* [PULL 00/15] Misc bugfix patches for 2021-07-22
@ 2021-07-22 15:35 Paolo Bonzini
  2021-07-22 15:35 ` [PULL 01/15] qemu-config: never call the callback after an error, fix leak Paolo Bonzini
                   ` (15 more replies)
  0 siblings, 16 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:35 UTC (permalink / raw)
  To: qemu-devel

The following changes since commit 143c2e0432859826c9e8d5b2baa307355f1a5332:

  Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2021-07-19' into staging (2021-07-19 19:06:05 +0100)

are available in the Git repository at:

  https://gitlab.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to 0848f8aca6f7b13f2a755c2593b0a1cbb39f658e:

  configure: Let --without-default-features disable vhost-kernel and vhost-vdpa (2021-07-22 14:44:51 +0200)

----------------------------------------------------------------
Bugfixes.

----------------------------------------------------------------
Gerd Hoffmann (1):
      usb: fix usb-host dependency check

Jason Andryuk (1):
      vl: Parse legacy default_machine_opts

Lara Lazier (3):
      target/i386: Added V_INTR_PRIO check to virtual interrupts
      target/i386: Added consistency checks for CR4
      target/i386: Added consistency checks for EFER

Paolo Bonzini (4):
      qemu-config: never call the callback after an error, fix leak
      qemu-config: fix memory leak on ferror()
      chardev-spice: add missing module_obj directive
      meson: fix dependencies for modinfo

Stefan Hajnoczi (1):
      qemu-config: restore "machine" in qmp_query_command_line_options()

Thomas Huth (5):
      configure: Drop obsolete check for the alloc_size attribute
      configure: Fix --without-default-features propagation to meson
      configure: Allow vnc to get disabled with --without-default-features
      configure: Fix the default setting of the "xen" feature
      configure: Let --without-default-features disable vhost-kernel and vhost-vdpa

 chardev/spice.c                      |  1 +
 configure                            | 20 +++---------
 hw/usb/meson.build                   |  2 +-
 meson.build                          |  6 ++--
 softmmu/vl.c                         |  1 +
 target/i386/cpu.h                    | 44 ++++++++++++++++++++++++++
 target/i386/tcg/sysemu/misc_helper.c |  3 ++
 target/i386/tcg/sysemu/svm_helper.c  | 60 +++++++++++++++++++++++++++++++++---
 util/qemu-config.c                   | 16 +++++++---
 9 files changed, 125 insertions(+), 28 deletions(-)
-- 
2.31.1


* [PULL 01/15] qemu-config: never call the callback after an error, fix leak
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
@ 2021-07-22 15:35 ` Paolo Bonzini
  2021-07-22 15:35 ` [PULL 02/15] qemu-config: fix memory leak on ferror() Paolo Bonzini
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:35 UTC (permalink / raw)
  To: qemu-devel; +Cc: armbru

Ensure that the callback to qemu_config_foreach is never called upon
an error, by moving the invocation before the "out" label.

Cc: armbru@redhat.com
Fixes: 3770141139 ("qemu-config: parse configuration files to a QDict", 2021-06-04)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 util/qemu-config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/qemu-config.c b/util/qemu-config.c
index 84ee6dc4ea..7db810f1e0 100644
--- a/util/qemu-config.c
+++ b/util/qemu-config.c
@@ -417,12 +417,12 @@ static int qemu_config_foreach(FILE *fp, QEMUConfigCB *cb, void *opaque,
         return res;
     }
     res = count;
-out:
     if (qdict) {
         cb(group, qdict, opaque, errp);
-        qobject_unref(qdict);
     }
+out:
     loc_pop(&loc);
+    qobject_unref(qdict);
     return res;
 }
 
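Review bot: the unconditional `qobject_unref(qdict)` after `out:` is safe only because qobject_unref() accepts NULL, and it still does not cover the `ferror(fp)` branch just above this hunk (visible in the context of the next patch), which does `loc_pop(&loc); ... return res;` without ever reaching `out:`, so a qdict allocated before a read error still leaks on that path; route that branch through the same cleanup instead of returning directly (PULL 02/15 in this series does this with a second label).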
-- 
2.31.1


* [PULL 02/15] qemu-config: fix memory leak on ferror()
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
  2021-07-22 15:35 ` [PULL 01/15] qemu-config: never call the callback after an error, fix leak Paolo Bonzini
@ 2021-07-22 15:35 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 03/15] vl: Parse legacy default_machine_opts Paolo Bonzini
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:35 UTC (permalink / raw)
  To: qemu-devel; +Cc: Peter Maydell, armbru

The leak is basically impossible to reach, since the only common way
to get ferror(fp) is by passing a directory to -readconfig.  In that
case, the error occurs before qdict is set to anything non-NULL.
However, it's theoretically possible to get there after an EIO.

Cc: armbru@redhat.com
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: f7544edcd3 ("qemu-config: add error propagation to qemu_config_parse", 2021-03-06)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 util/qemu-config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/qemu-config.c b/util/qemu-config.c
index 7db810f1e0..fdf6cd69fc 100644
--- a/util/qemu-config.c
+++ b/util/qemu-config.c
@@ -414,7 +414,7 @@ static int qemu_config_foreach(FILE *fp, QEMUConfigCB *cb, void *opaque,
     if (ferror(fp)) {
         loc_pop(&loc);
         error_setg_errno(errp, errno, "Cannot read config file");
-        return res;
+        goto out_no_loc;
     }
     res = count;
     if (qdict) {
@@ -422,6 +422,7 @@ static int qemu_config_foreach(FILE *fp, QEMUConfigCB *cb, void *opaque,
     }
 out:
     loc_pop(&loc);
+out_no_loc:
     qobject_unref(qdict);
     return res;
 }
-- 
2.31.1


* [PULL 03/15] vl: Parse legacy default_machine_opts
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
  2021-07-22 15:35 ` [PULL 01/15] qemu-config: never call the callback after an error, fix leak Paolo Bonzini
  2021-07-22 15:35 ` [PULL 02/15] qemu-config: fix memory leak on ferror() Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 04/15] chardev-spice: add missing module_obj directive Paolo Bonzini
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Jason Andryuk

From: Jason Andryuk <jandryuk@gmail.com>

qemu can't start a xen vm after commit d8fb7d0969d5
"vl: switch -M parsing to keyval" with:

$ ./qemu-system-i386 -M xenfv
Unexpected error in object_property_find_err() at ../qom/object.c:1298:
qemu-system-i386: Property 'xenfv-3.1-machine.accel' not found
Aborted (core dumped)

The default_machine_opts handling doesn't process the legacy machine
options like "accel".  Call qemu_apply_legacy_machine_options to provide
the legacy handling.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Message-Id: <20210713021552.19110-1-jandryuk@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 softmmu/vl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/softmmu/vl.c b/softmmu/vl.c
index 4df1496101..f4d8630fc6 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -2126,6 +2126,7 @@ static void qemu_create_machine(QDict *qdict)
         QDict *default_opts =
             keyval_parse(machine_class->default_machine_opts, NULL, NULL,
                          &error_abort);
+        qemu_apply_legacy_machine_options(default_opts);
         object_set_properties_from_keyval(OBJECT(current_machine), default_opts,
                                           false, &error_abort);
         qobject_unref(default_opts);
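Review bot: this relies on qemu_apply_legacy_machine_options() removing the keys it consumes ("accel", the one named in the abort quoted in the commit message) from `default_opts`, because the very same QDict is then handed to object_set_properties_from_keyval() with `&error_abort`; a one-line comment here stating that the legacy pass must strip the keys it handles, or an assertion that "accel" is gone before the property pass, would stop a later refactor from reintroducing the abort. Since default_machine_opts comes from the machine class rather than from the user, this adds no new untrusted-input path.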
-- 
2.31.1


* [PULL 04/15] chardev-spice: add missing module_obj directive
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (2 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 03/15] vl: Parse legacy default_machine_opts Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 17:41   ` Philippe Mathieu-Daudé
  2021-07-22 15:36 ` [PULL 05/15] usb: fix usb-host dependency check Paolo Bonzini
                   ` (11 subsequent siblings)
  15 siblings, 1 reply; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Daniel P . Berrangé, Frederic Bezies

The chardev-spicevmc class was not listed in chardev/spice.c, causing
"-chardev spicevmc" to fail when modules are enabled.

Reported-by: Frederic Bezies <fredbezies@gmail.com>
Fixes: 9f4a0f0978 ("modules: use modinfo for qom load", 2021-07-09)
Resolves: //gitlab.com/qemu-project/qemu/-/issues/488
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210719164435.1227794-1-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 chardev/spice.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chardev/spice.c b/chardev/spice.c
index 3ffb3fdc0d..bbffef4913 100644
--- a/chardev/spice.c
+++ b/chardev/spice.c
@@ -382,6 +382,7 @@ static const TypeInfo char_spicevmc_type_info = {
     .parent = TYPE_CHARDEV_SPICE,
     .class_init = char_spicevmc_class_init,
 };
+module_obj(TYPE_CHARDEV_SPICEVMC);
 
 static void char_spiceport_class_init(ObjectClass *oc, void *data)
 {
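Review bot: the fix adds module_obj() for TYPE_CHARDEV_SPICEVMC only, while the context directly below begins the spiceport class (`char_spiceport_class_init`) that is built into the same module; confirm that its TypeInfo is also followed by a module_obj() line, otherwise `-chardev spiceport` fails under modules exactly like the reported `-chardev spicevmc`. `grep -n module_obj chardev/spice.c` should list both types.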
-- 
2.31.1


* [PULL 05/15] usb: fix usb-host dependency check
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (3 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 04/15] chardev-spice: add missing module_obj directive Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 06/15] qemu-config: restore "machine" in qmp_query_command_line_options() Paolo Bonzini
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Programmingkid, Philippe Mathieu-Daudé, Gerd Hoffmann

From: Gerd Hoffmann <kraxel@redhat.com>

Fixes: 90540f3289 ("configure, meson: convert libusb detection to meson", 2021-06-25)
Reported-by: Programmingkid <programmingkidx@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210721081718.301343-1-kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/usb/meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/meson.build b/hw/usb/meson.build
index 3ca6127937..de853d780d 100644
--- a/hw/usb/meson.build
+++ b/hw/usb/meson.build
@@ -72,7 +72,7 @@ if usbredir.found()
 endif
 
 # usb pass-through
-if config_host.has_key('CONFIG_USB_LIBUSB')
+if libusb.found()
   usbhost_ss = ss.source_set()
   usbhost_ss.add(when: ['CONFIG_USB', libusb],
                  if_true: files('host-libusb.c'))
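Review bot: with the outer guard now `libusb.found()`, listing `libusb` again in `usbhost_ss.add(when: ['CONFIG_USB', libusb], ...)` is redundant but harmless, and keeping it preserves a correct source set if the guard is ever loosened. The real effect of the hunk is that nothing in meson depends on `CONFIG_USB_LIBUSB` any more, so if configure still exports that key it can be dropped in a follow-up to avoid a second source of truth.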
-- 
2.31.1


* [PULL 06/15] qemu-config: restore "machine" in qmp_query_command_line_options()
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (4 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 05/15] usb: fix usb-host dependency check Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 07/15] target/i386: Added V_INTR_PRIO check to virtual interrupts Paolo Bonzini
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefan Hajnoczi

From: Stefan Hajnoczi <stefanha@redhat.com>

Commit d8fb7d0969d5c32b3d1b9e20b63ec6c0abe80be4 ("vl: switch -M parsing
to keyval") stopped adding the "machine" QemuOptsList. This causes
"machine" options to not show up in QMP query-command-line-options
output. For example, libvirt cannot detect that kernel_irqchip support
is available.

Adjust the "machine" opts enumeration in
qmp_query_command_line_options() so that options are properly reported.

Fixes: d8fb7d0969d5 ("vl: switch -M parsing to keyval")
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210721151055.424580-1-stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 util/qemu-config.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/util/qemu-config.c b/util/qemu-config.c
index fdf6cd69fc..436ab63b16 100644
--- a/util/qemu-config.c
+++ b/util/qemu-config.c
@@ -255,8 +255,6 @@ CommandLineOptionInfoList *qmp_query_command_line_options(bool has_option,
             info->option = g_strdup(vm_config_groups[i]->name);
             if (!strcmp("drive", vm_config_groups[i]->name)) {
                 info->parameters = get_drive_infolist();
-            } else if (!strcmp("machine", vm_config_groups[i]->name)) {
-                info->parameters = query_option_descs(machine_opts.desc);
             } else {
                 info->parameters =
                     query_option_descs(vm_config_groups[i]->desc);
@@ -265,6 +263,13 @@ CommandLineOptionInfoList *qmp_query_command_line_options(bool has_option,
         }
     }
 
+    if (!has_option || !strcmp(option, "machine")) {
+        info = g_malloc0(sizeof(*info));
+        info->option = g_strdup("machine");
+        info->parameters = query_option_descs(machine_opts.desc);
+        QAPI_LIST_PREPEND(conf_list, info);
+    }
+
     if (conf_list == NULL) {
         error_setg(errp, "invalid option name: %s", option);
     }
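Review bot: the loop above no longer special-cases "machine", so if a "machine" QemuOptsList is ever registered in vm_config_groups again it would be reported twice, once from the loop with that list's desc and once from this unconditional block; either skip that name in the loop or assert that no group named "machine" exists. With `!has_option` this block always prepends an entry, so the `conf_list == NULL` error below is now reachable only for an explicit unknown option name, which matches its message.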
-- 
2.31.1


* [PULL 07/15] target/i386: Added V_INTR_PRIO check to virtual interrupts
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (5 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 06/15] qemu-config: restore "machine" in qmp_query_command_line_options() Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 08/15] target/i386: Added consistency checks for CR4 Paolo Bonzini
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Lara Lazier

From: Lara Lazier <laramglazier@gmail.com>

The APM2 states that the processor takes a virtual INTR interrupt
if V_IRQ and V_INTR_PRIO indicate that there is a virtual interrupt pending
whose priority is greater than the value in V_TPR.

Signed-off-by: Lara Lazier <laramglazier@gmail.com>
Message-Id: <20210721152651.14683-1-laramglazier@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/tcg/sysemu/svm_helper.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/target/i386/tcg/sysemu/svm_helper.c b/target/i386/tcg/sysemu/svm_helper.c
index 00618cff23..72b03a345d 100644
--- a/target/i386/tcg/sysemu/svm_helper.c
+++ b/target/i386/tcg/sysemu/svm_helper.c
@@ -65,6 +65,16 @@ static inline void svm_load_seg_cache(CPUX86State *env, hwaddr addr,
                            sc->base, sc->limit, sc->flags);
 }
 
+static inline bool ctl_has_irq(uint32_t int_ctl)
+{
+    uint32_t int_prio;
+    uint32_t tpr;
+
+    int_prio = (int_ctl & V_INTR_PRIO_MASK) >> V_INTR_MASKING_SHIFT;
+    tpr = int_ctl & V_TPR_MASK;
+    return (int_ctl & V_IRQ_MASK) && (int_prio >= tpr);
+}
+
 void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
 {
     CPUState *cs = env_cpu(env);
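Review bot: `int_prio = (int_ctl & V_INTR_PRIO_MASK) >> V_INTR_MASKING_SHIFT` pairs the priority field's mask with the interrupt-masking bit's shift; unless those two constants happen to have the same value, the 4-bit V_INTR_PRIO field is shifted out entirely, `int_prio` is always 0, and the new gate admits a virtual interrupt only when V_TPR is 0. Shift by the constant that belongs to V_INTR_PRIO_MASK (V_INTR_PRIO_SHIFT, if the header defines it). Separately, the commit message quotes the APM as "priority is greater than the value in V_TPR" while the code tests `int_prio >= tpr`; pick one and say why in a comment.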
@@ -290,7 +300,7 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
 
     env->hflags2 |= HF2_GIF_MASK;
 
-    if (int_ctl & V_IRQ_MASK) {
+    if (ctl_has_irq(int_ctl)) {
         CPUState *cs = env_cpu(env);
 
         cs->interrupt_request |= CPU_INTERRUPT_VIRQ;
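Review bot: the priority gate is applied only here, at VMRUN; a virtual interrupt held back because V_TPR is currently too high must be re-evaluated when the guest later lowers V_TPR (CR8 writes are the usual path), otherwise it is lost until the next VMRUN. If that re-check exists elsewhere, it should call ctl_has_irq() rather than carry a second copy of the comparison.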
-- 
2.31.1


* [PULL 08/15] target/i386: Added consistency checks for CR4
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (6 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 07/15] target/i386: Added V_INTR_PRIO check to virtual interrupts Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-08-31 17:03   ` Richard W.M. Jones
  2021-07-22 15:36 ` [PULL 09/15] target/i386: Added consistency checks for EFER Paolo Bonzini
                   ` (7 subsequent siblings)
  15 siblings, 1 reply; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Lara Lazier

From: Lara Lazier <laramglazier@gmail.com>

All MBZ bits in CR4 must be zero. (APM2 15.5)
Added reserved bitmask and added checks in both
helper_vmrun and helper_write_crN.

Signed-off-by: Lara Lazier <laramglazier@gmail.com>
Message-Id: <20210721152651.14683-2-laramglazier@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.h                    | 39 ++++++++++++++++++++++++++++
 target/i386/tcg/sysemu/misc_helper.c |  3 +++
 target/i386/tcg/sysemu/svm_helper.c  |  9 ++++---
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 5d98a4e7c0..1f7e8d7f0a 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -240,6 +240,7 @@ typedef enum X86Seg {
 #define CR4_OSFXSR_SHIFT 9
 #define CR4_OSFXSR_MASK (1U << CR4_OSFXSR_SHIFT)
 #define CR4_OSXMMEXCPT_MASK  (1U << 10)
+#define CR4_UMIP_MASK   (1U << 11)
 #define CR4_LA57_MASK   (1U << 12)
 #define CR4_VMXE_MASK   (1U << 13)
 #define CR4_SMXE_MASK   (1U << 14)
@@ -251,6 +252,14 @@ typedef enum X86Seg {
 #define CR4_PKE_MASK   (1U << 22)
 #define CR4_PKS_MASK   (1U << 24)
 
+#define CR4_RESERVED_MASK \
+(~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \
+                | CR4_DE_MASK | CR4_PSE_MASK | CR4_PAE_MASK \
+                | CR4_MCE_MASK | CR4_PGE_MASK | CR4_PCE_MASK \
+                | CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK |CR4_UMIP_MASK \
+                | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
+                | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK))
+
 #define DR6_BD          (1 << 13)
 #define DR6_BS          (1 << 14)
 #define DR6_BT          (1 << 15)
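Review bot: CR4_LA57_MASK is missing from the allowed set in CR4_RESERVED_MASK, so CR4.LA57 is unconditionally reserved and a guest whose CPUID advertises LA57 can never enable 5-level paging without tripping the new check; add CR4_LA57_MASK to the list (the conditional gating belongs in cr4_reserved_bits(), not here). Also, `~(target_ulong)(...)` is 32 bits wide on 32-bit targets while the value tested against it is a uint64_t, so bits 63:32 of a VMCB CR4 pass silently there; build the mask as `~(uint64_t)(...)` or reject the upper half explicitly.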
@@ -2196,6 +2205,36 @@ static inline bool hyperv_feat_enabled(X86CPU *cpu, int feat)
     return !!(cpu->hyperv_features & BIT(feat));
 }
 
+static inline uint64_t cr4_reserved_bits(CPUX86State *env)
+{
+    uint64_t reserved_bits = CR4_RESERVED_MASK;
+    if (!env->features[FEAT_XSAVE]) {
+        reserved_bits |= CR4_OSXSAVE_MASK;
+    }
+    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_SMEP)) {
+        reserved_bits |= CR4_SMEP_MASK;
+    }
+    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_SMAP)) {
+        reserved_bits |= CR4_SMAP_MASK;
+    }
+    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_FSGSBASE)) {
+        reserved_bits |= CR4_FSGSBASE_MASK;
+    }
+    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKU)) {
+        reserved_bits |= CR4_PKE_MASK;
+    }
+    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_LA57)) {
+        reserved_bits |= CR4_LA57_MASK;
+    }
+    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_UMIP)) {
+        reserved_bits |= CR4_UMIP_MASK;
+    }
+    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKS)) {
+        reserved_bits |= CR4_PKS_MASK;
+    }
+    return reserved_bits;
+}
+
 #if defined(TARGET_X86_64) && \
     defined(CONFIG_USER_ONLY) && \
     defined(CONFIG_LINUX)
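Review bot: the `CPUID_7_0_ECX_LA57` branch is dead as long as CR4_LA57_MASK is absent from the allowed set in CR4_RESERVED_MASK above, since the bit is already reserved before this function adds anything. Two other gates look off: `!env->features[FEAT_XSAVE]` tests the whole CPUID 0xD.1 EAX word (xsaveopt/xsavec/xgetbv1/xsaves), whereas CR4.OSXSAVE is permitted by the XSAVE bit in CPUID.1:ECX, so a model with XSAVE but none of those sub-features would wrongly have OSXSAVE reserved; and CR4_PCIDE is never gated on the PCID CPUID bit at all. Please check each gate against the CPUID bit the APM names for it.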
diff --git a/target/i386/tcg/sysemu/misc_helper.c b/target/i386/tcg/sysemu/misc_helper.c
index db0d8a9d79..a2af2c9bba 100644
--- a/target/i386/tcg/sysemu/misc_helper.c
+++ b/target/i386/tcg/sysemu/misc_helper.c
@@ -99,6 +99,9 @@ void helper_write_crN(CPUX86State *env, int reg, target_ulong t0)
         cpu_x86_update_cr3(env, t0);
         break;
     case 4:
+        if (t0 & cr4_reserved_bits(env)) {
+            cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
+        }
         if (((t0 ^ env->cr[4]) & CR4_LA57_MASK) &&
             (env->hflags & HF_CS64_MASK)) {
             raise_exception_ra(env, EXCP0D_GPF, GETPC());
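Review bot: helper_write_crN() runs for every MOV to CR4, not only from a nested SVM guest, yet a reserved-bit write here goes to cpu_vmexit(SVM_EXIT_ERR) unconditionally; the architectural response to MOV CR4 with reserved bits set is #GP, which is exactly what the LA57 check two lines below does with `raise_exception_ra(env, EXCP0D_GPF, GETPC())`, and SVM_EXIT_ERR is the response for inconsistent VMCB state detected at VMRUN, not for an instruction executed afterwards. Raise #GP here and keep the VMEXIT in helper_vmrun, where the next hunk already adds it.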
diff --git a/target/i386/tcg/sysemu/svm_helper.c b/target/i386/tcg/sysemu/svm_helper.c
index 72b03a345d..d7d7a86aa9 100644
--- a/target/i386/tcg/sysemu/svm_helper.c
+++ b/target/i386/tcg/sysemu/svm_helper.c
@@ -85,6 +85,7 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
     uint32_t int_ctl;
     uint32_t asid;
     uint64_t new_cr0;
+    uint64_t new_cr4;
 
     cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
 
@@ -225,14 +226,16 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
     if ((new_cr0 & CR0_NW_MASK) && !(new_cr0 & CR0_CD_MASK)) {
         cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
     }
+    new_cr4 = x86_ldq_phys(cs, env->vm_vmcb + offsetof(struct vmcb, save.cr4));
+    if (new_cr4 & cr4_reserved_bits(env)) {
+        cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
+    }
     /* clear exit_info_2 so we behave like the real hardware */
     x86_stq_phys(cs,
              env->vm_vmcb + offsetof(struct vmcb, control.exit_info_2), 0);
 
     cpu_x86_update_cr0(env, new_cr0);
-    cpu_x86_update_cr4(env, x86_ldq_phys(cs,
-                                     env->vm_vmcb + offsetof(struct vmcb,
-                                                             save.cr4)));
+    cpu_x86_update_cr4(env, new_cr4);
     cpu_x86_update_cr3(env, x86_ldq_phys(cs,
                                      env->vm_vmcb + offsetof(struct vmcb,
                                                              save.cr3)));
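Review bot: the new check runs before cpu_x86_update_cr0()/cr4()/cr3(), so env still holds host state when cpu_vmexit(SVM_EXIT_ERR) fires, the same ordering as the CR0 NW/CD check above; keep that property when adding further VMCB consistency checks (the EFER check in the following patch runs after guest state has been loaded and depends on cpu_vmexit() restoring the host save area instead, which is worth a comment at that site).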
-- 
2.31.1


* [PULL 09/15] target/i386: Added consistency checks for EFER
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (7 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 08/15] target/i386: Added consistency checks for CR4 Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 10/15] configure: Drop obsolete check for the alloc_size attribute Paolo Bonzini
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Lara Lazier

From: Lara Lazier <laramglazier@gmail.com>

EFER.SVME has to be set, and EFER reserved bits must
be zero.
In addition the combinations
 * EFER.LMA or EFER.LME is non-zero and the processor does not support LM
 * non-zero EFER.LME and CR0.PG and zero CR4.PAE
 * non-zero EFER.LME and CR0.PG and zero CR0.PE
 * non-zero EFER.LME, CR0.PG, CR4.PAE, CS.L and CS.D
are all invalid.
(AMD64 Architecture Programmer's Manual, V2, 15.5)

Signed-off-by: Lara Lazier <laramglazier@gmail.com>
Message-Id: <20210721152651.14683-3-laramglazier@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.h                   |  5 ++++
 target/i386/tcg/sysemu/svm_helper.c | 39 +++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 1f7e8d7f0a..6c50d3ab4f 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -475,6 +475,11 @@ typedef enum X86Seg {
 #define MSR_EFER_SVME  (1 << 12)
 #define MSR_EFER_FFXSR (1 << 14)
 
+#define MSR_EFER_RESERVED\
+        (~(target_ulong)(MSR_EFER_SCE | MSR_EFER_LME\
+            | MSR_EFER_LMA | MSR_EFER_NXE | MSR_EFER_SVME\
+            | MSR_EFER_FFXSR))
+
 #define MSR_STAR                        0xc0000081
 #define MSR_LSTAR                       0xc0000082
 #define MSR_CSTAR                       0xc0000083
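Review bot: same width caveat as CR4_RESERVED_MASK: `~(target_ulong)(...)` is 32 bits on 32-bit targets, while env->efer is a 64-bit MSR, so `env->efer & MSR_EFER_RESERVED` in is_efer_invalid_state() cannot see reserved bits above 31 there; use `~(uint64_t)(...)`. EFER bits QEMU does not model (TCE, bit 15, for example) are correctly treated as reserved as long as the matching CPUID bits are never advertised. Minor style: a space before each trailing backslash and after `MSR_EFER_RESERVED`, to match the CR4 definition.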
diff --git a/target/i386/tcg/sysemu/svm_helper.c b/target/i386/tcg/sysemu/svm_helper.c
index d7d7a86aa9..4d64ec378e 100644
--- a/target/i386/tcg/sysemu/svm_helper.c
+++ b/target/i386/tcg/sysemu/svm_helper.c
@@ -75,6 +75,41 @@ static inline bool ctl_has_irq(uint32_t int_ctl)
     return (int_ctl & V_IRQ_MASK) && (int_prio >= tpr);
 }
 
+static inline bool is_efer_invalid_state (CPUX86State *env)
+{
+    if (!(env->efer & MSR_EFER_SVME)) {
+        return true;
+    }
+
+    if (env->efer & MSR_EFER_RESERVED) {
+        return true;
+    }
+
+    if ((env->efer & (MSR_EFER_LMA | MSR_EFER_LME)) &&
+            !(env->features[FEAT_8000_0001_EDX] & CPUID_EXT2_LM)) {
+        return true;
+    }
+
+    if ((env->efer & MSR_EFER_LME) && (env->cr[0] & CR0_PG_MASK)
+                                && !(env->cr[4] & CR4_PAE_MASK)) {
+        return true;
+    }
+
+    if ((env->efer & MSR_EFER_LME) && (env->cr[0] & CR0_PG_MASK)
+                                && !(env->cr[0] & CR0_PE_MASK)) {
+        return true;
+    }
+
+    if ((env->efer & MSR_EFER_LME) && (env->cr[0] & CR0_PG_MASK)
+                                && (env->cr[4] & CR4_PAE_MASK)
+                                && (env->segs[R_CS].flags & DESC_L_MASK)
+                                && (env->segs[R_CS].flags & DESC_B_MASK)) {
+        return true;
+    }
+
+    return false;
+}
+
 void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
 {
     CPUState *cs = env_cpu(env);
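Review bot: `is_efer_invalid_state (CPUX86State *env)` has a space before the parameter list, which checkpatch rejects. On the logic, the function reads env->efer, env->cr[0], env->cr[4] and env->segs[R_CS].flags, so it is only meaningful once the VMCB guest state has been loaded into env; say so in a comment above it. The CS.L && CS.D test uses DESC_B_MASK for the D bit, which is the same descriptor flag bit, so that is correct.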
@@ -291,6 +326,10 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
     }
 #endif
 
+    if (is_efer_invalid_state(env)) {
+        cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
+    }
+
     switch (x86_ldub_phys(cs,
                       env->vm_vmcb + offsetof(struct vmcb, control.tlb_ctl))) {
     case TLB_CONTROL_DO_NOTHING:
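Review bot: is_efer_invalid_state() inspects EFER, CR0, CR4 and CS, so it must run after those have been loaded from the VMCB; its placement after the `#ifdef TARGET_X86_64` block suggests that is the case, but please confirm the EFER, control-register and segment loads all precede this point. Because env has already been switched to guest state here, unlike the CR4 check earlier in the same function, the correctness of `cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC())` depends on the host save area written earlier in helper_vmrun being complete; a comment noting that would save the next reader from wondering whether the exit can leave env half-switched.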
-- 
2.31.1


* [PULL 10/15] configure: Drop obsolete check for the alloc_size attribute
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (8 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 09/15] target/i386: Added consistency checks for EFER Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 11/15] meson: fix dependencies for modinfo Paolo Bonzini
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth

From: Thomas Huth <thuth@redhat.com>

We recently bumped our requirement for Clang to at least version 6.0.
And according to:

 https://releases.llvm.org/6.0.0/tools/clang/docs/AttributeReference.html

Clang v6.0 supports the alloc_size attribute. Thus we can drop this
check in the configure script now.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210714072855.785566-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/configure b/configure
index 63f38fa94c..026704f15a 100755
--- a/configure
+++ b/configure
@@ -3266,18 +3266,6 @@ if ! compile_prog "$glib_cflags" "$glib_libs" ; then
 	       "build target"
 fi
 
-# Silence clang 3.5.0 warnings about glib attribute __alloc_size__ usage
-cat > $TMPC << EOF
-#include <glib.h>
-int main(void) { return 0; }
-EOF
-if ! compile_prog "$glib_cflags -Werror" "$glib_libs" ; then
-    if cc_has_warning_flag "-Wno-unknown-attributes"; then
-        glib_cflags="-Wno-unknown-attributes $glib_cflags"
-        CONFIGURE_CFLAGS="-Wno-unknown-attributes $CONFIGURE_CFLAGS"
-    fi
-fi
-
 # Silence clang warnings triggered by glib < 2.57.2
 cat > $TMPC << EOF
 #include <glib.h>
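Review bot: dropping this block also stops `-Wno-unknown-attributes` from being prepended to CONFIGURE_CFLAGS, so every later configure probe now runs without that silencer; with the clang >= 6.0 floor that is the desired effect, but a build with an older clang would fail later and less clearly than before, so the minimum-version check should be the first thing that rejects it.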
-- 
2.31.1


* [PULL 11/15] meson: fix dependencies for modinfo
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (9 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 10/15] configure: Drop obsolete check for the alloc_size attribute Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 12/15] configure: Fix --without-default-features propagation to meson Paolo Bonzini
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel

modinfo runs the preprocessor and therefore needs all generated input files
to be there.  The "depends" clause does not work in Meson 0.55.3, so for
now use "input".

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 meson.build | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meson.build b/meson.build
index 6e4d2d8034..eb85fe8e44 100644
--- a/meson.build
+++ b/meson.build
@@ -2335,9 +2335,9 @@ foreach d, list : modules
         # https://github.com/mesonbuild/meson/pull/8900
         modinfo_files += custom_target(d + '-' + m + '.modinfo',
                                        output: d + '-' + m + '.modinfo',
-                                       input: module_ss.sources(),
+                                       input: module_ss.sources() + genh,
                                        capture: true,
-                                       command: [modinfo_collect, '@INPUT@'])
+                                       command: [modinfo_collect, module_ss.sources()])
       endif
     else
       if d == 'block'
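Review bot: passing `module_ss.sources()` explicitly in `command:` while `input:` carries `module_ss.sources() + genh` makes the generated headers an ordering dependency only, never an argument to modinfo_collect; state that in the comment above (which currently only cites the Meson PR), otherwise the next reader will "simplify" this back to `@INPUT@` and hand header files to the collector.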
-- 
2.31.1


* [PULL 12/15] configure: Fix --without-default-features propagation to meson
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (10 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 11/15] meson: fix dependencies for modinfo Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 13/15] configure: Allow vnc to get disabled with --without-default-features Paolo Bonzini
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth, Cole Robinson

From: Thomas Huth <thuth@redhat.com>

A typo prevents many features from getting disabled when the user
runs "configure" with the --without-default-features switch.

Reported-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210713093155.677589-2-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 026704f15a..19c4bc1192 100755
--- a/configure
+++ b/configure
@@ -5206,7 +5206,7 @@ if test "$skip_meson" = no; then
         -Ddocs=$docs -Dsphinx_build=$sphinx_build -Dinstall_blobs=$blobs \
         -Dvhost_user_blk_server=$vhost_user_blk_server -Dmultiprocess=$multiprocess \
         -Dfuse=$fuse -Dfuse_lseek=$fuse_lseek -Dguest_agent_msi=$guest_agent_msi -Dbpf=$bpf\
-        $(if test "$default_features" = no; then echo "-Dauto_features=disabled"; fi) \
+        $(if test "$default_feature" = no; then echo "-Dauto_features=disabled"; fi) \
 	-Dtcg_interpreter=$tcg_interpreter \
         $cross_arg \
         "$PWD" "$source_path"
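Review bot: `$default_feature` is the name used elsewhere in configure (for example `vde="$default_feature"` in the next patch's context), so this is the right fix; the bug went unnoticed because an unset variable expands to empty in `test "$default_features" = no` without any error, which is exactly what `shellcheck` (SC2154) would have flagged, so running it over configure in CI would be a cheap guard against the next one.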
-- 
2.31.1


* [PULL 13/15] configure: Allow vnc to get disabled with --without-default-features
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (11 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 12/15] configure: Fix --without-default-features propagation to meson Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 14/15] configure: Fix the default setting of the "xen" feature Paolo Bonzini
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth, Cole Robinson

From: Thomas Huth <thuth@redhat.com>

There's no reason why we should keep VNC enabled when the user
specified --without-default-features.

Reported-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210713093155.677589-3-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure   | 2 +-
 meson.build | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 19c4bc1192..468aac58e2 100755
--- a/configure
+++ b/configure
@@ -304,7 +304,7 @@ virtiofsd="auto"
 virtfs="auto"
 libudev="auto"
 mpath="auto"
-vnc="enabled"
+vnc="auto"
 sparse="auto"
 vde="$default_feature"
 vnc_sasl="auto"
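Review bot: `vnc="auto"` does not read `$default_feature` the way the neighbouring `vde="$default_feature"` does, so this line on its own does not honour --without-default-features; it relies on configure passing `-Dauto_features=disabled` to meson when default features are off, which is exactly the propagation that PULL 12/15 repairs. The commit message should state that ordering dependency, since applying this patch without 12/15 leaves VNC enabled as before.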
diff --git a/meson.build b/meson.build
index eb85fe8e44..cb3856fc35 100644
--- a/meson.build
+++ b/meson.build
@@ -930,7 +930,7 @@ vnc = not_found
 png = not_found
 jpeg = not_found
 sasl = not_found
-if get_option('vnc').enabled()
+if not get_option('vnc').disabled()
   vnc = declare_dependency() # dummy dependency
   png = dependency('libpng', required: get_option('vnc_png'),
                    method: 'pkg-config', kwargs: static_kwargs)
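Review bot: `if not get_option('vnc').disabled()` makes `auto` behave like `enabled` here: `vnc = declare_dependency()` is a dummy with no library behind it, so there is no probe that could turn an `auto` request off, and only an explicit `disabled` (or `-Dauto_features=disabled`) does. That is the intended semantics for a feature without a detectable dependency, but a one-line comment next to the dummy dependency would save the next reader from looking for the missing detection step.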
-- 
2.31.1





* [PULL 14/15] configure: Fix the default setting of the "xen" feature
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (12 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 13/15] configure: Allow vnc to get disabled with --without-default-features Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-22 15:36 ` [PULL 15/15] configure: Let --without-default-features disable vhost-kernel and vhost-vdpa Paolo Bonzini
  2021-07-23 10:15 ` [PULL 00/15] Misc bugfix patches for 2021-07-22 Peter Maydell
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth, Cole Robinson

From: Thomas Huth <thuth@redhat.com>

The "xen" variable should either contain "enabled", "disabled" or
nothing (for auto detection). But when the user currently runs the
configure script with --without-default-features, it gets set to
"no" instead. This does not work as expected: the feature will still
be enabled if the Xen headers are present. Thus set the variable
to "disabled" instead if the default_feature switch has been set.

Reported-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210713093155.677589-4-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 468aac58e2..40fa8cc26e 100755
--- a/configure
+++ b/configure
@@ -311,7 +311,7 @@ vnc_sasl="auto"
 vnc_jpeg="auto"
 vnc_png="auto"
 xkbcommon="auto"
-xen="$default_feature"
+xen=${default_feature:+disabled}
 xen_ctrl_version="$default_feature"
 xen_pci_passthrough="auto"
 linux_aio="$default_feature"
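Review bot: `${default_feature:+disabled}` yields "disabled" whenever `default_feature` is non-empty, which is correct only as long as the variable is either empty or "no"; if a later change ever sets it to "yes" or "enabled", Xen would be silently disabled. The next line, `xen_ctrl_version="$default_feature"`, still follows the old "no" convention, so the two adjacent variables now use different encodings for the same switch. A comment, or better a small helper that maps `$default_feature` to the meson tri-state for every such variable, would keep this from drifting further.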
-- 
2.31.1





* [PULL 15/15] configure: Let --without-default-features disable vhost-kernel and vhost-vdpa
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (13 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 14/15] configure: Fix the default setting of the "xen" feature Paolo Bonzini
@ 2021-07-22 15:36 ` Paolo Bonzini
  2021-07-23 10:15 ` [PULL 00/15] Misc bugfix patches for 2021-07-22 Peter Maydell
  15 siblings, 0 replies; 21+ messages in thread
From: Paolo Bonzini @ 2021-07-22 15:36 UTC (permalink / raw)
  To: qemu-devel; +Cc: Thomas Huth, Cole Robinson

From: Thomas Huth <thuth@redhat.com>

The vhost_kernel and vhost_vdpa variables should be pre-initialized with
the $default_feature setting so that these features get disabled when
the user runs the configure scripts with --without-default-features.

Reported-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210713093155.677589-5-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/configure b/configure
index 40fa8cc26e..2a6d23a844 100755
--- a/configure
+++ b/configure
@@ -321,6 +321,7 @@ attr="auto"
 xfs="$default_feature"
 tcg="enabled"
 membarrier="$default_feature"
+vhost_kernel="$default_feature"
 vhost_net="$default_feature"
 vhost_crypto="$default_feature"
 vhost_scsi="$default_feature"
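Review bot: `vhost_kernel="$default_feature"` only has the intended effect if the later host-OS detection (not in this hunk) assigns vhost_kernel conditionally on it still being empty; if that code overwrites the variable unconditionally on Linux hosts, the pre-initialisation is lost and the feature stays enabled. The commit message should name the downstream check that honours the "no" value.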
@@ -328,6 +329,7 @@ vhost_vsock="$default_feature"
 vhost_user="no"
 vhost_user_blk_server="auto"
 vhost_user_fs="$default_feature"
+vhost_vdpa="$default_feature"
 bpf="auto"
 kvm="auto"
 hax="auto"
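Review bot: the same concern applies to `vhost_vdpa="$default_feature"`; note also that this block now mixes two conventions, `$default_feature` (empty or "no") for the vhost variables and the meson tri-state ("auto") for the neighbouring `bpf`, `kvm` and `hax`, so a reader cannot tell from the hunk which downstream consumer expects which encoding. A comment at the top of the block stating the rule for choosing one or the other would help.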
-- 
2.31.1




* Re: [PULL 04/15] chardev-spice: add missing module_obj directive
  2021-07-22 15:36 ` [PULL 04/15] chardev-spice: add missing module_obj directive Paolo Bonzini
@ 2021-07-22 17:41   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 21+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-07-22 17:41 UTC (permalink / raw)
  To: Paolo Bonzini, qemu-devel; +Cc: Frederic Bezies, Daniel P . Berrangé

On 7/22/21 5:36 PM, Paolo Bonzini wrote:
> The chardev-spicevmc class was not listed in chardev/spice.c, causing
> "-chardev spicevmc" to fail when modules are enabled.
> 
> Reported-by: Frederic Bezies <fredbezies@gmail.com>
> Fixes: 9f4a0f0978 ("modules: use modinfo for qom load", 2021-07-09)
> Resolves: //gitlab.com/qemu-project/qemu/-/issues/488

Thanks for the detail of updating to full url, however "https:"
got lost ;) Gitlab doesn't notice because of the leading '//'
I suppose. Not worth respinning the pullreq.

> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Message-Id: <20210719164435.1227794-1-pbonzini@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  chardev/spice.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/chardev/spice.c b/chardev/spice.c
> index 3ffb3fdc0d..bbffef4913 100644
> --- a/chardev/spice.c
> +++ b/chardev/spice.c
> @@ -382,6 +382,7 @@ static const TypeInfo char_spicevmc_type_info = {
>      .parent = TYPE_CHARDEV_SPICE,
>      .class_init = char_spicevmc_class_init,
>  };
> +module_obj(TYPE_CHARDEV_SPICEVMC);
>  
>  static void char_spiceport_class_init(ObjectClass *oc, void *data)
>  {
> 
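Review bot: the missing `module_obj(TYPE_CHARDEV_SPICEVMC)` is a silent failure mode: with modules enabled the type is simply absent until something registers it, so `-chardev spicevmc` fails at runtime rather than at build time. Since every QOM type living in a module needs this directive, a test that instantiates each chardev backend with modules enabled, or a build-time check that every `TypeInfo` in a module source file has a matching `module_obj`, would catch the next omission before it reaches a release.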




* Re: [PULL 00/15] Misc bugfix patches for 2021-07-22
  2021-07-22 15:35 [PULL 00/15] Misc bugfix patches for 2021-07-22 Paolo Bonzini
                   ` (14 preceding siblings ...)
  2021-07-22 15:36 ` [PULL 15/15] configure: Let --without-default-features disable vhost-kernel and vhost-vdpa Paolo Bonzini
@ 2021-07-23 10:15 ` Peter Maydell
  15 siblings, 0 replies; 21+ messages in thread
From: Peter Maydell @ 2021-07-23 10:15 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: QEMU Developers

On Thu, 22 Jul 2021 at 16:39, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> The following changes since commit 143c2e0432859826c9e8d5b2baa307355f1a5332:
>
>   Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2021-07-19' into staging (2021-07-19 19:06:05 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 0848f8aca6f7b13f2a755c2593b0a1cbb39f658e:
>
>   configure: Let --without-default-features disable vhost-kernel and vhost-vdpa (2021-07-22 14:44:51 +0200)
>
> ----------------------------------------------------------------
> Bugfixes.
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



* Re: [PULL 08/15] target/i386: Added consistency checks for CR4
  2021-07-22 15:36 ` [PULL 08/15] target/i386: Added consistency checks for CR4 Paolo Bonzini
@ 2021-08-31 17:03   ` Richard W.M. Jones
  2021-08-31 17:12     ` Daniel P. Berrangé
  2021-08-31 17:35     ` Daniel P. Berrangé
  0 siblings, 2 replies; 21+ messages in thread
From: Richard W.M. Jones @ 2021-08-31 17:03 UTC (permalink / raw)
  To: Paolo Bonzini, berrange; +Cc: Lara Lazier, qemu-devel

On Thu, Jul 22, 2021 at 05:36:05PM +0200, Paolo Bonzini wrote:
> From: Lara Lazier <laramglazier@gmail.com>
> 
> All MBZ bits in CR4 must be zero. (APM2 15.5)
> Added reserved bitmask and added checks in both
> helper_vmrun and helper_write_crN.
> 
> Signed-off-by: Lara Lazier <laramglazier@gmail.com>
> Message-Id: <20210721152651.14683-2-laramglazier@gmail.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

FYI this commit causes a regression with -cpu max (regression analyzed
by Daniel Berrange).  See:

https://bugzilla.redhat.com/show_bug.cgi?id=1999700

Rich.

>  target/i386/cpu.h                    | 39 ++++++++++++++++++++++++++++
>  target/i386/tcg/sysemu/misc_helper.c |  3 +++
>  target/i386/tcg/sysemu/svm_helper.c  |  9 ++++---
>  3 files changed, 48 insertions(+), 3 deletions(-)
> 
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 5d98a4e7c0..1f7e8d7f0a 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -240,6 +240,7 @@ typedef enum X86Seg {
>  #define CR4_OSFXSR_SHIFT 9
>  #define CR4_OSFXSR_MASK (1U << CR4_OSFXSR_SHIFT)
>  #define CR4_OSXMMEXCPT_MASK  (1U << 10)
> +#define CR4_UMIP_MASK   (1U << 11)
>  #define CR4_LA57_MASK   (1U << 12)
>  #define CR4_VMXE_MASK   (1U << 13)
>  #define CR4_SMXE_MASK   (1U << 14)
> @@ -251,6 +252,14 @@ typedef enum X86Seg {
>  #define CR4_PKE_MASK   (1U << 22)
>  #define CR4_PKS_MASK   (1U << 24)
>  
> +#define CR4_RESERVED_MASK \
> +(~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \
> +                | CR4_DE_MASK | CR4_PSE_MASK | CR4_PAE_MASK \
> +                | CR4_MCE_MASK | CR4_PGE_MASK | CR4_PCE_MASK \
> +                | CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK |CR4_UMIP_MASK \
> +                | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
> +                | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK))
> +
>  #define DR6_BD          (1 << 13)
>  #define DR6_BS          (1 << 14)
>  #define DR6_BT          (1 << 15)
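Review bot: the OR list behind CR4_RESERVED_MASK omits CR4_LA57_MASK, so bit 12 is permanently reserved regardless of CPUID; the `reserved_bits |= CR4_LA57_MASK` branch in cr4_reserved_bits() can only add the bit, never clear it, so any guest that enables 5-level paging on a model advertising la57 takes the new error path on its first write to CR4 (this is the regression reported later in this thread). Add `| CR4_LA57_MASK` to the list. CR4_VMXE_MASK and CR4_SMXE_MASK are also absent; if that is deliberate because TCG does not implement VMX/SMX, a comment saying so would help.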
> @@ -2196,6 +2205,36 @@ static inline bool hyperv_feat_enabled(X86CPU *cpu, int feat)
>      return !!(cpu->hyperv_features & BIT(feat));
>  }
>  
> +static inline uint64_t cr4_reserved_bits(CPUX86State *env)
> +{
> +    uint64_t reserved_bits = CR4_RESERVED_MASK;
> +    if (!env->features[FEAT_XSAVE]) {
> +        reserved_bits |= CR4_OSXSAVE_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_SMEP)) {
> +        reserved_bits |= CR4_SMEP_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_SMAP)) {
> +        reserved_bits |= CR4_SMAP_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_FSGSBASE)) {
> +        reserved_bits |= CR4_FSGSBASE_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKU)) {
> +        reserved_bits |= CR4_PKE_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_LA57)) {
> +        reserved_bits |= CR4_LA57_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_UMIP)) {
> +        reserved_bits |= CR4_UMIP_MASK;
> +    }
> +    if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKS)) {
> +        reserved_bits |= CR4_PKS_MASK;
> +    }
> +    return reserved_bits;
> +}
> +
>  #if defined(TARGET_X86_64) && \
>      defined(CONFIG_USER_ONLY) && \
>      defined(CONFIG_LINUX)
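Review bot: `if (!env->features[FEAT_XSAVE])` tests whether any bit of the whole CPUID leaf word is set, unlike every other branch here which tests one specific CPUID bit; if the intent is "XSAVE is supported", the CPUID.1:ECX XSAVE bit is the architectural gate for CR4.OSXSAVE and would be the consistent choice. Also, this `static inline` function is called on every CR4 write and every VMRUN but depends only on env->features, which do not change after realize; computing the mask once at CPU realize time would keep it off the hot path.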
> diff --git a/target/i386/tcg/sysemu/misc_helper.c b/target/i386/tcg/sysemu/misc_helper.c
> index db0d8a9d79..a2af2c9bba 100644
> --- a/target/i386/tcg/sysemu/misc_helper.c
> +++ b/target/i386/tcg/sysemu/misc_helper.c
> @@ -99,6 +99,9 @@ void helper_write_crN(CPUX86State *env, int reg, target_ulong t0)
>          cpu_x86_update_cr3(env, t0);
>          break;
>      case 4:
> +        if (t0 & cr4_reserved_bits(env)) {
> +            cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
> +        }
>          if (((t0 ^ env->cr[4]) & CR4_LA57_MASK) &&
>              (env->hflags & HF_CS64_MASK)) {
>              raise_exception_ra(env, EXCP0D_GPF, GETPC());
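Review bot: a write to CR4 that sets reserved bits is architecturally a #GP(0), which is what the existing LA57 check two lines below raises via raise_exception_ra(env, EXCP0D_GPF, GETPC()); cpu_vmexit(env, SVM_EXIT_ERR, ...) is the VMRUN-failure path and is not meaningful in helper_write_crN when the CPU is not running a nested guest. Use the #GP path here and keep SVM_EXIT_ERR for the helper_vmrun check.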
> diff --git a/target/i386/tcg/sysemu/svm_helper.c b/target/i386/tcg/sysemu/svm_helper.c
> index 72b03a345d..d7d7a86aa9 100644
> --- a/target/i386/tcg/sysemu/svm_helper.c
> +++ b/target/i386/tcg/sysemu/svm_helper.c
> @@ -85,6 +85,7 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
>      uint32_t int_ctl;
>      uint32_t asid;
>      uint64_t new_cr0;
> +    uint64_t new_cr4;
>  
>      cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
>  
> @@ -225,14 +226,16 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
>      if ((new_cr0 & CR0_NW_MASK) && !(new_cr0 & CR0_CD_MASK)) {
>          cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
>      }
> +    new_cr4 = x86_ldq_phys(cs, env->vm_vmcb + offsetof(struct vmcb, save.cr4));
> +    if (new_cr4 & cr4_reserved_bits(env)) {
> +        cpu_vmexit(env, SVM_EXIT_ERR, 0, GETPC());
> +    }
>      /* clear exit_info_2 so we behave like the real hardware */
>      x86_stq_phys(cs,
>               env->vm_vmcb + offsetof(struct vmcb, control.exit_info_2), 0);
>  
>      cpu_x86_update_cr0(env, new_cr0);
> -    cpu_x86_update_cr4(env, x86_ldq_phys(cs,
> -                                     env->vm_vmcb + offsetof(struct vmcb,
> -                                                             save.cr4)));
> +    cpu_x86_update_cr4(env, new_cr4);
>      cpu_x86_update_cr3(env, x86_ldq_phys(cs,
>                                       env->vm_vmcb + offsetof(struct vmcb,
>                                                               save.cr3)));
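Review bot: reading save.cr4 once into new_cr4 and checking it before any state is updated is the right ordering (it follows the CR0 NW/CD pattern just above), and SVM_EXIT_ERR is the correct outcome for an inconsistent VMCB. A comment citing APM2 15.5, as the commit message does, would tie the CR0 and CR4 consistency checks together for the next reader.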
> -- 
> 2.31.1
> 
> 

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org




* Re: [PULL 08/15] target/i386: Added consistency checks for CR4
  2021-08-31 17:03   ` Richard W.M. Jones
@ 2021-08-31 17:12     ` Daniel P. Berrangé
  2021-08-31 17:35     ` Daniel P. Berrangé
  1 sibling, 0 replies; 21+ messages in thread
From: Daniel P. Berrangé @ 2021-08-31 17:12 UTC (permalink / raw)
  To: Richard W.M. Jones; +Cc: Paolo Bonzini, Lara Lazier, qemu-devel

On Tue, Aug 31, 2021 at 06:03:04PM +0100, Richard W.M. Jones wrote:
> On Thu, Jul 22, 2021 at 05:36:05PM +0200, Paolo Bonzini wrote:
> > From: Lara Lazier <laramglazier@gmail.com>
> > 
> > All MBZ bits in CR4 must be zero. (APM2 15.5)
> > Added reserved bitmask and added checks in both
> > helper_vmrun and helper_write_crN.
> > 
> > Signed-off-by: Lara Lazier <laramglazier@gmail.com>
> > Message-Id: <20210721152651.14683-2-laramglazier@gmail.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> FYI this commit causes a regression with -cpu max (regression analyzed
> by Daniel Berrange).  See:

Specifically this commit breaks the ability to boot current Fedora
kernels with --cpu max. Disabling 'la57' feature makes it work
again. Similarly enabling 'la57' on any named CPU model makes that
then break.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




* Re: [PULL 08/15] target/i386: Added consistency checks for CR4
  2021-08-31 17:03   ` Richard W.M. Jones
  2021-08-31 17:12     ` Daniel P. Berrangé
@ 2021-08-31 17:35     ` Daniel P. Berrangé
  1 sibling, 0 replies; 21+ messages in thread
From: Daniel P. Berrangé @ 2021-08-31 17:35 UTC (permalink / raw)
  To: Richard W.M. Jones; +Cc: Paolo Bonzini, Lara Lazier, qemu-devel

On Tue, Aug 31, 2021 at 06:03:04PM +0100, Richard W.M. Jones wrote:
> On Thu, Jul 22, 2021 at 05:36:05PM +0200, Paolo Bonzini wrote:
> > From: Lara Lazier <laramglazier@gmail.com>
> > 
> > All MBZ bits in CR4 must be zero. (APM2 15.5)
> > Added reserved bitmask and added checks in both
> > helper_vmrun and helper_write_crN.
> > 
> > Signed-off-by: Lara Lazier <laramglazier@gmail.com>
> > Message-Id: <20210721152651.14683-2-laramglazier@gmail.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> FYI this commit causes a regression with -cpu max (regression analyzed
> by Daniel Berrange).  See:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1999700
> 
> Rich.
> 
> >  target/i386/cpu.h                    | 39 ++++++++++++++++++++++++++++
> >  target/i386/tcg/sysemu/misc_helper.c |  3 +++
> >  target/i386/tcg/sysemu/svm_helper.c  |  9 ++++---
> >  3 files changed, 48 insertions(+), 3 deletions(-)
> > 
> > diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> > index 5d98a4e7c0..1f7e8d7f0a 100644
> > --- a/target/i386/cpu.h
> > +++ b/target/i386/cpu.h
> > @@ -240,6 +240,7 @@ typedef enum X86Seg {
> >  #define CR4_OSFXSR_SHIFT 9
> >  #define CR4_OSFXSR_MASK (1U << CR4_OSFXSR_SHIFT)
> >  #define CR4_OSXMMEXCPT_MASK  (1U << 10)
> > +#define CR4_UMIP_MASK   (1U << 11)
> >  #define CR4_LA57_MASK   (1U << 12)
> >  #define CR4_VMXE_MASK   (1U << 13)
> >  #define CR4_SMXE_MASK   (1U << 14)
> > @@ -251,6 +252,14 @@ typedef enum X86Seg {
> >  #define CR4_PKE_MASK   (1U << 22)
> >  #define CR4_PKS_MASK   (1U << 24)
> >  
> > +#define CR4_RESERVED_MASK \
> > +(~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \
> > +                | CR4_DE_MASK | CR4_PSE_MASK | CR4_PAE_MASK \
> > +                | CR4_MCE_MASK | CR4_PGE_MASK | CR4_PCE_MASK \
> > +                | CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK |CR4_UMIP_MASK \
> > +                | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
> > +                | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK))
> > +

This is missing CR4_LA57_MASK, and adding that makes Fedora kernels
boot again.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



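The gap Daniel identifies above, worked through in a small model, as an added example that is neither QEMU's code nor part of this thread: it reproduces the patch's cr4_reserved_bits() logic against a constructed feature set standing in for -cpu max, once with the OR list as committed and once with CR4_LA57_MASK added, and shows why the committed version refuses a CR4 write that enables 5-level paging while the fixed one accepts it without admitting genuinely reserved bits. The struct cpu_features, its boolean fields and the sample CR4 value are assumptions of the example; the bit positions follow the x86 architecture.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Trimmed model of the CR4 reserved-bit check (added example, not QEMU's). */
#define CR4_VME_MASK        (1U << 0)
#define CR4_PVI_MASK        (1U << 1)
#define CR4_TSD_MASK        (1U << 2)
#define CR4_DE_MASK         (1U << 3)
#define CR4_PSE_MASK        (1U << 4)
#define CR4_PAE_MASK        (1U << 5)
#define CR4_MCE_MASK        (1U << 6)
#define CR4_PGE_MASK        (1U << 7)
#define CR4_PCE_MASK        (1U << 8)
#define CR4_OSFXSR_MASK     (1U << 9)
#define CR4_OSXMMEXCPT_MASK (1U << 10)
#define CR4_UMIP_MASK       (1U << 11)
#define CR4_LA57_MASK       (1U << 12)
#define CR4_FSGSBASE_MASK   (1U << 16)
#define CR4_PCIDE_MASK      (1U << 17)
#define CR4_OSXSAVE_MASK    (1U << 18)
#define CR4_SMEP_MASK       (1U << 20)
#define CR4_SMAP_MASK       (1U << 21)
#define CR4_PKE_MASK        (1U << 22)
#define CR4_PKS_MASK        (1U << 24)

/* The OR list exactly as committed: CR4_LA57_MASK is missing from it. */
#define CR4_ARCH_BITS_AS_COMMITTED \
    (CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK | CR4_DE_MASK | CR4_PSE_MASK \
     | CR4_PAE_MASK | CR4_MCE_MASK | CR4_PGE_MASK | CR4_PCE_MASK \
     | CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK | CR4_UMIP_MASK \
     | CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
     | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK)
/* Everything outside the known bits is reserved; the fix adds LA57. */
#define CR4_RESERVED_MASK_AS_COMMITTED (~(uint64_t)CR4_ARCH_BITS_AS_COMMITTED)
#define CR4_RESERVED_MASK_FIXED \
    (~(uint64_t)(CR4_ARCH_BITS_AS_COMMITTED | CR4_LA57_MASK))

/* Constructed stand-in for the CPUID feature words the real code reads. */
struct cpu_features { bool xsave, smep, smap, fsgsbase, pku, la57, umip, pks; };

/* Mirrors cr4_reserved_bits(): start from the base mask, then reserve the
 * bits whose controlling CPUID feature this model does not advertise. */
static uint64_t cr4_reserved_bits(const struct cpu_features *f, uint64_t base)
{
    uint64_t reserved = base;
    if (!f->xsave)    reserved |= CR4_OSXSAVE_MASK;
    if (!f->smep)     reserved |= CR4_SMEP_MASK;
    if (!f->smap)     reserved |= CR4_SMAP_MASK;
    if (!f->fsgsbase) reserved |= CR4_FSGSBASE_MASK;
    if (!f->pku)      reserved |= CR4_PKE_MASK;
    if (!f->la57)     reserved |= CR4_LA57_MASK; /* can only add, never clear */
    if (!f->umip)     reserved |= CR4_UMIP_MASK;
    if (!f->pks)      reserved |= CR4_PKS_MASK;
    return reserved;
}

/* Mirrors the new check in helper_write_crN(): true if the write is refused. */
static bool cr4_write_rejected(const struct cpu_features *f, uint64_t base,
                               uint64_t new_cr4)
{
    return (new_cr4 & cr4_reserved_bits(f, base)) != 0;
}

/* A model advertising every feature, standing in for -cpu max. */
static const struct cpu_features cpu_max = {
    .xsave = true, .smep = true, .smap = true, .fsgsbase = true,
    .pku = true, .la57 = true, .umip = true, .pks = true };
/* Constructed CR4 value of a kernel enabling 5-level paging. */
static const uint64_t cr4_with_la57 =
    CR4_PAE_MASK | CR4_PGE_MASK | CR4_OSXSAVE_MASK | CR4_LA57_MASK;

/* With the mask as committed, -cpu max refuses the kernel's CR4 write. */
bool la57_write_rejected_as_committed(void)
{
    return cr4_write_rejected(&cpu_max, CR4_RESERVED_MASK_AS_COMMITTED,
                              cr4_with_la57);
}

/* With CR4_LA57_MASK in the list, the same write is accepted. */
bool la57_write_accepted_when_fixed(void)
{
    return !cr4_write_rejected(&cpu_max, CR4_RESERVED_MASK_FIXED, cr4_with_la57);
}

/* The fix does not weaken the check: a model without la57 still refuses
 * the bit, and a genuinely reserved bit (bit 30) is refused on any model. */
bool fixed_mask_still_rejects_reserved(void)
{
    struct cpu_features no_la57 = cpu_max;
    no_la57.la57 = false;
    return cr4_write_rejected(&no_la57, CR4_RESERVED_MASK_FIXED, cr4_with_la57)
        && cr4_write_rejected(&cpu_max, CR4_RESERVED_MASK_FIXED,
                              CR4_PAE_MASK | (1ULL << 30));
}

int main(void)
{
    printf("committed rejects LA57 on -cpu max: %d; fixed accepts: %d; "
           "fixed still rejects reserved: %d\n", la57_write_rejected_as_committed(),
           la57_write_accepted_when_fixed(), fixed_mask_still_rejects_reserved());
    return 0;
}
```

All three scenario functions return true: the first is the regression (a write the guest is entitled to make is refused), the second shows that adding the one missing mask restores it, and the third shows that the corrected mask is not looser than the original for bits that really are reserved or for a model that does not advertise la57.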
