Commit Graph

15360 Commits

Author SHA1 Message Date
Peter Maydell
bac8e20367 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJWswswAAoJEO8Ells5jWIRmuAIAKfexolRpauVFoMt2w69Yrk4
 0XhaAuSaazsfU06azXKjrchBUgXbw4Y6lw3tkTos4lnd8m1ovfAzSTS4q28rZ+Tf
 u5M06Fi13oyhEViGS4gt6gTwmYPTx2FTBDMCL1OZvka7GPbVsweQn0IS18j1Q2xL
 ps2kruNTad7mUa2EypuBugm3woL8kGupLUX63aWKmnvqobwFDNTKJLWiFn5eXlbg
 Zq7LxmC4R3A5K9rD8wN16ScaK3RH2x83DXaRoddtSIRwdldxG9ZCv2oFKPZrr6WA
 HsJIjurMTXhaRxNL3PsGMd/MbT7gmNF5muq8kZnkORmGxfMvi3RUuBdyhrq1I0w=
 =2Uz/
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Thu 04 Feb 2016 08:26:24 GMT using RSA key ID 398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  net/filter: Fix the output information for command 'info network'
  net: always walk through filters in reverse if traffic is egress
  net: netmap: use nm_open() to open netmap ports
  e1000: eliminate infinite loops on out-of-bounds transfer start
  slirp: Adding family argument to tcp_fconnect()
  slirp: Make udp_attach IPv6 compatible
  slirp: Add sockaddr_equal, make solookup family-agnostic
  slirp: Factorizing and cleaning solookup()
  slirp: Factorizing address translation
  slirp: Make Socket structure IPv6 compatible
  slirp: Adding address family switch for produced frames
  slirp: Generalizing and neutralizing ARP code
  slirp: goto bad in udp_input if sosendto fails
  cadence_gem: fix buffer overflow
  net: cadence_gem: check packet size in gem_recieve
  qemu-doc: Do not promote deprecated -smb and -redir options
  net/slirp: Tell the users when they are using deprecated options

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04 14:17:11 +00:00
Peter Maydell
ae533a46a1 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQIcBAABAgAGBQJWsmNCAAoJEH3vgQaq/DkOQAEP/AwDY/JkKRQuTA2j8xvqxsrF
 ilzQhjvGva1WBU8iKP4L0ILvMbjzNrQh4LE31amY0Er+TDjRfqZkz7vc+/6cQ3uY
 FzXVKYySHbO3hbcamarr+sYu+T7D/6o4uvH04Vj0VDYiGJWcfKitBq2nfXbB55WW
 M9AgKLyMwvRPjfHu9Hp8BIIvQbQvzCnz0lB6q2Bzb4Gb/zR6qmXXXSLsTwXnfmD+
 LDLi/sN/hhdX2yMqNpDmNDqmGoX+NsK2C2AN0X9uEvQ0ePUcIScI338GfP9OeCGs
 To55rYGhyGCYdhEIGh8qdY47r87KrNxFtZXCMcv+oBbXuPIlpxZNESc+b5hzsWFp
 nAJq2FqVH0e69RDV/jl0TviNE8FO2auOZroD/VwWpY6Pk2rhYVUbc6dN13R69Bs5
 iGNEOBC1UI8eFOEEEoyHE+IHXCRodGUpDGa1oNzYvsPir1LKXoYqwwMjMCzDUUMA
 DEPdhQdj7Q9VzYI8GtTEuysunPfOGrjBsaMXvOgJMbU1wZqvqQU4gw5itJGeLGNC
 oc6yfIhmkv8j5N5l3qBzIOcU0iJGRlX2Z8pMPKjtvuLkkw6TBAm2Jal7Xkx8C3TX
 AGXE05khcq8y8wD3jtZJfpLlSkJoJpcD1BaAxig1H1t8hrtntUNnAQ9OfUnAuAZ5
 yjN4MOqG+rPelBqEaMMj
 =UnwI
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging

