Commit Graph

20154 Commits

Author SHA1 Message Date
Peter Maydell
30d9fefe1a input: switch devices to keycodemapdb, bugfixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJabvYEAAoJEEy22O7T6HE4uP0P/1X7LUon/S2EaxS34wZ7n4FQ
 fwLRUBwxGG6hcdqpO+4AJdrM/XCJa+h/ffVrJ2f39xSMzi1WU2E3FfcZNeBAR9s+
 +2RM4bepO5qAUTdsWYPGRJskLk6OfMt2IYSSldXHxzc1h513UoVpvCaY/xHpdm0a
 8Bd3q0OJGYVpu2uilUCjYxxujrhJ2qsa6R9gmYjnnEQNds3nD2an/1jCOZMAWvTC
 Ef9XdXBCgwGHjpNj2XA0OfR0ZwRgDJFMrImOuSqPBhPl6VL9HGvZp6LoK0tD2QYe
 u67mVQgGGdwlTEk+dCEnpR+exxMTzBGUO4/JW+4eMJdyJMxUfUkoJ9XL9Z3JIwpr
 L9DrjbW8tfxh3qI3ImP7uGa2xluZD3UGHWb7GIzthn5+aYkGQdRuO+kJFeD0jueW
 hRBzzyerLzAj3G/O0fV1ErH/Vk0vthALMQikgqxvdsmoLG8CNKlCUtc2OAsSiEMX
 SBcY2JO9eRy3uGLRmSIfOkNqTYVaJnkIS/513cfu+grntNIBkK/qSIaVXxoQpPbu
 cN+oRX5Jz6LWADhi35j+8he3pw8CqFw05t7Db9SF7aD+aJWVMCx2c2h/qgpL1sNn
 95BPJYA+7qoBaJSLDAvpl1tuvIDfYmvIV+yMefZjerhjTxZn8Zs4d67bENaXCOOo
 +Aq44LgjUgCYOWJvYGr8
 =FnNY
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/input-20180129-v2-pull-request' into staging

input: switch devices to keycodemapdb, bugfixes.

# gpg: Signature made Mon 29 Jan 2018 10:23:00 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/input-20180129-v2-pull-request:
  hw: convert virtio-input-hid device to keycodemapdb
  ui: fix alphabetical ordering of keymaps
  hw: convert the escc device to keycodemapdb
  hw: convert ps2 device to keycodemapdb
  ps2: check PS2Queue pointers in post_load routine
  input: virtio: don't send mouse wheel event twice
  input: add mouse side buttons to virtio input

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-29 15:52:27 +00:00
Daniel P. Berrange
ae6b06ab65 hw: convert virtio-input-hid device to keycodemapdb
Replace the keymap_qcode table with automatically generated
tables.

Missing entries in keymap_qcode now fixed:

  Q_KEY_CODE_ASTERISK -> KEY_KPASTERISK
  Q_KEY_CODE_KP_MULTIPLY -> KEY_KPASTERISK
  Q_KEY_CODE_STOP -> KEY_STOP
  Q_KEY_CODE_AGAIN -> KEY_AGAIN
  Q_KEY_CODE_PROPS -> KEY_PROPS
  Q_KEY_CODE_UNDO -> KEY_UNDO
  Q_KEY_CODE_FRONT -> KEY_FRONT
  Q_KEY_CODE_COPY -> KEY_COPY
  Q_KEY_CODE_OPEN -> KEY_OPEN
  Q_KEY_CODE_PASTE -> KEY_PASTE
  Q_KEY_CODE_FIND -> KEY_FIND
  Q_KEY_CODE_CUT -> KEY_CUT
  Q_KEY_CODE_LF -> KEY_LINEFEED
  Q_KEY_CODE_HELP -> KEY_HELP
  Q_KEY_CODE_COMPOSE -> KEY_COMPOSE
  Q_KEY_CODE_RO -> KEY_RO
  Q_KEY_CODE_HIRAGANA -> KEY_HIRAGANA
  Q_KEY_CODE_HENKAN -> KEY_HENKAN
  Q_KEY_CODE_YEN -> KEY_YEN
  Q_KEY_CODE_KP_COMMA -> KEY_KPCOMMA
  Q_KEY_CODE_KP_EQUALS -> KEY_KPEQUAL
  Q_KEY_CODE_POWER -> KEY_POWER
  Q_KEY_CODE_SLEEP -> KEY_SLEEP
  Q_KEY_CODE_WAKE -> KEY_WAKEUP
  Q_KEY_CODE_AUDIONEXT -> KEY_NEXTSONG
  Q_KEY_CODE_AUDIOPREV -> KEY_PREVIOUSSONG
  Q_KEY_CODE_AUDIOSTOP -> KEY_STOPCD
  Q_KEY_CODE_AUDIOPLAY -> KEY_PLAYPAUSE
  Q_KEY_CODE_AUDIOMUTE -> KEY_MUTE
  Q_KEY_CODE_VOLUMEUP -> KEY_VOLUMEUP
  Q_KEY_CODE_VOLUMEDOWN -> KEY_VOLUMEDOWN
  Q_KEY_CODE_MEDIASELECT -> KEY_MEDIA
  Q_KEY_CODE_MAIL -> KEY_MAIL
  Q_KEY_CODE_CALCULATOR -> KEY_CALC
  Q_KEY_CODE_COMPUTER -> KEY_COMPUTER
  Q_KEY_CODE_AC_HOME -> KEY_HOMEPAGE
  Q_KEY_CODE_AC_BACK -> KEY_BACK
  Q_KEY_CODE_AC_FORWARD -> KEY_FORWARD
  Q_KEY_CODE_AC_REFRESH -> KEY_REFRESH
  Q_KEY_CODE_AC_BOOKMARKS -> KEY_BOOKMARKS

NB, the virtio-input device reports a bitmask to the guest driver that
has a bit set for each Linux keycode that the host is able to send to
the guest.

Thus by adding these extra key mappings we are technically changing the
host<->guest ABI. This would also happen any time we defined new mappings
for QEMU keycodes in future.

When a keycode is removed from the list of possible keycodes that host can
send to the guest, it means that the guest OS will think it is possible
to receive a key that in pratice can never be generated, which is harmless.

