The i2c core and the at24c EEPROM should only be compiled and linked
on the machines that support i2c. Otherwise it's quite strange to see
the at24c-eeprom to be "available" on qemu-system-s390x for example.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1516634853-15883-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Coverity doesn't like the ignored return value introduced in
9d3b155186 (hw/block: Fix the return type), and other callers are
converted already in ceff3e1f01.
This one was added lately in d9bcd6f7f2 and missed the train. Do it
now.
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <20180118025245.13042-1-famz@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
QOM API learning curve is quite hard, in particular when devices inherit from
abstract parent.
To be more explicit about when a device class change the parent hooks, add few
helpers hoping a device class_init() will be easier to understand.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180114020412.26160-3-f4bug@amsat.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJadcD7AAoJEHWtZYAqC0IR8eoIAJn4Id/N+DB7xYvBBINUU/3H
At0+N2R+PZde4qfQ4PykaH9/7ES+JVPSJmeC7i+tXwzzC53NvXdb7bip1MQaueei
wSZiSviMKBIezfBCjZ075wNYxIeHHfHsJ7qM05ttyFl5ThRRiKSMIqDyfP8TYoBP
xLwk2F+sQ2SSMQkk1dGhDP2gvhSSemkPE9S100LJ4u7In49/2ZI6do9nlimHHrsY
AEwLZh+0A/hYBXKiIJUP9+5TRU29VS21GDECkpZ3iqCl078/DzUbph10uxsnwXvK
VRhc8+WrzNLO5Hmi+3oRupqDj6lHen8jpoGwy234WOYAaRaTERndVihHGFKs/DQ=
=MK+C
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2018-02-03-1' into staging
Merge tpm 2018/02/03 v1
# gpg: Signature made Sat 03 Feb 2018 14:02:35 GMT
# gpg: using RSA key 75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* remotes/stefanberger/tags/pull-tpm-2018-02-03-1:
tpm: tis: move one-line function into caller
MAINTAINERS: add pointer to tpm-next repository
tpm: wrap stX_be_p in tpm_cmd_set_XYZ functions
tpm: Split off tpm_crb_reset function
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Wrap the calls to stl_be_p and stw_be_p in tpm_cmd_set_XYZ functions
that are similar to existing getters.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Split off the tpm_crb_reset function part from tpm_crb_realize
that we need to run every time the machine resets.
Also register our reset function with the system since TYPE_DEVICE
seems to not get a reset otherwise.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
long standing bug (read "specification violation") where the server
would send an invalid response when the client has cancelled an
in-flight request. This was causing annoying spurious EINTR returns
in linux. The fix comes with some related testing in QTEST.
Other patches are code cleanup and improvements.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEtIKLr5QxQM7yo0kQcdTV5YIvc9YFAlp0OmMACgkQcdTV5YIv
c9bM2w/+ORsH7ifYVoPZDwPdhLAVg8t4aU7ak7kWSOeuTZhE8WA6GL8T4rjnhZZ4
PbFZTye0fOsZZaT30sHUIwI/CGewvdx0kMJuX339XfwaWvsrF/8tHFA8QdreclVf
YlLJwD2yZRujWPCU8k5D3hUfH2YD/w68b9Hv7K2hgsPw1Zoq7pLi/B2/BK/62G1d
35nFG97xDmcScSybrIeLwaCIKW/wgjHsWgUgAVMpgaSwtu/JTtEG5JYCZLGO6HVa
p67zdVQbCKQcdPLLllcrnGdWlA4CGxCBe+WMQyL3eJ2VDEH6XTBX8DiLstIVlXfj
vXb7vjlsYxE6rdeiMXRZWDGK+jZIePmDsI6ILlpyL0rEphuBnjEMljCxyBnOp7gS
dMTFmhfP4mApaYxeENlpQ5noDeQ/Jr1c9YeeBh9UnZ7r16/m3f2/sEIh+6QTL7YD
iR7ZG5LF0eP5SJKoZNV0i4123A5I7v1ekn5N5q6Kf4PMcY11507lxZksPhckdPgp
FPhsJJ1JQzWMcfE1mKeiZXq5Cys4EUhUK6UrOFp6tO38H/3YMuYMAz25D46Xk3Zx
qGuptCaov9uPi+5uqKuG3aJ9nMIMW9ZJdMSWo2+kb4EX4hMiOewjOJtaKA11QeS+
YoEr3szKtVnPUKsiqm+lhHL6ec5B8NQB7f8Hl88pkoLBGQzMaWU=
=9T0i
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
This series is mostly about 9p request cancellation. It fixes a
long standing bug (read "specification violation") where the server
would send an invalid response when the client has cancelled an
in-flight request. This was causing annoying spurious EINTR returns
in linux. The fix comes with some related testing in QTEST.