# gpg: Signature made Wed 03 Feb 2016 20:29:54 GMT using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"

* remotes/jnsnow/tags/ide-pull-request:
  dma: remove now useless DMA_* functions
  sb16: use IsaDma interface instead of global DMA_* functions
  gus: use IsaDma interface instead of global DMA_* functions
  cs4231a: use IsaDma interface instead of global DMA_* functions
  fdc: use IsaDma interface instead of global DMA_* functions
  sparc64: disable floppy DMA
  sparc: disable floppy DMA
  magnum: disable floppy DMA for now
  i8257: implement the IsaDma interface
  isa: add an ISA DMA interface, and store it within the ISA bus
  i8257: move state definition to new independent header
  i8257: QOM'ify
  i8257: add missing const
  i8257: make the DMA running method per controller
  i8257: rename functions to start with i8257_ prefix
  i8257: rename struct dma_regs to I8257Regs
  i8257: rename struct dma_cont to I8257State
  i8257: pass ISA bus to DMA_init() function
  i82374: device only existed as ISA device, so simplify device
  fdc: fix detection under Linux

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04 12:50:43 +00:00
Peter Maydell
071aacc9c9 target-arm queue:
* virt-acpi-build: add always-on property for timer
  * various fixes for EL2 and EL3 behaviour
  * arm: virt-acpi: each MADT.GICC entry as enabled unconditionally
  * target-arm: Don't report presence of EL2 if it doesn't exist
  * raspi: add raspberry pi 2 machine
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJWsk26AAoJEDwlJe0UNgzeWwAP/j5AWKgqsi9hpskq1BVtjc8P
 yZZlsRcSN8oyKMRoCXUCXztQhiBSYVABeeABH5JWsoxCK1CA6vBqkOl89ENfhwNZ
 TmeRh4BLCwfW+YIb9OG84JoVpCbvt6M7KYpCA3DJBy5GLOsO5vxd3E3BLN7O+dKH
 ljEcF0l+SlJAupK692A34nyS01dCs91xwP/kigOSPoVjpkUBOmSHrQhD4wTHjunr
 xj6fgc6rLqnG9TrNUkTn8aIB8lZ1j9VmJUetbp0x/Zo7TKcC8KObh+pYk3hik7JK
 PLhNJU0tPe55PEx+RLi8i6vYZp8Fqsl5qskjshl3uBtvK5TR0doxbIAu89raapWL
 Bg7xesN2H6Z+w0tq6TRLU4FhL+MtN0+wQy6PJ55NOkHVgZv9/i5keH4Xe/vZwMZd
 YGVhhrSSjfGmR878Rh6s7v1ZNFhAJenti4icd66e82InPl6UHf2SC34dLBpzW6SF
 qnmIt3BCHIDruwJKmWF71RAjmd9eR4xSEw1wcqoZF7UqghnQOBSuszEv8dlvRmES
 zNYgDqOjxQ79X3zmtXLKQ8UFoGQqhy3E2DF6lsHgxHCwcwHKKuro6Q3LQWnLZvau
 e5CVQShK2lU8o2dwMLmXakjoFGleCG0OsJBz9Ls89w1YV/c4X/UPFXwAJMhJ5P9v
 cYtw9ol7WJmT5yLxQGtI
 =Ul6h
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160203' into staging

target-arm queue:
 * virt-acpi-build: add always-on property for timer
 * various fixes for EL2 and EL3 behaviour
 * arm: virt-acpi: each MADT.GICC entry as enabled unconditionally
 * target-arm: Don't report presence of EL2 if it doesn't exist
 * raspi: add raspberry pi 2 machine

# gpg: Signature made Wed 03 Feb 2016 18:58:02 GMT using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"

* remotes/pmaydell/tags/pull-target-arm-20160203:
  raspi: add raspberry pi 2 machine
  arm/boot: move highbank secure board setup code to common routine
  bcm2836: add bcm2836 SoC device
  bcm2836_control: add bcm2836 ARM control logic
  bcm2835_peripherals: add rollup device for bcm2835 peripherals
  bcm2835_ic: add bcm2835 interrupt controller
  bcm2835_property: add bcm2835 property channel
  bcm2835_mbox: add BCM2835 mailboxes
  target-arm: Don't report presence of EL2 if it doesn't exist
  libvixl: Avoid std::abs() of 64-bit type
  arm: virt-acpi: each MADT.GICC entry as enabled unconditionally
  target-arm: Implement the S2 MMU inputsize > pamax check
  target-arm: Rename check_s2_startlevel to check_s2_mmu_setup
  target-arm: Apply S2 MMU startlevel table size check to AArch64
  hw/arm: Setup EL1 and EL2 in AArch64 mode for 64bit Linux boots
  target-arm: Make various system registers visible to EL3
  virt-acpi-build: add always-on property for timer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04 11:06:35 +00:00
Laszlo Ersek
dd793a7488 e1000: eliminate infinite loops on out-of-bounds transfer start
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:

- the TDLEN and RDLEN registers store the total size of the descriptor
  area,

- while the TDH and RDH registers store the offset (in whole tx / rx
  descriptors) into the area where the transfer is supposed to start.

Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).

QEMU already contains logic to deal with bogus transfers submitted by the
guest:

- Normally, the transmit case wants to increase TDH from its initial value
  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
  that QEMU currently has here is a check against reaching the original
  TDH value again -- a complete wraparound, which should never happen.

- In the receive case RDH is increased from its initial value until
  "total_size" bytes have been received; preferably in a single step, or
  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
  RX descriptors are skipped without receiving data, while RDH is
  incremented just the same. QEMU tries to prevent an infinite loop
  (processing only null RX descriptors) by detecting whether RDH assumes
  its original value during the loop. (Again, wrapping from RDLEN to 0 is
  normal.)

What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.

The condition that expresses this is:

  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)

i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.

This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.

This is CVE-2016-1981.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Prasad Pandit <ppandit@redhat.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04 14:13:11 +08:00
Michael S. Tsirkin
d7f053652f cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04 13:22:06 +08:00
Prasad J Pandit
244381ec19 net: cadence_gem: check packet size in gem_recieve
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04 13:22:06 +08:00
Peter Maydell
382d34ff9f -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJWsiEWAAoJEJykq7OBq3PIGXYIALsxSU9HYOBqt/7J5E07EUxS
 ef3pu/CnMSHw3I/oLVe+pdpwyKMEhRRa75t8DSl4+UodsPXyZ/YtuBTm2v7J+FXD
 tjOoDYimAuDqeJU+km4O3PRUKSUKIlo0V4g7DRWF1qCCC4xw8SwmkBvfax7oFf3a
 ew3s0Lw/v11/foe5lKTkgTBgoXKk/Oc1E3rhSsOb7WvZq0CbrhRV3R5Lp0jbXkjF
 1LMijbsQvzQY7v07r4FcZ2vwhdI5eUXQOKg6sHMBqBbNdrR0zEQeylgdXq7H2rqm
 RhdkK4Dd1bs4K1gk4TXNhysd7/U5gRJhGqeBkYCI12lNY9AJwyH0OBcBxGZBV6U=
 =pTqw
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Wed 03 Feb 2016 15:47:34 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/tracing-pull-request:
  log: add "-d trace:PATTERN"
  trace: switch default backend to "log"
  trace: convert stderr backend to log
  log: move qemu-log.c into util/ directory
  log: do not unnecessarily include qom/cpu.h
  trace: add "-trace help"
  trace: add "-trace enable=..."
  trace: no need to call trace_backend_init in different branches now
  trace: split trace_init_file out of trace_init_backends
  trace: split trace_init_events out of trace_init_backends
  trace: fix documentation
  trace: track enabled events in a separate array
  trace: count number of enabled events

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 19:00:33 +00:00
Hervé Poussineau
ba0a71022c dma: remove now useless DMA_* functions
Keep only DMA_init function as a wrapper around DMA controllers creation.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-20-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:58 -05:00
Hervé Poussineau
f203c16ea2 sb16: use IsaDma interface instead of global DMA_* functions
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-19-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:58 -05:00
Hervé Poussineau
467be5f2f0 gus: use IsaDma interface instead of global DMA_* functions
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-18-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:58 -05:00
Hervé Poussineau
2d01109133 cs4231a: use IsaDma interface instead of global DMA_* functions
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-17-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:58 -05:00
Hervé Poussineau
c8a35f1cf0 fdc: use IsaDma interface instead of global DMA_* functions
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-16-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:58 -05:00
Hervé Poussineau
c3ae40e12c sparc64: disable floppy DMA
All functions relative to DMA (DMA_*() functions) are stubs on sparc64 platform.
Disable the DMA of the floppy controller, instead of calling these stubs.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-15-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:57 -05:00
Hervé Poussineau
dd446051b7 sparc: disable floppy DMA
All functions relative to DMA (DMA_*() functions) are stubs on sparc platform.
Disable the DMA in the floppy controller, instead of calling these stubs.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-14-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:57 -05:00
Hervé Poussineau
020e298699 magnum: disable floppy DMA for now
Floppy uses the DMA controller in rc4030 chipset, and not the i8259 from the ISA bus.
It's better to disable DMA than to call the wrong DMA controller.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-13-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:57 -05:00
Hervé Poussineau
16ffe36360 i8257: implement the IsaDma interface
Rewrite the global DMA_*() functions to use the IsaDma interface.
Note that these functions will be deleted in a few commits.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-12-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:57 -05:00
Hervé Poussineau
5484f30b2c isa: add an ISA DMA interface, and store it within the ISA bus
This will permit to deprecate global DMA_*() functions.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-11-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:57 -05:00
Hervé Poussineau
f5f19ee2e4 i8257: move state definition to new independent header
We will now be able to embed the i8257 interrupt controller in another object.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-10-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:56 -05:00
Hervé Poussineau
340e19ebf2 i8257: QOM'ify
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-9-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:56 -05:00
Hervé Poussineau
8d3c4c81f3 i8257: add missing const
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-8-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:56 -05:00
Hervé Poussineau
b9ebd28c62 i8257: make the DMA running method per controller
This removes some static/global variables, and we're now running only the
required controller (master or slave)

