Commit Graph

46155 Commits

Author SHA1 Message Date
Alexey Kardashevskiy
705124ea6d vmstate: Define VARRAY with VMS_ALLOC
This allows dynamic allocation for migrating arrays.

Already existing VMSTATE_VARRAY_UINT32 requires an array to be
pre-allocated, however there are cases when the size is not known in
advance and there is no real need to enforce it.

This defines another variant of VMSTATE_VARRAY_UINT32 with WMS_ALLOC
flag which tells the receiving side to allocate memory for the array
before receiving the data.

The first user of it is a dynamic DMA window which existence and size
are totally dynamic.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-06-07 10:17:45 +10:00
Bharata B Rao
44f2e6c10e kvm: API to obtain max supported mem slots
Introduce kvm_get_max_memslots() API that can be used to obtain the
maximum number of memslots supported by KVM.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-06-07 10:17:45 +10:00
Talha Imran
a575d9ab2e target-ppc/fpu_helper: Fix efscmp* instructions handling
With specification at hand from the reference manual from Freescale
http://cache.nxp.com/files/32bit/doc/ref_manual/SPEPEM.pdf , I have found a fix
to efscmp* instructions handling in QEMU.

efscmp* instructions in QEMU set crD (Condition Register nibble) values as
(0b0100 << 2) = 0b10000 (consider the HELPER_SINGLE_SPE_CMP macro which left
shifts the value returned by efscmp* handler by 2 bits). A value of 0b10000 is
not correct according the to the reference manual.

The reference manual expects efscmp* instructions to return a value of 0bx1xx.
Please find attached a patch which disables left shifting in
HELPER_SINGLE_SPE_CMP macro. This macro is used by efscmp* and efstst*
instructions only. efstst* instruction handlers, in turn, call efscmp* handlers
too.

*Explanation:*
Traditionally, each crD (condition register nibble) consist of 4 bits, which is
set by comparisons as follows:
crD = W X Y Z
where
W = Less than
X = Greater than
Y = Equal to

However, efscmp* instructions being a special case return a binary result.
(efscmpeq will set the crD = 0bx1xx iff when op1 == op2 and 0bx0xx otherwise;
i.e. there is no notion of different crD values based on Less than, Greater
than and Equal to).

This effectively means that crD will store a "Greater than" comparison result
iff efscmp* instruction comparison is TRUE. Compiler exploits this feature by
checking for "Branch if Less than or Equal to" (ble instruction) OR "Branch if
Greater than" (bgt instruction) for Branch if FALSE OR Branch if TRUE
respectively after an efscmp* instruction. This can be seen in a assembly code
snippet below:

27          if (__real__ x != 3.0f || __imag__ x != 4.0f)
10000498:   lwz r10,8(r31)
1000049c:   lis r9,16448
100004a0:   efscmpeq cr7,r10,r9
100004a4:   ble- cr7,0x100004b8 <bar+60>  //jump to abort() call
100004a8:   lwz r10,12(r31)
100004ac:   lis r9,16512
100004b0:   efscmpeq cr7,r10,r9
100004b4:   bgt- cr7,0x100004bc <bar+64>  //skip abort() call
28            abort ();
100004b8:   bl 0x10000808 <abort>