Other patches are code cleanup and improvements.
# gpg: Signature made Fri 02 Feb 2018 10:16:03 GMT
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6
* remotes/gkurz/tags/for-upstream:
tests/virtio-9p: explicitly handle potential integer overflows
tests: virtio-9p: add FLUSH operation test
libqos/virtio: return length written into used descriptor
tests: virtio-9p: add WRITE operation test
tests: virtio-9p: add LOPEN operation test
tests: virtio-9p: use the synth backend
tests: virtio-9p: wait for completion in the test code
tests: virtio-9p: move request tag to the test functions
9pfs: Correctly handle cancelled requests
9pfs: drop v9fs_register_transport()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
add me as the IPMI maintainer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJac2AnAAoJEGHzjJCRm/+B6iQP/1fqOS8QBJ8YB7simoHf8Vz0
3Bfnphgr/T0U9Eqb7vJye3Aug3QpaBgxCynLLhLzG3tj9s4iCYFCqHehB/e9UoFV
ok1WU6REul/8pnUjMFif23YVqn3MvZcIqva0O9/eAatUbXfRKIp7r0WRCIbLc8CW
oGSzHsPKhJQ4pCl+Cbu+xOOAx3snOF6e92SAEKTRPeivYgXDyib+L4m00YyAuCa0
qOT9/WqgRQqRfqrMZ9fI9RD9cM4xVD5bcn/COmk/KB7v1T0/on2LtI/pp4KYIS2E
lcyCs1Hhoz2nz/Y0fdi83rhScJmomiLdLv0Su08Tr3u6WcOHnIqAzS5qqKRi7WaJ
JAXp/+VX4LwEBEntAUS5PBAuM4E9DzGsQp3xypsfQHgAD9dnGJC06VPC3iRjrIim
jtVrSftzEb/dq4iK5Kp+HmFpCUIJWgjJorTdkiQ8Nd1Ld/a2efjGyeE4H7eYwCrr
uNqO8k739vR059oBdGEY/2bKeNr9imNdFRKd9CsMHX4rxM048S8NwemmmsZFWiiR
Ik6POUTXFhQytBma2ZiArKUAS4VickLgDLIW2KV95y3z3eNyr+48patBUUQdqK36
TeWE+SdwW7Nu1yD7EJzl6o1iduSUl+d2MZ62RssG4javI3hsMnWiEgaqt1fMy9V2
cSOBe7c+LmIHcu1G7lY6
=xjBI
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/cminyard/tags/for-release-20180201' into staging
Lots of litte miscellaneous fixes for the IPMI code, plus
add me as the IPMI maintainer.
