Code change produced with:
    $ git grep '#include "exec/ioport.h"' memory.c | \
      cut -d: -f-1 | \
      xargs egrep -Li "(portio|cpu_(in|out).\()" | \
      xargs sed -i.bak '/#include "exec\/ioport.h"/d'
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180528232719.4721-5-f4bug@amsat.org>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Code change produced with:
    $ git grep '#include "exec/address-spaces.h"' target | \
      cut -d: -f-1 | \
      xargs egrep -L "(get_system_|address_space_)" | \
      xargs sed -i.bak '/#include "exec\/address-spaces.h"/d'
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180528232719.4721-4-f4bug@amsat.org>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NCornelia Huck <cohuck@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Code change produced with:
    $ git grep '#include "exec/address-spaces.h"' accel | \
      cut -d: -f-1 | \
      xargs egrep -L "(get_system_|address_space_)" | \
      xargs sed -i.bak '/#include "exec\/address-spaces.h"/d'
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180528232719.4721-3-f4bug@amsat.org>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

No declaration of "hw/vfio/vfio-common.h" directly requires to include
the "exec/address-spaces.h" header.  To simplify dependencies and
ease the upcoming cleanup of "exec/address-spaces.h", directly include
it in the source file where the declaration are used.
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180528232719.4721-2-f4bug@amsat.org>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NCornelia Huck <cohuck@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If CONFIG_SECCOMP is undefined, the option 'elevateprivileges' remains
compiled. This would make libvirt set the corresponding capability and
then trigger failure during guest startup. This patch moves the code
regarding seccomp command line options to qemu-seccomp.c file and
wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
Because parse_sandbox() is moved into qemu-seccomp.c file, change
seccomp_start() to static function.
Signed-off-by: NYi Min Zhao <zyimin@linux.ibm.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Tested-by: NJán Tomko <jtomko@redhat.com>
Acked-by: NEduardo Otubo <otubo@redhat.com>
Message-Id: <20180531032937.1925-1-zyimin@linux.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This pull request includes:
- fixes for some comments
- netlink update and fix
- rework/cleanup fo socket.h,
  including fixes for SPARC part.

# gpg: Signature made Fri 25 May 2018 09:16:21 BST
# gpg:                using RSA key F30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier2/tags/linux-user-for-2.13-pull-request:
  gdbstub: Clarify what gdb_handlesig() is doing
  linux-user: define TARGET_SO_REUSEPORT
  linux-user: copy sparc/sockbits.h definitions from linux
  linux-user: update ARCH_HAS_SOCKET_TYPES use
  linux-user: move ppc socket.h definitions to ppc/sockbits.h
  linux-user: move socket.h generic definitions to generic/sockbits.h
  linux-user: move sparc/sparc64 socket.h definitions to sparc/sockbits.h
  linux-user: move alpha socket.h definitions to alpha/sockbits.h
  linux-user: move mips socket.h definitions to mips/sockbits.h
  linux-user: Fix payload size logic in host_to_target_cmsg()
  linux-user: update comments to point to tcg_exec_init()
  linux-user: update netlink emulation
  linux-user: Assert on bad type in thunk_type_align() and thunk_type_size()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

gdb_handlesig()'s behaviour is not entirely obvious at first
glance. Add a doc comment for it, and also add a comment
explaining why it's ok for gdb_do_syscallv() to ignore
gdb_handlesig()'s return value. (Coverity complains about
this: CID 1390850.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Message-Id: <20180515181958.25837-1-peter.maydell@linaro.org>
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>

Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180519092956.15134-9-laurent@vivier.eu>

Values defined for sparc are not correct.
Copy the content of "arch/sparc/include/uapi/asm/socket.h"
to fix them.
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-Id: <20180519092956.15134-8-laurent@vivier.eu>

to be like in the kernel and rename it TARGET_ARCH_HAS_SOCKET_TYPES
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-Id: <20180519092956.15134-7-laurent@vivier.eu>

Change conditional #ifdef part by #undef of the symbols
redefined for PPC relative to generic/socket.h
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-Id: <20180519092956.15134-6-laurent@vivier.eu>

and include the file from architectures without specific definitions
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-Id: <20180519092956.15134-5-laurent@vivier.eu>

No code change.
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180519092956.15134-4-laurent@vivier.eu>

No code change.
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180519092956.15134-3-laurent@vivier.eu>

No code change.
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180519092956.15134-2-laurent@vivier.eu>

Coverity points out that there's a missing break in the switch in
host_to_target_cmsg() where we update tgt_len for
cmsg_level/cmsg_type combinations which require a different length
for host and target (CID 1385425).  To avoid duplicating the default
case (target length same as host) in both switches, set that before
the switch so that only the cases which want to override it need any
code.