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-7-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:56 -05:00
Hervé Poussineau
74c47de010 i8257: rename functions to start with i8257_ prefix
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-6-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:56 -05:00
Hervé Poussineau
0eee6d6262 i8257: rename struct dma_regs to I8257Regs
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-5-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:55 -05:00
Hervé Poussineau
6a128b1330 i8257: rename struct dma_cont to I8257State
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-4-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:55 -05:00
Hervé Poussineau
5714694192 i8257: pass ISA bus to DMA_init() function
i8257 DMA controller exists on one ISA bus, so let's specify it at initialization.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-3-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:55 -05:00
Hervé Poussineau
449ae7eca9 i82374: device only existed as ISA device, so simplify device
Merge ISAi82374State fields into parent structure I82374State.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1453843944-26833-2-git-send-email-hpoussin@reactos.org
Signed-off-by: John Snow <jsnow@redhat.com>
2016-02-03 11:28:55 -05:00
John Snow
fd9bdbd345 fdc: fix detection under Linux
Accidentally, I removed a "feature" where empty drives had geometry
values applied to them, which allows seek on empty drives to work
"by accident," as QEMU actually tries to disallow that.

Seeks on empty drives should work, though, but the easiest thing is to
restore the misfeature where empty drives have non-zero geometries
applied.

Document the hack accordingly.

[Maintainer edit]

This fix corrects a regression introduced in d5d47efc, where
pick_geometry was modified such that it would not operate on empty
drives, and as a result if there is no diskette inserted, QEMU
no longer populates it with geometry bounds. As a result, seek fails
when QEMU denies to move the current track, but reports success anyway.
This can confuse the guest, leading to kernel panics in the guest.


Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1454106932-17236-1-git-send-email-jsnow@redhat.com
2016-02-03 11:28:55 -05:00
Andrew Baumann
1df7d1f930 raspi: add raspberry pi 2 machine
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:47 +00:00
Andrew Baumann
716536a9b6 arm/boot: move highbank secure board setup code to common routine
The new version is slightly different, to support Rasbperry Pi (in
particular, Pi1's arm11 core which doesn't support v7 instructions
such as MOVW).

Tested-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:46 +00:00
Andrew Baumann
bad5623690 bcm2836: add bcm2836 SoC device
This is the SoC for Raspberry Pi 2.

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:46 +00:00
Andrew Baumann
cc28296d82 bcm2836_control: add bcm2836 ARM control logic
This module is specific to the bcm2836 (Pi2). It implements the top
level interrupt controller, and mailboxes used for inter-processor
synchronisation.

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:45 +00:00
Andrew Baumann
7c62aeb82a bcm2835_peripherals: add rollup device for bcm2835 peripherals
This device maintains all the non-CPU peripherals on bcm2835 (Pi1)
which are also present on bcm2836 (Pi2). It also implements the
private address spaces used for DMA and mailboxes.

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:45 +00:00
Andrew Baumann
e3ece3e34d bcm2835_ic: add bcm2835 interrupt controller
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:44 +00:00
Andrew Baumann
04f1ab15b9 bcm2835_property: add bcm2835 property channel
This sits behind the mailbox interface, and implements
request/response queries for system properties. The
framebuffer-related properties will be added in a later patch.