# gpg: Signature made Thu 01 Feb 2018 18:44:55 GMT
# gpg: using RSA key 61F38C90919BFF81
# gpg: Good signature from "Corey Minyard <cminyard@mvista.com>"
# gpg: aka "Corey Minyard <minyard@acm.org>"
# gpg: aka "Corey Minyard <corey@minyard.net>"
# gpg: aka "Corey Minyard <minyard@mvista.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688 2686 61F3 8C90 919B FF81
* remotes/cminyard/tags/for-release-20180201:
ipmi: Allow BMC device properties to be set
ipmi: disable IRQ and ATN on an external disconnect
ipmi: Fix macro issues
ipmi: Add the platform event message command
ipmi: Don't set the timestamp on add events that don't have it
ipmi: Fix SEL get/set time commands
Add maintainer for the IPMI code
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The idea is to send a victim request that will possibly block in the
server and to send a flush request to cancel the victim request.
This patch adds two test to verifiy that:
- the server does not reply to a victim request that was actually
cancelled
- the server replies to the flush request after replying to the
victim request if it could not cancel it
9p request cancellation reference:
http://man.cat-v.org/plan_9/5/flush
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(groug, change the test to only write a single byte to avoid
any alignment or endianess consideration)
virtio-gpu has special code path that bypassed vIOMMU protection. So
for now let's disable iommu_platform for the device until we fully
support that (if needed).
After the patch, both virtio-vga and virtio-gpu won't allow to boot with
iommu_platform parameter set.
CC: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-id: 20180131040401.3550-1-peterx@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Changes all the occurrances of dolog() to qemu_log_mask().
Signed-off-by: John Arbuckle <programmingkidx@gmail.com>
Message-id: 20180201172744.7504-1-programmingkidx@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
while here use TYPE_WM8750 and declare a data_req_cb() typedef.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20170919123053.32675-1-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Trivial test of a successful write.
Signed-off-by: Greg Kurz <groug@kaod.org>
(groug, handle potential overflow when computing request size,
add missing g_free(buf),
backend handles one written byte at a time to validate
the server doesn't do short-reads)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
The purpose of virtio-9p-test is to test the virtio-9p device, especially
the 9p server state machine. We don't really care what fsdev backend we're
using. Moreover, if we want to be able to test the flush request or a
device reset with in-flights I/O, it is close to impossible to achieve
with a physical backend because we cannot ask it reliably to put an I/O
on hold at a specific point in time.
Fortunately, we can do that with the synthetic backend, which allows to
register callbacks on read/write accesses to a specific file. This will
be used by a later patch to test the 9P flush request.
The walk request test is converted to using the synth backend.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
# Background
I was investigating spurious non-deterministic EINTR returns from
various 9p file system operations in a Linux guest served from the
qemu 9p server.
## EINTR, ERESTARTSYS and the linux kernel
When a signal arrives that the Linux kernel needs to deliver to user-space
while a given thread is blocked (in the 9p case waiting for a reply to its
request in 9p_client_rpc -> wait_event_interruptible), it asks whatever
driver is currently running to abort its current operation (in the 9p case
causing the submission of a TFLUSH message) and return to user space.
In these situations, the error message reported is generally ERESTARTSYS.
If the userspace processes specified SA_RESTART, this means that the
system call will get restarted upon completion of the signal handler
delivery (assuming the signal handler doesn't modify the process state
in complicated ways not relevant here). If SA_RESTART is not specified,
ERESTARTSYS gets translated to EINTR and user space is expected to handle
the restart itself.
## The 9p TFLUSH command
The 9p TFLUSH commands requests that the server abort an ongoing operation.
The man page [1] specifies:
```
If it recognizes oldtag as the tag of a pending transaction, it should
abort any pending response and discard that tag.
[...]
When the client sends a Tflush, it must wait to receive the corresponding
Rflush before reusing oldtag for subsequent messages. If a response to the
flushed request is received before the Rflush, the client must honor the
response as if it had not been flushed, since the completed request may
signify a state change in the server
```
In particular, this means that the server must not send a reply with the
orignal tag in response to the cancellation request, because the client is
obligated to interpret such a reply as a coincidental reply to the original
request.
