summaryrefslogtreecommitdiff
path: root/hw/scsi
AgeCommit message (Collapse)Author
2019-03-22trace-events: Shorten file names in commentsMarkus Armbruster
We spell out sub/dir/ in sub/dir/trace-events' comments pointing to source files. That's because when trace-events got split up, the comments were moved verbatim. Delete the sub/dir/ part from these comments. Gets rid of several misspellings. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20190314180929.27722-3-armbru@redhat.com Message-Id: <20190314180929.27722-3-armbru@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-03-12vhost-user: simplify vhost_user_init/vhost_user_cleanupMarc-André Lureau
Take a VhostUserState* that can be pre-allocated, and initialize it with the associated chardev. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Tiwei Bie <tiwei.bie@intel.com> Message-Id: <20190308140454.32437-4-marcandre.lureau@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-03-12spapr: Use CamelCase properlyDavid Gibson
The qemu coding standard is to use CamelCase for type and structure names, and the pseries code follows that... sort of. There are quite a lot of places where we bend the rules in order to preserve the capitalization of internal acronyms like "PHB", "TCE", "DIMM" and most commonly "sPAPR". That was a bad idea - it frequently leads to names ending up with hard to read clusters of capital letters, and means they don't catch the eye as type identifiers, which is kind of the point of the CamelCase convention in the first place. In short, keeping type identifiers look like CamelCase is more important than preserving standard capitalization of internal "words". So, this patch renames a heap of spapr internal type names to a more standard CamelCase. In addition to case changes, we also make some other identifier renames: VIOsPAPR* -> SpaprVio* The reverse word ordering was only ever used to mitigate the capital cluster, so revert to the natural ordering. VIOsPAPRVTYDevice -> SpaprVioVty VIOsPAPRVLANDevice -> SpaprVioVlan Brevity, since the "Device" didn't add useful information sPAPRDRConnector -> SpaprDrc sPAPRDRConnectorClass -> SpaprDrcClass Brevity, and makes it clearer this is the same thing as a "DRC" mentioned in many other places in the code This is 100% a mechanical search-and-replace patch. It will, however, conflict with essentially any and all outstanding patches touching the spapr code. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-03-11lsi: 810/895A are always little endianSven Schnelle
Signed-off-by: Sven Schnelle <svens@stackframe.org> Message-Id: <20190218175529.11237-1-svens@stackframe.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-11lsi: return dfifo valueSven Schnelle
Code was assigning DFIFO, but didn't return the value to users. Signed-off-by: Sven Schnelle <svens@stackframe.org> Message-Id: <20190305195519.24303-6-svens@stackframe.org>
2019-03-11lsi: use SCSI phase names instead of numbers in traceSven Schnelle
This makes trace logs much easier to read, especially for people who are not fluent in SCSI. Signed-off-by: Sven Schnelle <svens@stackframe.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190305195519.24303-5-svens@stackframe.org>
2019-03-11lsi: use enum type for s->msg_actionSven Schnelle
This makes the code easier to read - no functional change. Signed-off-by: Sven Schnelle <svens@stackframe.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190305195519.24303-4-svens@stackframe.org>
2019-03-11lsi: use enum type for s->waitingSven Schnelle
This makes the code easier to read - no functional change. Signed-off-by: Sven Schnelle <svens@stackframe.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190305195519.24303-3-svens@stackframe.org>
2019-03-11lsi: use ldn_le_p()/stn_le_p()Sven Schnelle
Instead of using the open-coded versions, use the helper already present as this makes the code easier to read and less error-prone. Signed-off-by: Sven Schnelle <svens@stackframe.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190305195519.24303-2-svens@stackframe.org>
2019-03-11scsi-disk: Fix crash if request is invaild or disk is no mediumZhengui Li