This fixes a bug where we would have used the wrong length
for SOL_SOCKET/SO_TIMESTAMP messages where the target and
host have differently sized 'struct timeval' (ie one is 32
bit and the other is 64 bit).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NLaurent Vivier <laurent@vivier.eu>
Message-Id: <20180518184715.29833-1-peter.maydell@linaro.org>
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>

cpu_init() was replaced by cpu_create() since 2.12 but comments
weren't updated. So update stale comments to point that page
sizes arei actually initialized by tcg_exec_init(). Also move
another qemu_host_page_size related comment before tcg_exec_init()
where it belongs.
Signed-off-by: NIgor Mammedov <imammedo@redhat.com>
Reviewed-by: NLaurent Vivier <laurent@vivier.eu>
Message-Id: <1526557877-293151-1-git-send-email-imammedo@redhat.com>
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>

Update enums with entries from linux 4.17

Translate entries that generate logs with iproute2 4.9.0 and
host kernel 4.15:

  # ip address show
  Unknown host QEMU_IFLA type: 43
  Unknown host QEMU_IFLA type: 43
  Unknown host QEMU_IFLA type: 43
  Unknown QEMU_IFLA_BR type 41
  Unknown QEMU_IFLA_BR type 42
  Unknown QEMU_IFLA_BR type 43
  Unknown QEMU_IFLA_BR type 44
  Unknown host QEMU_IFLA type: 43
  Unknown QEMU_IFLA_BR type 41
  Unknown QEMU_IFLA_BR type 42
  Unknown QEMU_IFLA_BR type 43
  Unknown QEMU_IFLA_BR type 44
  Unknown host QEMU_IFLA type: 43
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Message-Id: <20180516221213.11111-1-laurent@vivier.eu>

In thunk_type_align() and thunk_type_size() we currently return
-1 if the value at the type_ptr isn't one of the TYPE_* values
we understand. However, this should never happen, and if it does
then the calling code will go confusingly wrong because none
of the callsites try to handle an error return. Switch to an
assertion instead, so that if this does somehow happen we'll have
a nice clear backtrace of what happened rather than a weird crash
or misbehaviour.

This also silences various Coverity complaints about not handling
the negative return value (CID 1005735, 1005736, 1005738, 1390582).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NLaurent Vivier <laurent@vivier.eu>
Message-Id: <20180514174616.19601-1-peter.maydell@linaro.org>
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>

vga: catch depth 0
hw/display: add new bochs-display device
some cleanups.

# gpg: Signature made Thu 24 May 2018 16:45:46 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20180524-pull-request:
  MAINTAINERS: add vga entries
  bochs-display: add pcie support
  bochs-display: add dirty tracking support
  hw/display: add new bochs-display device
  vga-pci: use PCI_VGA_MMIO_SIZE
  vga: move bochs vbe defines to header file
  vga: catch depth 0
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

pc, pci, virtio, vhost: fixes, features

Beginning of merging vDPA, new PCI ID, a new virtio balloon stat, intel
iommu rework fixing a couple of security problems (no CVEs yet), fixes
all over the place.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Wed 23 May 2018 15:41:32 BST
# gpg:                using RSA key 281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (28 commits)
  intel-iommu: rework the page walk logic
  util: implement simple iova tree
  intel-iommu: trace domain id during page walk
  intel-iommu: pass in address space when page walk
  intel-iommu: introduce vtd_page_walk_info
  intel-iommu: only do page walk for MAP notifiers
  intel-iommu: add iommu lock
  intel-iommu: remove IntelIOMMUNotifierNode
  intel-iommu: send PSI always even if across PDEs
  nvdimm: fix typo in label-size definition
  contrib/vhost-user-blk: enable protocol feature for vhost-user-blk
  hw/virtio: Fix brace Werror with clang 6.0.0
  libvhost-user: Send messages with no data
  vhost-user+postcopy: Use qemu_set_nonblock
  virtio: support setting memory region based host notifier
  vhost-user: support receiving file descriptors in slave_read
  vhost-user: add Net prefix to internal state structure
  linux-headers: add kvm header for mips
  linux-headers: add unistd.h on all arches
  update-linux-headers.sh: unistd.h, kvm consistency
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Block layer patches:

- Generic background jobs
- qemu-iotests fixes for NFS and the 'migration' group
- sheepdog: Minor code simplification

