Our permission system is useful to define what operations are allowed
on a certain block node and includes things like BLK_PERM_WRITE or
BLK_PERM_RESIZE among others.

One of the permissions is BLK_PERM_GRAPH_MOD which allows "changing
the node that this BdrvChild points to". The exact meaning of this has
never been very clear, but it can be understood as "change any of the
links connected to the node". This can be used to prevent changing a
backing link, but it's too coarse.

This patch adds a new 'frozen' attribute to BdrvChild, which forbids
detaching the link from the node it points to, and new API to freeze
and unfreeze a backing chain.

After this change a few functions can fail, so they need additional
checks.
Signed-off-by: NAlberto Garcia <berto@igalia.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The implementation used blocks units rather than the expected bytes.

Fixes: c03e7ef1 ("nvme: Implement Write Zeroes")
Reported-by: NMing Lei <ming.lei@redhat.com>
Signed-off-by: NKeith Busch <keith.busch@intel.com>
Reviewed-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Until now, with auto-read-only=on we tried to open the file read-write
first and if that failed, read-only was tried. This is actually not good
enough for libvirt, which gives QEMU SELinux permissions for read-write
only as soon as it actually intends to write to the image. So we need to
be able to switch between read-only and read-write at runtime.

This patch makes auto-read-only dynamic, i.e. the file is opened
read-only as long as no user of the node has requested write
permissions, but it is automatically reopened read-write as soon as the
first writer is attached. Conversely, if the last writer goes away, the
file is reopened read-only again.

bs->read_only is no longer set for auto-read-only=on files even if the
file descriptor is opened read-only because it will be transparently
upgraded as soon as a writer is attached. This changes the output of
qemu-iotests 232.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

In order to be able to dynamically reopen the file read-only or
read-write, depending on the users that are attached, we need to be able
to switch to a different file descriptor during the permission change.

This interacts with reopen, which also creates a new file descriptor and
performs permission changes internally. In this case, the permission
change code must reuse the reopen file descriptor instead of creating a
third one.

In turn, reopen can drop its code to copy file locks to the new file
descriptor because that is now done when applying the new permissions.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

There is no reason why we can take locks on the new file descriptor only
in raw_reopen_commit() where error handling isn't possible any more.
Instead, we can already do this in raw_reopen_prepare().
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

We'll want to access the file descriptor in the reopen_state while
processing permission changes in the context of the repoen.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Using a different read-only setting for bs->open_flags than for the
flags to the driver's open function is just inconsistent and a bad idea.
After this patch, the temporary snapshot keeps being opened read-only if
read-only=on,snapshot=on is passed.

If we wanted to change this behaviour to make only the orginal image
file read-only, but the temporary overlay read-write (as the comment in
the removed code suggests), that change would have to be made in
bdrv_temp_snapshot_options() (where the comment suggests otherwise).

Addressing this inconsistency before introducing dynamic auto-read-only
is important because otherwise we would immediately try to reopen the
temporary overlay even though the file is already unlinked.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The way that reopen interacts with permission changes has one big
problem: Both operations are recursive, and the permissions are changes
for each node in the reopen queue.

For a simple graph that consists just of parent and child,
.bdrv_check_perm will be called twice for the child, once recursively
when adjusting the permissions of parent, and once again when the child
itself is reopened.

Even worse, the first .bdrv_check_perm call happens before
.bdrv_reopen_prepare was called for the child and the second one is
called afterwards.

Making sure that .bdrv_check_perm (and the other permission callbacks)
are called only once is hard. We can cope with multiple calls right now,
but as soon as file-posix gets a dynamic auto-read-only that may need to
open a new file descriptor, we get the additional requirement that all
of them are after the .bdrv_reopen_prepare call.

So reorder things in bdrv_reopen_multiple() to first call
.bdrv_reopen_prepare for all involved nodes and only then adjust
permissions.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NAlberto Garcia <berto@igalia.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

tests/virtio-blk-test uses a temporary image file that it deletes while
QEMU is still running, so it can't be reopened when writers are
attached or detached. Disable auto-read-only to keep it always writable.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Drop x- and x_ prefixes for latency histograms and update version to
4.0
Signed-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The glfs_*_async() functions do a callback once finished. This callback
has changed its arguments, pre- and post-stat structures have been
added. This makes it possible to improve caching, which is useful for
Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first
release that includes these new arguments.

