We will want to check TBI for I and D simultaneously.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-22-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

We need to reuse this from helper-a64.c.  Provide a stub
definition for CONFIG_USER_ONLY.  This matches the stub
definitions that we removed for arm_regime_tbi{0,1} before.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-21-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

We will shortly want to talk about TBI as it relates to data.
Passing around a pair of variables is less convenient than a
single variable.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-20-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Split out functions to extract the virtual address parameters.
Let the functions choose T0 or T1 address space half, if present.
Extract (most of) the control bits that vary between EL or Tx.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-19-richard.henderson@linaro.org
[PMM: fixed minor checkpatch comment nits]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

While we could expose stage_1_mmu_idx, the combination is
probably going to be more useful.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-18-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The pattern

  ARMMMUIdx mmu_idx = core_to_arm_mmu_idx(env, cpu_mmu_index(env, false));

is computing the full ARMMMUIdx, stripping off the ARM bits,
and then putting them back.

Avoid the extra two steps with the appropriate helper function.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-17-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This function is, or will shortly become, too big to inline.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-16-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Not that there are any stores involved, but why argue with ARM's
naming convention.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-15-richard.henderson@linaro.org
[fixed trivial comment nit]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-14-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This will enable PAuth decode in a subsequent patch.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-13-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-12-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This function is only used by AArch64.  Code movement only.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-11-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-10-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-9-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Now properly signals unallocated for REV64 with SF=0.
Allows for the opcode2 field to be decoded shortly.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-8-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-7-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The cryptographic internals are stubbed out for now,
but the enable and trap bits are checked.
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-6-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This path uses cpu_loop_exit_restore to unwind current processor state.
Suggested-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190108223129.5570-5-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

There are 5 bits of state that could be added, but to save
space within tbflags, add only a single enable bit.
Helpers will determine the rest of the state at runtime.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-4-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Post v8.4 bits taken from SysReg_v85_xml-00bet8.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-3-richard.henderson@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add storage space for the 5 encryption keys.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
Message-id: 20190108223129.5570-2-richard.henderson@linaro.org
[PMM: use 0xf rather than -1 in FIELD_DP64() expressions to
 avoid clang warnings about implicit truncation from int to
 bitfield changing the value]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The PHY behind the MAC of an Aspeed SoC can be controlled using two
different MDC/MDIO interfaces. The same registers PHYCR (MAC60) and
PHYDATA (MAC64) are involved but they have a different layout.

BIT31 of the Feature Register (MAC40) controls which MDC/MDIO
interface is active.
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Reviewed-by: NAndrew Jeffery <andrew@aj.id.au>
Reviewed-by: NJoel Stanley <joel@jms.id.au>
Message-id: 20190111125759.31577-1-clg@kaod.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

In U-boot, we switch from S-SVC -> Mon -> Hyp mode when we want to
enter Hyp mode. The change into Hyp mode is done by doing an
exception return from Mon. This doesn't work with current QEMU.

The problem is that in bad_mode_switch() we refuse to allow
the change of mode.

Note that bad_mode_switch() is used to do validation for two situations:

 (1) changes to mode by instructions writing to CPSR.M
     (ie not exception take/return) -- this corresponds to the
     Armv8 Arm ARM pseudocode Arch32.WriteModeByInstr
 (2) changes to mode by exception return

Attempting to enter or leave Hyp mode via case (1) is forbidden in
v8 and UNPREDICTABLE in v7, and QEMU is correct to disallow it
there. However, we're already doing that check at the top of the
bad_mode_switch() function, so if that passes then we should allow
the case (2) exception return mode changes to switch into Hyp mode.

We want to test whether we're trying to return to the nonexistent
"secure Hyp" mode, so we need to look at arm_is_secure_below_el3()
rather than arm_is_secure(), since the latter is always true if
we're in Mon (EL3).
Signed-off-by: NAlexander Graf <agraf@suse.de>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 20190109152430.32359-1-agraf@suse.de
[PMM: rewrote commit message]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Let's report IO-coherent access is supported for translation
table walks, descriptor fetches and queues by setting the COHACC
override flag. Without that, we observe wrong command opcodes.
The DT description also advertises the dma coherency.

