According to my reading of the Intel documentation, the SYSRET instruction
is supposed to force the RPL bits of the %ss register to 3 when returning
to user mode. The actual sequence is:

SS.Selector <-- (IA32_STAR[63:48]+8) OR 3; (* RPL forced to 3 *)

However, the code in helper_sysret() leaves them at 0 (in other words, the "OR
3" part of the above sequence is missing). It does set the privilege level
bits of %cs correctly though.

This has caused me trouble with some of my VxWorks development: code that runs
okay on real hardware will crash on QEMU, unless I apply the patch below.
Signed-off-by: NBill Paul <wpaul@windriver.com>
Message-Id: <201503091548.01462.wpaul@windriver.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

These are "am53c974", "dc390", "lsi53c895a", "lsi53c810", "megasas",
"megasas-gen2".
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1425925048-15482-5-git-send-email-armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

When setting "realized" fails, scsi_bus_legacy_add_drive() passes the
error to qerror_report_err(), then returns an unspecific "Setting
drive property failed" error, which is reported further up the call
chain.

Example:

    $ qemu-system-x86_64 -nodefaults -S -display none \
    > -drive if=scsi,id=foo,file=tmp.qcow2 -global isa-fdc.driveA=foo
    qemu-system-x86_64: -drive if=scsi,id=foo,file=tmp.qcow2: Property 'scsi-disk.drive' can't take value 'foo', it's in use
    qemu-system-x86_64: Setting drive property failed
    qemu-system-x86_64: Initialization of device lsi53c895a failed: Device initialization failed

Clean up the obvious way: simply return the original error to the
caller.  Gets rid of the second message in the above error cascade.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1425925048-15482-4-git-send-email-armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Three kinds of callers:

1. On failure, report the error and abort

   Passing &error_abort does the job.  No functional change.

2. On failure, report the error and exit()

   This is qdev_prop_set_drive_nofail().  Error reporting moves from
   qdev_prop_set_drive() to its caller.  Because hiding away the error
   in the monitor right before exit() isn't helpful, replace
   qerror_report_err() by error_report_err().  Shouldn't make a
   difference, because qdev_prop_set_drive_nofail() should never be
   used in QMP context.

3. On failure, report the error and recover

   This is usb_msd_init() and scsi_bus_legacy_add_drive().  Error
   reporting and freeing the error object moves from
   qdev_prop_set_drive() to its callers.

   Because usb_msd_init() can't run in QMP context, replace
   qerror_report_err() by error_report_err() there.

   No functional change.

   scsi_bus_legacy_add_drive() calling qerror_report_err() is of
   course inappropriate, but this commit merely makes it more obvious.
   The next one will clean it up.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1425925048-15482-3-git-send-email-armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Commit a818a4b6 changed scsi_bus_legacy_handle_cmdline() to report
errors from scsi_bus_legacy_add_drive() with error_report() in
addition to returning them.  That's inappropriate.

Two kinds of callers:

1. realize methods (devices "esp", "virtio-scsi-device" and
   "spapr-vscsi")

   The error object gets passed up the call chain until it gets
   reported again and freed.

   Example:

   $ qemu-system-arm -M virt -S -display none \
   > -drive if=scsi,id=foo,bus=1,file=tmp.qcow2 \
   > -device nec-usb-xhci -device usb-storage,drive=foo \
   > -device virtio-scsi-pci
   qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Property 'scsi-disk.drive' can't take value 'foo', it's in use
   qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Setting drive property failed
   qemu-system-arm: -device virtio-scsi-pci: Setting drive property failed
   qemu-system-arm: -device virtio-scsi-pci: Device initialization failed
   qemu-system-arm: -device virtio-scsi-pci: Device 'virtio-scsi-pci' could not be initialized

   The second message in this error cascade comes from
   scsi_bus_legacy_handle_cmdline().  The error object then gets
   passed up to the qdev_init() called from
   virtio_scsi_pci_init_pci(), which reports it again.

2. init methods (devices "am53c974", "dc390", "lsi53c895a",
   "lsi53c810", "megasas", "megasas-gen2")

   init methods need to report their errors with qerror_report().
   These don't.  The inappropriate error_report() papers over the bug.

   error_report() isn't the same as qerror_report() in QMP context,
   but this can't actually happen: QMP can still only hot-plug, and
   callers call scsi_bus_legacy_handle_cmdline() only on cold-plug.
   Except for sysbus_esp_realize(), but that can't be hot-plugged at
   all, as far as I can tell.

