The current code compare i (int) with req->count (uint32_t) in a for
loop, risking an infinite loop if req->count is equal to UINT_MAX.
Also i is only used in comparisons or multiplications with unsigned
integers.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Dongxiao Xu <dongxiao.xu@intel.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Replace a lot of formulaic multiplications (containing casts, no less)
with calls to a pair of functions. This encapsulates in a single
place the operations which require care relating to integer overflow.
Cc: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
This patch corresponds to commit
840184a106bc24e745beda5c77e392f6cecd2bc9 from
git://xenbits.xensource.com/qemu-xen-unstable.git.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Refactor common code around calls to cpu_restore_state().
tb_find_pc() has now no external users, make it static.
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
* 'ppc-for-upstream' of git://repo.or.cz/qemu/agraf: (40 commits)
pseries: Increase default NVRAM size
target-ppc: Don't use hwaddr to represent hardware state
PPC: e500: pci: Export slot2irq calculation
PPC: E500plat: Make a lot of PCI slots available
PPC: E500: Move PCI slot information into params
PPC: E500: Generate dt pci irq map dynamically
PPC: E500: PCI: Make IRQ calculation more generic
PPC: E500: PCI: Make first slot qdev settable
openpic: Accelerate pending irq search
openpic: fix minor coding style issues
MSI-X: Fix endianness
PPC: e500: Declare pci bridge as bridge
PPC: e500: Add MSI support
openpic: add Shared MSI support
openpic: make brr1 model specific
openpic: convert to qdev
openpic: remove irq_out
openpic: rename openpic_t to OpenPICState
openpic: convert simple reg operations to builtin bitops
openpic: remove unused type variable
...
With MMU option xtensa architecture has two TLBs: ITLB and DTLB. ITLB is
only used for code access, DTLB is only for data. However TLB entries in
both TLBs have attribute field controlling write and exec access. These
bits need to be properly masked off depending on TLB type before being
used as tlb_set_page prot argument. Otherwise the following happens:
(1) ITLB entry for some PFN gets invalidated
(2) DTLB entry for the same PFN gets updated, attributes allow code
execution
(3) code at the page with that PFN is executed (possible due to step 2),
entry for the TB is written into the jump cache
(4) QEMU TLB entry for the PFN gets replaced with an entry for some
other PFN
(5) code in the TB from step 3 is executed (possible due to jump cache)
and it accesses data, for which there's no DTLB entry, causing DTLB
miss exception
(6) re-translation of the TB from step 5 is attempted, but there's no
QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB
miss exception at the TB start address
(7) ITLB miss exception is handled by the guest, but execution is
resumed from the beginning of the faulting TB (the point where ITLB
miss occured), not from the point where DTLB miss occured, which is
wrong.
With that fix the above scenario causes ITLB miss exception (that used
to be step 7) at step 3, right at the beginning of the TB.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
This patch adds an x argument to qemu_pixman_linebuf_fill so it can
also be used to convert a partial scanline. Then fix tight + png/jpeg
encoding by passing in the x+y offset, so the data is read from the
correct screen location instead of the upper left corner.
Cc: 1087974@bugs.launchpad.net
Cc: qemu-stable@nongnu.org
Reported-by: Tim Hardeneck <thardeck@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Some w64 fixes by Stefan Weil found their way into 0.28.2,
so update the internal copy to that version to improve
windows support.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
This reverts commit 288fa40736.
The only reason old pixman versions didn't work was the missing
PIXMAN_TYPE_BGRA, which is properly #ifdef'ed now. So we don't
have to require a minimum pixman version.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
If no image file for NVRAM is specified, the pseries machine currently
creates a 16K non-persistent NVRAM by default. This basically works, but
is not large enough for current firmware and guest kernels to create all
the NVRAM partitions they would like to. Increasing the default size to
64K addresses this and stops the guest generating error messages.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
The hwaddr type is somewhat vaguely defined as being able to contain bus
addresses on the widest possible bus in the system. For that reason it's
discouraged for representing specific pieces of persistent hardware state,
which should instead use an explicit width type that matches the bits
available in real hardware. In particular, because of the possibility that
the size of hwaddr might change if different buses are added to the target
in future, it's not suitable for use in vm state descriptions for savevm
and migration.