Qemu will crash with the assertion error that "assert(r->req.aiocb != NULL)" in scsi_read_complete if request is invaild or disk is no medium. The error is below: qemu-kvm: hw/scsi/scsi_disk.c:299: scsi_read_complete: Assertion `r->req.aiocb != NULL' failed. This patch add a funtion scsi_read_complete_noio to fix it. Signed-off-by: Zhengui Li <lizhengui@huawei.com> Message-Id: <1551949966-20092-1-git-send-email-lizhengui@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-11lsi: check if SIGP bit is already set in Wait reselectSven Schnelle
If SIGP is set, the 'Wait for Reselection' command should jump immediately to the address stored in the second DWORD of the instruction. This fixes spurious hangs in the HP-UX 11.11 installer when the SIGP bit gets set by the kernel before the 'Wait for Reselection' command is executed by SCRIPTS. Signed-off-by: Sven Schnelle <svens@stackframe.org> Tested-by: Helge Deller <deller@gmx.de> Message-Id: <20190217113717.7077-1-svens@stackframe.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-11lsi: implement basic SBCL functionalitySven Schnelle
HP-UX checks this register after sending data to the target. If there's no valid information present, it assumes the client disconnected because the kernel sent to much data. Implement at least some of the SBCL functionality that is possible without having a real SCSI bus. Signed-off-by: Sven Schnelle <svens@stackframe.org> Message-Id: <20190215194021.20543-1-svens@stackframe.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-11virtio-scsi: Fix build with gcc 9Greg Kurz
Build fails with gcc 9: CC ppc64-softmmu/hw/scsi/virtio-scsi.o hw/scsi/virtio-scsi.c: In function ‘virtio_scsi_do_tmf’: hw/scsi/virtio-scsi.c:265:39: error: taking address of packed member of ‘struct virtio_scsi_ctrl_tmf_req’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 265 | virtio_tswap32s(VIRTIO_DEVICE(s), &req->req.tmf.subtype); | ^~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors All the fields in struct virtio_scsi_ctrl_tmf_req are naturally aligned, so we could in theory drop QEMU_PACKED. Unfortunately, the header file is imported from linux which already has the packed attribute. Trying to fix that in the update-linux-headers.sh script is likely to produce ugliness. Turn the call to virtio_tswap32s() into an assignment instead. Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <155137678223.44753.5438092367451176318.stgit@bahia.lan> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07virtio: express virtio dependencies with KconfigYang Zhong
Signed-off-by: Yang Zhong <yang.zhong@intel.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20190123065618.3520-42-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07scsi: express dependencies with KconfigPaolo Bonzini
This automatically removes the SCSI subsystem from the binary altogether if no controllers are selected. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Yang Zhong <yang.zhong@intel.com> Message-Id: <20190123065618.3520-34-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07build: convert pci.mak to KconfigPaolo Bonzini
Instead of including the same list of devices for each target, set CONFIG_PCI to true, and make the devices default to present whenever PCI is available. However, s390x does not want all the PCI devices, so there is a separate symbol to enable them. Done mostly with the following script: while read i; do i=${i%=y}; i=${i#CONFIG_} sed -i -e'/^config '$i'$/!b' -en \ -e'a\' -e' default y if PCI_DEVICES\' -e' depends on PCI' \ `grep -lw $i hw/*/Kconfig` done < default-configs/pci.mak followed by replacing a few "depends on" clauses with "select" whenever the symbol is not really related to PCI. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Yang Zhong <yang.zhong@intel.com> Cc: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20190123065618.3520-31-yang.zhong@intel.com> Acked-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07build: switch to KconfigPaolo Bonzini