# The bug
When qemu receives a TFlush request, it sets the `cancelled` flag on the
relevant pdu. This flag is periodically checked, e.g. in
`v9fs_co_name_to_path`, and if set, the operation is aborted and the error
is set to EINTR. However, the server then violates the spec, by returning
to the client an Rerror response, rather than discarding the message
entirely. As a result, the client is required to assume that said Rerror
response is a result of the original request, not a result of the
cancellation and thus passes the EINTR error back to user space.
This is not the worst thing it could do, however as discussed above, the
correct error code would have been ERESTARTSYS, such that user space
programs with SA_RESTART set get correctly restarted upon completion of
the signal handler.
Instead, such programs get spurious EINTR results that they were not
expecting to handle.
It should be noted that there are plenty of user space programs that do not
set SA_RESTART and do not correctly handle EINTR either. However, that is
then a userspace bug. It should also be noted that this bug has been
mitigated by a recent commit to the Linux kernel [2], which essentially
prevents the kernel from sending Tflush requests unless the process is about
to die (in which case the process likely doesn't care about the response).
Nevertheless, for older kernels and to comply with the spec, I believe this
change is beneficial.
# Implementation
The fix is fairly simple, just skipping notification of a reply if
the pdu was previously cancelled. We do however, also notify the transport
layer that we're doing this, so it can clean up any resources it may be
holding. I also added a new trace event to distinguish
operations that caused an error reply from those that were cancelled.
One complication is that we only omit sending the message on EINTR errors in
order to avoid confusing the rest of the code (which may assume that a
client knows about a fid if it sucessfully passed it off to pud_complete
without checking for cancellation status). This does mean that if the server
acts upon the cancellation flag, it always needs to set err to EINTR. I
believe this is true of the current code.
[1] https://9fans.github.io/plan9port/man/man9/flush.html
[2] https://github.com/torvalds/linux/commit/9523feac272ccad2ad8186ba4fcc891
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, send a zero-sized reply instead of detaching the buffer]
Signed-off-by: Greg Kurz <groug@kaod.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
No good reasons to do this outside of v9fs_device_realize_common().
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Now that we have the prerequisites in target/hppa/,
implement the hardware for a PA7100LC.
This also enables build for hppa-softmmu.
Signed-off-by: Helge Deller <deller@gmx.de>
[rth: Since it is all new code, squashed all branch development
withing hw/hppa/ to a single patch.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Otherwise there's no way to clear them without an external command,
and it could lock the OS in the VM if they were stuck.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Macro parameters should almost always have () around them when used.
llvm reported an error on this.
Remove redundant parenthesis and put parenthesis around the entire
macros with assignments in case they are used in an expression.
The macros were doing ((v) & 1) for a binary input, but that only works
if v == 0 or if v & 1. Changed to !!(v) so they work for all values.
Remove some unused macros.
Reported in https://bugs.launchpad.net/bugs/1651167
An audit of these changes found no semantic changes; this is just
cleanups for proper style and to avoid a compiler warning.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
This lets an event be added to the SEL as if a sensor had generated
it. The OpenIPMI driver uses it for storing panic event information.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
According to the spec, from section "32.3 OEM SEL Record - Type
E0h-FFh", event types from 0x0e to 0xff do not have a timestamp.
