From e69ba2b489d9cc6e976a29a58726d45361d85b9d Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 19 Mar 2018 17:05:05 +1100 Subject: [PATCH 1/7] target/ppc: Initialize lazy_tlb_flush correctly ppc_tr_init_disas_context() correctly sets lazy_tlb_flush to true on certain CPU models. However, it leaves it uninitialized, instead of setting it to false on all others. It wasn't caught before now because we didn't have examples in the tests that exercised this path. However it can now be caught using clang's undefined behaviour sanitizer and the sam460ex board. Suggested-by: Peter Maydell Signed-off-by: David Gibson Reviewed-by: Thomas Huth Reviewed-by: Greg Kurz --- target/ppc/translate.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/target/ppc/translate.c b/target/ppc/translate.c index 218665b408..3457d29f8e 100644 --- a/target/ppc/translate.c +++ b/target/ppc/translate.c @@ -7237,10 +7237,9 @@ static int ppc_tr_init_disas_context(DisasContextBase *dcbase, ctx->sf_mode = msr_is_64bit(env, env->msr); ctx->has_cfar = !!(env->flags & POWERPC_FLAG_CFAR); #endif - if (env->mmu_model == POWERPC_MMU_32B || - env->mmu_model == POWERPC_MMU_601 || - (env->mmu_model & POWERPC_MMU_64B)) - ctx->lazy_tlb_flush = true; + ctx->lazy_tlb_flush = env->mmu_model == POWERPC_MMU_32B + || env->mmu_model == POWERPC_MMU_601 + || (env->mmu_model & POWERPC_MMU_64B); ctx->fpu_enabled = !!msr_fp; if ((env->flags & POWERPC_FLAG_SPE) && msr_spe) From ddd835f32a18c087d3161213f47e89566ce05cc8 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Mon, 19 Mar 2018 15:00:46 +0100 Subject: [PATCH 2/7] hw/misc/macio: Fix crash when listing device properties of macio device MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The macio-newworld device can currently be used to abort QEMU unexpectedly: $ ppc-softmmu/qemu-system-ppc -S -M ref405ep,accel=qtest -qmp stdio {"QMP": {"version": {"qemu": {"micro": 50, "minor": 11, "major": 2}, "package": "build-all"}, "capabilities": []}} { 'execute': 'qmp_capabilities' } {"return": {}} { 'execute': 'device-list-properties', 'arguments': {'typename': 'macio-newworld'}} Unexpected error in qemu_chr_fe_init() at chardev/char-fe.c:222: Device 'serial0' is in use Aborted (core dumped) qdev properties should be set during realize(), not during instance_init(), so move the related code there to fix this problem. Signed-off-by: Thomas Huth Reviewed-by: Philippe Mathieu-Daudé Acked-by: Mark Cave-Ayland Signed-off-by: David Gibson --- hw/misc/macio/macio.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c index 454244f59e..b74a6572b0 100644 --- a/hw/misc/macio/macio.c +++ b/hw/misc/macio/macio.c @@ -115,6 +115,13 @@ static void macio_common_realize(PCIDevice *d, Error **errp) memory_region_add_subregion(&s->bar, 0x16000, sysbus_mmio_get_region(sysbus_dev, 0)); + qdev_prop_set_uint32(DEVICE(&s->escc), "disabled", 0); + qdev_prop_set_uint32(DEVICE(&s->escc), "frequency", ESCC_CLOCK); + qdev_prop_set_uint32(DEVICE(&s->escc), "it_shift", 4); + qdev_prop_set_chr(DEVICE(&s->escc), "chrA", serial_hds[0]); + qdev_prop_set_chr(DEVICE(&s->escc), "chrB", serial_hds[1]); + qdev_prop_set_uint32(DEVICE(&s->escc), "chnBtype", escc_serial); + qdev_prop_set_uint32(DEVICE(&s->escc), "chnAtype", escc_serial); object_property_set_bool(OBJECT(&s->escc), true, "realized", &err); if (err) { error_propagate(errp, err); @@ -341,13 +348,6 @@ static void macio_instance_init(Object *obj) object_property_add_child(obj, "dbdma", OBJECT(&s->dbdma), NULL); object_initialize(&s->escc, sizeof(s->escc), TYPE_ESCC); - qdev_prop_set_uint32(DEVICE(&s->escc), "disabled", 0); - qdev_prop_set_uint32(DEVICE(&s->escc), "frequency", ESCC_CLOCK); - qdev_prop_set_uint32(DEVICE(&s->escc), "it_shift", 