The make_device_config.sh script is replaced by minikconf, which is modified to support the same command line as its predecessor. The roots of the parsing are default-configs/*.mak, Kconfig.host and hw/Kconfig. One difference with make_device_config.sh is that all symbols have to be defined in a Kconfig file, including those coming from the configure script. This is the reason for the Kconfig.host file introduced in the previous patch. Whenever a file in default-configs/*.mak used $(...) to refer to a config-host.mak symbol, this is replaced by a Kconfig dependency; this part must be done already in this patch for bisectability. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Yang Zhong <yang.zhong@intel.com> Acked-by: Thomas Huth <thuth@redhat.com> Message-Id: <20190123065618.3520-28-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07kconfig: introduce kconfig filesPaolo Bonzini
The Kconfig files were generated mostly with this script: for i in `grep -ho CONFIG_[A-Z0-9_]* default-configs/* | sort -u`; do set fnord `git grep -lw $i -- 'hw/*/Makefile.objs' ` shift if test $# = 1; then cat >> $(dirname $1)/Kconfig << EOF config ${i#CONFIG_} bool EOF git add $(dirname $1)/Kconfig else echo $i $* fi done sed -i '$d' hw/*/Kconfig for i in hw/*; do if test -d $i && ! test -f $i/Kconfig; then touch $i/Kconfig git add $i/Kconfig fi done Whenever a symbol is referenced from multiple subdirectories, the script prints the list of directories that reference the symbol. These symbols have to be added manually to the Kconfig files. Kconfig.host and hw/Kconfig were created manually. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Yang Zhong <yang.zhong@intel.com> Message-Id: <20190123065618.3520-27-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-17qdev: pass an Object * to qbus_set_hotplug_handler()Michael Roth
Certain devices types, like memory/CPU, are now being handled using a hotplug interface provided by a top-level MachineClass. Hotpluggable host bridges are another such device where it makes sense to use a machine-level hotplug handler. However, unlike those devices, host-bridges have a parent bus (the main system bus), and devices with a parent bus use a different mechanism for registering their hotplug handlers: qbus_set_hotplug_handler(). This interface currently expects a handler to be a subclass of DeviceClass, but this is not the case for MachineClass, which derives directly from ObjectClass. Internally, the interface only requires an ObjectClass, so expose that in qbus_set_hotplug_handler(). Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Acked-by: Halil Pasic <pasic@linux.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <154999589921.690774.3640149277362188566.stgit@bahia.lan> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-02-05scsi-generic: Convert from DPRINTF() macro to trace eventsLaurent Vivier
Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20181211163105.31834-3-lvivier@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05scsi-disk: Convert from DPRINTF() macro to trace eventsLaurent Vivier
Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20181211163105.31834-2-lvivier@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05scsi-generic: avoid possible out-of-bounds access to r->bufPaolo Bonzini
Whenever the allocation length of a SCSI request is shorter than the size of the VPD page list, page_idx is used blindly to index into r->buf. Even though the stores in the insertion sort are protected against overflows, the same is not true of the reads and the final store of 0xb0. This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid out-of-bounds access to VPD page list", 2018-11-06), except that here the allocation length can be chosen by the guest. Note that according to the SCSI standard, the contents of the PAGE LENGTH field are not altered based on the allocation length. The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD page list sorted", 2018-11-06) but the overflow was already possible before. Reported-by: Kevin Wolf <kwolf@redhat.com> Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-01scsi-disk: Add device_id propertyKevin Wolf