Signed-off-by: Talha Imran <talha_imran@mentor.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-06-07 10:17:44 +10:00
Peter Maydell
7646240580 target-arm queue:
* support instruction syndrome info for data aborts from A64 to EL2
  * add HSTR_EL2 register
  * fix incorrect ESR IL bits in various syndrome register cases
  * virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range
  * gicv2: RAZ/WI non-sec access to sec interrupts
  * i2c: add aspeed i2c controller
  * virt: Reject gic-version=host for non-KVM (don't segv on aarch64 host)
  * xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
  * xlnx-zynqmp: Support KVM on AArch64 hosts
  * ptimer: Various fixes for awkward corner cases
  * char: QOMify various ARM UART models
  * char: get rid of qemu_char_get_next_serial
  * target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
  * zynqmp: Add the ZCU102 board
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJXVZ5HAAoJEDwlJe0UNgzedgEP/Rbtq8xctqTjXuDL9zvzdnSI
 Gvv25/DPuJJREERlXVJWM6WVf2MIaiqMIhEe1jjMj6K/tAvNd0ZX+0rioFGJ+F1c
 GVdb28nHg8u89TBBpZai23XrjCDtEIpOw/Yo7W2KOCdpfQgEAMIiFvsEe+8q26Dp
 XAlmcqKWmmxvM5CrOOKulALvzkWowg4nEZ72IoB/dAvXl9S23iEHXz8FdJZcIb/H
 I7m+zOoSlW+vicHDeHO7BuO91eqiUXfDOXbIUbUu14Jku8iE5sW6wlUKDiHeotQt
 qOVuFWcMBh09G+YH6DR1Y9+TTMvBYHvZX0+v2nABUu9L10RibWhxjzArktU8ioka
 U4tAGcIFrrbCcInGShFvT10vI9A1cqGgfUyZcR5zm1jVE2uwg7KDER0eu4qytSbM
 WpJfL7vIiCmqKyHji+v/TdGqmjRfY7MdU4DmJvzwCcSOo8NJ3AI38qTEVUZBcWPi
 QCQCeCncckcDcEbC4jfCisxNHdyALv3c5s4jQS9r9VmbOs4BuPRwxpmliQQnzMRv
 pPW66ftoUojphAqNqdefScOc6CjU6OrqnJxy+BanWxyEBwUnegDGH782FYx4blne
 g47z+vJrg4F4op1d/X7Tpm6FgwiYIBR/KW2QUKb954/65YpEH8Y08laOgaMKtwMV
 8XZYvv0/kPLyc0gjYaPt
 =mHQd
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160606-1' into staging

target-arm queue:
 * support instruction syndrome info for data aborts from A64 to EL2
 * add HSTR_EL2 register
 * fix incorrect ESR IL bits in various syndrome register cases
 * virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range
 * gicv2: RAZ/WI non-sec access to sec interrupts
 * i2c: add aspeed i2c controller
 * virt: Reject gic-version=host for non-KVM (don't segv on aarch64 host)
 * xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
 * xlnx-zynqmp: Support KVM on AArch64 hosts
 * ptimer: Various fixes for awkward corner cases
 * char: QOMify various ARM UART models
 * char: get rid of qemu_char_get_next_serial
 * target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
 * zynqmp: Add the ZCU102 board

# gpg: Signature made Mon 06 Jun 2016 17:01:11 BST
# gpg:                using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"

* remotes/pmaydell/tags/pull-target-arm-20160606-1: (25 commits)
  zynqmp: Add the ZCU102 board
  target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
  char: get rid of qemu_char_get_next_serial
  hw/char: QOM'ify xilinx_uartlite model
  hw/char: QOM'ify stm32f2xx_usart model
  hw/char: QOM'ify digic-uart model
  hw/char: QOM'ify cadence_uart model
  hw/char: QOM'ify pl011 model
  hw/ptimer: Introduce ptimer_get_limit
  hw/ptimer: Support "on the fly" timer mode switch
  hw/ptimer: Update .delta on period/freq change
  hw/ptimer: Perform counter wrap around if timer already expired
  hw/ptimer: Fix issues caused by the adjusted timer limit value
  xlnx-zynqmp: Use the in kernel GIC model for KVM runs
  xlnx-zynqmp: Delay realization of GIC until post CPU realization
  xlnx-zynqmp: Make the RPU subsystem optional
  xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
  hw/arm/virt: Reject gic-version=host for non-KVM
  i2c: add aspeed i2c controller
  hw/intc/gic: RAZ/WI non-sec access to sec interrupts
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 17:02:42 +01:00
Alistair Francis
0c18c6c67e zynqmp: Add the ZCU102 board
Most Zynq UltraScale+ users will be targetting and using the ZCU102
board instead of the development focused EP108. To make our QEMU machine
names clearer add a ZCU102 machine model.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: cc82eec026b2febfca252d73362bb7084616c1ad.1464213234.git.alistair.francis@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:32 +01:00
Sergey Sorokin
6e99f76261 target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
Address size is 40-bit for the AArch32 stage 2 translation,
and t0sz can be negative (from -8 to 7),
so we need to adjust it to use the existing TTBR selecting logic.