When a keycode is added to the list of possible keycodes that the host can
send to the guest, it means that the guest OS can see an unexpected event.
The Linux virtio_input.c driver code simply forwards this event to the
input_event() method in the Linux input subsystem. This in turn calls
input_handle_event(), which then calls input_get_disposition(). This method
checks if the input event is present in the permitted keys bitmap, and if
not returns INPUT_IGNORE_EVENT. Thus the unexpected event will get dropped,
which is harmless.

If the guest OS reboots, or otherwise re-initializes the virt-input device,
it will read the new keycode bitmap. No matter how many keys are defined,
the config space has a fixed 128 byte bitmap. There is, however, a size
field defiend which says how many bytes in the bitmap are used. So the guest
OS reads the size of the bitmap, and then it reads the data from bitmap upto
the designated size. So if the guest OS re-initializes at precisely the time
that QEMU is migrated across versions, in the worst case, it could conceivably
read the old size field, but then get the newly updated bitmap.  If a key were
added this is harmless, since it simply means it may not process the newly
added key. If a key were removed, then it could be readnig a byte from the
bitmap that was not initialized. Fortunately QEMU always memsets() the entire
bitmap to 0, prior to setting keybits. Thus the guest OS will simply read
zeros, which is again harmless.

Based on this analysis, it is believed that there is no need to preserve the
virtio-input-hid keymaps across migration, as the host<->guest ABI change is
harmless and self-resolving at time of guest reboot.

NB, this behaviour should perhaps be formalized in the virtio-input spec
to declare how guest OS drivers should be written to be robust in their
handling of the potentially changable key bitmaps.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-5-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:35:44 +01:00
Daniel P. Berrange
e709a61a8f hw: convert the escc device to keycodemapdb
Replace the qcode_to_keycode table with automatically
generated tables.

Missing entries in qcode_to_keycode now fixed:

 - Q_KEY_CODE_KP_COMMA -> 0x2d

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:30:25 +01:00
Daniel P. Berrange
ab8f9d49d6 hw: convert ps2 device to keycodemapdb
Replace the qcode_to_keycode_set1, qcode_to_keycode_set2,
and qcode_to_keycode_set3 tables with automatically
generated tables.

Missing entries in qcode_to_keycode_set1 now fixed:

 - Q_KEY_CODE_SYSRQ -> 0x54
 - Q_KEY_CODE_PRINT -> 0x54 (NB ignored due to special case)
 - Q_KEY_CODE_AGAIN -> 0xe005
 - Q_KEY_CODE_PROPS -> 0xe006
 - Q_KEY_CODE_UNDO -> 0xe007
 - Q_KEY_CODE_FRONT -> 0xe00c
 - Q_KEY_CODE_COPY -> 0xe078
 - Q_KEY_CODE_OPEN -> 0x64
 - Q_KEY_CODE_PASTE -> 0x65
 - Q_KEY_CODE_CUT -> 0xe03c
 - Q_KEY_CODE_LF -> 0x5b
 - Q_KEY_CODE_HELP -> 0xe075
 - Q_KEY_CODE_COMPOSE -> 0xe05d
 - Q_KEY_CODE_PAUSE -> 0xe046
 - Q_KEY_CODE_KP_EQUALS -> 0x59

And some mistakes corrected:

 - Q_KEY_CODE_HIRAGANA was mapped to 0x70 (Katakanahiragana)
   instead of of 0x77 (Hirigana)
 - Q_KEY_CODE_MENU was incorrectly mapped to the compose
   scancode (0xe05d) and is now mapped to 0xe01e
 - Q_KEY_CODE_FIND was mapped to 0xe065 (Search) instead
   of to 0xe041 (Find)
 - Q_KEY_CODE_POWER, SLEEP & WAKE had 0x0e instead of 0xe0
   as the prefix

Missing entries in qcode_to_keycode_set2 now fixed:

 - Q_KEY_CODE_PRINT -> 0x7f (NB ignored due to special case)
 - Q_KEY_CODE_COMPOSE -> 0xe02f
 - Q_KEY_CODE_PAUSE -> 0xe077
 - Q_KEY_CODE_KP_EQUALS -> 0x0f

And some mistakes corrected:

 - Q_KEY_CODE_HIRAGANA was mapped to 0x13 (Katakanahiragana)
   instead of of 0x62 (Hirigana)
 - Q_KEY_CODE_MENU was incorrectly mapped to the compose
   scancode (0xe02f) and is now not mapped
 - Q_KEY_CODE_FIND was mapped to 0xe010 (Search) and is now
   not mapped.
 - Q_KEY_CODE_POWER, SLEEP & WAKE had 0x0e instead of 0xe0
   as the prefix

Missing entries in qcode_to_keycode_set3 now fixed:

 - Q_KEY_CODE_ASTERISK -> 0x7e
 - Q_KEY_CODE_SYSRQ -> 0x57
 - Q_KEY_CODE_LESS -> 0x13
 - Q_KEY_CODE_STOP -> 0x0a
 - Q_KEY_CODE_AGAIN -> 0x0b
 - Q_KEY_CODE_PROPS -> 0x0c
 - Q_KEY_CODE_UNDO -> 0x10
 - Q_KEY_CODE_COPY -> 0x18
 - Q_KEY_CODE_OPEN -> 0x20
 - Q_KEY_CODE_PASTE -> 0x28
 - Q_KEY_CODE_FIND -> 0x30
 - Q_KEY_CODE_CUT -> 0x38
 - Q_KEY_CODE_HELP -> 0x09
 - Q_KEY_CODE_COMPOSE -> 0x8d
 - Q_KEY_CODE_AUDIONEXT -> 0x93
 - Q_KEY_CODE_AUDIOPREV -> 0x94
 - Q_KEY_CODE_AUDIOSTOP -> 0x98
 - Q_KEY_CODE_AUDIOMUTE -> 0x9c
 - Q_KEY_CODE_VOLUMEUP -> 0x95
 - Q_KEY_CODE_VOLUMEDOWN -> 0x9d
 - Q_KEY_CODE_CALCULATOR -> 0xa3
 - Q_KEY_CODE_AC_HOME -> 0x97

And some mistakes corrected:

 - Q_KEY_CODE_MENU was incorrectly mapped to the compose
   scancode (0x8d) and is now 0x91

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:30:25 +01:00
Prasad J Pandit
802cbcb730 ps2: check PS2Queue pointers in post_load routine
During Qemu guest migration, a destination process invokes ps2
post_load function. In that, if 'rptr' and 'count' values were
invalid, it could lead to OOB access or infinite loop issue.
Add check to avoid it.