The new device_id property specifies which value to use for the vendor specific designator in the Device Identification VPD page. In particular, this is necessary for libvirt to maintain guest ABI compatibility when no serial number is given and a VM is switched from -drive (where the BlockBackend name is used) to -blockdev (where the vendor specific designator is left out by default). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2019-02-01scsi-disk: Don't use empty string as device idKevin Wolf
scsi-disk includes in the Device Identification VPD page, depending on configuration amongst others, a vendor specific designator that consists either of the serial number if given or the BlockBackend name (which is a host detail that better shouldn't have been leaked to the guest, but now we have to maintain it for compatibility). With anonymous BlockBackends, i.e. scsi-disk devices constructed with drive=<node-name>, and no serial number explicitly specified, this ends up as an empty string. If this happens to more than one disk, we have accidentally signalled to the OS that this is a multipath setup, which is obviously not what was intended. Instead of using an empty string for the vendor specific designator, simply leave out that designator, which makes Linux detect such setups as separate disks again. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2019-02-01virtio-scsi: Forbid devices with different iothreads sharing a blockdevAlberto Garcia
This patch forbids attaching a disk to a SCSI device if its using a different AioContext. Test case included. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2019-02-01scsi-disk: Acquire the AioContext in scsi_*_realize()Alberto Garcia
This fixes a crash when attaching two disks with the same blockdev to a SCSI device that is using iothreads. Test case included. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2019-02-01virtio-scsi: Move BlockBackend back to the main AioContext on unplugAlberto Garcia
This fixes a crash when attaching a disk to a SCSI device using iothreads, then detaching it and reattaching it again. Test case included. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2019-01-14qemu: avoid memory leak while remove diskJian Wang
Memset vhost_dev to zero in the vhost_dev_cleanup function. This causes dev.vqs to be NULL, so that vqs does not free up space when calling the g_free function. This will result in a memory leak. But you can't release vqs directly in the vhost_dev_cleanup function, because vhost_net will also call this function, and vhost_net's vqs is assigned by array. In order to solve this problem, we first save the pointer of vqs, and release the space of vqs after vhost_dev_cleanup is called. Signed-off-by: Jian Wang <wangjian161@huawei.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2019-01-11avoid TABs in files that only contain a fewPaolo Bonzini
Most files that have TABs only contain a handful of them. Change them to spaces so that we don't confuse people. disas, standard-headers, linux-headers and libdecnumber are imported from other projects and probably should be exempted from the check. Outside those, after this patch the following files still contain both 8-space and TAB sequences at the beginning of the line. Many of them have a majority of TABs, or were initially committed with all tabs. bsd-user/i386/target_syscall.h bsd-user/x86_64/target_syscall.h crypto/aes.c hw/audio/fmopl.c hw/audio/fmopl.h hw/block/tc58128.c hw/display/cirrus_vga.c hw/display/xenfb.c hw/dma/etraxfs_dma.c hw/intc/sh_intc.c hw/misc/mst_fpga.c hw/net/pcnet.c hw/sh4/sh7750.c hw/timer/m48t59.c hw/timer/sh_timer.c include/crypto/aes.h include/disas/bfd.h include/hw/sh4/sh.h libdecnumber/decNumber.c linux-headers/asm-generic/unistd.h linux-headers/linux/kvm.h linux-user/alpha/target_syscall.h linux-user/arm/nwfpe/double_cpdo.c linux-user/arm/nwfpe/fpa11_cpdt.c linux-user/arm/nwfpe/fpa11_cprt.c linux-user/arm/nwfpe/fpa11.h linux-user/flat.h linux-user/flatload.c linux-user/i386/target_syscall.h linux-user/ppc/target_syscall.h linux-user/sparc/target_syscall.h linux-user/syscall.c linux-user/syscall_defs.h linux-user/x86_64/target_syscall.h slirp/cksum.c slirp/if.c slirp/ip.h slirp/ip_icmp.c slirp/ip_icmp.h slirp/ip_input.c slirp/ip_output.c slirp/mbuf.c slirp/misc.c slirp/sbuf.c slirp/socket.c