Signed-off-by: Sergey Sorokin <afarallax@yandex.ru>
Message-id: 1464974151-1231644-1-git-send-email-afarallax@yandex.ru
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:32 +01:00
xiaoqiang zhao
e5fabad7cc char: get rid of qemu_char_get_next_serial
since there is no user of qemu_char_get_next_serial any more,
it's time to let it go away.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-7-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:32 +01:00
xiaoqiang zhao
1b6d0781c2 hw/char: QOM'ify xilinx_uartlite model
* drop qemu_char_get_next_serial and use chardev prop
* create xilinx_uartlite_create wrapper function to create
  xilinx_uartlite device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-6-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:32 +01:00
xiaoqiang zhao
7bd43519da hw/char: QOM'ify stm32f2xx_usart model
* drop qemu_char_get_next_serial and use chardev prop
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-5-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:32 +01:00
xiaoqiang zhao
746c3b3eba hw/char: QOM'ify digic-uart model
* drop qemu_char_get_next_serial and use chardev prop
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-4-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:31 +01:00
xiaoqiang zhao
4be12ea09a hw/char: QOM'ify cadence_uart model
* drop qemu_char_get_next_serial and use chardev prop
* create cadence_uart_create wrapper function to create
  cadence_uart_device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-3-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:31 +01:00
xiaoqiang zhao
f0d1d2c115 hw/char: QOM'ify pl011 model
* drop qemu_char_get_next_serial and use chardev prop
* add pl011_create wrapper function to create pl011 uart device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-2-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:31 +01:00
Dmitry Osipenko
578c4b2f23 hw/ptimer: Introduce ptimer_get_limit
Currently ptimer users are used to store copy of the limit value, because
ptimer doesn't provide facility to retrieve the limit. Let's provide it.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 8f1fa9f90d8dbf8086fb02f3b4835eaeb4089cf6.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:31 +01:00
Dmitry Osipenko
869e92b5c3 hw/ptimer: Support "on the fly" timer mode switch
Allow switching between periodic <-> oneshot modes while timer is running.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: f030be6e28fbd219e1e8d22297aee367bd9af5bb.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:31 +01:00
Dmitry Osipenko
7ef6e3cf8d hw/ptimer: Update .delta on period/freq change
Delta value must be updated on period/freq change, otherwise running timer
would be restarted (counter reloaded with old delta). Only m68k/mcf520x
and arm/arm_timer devices are currently doing freq change correctly, i.e.
stopping the timer. Perform delta update to fix affected devices and
eliminate potential further mistakes.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 4987ef5fdc128bb9a744fd794d3f609135c6a39c.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:30 +01:00
Dmitry Osipenko
5a50307b48 hw/ptimer: Perform counter wrap around if timer already expired
ptimer_get_count() might be called while QEMU timer already been expired.
In that case ptimer would return counter = 0, which might be undesirable
in case of polled timer. Do counter wrap around for periodic timer to keep
it distributed. In order to achieve more accurate emulation behaviour of
certain hardware, don't perform wrap around when in icount mode and return
counter = 0 in that case (that doesn't affect polled counter distribution).

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 4ce381c7d24d85d165ff251d2875d16a4b6a5c04.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:30 +01:00
Dmitry Osipenko
e91171e302 hw/ptimer: Fix issues caused by the adjusted timer limit value
Multiple issues here related to the timer with a adjusted .limit value:

1) ptimer_get_count() returns incorrect counter value for the disabled
timer after loading the counter with a small value, because adjusted limit
value is used instead of the original.

For instance:
    1) ptimer_stop(t)
    2) ptimer_set_period(t, 1)
    3) ptimer_set_limit(t, 0, 1)
    4) ptimer_get_count(t) <-- would return 10000 instead of 0

2) ptimer_get_count() might return incorrect value for the timer running
with a adjusted limit value.