Fix the init methods and drop the inappropriate error_report() in
scsi_bus_legacy_handle_cmdline().
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1425925048-15482-2-git-send-email-armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This fixes a NULL pointer dereference in s390x-softmmu.

On pretty much all other architectures, creating an MMIO region calls
cpu_reload_memory_map.  On s390, however, there are no MMIO regions
and everything is done via hypercalls.

Fixes: 9d82b5a7Reported-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

After forking, only the calling thread is duplicated in the child process.
The call_rcu thread has to be recreated in the child.  Exploit the fact
that only one thread exists (same as when constructors run), and just redo
the entire initialization to ensure the threads are in the proper state.

The only additional things to do are emptying the list of threads
registered with RCU, and unlocking the lock that was taken in the prepare
callback (implementations are allowed to fail pthread_mutex_init()
if the mutex is still locked).
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

PTHREAD_MUTEX_ERRORCHECK is completely broken with respect to fork.
The way to safely do fork is to bring all threads to a quiescent
state by acquiring locks (either in callers---as we do for the
iothread mutex---or using pthread_atfork's prepare callbacks)
and then release them in the child.

The problem is that releasing error-checking locks in the child
fails under glibc with EPERM, because the mutex stores a different
owner tid than the duplicated thread in the child process.  We
could make it work for locks acquired via pthread_atfork, by
recreating the mutex in the child instead of unlocking it
(we know that there are no other threads that could have taken
the mutex; but when the lock is acquired in fork's caller
that would not be possible.

The simplest solution is just to forgo error checking.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NAdemar Reis <areis@redhat.com>
Reviewed-by: NWei Huang <wei@redhat.com>
Message-Id: <1425338947-10296-3-git-send-email-stefanha@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The curses user interface shows both the accumulated total and the
current event counts.  Add column headers so it's clear what the numbers
mean.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NAdemar Reis <areis@redhat.com>
Reviewed-by: NWei Huang <wei@redhat.com>
Message-Id: <1425338947-10296-2-git-send-email-stefanha@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The variable user in struct iscsi_url is a character array, not a pointer.
Therefore its address will never be NULL.

clang reports this error:

block/iscsi.c:1329:20: warning:
 comparison of array 'iscsi_url->user' not equal to a null pointer
 is always true [-Wtautological-pointer-compare]
Reviewed-by: NPeter Lieven <pl@kamp.de>
Acked-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Message-Id: <1425719670-5486-1-git-send-email-sw@weilnetz.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Patch queue for ppc - 2015-03-09

This is my current patch queue for 2.3. Highlights include:

  * pseries: 2.3 machine
  * pseries: Export RTC via QOM
  * pseries: EEH support
  * mac: save/restore support
  * fix POWER5 hosts
  * random bug fixes

# gpg: Signature made Mon Mar  9 14:00:53 2015 GMT using RSA key ID 03FEDC60
# gpg: Good signature from "Alexander Graf <agraf@suse.de>"
# gpg:                 aka "Alexander Graf <alex@csgraf.de>"

* remotes/agraf/tags/signed-ppc-for-upstream: (38 commits)
  target-ppc: Fix warnings from Sparse
  sPAPR: Implement sPAPRPHBClass EEH callbacks
  sPAPR: Implement EEH RTAS calls
  target-ppc: Add versions to server CPU descriptions
  PPC: Introduce the Virtual Time Base (VTB) SPR register
  PPC: Remove duplicate OPENPIC defines in default-configs
  ppc64-softmmu: Remove duplicated OPENPIC from config
  Revert "default-configs/ppc64: add all components of i82378 SuperIO chip used by prep"
  spapr_vio: Convert to realize()
  openpic: convert to vmstate
  openpic: switch IRQQueue queue from inline to bitmap
  openpic: fix up loadvm under -M mac99
  openpic: fix segfault on -M mac99 savevm
  target-ppc: force update of msr bits in cpu_post_load
  target-ppc: move sdr1 value change detection logic to helper_store_sdr1()
  cuda.c: include adb_poll_timer in VMStateDescription
  adb.c: include ADBDevice parent state in KBDState and MouseState
  macio.c: include parent PCIDevice state in VMStateDescription
  display cpu id dump state
  Openpic: check that cpu id is within the number of cpus
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Sparse report:

target-ppc/mmu-hash64.c:353:9: warning: returning void-valued expression
target-ppc/mmu-hash64.c:620:9: warning: returning void-valued expression
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The patch implements sPAPRPHBClass EEH callbacks so that the EEH
RTAS requests can be routed to VFIO for further handling.
Signed-off-by: NGavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The emulation for EEH RTAS requests from guest isn't covered
by QEMU yet and the patch implements them.