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 15:00:44 +00:00
Andrew Baumann
99494e696e bcm2835_mbox: add BCM2835 mailboxes
This adds the system mailboxes which are used to communicate with a
number of GPU peripherals on Pi/Pi2.

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 14:56:32 +00:00
Igor Mammedov
6d152ebaf4 arm: virt-acpi: each MADT.GICC entry as enabled unconditionally
in current impl. condition

build_madt() {
  ...
  if (test_bit(i, cpuinfo->found_cpus))

is always true since loop handles only present CPUs
in range [0..smp_cpus).
But to fill usless cpuinfo->found_cpus we do unnecessary
scan over QOM tree to find the same CPUs.
So mark GICC as present always and drop not needed
code that fills cpuinfo->found_cpus.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1454323689-248759-1-git-send-email-imammedo@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 13:46:34 +00:00
Edgar E. Iglesias
48d21a576a hw/arm: Setup EL1 and EL2 in AArch64 mode for 64bit Linux boots
When booting Linux on AArch64 enabled cores, setup EL1 and
EL2 to use AArch64.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 13:46:33 +00:00
Andrew Jones
a43e68a08b virt-acpi-build: add always-on property for timer
This patch is the ACPI equivalent of "hw/arm/virt: Add always-on
property to the virt board timer". The timer is always on, and
thus setting this informs Linux that it may switch off the periodic
timer. Switching off the periodic timer substantially reduces the
number of interrupts the host needs to inject.

Testing note: AArch64 guests (the only ones currently booting with
ACPI) do not actually need this patch to determine it can turn the
periodic timer off. I therefore used a hacked guest kernel to ensure
this patch works as the equivalent DT patch does.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1453380893-26174-1-git-send-email-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03 13:46:32 +00:00
Gerd Hoffmann
321c9adba5 virtio-gpu: block any rendering until client (ui) is done
Wire up gl_block callback, so ui code can request to stop
virtio-gpu rendering.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
0c55a1cfd3 virtio-gpu: add support to enable/disable command processing
So we can stop rendering for a while in case we have to.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
3eb769fd1c virtio-gpu: maintain command queue
We'll go take out the commands we receive out of the virt queue and put
them into a linked list, to decouple virtio queue handling from actual
command processing.

Also move cmd processing to new virtio_gpu_handle_ctrl func, so we can
easily kick it from different places.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
8d94c1ca53 virtio-gpu: fix memory leak in error path
Found by Coverity Scan, buf not freed on error.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2016-02-03 10:41:36 +01:00
Paolo Bonzini
508127e243 log: do not unnecessarily include qom/cpu.h
Split the bits that require it to exec/log.h.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-id: 1452174932-28657-8-git-send-email-den@openvz.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-02-03 09:19:10 +00:00
Peter Maydell
c65db7705b Block patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJWsOYgAAoJEDuxQgLoOKyt/DUH/1hIzxS+qyh3iko0B5O0aWny
 PJObgy4004T9yClYDOPRvoNfoFAw63iOkfnMArnzTETEaPR94DJXYM0uTLY8Pyht
 wNcAZm44FlYKhEOOXqFslE6Z1arOR2s2wTYGn4s6BvkGbGlHCWr7N7n5trMpLAMJ
 /jAT+PNAgJrxlI/vVDeitFhQYABwXmBdPpf1kgn28IepBAI62de1rJubX27WoWuQ
 j1+VwhbKCWFwE4PqDHVVo2Wm+Gv5A53alB6Adpx6+5xXYLWBBq/nNg1SwDXfD0+q
 gk7Qiwso+7fFWMX6mx2qgvdXBI2R4NlLoQAzA6sjWF1v4hf76/wjNQLsg+1+qXo=
 =BEb2
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-for-peter-2016-02-02' into staging

Block patches

# gpg: Signature made Tue 02 Feb 2016 17:23:44 GMT using RSA key ID E838ACAD
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>"