This patch purges such unwise uses of hwaddr from the ppc target code,
which turns out to be just one. The ppcemb_tlb_t struct, used on a number
of embedded ppc models to represent a TLB entry contains a hwaddr for the
real address field. This patch changes it to be a fixed uint64_t which is
suitable enough for all machine types which use this structure.
Other uses of hwaddr in CPUPPCState turn out not to be problematic:
htab_base and htab_mask are just used for the convenience of the TCG code;
the underlying machine state is the SDR1 register, which is stored with
a suitable type already. Likewise the mpic_cpu_base field is only used
internally and does not represent fundamental hardware state which needs to
be saved.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
We need the calculation method to get from a PCI slot ID to its respective
interrupt line twice. Once in the internal map function and once when
assembling the device tree.
So let's extract the calculation to a separate function that can be called
by both users.
Signed-off-by: Alexander Graf <agraf@suse.de>
The ppce500 machine doesn't have to stick to hardware limitations,
as it's defined as being fully device tree based.
Thus we can change the initial PCI slot ID to 0x1 which gives us a
whopping 31 PCI devices we can support with this machine now!
Signed-off-by: Alexander Graf <agraf@suse.de>
We have a params struct that allows us to expose differences between
e500 machine models. Include PCI slot information there, so we can have
different machines with different PCI slot topology.
Signed-off-by: Alexander Graf <agraf@suse.de>
Today we're hardcoding the PCI interrupt map in the e500 machine file.
Instead, let's write it dynamically so that different machine types
can have different slot properties.
Signed-off-by: Alexander Graf <agraf@suse.de>
The IRQ line calculation is more or less hardcoded today. Instead, let's
write it as an algorithmic function that theoretically allows an arbitrary
number of PCI slots.
Signed-off-by: Alexander Graf <agraf@suse.de>
Today the first slot id in our e500 pci implementation is hardcoded to
0x11. Keep it there as default, but allow users to change the default to
a different id.
Signed-off-by: Alexander Graf <agraf@suse.de>
When we're done with one interrupt, we need to search for the next pending
interrupt in the queue. This search has grown quite big now that we have
more than 256 possible irq lines.
So let's memorize how many interrupts we have pending in our bitmaps, so
that we can always bail out in the usual case - the one where we're all done.
Signed-off-by: Alexander Graf <agraf@suse.de>
The MSI-X vector tables are usually stored in little endian in memory,
so let's mark the accessors as such.
This fixes MSI-X on e500 for me.
Signed-off-by: Alexander Graf <agraf@suse.de>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Now that our interrupt controller supports MSIs, let's expose that feature
to the guest through the device tree!
Signed-off-by: Alexander Graf <agraf@suse.de>
The OpenPIC allows MSI access through shared MSI registers. Implement
them for the MPC8544 MPIC, so we can support MSIs.
Signed-off-by: Alexander Graf <agraf@suse.de>
Now that we can properly distinguish between openpic model differences,
let's move brr1 out of the raven code path.
Signed-off-by: Alexander Graf <agraf@suse.de>
This patch converts the OpenPIC device to qdev. Along the way it
renames the "openpic" target to "raven" and the "mpic" target to
"fsl_mpic_20", to better reflect the actual models they implement.
This way we have a generic OpenPIC device now that can handle
different flavors of the OpenPIC specification.
Signed-off-by: Alexander Graf <agraf@suse.de>
The current openpic emulation contains half-ready code for bypass mode.
Remove it, so that when someone wants to finish it they can start from a
clean state.
Signed-off-by: Alexander Graf <agraf@suse.de>
The openpic code has its own bitmap code to access bits inside of a
bitmap. However, that is overkill when we simply want to check for a
bit inside of a uint32_t.
So instead, let's use normal bit masks and C builtin shifts and ands.
Signed-off-by: Alexander Graf <agraf@suse.de>
The openpic source irqs are carrying around a type indicator that
is never accessed by anything. Remove it.
Signed-off-by: Alexander Graf <agraf@suse.de>
The only difference between the "openpic" and "mpic" memory api subregion
descriptors is the endianness. Unify them as openpic accessors with explicit
endianness markers in their names.
Signed-off-by: Alexander Graf <agraf@suse.de>
The openpic and mpic reset handlers are almost identical. Combine
them and extract the differences into state variables.
Signed-off-by: Alexander Graf <agraf@suse.de>
The IRQ raise mechanisms of the OpenPIC and MPIC controllers is identical,
just that the MPIC one can also raise critical interrupts.