Reported-by: Cyrille Chatras <cyrille.chatras@orange.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20171116075155.22378-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:30:25 +01:00
Miika S
a5f99be41e input: virtio: don't send mouse wheel event twice
On Linux, a mouse event is generated for both down and up when mouse
wheel is used. This caused virtio_input_send() to be called twice each
time the wheel was used.

This commit adds a check for the button down state and only calls
virtio_input_send() when it is true.

Signed-off-by: Miika S <miika9764@gmail.com>
Message-Id: <20171222152531.1849-4-miika9764@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:30:25 +01:00
Miika S
2416760fa6 input: add mouse side buttons to virtio input
Signed-off-by: Miika S <miika9764@gmail.com>
Message-Id: <20171222152531.1849-3-miika9764@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-29 09:30:25 +01:00
Suraj Jitindar Singh
c59704b254 target/ppc/spapr: Add H-Call H_GET_CPU_CHARACTERISTICS
The new H-Call H_GET_CPU_CHARACTERISTICS is used by the guest to query
behaviours and available characteristics of the cpu.

Implement the handler for this new H-Call which formulates its response
based on the setting of the spapr_caps cap-cfpc, cap-sbbc and cap-ibs.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:55 +11:00
Suraj Jitindar Singh
4be8d4e7d9 target/ppc/spapr_caps: Add new tristate cap safe_indirect_branch
Add new tristate cap cap-ibs to represent the indirect branch
serialisation capability.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:55 +11:00
Suraj Jitindar Singh
09114fd817 target/ppc/spapr_caps: Add new tristate cap safe_bounds_check
Add new tristate cap cap-sbbc to represent the speculation barrier
bounds checking capability.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:55 +11:00
Suraj Jitindar Singh
8f38eaf8f9 target/ppc/spapr_caps: Add new tristate cap safe_cache
Add new tristate cap cap-cfpc to represent the cache flush on privilege
change capability.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:55 +11:00
Suraj Jitindar Singh
6898aed77f target/ppc/spapr_caps: Add support for tristate spapr_capabilities
spapr_caps are used to represent the level of support for various
capabilities related to the spapr machine type. Currently there is
only support for boolean capabilities.

Add support for tristate capabilities by implementing their get/set
functions. These capabilities can have the values 0, 1 or 2
corresponding to broken, workaround and fixed.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:55 +11:00
Greg Kurz
9cbe305b60 spapr_pci: fix MSI/MSIX selection
In various place we don't correctly check if the device supports MSI or
MSI-X. This can cause devices to be advertised with MSI support, even
if they only support MSI-X (like virtio-pci-* devices for example):

                ethernet@0 {
                        ibm,req#msi = <0x1>; <--- wrong!
			.
			ibm,loc-code = "qemu_virtio-net-pci:0000:00:00.0";
			.
			ibm,req#msi-x = <0x3>;
                };

Worse, this can also cause the "ibm,change-msi" RTAS call to corrupt the
PCI status and cause migration to fail:

  qemu-system-ppc64: get_pci_config_device: Bad config data: i=0x6
    read: 0 device: 10 cmask: 10 wmask: 0 w1cmask:0
                              ^^
           PCI_STATUS_CAP_LIST bit which is assumed to be constant

This patch changes spapr_populate_pci_child_dt() to properly check for
MSI support using msi_present(): this ensures that PCIDevice::msi_cap
was set by msi_init() and that msi_nr_vectors_allocated() will look at
the right place in the config space.

Checking PCIDevice::msix_entries_nr is enough for MSI-X but let's add
a call to msix_present() there as well for consistency.

It also changes rtas_ibm_change_msi() to select the appropriate MSI
type in Function 1 instead of always selecting plain MSI. This new
behaviour is compliant with LoPAPR 1.1, as described in "Table 71.
ibm,change-msi Argument Call Buffer":

  Function 1: If Number Outputs is equal to 3, request to set to a new
           number of MSIs (including set to 0).
           If the “ibm,change-msix-capable” property exists and Number
           Outputs is equal to 4, request is to set to a new number of
           MSI or MSI-X (platform choice) interrupts (including set to
           0).

Since MSI is the the platform default (LoPAPR 6.2.3 MSI Option), let's
check for MSI support first.

And finally, it checks the input parameters are valid, as described in
LoPAPR 1.1 "R1–7.3.10.5.1–3":

  For the MSI option: The platform must return a Status of -3 (Parameter
  error) from ibm,change-msi, with no change in interrupt assignments if
  the PCI configuration address does not support MSI and Function 3 was
  requested (that is, the “ibm,req#msi” property must exist for the PCI
  configuration address in order to use Function 3), or does not support
  MSI-X and Function 4 is requested (that is, the “ibm,req#msi-x” property
  must exist for the PCI configuration address in order to use Function 4),
  or if neither MSIs nor MSI-Xs are supported and Function 1 is requested.

This ensures that the ret_intr_type variable contains a valid MSI type
for this device, and that spapr_msi_setmsg() won't corrupt the PCI status.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-29 14:24:41 +11:00
Mark Cave-Ayland
d0fcf3bde4 input: add missing newline from trace-events
This was accidentally omitted from 77cb0f5aaf "Split adb.c into adb.c, adb-mouse.c
and adb-kbd.c".

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-27 17:27:18 +11:00
Mark Cave-Ayland
0b0c5e90be uninorth: convert to trace-events
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-27 17:26:46 +11:00
Mark Cave-Ayland
b728fbbc27 grackle: convert to trace-events
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-27 17:25:59 +11:00
thuth@redhat.com
64b47457da ppc: Deprecate qemu-system-ppcemb
qemu-system-ppcemb has been once split of qemu-system-ppc to support
CPU page sizes < 4096 for some of the embedded 4xx PowerPC CPUs.
However, there was hardly any OS available in the wild that really
used such small page sizes (Linux uses 4096 on PPC), so there is
no known recent use case for this separate build anymore. It's
rather cumbersome to maintain a separate set of config switches for
this, and it's wasting compile and test time of all the developers
who have to build all QEMU targets to verify that their changes did
not break anything.