* remotes/maxreitz/tags/pull-block-for-peter-2016-02-02: (50 commits)
  block: qemu-iotests - add test for snapshot, commit, snapshot bug
  block: set device_list.tqe_prev to NULL on BDS removal
  iotests: Add "qemu-img map" test for VMDK extents
  qemu-img: Make MapEntry a QAPI struct
  qemu-img: In "map", use the returned "file" from bdrv_get_block_status
  block: Use returned *file in bdrv_co_get_block_status
  vmdk: Return extent's file in bdrv_get_block_status
  vmdk: Fix calculation of block status's offset
  vpc: Assign bs->file->bs to file in vpc_co_get_block_status
  vdi: Assign bs->file->bs to file in vdi_co_get_block_status
  sheepdog: Assign bs to file in sd_co_get_block_status
  qed: Assign bs->file->bs to file in bdrv_qed_co_get_block_status
  parallels: Assign bs->file->bs to file in parallels_co_get_block_status
  iscsi: Assign bs to file in iscsi_co_get_block_status
  raw: Assign bs to file in raw_co_get_block_status
  qcow2: Assign bs->file->bs to file in qcow2_co_get_block_status
  qcow: Assign bs->file->bs to file in qcow_co_get_block_status
  block: Add "file" output parameter to block status query functions
  block: acquire in bdrv_query_image_info
  iotests: Add test for block jobs and BDS ejection
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-02 18:04:04 +00:00
Peter Maydell
3bb1e822ca usb: two ehci fixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJWsKsgAAoJEEy22O7T6HE4gPUP/2KhBKSoLh+sxuyDYtlSV28c
 GZXAEKTed9BK+aCFKQl63Nlu8mJUEIxkqokSBKYdY/rXrGTeyYZoLHQ4yU/8PmcF
 zThQrOOKHMv0B5m3ZfU3pjuD8bkzT3ao3ZwpLNooQvr71nKsLTfi2HlV4B0kKQWg
 wJqu8HXFBcsaTn4fxzCSw613ZtU6jOIXIm1MaIq3U3DMS5L7qiT/eOpbgUGJK110
 V9mzvCYovKK5hYkdkwHXEVHcN+uRLPxDyxXyOBCuAQrB2+7SFFTtff+OFqb0+Txw
 VheZfRuHmWUj/YhevzorntYgu8L2OcVuRZm0LGwOkTikx/FgSzfl3LLbL5pxChVi
 0CYKez4ZHA5o2T1s40kg+y78o9Ko+8o1YOaPVzvR9JM8cMG9LhRblmaORDjoQiWB
 Z6XUzoT8138kG+d8gXlhAFcuHar3uei9XYnPXfNg+dRnf7KjofRVintYQJbmNkBV
 8tvGyRBIlZ/TkW0fF4YFGxRjRfT/zbTPhjUZP6n8umh5pRkhKRuTKtJXMKKMT8J5
 xpFY8j63OVfkhrQPxplZcwJfessZTmpimrlm+LjJQzSEclM5kVoAzCNoYGnRTYf0
 CkQeSKJBFLQa94HNxmGiYjTiYIJsycfF7x8VTcMLavQAuiOjb3wc2Fji15dCrb4Y
 3I2cSNiltVGLUkqulDAz
 =ys3c
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160202-1' into staging

usb: two ehci fixes.

# gpg: Signature made Tue 02 Feb 2016 13:12:00 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20160202-1:
  ehci: update irq on reset
  usb: check page select value while processing iTD

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-02 17:01:56 +00:00
Max Reitz
5b9e0e4693 virtio-scsi: Catch BDS-BB removal/insertion
Make use of the BDS-BB removal and insertion notifiers to remove or set
up, respectively, virtio-scsi's op blockers.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-02-02 17:50:46 +01:00
Max Reitz
1b1e0659a4 virtio-blk: Functions for op blocker management
Put the code for setting up and removing op blockers into an own
function, respectively. Then, we can invoke those functions whenever a
BDS is removed from an virtio-blk BB or inserted into it.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-02-02 17:50:46 +01:00
Max Reitz
abb3e55b5b Revert "hw/block/fdc: Implement tray status"
This reverts the changes that commit
2e1280e8ff applied to hw/block/fdc.c;
also, an additional case of drv->media_inserted use has crept in since,
which is replaced by a call to blk_is_inserted().