For instance:
    1) ptimer_stop(t)
    2) ptimer_set_period(t, 1)
    3) ptimer_set_limit(t, 10, 1)
    4) ptimer_run(t)
    5) ptimer_get_count(t) <-- might return value > 10

3) Neither ptimer_set_period() nor ptimer_set_freq() are adjusting the
limit value, so it is still possible to make timer timeout value
arbitrary small.

For instance:
    1) ptimer_set_period(t, 10000)
    2) ptimer_set_limit(t, 1, 0)
    3) ptimer_set_period(t, 1) <-- bypass limit correction

Fix all of the above issues by adjusting timer period instead of the limit.
Perform the adjustment for periodic timer only. Use the delta value instead
of the limit to make decision whether adjustment is required, as limit could
be altered while timer is running, resulting in incorrect value returned by
ptimer_get_count.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: cd141f74f5737480ec586b9c7d18cce1d69884e2.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:30 +01:00
Edgar E. Iglesias
2a0ee672c9 xlnx-zynqmp: Use the in kernel GIC model for KVM runs
Use the in kernel GIC model when running with KVM enabled.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-5-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:30 +01:00
Edgar E. Iglesias
0776d9679d xlnx-zynqmp: Delay realization of GIC until post CPU realization
Delay the realization of the GIC until after CPUs are
realized. This is needed for KVM as the in-kernel GIC
model will fail if it is realized with no available CPUs.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-4-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:30 +01:00
Edgar E. Iglesias
6ed92b14f6 xlnx-zynqmp: Make the RPU subsystem optional
The way we currently model the RPU subsystem is of quite
limited use. In addition to that, it causes problems for
KVM and for GDB debugging.

Make the RPU optional by adding a has_rpu property and
default to having it disabled.

This changes the default setup from having the RPU to not
longer having it.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-3-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:29 +01:00
Edgar E. Iglesias
37d42473d1 xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
Add a secure prop to en/disable ARM Security Extensions.
This is particularly useful for KVM runs.

Default to disabled to match the behavior of KVM.

This changes the default setup from having the ARM Security
Extensions to not longer having them.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-2-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:29 +01:00
Cole Robinson
0bf8039dca hw/arm/virt: Reject gic-version=host for non-KVM
If you try to gic-version=host with TCG on a KVM aarch64 host,
qemu segfaults, since host requires KVM APIs.

Explicitly reject gic-version=host if KVM is not enabled

https://bugzilla.redhat.com/show_bug.cgi?id=1339977
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e.1464273085.git.crobinso@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:29 +01:00
Cédric Le Goater
1602001195 i2c: add aspeed i2c controller
The Aspeed AST2400 integrates a set of 14 I2C/SMBus bus controllers
directly connected to the APB bus. They can be programmed as master or
slave but the propopsed model only supports the master mode.

On the TODO list, we also have :

 - improve and harden the state machine.
 - bus recovery support (used by the Linux driver).
 - transfer mode state machine bits. this is not strictly necessary as
   it is mostly used for debug. The bus busy bit is deducted from the
   I2C core engine of qemu.
 - support of the pool buffer: 2048 bytes of internal SRAM (not used
   by the Linux driver).

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1464704307-25178-1-git-send-email-clg@kaod.org
[PMM: removed unused functions aspeed_i2c_bus_get_state() and
 aspeed_i2c_bus_set_state()]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:29 +01:00
Jens Wiklander
fea8a08e16 hw/intc/gic: RAZ/WI non-sec access to sec interrupts
Treat non-secure accesses to registers and bits in registers of secure
interrupts as RAZ/WI.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Message-id: 1464273945-2055-1-git-send-email-jens.wiklander@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:29 +01:00
Ard Biesheuvel
e40c3d2e7f hw/arm/virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range
Set the MMIO range limit field to 'base + size - 1' as required.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1463856217-17969-1-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:28 +01:00
Peter Maydell
78f1edb19f target-arm: Don't try to set ESR IL bit in arm_cpu_do_interrupt_aarch64()
Remove some incorrect code from arm_cpu_do_interrupt_aarch64()
which attempts to set the IL bit in the syndrome register based
on the value of env->thumb. This is wrong in several ways:
 * IL doesn't indicate Thumb-vs-ARM, it indicates instruction
   length (which may be 16 or 32 for Thumb and is always 32 for ARM)
 * not every syndrome format uses IL like this -- for some IL is
   always set, and for some it is always clear
 * the code is changing esr_el[new_el] even for interrupt entry,
   which is not supposed to modify ESR_ELx at all