Fixes a703b4f6 ("hw/arm/virt-acpi-build: Add smmuv3 node in IORT table")
Signed-off-by: NEric Auger <eric.auger@redhat.com>
Reported-by: NShameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>
Tested-by: NShameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Reviewed-by: NAndrew Jones <drjones@redhat.com>
Message-id: 20190107101041.765-1-eric.auger@redhat.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

When the device is disabled, the internal circuitry keeps the data
register loaded and doesn't update it.
Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: NAlistair Francis <alistair.francis@wdc.com>
Message-id: 20190104182057.8778-1-philmd@redhat.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

s390x updates:
- clang compilation fixes
- fixes in zpci hotplug code
- handle unimplemented diag 308 subcodes correctly
- add common fmb in zpci

# gpg: Signature made Fri 18 Jan 2019 12:13:26 GMT
# gpg:                using RSA key DECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>"
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20190118:
  s390x/pci: add common function measurement block
  s390x/pci: Ignore the unplug call if we already have a release_timer
  s390x/pci: Always delete and free the release_timer
  s390x/pci: Move some hotplug checks to the pre_plug handler
  s390x/pci: Use hotplug_dev instead of looking up the host bridge
  s390x/pci: Set the iommu region size mpcifc request
  s390x/pci: Send correct event on hotplug
  configure: Only build the s390-ccw bios if the compiler supports -march=z900
  s390x: Return specification exception for unimplemented diag 308 subcodes
  pc-bios/s390-ccw: Use proper register names for Clang
  s390: avoid potential null dereference in s390_pcihost_unplug()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Python queue, 2019-01-17

Fixes:
* Actually test different Python versions on Travis CI
* Fix qemu.py error message when qemu dies from signal

Cleanups:
* Track Python version on config-host.mak
* Remove fixed crashes from scripts/device-crash-test
* Acceptance tests: Linux initrd checking test
* Fix utf-8 mangling at scripts/replay-dump.py
* Remove unused python imports from multiple scripts

# gpg: Signature made Thu 17 Jan 2019 20:16:41 GMT
# gpg:                using RSA key 2807936F984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost/tags/python-next-pull-request:
  scripts/replay-dump.py: fix utf-8 mangling
  qemu.py: Fix error message when qemu dies from signal
  Acceptance tests: add Linux initrd checking test
  check-help: visual and content improvements
  Travis CI: make specified Python versions usable on jobs
  check-venv: use recorded Python version
  configure: keep track of Python version
  scripts: Remove unused python imports
  scripts/device-crash-test: Remove known crashes
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

pci, pc, virtio: fixes, features

tpm physical presence interface
rsc support in virtio net
ivshmem is removed
misc cleanups and fixes all over the place
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Fri 18 Jan 2019 02:11:11 GMT
# gpg:                using RSA key 281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (49 commits)
  migration: Use strnlen() for fixed-size string
  migration: Fix stringop-truncation warning
  hw/acpi: Use QEMU_NONSTRING for non NUL-terminated arrays
  block/sheepdog: Use QEMU_NONSTRING for non NUL-terminated arrays
  qemu/compiler: Define QEMU_NONSTRING
  acpi: update expected files
  hw: acpi: Fix memory hotplug AML generation error
  tpm: clear RAM when "memory overwrite" requested
  acpi: add ACPI memory clear interface
  acpi: build TPM Physical Presence interface
  acpi: expose TPM/PPI configuration parameters to firmware via fw_cfg
  tpm: allocate/map buffer for TPM Physical Presence interface
  tpm: add a "ppi" boolean property
  hw/misc/edu: add msi_uninit() for pci_edu_uninit()
  virtio: Make disable-legacy/disable-modern compat properties optional
  globals: Allow global properties to be optional
  virtio: virtio 9p really requires CONFIG_VIRTFS to work
  virtio: split virtio crypto bits from virtio-pci.h
  virtio: split virtio gpu bits from virtio-pci.h
  virtio: split virtio serial bits from virtio-pci
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Common function measurement block is used to report zPCI internal
counters of successful pcilg/stg/stb and rpcit instructions to
a memory location provided by the program.