4); - qdev_prop_set_chr(DEVICE(&s->escc), "chrA", serial_hds[0]); - qdev_prop_set_chr(DEVICE(&s->escc), "chrB", serial_hds[1]); - qdev_prop_set_uint32(DEVICE(&s->escc), "chnBtype", escc_serial); - qdev_prop_set_uint32(DEVICE(&s->escc), "chnAtype", escc_serial); qdev_set_parent_bus(DEVICE(&s->escc), sysbus_get_default()); object_property_add_child(obj, "escc", OBJECT(&s->escc), NULL); } From efb7db250adad82c4bb302f0a80e4ae0c641f0d6 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Tue, 20 Mar 2018 13:01:18 +1100 Subject: [PATCH 3/7] target/ppc: Fix backwards migration of msr_mask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 21b786f "PowerPC: Add TS bits into msr_mask" added the transaction states to msr_mask for recent POWER CPUs to allow correct migration of machines that are in certain interim transactional memory states. This was correct, but unfortunately breaks backwards of pseries-2.7 and earlier machine types which (stupidly) transferred the msr_mask in the migration stream and failed if it wasn't equal on each end. This works around the problem by masking out the new MSR bits in the compatibility code to send the msr_mask on old machine types. Signed-off-by: David Gibson Reviewed-by: Greg Kurz Tested-by: Greg Kurz Tested-by: Lukáš Doktor --- target/ppc/machine.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/target/ppc/machine.c b/target/ppc/machine.c index e475206c6a..0634cdb295 100644 --- a/target/ppc/machine.c +++ b/target/ppc/machine.c @@ -190,7 +190,15 @@ static int cpu_pre_save(void *opaque) /* Hacks for migration compatibility between 2.6, 2.7 & 2.8 */ if (cpu->pre_2_8_migration) { - cpu->mig_msr_mask = env->msr_mask; + /* Mask out bits that got added to msr_mask since the versions + * which stupidly included it in the migration stream. */ + target_ulong metamask = 0 +#if defined(TARGET_PPC64) + | (1ULL << MSR_TS0) + | (1ULL << MSR_TS1) +#endif + ; + cpu->mig_msr_mask = env->msr_mask & ~metamask; cpu->mig_insns_flags = env->insns_flags & insns_compat_mask; cpu->mig_insns_flags2 = env->insns_flags2 & insns_compat_mask2; cpu->mig_nb_BATs = env->nb_BATs; From 127f03e4426a7a8c5c63e277e0cdd88af80d0c8f Mon Sep 17 00:00:00 2001 From: Alexey Kardashevskiy Date: Thu, 5 Apr 2018 12:07:38 +1000 Subject: [PATCH 4/7] spapr: Initialize reserved areas list in FDT in H_CAS handler At the moment the device tree produced by the H_CAS handler has no reserved map initialized at all which is not correct as at least one empty record is required to be present as a marker of the end. This does not cause problems now as the only consumer is SLOF which does not look at the reserved map area. However when DTC's "Improve libfdt's memory safety" changeset hits the QEMU upstream, there will be errors reported and crashes observed. This fixes the problem by adding an empty entry to the reserved map, just like create_device_tree() does already. Signed-off-by: Alexey Kardashevskiy Signed-off-by: David Gibson --- hw/ppc/spapr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 2c0be8c898..a81570e7c8 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -865,6 +865,7 @@ int spapr_h_cas_compose_response(sPAPRMachineState *spapr, /* Create skeleton */ fdt_skel = g_malloc0(size); _FDT((fdt_create(fdt_skel, size))); + _FDT((fdt_finish_reservemap(fdt_skel))); _FDT((fdt_begin_node(fdt_skel, ""))); _FDT((fdt_end_node(fdt_skel))); _FDT((fdt_finish(fdt_skel))); From 99b336cdd906ba467a5fa0a1c4face3a9bde8d77 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Wed, 14 Mar 2018 05:28:55 +0100 Subject: [PATCH 5/7] tests/boot-serial: Test the sam460ex board We've got a U-Boot firmware for this board in our repository, and the firmware prints some output to the serial console, so we can check this board in the boot-serial tester, too. Signed-off-by: Thomas Huth Signed-off-by: David Gibson --- tests/boot-serial-test.