The patch defines constants used by EEH RTAS calls and adds
callbacks sPAPRPHBClass::{eeh_set_option, eeh_get_state, eeh_reset,
eeh_configure}, which are going to be used as follows:

  * RTAS calls are received in spapr_pci.c, sanity check is done
    there.
  * RTAS handlers handle what they can. If there is something it
    cannot handle and the corresponding sPAPRPHBClass callback is
    defined, it is called.
  * Those callbacks are only implemented for VFIO now. They do ioctl()
    to the IOMMU container fd to complete the calls. Error codes from
    that ioctl() are transferred back to the guest.

[aik: defined RTAS tokens for EEH RTAS calls]
Signed-off-by: NGavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

5b79b1ca "target-ppc: Create versionless CPU class per family if KVM" added
a dynamic CPU class registration with the name of the CPU family which
QEMU is running on. For example, this allowed specifying "-cpu POWER7"
on every version of POWER7 machine, not just the one which POWER7 was
an alias of. I.e. before 5b79b1ca, "-cpu POWER7" would not work on real
POWER7 2.1 and would work on POWER7 2.3 only. The same story for POWER8.

However that patch broke POWER5+ support as POWER5+ CPU uses the same
name as the CPU class so dynamic registering of the POWER5+ class failed.

This redefines POWER5+ server CPUs by adding a version to them and adding
an alias for TCG case. KVM will use dynamically registered CPUs.

While we are here, do the same for 970 CPU.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This patch adds basic support for the VTB.

PowerISA:
The Virtual Time Base (VTB) is a 64-bit incrementing counter.
Virtual Time Base increments at the same rate as the Time Base until its value
becomes 0xFFFF_FFFF_FFFF_FFFF (2 64 - 1); at the next increment its value
becomes 0x0000_0000_0000_0000. There is no interrupt or other indication when
this occurs.

The operation of the Virtual Time Base has the following additional
properties.
1. Loading a GPR from the Virtual Time Base has no effect on the accuracy of
the Virtual Time Base.
2. Copying the contents of a GPR to the Virtual Time Base replaces the
contents of the Virtual Time Base with the contents of the GPR.
Signed-off-by: NCyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The CONFIG_OPENPIC variable was declared multiple times. We only need it once.
Signed-off-by: NAlexander Graf <agraf@suse.de>

Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This reverts commit 9c998424 as even when
it was applied, all supposedly new config options were already enabled.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Bonus fix: always set an error on failure.  Some failures were silent
before, except for the generic error set by device_realize().
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Reviewed-by: NJuan Quintela <quintela@redhat.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This is in preparation for using VMSTATE_BITMAP in a followup vmstate
migration patch.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Issuing loadvm under -M mac99 would fail for two reasons: firstly an incorrect
version number for openpic would cause openpic_load() to abort, and secondly
a cut/paste error when restoring the IVPR and IDR registers caused subsequent
vmstate sections to become misaligned and abort early.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

A simple copy/paste error causes savevm on -M mac99 to segfault.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Since env->msr has already been restored by the time cpu_post_load is called,
make sure that ppc_store_msr() is explicitly called with all msr bits except
MSR_TGPR marked as invalid.

This solves the issue where MSR flags aren't set correctly when restoring a VM
snapshot, in particular the internal env->excp_prefix value when MSR_EP has
been altered by a guest.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Otherwise when cpu_post_load calls ppc_store_sdr1() when restoring a VM
snapshot the value is deemed unchanged and so the internal env->htab*
variables aren't set correctly.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Make sure that we include the adb_poll_timer when saving the VM state for
client OSs that use it, e.g. Darwin.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The parent ADBDevice contains the device id on the ADB bus. Make sure that
this state is included in both its subclasses since some clients (such as
OpenBIOS) reprogram each device id after enumeration.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This ensures that the macio PCI device is correctly configured when restoring
from a VM snapshot.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Signed-off-by: NFabien Chouteau <chouteau@adacore.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Signed-off-by: NFabien Chouteau <chouteau@adacore.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

When the guest switches the interrupt endian mode, which essentially
means a global machine endian switch, we want to change the VGA
framebuffer endian mode as well in order to be backward compatible
with existing guests who don't know about the new endian control
register.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The VGA device model now supports having the framebuffer in either endian,
and can be switched between these by the guest via a register in the qext
region.