This patch introduces a new ZpciFmb structure and schedules a timer
callback to copy the zPCI measures to the FMB in the guest memory
at an interval time set to 4s.

An error while attemping to update the FMB, would generate an error
event to the guest.

The pcilg/stg/stb and rpcit interception handlers increase the
related counter on a successful call.
The guest shall pass a null FMBA (FMB address) in the FIB (Function
Information Block) when it issues a Modify PCI Function Control
instruction to switch off FMB and stop the corresponding timer.
Signed-off-by: NYi Min Zhao <zyimin@linux.ibm.com>
Signed-off-by: NPierre Morel <pmorel@linux.ibm.com>
Message-Id: <1546969050-8884-2-git-send-email-pmorel@linux.ibm.com>
Acked-by: NDavid Hildenbrand <david@redhat.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

... otherwise two successive calls to qdev_unplug() (e.g. by an impatient
user) will effectively overwrite pbdev->release_timer, resulting in a
memory leak. We are already processing the unplug.

If there is already a release_timer, the unplug will be performed after
the timeout.

Can be easily triggered by
(hmp) device_add virtio-mouse-pci,id=test
(hmp) stop
(hmp) device_del test
(hmp) device_del test
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20190114103110.10909-5-david@redhat.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

We should always get rid of it. I don't see a reason to keep the timer
alive if the devices are going away. This looks like a memory leak.

(hmp) device_add virtio-mouse-pci,id=test
(hmp) device_del test
-> guest notified, timer pending.
-> guest does not react for some reason (e.g. crash)
-> s390_pcihost_timer_cb(). Timer not pending anymore. qmp_unplug().

-> Device deleted. Timer expired (not pending) but not freed.
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20190114103110.10909-4-david@redhat.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

Let's move most of the checks to the new pre_plug handler. As a PCI
bridge is just a PCI device, we can simplify the code.

Notes: We cannot yet move the MSIX check or device ID creation +
zPCI device creation to the pre_plug handler as both parts are not
fixed before actual device realization (and therefore after pre_plug and
before plug). Once that part is factored out, we can move these parts to
the pre_plug handler, too and therefore remove all possible errors from
the plug handler.
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20190114103110.10909-3-david@redhat.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

We directly have it in our hands.
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20190114103110.10909-2-david@redhat.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

The size of the accessible iommu memory region in the guest
is given to the IOMMU by the guest through the mpcifc request
specifying the PCI Base Address and the PCI Address Limit.

Let's set the size of the IOMMU region to:
    (PCI Address Limit) - (PCI Base Address) + 1.

Fixes: f7c40aa1 ("s390x/pci: fix failures of dma map/unmap")
Signed-off-by: NPierre Morel <pmorel@linux.ibm.com>
Message-Id: <1547125207-16907-2-git-send-email-pmorel@linux.ibm.com>
Acked-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

Comit 2c28c490 ("s390x/pci: let pci devices start in configured mode")
changed the initial state of zPCI devices from ZPCI_FS_STANDBY to
ZPCI_FS_DISABLED (a.k.a. configured). However we still only send a
HP_EVENT_RESERVED_TO_STANDBY event to the guest, indicating a wrong
state.

Let's send a HP_EVENT_TO_CONFIGURED event instead, to match the actual
state the device is in.

This fixes hotplugged devices having to be enabled explicitly in the
guest e.g. via echo 1 > /sys/bus/pci/slots/00000000/power.

On real HW, a PCI device always pops up in the STANDBY state. In QEMU,
we decided to let it show up directly in the configured state (as
configuring it is otherwise just an extra burden for the admin). We can
safely bypass the STANDBY state when hotplugging PCI devices to a guest.