Except for the small CPU page sizes, qemu-system-ppc can be used as
a full replacement for qemu-system-ppcemb since it contains all the
embedded 4xx PPC boards and CPUs, too. Thus let's start the deprecation
process for qemu-system-ppcemb to see whether somebody still needs
the small page sizes or whether we could finally remove this unloved
separate build.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-27 17:25:27 +11:00
Peter Maydell
e607bbee55 Xilinx queue
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJaawAdAAoJECnFlngPa8qDvB4H/RkbG3qLNVyIj1LHQu9JA72p
 gyzs8hZ7wAzLH+JljqRYPmcHsNnkLRM6O1ukTqDKbE3+0arkp4/SmLtIuHjCiV1B
 QplONj39hVr578ZrgKQ1eIP0G285nWFeCUFC8aYFkLK6rJpYpKAu/FSFLrfel5SQ
 so4w4d/AZK9k9DkFO16d7wW+UXacyuN+mf1SVSSM0ckuu6aKOuvAf6rVEIHdp4AM
 BVI36wooFvaJZ4VCYEpm5XD5zAMRkkkhIOHzEQEiUhtLCOCg72JLD/GkhmjXoQU+
 TuEyGTAGfoIrvQqcfewsCx/pcGWievdHeT4Qh4KqC9rMCPuYrz9HXmKxJNXw54c=
 =x4JI
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/edgar/tags/edgar/xilinx-next-2018-01-26.for-upstream' into staging

Xilinx queue

# gpg: Signature made Fri 26 Jan 2018 10:17:01 GMT
# gpg:                using RSA key 0x29C596780F6BCA83
# gpg: Good signature from "Edgar E. Iglesias (Xilinx key) <edgar.iglesias@xilinx.com>"
# gpg:                 aka "Edgar E. Iglesias <edgar.iglesias@gmail.com>"
# Primary key fingerprint: AC44 FEDC 14F7 F1EB EDBF  4151 29C5 9678 0F6B CA83

* remotes/edgar/tags/edgar/xilinx-next-2018-01-26.for-upstream:
  xlnx-zynqmp: Connect the IPI device to the ZynqMP SoC
  xlnx-zynqmp-pmu: Connect the IPI device to the PMU
  xlnx-zynqmp-ipi: Initial version of the Xilinx IPI device
  xlnx-zynqmp-pmu: Connect the PMU interrupt controller
  xlnx-pmu-iomod-intc: Add the PMU Interrupt controller
  aarch64-softmmu.mak: Use an ARM specific config
  xlnx-zynqmp-pmu: Add the CPU and memory
  xlnx-zynqmp-pmu: Initial commit of the ZynqMP PMU
  microblaze: boot.c: Don't try to find NULL file

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-26 14:24:25 +00:00
Alistair Francis
0ab7bbc75b xlnx-zynqmp: Connect the IPI device to the ZynqMP SoC
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
07b30201e6 xlnx-zynqmp-pmu: Connect the IPI device to the PMU
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
b350735ef6 xlnx-zynqmp-ipi: Initial version of the Xilinx IPI device
This is the initial version of the Inter Processor Interrupt device.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
633a91b687 xlnx-zynqmp-pmu: Connect the PMU interrupt controller
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
c859b566e8 xlnx-pmu-iomod-intc: Add the PMU Interrupt controller
Add the PMU IO Module Interrupt controller device.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
07c4a51a29 aarch64-softmmu.mak: Use an ARM specific config
In preperation for having an ARM and MicroBlaze ZynqMP machine let's
split out the current ARM specific config options.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
133d23b3ad xlnx-zynqmp-pmu: Add the CPU and memory
Connect the MicroBlaze CPU and the ROM and RAM memory regions.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
4690bf4e9a xlnx-zynqmp-pmu: Initial commit of the ZynqMP PMU
The Xilinx ZynqMP SoC has two main processing systems in it. The ARM
processing system (which is already modeled in QEMU) and the MicroBlaze
Power Management Unit (PMU). This is the inital work for adding support
for the PMU.

The PMU susbsystem runs along side the ARM system on hardware, but due
to architecture limitations in QEMU the two instances are seperate for
the time being.

Let's follow the same setup we do with the ARM system, where there is an
SoC device and a ZCU102 board. Although the PMU is less board specific
we are still going to follow the same split as maybe in future we can
connect the PMU device to the ARM ZCU102 board. As the machine will be
fairly small let's keep them both together in one file.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:09 +01:00
Alistair Francis
d4c6d3600b microblaze: boot.c: Don't try to find NULL file
Previously if no device tree was passed to microblaze_load_kernel() then
qemu_find_file() would try to find a NULL pointer. To avoid this put a
check around qemu_find_file().

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2018-01-26 11:09:02 +01:00
Philippe Mathieu-Daudé
80ae865468 usb-ccid: convert CCIDCardClass::exitfn() -> unrealize()
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180125171432.13554-4-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-26 07:59:33 +01:00
Philippe Mathieu-Daudé
c7516699fc usb-ccid: inline ccid_card_initfn() in ccid_card_realize()
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180125171432.13554-3-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-26 07:59:33 +01:00
Mao Zhongyi
cc847bfd16 hw/usb/ccid: Make ccid_card_init() take an error parameter
Replace init() of CCIDCardClass with realize, then convert
ccid_card_init(), ccid_card_initfn() and it's callbacks to
take an Error** in ordor to report the error more clearly.

Signed-off-by: Mao Zhongyi <maozy.fnst@cn.fujitsu.com>
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180125171432.13554-2-f4bug@amsat.org
[PMD: fixed s->card assignation in ccid_card_realize()]
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-26 07:59:33 +01:00
Fam Zheng
395b953959 usb-storage: Fix share-rw option parsing
Because usb-storage creates an internal scsi device, we should propagate
options. We already do so for bootindex etc, but failed to take care of
share-rw. Fix it in an apparent way: add a new parameter to
scsi_bus_legacy_add_drive and pass in s->conf.share_rw.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20180117005222.4781-1-famz@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-26 07:58:34 +01:00
Thomas Huth
99761176ee usb: Remove legacy -usbdevice options (host, serial, disk and net)
The option have been marked as deprecated since QEMU 2.10, and so far
nobody complained that the host, serial, disk and net options are urgently
required anymore. So let's now get rid at least of this legacy pile, to
simplify the usb code quite a bit.