slirp/socket.h slirp/tcp_input.c slirp/tcpip.h slirp/tcp_output.c slirp/tcp_subr.c slirp/tcp_timer.c slirp/tftp.c slirp/udp.c slirp/udp.h target/cris/cpu.h target/cris/mmu.c target/cris/op_helper.c target/sh4/helper.c target/sh4/op_helper.c target/sh4/translate.c tcg/sparc/tcg-target.inc.c tests/tcg/cris/check_addo.c tests/tcg/cris/check_moveq.c tests/tcg/cris/check_swap.c tests/tcg/multiarch/test-mmap.c ui/vnc-enc-hextile-template.h ui/vnc-enc-zywrle.h util/envlist.c util/readline.c The following have only TABs: bsd-user/i386/target_signal.h bsd-user/sparc64/target_signal.h bsd-user/sparc64/target_syscall.h bsd-user/sparc/target_signal.h bsd-user/sparc/target_syscall.h bsd-user/x86_64/target_signal.h crypto/desrfb.c hw/audio/intel-hda-defs.h hw/core/uboot_image.h hw/sh4/sh7750_regnames.c hw/sh4/sh7750_regs.h include/hw/cris/etraxfs_dma.h linux-user/alpha/termbits.h linux-user/arm/nwfpe/fpopcode.h linux-user/arm/nwfpe/fpsr.h linux-user/arm/syscall_nr.h linux-user/arm/target_signal.h linux-user/cris/target_signal.h linux-user/i386/target_signal.h linux-user/linux_loop.h linux-user/m68k/target_signal.h linux-user/microblaze/target_signal.h linux-user/mips64/target_signal.h linux-user/mips/target_signal.h linux-user/mips/target_syscall.h linux-user/mips/termbits.h linux-user/ppc/target_signal.h linux-user/sh4/target_signal.h linux-user/sh4/termbits.h linux-user/sparc64/target_syscall.h linux-user/sparc/target_signal.h linux-user/x86_64/target_signal.h linux-user/x86_64/termbits.h pc-bios/optionrom/optionrom.h slirp/mbuf.h slirp/misc.h slirp/sbuf.h slirp/tcp.h slirp/tcp_timer.h slirp/tcp_var.h target/i386/svm.h target/sparc/asi.h target/xtensa/core-dc232b/xtensa-modules.inc.c target/xtensa/core-dc233c/xtensa-modules.inc.c target/xtensa/core-de212/core-isa.h target/xtensa/core-de212/xtensa-modules.inc.c target/xtensa/core-fsf/xtensa-modules.inc.c target/xtensa/core-sample_controller/core-isa.h target/xtensa/core-sample_controller/xtensa-modules.inc.c target/xtensa/core-test_kc705_be/core-isa.h target/xtensa/core-test_kc705_be/xtensa-modules.inc.c tests/tcg/cris/check_abs.c tests/tcg/cris/check_addc.c tests/tcg/cris/check_addcm.c tests/tcg/cris/check_addoq.c tests/tcg/cris/check_bound.c tests/tcg/cris/check_ftag.c tests/tcg/cris/check_int64.c tests/tcg/cris/check_lz.c tests/tcg/cris/check_openpf5.c tests/tcg/cris/check_sigalrm.c tests/tcg/cris/crisutils.h tests/tcg/cris/sys.c tests/tcg/i386/test-i386-ssse3.c ui/vgafont.h Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20181213223737.11793-3-pbonzini@redhat.com> Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com> Acked-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Eric Blake <eblake@redhat.com> Acked-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11qemu/queue.h: simplify reverse access to QTAILQPaolo Bonzini
The new definition of QTAILQ does not require passing the headname, remove it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11scsi: esp: Defer command completion until previous interrupts have been handledGuenter Roeck
The guest OS reads RSTAT, RSEQ, and RINTR, and expects those registers to reflect a consistent state. However, it is possible that the registers can change after RSTAT was read, but before RINTR is read, when esp_command_complete() is called. Guest OS qemu -------- ---- [handle interrupt] Read RSTAT esp_command_complete() RSTAT = STAT_ST esp_dma_done() RSTAT |= STAT_TC RSEQ = 0 RINTR = INTR_BS Read RSEQ Read RINTR RINTR = 0 RSTAT &= ~STAT_TC RSEQ = SEQ_CD The guest OS would then try to handle INTR_BS combined with an old value of RSTAT. This sometimes resulted in lost events, spurious interrupts, guest OS confusion, and stalled SCSI operations. A typical guest error log (observed with various versions of Linux) looks as follows. scsi host1: Spurious irq, sreg=13. ... scsi host1: Aborting command [84531f10:2a] scsi host1: Current command [f882eea8:35] scsi host1: Queued command [84531f10:2a] scsi host1: Active command [f882eea8:35] scsi host1: Dumping command log scsi host1: ent[15] CMD val[44] sreg[90] seqreg[00] sreg2[00] ireg[20] ss[00] event[0c] scsi host1: ent[16] CMD val[01] sreg[90] seqreg[00] sreg2[00] ireg[20] ss[02] event[0c] scsi host1: ent[17] CMD val[43] sreg[90] seqreg[00] sreg2[00] ireg[20] ss[02] event[0c] scsi host1: ent[18] EVENT val[0d] sreg[92] seqreg[04] sreg2[00] ireg[18] ss[00] event[0c] ... Defer handling command completion until previous interrupts have been handled to fix the problem. Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2019-01-11esp-pci: Fix status register write erase controlGuenter Roeck
