When running the s390x virtio machine we can potentially use uninitialized
memory for the virtio device backing ram. That can lead to weird breakge.

So let's better initialize it to 0 properly.
Reported-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

---

v1 -> v2:

  - use target_phys_addr_t

Including tcg_out_ld, tcg_out_st, tcg_out_mov, tcg_out_movi.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Most targets did not name the enum; tci used TCGRegister.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Now that we have code in place to do refcounting of online CPUs, we
can drag the TCG code along and implement shutdown for that one too,
so it doesn't feel left out by its KVM counterpart.
Signed-off-by: NAlexander Graf <agraf@suse.de>

On s390 a shutdown is the state of all CPUs being either stopped
or disabled (for interrupts) waiting. We have to track the overall
number of running CPUs to call the shutdown sequence accordingly.
This patch implements the counting and shutdown handling for the
kvm path in qemu.
Lets also wrap changes to env->halted and env->exception_index.
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The default kernel command line for s390 is
"root=/dev/ram0 ro"

When overriding this line, we have to ensure to also copy the \0 to
avoid false lines, for example, -append "root=/dev/vda" will result in
"root=/dev/vda0 ro" with the current code.
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This patch fixes the reset hypercall which is supposed to also
reset the device status in device memory.
This fixes the following bug:

[root@localhost driver]# echo virtio0 > unbind
[   35.056966] ------------[ cut here ]------------
[   35.057054] kernel BUG at drivers/virtio/virtio.c:157!
[   35.057113] illegal operation: 0001 [#1] SMP
[   35.057181] Modules linked in:
[   35.057243] CPU: 0 Not tainted 3.0.0-rc1-00180-g0792644-dirty #51
[   35.057323] Process bash (pid: 497, task: 000000003e58c538, ksp: 000000003ef43978)
[   35.057409] Krnl PSW : 0704100180000000 00000000003d46f8 (virtio_check_driver_offered_feature+0x0/0x38)
[   35.057528]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:1 PM:0 EA:3
[   35.057616] Krnl GPRS: 0000000000000000 0000000040000000 0000000000000007 0000000000000000
[   35.057716]            00000000003b3be4 0000000000000001 000000003ef4d380 000000003f1cff00
[   35.057805]            000000003ef43f18 00000000005ca620 0000000000000008 0000000000838e88
[   35.057919]            000000000083c860 000000003f7c2e00 00000000003d46b0 000000003ef43d10
[   35.058027] Krnl Code: 00000000003d46e8: f0b00004ebcf	srp	4(12,%r0),3023(%r14),0
[   35.058115]            00000000003d46ee: f0a0000407f4	srp	4(11,%r0),2036,0
[   35.058207]            00000000003d46f4: a7f40001		brc	15,3d46f6
[   35.058295]           >00000000003d46f8: e31020900004	lg	%r1,144(%r2)
[   35.058383]            00000000003d46fe: bf2f1080		icm	%r2,15,128(%r1)
[   35.058470]            00000000003d4702: a784000d		brc	8,3d471c
[   35.058557]            00000000003d4706: e32010780004	lg	%r2,120(%r1)
[   35.058645]            00000000003d470c: 59302000		c	%r3,0(%r2)
[   35.058748] Call Trace:
[   35.058777] ([<00000000003d469e>] virtio_dev_remove+0x36/0x90)
[   35.058852]  [<00000000003f3a40>] __device_release_driver+0x7c/0xec
[   35.058936]  [<00000000003f3ae8>] device_release_driver+0x38/0x48
[   35.059023]  [<00000000003f2a98>] driver_unbind+0xa4/0xc4
[   35.059111]  [<00000000002acb70>] sysfs_write_file+0xe8/0x19c
[   35.059226]  [<000000000022e7a4>] vfs_write+0xb0/0x18c
[   35.059317]  [<000000000022eb18>] SyS_write+0x58/0xb4
[   35.059398]  [<000000000057e674>] sysc_noemu+0x16/0x1c
[   35.059475]  [<000003fffd44b6c0>] 0x3fffd44b6c0
[   35.059531] Last Breaking-Event-Address:
[   35.059576]  [<00000000003d46f4>] virtio_dev_remove+0x8c/0x90
[   35.059646]
[   35.059661] ---[ end trace 9b1959188f21ee11 ]---

Signed-off-by: Christian Borntraeger<borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

An s390x OS does reboot and shutdown triggers through hypercalls that
we didn't implement on the TCG backend yet. That means that so far we
couldn't shut down virtual machines for example, having them hang on
shutdown when not using KVM.

With this patch, this restriction is gone. We can now shut down and
reboot s390x virtual machines even when using the TCG backend.
Signed-off-by: NAlexander Graf <agraf@suse.de>

The rrbe instruction resets the reference bit in the given storage key.
So far, we merely made it a nop and also returned an invalid CC value,
so that the kernel never knew if a page actually got accessed.

This patch implements it properly, flushing the R bit and returning the
correct CC value.
Signed-off-by: NAlexander Graf <agraf@suse.de>

When the s390x maps a page or writes happen to a page, the R and C
bits get updated. The easiest way to implement this in qemu is to
simply update them whenever we map a TLB translation and act according
to the permissions.
Signed-off-by: NAlexander Graf <agraf@suse.de>

When running 31-bit code we can potentially map the same virtual
address twice - once as 0x0yyyyyyy and once as 0x8yyyyyyy, because
the upper bit gets ignored.