So don't set it when adding those types. This required putting
the timestamp in a temporary buffer, since it's still required
to set the last addition time.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
The minimum message size was on the wrong commands, for getting
the time it's zero and for setting the time it's 6.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
With the addition of default-configs/hppa-softmmu.mak, this
will compile. It is not enabled with this patch, however.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJab54VAAoJEHWtZYAqC0IRZ+IH+QFtVX3R9fVxlSmFtPs7L9+s
a+WbbVbYf0toiTg1taRoYgyGkryc8Gtw8VJrN2iowM8KFjEx+h2cZ3qoRd15GqP6
jFAGb0lc6tjOk0O5pDiJU8hErSrIda8biBp/I0QDz3RkXeGrAZ7FrQemj0FXQjEG
0o+xGstCYKrVfGxrnDysfvyGSDOad0HnBqwc0rerbVjBJe5p8UErP8DSPsNCaj6W
qbSSgySeMnTeXGOwIXgCW43eTEJG13eBQ/rNJRqrcoIXiBd/txPb+c+E1iBBAmrF
XZHxS4v8vP+8rVRgBut4sIr2psx1DZvktHRThJDgu+Cyv6h7c6okQ0wxmo0+9bo=
=k7Fh
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2018-01-26-2' into staging
Merge tpm 2018/01/26 v2
# gpg: Signature made Mon 29 Jan 2018 22:20:05 GMT
# gpg: using RSA key 0x75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* remotes/stefanberger/tags/pull-tpm-2018-01-26-2:
tpm: add CRB device
tpm: report backend request error
tpm: replace GThreadPool with AIO threadpool
tpm: lookup cancel path under tpm device class
tpm: fix alignment issues
tpm: Set the flags of the CMD_INIT command to 0
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
tpm_crb is a device for TPM 2.0 Command Response Buffer (CRB)
Interface as defined in TCG PC Client Platform TPM Profile (PTP)
Specification Family “2.0” Level 00 Revision 01.03 v22.
The PTP allows device implementation to switch between TIS and CRB
model at run time, but given that CRB is a simpler device to
implement, I chose to implement it as a different device.
The device doesn't implement other locality than 0 for now (my laptop
TPM doesn't either, so I assume this isn't so bad)
Tested with some success with Linux upstream and Windows 10, seabios &
modified ovmf. The device is recognized and correctly transmit
command/response with passthrough & emu. However, we are missing PPI
ACPI part atm.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use an Error** for request to let the caller handle error reporting.
This will also allow to inform the frontend of a backend error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since Linux commit 313d21eeab9282e, tpm devices have their own device
class "tpm" and the cancel path must be looked up under
/sys/class/tpm/ instead of /sys/class/misc/.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The new tpm-crb-test fails on sparc host:
TEST: tests/tpm-crb-test... (pid=230409)
/i386/tpm-crb/test:
Broken pipe
FAIL
GTester: last random seed: R02S29cea50247fe1efa59ee885a26d51a85
(pid=230423)
FAIL: tests/tpm-crb-test
and generates a new clang sanitizer runtime warning:
/home/petmay01/linaro/qemu-for-merges/hw/tpm/tpm_util.h:36:24: runtime
error: load of misaligned address 0x7fdc24c00002 for type 'const
uint32_t' (aka 'const unsigned int'), which requires 4 byte alignment
0x7fdc24c00002: note: pointer points here
<memory cannot be printed>
The sparc architecture does not allow misaligned loads and will
segfault if you try them. For example, this function:
static inline uint32_t tpm_cmd_get_size(const void *b)
{
return be32_to_cpu(*(const uint32_t *)(b + 2));
}
Should read,
return ldl_be_p(b + 2);
As a general rule you can't take an arbitrary pointer into a byte
buffer and try to interpret it as a structure or a pointer to a
larger-than-bytesize-data simply by casting the pointer.
Use this clean up as an opportunity to remove unnecessary temporary
buffers and casts.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The flags of the CMD_INIT control channel command were not
initialized properly. Fix this and set to 0.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Replace the keymap_qcode table with automatically generated
tables.