Delete the code, and instead rely on the syndrome value in
env->exception.syndrome having already been set up with the
correct value of IL.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1463487258-27468-3-git-send-email-peter.maydell@linaro.org
2016-06-06 16:59:28 +01:00
Peter Maydell
04ce861ea5 target-arm: Set IL bit in syndromes for insn abort, watchpoint, swstep
For some exception syndrome types, the IL bit should always be set.
This includes the instruction abort, watchpoint and software step
syndrome types; add the missing ARM_EL_IL bit to the syndrome
values returned by syn_insn_abort(), syn_swstep() and syn_watchpoint().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1463487258-27468-2-git-send-email-peter.maydell@linaro.org
2016-06-06 16:59:28 +01:00
Edgar E. Iglesias
aaa1f954d4 target-arm: A64: Create Instruction Syndromes for Data Aborts
Add support for generating the ISS (Instruction Specific Syndrome) for
Data Abort exceptions taken from AArch64.
These syndromes are used by hypervisors for example to trap and emulate
memory accesses.

We save the decoded data out-of-band with the TBs at translation time.
When exceptions hit, the extra data attached to the TB is used to
recreate the state needed to encode instruction syndromes.
This avoids the need to emit moves with every load/store.

Based on a suggestion from Peter Maydell.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1462464601-10888-2-git-send-email-edgar.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:28 +01:00
Alistair Francis
2a5a9abd4b target-arm: Add the HSTR_EL2 register
Add the Hypervisor System Trap Register for EL2.

This register is used early in the Linux boot and without it the kernel
aborts with a "Synchronous Abort" error.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: ea5aae4b10283de4705b864fe9d4bd2eaddaacae.1463174342.git.alistair.francis@xilinx.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 16:59:28 +01:00
Peter Maydell
280b2358cd readdir_r() to readdir() conversion, various minor cleanups
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAldVR/QACgkQAvw66wEB28JwVQCgiTy4bpShd9GiFgJ+eoSgJnt5
 lLcAn3rnv44g0SpW5M7aK4I8RzyEig0X
 =vbbR
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

readdir_r() to readdir() conversion, various minor cleanups

# gpg: Signature made Mon 06 Jun 2016 10:52:52 BST
# gpg:                using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <gkurz@fr.ibm.com>"
# gpg:                 aka "Greg Kurz <groug@free.fr>"
# gpg:                 aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg:                 aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg:                 aka "Gregory Kurz (Cimai Technology) <gkurz@cimai.com>"
# gpg:                 aka "Gregory Kurz (Meiosys Technology) <gkurz@meiosys.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894  DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/for-upstream:
  9p: switch back to readdir()
  9p: add locking to V9fsDir
  9p: introduce the V9fsDir type
  9p: drop useless out: label
  9p: drop useless inclusion of hw/i386/pc.h
  9p/fsdev: remove obsolete references to virtio
  9p: some more cleanup in #include directives