Combine those two and check for critical raise capability during runtime.
Signed-off-by: Alexander Graf <agraf@suse.de>
The "openpic" controller is currently using one big region and does
subregion dispatching manually. Move this to the memory api.
Signed-off-by: Alexander Graf <agraf@suse.de>
The MPIC source irq handler suddenly became identical to the standard
OpenPIC source irq handler. Combine them into the same function.
Signed-off-by: Alexander Graf <agraf@suse.de>
The openpic code was still using the old mmio memory api. Convert it to
be a generic memory api user and clean up some code that becomes redundant
that way.
Signed-off-by: Alexander Graf <agraf@suse.de>
MPIC interrupt numbers in Linux (device tree) and in QEMU are different,
because QEMU takes the sparseness of the IRQ number space into account.
Remove that cleverness and instead assume a flat number space. This makes
the code easier to understand, because we are actually aligned with Linux
on the view of our worlds.
Signed-off-by: Alexander Graf <agraf@suse.de>
The openpic code had a few WIP bits left that nobody reanimated within
the last few years. Remove that code.
Signed-off-by: Alexander Graf <agraf@suse.de>
Acked-by: Hervé Poussineau <hpoussin@reactos.org>
The PAPR specification requires that every bus or device mediated by the
IOMMU have a unique Logical IO Bus Number (LIOBN). This patch adds a check
to enforce this, which will help catch errors in configuration earlier.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
PCI Root complex have TYPE-1 configuration header while PCI endpoint
have type-0 configuration header. The type-1 configuration header have
a BAR (BAR0). In Freescale PCI controller BAR0 is used for mapping pci
address space to CCSR address space. This can used for 2 purposes: 1)
for MSI interrupt generation 2) Allow CCSR registers access when configured
as PCI endpoint, which I am not sure is a use case with QEMU-KVM guest.
What I observed is that when guest read the size of BAR0 of host controller
configuration header (TYPE1 header) then it always reads it as 0. When
looking into the QEMU hw/ppce500_pci.c, I do not find the PCI controller
device registering BAR0. I do not find any other controller also doing so
may they do not use BAR0.
There are two issues when BAR0 is not there (which I can think of):
1) There should be BAR0 emulated for PCI Root complex (TYPE1 header) and
when reading the size of BAR0, it should give size as per real h/w.
2) Do we need this BAR0 inbound address translation?
When BAR0 is of non-zero size then it will be configured for PCI
address space to local address(CCSR) space translation on inbound access.
The primary use case is for MSI interrupt generation. The device is
configured with an address offsets in PCI address space, which will be
translated to MSI interrupt generation MPIC registers. Currently I do
not understand the MSI interrupt generation mechanism in QEMU and also
IIRC we do not use QEMU MSI interrupt mechanism on e500 guest machines.
But this BAR0 will be used when using MSI on e500.
I can see one more issue, There are ATMUs emulated in hw/ppce500_pci.c,
but i do not see these being used for address translation.
So far that works because pci address space and local address space are 1:1
mapped. BAR0 inbound translation + ATMU translation will complete the address
translation of inbound traffic.
Signed-off-by: Bharat Bhushan <bharat.bhushan@freescale.com>
[agraf: fix double variable assignment w/o read]
Signed-off-by: Alexander Graf <agraf@suse.de>
All devices are also placed under CCSR memory region.
The CCSR memory region is exported to pci device. The MSI interrupt
generation is the main reason to export the CCSR region to PCI device.
This put the requirement to move mpic under CCSR region, but logically
all devices should be under CCSR. So this patch places all emulated
devices under ccsr region.
Signed-off-by: Bharat Bhushan <bharat.bhushan@freescale.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Now that we have implemented PAPR compatible NVRAM interfaces in qemu, this
updates the SLOF firmware to actually initialize and use the NVRAM as a
PAPR guest firmware is expected to do.
This SLOF update also includes an ugly but useful workaround for a bug in
the SLES11 installer which caused it to fail under KVM.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
The PAPR specification requires a certain amount of NVRAM, accessed via
RTAS, which we don't currently implement in qemu. This patch addresses
this deficiency, implementing the NVRAM as a VIO device, with some glue to
instantiate it automatically based on a machine option.
The machine option specifies a drive id, which is used to back the NVRAM,
making it persistent. If nothing is specified, the driver instead simply
allocates space for the NVRAM, which will not be persistent
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>