This also should be reflected in the tlb invalidation path, so we
really invalidate also the transparently created tlb entries.
Signed-off-by: NAlexander Graf <agraf@suse.de>

While running perl, we encountered the ldeb instruction to be used,
so we implement it :).
Signed-off-by: NAlexander Graf <agraf@suse.de>

Signed-off-by: NJuha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

also gracefully fail on nand_device_init() for unsupported block
size instead of aborting.
Signed-off-by: NJuha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

Depending on the considered baseboard the bit used to
reset the platform is different.

Here is the list of considered Realview/Versatile platforms:

Realview/Versatile AB for ARM926EJ-S: BOARD_ID = 0x100 = BOARD_ID_PB9
http://infocenter.arm.com/help/topic/com.arm.doc.dui0225d/CACCIFGI.html

RealView Emulation Baseboard: BOARD_ID = 0x140 = BOARD_ID_EB
No reset register

RealView PB for Cortex-A8: BOARD_ID = 0x178 = BOARD_ID_PBA8
http://infocenter.arm.com/help/topic/com.arm.doc.dui0417d/BBACIGAD.html

RealView PB for Cortex-A9: BOARD_ID = 0x182 = BOARD_ID_PBX
http://infocenter.arm.com/help/topic/com.arm.doc.dui0440b/CACCHBFB.html

Motherboard Express =C2=B5ATX: BOARD_ID = 0x190 = BOARD_ID_VEXPRESS
No reset register
Signed-off-by: NJean-Christophe DUBOIS <jcd@tribudubois.net>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

Fix an error in commit afd4a652 which meant that writing a zero
to the RW bits in the PMCR wouldn't actually clear them. (Error
spotted by Andrzej Zaborowski.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

"!X == 2" is always false (spotted by Coverity), so the checks
for whether rndis is in the correct state would never fire.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

'info mtree' accesses invalid memory in two cases, both due to incorrect
(and unsafe) usage of QTAILQ_FOREACH_SAFE().
Reported-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NAvi Kivity <avi@redhat.com>

With -icount, The vm_clock is updated with help from TCG (it counts
instructions at 2^ICOUNT ns/instructions). With KVM, the instruction
count is not available so KVM cannot provide this help.
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

There are only three counter/timers on the integrator board:
correct the bounds check to avoid an array overrun. (Spotted
by Coverity, see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a bug in handling the write-one-to-clear bits in the PMCR
which meant that we would always clear the bit even if the
value written was a zero. Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Remove a pointless comparison of an array to null. (There is
no need to check whether s->out[i] is non-null as qemu_set_irq
will do that for us.) Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Remove a check for g_malloc failing: this never happens.
Also use g_malloc rather than g_malloc0 as we immediately
memset the entire region and so zero-initialising it is pointless.
Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

If a malloc() in copy_elf_strings() failed we would call memset()
before the "did malloc fail?" check. Fix this by moving to the
glib alloc/free routines for this memory so we can use g_try_malloc0
rather than having a separate memset(). Spotted by Coverity (see
bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Avoid a crash due to null pointer dereference if a guest attempts
to access banked registers for a nonexistent bank. Spotted by
Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Migration with fd uses s->mon to pass the fd.  But we only assign the
s->mon for !detached migration.  Fix it.  Once there add a comment
indicating that s->mon has two uses.

Bug reported by:  Wen Congyang <wency@cn.fujitsu.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>
CC:  Wen Congyang <wency@cn.fujitsu.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

'sed -i' is not defined in POSIX. It doesn't work on Mac OS X the way
it's used in configure (without suffix argument). This patch implements
Peter Maydell's idea of xattr.h detection.

Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

machine defaults to find_default_machine(),
then gets overridden via -M and machine_parse().

If no -M is specified and find_default_machine() returns NULL
(when no machine compiled in), exit with an error.

Avoids a segfault when setting machine->max_cpus.
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

cache=unsafe completely ignored bdrv_flush, because flushing the host disk
costs a lot of performance. However, this means that qcow2 images (and
potentially any other format) can lose data even after the guest has issued a
flush if the qemu process crashes/is killed. In case of a host crash, data loss
is certainly expected with cache=unsafe, but if just the qemu process dies this
is a bit too unsafe.

Now that we have two separate flush functions, we can choose to flush
everythign to the OS, but don't enforce that it's physically written to the
disk.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

qcow2 has a writeback metadata cache, so flushing a qcow2 image actually
consists of writing back that cache to the protocol and only then flushes the
protocol in order to get everything stable on disk.

This introduces a separate bdrv_co_flush_to_os to reflect the split.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

There are two different types of flush that you can do: Flushing one level up
to the OS (i.e. writing data to the host page cache) or flushing it all the way
down to the disk. The existing functions flush to the disk, reflect this in the
function name.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Fix a use-while-uninitialized of the fd_type[] array (introduced
in commit 34d4260e, noticed by Coverity). This is more theoretical
than practical, since it's quite hard to get here with floppy==NULL
(the qdev_try_create() of the isa-fdc device has to fail).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.

Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.
Signed-off-by: NCharles Arnold <carnold@suse.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This is cleaner, because we do not need to close the block device when
there is an error opening /dev/nbdX.  It was done this way only to
print errors before daemonizing.

At the same time, use atexit to ensure that the block device is closed
whenever we exit.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>