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 15:17:52 +01:00
Peter Maydell
e854d0cf78 virtio-gpu: scanout fix, live migration support
vmsvga: security fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXVSCcAAoJEEy22O7T6HE4Zf4P/35npT1VyXPpT7of/4fF/2+k
 zD1mGkB6cd4Zv45A9XkiT9RtaJJdOVnjVNftPp2J7t063lccGUOqbzEohh5At6Bl
 dbtjjbl/WBl+gDRRGGsPT+vHSYkzUBXWaNUeAnph7bgqTaRAm6U18sEnZmdHo6+9
 /Sdtb+hVcoPPrq9g9qspd3DU7anMdbjTMrPepkFVKozK0fHn+LRCDxS5RWFz51C2
 bcQAgPqT1TBYzrrcz8oFCBuDnaxCqHrSiawB/oh6uZwtcG9GGJqYJiDOmvGzJbDN
 RIwWZeOLcOBF2BRNI2AY6abMJkMTcMztEn8iNU8lZmSswgJ6cS+4YBjCsQfCxrcR
 aipbzI405D03oWJGSZed08Ud7Prp+tRHnOk/IU6zX5uT84U/0PVKTgUB9/xwq7L7
 LSKKQUgG6AwCwg5XNneoj2O6H8CgbQGdZ2BVAiN66bYF/6TDG6msXkVotyWttjfK
 Y8DbkHiwcNrbI8vcKed/VGSUEoidk/NljiGeflzgwPoVlB2dbr6LPov2HNHFW/0/
 /3rRatJhLgucjSeIdDU63ze/4If119YYwtj9EykN/Yhizmjsx0+st6BCsgyTjJXj
 HQ/hAk9wGCc/vhILHVoGQ5NOUqcfS05plyBXKF+GREugN7t/RE/kdtob54NeSqmP
 Jr0v3GmCn1zfKS6sw/iu
 =pera
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160606-1' into staging

virtio-gpu: scanout fix, live migration support
vmsvga: security fixes

# gpg: Signature made Mon 06 Jun 2016 08:05:00 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20160606-1:
  virtio-gpu: add live migration support
  vmsvga: don't process more than 1024 fifo commands at once
  vmsvga: shadow fifo registers
  vmsvga: add more fifo checks
  vmsvga: move fifo sanity checks to vmsvga_fifo_length
  virtio-gpu: fix scanout rectangles

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 13:58:24 +01:00
Mark Cave-Ayland
890e48d7fc scsi-disk: fix reads from scsi-disk devices
Commit fcaafb1001 accidentally broke reads from
scsi-disk devices when being updated from its original form to use the new
byte-based block functions. Add the extra missing sector to offset conversion
in order to restore read functionality.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1464931021-25117-1-git-send-email-mark.cave-ayland@ilande.co.uk
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 13:23:41 +01:00
Peter Maydell
8625c3ffc8 audio: pa volume fix, some qomifying.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXVR/BAAoJEEy22O7T6HE4QqkQAMZ4lAbBvJGVQg473Q1nGc1i
 DpRD5uy0tWcDzYw5FnJ1zw78scpp2w4UzMl5w/SBi/G6B3aJnOKLELpEqaTXI9lv
 FnXrfgThol4un+/GmXsUTYhvG5aPK43y2iWNJzNJttg17NNjROAxSd9pP8K0u/lp
 8jGzjc+XPUnAZcy5q9ticV++LmgGyKIhNowgA2BlcoVHSyK6BkgJrXjThPrTbBLk
 hK38BhW0RMxAmuiR2dbfwZKDY9taoAftaNp2UeamDDc15M36CDCFoMHL5Ztqmitb
 SKz+7hMKQUFILhpSQdoZJbJNLe9L+4ThLAHN9dbvOkPW1Fdk5WUKJRnpDXnoyVQX
 pPHFTQiAobWzAYxUrK8qIGcafqaqcmAKN0VHdqE7VUkGIZW4bRrAG/RQ6o1PHsL3
 xtMTn9ChSSMXq86PNkRT5Z2Mr0A0WcBUhKLf5zdvCgESs2GYS+J+GF8vUMr8SnNI
 Qr6wuXow7U+su3fSBbBdimRDkAcM5BxaZjopbjOfI1Ydso+YglTxPxT7JbULuEn2
 etCZaffiTTtc+5u7Gac0OxlcV2lhVHuWaenvdpODJLjjHSBE1XFkLIbJlvwGr6LK
 eV25w3q/YHLkcvlrN5Hy13hmX6gVjZtOabSsnxB78dM+xUPSn62RoepxWSbj2Z9j
 I4J/D3H+SBpeJ/iV+2y/
 =FQbx
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20160606-1' into staging

audio: pa volume fix, some qomifying.