This patch removes the usbdevices host, serial, disk and net. These devices
use their own complicated parameter parsing mechanisms, so they are just
ugly to maintain, without real benefit for the users (the users can use the
corresponding "-device" parameters instead which have the same complexity
as the "-usbdevice" devices here).

Note that the other rather simple -usbdevice options (mouse, tablet, etc.)
are not removed yet (the code is really simple here, so it does not hurt
much to keep it), as well as the two devices "braille" and "bt" which are
easier to use with -usbdevice than with -device.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1515519171-20315-1-git-send-email-thuth@redhat.com

[kraxel] delete some usb_host_device_open() leftovers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-26 07:15:08 +01:00
Peter Maydell
2077fef91d target-arm queue:
* target/arm: Fix address truncation in 64-bit pagetable walks
  * i.MX: Fix FEC/ENET receive functions
  * target/arm: preparatory refactoring for SVE emulation
  * hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
  * hw/intc/arm_gic: Fix C_RPR value on idle priority
  * hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
  * hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
  * hw/arm/virt: Check that the CPU realize method succeeded
  * sdhci: fix a NULL pointer dereference due to uninitialized AddressSpace object
  * xilinx_spips: Correct usage of an uninitialized local variable
  * pl110: Implement vertical compare/next base interrupts
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJaadStAAoJEDwlJe0UNgzeABwP/jJs1ajbRnnwr2eFYno9Wa7p
 jpSHD/4pxMbZVYAPrc5z+EoPw8Fy/qETlzRLlcO4KfmrxHotpoKEPAQBIOohs7Uy
 PZgPhVqic1hAQBlp2wkK9SSL5XFyfI0PHCY3Rb0dGWPSu5eoLlXCglbgajOBbM9r
 t/0KUQPhILfYeDbZ7oO6XLC51F87M0zxmE5GG2Z8feHDSw2zqmZc/jw8nGNkQXKr
 0gniMN2QQyxKEjp6zYa9lmCnvpBMErKo3xl9J3tZ2TgzOSWaX0S1gk3FWh0kNYhk
 ktnnimUzku/gOoCorMf5o7nPCNQqpR4Jgpw3S27j7WfgxGyrgfxT74k4XR/g8nNO
 LGkNzlsdEjHpVe8wTPQZ4LtPcw8ozHQB/Yu77iRaweQipk6PeyoUuoMDrxHq0oX6
 W9rgvwmOJu2xmHyUe1NZuUwiZ9xdidlFg+9TMENLkbzb2xzxYa1qmbVQz7u5d7cx
 zPgy9iy7S77wAwPwHgul3sQlVLxxKSi7Iw+Ka+51uEJ3pbW/JPpZCATi00LGjQZF
 41j5wOPj/LR+B0peay4cneF9DDR5Vxqe+Lg1QMicaj74xP1Q+dvVwvE5e3/XUaiT
 nr42iNjK0HJCqyvvkd6u/ONW8rbSmeL5FF5eEzC6DxAArTBkdJ90tFklinMH/Ovy
 oaBPvo5zP8TSqwDMx6yc
 =aF9Y
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180125' into staging

target-arm queue:
 * target/arm: Fix address truncation in 64-bit pagetable walks
 * i.MX: Fix FEC/ENET receive functions
 * target/arm: preparatory refactoring for SVE emulation
 * hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
 * hw/intc/arm_gic: Fix C_RPR value on idle priority
 * hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
 * hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
 * hw/arm/virt: Check that the CPU realize method succeeded
 * sdhci: fix a NULL pointer dereference due to uninitialized AddressSpace object
 * xilinx_spips: Correct usage of an uninitialized local variable
 * pl110: Implement vertical compare/next base interrupts

# gpg: Signature made Thu 25 Jan 2018 12:59:25 GMT
# gpg:                using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20180125: (21 commits)
  pl110: Implement vertical compare/next base interrupts
  xilinx_spips: Correct usage of an uninitialized local variable
  sdhci: fix a NULL pointer dereference due to uninitialized AddresSpace object
  hw/arm/virt: Check that the CPU realize method succeeded
  hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
  hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
  hw/intc/arm_gic: Fix C_RPR value on idle priority
  hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
  target/arm: Simplify fp_exception_el for user-only
  target/arm: Hoist store to flags output in cpu_get_tb_cpu_state
  target/arm: Move cpu_get_tb_cpu_state out of line
  target/arm: Add ARM_FEATURE_SVE
  vmstate: Add VMSTATE_UINT64_SUB_ARRAY
  target/arm: Add aa{32, 64}_vfp_{dreg, qreg} helpers
  target/arm: Change the type of vfp.regs
  target/arm: Use pointers in neon tbl helper
  target/arm: Use pointers in neon zip/uzp helpers
  target/arm: Use pointers in crypto helpers
  target/arm: Mark disas_set_insn_syndrome inline
  i.MX: Fix FEC/ENET receive funtions
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 17:04:47 +00:00
Peter Maydell
a3f9362af5 qemu-sparc update
-----BEGIN PGP SIGNATURE-----
 
 iQFSBAABCAA8FiEEzGIauY6CIA2RXMnEW8LFb64PMh8FAlpp31oeHG1hcmsuY2F2
 ZS1heWxhbmRAaWxhbmRlLmNvLnVrAAoJEFvCxW+uDzIfHBUIALvehH1Ita5kO+i1
 MGKe8D39xfFHbF2q445BdYkK5qgfyswG48wf+a+U0xmDfrG/MVevd7ho/1P3mZNJ
 2fXRPkkkNJ8THsVPKTIZB/ZJUa0xQ+9Om6O+mT3IDqLKB0qxnj+DanCs1oIKW1Yn
 OAldd4sReDQhs7zxPpFrQqFt4pUi24v3TiQbm3lB7j9cGDw+vbMBVyTI9MAagtxI
 g4CJOdO9Vq9xAbnHcVUo2E1DJnKII2UUpU2KT7qNX/pTX/Rtd2jldrcDysHy55ku
 BL7jfwVsfSwuNNy1TDStZsNJMIm1791QUjaHI4kNhEyo3wu7PyAOTdrfYXOYj4LS
 QAm+2qM=
 =VLKg
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-signed' into staging

qemu-sparc update

# gpg: Signature made Thu 25 Jan 2018 13:44:58 GMT
# gpg:                using RSA key 0x5BC2C56FAE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C  C9C4 5BC2 C56F AE0F 321F