Missing entries in keymap_qcode now fixed:
Q_KEY_CODE_ASTERISK -> KEY_KPASTERISK
Q_KEY_CODE_KP_MULTIPLY -> KEY_KPASTERISK
Q_KEY_CODE_STOP -> KEY_STOP
Q_KEY_CODE_AGAIN -> KEY_AGAIN
Q_KEY_CODE_PROPS -> KEY_PROPS
Q_KEY_CODE_UNDO -> KEY_UNDO
Q_KEY_CODE_FRONT -> KEY_FRONT
Q_KEY_CODE_COPY -> KEY_COPY
Q_KEY_CODE_OPEN -> KEY_OPEN
Q_KEY_CODE_PASTE -> KEY_PASTE
Q_KEY_CODE_FIND -> KEY_FIND
Q_KEY_CODE_CUT -> KEY_CUT
Q_KEY_CODE_LF -> KEY_LINEFEED
Q_KEY_CODE_HELP -> KEY_HELP
Q_KEY_CODE_COMPOSE -> KEY_COMPOSE
Q_KEY_CODE_RO -> KEY_RO
Q_KEY_CODE_HIRAGANA -> KEY_HIRAGANA
Q_KEY_CODE_HENKAN -> KEY_HENKAN
Q_KEY_CODE_YEN -> KEY_YEN
Q_KEY_CODE_KP_COMMA -> KEY_KPCOMMA
Q_KEY_CODE_KP_EQUALS -> KEY_KPEQUAL
Q_KEY_CODE_POWER -> KEY_POWER
Q_KEY_CODE_SLEEP -> KEY_SLEEP
Q_KEY_CODE_WAKE -> KEY_WAKEUP
Q_KEY_CODE_AUDIONEXT -> KEY_NEXTSONG
Q_KEY_CODE_AUDIOPREV -> KEY_PREVIOUSSONG
Q_KEY_CODE_AUDIOSTOP -> KEY_STOPCD
Q_KEY_CODE_AUDIOPLAY -> KEY_PLAYPAUSE
Q_KEY_CODE_AUDIOMUTE -> KEY_MUTE
Q_KEY_CODE_VOLUMEUP -> KEY_VOLUMEUP
Q_KEY_CODE_VOLUMEDOWN -> KEY_VOLUMEDOWN
Q_KEY_CODE_MEDIASELECT -> KEY_MEDIA
Q_KEY_CODE_MAIL -> KEY_MAIL
Q_KEY_CODE_CALCULATOR -> KEY_CALC
Q_KEY_CODE_COMPUTER -> KEY_COMPUTER
Q_KEY_CODE_AC_HOME -> KEY_HOMEPAGE
Q_KEY_CODE_AC_BACK -> KEY_BACK
Q_KEY_CODE_AC_FORWARD -> KEY_FORWARD
Q_KEY_CODE_AC_REFRESH -> KEY_REFRESH
Q_KEY_CODE_AC_BOOKMARKS -> KEY_BOOKMARKS
NB, the virtio-input device reports a bitmask to the guest driver that
has a bit set for each Linux keycode that the host is able to send to
the guest.
Thus by adding these extra key mappings we are technically changing the
host<->guest ABI. This would also happen any time we defined new mappings
for QEMU keycodes in future.
When a keycode is removed from the list of possible keycodes that host can
send to the guest, it means that the guest OS will think it is possible
to receive a key that in pratice can never be generated, which is harmless.
When a keycode is added to the list of possible keycodes that the host can
send to the guest, it means that the guest OS can see an unexpected event.
The Linux virtio_input.c driver code simply forwards this event to the
input_event() method in the Linux input subsystem. This in turn calls
input_handle_event(), which then calls input_get_disposition(). This method
checks if the input event is present in the permitted keys bitmap, and if
not returns INPUT_IGNORE_EVENT. Thus the unexpected event will get dropped,
which is harmless.
If the guest OS reboots, or otherwise re-initializes the virt-input device,
it will read the new keycode bitmap. No matter how many keys are defined,
the config space has a fixed 128 byte bitmap. There is, however, a size
field defiend which says how many bytes in the bitmap are used. So the guest
OS reads the size of the bitmap, and then it reads the data from bitmap upto
the designated size. So if the guest OS re-initializes at precisely the time
that QEMU is migrated across versions, in the worst case, it could conceivably
read the old size field, but then get the newly updated bitmap. If a key were
added this is harmless, since it simply means it may not process the newly
added key. If a key were removed, then it could be readnig a byte from the
bitmap that was not initialized. Fortunately QEMU always memsets() the entire
bitmap to 0, prior to setting keybits. Thus the guest OS will simply read
zeros, which is again harmless.
