- 
1.9.1




[Qemu-devel] [PATCH 18/56] vfio: Fix broken EEH

2016-08-08 Thread Michael Roth
From: Gavin Shan 

vfio_eeh_container_op() is the backend that communicates with
host kernel to support EEH functionality in QEMU. However, the
function should return the value from host kernel instead of 0
unconditionally.

dwg: Specifically the problem occurs for the handful of EEH
sub-operations which can return a non-zero, non-error result.

Signed-off-by: Gavin Shan 
Acked-by: Alex Williamson 
[dwg: clarification to commit message]
Signed-off-by: David Gibson 

(cherry picked from commit d917e88d85a147a99f38a62a4f95cac21e366d51)
Signed-off-by: Michael Roth 
---
 hw/vfio/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index f27db36..e1927a5 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -1147,7 +1147,7 @@ static int vfio_eeh_container_op(VFIOContainer 
*container, uint32_t op)
 return -errno;
 }
 
-return 0;
+return ret;
 }
 
 static VFIOContainer *vfio_eeh_as_container(AddressSpace *as)
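Review bot: `return ret;` is the right fix given the description, but the hunk does not show where `ret` is assigned; confirm it holds the `ioctl()` result and is not reused between the `return -errno` error path and this line, since the EEH sub-operations mentioned in the message rely on positive, non-error values surviving.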
-- 
1.9.1




[Qemu-devel] [PATCH 14/56] esp: check dma length before reading scsi command(CVE-2016-4441)

2016-08-08 Thread Michael Roth
From: Prasad J Pandit 

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang 
Cc: qemu-sta...@nongnu.org
Signed-off-by: Prasad J Pandit 
Message-Id: <1463654371-11169-3-git-send-email-ppan...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
Signed-off-by: Michael Roth 
---
 hw/scsi/esp.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
 }
 }
 
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
 {
 uint32_t dmalen;
 int target;
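Review bot: `uint8_t buflen` in the new `get_cmd` signature silently truncates any `sizeof(buf)` above 255 at the call sites, turning a large buffer into a small (or zero) limit; `size_t` costs nothing here and avoids that trap.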
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
 dmalen = s->rregs[ESP_TCLO];
 dmalen |= s->rregs[ESP_TCMID] << 8;
 dmalen |= s->rregs[ESP_TCHI] << 16;
+if (dmalen > buflen) {
+return 0;
+}
 s->dma_memory_read(s->dma_opaque, buf, dmalen);
 } else {
 dmalen = s->ti_size;
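Review bot: `if (dmalen > buflen) { return 0; }` guards only the DMA branch; the `else` branch at `dmalen = s->ti_size;` is not bounded in this hunk, so it should be confirmed that `ti_size` can never exceed the caller's buffer. Returning 0 also drops the command without signalling the guest, which is acceptable for a malformed transfer count but deserves a comment.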
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
 s->dma_cb = handle_satn;
 return;
 }
-len = get_cmd(s, buf);
+len = get_cmd(s, buf, sizeof(buf));
 if (len)
 do_cmd(s, buf);
 }
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
 s->dma_cb = handle_s_without_atn;
 return;
 }
-len = get_cmd(s, buf);
+len = get_cmd(s, buf, sizeof(buf));
 if (len) {
 do_busid_cmd(s, buf, 0);
 }
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
 s->dma_cb = handle_satn_stop;
 return;
 }
-s->cmdlen = get_cmd(s, s->cmdbuf);
+s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
 if (s->cmdlen) {
 trace_esp_handle_satn_stop(s->cmdlen);
 s->do_cmd = 1;
-- 
1.9.1




[Qemu-devel] [PATCH 19/56] block/iscsi: avoid potential overflow of acb->task->cdb

2016-08-08 Thread Michael Roth
From: Peter Lieven 

At least in the path via virtio-blk the maximum size is not
restricted.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Lieven 
Message-Id: <1464080368-29584-1-git-send-email...@kamp.de>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
Signed-off-by: Michael Roth 
---
 block/iscsi.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/block/iscsi.c b/block/iscsi.c
index 302baf8..172e6cf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
 return >common;
 }
 
+if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
+error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
+qemu_aio_unref(acb);
+return NULL;
+}
+
 acb->task = malloc(sizeof(struct scsi_task));
 if (acb->task == NULL) {
 error_report("iSCSI: Failed to allocate task for scsi command. %s",
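Review bot: returning NULL from `iscsi_aio_ioctl` after `qemu_aio_unref(acb)` means the completion callback never fires for an oversized CDB, so every caller of the `bdrv_aio_ioctl` hook must already treat NULL as a synchronous failure (the block-layer change at the top of this digest does, mapping it to -ENOTSUP); a comment at the `return NULL` line citing that contract would help. The `%d` formats are fine as long as `acb->ioh->cmd_len` is an integer type no wider than int.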
-- 
1.9.1




[Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse

2016-08-08 Thread Michael Roth
From: Paolo Bonzini 

Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.

Reported-by: Changlong Xie 
Signed-off-by: Paolo Bonzini 
Message-Id: <1467636059-12557-1-git-send-email-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
Signed-off-by: Michael Roth 
---
 qobject/json-streamer.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, 
GString *input,
 {
 JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
 JSONToken *token;
+GQueue *tokens;
 
 switch (type) {
 case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
 /* send current list of tokens to parser and reset tokenizer */
 parser->brace_count = 0;
 parser->bracket_count = 0;
-/* parser->emit takes ownership of parser->tokens.  */
-parser->emit(parser, parser->tokens);
+/* parser->emit takes ownership of parser->tokens.  Remove our own
+ * reference to parser->tokens before handing it out to parser->emit.
+ */
+tokens = parser->tokens;
 parser->tokens = g_queue_new();
+parser->emit(parser, tokens);
 parser->token_size = 0;
 }
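Review bot: `parser->token_size = 0;` still executes after `parser->emit(parser, tokens)`; if emit can destroy the streamer, as the commit message says, that store is a write to freed memory. Move the reset above the emit call, next to `parser->brace_count = 0`, so that nothing touches `parser` once ownership of `tokens` has been handed over.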
 
-- 
1.9.1




[Qemu-devel] [PATCH 17/56] vga: add sr_vbe register set

2016-08-08 Thread Michael Roth
From: Gerd Hoffmann 

Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests to update sr[] registers as they want, without
allowing them to disrupt vbe video modes that way.

Cc: qemu-sta...@nongnu.org
Reported-by: Thomas Lamprecht 
Signed-off-by: Gerd Hoffmann 
Message-id: 1463475294-14119-1-git-send-email-kra...@redhat.com
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
Signed-off-by: Michael Roth 
---
 hw/display/vga.c | 50 --
 hw/display/vga_int.h |  1 +
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 4a55ec6..9ebc54f 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
 return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
 }
 
+static inline uint8_t sr(VGACommonState *s, int idx)
+{
+return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
+}
+
 static void vga_update_memory_access(VGACommonState *s)
 {
 hwaddr base, offset, size;
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
 s->has_chain4_alias = false;
 s->plane_updated = 0xf;
 }
-if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
+VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
 offset = 0;
 switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
 case 0:
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState 
*s)
   ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
 vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
 
-clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
+clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
 clock_sel = (s->msr >> 2) & 3;
 dots = (s->msr & 1) ? 8 : 9;
 
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t 
val)
 printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
 #endif
 s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-vbe_update_vgaregs(s);
 if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
 s->update_retrace_info(s);
 }
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
 
 if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
 shift_control = 0;
-s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
 } else {
 shift_control = 2;
 /* set chain 4 mode */
-s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
 /* activate all planes */
-s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
 }
 s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
 (shift_control << 5);
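Review bot: `s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8` and the two `|=` lines only modify bits of `sr_vbe`, so its starting contents matter; the hunk does not show `sr_vbe` being seeded from `sr` or zeroed when VBE is enabled, nor whether it is included in the device's vmstate so that a migrated guest in VBE mode keeps the same effective sequencer registers. Both points deserve a comment or a follow-up.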
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
 break;
 }
 
-if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
 /* chain 4 mode : simplest access */
 assert(addr < s->vram_size);
 ret = s->vram_ptr[addr];
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, 
uint32_t val)
 break;
 }
 
-if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
 /* chain 4 mode : simplest access */
 plane = addr & 3;
 mask = (1 << plane);
-if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
 assert(addr < s->vram_size);
 s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, 
uint32_t val)
 /* odd/even mode (aka text mode mapping) */
 plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
 mask = (1 << plane);
-if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
 addr = ((addr & ~1) << 1) | plane;
 if (addr >= s->vram_size) {
 return;
@@ -996,7 +1000,7 @@ void 

[Qemu-devel] [PATCH 11/56] json-streamer: Don't leak tokens on incomplete parse

2016-08-08 Thread Michael Roth
From: Eric Blake 

Valgrind complained about a number of leaks in
tests/check-qobject-json:

==12657==definitely lost: 17,247 bytes in 1,234 blocks

All of which had the same root cause: on an incomplete parse,
we were abandoning the token queue without cleaning up the
allocated data within each queue element.  Introduced in
commit 95385fe, when we switched from QList (which recursively
frees contents) to g_queue (which does not).

We don't yet require glib 2.32 with its g_queue_free_full(),
so open-code it instead.

CC: qemu-sta...@nongnu.org
Signed-off-by: Eric Blake 
Message-Id: <1463608012-12760-1-git-send-email-ebl...@redhat.com>
Reviewed-by: Markus Armbruster 
Signed-off-by: Markus Armbruster 
(cherry picked from commit ba4dba54347d5062436a8553f527dbbed6dcf069)
Signed-off-by: Michael Roth 
---
 qobject/json-streamer.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 0251685..7164390 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -20,9 +20,15 @@
 #define MAX_TOKEN_COUNT (2ULL << 20)
 #define MAX_NESTING (1ULL << 10)
 
+static void json_message_free_token(void *token, void *opaque)
+{
+g_free(token);
+}
+
 static void json_message_free_tokens(JSONMessageParser *parser)
 {
 if (parser->tokens) {
+g_queue_foreach(parser->tokens, json_message_free_token, NULL);
 g_queue_free(parser->tokens);
 parser->tokens = NULL;
 }
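Review bot: `json_message_free_token` calls `g_free` on each element, which is right only if a `JSONToken` is a single allocation (no separately allocated string inside); a one-line comment stating that assumption would make the open-coded `g_queue_free_full` self-checking. The unused `opaque` parameter exists to match the `GFunc` signature and could say so.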
-- 
1.9.1




[Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12

2016-08-08 Thread Michael Roth
Hi everyone,

The following new patches are queued for QEMU stable v2.6.1:

  https://github.com/mdroth/qemu/commits/stable-2.6-staging

The release is planned for 2016-08-17:

  http://wiki.qemu.org/Planning/2.6

Please respond here or CC qemu-sta...@nongnu.org on any patches you
think should be included in the release.

Testing/feedback is greatly appreciated.

Thanks!


Alberto Garcia (2):
  blockdev: Fix regression with the default naming of throttling groups
  qemu-iotests: Test naming of throttling groups

Alex Williamson (1):
  vfio/pci: Fix VGA quirks

Artyom Tarasenko (1):
  target-sparc: fix register corruption in ldstub if there is no write 
permission

Aurelien Jarno (1):
  target-mips: fix call to memset in soft reset code

Daniel P. Berrange (2):
  io: remove mistaken call to object_ref on QTask
  ui: fix regression in printing VNC host/port on startup

Dave Hansen (1):
  target-i386: fix typo in xsetbv implementation

David Hildenbrand (1):
  s390x/ipl: fix reboots for migration from different bios

Dominik Dingel (1):
  exec.c: Ensure right alignment also for file backed ram

Eric Blake (7):
  json-streamer: Don't leak tokens on incomplete parse
  nbd: Don't trim unrequested bytes
  qapi: Fix crash on missing alternate member of QAPI struct
  nbd: Allow larger requests
  scsi: Advertise limits by blocksize, not 512
  nbd: More debug typo fixes, use correct formats
  nbd: Limit nbdflags to 16 bits

Fam Zheng (3):
  block: Drop bdrv_ioctl_bh_cb
  scsi-generic: Merge block max xfer len in INQUIRY response
  util: Fix MIN_NON_ZERO

Gavin Shan (1):
  vfio: Fix broken EEH

Gerd Hoffmann (6):
  spice/gl: add & use qemu_spice_gl_monitor_config
  vga: add sr_vbe register set
  vmsvga: move fifo sanity checks to vmsvga_fifo_length
  vmsvga: add more fifo checks
  vmsvga: shadow fifo registers
  vmsvga: don't process more than 1024 fifo commands at once

Greg Kurz (2):
  migration: regain control of images when migration fails to complete
  savevm: fail if migration blockers are present

Hemant Kumar (1):
  tools: kvm_stat: Powerpc related fixes

John Snow (1):
  ide: fix halted IO segfault at reset

Kevin Wolf (1):
  backup: Don't leak BackupBlockJob in error path

Li Zhijian (1):
  vl: change runstate only if new state is different from current state

Lin Ma (1):
  pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c

Max Reitz (1):
  qcow2: Avoid making the L1 table too big

Michael S. Tsirkin (3):
  virtio: set low features early on load
  Revert "virtio-net: unbreak self announcement and guest offloads after migration"
  pcie: fix link active status bit migration

Paolo Bonzini (2):
  target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
  json-streamer: fix double-free on exiting during a parse

Peter Lieven (4):
  block/nfs: refuse readahead if cache.direct is on
  block/iscsi: avoid potential overflow of acb->task->cdb
  net: fix qemu_announce_self not emitting packets
  block/iscsi: fix rounding in iscsi_allocationmap_set

Peter Maydell (1):
  nbd: Don't use *_to_cpup() functions

Prasad J Pandit (5):
  i386: kvmvapic: initialise imm32 variable
  esp: check command buffer length before write(CVE-2016-4439)
  esp: check dma length before reading scsi command(CVE-2016-4441)
  scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
  scsi: mptsas: infinite loop while fetching requests

Roman Kagan (1):
  usb:xhci: no DMA on HC reset

Stefan Hajnoczi (1):
  virtio: error out if guest exceeds virtqueue size

Stefan Weil (2):
  configure: Allow builds with extra warnings
  Fix some typos found by codespell

Steven Luo (1):
  Fix configure test for PBKDF2 in nettle

Thomas Huth (1):
  usb/ohci: Fix crash with when specifying too many num-ports

 audio/mixeng.c  |  2 +-
 audio/ossaudio.c|  2 +-
 block/backup.c  |  7 ++-
 block/io.c  | 20 +--
 block/iscsi.c   | 15 -
 block/nbd-client.c  |  4 --
 block/nbd-client.h  |  2 +-
 block/nfs.c | 20 +--
 block/qcow2-cluster.c   |  3 +-
 blockdev.c  |  9 ++-
 configure   |  3 +-
 contrib/ivshmem-server/ivshmem-server.h |  2 +-
 docs/specs/rocker.txt   |  2 +-
 docs/throttle.txt   |  2 +-
 exec.c  |  5 +-
 hw/display/vga.c| 50 +
 hw/display/vga_int.h|  1 +
 hw/display/vmware_vga.c | 78 +-
 

[Qemu-devel] [PATCH 15/56] block/nfs: refuse readahead if cache.direct is on

2016-08-08 Thread Michael Roth
From: Peter Lieven 

If we open an NFS export with the cache disabled we should refuse
the readahead feature as it will cache data inside libnfs.

If an export was opened with readahead enabled it should
further not be allowed to disable the cache while running.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Lieven 
Reviewed-by: Jeff Cody 
Message-id: 1463662083-20814-2-git-send-email...@kamp.de
Signed-off-by: Jeff Cody 
(cherry picked from commit 38f8d5e0251ae7d8257cf099cb3e5a375ef60378)
Signed-off-by: Michael Roth 
---
 block/nfs.c | 20 
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/block/nfs.c b/block/nfs.c
index 9f51cc3..60be45e 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -1,7 +1,7 @@
 /*
  * QEMU Block driver for native access to files on NFS shares
  *
- * Copyright (c) 2014 Peter Lieven 
+ * Copyright (c) 2014-2016 Peter Lieven 
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to 
deal
@@ -47,6 +47,7 @@ typedef struct NFSClient {
 bool has_zero_init;
 AioContext *aio_context;
 blkcnt_t st_blocks;
+bool cache_used;
 } NFSClient;
 
 typedef struct NFSRPC {
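Review bot: cache_used names the effect rather than the cause; the flag is set only when libnfs readahead has been enabled, so a name such as readahead_enabled (or a short comment on the field) would make the later check in nfs_reopen_prepare self-explanatory without reading nfs_client_open.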
@@ -278,7 +279,7 @@ static void nfs_file_close(BlockDriverState *bs)
 }
 
 static int64_t nfs_client_open(NFSClient *client, const char *filename,
-   int flags, Error **errp)
+   int flags, Error **errp, int open_flags)
 {
 int ret = -EINVAL, i;
 struct stat st;
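Review bot: the new open_flags parameter is appended after Error **errp; QEMU convention keeps errp as the last parameter, so open_flags should go before it, e.g. `int flags, int open_flags, Error **errp)`, with the two call sites in nfs_file_open and nfs_file_create updated to match.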
@@ -330,12 +331,18 @@ static int64_t nfs_client_open(NFSClient *client, const 
char *filename,
 nfs_set_tcp_syncnt(client->context, val);
 #ifdef LIBNFS_FEATURE_READAHEAD
 } else if (!strcmp(qp->p[i].name, "readahead")) {
+if (open_flags & BDRV_O_NOCACHE) {
+error_setg(errp, "Cannot enable NFS readahead "
+ "if cache.direct = on");
+goto fail;
+}
 if (val > QEMU_NFS_MAX_READAHEAD_SIZE) {
 error_report("NFS Warning: Truncating NFS readahead"
  " size to %d", QEMU_NFS_MAX_READAHEAD_SIZE);
 val = QEMU_NFS_MAX_READAHEAD_SIZE;
 }
 nfs_set_readahead(client->context, val);
+client->cache_used = true;
 #endif
 #ifdef LIBNFS_FEATURE_DEBUG
 } else if (!strcmp(qp->p[i].name, "debug")) {
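Review bot: client->cache_used is set to true for any readahead=... option, including readahead=0, which does not make libnfs cache anything; a later reopen with cache.direct=on would then be refused for no reason. Set the flag only when the value is non-zero, e.g. `if (val > 0) { client->cache_used = true; }` after the nfs_set_readahead() call. The BDRV_O_NOCACHE check itself is correctly placed inside the LIBNFS_FEATURE_READAHEAD block, since readahead cannot be enabled without it.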
@@ -418,7 +425,7 @@ static int nfs_file_open(BlockDriverState *bs, QDict 
*options, int flags,
 }
 ret = nfs_client_open(client, qemu_opt_get(opts, "filename"),
   (flags & BDRV_O_RDWR) ? O_RDWR : O_RDONLY,
-  errp);
+  errp, bs->open_flags);
 if (ret < 0) {
 goto out;
 }
@@ -454,7 +461,7 @@ static int nfs_file_create(const char *url, QemuOpts *opts, 
Error **errp)
 total_size = ROUND_UP(qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0),
   BDRV_SECTOR_SIZE);
 
-ret = nfs_client_open(client, url, O_CREAT, errp);
+ret = nfs_client_open(client, url, O_CREAT, errp, 0);
 if (ret < 0) {
 goto out;
 }
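Review bot: the literal 0 passed for open_flags in the create path reads as a magic value; a brief comment that no cache mode applies at creation time, so the readahead-versus-cache.direct check is intentionally skipped, would document why 0 is correct here.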
@@ -516,6 +523,11 @@ static int nfs_reopen_prepare(BDRVReopenState *state,
 return -EACCES;
 }
 
+if ((state->flags & BDRV_O_NOCACHE) && client->cache_used) {
+error_setg(errp, "Cannot disable cache if libnfs readahead is 
enabled");
+return -EINVAL;
+}
+
 /* Update cache for read-only reopens */
 if (!(state->flags & BDRV_O_RDWR)) {
 ret = nfs_fstat(client->context, client->fh, );
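Review bot: the error text here says "libnfs readahead" while the open path says "NFS readahead"; use one wording so users searching for the message find both. The check itself is sufficient: nfs_client_open already refuses readahead together with BDRV_O_NOCACHE, so the only way to reach cache_used with NOCACHE requested is an open without cache.direct followed by a reopen that sets it, which is exactly what is rejected.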
-- 
1.9.1




[Qemu-devel] [PATCH 16/56] usb/ohci: Fix crash with when specifying too many num-ports

2016-08-08 Thread Michael Roth
From: Thomas Huth 

QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth 
Message-id: 1463995387-11710-1-git-send-email-th...@redhat.com
Signed-off-by: Gerd Hoffmann 
(cherry picked from commit d400fc018b326104d26d730e5cc8c36c1f662c34)
Signed-off-by: Michael Roth 
---
 hw/usb/hcd-ohci.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index ffab561..16d9ff7 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -1848,6 +1848,12 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState 
*dev,
 
 ohci->as = as;
 
+if (num_ports > OHCI_MAX_PORTS) {
+error_setg(errp, "OHCI num-ports=%d is too big (limit is %d ports)",
+   num_ports, OHCI_MAX_PORTS);
+return;
+}
+
 if (usb_frame_time == 0) {
 #ifdef OHCI_TIME_WARP
 usb_frame_time = NANOSECONDS_PER_SECOND;
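Review bot: the early return sets errp after ohci->as has already been assigned, which is harmless since nothing has been allocated yet, but it only protects the device if every usb_ohci_init caller checks or propagates errp instead of continuing realize with the oversized port count; please confirm that. Only the upper bound is validated here; if num_ports <= 0 is also invalid it needs a matching check, and the %d in the message assumes num_ports is a plain int.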
-- 
1.9.1




[Qemu-devel] [PATCH 10/56] migration: regain control of images when migration fails to complete

2016-08-08 Thread Michael Roth
From: Greg Kurz 

We currently have an error path during migration that can cause
the source QEMU to abort:

migration_thread()
  migration_completion()
runstate_is_running() > true if guest is running
bdrv_inactivate_all() > inactivate images
qemu_savevm_state_complete_precopy()
 ... qemu_fflush()
   socket_writev_buffer() > error because destination fails
 qemu_fflush() ---> set error on migration stream
  migration_completion() -> set migrate state to FAILED
migration_thread() ---> break migration loop
  vm_start() -> restart guest with inactive
images

and you get:

qemu-system-ppc64: socket_writev_buffer: Got err=104 for 
(32768/18446744073709551615)
qemu-system-ppc64: 
/home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion 
`!(bs->open_flags & 0x0800)' failed.
Aborted (core dumped)

If we try postcopy with a similar scenario, we also get the writev error
message but QEMU leaves the guest paused because entered_postcopy is true.

We could possibly do the same with precopy and leave the guest paused.
But since the historical default for migration errors is to restart the
source, this patch adds a call to bdrv_invalidate_cache_all() instead.

Signed-off-by: Greg Kurz 
Message-Id: <146357896785.6003.11983081732454362715.st...@bahia.huguette.org>
Signed-off-by: Amit Shah 
(cherry picked from commit fe904ea8242cbae2d7e69c052c754b8f5f1ba1d6)
Signed-off-by: Michael Roth 
---
 migration/migration.c | 17 +++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index 991313a..0563b4c 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -1597,19 +1597,32 @@ static void migration_completion(MigrationState *s, int 
current_active_state,
 rp_error = await_return_path_close_on_source(s);
 trace_migration_completion_postcopy_end_after_rp(rp_error);
 if (rp_error) {
-goto fail;
+goto fail_invalidate;
 }
 }
 
 if (qemu_file_get_error(s->to_dst_file)) {
 trace_migration_completion_file_err();
-goto fail;
+goto fail_invalidate;
 }
 
 migrate_set_state(>state, current_active_state,
   MIGRATION_STATUS_COMPLETED);
 return;
 
+fail_invalidate:
+/* If not doing postcopy, vm_start() will be called: let's regain
+ * control on images.
+ */
+if (s->state == MIGRATION_STATUS_ACTIVE) {
+Error *local_err = NULL;
+
+bdrv_invalidate_cache_all(_err);
+if (local_err) {
+error_report_err(local_err);
+}
+}
+
 fail:
 migrate_set_state(>state, current_active_state,
   MIGRATION_STATUS_FAILED);
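Review bot: a failure of bdrv_invalidate_cache_all() is only reported and then execution falls through to fail:, so the caller's vm_start() still runs with inactive images, which is exactly the block/io.c assertion the commit message describes. Consider leaving the guest paused (or recording the failure in the migration state) when local_err is set rather than just printing it. The "not doing postcopy" comment also relies on MIGRATION_STATUS_ACTIVE being the only non-postcopy state that reaches this label; a note tying that to current_active_state would make the assumption explicit.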
-- 
1.9.1




[Qemu-devel] [PATCH 09/56] configure: Allow builds with extra warnings

2016-08-08 Thread Michael Roth
From: Stefan Weil 

The clang compiler supports a useful compiler option -Weverything,
and GCC also has other warnings not enabled by -Wall.

If glib header files trigger a warning, however, testing glib with
-Werror will always fail. A size mismatch is also detected without
-Werror, so simply remove it.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Stefan Weil 
Message-Id: <1461879221-13338-1-git-send-email...@weilnetz.de>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit 5919e0328b7d6a08a661c3c747bae3e841d4e6f4)
Signed-off-by: Michael Roth 
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index c37fc5f..49bdb4b 100755
--- a/configure
+++ b/configure
@@ -2967,7 +2967,7 @@ int main(void) {
 }
 EOF
 
-if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then
+if ! compile_prog "$CFLAGS" "$LIBS" ; then
 error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\
"You probably need to set PKG_CONFIG_LIBDIR"\
   "to point to the right pkg-config files for your"\
-- 
1.9.1




[Qemu-devel] [PATCH 13/56] esp: check command buffer length before write(CVE-2016-4439)

2016-08-08 Thread Michael Roth
From: Prasad J Pandit 

The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.

Fixes CVE-2016-4439.

Reported-by: Li Qiang 
Cc: qemu-sta...@nongnu.org
Signed-off-by: Prasad J Pandit 
Message-Id: <1463654371-11169-2-git-send-email-ppan...@redhat.com>
Signed-off-by: Paolo Bonzini 
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
Signed-off-by: Michael Roth 
---
 hw/scsi/esp.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t 
val)
 break;
 case ESP_FIFO:
 if (s->do_cmd) {
-s->cmdbuf[s->cmdlen++] = val & 0xff;
+if (s->cmdlen < TI_BUFSZ) {
+s->cmdbuf[s->cmdlen++] = val & 0xff;
+} else {
+trace_esp_error_fifo_overrun();
+}
 } else if (s->ti_size == TI_BUFSZ - 1) {
 trace_esp_error_fifo_overrun();
 } else {
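Review bot: the s->cmdlen < TI_BUFSZ bound correctly stops the write at the 16-byte buffer, and on overflow the byte is dropped after trace_esp_error_fifo_overrun(), mirroring the existing ti_size == TI_BUFSZ - 1 branch below; the guest gets no error indication, so a comment that silently dropping is the intended response would help future readers. This covers only the register-write path into cmdbuf; the DMA path is addressed separately by the CVE-2016-4441 patch listed in the round-up.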
-- 
1.9.1




[Qemu-devel] Abort with qemu-aarch64(latest git master)

2016-08-08 Thread Pranith Kumar
I am seeing an abort when I run qemu-aarch64 on a multi-threaded ARM64
executable. Is this a valid use case or is multi-threading still not supported?

The back trace is as follows. You can find it as a paste for easier reading
here: http://paste.ubuntu.com/22734688/

#0  0x7684c418 in __GI_raise (sig=sig@entry=6) at
 ../sysdeps/unix/sysv/linux/raise.c:54
 #1  0x7684e01a in __GI_abort () at abort.c:89
 #2  0x7688e72a in __libc_message (do_abort=do_abort@entry=2,
 fmt=fmt@entry=0x769a76b0 "*** Error in `%s': %s: 0x%s ***\n") at
 ../sysdeps/posix/libc_fatal.c:175
 #3  0x7689648d in malloc_printerr (ar_ptr=0x76bdab20
 , ptr=, str=0x769a7728 "free(): invalid next
 size (fast)", action=3) at malloc.c:5007
 #4  _int_free (have_lock=1, p=, av=0x76bdab20
 ) at malloc.c:3868
 #5  free_check (mem=, caller=) at hooks.c:324
 #6  0x7689ab67 in __GI___libc_free (mem=) at
 malloc.c:2943
 #7  0x77afdf2d in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #8  0x77afe0cf in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #9  0x77afe4ba in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #10 0x556a7490 in object_property_add (obj=0x57a17600,
 name=0x57b530f0 "device[7]", type=0x57b53170 "child",
 get=0x556a82e1 , set=0x0,
 release=0x556a8375 ,
 opaque=0x57b3eb00, errp=0x77f42eb0) at
 /home/pranith/devops/code/qemu/qom/object.c:947
 #11 0x556a8490 in object_property_add_child (obj=0x57a17600,
 name=0x57b530f0 "device[7]", child=0x57b3eb00, errp=0x579f6478
 )
 at /home/pranith/devops/code/qemu/qom/object.c:1382
 #12 0x5569f7b7 in device_set_realized (obj=0x57b3eb00,
 value=true, errp=0x77f430b0) at
 /home/pranith/devops/code/qemu/hw/core/qdev.c:902
 #13 0x556a94d1 in property_set_bool (obj=0x57b3eb00,
 v=0x57b52fb0, name=0x5572388f "realized", opaque=0x57b50ee0,
 errp=0x77f430b0) at /home/pranith/devops/code/qemu/qom/object.c:1853
 #14 0x556a79dc in object_property_set (obj=0x57b3eb00,
 v=0x57b52fb0, name=0x5572388f "realized", errp=0x77f430b0) at
 /home/pranith/devops/code/qemu/qom/object.c:1087
 #15 0x556aa804 in object_property_set_qobject (obj=0x57b3eb00,
 value=0x57b52eb0, name=0x5572388f "realized", errp=0x77f430b0) at
 /home/pranith/devops/code/qemu/qom/qom-qobject.c:27
 #16 0x556a7c7f in object_property_set_bool (obj=0x57b3eb00,
 value=true, name=0x5572388f "realized", errp=0x77f430b0) at
 /home/pranith/devops/code/qemu/qom/object.c:1156
 #17 0x556a416c in cpu_generic_init (typename=0x5570bef9
 "arm-cpu", cpu_model=0x5570457d "any") at
 /home/pranith/devops/code/qemu/qom/cpu.c:76
 #18 0x5563c729 in cpu_arm_init (cpu_model=0x5570457d "any") at
 /home/pranith/devops/code/qemu/target-arm/helper.c:5101
 #19 0x555d030f in cpu_copy (env=0x57abc6a0) at
 /home/pranith/devops/code/qemu/linux-user/main.c:3808
 #20 0x555de45c in do_fork (env=0x57abc6a0, flags=4001536,
 newsp=274939877808, parent_tidptr=274939879792, newtls=274939881360,
 child_tidptr=274939879792)
 at /home/pranith/devops/code/qemu/linux-user/syscall.c:5829
 #21 0x555e5e89 in do_syscall (cpu_env=0x57abc6a0, num=220,
 arg1=4001536, arg2=274939877808, arg3=274939879792, arg4=274939881360,
 arg5=274939879792, arg6=274939881360, arg7=0, arg8=0)
 at /home/pranith/devops/code/qemu/linux-user/syscall.c:9211
 #22 0x555d001d in cpu_loop (env=0x57abc6a0) at
 /home/pranith/devops/code/qemu/linux-user/main.c:1079
 #23 0x555de387 in clone_func (arg=0x7fffbcd0) at
 /home/pranith/devops/code/qemu/linux-user/syscall.c:5798
 #24 0x76be76fa in start_thread (arg=0x77f45700) at
 pthread_create.c:333
 #25 0x7691db5d in clone () at
 ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

-- 
Pranith



Re: [Qemu-devel] [PATCH v2 8/8] configure: Remove detection code for UUID

2016-08-08 Thread Jeff Cody
On Mon, Aug 08, 2016 at 02:09:28PM +0800, Fam Zheng wrote:
> All code now uses built-in UUID implementation. Remove the code of
> libuuid and make --enable-uuid and --disable-uuid only print a message.
> 
> Signed-off-by: Fam Zheng 
> ---
>  configure | 43 ---
>  1 file changed, 4 insertions(+), 39 deletions(-)
> 
> diff --git a/configure b/configure
> index cbb96d5..d6d71f3 100755
> --- a/configure
> +++ b/configure
> @@ -212,7 +212,6 @@ sdlabi=""
>  virtfs=""
>  vnc="yes"
>  sparse="no"
> -uuid=""
>  vde=""
>  vnc_sasl=""
>  vnc_jpeg=""
> @@ -881,10 +880,6 @@ for opt do
>;;
>--disable-slirp) slirp="no"
>;;
> -  --disable-uuid) uuid="no"
> -  ;;
> -  --enable-uuid) uuid="yes"
> -  ;;
>--disable-vde) vde="no"
>;;
>--enable-vde) vde="yes"
> @@ -1096,6 +1091,9 @@ for opt do
>--enable-vhdx|--disable-vhdx)
>echo "$0: $opt is obsolete, VHDX driver is always built"
>;;
> +  --enable-uuid|--disable-uuid)
> +  echo "$0: $opt is obsolete, UUID support is always built"
> +  ;;

As with the vhdx line, this too should probably go out to stderr similar to
the data plane option.

>--disable-gtk) gtk="no"
>;;
>--enable-gtk) gtk="yes"
> @@ -1350,7 +1348,6 @@ disabled with --disable-FEATURE, default is enabled if 
> available:
>bluez   bluez stack connectivity
>kvm KVM acceleration support
>rdmaRDMA-based migration support
> -  uuiduuid support
>vde support for vde network
>netmap  support for netmap network
>linux-aio   Linux AIO support
> @@ -2654,34 +2651,6 @@ if compile_prog "" "" ; then
>  fi
>  
>  ##
> -# uuid_generate() probe, used for vdi block driver
> -# Note that on some systems (notably MacOSX) no extra library
> -# need be linked to get the uuid functions.
> -if test "$uuid" != "no" ; then
> -  uuid_libs="-luuid"
> -  cat > $TMPC << EOF
> -#include 
> -int main(void)
> -{
> -uuid_t my_uuid;
> -uuid_generate(my_uuid);
> -return 0;
> -}
> -EOF
> -  if compile_prog "" "" ; then
> -uuid="yes"
> -  elif compile_prog "" "$uuid_libs" ; then
> -uuid="yes"
> -libs_softmmu="$uuid_libs $libs_softmmu"
> -libs_tools="$uuid_libs $libs_tools"
> -  else
> -if test "$uuid" = "yes" ; then
> -  feature_not_found "uuid" "Install libuuid devel"
> -fi
> -uuid=no
> -  fi
> -fi
> -
>  # xfsctl() probe, used for raw-posix
>  if test "$xfs" != "no" ; then
>cat > $TMPC << EOF
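Review bot: with the probe gone nothing adds -luuid to libs_softmmu or libs_tools any more, which is the intent, but please confirm no remaining source still includes <uuid/uuid.h> or tests CONFIG_UUID outside this series (patch 5/8 removes the block/vpc.c use); otherwise a host with libuuid headers installed would keep building while a clean one fails.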
> @@ -4054,7 +4023,7 @@ EOF
>if compile_prog "$vss_win32_include" "" ; then
>  guest_agent_with_vss="yes"
>  QEMU_CFLAGS="$QEMU_CFLAGS $vss_win32_include"
> -libs_qga="-lole32 -loleaut32 -lshlwapi -luuid -lstdc++ 
> -Wl,--enable-stdcall-fixup $libs_qga"
> +libs_qga="-lole32 -loleaut32 -lshlwapi -lstdc++ 
> -Wl,--enable-stdcall-fixup $libs_qga"
>  qga_vss_provider="qga/vss-win32/qga-vss.dll qga/vss-win32/qga-vss.tlb"
>else
>  if test "$vss_win32_sdk" != "" ; then
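Review bot: -luuid in libs_qga is not libuuid; on MinGW it is the Windows uuid import library that supplies the IID_/CLSID_ GUID symbols used by COM code such as the VSS provider, so dropping it along with the libuuid probe may break linking qga-vss.dll. Keep `-luuid` on this line (or verify a mingw build of the guest agent with VSS still links) before this goes in.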
> @@ -4842,7 +4811,6 @@ echo "preadv support$preadv"
>  echo "fdatasync $fdatasync"
>  echo "madvise   $madvise"
>  echo "posix_madvise $posix_madvise"
> -echo "uuid support  $uuid"
>  echo "libcap-ng support $cap_ng"
>  echo "vhost-net support $vhost_net"
>  echo "vhost-scsi support $vhost_scsi"
> @@ -5030,9 +4998,6 @@ fi
>  if test "$fnmatch" = "yes" ; then
>echo "CONFIG_FNMATCH=y" >> $config_host_mak
>  fi
> -if test "$uuid" = "yes" ; then
> -  echo "CONFIG_UUID=y" >> $config_host_mak
> -fi
>  if test "$xfs" = "yes" ; then
>echo "CONFIG_XFS=y" >> $config_host_mak
>  fi
> -- 
> 2.7.4
> 



Re: [Qemu-devel] [PATCH v2 5/8] vpc: Use QEMU UUID API

2016-08-08 Thread Jeff Cody
On Mon, Aug 08, 2016 at 02:09:25PM +0800, Fam Zheng wrote:
> Previously we conditionally generate if footer->uuid, when libuuid is

s/generate if/generated/

s/is/was/

> available. Now that we have a built-in implementation, we can switch to
> it.
> 
> Signed-off-by: Fam Zheng 
> ---
>  block/vpc.c | 8 ++--
>  1 file changed, 2 insertions(+), 6 deletions(-)
> 
> diff --git a/block/vpc.c b/block/vpc.c
> index 43707ed..4a60438 100644
> --- a/block/vpc.c
> +++ b/block/vpc.c
> @@ -30,9 +30,7 @@
>  #include "qemu/module.h"
>  #include "migration/migration.h"
>  #include "qemu/bswap.h"
> -#if defined(CONFIG_UUID)
> -#include 
> -#endif
> +#include "qemu/uuid.h"
>  
>  /**/
>  
> @@ -980,9 +978,7 @@ static int vpc_create(const char *filename, QemuOpts 
> *opts, Error **errp)
>  
>  footer->type = cpu_to_be32(disk_type);
>  
> -#if defined(CONFIG_UUID)
> -uuid_generate(footer->uuid);
> -#endif
> +qemu_uuid_generate(footer->uuid);
>  
>  footer->checksum = cpu_to_be32(vpc_checksum(buf, HEADER_SIZE));
>  
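Review bot: the call is now unconditional, so footer->uuid must have the type qemu_uuid_generate() expects rather than the raw 16-byte uuid_t array libuuid's uuid_generate() took; if the VHD footer struct still declares it as a byte array this needs the struct change from earlier in the series or an explicit conversion, and it is worth checking that the on-disk footer layout stays 16 bytes at the same offset.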
> -- 
> 2.7.4
> 



[Qemu-devel] [ANNOUNCE] QEMU 2.7.0-rc2 is now available

2016-08-08 Thread Michael Roth
Hello,

On behalf of the QEMU Team, I'd like to announce the availability of the
third release candidate for the QEMU 2.7 release.  This release is meant
for testing purposes and should not be used in a production environment.

http://wiki.qemu.org/download/qemu-2.7.0-rc2.tar.bz2

Known issues with this release candidate:

 * does not build on OpenBSD or NetBSD. We expect to fix this for rc3.

A note from the maintainer:

  Ideally for rc3 (aiming for Monday 15th) we will only put
  in release critical bugfixes, in which case we'll be in
  shape to do a final release by the 19th. If we slip beyond
  that (and in particular if we need an rc4) then the timing
  of KVM Forum means final release will not be until the 29th.

You can help improve the quality of the QEMU 2.7 release by testing this
release and reporting bugs on Launchpad:

https://bugs.launchpad.net/qemu/

The release plan, as well as documented known issues for release
candidates, is available at:

http://wiki.qemu.org/Planning/2.7

Please add entries to the ChangeLog for the 2.7 release below:

http://wiki.qemu.org/ChangeLog/2.7