* remotes/mcayland/tags/qemu-sparc-signed:
  sun4u: implement power device
  sparc64: convert hw/sparc64/sparc64.c from DPRINTF macros to trace events
  sabre: convert from SABRE_DPRINTF macro to trace-events
  apb: rename apb.c to sabre.c
  sun4u: rename apb variables and constants
  apb: rename QOM type from TYPE_APB to TYPE_SABRE
  apb: QOMify sabre PCI host bridge
  apb: change pbm_pci_host prefix functions to use sabre_pci prefix
  apb: rename APB functions to use sabre prefix
  simba: rename PBMPCIBridge and QOM types to reflect simba naming
  apb: split simba PCI bridge into hw/pci-bridge/simba.c
  sparc/leon3 irqmp: fix IRQ software ack

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 16:24:56 +00:00
Peter Maydell
b3bbe959b5 vga: fix for CVE-2018-5683
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJaaaRjAAoJEEy22O7T6HE4OTUQAMEW5xw5yLGwsD71myJ/W8R4
 Eufa8gLGXSQ1ovc/1MkRhMN5HOstT8h4YQjEj1L1w0Fd6Ruva8LM1SdTQad6H7aj
 bwdSZh5bPbRdDBf8p7zJjl2Msj/oe+CSS4prlt32s4xQXIPFQNqvSEX/+46wol+q
 FllYBVWhwpgORVPp6IMxCUFFshZbznZpre8dbxLQmyOXXMLSCmUw/f1xevGZFVUB
 jb93AUQ4Arex65258kP0piyjnd36PgH7VyWyPAJ9MDFQibxGRv0aixVQIufm6zjm
 tqbhRmVfcykqQm0aqC2PnywehUO1EfTv6JwwnRaJPsAC+oq/P3I/gFPoP9gsFIU6
 kZuTQ5sLa+XNDmkOpz3qMIBE67tX28rPPq1W4ekHsYheIkTqg/GiEsZuzNjP63AA
 d2CEs09bVDHQMhBlhjKRrYao9yojICmp4pOt3Lb79DbB7rd57XVrQb8BDbd/utwu
 knCPYsSI3tiucLvIlBl2wgjkuwv1IVLu8TB7JQtQ8qZARgL10hUcAW34WOyriF+y
 OkA/nk/Tt8VgED2kD6ttR88fOwtByfnhS5+y2w8gxDfRwRDFsSO4MQP8nmj/rLuJ
 lX6jwr6oh0u0IJSTWUaC2MPWmRkz3kuwBDR42KWGbYp/EgLuqMSdMfv/WgC7t4+s
 3FztQ3+vPB2lZ9DWUboi
 =K9aN
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180125-pull-request' into staging

vga: fix for CVE-2018-5683

# gpg: Signature made Thu 25 Jan 2018 09:33:23 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20180125-pull-request:
  vga: check the validation of memory addr when draw text

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 15:28:56 +00:00
Mark Cave-Ayland
25c5d5acfb sun4u: implement power device
This inbuilt device contains a single 4-byte register, of which bit 24 is used
to power down the machine on a real Ultra 5.

The power device exists at offset 0x724000 on a real machine, but due to the
current configuration of the BARs in QEMU it must be located lower in PCI IO
space.

For the moment we place the power device at offset 0x7240 as a reminder of its
original location and raise the base PCI IO address from 0x4000 to 0x8000.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Artyom Tarasenko <atar4qemu@gmail.com>
2018-01-25 13:39:39 +00:00
Mark Cave-Ayland
be75bbe2d7 sparc64: convert hw/sparc64/sparc64.c from DPRINTF macros to trace events
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
2018-01-25 13:39:34 +00:00
Linus Walleij
24da047af0 pl110: Implement vertical compare/next base interrupts
This implements rudimentary support for interrupt generation on the
PL110. I am working on a new DRI/KMS driver for Linux and since that
uses the blanking interrupt, we need something to fire here. Without
any interrupt support Linux waits for a while and then gives ugly
messages about the vblank not working in the console (it does not
hang perpetually or anything though, DRI is pretty forgiving).

I solved it for now by setting up a timer to fire at 60Hz and pull
the interrupts for "vertical compare" and "next memory base"
at this interval. This works fine and fires roughly the same number
of IRQs on QEMU as on the hardware and leaves the console clean
and nice.

People who want to create more accurate emulation can probably work
on top of this if need be. It is certainly closer to the hardware
behaviour than what we have today anyway.

Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Message-id: 20180123225654.5764-1-linus.walleij@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: folded long lines]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Francisco Iglesias
fbe5dac7b2 xilinx_spips: Correct usage of an uninitialized local variable
Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.

Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20180124215708.30400-1-frasse.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Philippe Mathieu-Daudé
02e57e1c14 sdhci: fix a NULL pointer dereference due to uninitialized AddresSpace object
missed in 60765b6cee.

  Thread 1 "qemu-system-aarch64" received signal SIGSEGV, Segmentation fault.
  address_space_init (as=0x0, root=0x55555726e410, name=name@entry=0x555555e3f0a7 "sdhci-dma") at memory.c:3050
  3050	    as->root = root;
  (gdb) bt
  #0  address_space_init (as=0x0, root=0x55555726e410, name=name@entry=0x555555e3f0a7 "sdhci-dma") at memory.c:3050
  #1  0x0000555555af62c3 in sdhci_sysbus_realize (dev=<optimized out>, errp=0x7fff7f931150) at hw/sd/sdhci.c:1564
  #2  0x00005555558b25e5 in zynqmp_sdhci_realize (dev=0x555557051520, errp=0x7fff7f931150) at hw/sd/zynqmp-sdhci.c:151
  #3  0x0000555555a2e7f3 in device_set_realized (obj=0x555557051520, value=<optimized out>, errp=0x7fff7f931270) at hw/core/qdev.c:966
  #4  0x0000555555ba3f74 in property_set_bool (obj=0x555557051520, v=<optimized out>, name=<optimized out>, opaque=0x555556e04a20,
      errp=0x7fff7f931270) at qom/object.c:1906
  #5  0x0000555555ba51f4 in object_property_set (obj=obj@entry=0x555557051520, v=v@entry=0x5555576dbd60,
      name=name@entry=0x555555dd6306 "realized", errp=errp@entry=0x7fff7f931270) at qom/object.c:1102

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180123132051.24448-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Peter Maydell
c88bc3e0db hw/arm/virt: Check that the CPU realize method succeeded
We were passing a NULL error pointer to the object_property_set_bool()
call that realizes the CPU object. This meant that we wouldn't detect
failure, and would plough blindly on to crash later trying to use a
NULL CPU object pointer. Detect errors and fail instead.