# gpg: Signature made Wed 23 May 2018 13:33:49 BST
# gpg:                using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream: (46 commits)
  qemu-iotests: Test job-* with block jobs
  iotests: Move qmp_to_opts() to VM
  blockjob: Remove BlockJob.driver
  job: Add query-jobs QMP command
  job: Add lifecycle QMP commands
  job: Add JOB_STATUS_CHANGE QMP event
  job: Introduce qapi/job.json
  job: Move progress fields to Job
  job: Add job_transition_to_ready()
  job: Add job_is_ready()
  job: Add job_dismiss()
  job: Add job_yield()
  block: Cancel job in bdrv_close_all() callers
  job: Move completion and cancellation to Job
  job: Move transactions to Job
  job: Switch transactions to JobTxn
  job: Move job_finish_sync() to Job
  job: Move .complete callback to Job
  job: Add job_drain()
  job: Convert block_job_cancel_async() to Job
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Xen 2018/05/22

# gpg: Signature made Tue 22 May 2018 19:44:06 BST
# gpg:                using RSA key 894F8F4870E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
# gpg:                 aka "Stefano Stabellini <sstabellini@kernel.org>"
# Primary key fingerprint: D04E 33AB A51F 67BA 07D3  0AEA 894F 8F48 70E1 AE90

* remotes/sstabellini-http/tags/xen-20180522-tag:
  xen_disk: be consistent with use of xendev and blkdev->xendev
  xen_disk: use a single entry iovec
  xen_backend: make the xen_feature_grant_copy flag private
  xen_disk: remove use of grant map/unmap
  xen_backend: add an emulation of grant copy
  xen: remove other open-coded use of libxengnttab
  xen_disk: remove open-coded use of libxengnttab
  xen_backend: add grant table helpers
  xen: add a meaningful declaration of grant_copy_segment into xen_common.h
  checkpatch: generalize xen handle matching in the list of types
  xen-hvm: create separate function for ioreq server initialization
  xen_pt: Present the size of 64 bit BARs correctly
  configure: Add explanation for --enable-xen-pci-passthrough
  xen/pt: use address_space_memory object for memory region hooks
  xen-pvdevice: Introduce a simplistic xen-pvdevice save state
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

target/lm32: BQL patch

# gpg: Signature made Tue 22 May 2018 19:25:30 BST
# gpg:                using RSA key B458ABB0D8D378E3
# gpg: Good signature from "Michael Walle <michael@walle.cc>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2190 3E48 4537 A7C2 90CE  3EB2 B458 ABB0 D8D3 78E3

* remotes/mwalle/tags/lm32-queue/20180521:
  lm32: take BQL before writing IP/IM register
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add entries for standard vga, virtio-gpu and cirrus.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180522165058.15404-7-kraxel@redhat.com

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Message-id: 20180522165058.15404-6-kraxel@redhat.com

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180522165058.15404-5-kraxel@redhat.com

After writing up the virtual mdev device emulating a display supporting
the bochs vbe dispi interface (mbochs.ko) and seeing how simple it
actually is I've figured that would be useful for qemu too.

So, here it is, -device bochs-display.  It is basically -device VGA
without legacy vga emulation.  PCI bar 0 is the framebuffer, PCI bar 2
is mmio with the registers.  The vga registers are simply not there
though, neither in the legacy ioport location nor in the mmio bar.
Consequently it is PCI class DISPLAY_OTHER not DISPLAY_VGA.

So there is no text mode emulation, no weird video modes (planar,
256color palette), no memory window at 0xa0000.  Just a linear
framebuffer in the pci memory bar.  And the amount of code to emulate
this (and therefore the attack surface) is an order of magnitude smaller
when compared to vga emulation.

Compatibility wise it works with OVMF (latest git master).
The bochs-drm.ko linux kernel module can handle it just fine too.
So UEFI guests should not see any functional difference to VGA.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Tested-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180522165058.15404-4-kraxel@redhat.com

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180522165058.15404-3-kraxel@redhat.com

Create a new header file, move the bochs vbe dispi interface
defines to it, so they can be used outside vga code.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180522165058.15404-2-kraxel@redhat.com

depth == 0 is used to indicate 256 color modes.  Our region calculation
goes wrong in that case.  So detect that and just take the safe code
path we already have for the wraparound case.

While being at it also catch depth == 15 (where our region size
calculation goes wrong too).  And make the comment more verbose,
explaining what is going on here.

Without this windows guest install might trigger an assert due to trying
to check dirty bitmap outside the snapshot region.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1575541Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Message-id: 20180514103117.21059-1-kraxel@redhat.com

This patch fixes a potential small window that the DMA page table might
be incomplete or invalid when the guest sends domain/context
invalidations to a device.  This can cause random DMA errors for
assigned devices.