However, in some cases (e.g. LE OS on the pseries machine) we have
existing guest that don't know about the endian switch register, but other
parts of the qemu code have better information to set a default endianness
than the VGA code does of itself.

In order to allow them to set a correct default endianness in these cases,
without breaking abstraction walls, this patch exposes the VGA framebuffer
endianness via a writable QOM property.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
[agraf: use instance_init for property exposure]
Signed-off-by: NAlexander Graf <agraf@suse.de>

We call try_create_xics() to create a "xics-kvm".  If it fails, we
call it again to fall back to plain "xics".

try_create_xics() uses qdev_init().  qdev_init()'s error handling has
an unwanted side effect: it calls qerror_report_err(), which prints to
stderr.  Looks like an error, but isn't.

In QMP context, it would stash the error in the monitor instead,
making the QMP command fail.  Fortunately, it's only called from board
initialization, never in QMP context.

Clean up by cutting out the qdev_init() middle-man: set property
"realized" directly.

While there, improve the error message when we can't satisfy an
explicit user request for "xics-kvm", and exit(1) instead of abort().
Simplify the abort when we can't create "xics".
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
[agraf: squash in fix for uninitialized variable from mdroth]
Signed-off-by: NAlexander Graf <agraf@suse.de>

We call ppce500_init_mpic_kvm() to create a "kvm-openpic".  If it
fails, we call ppce500_init_mpic_qemu() to fall back to plain
"openpic".

ppce500_init_mpic_kvm() uses qdev_init().  qdev_init()'s error
handling has an unwanted side effect: it calls qerror_report_err(),
which prints to stderr.  Looks like an error, but isn't.

In QMP context, it would stash the error in the monitor instead,
making the QMP command fail.  Fortunately, it's only called from board
initialization, never in QMP context.

Clean up by cutting out the qdev_init() middle-man: set property
"realized" directly.

While there, improve the error message when we can't satisfy an
explicit user request for "kvm-openpic", and exit(1) instead of
abort().
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

On x86, the guest's RTC can be read with QMP, either from the RTC device's
"date" property or via the "rtc-time" property on the machine (which is an
alias to the former).  This is set up in the mc146818rtc driver, and
doesn't work on other targets.

This patch adds a similar "date" property to the pseries machine's RTAS RTC
and adds a compatible alias to the machine.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The initial creation of the PAPR RTC qdev class left a wart - the rtc's
offset was left in the sPAPREnvironment structure, accessed via a global.

This patch moves it into the RTC device's own state structure, were it
belongs.  This requires a small change to the migration stream format.  In
order to handle incoming streams from older versions, we also need to
retain the rtc_offset field in the sPAPREnvironment structure, so that it
can be loaded into via the vmsd, then pushed into the RTC device.

Since we're changing the migration format, this also takes the opportunity
to:

  * Change the rtc offset from a value in seconds to a value in
    nanoseconds, allowing nanosecond offsets between host and guest
    rtc time, if desired.

  * Remove both the already unused "next_irq" field and now unused
    "rtc_offset" field from the new version of the spapr migration
    stream
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

At present the PAPR RTC isn't a "device" as such - it's accessed only via
firmware/hypervisor calls, and is handled in the sPAPR core code.  This
becomes inconvenient as we extend it in various ways.

This patch makes the PAPR RTC a separate device in the qemu device model.

For now, the only piece of device state - the rtc_offset - is still kept in
the global sPAPREnvironment structure.  That's clearly wrong, but leaving
it to be fixed in a following patch makes for a clearer separation between
the internal re-organization of the device, and the behavioural changes
(because the migration stream format needs to change slightly when the
offset is moved into the device's own state).
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>

In the 'pseries' machine the real time clock is provided by a
paravirtualized firmware interface rather than a device per se; the RTAS
get-time-of-day and set-time-of-day calls.

Out current implementations of those work directly off host time (with
an offset), not respecting options such as clock=vm which can be
specified in the -rtc command line option.

This patch reworks the RTAS RTC code to respect those options, primarily
by basing them on the qemu_clock_get_ns(rtc_clock) function instead of
directly on qemu_get_timedate() (which essentially handles host time, not
virtual rtc time).

As a bonus, this means our get-time-of-day function now also returns
nanoseconds.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NAlexander Graf <agraf@suse.de>