With an additional detection in ./configure, the new arguments can
conditionally get included in the glfs_io_cbk handler.
Signed-off-by: NNiels de Vos <ndevos@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

New versions of Glusters libgfapi.so have an updated glfs_ftruncate()
function that returns additional 'struct stat' structures to enable
advanced caching of attributes. This is useful for file servers, not so
much for QEMU. Nevertheless, the API has changed and needs to be
adopted.
Signed-off-by: NPrasanna Kumar Kalever <prasanna.kalever@redhat.com>
Signed-off-by: NNiels de Vos <ndevos@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Pflash and firmware configuration patches for 2019-03-11

# gpg: Signature made Mon 11 Mar 2019 21:59:12 GMT
# gpg:                using RSA key 3870B400EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-pflash-2019-03-11: (27 commits)
  docs/interop/firmware.json: Prefer -machine to if=pflash
  pc: Support firmware configuration with -blockdev
  pc_sysfw: Pass PCMachineState to pc_system_firmware_init()
  pc_sysfw: Remove unused PcSysFwDevice
  pflash_cfi01: Add pflash_cfi01_get_blk() helper
  vl: Create block backends before setting machine properties
  vl: Factor configure_blockdev() out of main()
  vl: Improve legibility of BlockdevOptions queue
  sysbus: Fix latent bug with onboard devices
  vl: Fix latent bug with -global and onboard devices
  qom: Move compat_props machinery from qdev to QOM
  qdev: Fix latent bug with compat_props and onboard devices
  pflash: Clean up after commit 368a354f, part 2
  pflash: Clean up after commit 368a354f, part 1
  mips_malta: Clean up definition of flash memory size somewhat
  hw/mips/malta: Restrict 'bios_size' variable scope
  hw/mips/malta: Remove fl_sectors variable
  mips_malta: Delete disabled, broken DEBUG_BOARD_INIT code
  r2d: Fix flash memory size, sector size, width, device ID
  ppc405_boards: Don't size flash memory to match backing image
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

ppc patch queue for 2019-03-10

This pull requests supersedes ppc-for-4.0-20190310.  Changes are:
 * Fixed a bunch of minor style problems
 * Suppressed warnings about Spectre/Meltdown mitigations with TCG
 * Added one more patch, a preliminary fix towards the not-quite-ready
   support for NVLink VFIO passthrough.

This is a final pull request before the 4.0 soft freeze.  Changes
include:
  * A Great Renaming to use camel case properly in spapr code
  * Optimization of some vector instructions
  * Support for POWER9 cpus in the powernv machine
  * Fixes a regression from the last pull request in handling VSX
    instructions with mixed operands from the FPR and VMX parts of the
    register array
  * Optimization hack to avoid scanning all the (empty) entries on a
    new IOMMU window
  * Add FSL I2C controller model for E500
  * Support for KVM acceleration of the H_PAGE_INIT hypercall on spapr
  * Update u-boot image for E500
  * Enable Specre/Meltdown mitigations by default on the new machine type
  * Enable large decrementer support for POWER9

# gpg: Signature made Tue 12 Mar 2019 08:14:51 GMT
# gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-4.0-20190312: (62 commits)
  vfio: Make vfio_get_region_info_cap public
  Suppress test warnings about missing Spectre/Meltdown mitigations with TCG
  spapr: Use CamelCase properly
  target/ppc: Optimize x[sv]xsigdp using deposit_i64()
  target/ppc: Optimize xviexpdp() using deposit_i64()
  target/ppc: add HV support for POWER9
  ppc/pnv: add a "ibm,opal/power-mgt" device tree node on POWER9
  ppc/pnv: add more dummy XSCOM addresses
  ppc/pnv: activate XSCOM tests for POWER9
  ppc/pnv: POWER9 XSCOM quad support
  ppc/pnv: extend XSCOM core support for POWER9
  ppc/pnv: add a OCC model for POWER9
  ppc/pnv: add a OCC model class
  ppc/pnv: add SerIRQ routing registers
  ppc/pnv: add a LPC Controller model for POWER9
  ppc/pnv: add a 'dt_isa_nodename' to the chip
  ppc/pnv: add a LPC Controller class model
  ppc/pnv: lpc: fix OPB address ranges
  ppc/pnv: add a PSI bridge model for POWER9
  ppc/pnv: add a PSI bridge class model
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This makes vfio_get_region_info_cap() to be used in quirks.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Acked-by: NAlex Williamson <alex.williamson@redhat.com>
Message-Id: <20190307050518.64968-3-aik@ozlabs.ru>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The new pseries-4.0 machine type defaults to enabling Spectre/Meltdown
mitigations.  Unfortunately those mitigations aren't implemented for TCG
because we're not yet sure if they're necessary or how to implement them.
We don't fail fatally, but we do warn in this case, because it is quite
plausible that Spectre/Meltdown can be exploited through TCG (at least for
the guest to get access to the qemu address space).