Per AM53C974 datasheet, definition of "SCSI Bus and Control (SBAC)" register: Bit 24 'STATUS' Write Erase Control This bit controls the Write Erase feature on bits 3:1 and bit 6 of the DMA Status Register ((B)+54h). When this bit is programmed to '1', the state of bits 3:1 are preserved when read. Bits 3:1 are only cleared when a '1' is written to the corresponding bit location. For example, to clear bit 1, the value of '0000_0010b' should be written to the register. When the DMA Status Preserve bit is '0', bits 3:1 are cleared when read. The status register is currently defined to bit 12, not bit 24. Also, its implementation is reversed: The status is auto-cleared if the bit is set to 1, and must be cleared explicitly when the bit is set to 0. This results in spurious interrupts reported by the Linux kernel, and in some cases even results in stalled SCSI operations. Set SBAC_STATUS to bit 24 and reverse the logic to fix the problem. Signed-off-by: Guenter Roeck <linux@roeck-us.net> Message-Id: <1543442171-24863-1-git-send-email-linux@roeck-us.net> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-27vmstate: constify VMStateFieldMarc-André Lureau
Because they are supposed to remain const. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20181114132931.22624-1-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-27lsi: Reselection needed to remove pending commands from queueGeorge Kennedy
Under heavy IO (e.g. fio) the queue is not checked frequently enough for pending commands. As a result some pending commands are timed out by the linux sym53c8xx driver, which sends SCSI Abort messages for the timed out commands. The SCSI Abort messages result in linux errors, which show up on the console and in /var/log/messages. e.g. sd 0:0:3:0: [sdd] tag#33 ABORT operation started scsi target0:0:3: control msgout: 80 20 47 d sd 0:0:3:0: ABORT operation complete. scsi target0:0:4: message d sent on bad reselection Now following a WAIT DISCONNECT Script instruction, and if there is no current command, check for a pending command on the queue and if one exists call lsi_reselect(). Signed-off-by: George Kennedy <george.kennedy@oracle.com> Message-Id: <1541776692-12271-1-git-send-email-george.kennedy@oracle.com> [For safety, add a s->current check in lsi_update_irq - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-22scsi-disk: Fix crash if underlying host file or disk returns errorRichard W.M. Jones
Commit 40dce4ee6 "scsi-disk: fix rerror/werror=ignore" introduced a bug which causes qemu to crash with the assertion error below if the host file or disk returns an error: qemu-system-x86_64: hw/scsi/scsi-bus.c:1374: scsi_req_complete: Assertion `req->status == -1' failed. Kevin Wolf suggested this fix: < kwolf> Hm, should the final return false; in that patch actually be a return true? < kwolf> Because I think he didn't intend to change anything except BLOCK_ERROR_ACTION_IGNORE Buglink: https://bugs.launchpad.net/qemu/+bug/1804323 Fixes: 40dce4ee61c68395f6d463fae792f61b7c003bce Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-08Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* icount fix (Clement) * dumping fixes for non-volatile memory (Marc-André, myself) * x86 emulation fix (Rudolf) * recent Hyper-V CPUID flag (Vitaly) * Q35 doc fix (Daniel) * lsi fix (Prasad) * SCSI block limits emulation fixes (myself) * qemu_thread_atexit rework (Peter) * ivshmem memory leak fix (Igor) # gpg: Signature made Tue 06 Nov 2018 21:34:30 GMT # gpg: using RSA key BFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: util/qemu-thread-posix: Fix qemu_thread_atexit* for OSX include/qemu/thread.h: Document qemu_thread_atexit* API scsi-generic: do not do VPD emulation for sense other than