That commit changed tests/fdc-test.c, too, because after it, one less
TRAY_MOVED event would be emitted when executing 'change' on an empty
drive. However, now, no TRAY_MOVED events will be emitted at all, and
the tray_open status returned by query-block will always be false,
necessitating (different) changes to tests/fdc-test.c and iotest 118,
which is why this patch is not a pure revert of said commit.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 1454096953-31773-4-git-send-email-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
2016-02-02 17:47:04 +01:00
Peter Maydell
958e369360 audio: Clean up includes
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJWsKfeAAoJEEy22O7T6HE4Z74QAI+wj9IfERD0CX2ZQOuxLtDZ
 cH8OlhfTX7A38yIay+xrRDnW2ZfFGHqxcPh8BtkP2h7jTojKl0HVuS5HDllkReqa
 sVY5g0sk7bdcO2nhA57XCKK0uW8hv9NcxLhX6LwNMrvNKIw9SAoo+oT+7GxRHfra
 tmY4+gm65KEPxy/htP7nrq/ClD4N6W6tjQ5yShataDEBRKd2LJ/60erPPXjVRQ69
 iH0iw2QSRGljpZKNT76/MvVHcH0PvshEFpKbcmO75X/unLvbUCfa6q9jlHUv1r9u
 0afdogq/enBwBCgnvC1gC47KogyHxTQznPUnHcU50CHO6/iVOi0C9QaVRq7xbBdY
 ct4lnZ7FmGbmAgxXUNNES8F5wlMX6HEo7nv8Md8tZK/+hW0X1OFHHRlp+G641RgQ
 D0ByO29nTVKX3rgtoJsSnVt9NCtubjYr9Pv/c1lIbeOZdc1qDG53W9o/fv7CUlEu
 5sz8UJOKWdMjaS0PPF+m03IJ4o3QuWGGjexQTJ6WmAduYtbdGRIpSj6O0Oem0+sY
 8ZFhoMZ9GConX0+kkmt9IXcbgFEZQsBgEseKTJums8TQNsv1omLBz1rkaQN32w50
 zTB+1zV38A6d1gx/GJzqxGZdagbtxZn4yPDwyUpMmqqX36dQBkq6Qakqo+HgKLWp
 nSARa1vZf9GC6kifUNx9
 =jOlf
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20160202-1' into staging

audio: Clean up includes

# gpg: Signature made Tue 02 Feb 2016 12:58:06 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-audio-20160202-1:
  audio: Clean up includes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-02 14:55:01 +00:00
Peter Maydell
dce0238c74 nvme: generate OpenFirmware device path in the "bootorder" fw_cfg file
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJWsKbsAAoJEEy22O7T6HE4e58QAITA++LhG9ulH0YBtWbY5pnF
 7eTbO/QiDKjepV+/P92SbBVhv7gFROCJdUFqqGs+b8aGolxcyzghZafUE0HWYirR
 JQ8vtF2yHTUN9IAdq/qv2xlukci78PtuDnC2tybXNbIqcOXGOllPq6hVcRSrt8lE
 t5tfF7+Jc0QwTIvLhj5FcMa2kChz5rbp0UAF9hjSufRwfqukFVDhFb3zxJze5226
 V1kpeSAA2WhPnyi+F77NRl7ucOKhfdN816Wkj8xpSCpIrfiuCtTVlKXD+M0FuPU8
 BH6VrQZqGu2WFY5RldKjnMpw2wUTJuavLd/IEfGDC6XgRQUtyTIcNBFxFg02HWM7
 WL5T/BApoRcadzl5MToIRMeEKwaAnmWkGctHY26TfOsbk2dQhXTHzhAYcTRPT/WM
 ag3Vsorr6k8Iwn/yWkGSBGz6LBejh9zq/DsGjeJepFxkQLd4Dw39DzgsBwoLhUcM
 zBRib/p5dF1GFPdpcAOjK1GV4a/rpQYpKJ7DjIjtkA865ocKoEW2fVA8ApRqUh2K
 +JDRnFI7LMG4izshSrNLQbWswaqsuRwcSjU11DepJquGglRBdhvfgKhL3yKXpna7
 a4+XbgrrwMCURNictcgi6WD+Gncw92OMfonki61CrLZhkqhye/TQfseucKYvru7g
 lcvRDp54suBPxviT9OZa
 =tAQf
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-fwcfg-20160202-1' into staging

nvme: generate OpenFirmware device path in the "bootorder" fw_cfg file

# gpg: Signature made Tue 02 Feb 2016 12:54:04 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-fwcfg-20160202-1:
  nvme: generate OpenFirmware device path in the "bootorder" fw_cfg file

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-02 14:27:12 +00:00