This create noise in our testcases though.  So, modify the affected tests
to explicitly disable the mitigations to suppress these warnings.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The qemu coding standard is to use CamelCase for type and structure names,
and the pseries code follows that... sort of.  There are quite a lot of
places where we bend the rules in order to preserve the capitalization of
internal acronyms like "PHB", "TCE", "DIMM" and most commonly "sPAPR".

That was a bad idea - it frequently leads to names ending up with hard to
read clusters of capital letters, and means they don't catch the eye as
type identifiers, which is kind of the point of the CamelCase convention in
the first place.

In short, keeping type identifiers look like CamelCase is more important
than preserving standard capitalization of internal "words".  So, this
patch renames a heap of spapr internal type names to a more standard
CamelCase.

In addition to case changes, we also make some other identifier renames:
  VIOsPAPR* -> SpaprVio*
    The reverse word ordering was only ever used to mitigate the capital
    cluster, so revert to the natural ordering.
  VIOsPAPRVTYDevice -> SpaprVioVty
  VIOsPAPRVLANDevice -> SpaprVioVlan
    Brevity, since the "Device" didn't add useful information
  sPAPRDRConnector -> SpaprDrc
  sPAPRDRConnectorClass -> SpaprDrcClass
    Brevity, and makes it clearer this is the same thing as a "DRC"
    mentioned in many other places in the code

This is 100% a mechanical search-and-replace patch.  It will, however,
conflict with essentially any and all outstanding patches touching the
spapr code.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20190309214255.9952-3-f4bug@amsat.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The t0 tcg_temp register is now unused, remove it.
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20190309214255.9952-2-f4bug@amsat.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

We now have enough support to boot a PowerNV machine with a POWER9
processor. Allow HV mode on POWER9.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-16-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Activate only stop0 and stop1 levels. We should not need more levels
when under QEMU.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-15-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

To improve OPAL/skiboot support. We don't need to strictly model these
XSCOM accesses.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-14-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

We now have enough support to let the XSCOM test run on POWER9.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-13-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The POWER9 processor does not support per-core frequency control. The
cores are arranged in groups of four, along with their respective L2
and L3 caches, into a structure known as a Quad. The frequency must be
managed at the Quad level.

Provide a basic Quad model to fake the settings done by the firmware
on the Non-Cacheable Unit (NCU). Each core pair (EX) needs a special
BAR setting for the TIMA area of XIVE because it resides on the same
address on all chips.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-12-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Provide a new class attribute to define XSCOM operations per CPU
family and add a couple of XSCOM addresses controlling the power
management states of the core on POWER9.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-11-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The OCC on POWER9 is very similar to the one found on POWER8. Provide
the same routines with P9 values for the registers and IRQ number.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-10-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

To ease the introduction of the OCC model for POWER9, provide a new
class attributes to define XSCOM operations per CPU family and a PSI
IRQ number.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Message-Id: <20190307223548.20516-9-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

This is just a simple reminder that SerIRQ routing should be
addressed.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-8-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The LPC Controller on POWER9 is very similar to the one found on
POWER8 but accesses are now done via on MMIOs, without the XSCOM and
ECCB logic. The device tree is populated differently so we add a
specific POWER9 routine for the purpose.

SerIRQ routing is yet to be done.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-7-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The ISA bus has a different DT nodename on POWER9. Compute the name
when the PnvChip is realized, that is before it is used by the machine
to populate the device tree with the ISA devices.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-6-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

It will ease the introduction of the LPC Controller model for POWER9.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Message-Id: <20190307223548.20516-5-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The PowerNV LPC Controller exposes different sets of registers for
each of the functional units it encompasses, among which the OPB
(On-Chip Peripheral Bus) Master and Arbitrer and the LPC HOST
Controller.

The mapping addresses of each register range are correct but the sizes
are too large. Fix the sizes and define the OPB Arbitrer range to fill
the gap between the OPB Master registers and the LPC HOST Controller
registers.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-4-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The PSI bridge on POWER9 is very similar to POWER8. The BAR is still
set through XSCOM but the controls are now entirely done with MMIOs.
More interrupts are defined and the interrupt controller interface has
changed to XIVE. The POWER9 model is a first example of the usage of
the notify() handler of the XiveNotifier interface, linking the PSI
XiveSource to its owning device model.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-3-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

To ease the introduction of the PSI bridge model for POWER9, abstract
the POWER chip differences in a PnvPsi class model and introduce a
specific Pnv8Psi type for POWER8. POWER8 interface to the interrupt
controller is still XICS whereas POWER9 uses the new XIVE model.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Message-Id: <20190307223548.20516-2-clg@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

When using -drive to configure the hd drive for the New World machine, the node
name "disk" should be used instead of the "hd" alias.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20190307212058.4890-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

When using -drive to configure the hd drive for the Old World machine, the node
name "disk" should be used instead of the "hd" alias.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20190307212058.4890-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>