- 13 Mar, 2015 1 commit
-
Committed by Paolo Bonzini

There is a not-so-subtle race in QSLIST_INSERT_HEAD_ATOMIC.

Because atomic_cmpxchg returns the old value instead of a success flag, QSLIST_INSERT_HEAD_ATOMIC was checking for success by comparing against the second argument to atomic_cmpxchg. Unfortunately, this only works if the second argument is a local or thread-local variable.

If it is in memory, it can be subject to common subexpression elimination (and then everything's fine) or reloaded after the atomic_cmpxchg, depending on the compiler's whims. If the latter happens, the race can happen. A thread can sneak in, doing something on elm->field.sle_next after the atomic_cmpxchg and before the comparison. This causes a wrong failure, and then two threads are using "elm" at the same time. In the case discovered by Christian, the sequence was likely something like this:

    thread 1                    | thread 2
    QSLIST_INSERT_HEAD_ATOMIC   |
    atomic_cmpxchg succeeds     |
    elm added to list           |
                                | steal release_pool
                                | QSLIST_REMOVE_HEAD
                                | elm removed from list
                                | ...
                                | QSLIST_INSERT_HEAD_ATOMIC
                                | (overwrites sle_next)
    spurious failure            |
    atomic_cmpxchg succeeds     |
    elm added to list again     |
                                |
    steal release_pool          |
    QSLIST_REMOVE_HEAD          |
    elm removed again           |

The last three steps could be done by a third thread as well.

A reproducer that failed in a matter of seconds is as follows:

- the guest has 32 VCPUs on a 28 core host (hyperthreading was enabled), memory was 16G just to err on the safe side (the host has 64G, but hey at least you need no s390)

- the guest has 24 null-aio virtio-blk devices using dataplane (-object iothread,id=ioN -drive if=none,id=blkN,driver=null-aio,size=500G -device virtio-blk-pci,iothread=ioN,drive=blkN)

- the guest also has a single network interface. It's only doing loopback tests so slirp vs. tap and the model doesn't matter.

- the guest is running fio with the following script:

    [global]
    rw=randread
    blocksize=16k
    ioengine=libaio
    runtime=10m
    buffered=0
    fallocate=none
    time_based
    iodepth=32

    [virtio1a]
    filename=/dev/block/252\:16

    [virtio1b]
    filename=/dev/block/252\:16

    ...

    [virtio24a]
    filename=/dev/block/252\:384

    [virtio24b]
    filename=/dev/block/252\:384

    [listen1]
    protocol=tcp
    ioengine=net
    port=12345
    listen
    rw=read
    bs=4k
    size=1000g

    [connect1]
    protocol=tcp
    hostname=localhost
    ioengine=net
    port=12345
    protocol=tcp
    rw=write
    startdelay=1
    size=1000g

    ...

    [listen8]
    protocol=tcp
    ioengine=net
    port=12352
    listen
    rw=read
    bs=4k
    size=1000g

    [connect8]
    protocol=tcp
    hostname=localhost
    ioengine=net
    port=12352
    rw=write
    startdelay=1
    size=1000g

Moral of the story: I should refrain from writing more clever stuff. At least it looks like it is not too clever to be undebuggable.

Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1426002357-6889-1-git-send-email-pbonzini@redhat.com
Fixes: c740ad92
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
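The race described in the commit message above, modelled deterministically in C as an added example (not QEMU's code and not part of the commit). The `struct node`/`struct list` types, all function names and the `thread2_steals_and_reuses` hook are constructed for illustration; the hook stands in for the second thread running between the compare-and-swap and the success check.

```c
#include <stdatomic.h>
#include <stddef.h>

struct node { struct node *next; };
struct list { _Atomic(struct node *) first; };

/* Returns the OLD head, not a success flag, as the commit says atomic_cmpxchg does. */
static struct node *cmpxchg_old(struct list *l, struct node *expect, struct node *elm)
{
    atomic_compare_exchange_strong(&l->first, &expect, elm);
    return expect;              /* untouched on success, current head on failure */
}

/* Constructed stand-in for thread 2: fires once, between cmpxchg and the check. */
static struct list *other_list; /* list that thread 2 re-inserts elm into */
static int armed;

static void thread2_steals_and_reuses(struct list *pool)
{
    if (!armed) return;
    armed = 0;
    struct node *elm = atomic_exchange(&pool->first, NULL); /* steal the pool */
    elm->next = atomic_load(&other_list->first);            /* overwrites next */
    atomic_store(&other_list->first, elm);                  /* elm reused elsewhere */
}

/* BEFORE: success is judged against elm->next, re-read from shared memory. */
static int insert_head_racy(struct list *l, struct node *elm)
{
    for (int attempts = 1; ; attempts++) {
        elm->next = atomic_load(&l->first);
        struct node *old = cmpxchg_old(l, elm->next, elm);
        thread2_steals_and_reuses(l);
        if (old == elm->next) return attempts;  /* elm may no longer be ours */
    }
}

/* AFTER: the expected value lives in a local that no other thread can touch. */
static int insert_head_fixed(struct list *l, struct node *elm)
{
    for (int attempts = 1; ; attempts++) {
        struct node *saved = elm->next = atomic_load(&l->first);
        struct node *old = cmpxchg_old(l, saved, elm);
        thread2_steals_and_reuses(l);
        if (old == saved) return attempts;
    }
}

/* Returns 1 if elm ends up at the head of both lists (the double use). */
static int elm_on_both_lists(int (*insert)(struct list *, struct node *), int *attempts)
{
    struct node a = { NULL }, b = { NULL }, elm = { NULL };
    struct list pool, other;
    atomic_init(&pool.first, &a);
    atomic_init(&other.first, &b);
    other_list = &other; armed = 1;
    *attempts = insert(&pool, &elm);
    return atomic_load(&pool.first) == &elm && atomic_load(&other.first) == &elm;
}

int main(void)
{
    int n, racy = elm_on_both_lists(insert_head_racy, &n);
    return !(racy == 1 && elm_on_both_lists(insert_head_fixed, &n) == 0);
}
```

In the racy run the retry also rewrites `elm->next`, so the node that was already on the other list is silently dropped from it.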
-
- 12 Mar, 2015 31 commits
-
Committed by Peter Maydell

vnc: bugfixes and cleanups.

# gpg: Signature made Thu Mar 12 08:58:39 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20150312-1:
  vnc: fix segmentation fault when invalid vnc parameters are specified
  vnc: avoid possible file handler leak
  ui/console: fix OVERFLOW_BEFORE_WIDEN
  ui: fix regression in x509verify parameter for VNC server
  vnc: switch to inet_listen_opts
  vnc: remove dead code
  vnc: drop display+ws_display from VncDisplay

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Committed by Peter Maydell

misc fixes and cleanups

A bunch of fixes all over the place, some of the bugs fixed are actually regressions.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Wed Mar 11 17:48:30 2015 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (25 commits)
  virtio-scsi: remove empty wrapper for cmd
  virtio-scsi: clean out duplicate cdb field
  virtio-scsi: fix cdb/sense size
  uapi/virtio_scsi: allow overriding CDB/SENSE size
  virtio-scsi: drop duplicate CDB/SENSE SIZE
  exec: don't include hw/boards for linux-user
  acpi: specify format for build_append_namestring
  MAINTAINERS: drop aliguori@amazon.com
  tpm: Move memory subregion function into realize function
  virtio-pci: Convert to realize()
  pci: Convert pci_nic_init() to Error to avoid qdev_init()
  machine: query mem-merge machine property
  machine: query dump-guest-core machine property
  hw/boards: make it safe to include for linux-user
  machine: query phandle-start machine property
  machine: query kvm-shadow-mem machine property
  kvm: add machine state to kvm_arch_init
  machine: query kernel-irqchip property
  machine: allowed/required kernel-irqchip support
  machine: replace qemu opts with iommu property
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Committed by Gonglei

Reproducer:

    #./qemu-system-x86_64 -vnc :0,ip
    qemu-system-x86_64: -vnc :1,ip: Invalid parameter 'ip'
    Segmentation fault (core dumped)

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Committed by Gonglei

vs->lsock may equal to 0, modify the check condition, avoid possible vs->lsock leak.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Committed by Gonglei

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Committed by Daniel P. Berrange

The 'x509verify' parameter is documented as taking a path to the x509 certificates, ie the same syntax as the 'x509' parameter.

    commit 4db14629
    Author: Gerd Hoffmann <kraxel@redhat.com>
    Date: Tue Sep 16 12:33:03 2014 +0200

        vnc: switch to QemuOpts, allow multiple servers

caused a regression by turning 'x509verify' into a boolean parameter instead. This breaks setup from libvirt and is not consistent with the docs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Committed by Gerd Hoffmann

Use inet_listen_opts instead of inet_listen. Allows us to drop some pointless indirection: Format strings just to parse them again later on.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
-
Committed by Gerd Hoffmann

If vs->ws_enabled is set ws_display is non-NULL.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
-
Committed by Gerd Hoffmann

Nobody cares about those strings, they are only used to check whenever the vnc server / websocket support is enabled or not. Add bools for this and drop the strings.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
-
Committed by Peter Maydell

MIPS patches 2015-03-11

Changes:
* use VMStateDescription for MIPS CPU

# gpg: Signature made Wed Mar 11 15:01:52 2015 GMT using RSA key ID 0B29DA6B
# gpg: Can't check signature: public key not found

* remotes/lalrae/tags/mips-20150311:
  target-mips: add missing MSACSR and restore fp_status and hflags
  target-mips: replace cpu_save/cpu_load with VMStateDescription

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Committed by Michael S. Tsirkin

The anonymous struct only has a single field now, drop the wrapper structure.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Michael S. Tsirkin

cdb is now part of cmd, drop it from req. There's also nothing to check using build assert now.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Michael S. Tsirkin

Commit "virtio-scsi: use standard-headers" added cdb and sense into req/rep structures, which breaks uses of sizeof for these structures, since qemu adds its own arrays on top.

To fix, redefine CDB/sense field size to 0.

Reported-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Michael S. Tsirkin

QEMU wants to use virtio scsi structures with a different VIRTIO_SCSI_CDB_SIZE/VIRTIO_SCSI_SENSE_SIZE, let's add ifdefs to allow overriding them.

Keep the old defines under new names: VIRTIO_SCSI_CDB_DEFAULT_SIZE/VIRTIO_SCSI_SENSE_DEFAULT_SIZE, since that's what these values really are: defaults for cdb/sense size fields.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Michael S. Tsirkin

This is duplicated from the kernel header, drop our copy.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Michael S. Tsirkin

As noted by Andreas, hw/boards.h shouldn't be used outside softmmu code. Include it conditionally, and drop the (now unnecessary) ifdef guards in hw/boards.h

Reported-by: Andreas Färber <afaerber@suse.de>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
-
Committed by Michael S. Tsirkin

Will catch users if we misused it.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-
Committed by Michael S. Tsirkin

It's sad when a friend leaves, but we have to move on. Drop Anthony's email from MAINTAINERS so he stops getting irrelevant email.

Got Anthony's ack off-list.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Anthony Liguori <aliguori@amazon.com>
-
Committed by Stefan Berger

Move the memory subregion function into the DeviceClass realize function due to isa_address_space (now) crashing if called in the instance init function.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Markus Armbruster

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Markus Armbruster

qdev_init() is deprecated, and will be removed when its callers have been weaned off it.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Marcel Apfelbaum

Running

    qemu-bin ... -machine pc,mem-merge=on

leads to crash:

    x86_64-softmmu/qemu-system-x86_64 -machine pc,dump-guest-core=on
    qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed.
    Aborted (core dumped)

This happens because the commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Fix this by querying machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Marcel Apfelbaum

Running

    qemu-bin ... -machine pc,dump-guest-core=on

leads to crash:

    x86_64-softmmu/qemu-system-x86_64 -machine pc,dump-guest-core=on
    qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed.
    Aborted (core dumped)

This happens because the commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Fix this by querying machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Michael S. Tsirkin

Make it safe to include hw/boards.h in exec.c for linux-user configurations. We don't need any of its contents though.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Marcel Apfelbaum

Commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Query phandle-start by accessing machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Marcel Apfelbaum

Commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Query kvm-shadow-mem by accessing machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Marcel Apfelbaum

Needed to query machine's properties.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Marcel Apfelbaum

Running

    x86_64-softmmu/qemu-system-x86_64 -machine pc,kernel_irqchip=on -enable-kvm

leads to crash:

    qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed.
    Aborted (core dumped)

This happens because the commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Fix this by querying machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Marcel Apfelbaum

The code using kernel-irqchip property requires 'allowed/required' functionality. Replace machine's kernel_irqchip field with two fields representing the new functionality and expose them through wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Marcel Apfelbaum

Fixes a QEMU crash when passing iommu parameter in command line.

Running

    x86_64-softmmu/qemu-system-x86_64 -machine pc,iommu=on -enable-kvm

leads to crash:

    qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed.
    Aborted (core dumped)

This happens because commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties.

Fix this by querying machine properties through designated wrappers.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Peter Maydell

target-arm queue:
 * fix a bug in bitops.h
 * implement SD card support on integratorcp
 * add a missing 'compatible' property for Cortex-A57
 * add Netduino 2 machine model
 * fix command line parsing bug for CPU options with multiple CPUs

# gpg: Signature made Wed Mar 11 14:14:22 2015 GMT using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20150311:
  bitops.h: sextract64() return type should be int64_t, not uint64_t
  integrator/cp: Implement CARDIN and WPROT signals
  integrator/cp: Model CP control registers as sysbus device
  target-arm: Add missing compatible property to A57
  netduino2: Add the Netduino 2 Machine
  stm32f205: Add the stm32f205 SoC
  stm32f2xx_SYSCFG: Add the stm32f2xx SYSCFG
  stm32f2xx_USART: Add the stm32f2xx USART Controller
  stm32f2xx_timer: Add the stm32f2xx Timer
  hw/arm/virt: fix cmdline parsing bug with CPU options and smp > 1

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
- 11 Mar, 2015 8 commits
-
Committed by Peter Maydell

s390x/kvm: Features and fixes for 2.3

- an extension to the elf loader to allow relocations
- make the ccw bios relocatable. This allows for bigger ramdisks or smaller guests
- Handle all slow SIGPs in QEMU (instead of kernel) for better compliance and correctness
- tell the KVM module the maximum guest size. This allows KVM to reduce the number of page table levels
- Several fixes/cleanups

# gpg: Signature made Wed Mar 11 10:17:13 2015 GMT using RSA key ID B5A61C7C
# gpg: Good signature from "Christian Borntraeger (IBM) <borntraeger@de.ibm.com>"

* remotes/borntraeger/tags/s390x-20150310:
  s390-ccw: rebuild BIOS
  s390/bios: Make the s390-ccw.img relocatable
  elf-loader: Provide the possibility to relocate s390 ELF files
  s390-ccw.img: Reinitialize guessing on reboot
  s390-ccw.img: Allow bigger ramdisk sizes or offsets
  s390x/kvm: passing max memory size to accelerator
  virtio-ccw: Convert to realize()
  virtio-s390: Convert to realize()
  virtio-s390: s390_virtio_device_init() can't fail, simplify
  s390x/kvm: enable the new SIGP handling in user space
  s390x/kvm: deliver SIGP RESTART directly if stopped
  s390x: add function to deliver restart irqs
  s390x/kvm: SIGP START is only applicable when STOPPED
  s390x/kvm: implement handling of new SIGP orders
  s390x/kvm: trace all SIGP orders
  s390x/kvm: helper to set the SIGP status in SigpInfo
  s390x/kvm: pass the SIGP instruction parameter to the SIGP handler
  s390x/kvm: more details for SIGP handler with one destination vcpu
  s390x: introduce defines for SIGP condition codes
  synchronize Linux headers to 4.0-rc3

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Committed by Michael S. Tsirkin

clang undefined behaviour sanitizer reports:

> hw/pci/shpc.c:162:27: runtime error: left shift of 1 by 31 places
> cannot be represented in type 'int'

Caused by the usual lack of a 'U' qualifier on a constant 1 being shifted left.

Fix it up.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Michael S. Tsirkin

commit ecdc7bab "acpi: fix aml_equal term implementation" dropped a useless Zero in generated code, update expected files appropriately.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Peter Maydell

virtio-serial: fix crash on port hotplug when a previously-added port did not have the 'name' property set.

# gpg: Signature made Wed Mar 11 11:13:53 2015 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg: aka "Amit Shah <amit@kernel.org>"
# gpg: aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit/tags/vser-for-2.3-1:
  virtio-serial: fix segfault on NULL port names

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Committed by Leon Alrae

Save MSACSR state. Also remove fp_status, msa_fp_status, hflags and restore them in post_load() from the architectural registers.

Float exception flags are not present in vmstate. Information they carry is used only by softfloat caller who translates them into MIPS FCSR.Cause, FCSR.Flags and then they are cleared. Therefore there is no need for saving them in vmstate.

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
-
Committed by Leon Alrae

Create VMStateDescription for MIPS CPU. The new structure contains exactly the same fields as before, therefore leaving existing version_id.

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
-
Committed by Peter Maydell

The documentation for sextract64() claims that the return type is an int64_t, but the code itself disagrees. Fix the return type to conform to the documentation and to bring it into line with sextract32(), which returns int32_t.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Message-id: 1423231328-15662-1-git-send-email-peter.maydell@linaro.org
-
Committed by Jan Kiszka

This allows to use the SD card emulation of the board: Forward the signals from the pl181 to the CP control register emulation, report the current state via CP_INTREG, deliver CARDIN IRQ to the secondary interrupt controller and also support clearing that line via CP_INTREG.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-id: c55d9fb28d19ec83625cb0074b3b6f2e5958caf6.1426004843.git.jan.kiszka@siemens.com
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-