# gpg: Signature made Mon 06 Jun 2016 08:01:21 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-audio-20160606-1:
  hw/audio: QOM'ify milkymist-ac97.c
  hw/audio: QOM'ify intel-hda
  hw/audio: QOM cleanup for intel-hda
  hw/audio: QOM'ify cs4231.c
  audio: pa: Set volume of recording stream instead of recording device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 12:47:37 +01:00
Peter Maydell
b0491a1a17 Check address ranges for disassembly
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXVFOkAAoJEK0ScMxN0CebhTMIAI4nrVasyw8+d7jKlZ1/ybO8
 Kpjs9oQqgEClaN4JTjsNOgTkX0PEr8qy9aXPDmVwPLbNigaTLAOGq6w3icoE/edC
 RTkKVmZ9OOtaJn/sbCR6mmkKNWZlJUCZ13L4i9Cl4WTwqR5LXFTCZRrdBvp1qgDj
 s7+n/XXUKFNo6tZ7jqQ+qXZpxVzIobZ6sdKiZKa8sJkgQ95m+U1/WoJyy0yrx97Q
 IiIoWBurLz3q9Q093Po/rgN337et0qQFEhETnkSF2MITI9+7647I/OdwGio/2Ox3
 n4tHH9U0bZ/HhZQXvybMdua3ixcuPumdv7Ruy22HNvvxMi9E4GIKv/9nDGlDSV4=
 =xp4j
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/rth/tags/pull-tgt-20160605' into staging

Check address ranges for disassembly

# gpg: Signature made Sun 05 Jun 2016 17:30:28 BST
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"

* remotes/rth/tags/pull-tgt-20160605:
  target-*: dfilter support for in_asm

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 12:04:59 +01:00
Peter Wu
5819e3e072 gdbstub: avoid busy loop while waiting for gdb
While waiting for a gdb response, or while sending an acknowledgement
there is not much to do, so do not mark the socket as non-blocking to
avoid a busy loop while paused at gdb. This only affects the user-mode
emulation (qemu-arm -g 1234 ./a.out).

Note that this issue was reported before at
https://lists.nongnu.org/archive/html/qemu-devel/2013-02/msg02277.html.

While at it, close the gdb client fd on EOF or error while reading.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 11:15:54 +01:00
Greg Kurz
635324e83e 9p: switch back to readdir()
This patch changes the 9p code to use readdir() again instead of
readdir_r(), which is deprecated in glibc 2.24.

All the locking was put in place by a previous patch.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
7cde47d4a8 9p: add locking to V9fsDir
If several threads concurrently call readdir() with the same directory
stream pointer, it is possible that they all get a pointer to the same
dirent structure, whose content is overwritten each time readdir() is
called.

We must thus serialize accesses to the dirent structure.

This may be achieved with a mutex like below:

lock_mutex();

readdir();

// work with the dirent

unlock_mutex();

This patch adds all the locking, to prepare the switch to readdir().

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
f314ea4e30 9p: introduce the V9fsDir type
If we are to switch back to readdir(), we need a more complex type than
DIR * to be able to serialize concurrent accesses to the directory stream.

This patch introduces a placeholder type and fixes all users.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
8762a46d36 9p: drop useless out: label
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
beff62e683 9p: drop useless inclusion of hw/i386/pc.h
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
af8b38b0d1 9p/fsdev: remove obsolete references to virtio
Most of the 9p code is now virtio agnostic. This patch does a final cleanup:
- drop references to Virtio from the header comments
- fix includes

Also drop a couple of leading empty lines while here.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Greg Kurz
aae91ad9ae 9p: some more cleanup in #include directives
The "9p-attr.h" header isn't needed by 9p synth and virtio 9p.