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/boot-serial-test.c b/tests/boot-serial-test.c index 5b24cd26c1..011525d8cf 100644 --- a/tests/boot-serial-test.c +++ b/tests/boot-serial-test.c @@ -79,12 +79,14 @@ static testdef_t tests[] = { { "ppc", "40p", "-boot d", "Booting from device d" }, { "ppc", "g3beige", "", "PowerPC,750" }, { "ppc", "mac99", "", "PowerPC,G4" }, + { "ppc", "sam460ex", "-m 256", "DRAM: 256 MiB" }, { "ppc64", "ppce500", "", "U-Boot" }, { "ppc64", "prep", "-boot e", "Booting from device e" }, { "ppc64", "40p", "-m 192", "Memory size: 192 MB" }, { "ppc64", "mac99", "", "PowerPC,970FX" }, { "ppc64", "pseries", "", "Open Firmware" }, { "ppc64", "powernv", "-cpu POWER8", "OPAL" }, + { "ppc64", "sam460ex", "-device e1000", "8086 100e" }, { "i386", "isapc", "-cpu qemu32 -device sga", "SGABIOS" }, { "i386", "pc", "-device sga", "SGABIOS" }, { "i386", "q35", "-device sga", "SGABIOS" }, From f8815532dcf145dfde8da42697556239bb95c849 Mon Sep 17 00:00:00 2001 From: BALATON Zoltan Date: Fri, 6 Apr 2018 00:42:48 +0200 Subject: [PATCH 6/7] sam460ex: Fix timer frequency and clock multipliers We only emulate timer running at CPU frequency which is what most guests expect so set the frequency to match real hardware. This also allows setting clock multipliers which caused slowdown previously due to wrong timer frequency. Signed-off-by: BALATON Zoltan Signed-off-by: David Gibson --- hw/ppc/ppc440_uc.c | 3 +-- hw/ppc/sam460ex.c | 7 ++++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/hw/ppc/ppc440_uc.c b/hw/ppc/ppc440_uc.c index 976ab2b5d8..e312fdba70 100644 --- a/hw/ppc/ppc440_uc.c +++ b/hw/ppc/ppc440_uc.c @@ -392,8 +392,7 @@ static uint32_t dcr_read_sdr(void *opaque, int dcrn) case SDR0_CFGDATA: switch (sdr->addr) { case SDR0_STRP0: - /* FIXME: Is this correct? This breaks timing in U-Boot */ - ret = 0; /*(0xb5 << 8) | (1 << 4) | 9 */ + ret = (0xb5 << 8) | (1 << 4) | 9; break; case SDR0_STRP1: ret = (5 << 29) | (2 << 26) | (1 << 24); diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c index 70b8e76d9c..dfff262f96 100644 --- a/hw/ppc/sam460ex.c +++ b/hw/ppc/sam460ex.c @@ -67,6 +67,7 @@ IRQ12 = SM502_INT */ +#define CPU_FREQ 1150000000 #define SDRAM_NR_BANKS 4 /* FIXME: See u-boot.git 8ac41e, also fix in ppc440_uc.c */ @@ -253,8 +254,8 @@ static int sam460ex_load_device_tree(hwaddr addr, char *filename; int fdt_size; void *fdt; - uint32_t tb_freq = 50000000; - uint32_t clock_freq = 50000000; + uint32_t tb_freq = CPU_FREQ; + uint32_t clock_freq = CPU_FREQ; filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, BINARY_DEVICE_TREE_FILE); if (!filename) { @@ -416,7 +417,7 @@ static void sam460ex_init(MachineState *machine) boot_info = g_malloc0(sizeof(*boot_info)); env->load_info = boot_info; - ppc_booke_timers_init(cpu, 50000000, 0); + ppc_booke_timers_init(cpu, CPU_FREQ, 0); ppc_dcr_init(env, NULL, NULL); /* PLB arbitrer */ From 6b3913e0858488ef3358c1683605d6894a6cadb0 Mon Sep 17 00:00:00 2001 From: BALATON Zoltan Date: Sun, 8 Apr 2018 12:31:24 +0200 Subject: [PATCH 7/7] roms/u-boot-sam460ex: Change to qemu git mirror and update Now that we have a mirror of this repo on git.qemu.org change the submodule to use that and update it to latest commit which fixes a dangling symlink and removes two big binaries that are not needed. Signed-off-by: BALATON Zoltan Signed-off-by: David Gibson --- .gitmodules | 2 +- roms/u-boot-sam460ex | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index c613722e3c..49e9c2e3f4 100644 --- a/.gitmodules +++ b/.gitmodules @@ -45,4 +45,4 @@ url = git://github.com/hdeller/seabios-hppa.git [submodule "roms/u-boot-sam460ex"] path = roms/u-boot-sam460ex - url = git://github.com/zbalaton/u-boot-sam460ex + url = git://git.qemu.org/u-boot-sam460ex.git diff --git a/roms/u-boot-sam460ex b/roms/u-boot-sam460ex index 119aa277f7..8ee007c421 160000 --- a/roms/u-boot-sam460ex +++ b/roms/u-boot-sam460ex @@ -1 +1 @@ -Subproject commit 119aa277f74a4a2d3f7ab6c9471292308eba14e4 +Subproject commit 8ee007c4216fd6a0d760589e8405ce4494497aa0