In particular, this will be necessary to detect the user error
of using "-cpu host" without "-enable-kvm" once we make the host
CPU type be registered unconditionally rather than only in
kvm_arch_init().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Luc MICHEL
421a3c224e hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
When C_CTRL.CBPR is 1, the Non-Secure view of C_BPR is altered:
  - A Non-Secure read of C_BPR should return the BPR value plus 1,
  saturated to 7,
  - A Non-Secure write should be ignored.

Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-6-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: fixed comment typo]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Luc MICHEL
fc05a6f22a hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
When determining the group priority of a group 1 IRQ, if C_CTRL.CBPR is
0, the non-secure BPR value is used. However, this value must be
incremented by one so that it matches the secure world number of
implemented priority bits (NS world has one less priority bit compared
to the Secure world).

Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-5-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: add assert, as the gicv3 code has]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Luc MICHEL
71aa735b0a hw/intc/arm_gic: Fix C_RPR value on idle priority
When there is no active interrupts in the GIC, a read to the C_RPR
register should return the value of the "Idle priority", which is either
the maximum value an IRQ priority field can be set to, or 0xff.

Since the QEMU GIC model implements all the 8 priority bits, the Idle
priority is 0xff.

Internally, when there is no active interrupt, the running priority
value is 0x100. The gic_get_running_priority function returns an uint8_t
and thus, truncate this value to 0x00 when returning it. This is wrong since
a value of 0x00 correspond to the maximum possible priority.

This commit fixes the returned value when the internal value is 0x100.

Note that it is correct for the Non-Secure view to return 0xff even
though from the NS world point of view, only 7 priority bits are
implemented. The specification states that the Idle priority can be 0xff
even when not all the 8 priority bits are implemented. This has been
verified against a real GICv2 hardware on a Xilinx ZynqMP based board.

Regarding the ARM11MPCore version of the GIC, the specification is not
clear on that point, so this commit does not alter its behavior.

Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-4-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:30 +00:00
Luc MICHEL
91f4e18d95 hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
In the GIC, when an IRQ is acknowledged, its state goes from "pending"
to:
   - "active" if the corresponding IRQ pin has been de-asserted
   - "active and pending" otherwise.
The GICv2 manual states that when a IRQ becomes active (or active and
pending), the GIC should either signal another (higher priority) IRQ to
the CPU if there is one, or de-assert the CPU IRQ pin.

The current implementation of the GIC in QEMU does not check if the
IRQ is already active when looking for pending interrupts with
sufficient priority in gic_update(). This can lead to signaling an
interrupt that is already active.

This usually happens when splitting priority drop and interrupt
deactivation. On priority drop, the IRQ stays active until deactivation.
If it becomes pending again, chances are that it will be incorrectly
selected as best_irq in gic_update().

This commit fixes this by checking if the IRQ is not already active when
looking for best_irq in gic_update().

Note that regarding the ARM11MPCore GIC version, the corresponding
manual is not clear on that point, but it has has no priority
drop/interrupt deactivation separation, so this case should not happen.

Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-3-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:29 +00:00
Jean-Christophe Dubois
1b58d58f76 i.MX: Fix FEC/ENET receive funtions
The actual imx_eth_enable_rx() function is buggy.

It updates s->regs[ENET_RDAR] after calling qemu_flush_queued_packets().

qemu_flush_queued_packets() is going to call imx_XXX_receive() which itself
is going to call imx_eth_enable_rx().

By updating s->regs[ENET_RDAR] after calling qemu_flush_queued_packets()
we end up updating the register with an outdated value which might
lead to disabling the receive function in the i.MX FEC/ENET device.

This patch change the place where the register update is done so that the
register value stays up to date and the receive function can keep
running.

Reported-by: Fyleo <fyleo45@gmail.com>
Tested-by: Fyleo  <fyleo45@gmail.com>
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Message-id: 20180113113445.2705-1-jcd@tribudubois.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 11:45:28 +00:00
Peter Maydell
0f79bfe38a -----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJaZ0sNAAoJEPMMOL0/L7480bQP/i5QO0c4MrXJ7VaEa1u6ubfv
 AELpodvD6hm0qDT8OIH/4g1PRFZvB1OGg1wd8sZg/aLLbxfiKQ0kR+6Kq+W6LLJY
 qD4xddVZnBVlcSDwGn6Rg3bStgISOBr+Z7fAOtLOFc6BJz5JryU4PSPLXIb4gxtX
 0DXPXnSSTj+yZUjoG408aqAAlFRgbbXcY9Yhx3hblEO3ZJWAv7qrtoL67PEgB4kh
 j2t/6SSpEvsrmsb1g4N0/NMb6csOAwcA3kiTiOE2fGhc6vS7hUpcQPDQi/FHfkWD
 Q9Qe5y1TUE+JCc1VAdjWy3+42yH+IFpJo8lshJZw0tSGk3GCXeRUI6jlsawMphq/
 Xo9zrIcXcTY/1ZWB9FWypr0orFLMphQPY6cwEu/60QvzQA8coeJk27zqXgL/G78y
 7bNqLhMVz1JkKO4uCkRGQVJuijLo3aO3OeFSEnl8QoZInoOaPd+aVh/FCs57hV3r
 mcXT+ab9lbNrx0BTMI8Cr4HzvHH5cAfNg8hK/hh9rVHkAopLGvHkNJWOLbtAawds
 MulpKlLMnuntU/LGfAVU+ccttWt8Hfd5vRwS3Ex99sTIU/yBYh8iSAHh0lweE00p
 RmGMuVn+aXwcnDAsTXR6+8Zn5GzK+o9eifwlFdhI7AkCPwhra4fVodi0d/0imvGE
 XHLy02hVBGUp+Hoyf0/r
 =2ycl
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-2.12-pull-request' into staging