ILLEGAL_REQUEST scsi-generic: avoid invalid access to struct when emulating block limits scsi-generic: avoid out-of-bounds access to VPD page list scsi-generic: keep VPD page list sorted lsi53c895a: check message length value is valid scripts/dump-guest-memory: Synchronize with guest_phys_blocks_region_add memory-mapping: skip non-volatile memory regions in GuestPhysBlockList nvdimm: set non-volatile on the memory region memory: learn about non-volatile memory region target/i386: Clear RF on SYSCALL instruction MAINTAINERS: remove or downgrade myself to reviewer from some subsystems ivshmem: fix memory backend leak i386: clarify that the Q35 machine type implements a P35 chipset x86: hv_evmcs CPU flag support icount: fix deadlock when all cpus are sleeping Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-06scsi-generic: do not do VPD emulation for sense other than ILLEGAL_REQUESTPaolo Bonzini
Pass other sense, such as UNIT_ATTENTION or BUSY, directly to the guest. Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-06scsi-generic: avoid invalid access to struct when emulating block limitsPaolo Bonzini
Emulation of the block limits VPD page called back into scsi-disk.c, which however expected the request to be for a SCSIDiskState and accessed a scsi-generic device outside the bounds of its struct (namely to retrieve s->max_unmap_size and s->max_io_size). To avoid this, move the emulation code to a separate function that takes a new SCSIBlockLimits struct and marshals it into the VPD response format. Reported-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-06scsi-generic: avoid out-of-bounds access to VPD page listPaolo Bonzini
A device can report an excessive number of VPD pages when asked for a list; this can cause an out-of-bounds access to buf in scsi_generic_set_vpd_bl_emulation. It should not happen, but it is technically not incorrect so handle it: do not check any byte past the allocation length that was sent to the INQUIRY command. Reported-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-06scsi-generic: keep VPD page list sortedPaolo Bonzini
Block limits emulation is just placing 0xb0 as the final byte of the VPD pages list. However, VPD page numbers must be sorted, so change that to an in-place insert. Since I couldn't find any disk that triggered the loop more than once, this was tested by adding manually 0xb1 at the end of the list and checking that 0xb0 was added before. Reported-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-06lsi53c895a: check message length value is validPrasad J Pandit
While writing a message in 'lsi_do_msgin', message length value in 'msg_len' could be invalid due to an invalid migration stream. Add an assertion to avoid an out of bounds access, and reject the incoming migration data if it contains an invalid message length. Discovered by Deja vu Security. Reported by Oracle. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <20181026194314.18663-1-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-05vhost-scsi: prevent using uninitialized vqsyuchenlin
There are 3 virtqueues (ctrl, event and cmd) for virtio scsi device, but seabios will only set the physical address for the 3rd one (cmd). Then in vhost_virtqueue_start(), virtio_queue_get_desc_addr() will be 0 for ctrl and event vq. In this case, ctrl and event vq are not initialized. vhost_verify_ring_mappings may use uninitialized vhost_virtqueue such that vhost_verify_ring_part_mapping returns ENOMEM. When encountered this problem, we got the following logs: qemu-system-x86_64: Unable to map available ring for ring 0 qemu-system-x86_64: Verify ring failure on region 0 Signed-off-by: Forrest Liu <forrestl@synology.com> Signed-off-by: yuchenlin <yuchenlin@synology.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2018-10-19scsi-disk: fix rerror/werror=ignorePaolo Bonzini
rerror=ignore was returning true from scsi_handle_rw_error but the callers were not calling scsi_req_complete when rerror=ignore returns true (this is the correct thing to do when true is returned after executing a passthrough command). Fix this by calling it in scsi_handle_rw_error. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-19scsi-disk: fix double completion of failing passthrough requestsPaolo Bonzini