Fixes: 2c28c490 ("s390x/pci: let pci devices start in configured mode")
Reported-by: NCornelia Huck <cohuck@redhat.com>
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20190110210358.24035-1-david@redhat.com>
Tested-by: NCornelia Huck <cohuck@redhat.com>
Reviewed-by: NPierre Morel <pmorel@linux.ibm.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

We want to build our s390-ccw bios with -march=z900 so that it also
works with the oldest s390x CPU that we support with TCG. However,
Clang on s390x does not support -march=z900 anymore, so we can not
use this compiler to build the s390-ccw bios. Thus add a proper test
to the configure script to see whether the compiler is usable.
Signed-off-by: NThomas Huth <thuth@redhat.com>
Message-Id: <1547470346-18416-1-git-send-email-thuth@redhat.com>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

The architecture specifies specification exceptions for all
unavailable subcodes.

The presence of subcodes is indicated by checking some query subcode.
For example 6 will indicate that 3-6 are available. So future systems
might call new subcodes to check for new features. This should not
trigger a hw error, instead we return the architectured specification
exception.
Signed-off-by: NJanosch Frank <frankja@linux.ibm.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20190111113657.66195-3-frankja@linux.ibm.com>
Reviewed-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: NDavid Hildenbrand <david@redhat.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

When compiling the s390-ccw firmware with Clang 7.0.1, I get the
following errors:

pc-bios/s390-ccw/start.S:62:19: error: invalid use of length addressing
        stctg 0,0,0(15)
                  ^
pc-bios/s390-ccw/start.S:63:12: error: invalid use of length addressing
        oi 6(15), 0x2
           ^
pc-bios/s390-ccw/start.S:64:19: error: invalid use of length addressing
        lctlg 0,0,0(15)
                  ^
pc-bios/s390-ccw/start.S:76:19: error: invalid use of length addressing
        stctg 0,0,0(15)
                  ^
pc-bios/s390-ccw/start.S:77:12: error: invalid use of length addressing
        ni 6(15), 0xfd
           ^
pc-bios/s390-ccw/start.S:78:19: error: invalid use of length addressing
        lctlg 0,0,0(15)
                  ^
pc-bios/s390-ccw/start.S:79:12: error: invalid operand for instruction
        br 14
           ^

Let's use proper register names like in the rest of this file to fix it.
Signed-off-by: NThomas Huth <thuth@redhat.com>
Message-Id: <1547123559-30476-1-git-send-email-thuth@redhat.com>
Reviewed-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

When getting the 'pbdev', the if...else has no default branch.
From Coverity, the 'pbdev' maybe null when the 'dev' is not
the TYPE_PCI_BRIDGE/TYPE_PCI_DEVICE/TYPE_S390_PCI_DEVICE.
This patch adds a default branch for device plug and unplug.

Spotted by Coverity: CID 1398593
Signed-off-by: NLi Qiang <liq3ea@163.com>
Message-Id: <20190108151114.33140-1-liq3ea@163.com>
Reviewed-by: NDavid Hildenbrand <david@redhat.com>
Reviewed-by: NHalil Pasic <pasic@linux.ibm.com>
Reviewed-by: NCollin Walling <walling@linux.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

GCC 8 introduced the -Wstringop-overflow, which detect buffer overflow
by string-modifying functions declared in <string.h>, such strncpy(),
used in global_state_store_running().

GCC indeed found an incorrect use of strlen(), because this array
is loaded by VMSTATE_BUFFER(runstate, GlobalState) then parsed
using qapi_enum_parse which does not get the buffer length.

Use strnlen() which returns sizeof(s->runstate) if the array is not
NUL-terminated, assert the size is within range, and enforce the array
to be NUL-terminated to avoid an overflow in qapi_enum_parse().

This fixes:

    CC      migration/global_state.o
  qemu/migration/global_state.c: In function 'global_state_pre_save':
  qemu/migration/global_state.c:109:15: error: 'strlen' argument 1 declared attribute 'nonstring' [-Werror=stringop-overflow=]
       s->size = strlen((char *)s->runstate) + 1;
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
  qemu/migration/global_state.c:24:13: note: argument 'runstate' declared here
       uint8_t runstate[100] QEMU_NONSTRING;
               ^~~~~~~~
  cc1: all warnings being treated as errors
  make: *** [qemu/rules.mak:69: migration/global_state.o] Error 1
Suggested-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NRichard Henderson <richard.henderson@linaro.org>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>