While here, also drop last references to virtio from 9p synth since it is
now transport agnostic code.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06 11:52:34 +02:00
Dmitry Fleytman
de5dca1b79 e1000e: Fix build with gcc 4.6.3 and ust tracing
This patch fixes used-uninitialized false
positive while compiling with ust tracing
backend plus gcc 4.6.3:

hw/net/e1000e.c: In function ‘e1000e_io_write’:
hw/net/e1000e.c:170:39: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized]
hw/net/e1000e.c: In function ‘e1000e_io_read’:
hw/net/e1000e.c:145:35: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized]
cc1: all warnings being treated as errors
make: *** [hw/net/e1000e.o] Error 1

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-id: 1465023763-10773-1-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06 09:42:54 +01:00
Gerd Hoffmann
0c244e50ee virtio-gpu: add live migration support
Store some additional state for cursor and resource backing storage,
so we can write out and reload things.  Implement vmsave+vmload for
2d mode.  Continue blocking live migration in 3d/virgl mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com
2016-06-06 09:04:34 +02:00
Gerd Hoffmann
4e68a0ee17 vmsvga: don't process more than 1024 fifo commands at once
vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
2016-06-06 09:04:29 +02:00
Gerd Hoffmann
7e486f7577 vmsvga: shadow fifo registers
The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without syncronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
2016-06-06 09:04:24 +02:00
Gerd Hoffmann
c2e3c54d39 vmsvga: add more fifo checks
Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
2016-06-06 09:04:19 +02:00
Gerd Hoffmann
5213602678 vmsvga: move fifo sanity checks to vmsvga_fifo_length
Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
2016-06-06 09:03:51 +02:00
Richard Henderson
4910e6e42e target-*: dfilter support for in_asm
The arm target was handled by 06486077, but other targets
were ignored.  This handles all the rest which actually support
disassembly (that is, skipping moxie and tilegx).

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
2016-06-05 09:26:24 -07:00
Peter Maydell
6b3532b20b vnc: keyboard delay, colormap support
ui: misc bugfixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJXUSuIAAoJEEy22O7T6HE4egUP/iVtfRVi95fqOMj4e7QDlO3K
 Xf7Yn36sHi9Ov4GF5EbCAfkJQQfYHJDFyN1XibuUfH5LSRR/Z1a4mFAiSTi1jbB/
 mMxFA/wbKJ1Qr+fbA3yDBdj+A0DM0YRkwvBmdtgmkhrc7nzH2AAKt5mcHaCJW7+u
 CkBiuBfSG2QvrNSYe3hhQ5TfuXnHfAVyxDRRkA12Vj28ismfGX+vvbIg3sKWvd98
 o01TrX1fBJOoGDWyA1mDei0HbZXqYMdU0ioBcxc+LwhNgr89TxTHgGnWZOYJiF43
 Y22uddpuxdXCET9GbyOGYl8Y28yJtihxhl2/rTyVMTHNL8WShxZv+KWL2riUc03Q
 hgC4D4PRhD0MdJ1ONNmYiN5ss0fxHCgymF2kQ6CZEo71qpn3wR6WTlsbaKbD/M8B
 1lEDlOYKm8e3ncCAJO75icyYnjUt2aCgPZY1XciW7RWVBm36TP+fAGEAktlGSvku
 hbBwlXa13DSLjyCmbif3eXPb+l4M5QP6+DG1tZPmRknTbsgWvzC74GwVqfQlKfvW
 zvIxZecXFGZO2burLcEYejq/+YRolpLxuWIyVtwmpSGtycNepFe0cmss/JiIrCbb
 KPCQl6dBZosRfbS8xlHhXBq4yVGqgnJ6QOBJ9HVxO3WNGSsS+miv2A/C6p/q/bSD
 g4L/YX5GD42jeSKrkXnM
 =qX3g
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20160603-1' into staging

vnc: keyboard delay, colormap support
ui: misc bugfixes

# gpg: Signature made Fri 03 Jun 2016 08:02:32 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-ui-20160603-1:
  vnc: add configurable keyboard delay
  sdl2: skip init without outputs
  vnc: Add support for color map
  SDL2: add bgrx pixel format
  gtk: fix unchecked vc dereference
  ui: spice: Exit if gl=on EGL init fails
  ui: egl: Replace fprintf with error_report

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-03 12:03:36 +01:00