If a command fails with a sense that scsi_sense_buf_to_errno converts to ECANCELED/EAGAIN/ENOTCONN or with a unit attention, scsi_req_complete is called twice. This caused a crash. Reported-by: Wangguang <wang.guangA@h3c.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-19call HotplugHandler->plug() as the last step in device realizationIgor Mammedov
When [2] was fixed it was agreed that adding and calling post_plug() callback after device_reset() was low risk approach to hotfix issue right before release. So it was merged instead of moving already existing plug() callback after device_reset() is called which would be more risky and require all plug() callbacks audit. Looking at the current plug() callbacks, it doesn't seem that moving plug() callback after device_reset() is breaking anything, so here goes agreed upon [3] proper fix which essentially reverts [1][2] and moves plug() callback after device_reset(). This way devices always comes to plug() stage, after it's been fully initialized (including being reset), which fixes race condition [2] without need for an extra post_plug() callback. 1. (25e897881 "qdev: add HotplugHandler->post_plug() callback") 2. (8449bcf94 "virtio-scsi: fix hotplug ->reset() vs event race") 3. https://www.mail-archive.com/qemu-devel@nongnu.org/msg549915.html Signed-off-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <1539696820-273275-1-git-send-email-imammedo@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: Pierre Morel<pmorel@linux.ibm.com> Acked-by: Pierre Morel<pmorel@linux.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-02hw/scsi/mptendian: Avoid taking address of fields in packed structsPeter Maydell
Taking the address of a field in a packed struct is a bad idea, because it might not be actually aligned enough for that pointer type (and thus cause a crash on dereference on some host architectures). Newer versions of clang warn about this. Avoid the bug by not using the "modify in place" byte swapping functions. This patch was produced with the following simple spatch script: @@ expression E; @@ -le16_to_cpus(&E); +E = le16_to_cpu(E); @@ expression E; @@ -le32_to_cpus(&E); +E = le32_to_cpu(E); @@ expression E; @@ -le64_to_cpus(&E); +E = le64_to_cpu(E); @@ expression E; @@ -cpu_to_le16s(&E); +E = cpu_to_le16(E); @@ expression E; @@ -cpu_to_le32s(&E); +E = cpu_to_le32(E); @@ expression E; @@ -cpu_to_le64s(&E); +E = cpu_to_le64(E); followed by some minor tidying of overlong lines and bad indent. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20180927134852.21490-1-peter.maydell@linaro.org> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-02lsi53c895a: convert to trace-eventsMark Cave-Ayland
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Message-Id: <20180917053229.4853-1-mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-02scsi-block: Deprecate rotation_rateFam Zheng
This option is added together with scsi-disk but is never honoured, becuase we don't emulate the VPD page for scsi-block. We could intercept and inject the user specified value like for max xfer len, but it's probably not helpful since the intent of 070f80095ad was for random entropy aspects, not for performance. If emulated rotation rate is desired, scsi-hd is more suitable. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20180917083138.3948-1-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-09-25lsi53c895a: add optional external IRQ via qdevMark Cave-Ayland
On some early machines the on-board PCI devices IRQs are wired directly to the interrupt controller instead of via the PCI host bridge. Add an optional external IRQ that if wired up via qdev will replace the in-built PCI IRQ. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Hervé Poussineau <hpoussin@reactos.org> Tested-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-09-25scsi: remove unused lsi53c895a_create() and lsi53c810_create() functionsMark Cave-Ayland
Now that these functions are no longer required they can be removed. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>