This is a major change to the VT-d shadow page walking logic. It
includes but is not limited to:

- For each VTDAddressSpace, now we maintain what IOVA ranges we have
  mapped and what we have not.  With that information, now we only send
  MAP or UNMAP when necessary.  Say, we don't send MAP notifies if we
  know we have already mapped the range, meanwhile we don't send UNMAP
  notifies if we know we never mapped the range at all.

- Introduce vtd_sync_shadow_page_table[_range] APIs so that we can call
  in any places to resync the shadow page table for a device.

- When we receive domain/context invalidation, we should not really run
  the replay logic, instead we use the new sync shadow page table API to
  resync the whole shadow page table without unmapping the whole
  region.  After this change, we'll only do the page walk once for each
  domain invalidations (before this, it can be multiple, depending on
  number of notifiers per address space).

While at it, the page walking logic is also refactored to be simpler.

CC: QEMU Stable <qemu-stable@nongnu.org>
Reported-by: NJintack Lim <jintack@cs.columbia.edu>
Tested-by: NJintack Lim <jintack@cs.columbia.edu>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Introduce a simplest iova tree implementation based on GTree.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

This patch only modifies the trace points.

Previously we were tracing page walk levels.  They are redundant since
we have page mask (size) already.  Now we trace something much more
useful which is the domain ID of the page walking.  That can be very
useful when we trace more than one devices on the same system, so that
we can know which map is for which domain.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

We pass in the VTDAddressSpace too.  It'll be used in the follow up
patches.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

During the recursive page walking of IOVA page tables, some stack
variables are constant variables and never changed during the whole page
walking procedure.  Isolate them into a struct so that we don't need to
pass those contants down the stack every time and multiple times.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

For UNMAP-only IOMMU notifiers, we don't need to walk the page tables.
Fasten that procedure by skipping the page table walk.  That should
boost performance for UNMAP-only notifiers like vhost.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

SECURITY IMPLICATION: this patch fixes a potential race when multiple
threads access the IOMMU IOTLB cache.

Add a per-iommu big lock to protect IOMMU status.  Currently the only
thing to be protected is the IOTLB/context cache, since that can be
accessed even without BQL, e.g., in IO dataplane.

Note that we don't need to protect device page tables since that's fully
controlled by the guest kernel.  However there is still possibility that
malicious drivers will program the device to not obey the rule.  In that
case QEMU can't really do anything useful, instead the guest itself will
be responsible for all uncertainties.

CC: QEMU Stable <qemu-stable@nongnu.org>
Reported-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

That is not really necessary.  Removing that node struct and put the
list entry directly into VTDAddressSpace.  It simplfies the code a lot.
Since at it, rename the old notifiers_list into vtd_as_with_notifiers.

CC: QEMU Stable <qemu-stable@nongnu.org>
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

SECURITY IMPLICATION: without this patch, any guest with both assigned
device and a vIOMMU might encounter stale IO page mappings even if guest
has already unmapped the page, which may lead to guest memory
corruption.  The stale mappings will only be limited to the guest's own
memory range, so it should not affect the host memory or other guests on
the host.

During IOVA page table walking, there is a special case when the PSI
covers one whole PDE (Page Directory Entry, which contains 512 Page
Table Entries) or more.  In the past, we skip that entry and we don't
notify the IOMMU notifiers.  This is not correct.  We should send UNMAP
notification to registered UNMAP notifiers in this case.

For UNMAP only notifiers, this might cause IOTLBs cached in the devices
even if they were already invalid.  For MAP/UNMAP notifiers like
vfio-pci, this will cause stale page mappings.

This special case doesn't trigger often, but it is very easy to be
triggered by nested device assignments, since in that case we'll
possibly map the whole L2 guest RAM region into the device's IOVA
address space (several GBs at least), which is far bigger than normal
kernel driver usages of the device (tens of MBs normally).

Without this patch applied to L1 QEMU, nested device assignment to L2
guests will dump some errors like:

qemu-system-x86_64: VFIO_MAP_DMA: -17
qemu-system-x86_64: vfio_dma_map(0x557305420c30, 0xad000, 0x1000,
                    0x7f89a920d000) = -17 (File exists)

CC: QEMU Stable <qemu-stable@nongnu.org>
Acked-by: NJason Wang <jasowang@redhat.com>
[peterx: rewrite the commit message]
Signed-off-by: NPeter Xu <peterx@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>