# gpg: Signature made Tue 23 Jan 2018 14:47:41 GMT
# gpg:                using RSA key 0xF30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier2/tags/linux-user-for-2.12-pull-request:
  linux-user: implement renameat2
  page_unprotect(): handle calls to pages that are PAGE_WRITE
  linux-user: Propagate siginfo_t through to handle_cpu_signal()
  linux-user: remove nmi.c and fw-path-provider.c
  linux-user: Add getcpu() support
  linux-user: Add AT_SECURE auxval
  linux-user: Fix sched_get/setaffinity conversion
  linux-user/mmap.c: Avoid choosing NULL as start address
  linux-user: Translate flags argument to dup3 syscall
  linux-user: Don't use CMSG_ALIGN(sizeof struct cmsghdr)
  linux-user: Fix length calculations in host_to_target_cmsg()
  linux-user: wrap fork() in a start/end exclusive section
  linux-user: Fix locking order in fork_start()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-25 09:53:53 +00:00
linzhecheng
191f59dc17 vga: check the validation of memory addr when draw text
Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2  -device pcnet -vga cirrus,
then use VNC client to connect to VM, and excute the code below in guest
OS will lead to qemu crash:

int main()
 {
    iopl(3);
    srand(time(NULL));
    int a,b;
    while(1){
	a = rand()%0x100;
	b = 0x3c0 + (rand()%0x20);
        outb(a,b);
    }
    return 0;
}

The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
the display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-25 10:18:39 +01:00
Peter Maydell
f78b6f9b11 Block layer patches
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaZyzMAAoJEH8JsnLIjy/WSOYP/jHffS2fOHtdLQU42G76HN0K
 jkhSUE8cuKFzgxuJDJhv10AGsGZvDIaRhuumPIFArQkcEwsFDfd0UqzC5GkCnhfn
 6frVPsRSUp9BqXqha1+6vOgVRobdBXPpS25ERfanTsbu3aPEDRnGpxmpMvyyimft
 BTUnWNCg2lM6bojXrC6oy7MqUdi9p9PviMcQAfnN07SmGa+s6tS2Jc9znvZwgL06
 o+oPukWVTAiub5qcH18BLA3T8xcCXWANdY9pUnNj7mXHoxg3kYzzYBArYDh6Kyju
 BkSEML1kNcUACFAZ+LSqQpnoc8/5cP+jY5cOBGtUUgjZSns/xnAZxALltds0I4m3
 fqQM68oOTX7squAYAaKYVYMirime6aa2OAn2afxPJildPp8uH4lNust95yiUyyJQ
 oqA3zfAnP5FfmTnzjLG7smYlRUlcHp8eMPyOKHxp3BuqTMbWY5KQETyDMk3QVnZr
 7fSFIdT4sRTdroKXUKHHu3RLFyCo77EBovxY2oUtt6v43qxQhLx0IFwW6jHrcLK9
 ifLOr1CqdgwH/OU7h6rzoLcGLX5/eOTxwcCbU0kP2cx4E60VBXmSaDq9TiwQhbeV
 4HteS+EP6R0WpCiAvsFl2aUd6iwDRHeYt0aKpYyUuTVrW2mfmLPaQP+tJLjEoaHF
 H5HlbNWy2gFAB2uQtmOd
 =gjNZ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches

# gpg: Signature made Tue 23 Jan 2018 12:38:36 GMT
# gpg:                using RSA key 0x7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream: (29 commits)
  iotests: Disable some tests for compat=0.10
  iotests: Split 177 into two parts for compat=0.10
  iotests: Make 059 pass on machines with little RAM
  iotests: Filter compat-dependent info in 198
  iotests: Make 191 work with qcow2 options
  iotests: Make 184 image-less
  iotests: Make 089 compatible with compat=0.10
  iotests: Fix 067 for compat=0.10
  iotests: Fix 059's reference output
  iotests: Fix 051 for compat=0.10
  iotests: Fix 020 for vmdk
  iotests: Skip 103 for refcount_bits=1
  iotests: Forbid 020 for non-file protocols
  iotests: Drop format-specific in _filter_img_info
  iotests: Fix _img_info for backslashes
  block/vmdk: Add blkdebug events
  block/qcow: Add blkdebug events
  qcow2: No persistent dirty bitmaps for compat=0.10
  block/vmdk: Fix , instead of ; at end of line
  qemu-iotests: Fix locking issue in 102
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-24 22:55:57 +00:00
Peter Maydell
834a336eb9 virtio: quick fix
Fixes a regression in virtio that's causing issues
 for many people.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJaaMBYAAoJECgfDbjSjVRpH9cH/izjScalZuvCN57+fqEtDW6C
 oudm+wWac91qAKY4U8UfWsR1Aph8bGqZKXwBPM7c/DTdzPAPjBmkY+P/E392wWAY
 6IoJIRTyQUYhABuftWt61UV6+waEGDFXegGlgcse8JZ/ddD62v/9Bll78w4nfivE
 w5DvMBYPzVJV4N7Q7CiP3XOf4qHD9TNAd/s6wSdmPCLT0VztLYsjvrfwuEY58bTa
 i3W16BUV3R1SUGBq+EWG2LjAUfyUDleTyTVA6tI+hWbazPFHDFfZO9/xFsAfgTpv
 Wmx45OAhPwr8lVeatF9ljh1AxBQUiUHHBN8rRKljU5evEERS/4lrR/FXWdalEvI=
 =2+BS
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio: quick fix

Fixes a regression in virtio that's causing issues
for many people.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Wed 24 Jan 2018 17:20:24 GMT
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream:
  Revert "qemu: add a cleanup callback function to EventNotifier"
  Revert "virtio: postpone the execution of event_notifier_cleanup function"
  Revert "virtio: improve virtio devices initialization time"

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-24 19:24:26 +00:00