Based on this analysis, it is believed that there is no need to preserve the
virtio-input-hid keymaps across migration, as the host<->guest ABI change is
harmless and self-resolving at time of guest reboot.
NB, this behaviour should perhaps be formalized in the virtio-input spec
to declare how guest OS drivers should be written to be robust in their
handling of the potentially changable key bitmaps.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-5-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Replace the qcode_to_keycode table with automatically
generated tables.
Missing entries in qcode_to_keycode now fixed:
- Q_KEY_CODE_KP_COMMA -> 0x2d
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Replace the qcode_to_keycode_set1, qcode_to_keycode_set2,
and qcode_to_keycode_set3 tables with automatically
generated tables.
Missing entries in qcode_to_keycode_set1 now fixed:
- Q_KEY_CODE_SYSRQ -> 0x54
- Q_KEY_CODE_PRINT -> 0x54 (NB ignored due to special case)
- Q_KEY_CODE_AGAIN -> 0xe005
- Q_KEY_CODE_PROPS -> 0xe006
- Q_KEY_CODE_UNDO -> 0xe007
- Q_KEY_CODE_FRONT -> 0xe00c
- Q_KEY_CODE_COPY -> 0xe078
- Q_KEY_CODE_OPEN -> 0x64
- Q_KEY_CODE_PASTE -> 0x65
- Q_KEY_CODE_CUT -> 0xe03c
- Q_KEY_CODE_LF -> 0x5b
- Q_KEY_CODE_HELP -> 0xe075
- Q_KEY_CODE_COMPOSE -> 0xe05d
- Q_KEY_CODE_PAUSE -> 0xe046
- Q_KEY_CODE_KP_EQUALS -> 0x59
And some mistakes corrected:
- Q_KEY_CODE_HIRAGANA was mapped to 0x70 (Katakanahiragana)
instead of of 0x77 (Hirigana)
- Q_KEY_CODE_MENU was incorrectly mapped to the compose
scancode (0xe05d) and is now mapped to 0xe01e
- Q_KEY_CODE_FIND was mapped to 0xe065 (Search) instead
of to 0xe041 (Find)
- Q_KEY_CODE_POWER, SLEEP & WAKE had 0x0e instead of 0xe0
as the prefix
Missing entries in qcode_to_keycode_set2 now fixed:
- Q_KEY_CODE_PRINT -> 0x7f (NB ignored due to special case)
- Q_KEY_CODE_COMPOSE -> 0xe02f
- Q_KEY_CODE_PAUSE -> 0xe077
- Q_KEY_CODE_KP_EQUALS -> 0x0f
And some mistakes corrected:
- Q_KEY_CODE_HIRAGANA was mapped to 0x13 (Katakanahiragana)
instead of of 0x62 (Hirigana)
- Q_KEY_CODE_MENU was incorrectly mapped to the compose
scancode (0xe02f) and is now not mapped
- Q_KEY_CODE_FIND was mapped to 0xe010 (Search) and is now
not mapped.
- Q_KEY_CODE_POWER, SLEEP & WAKE had 0x0e instead of 0xe0
as the prefix
Missing entries in qcode_to_keycode_set3 now fixed:
- Q_KEY_CODE_ASTERISK -> 0x7e
- Q_KEY_CODE_SYSRQ -> 0x57
- Q_KEY_CODE_LESS -> 0x13
- Q_KEY_CODE_STOP -> 0x0a
- Q_KEY_CODE_AGAIN -> 0x0b
- Q_KEY_CODE_PROPS -> 0x0c
- Q_KEY_CODE_UNDO -> 0x10
- Q_KEY_CODE_COPY -> 0x18
- Q_KEY_CODE_OPEN -> 0x20
- Q_KEY_CODE_PASTE -> 0x28
- Q_KEY_CODE_FIND -> 0x30
- Q_KEY_CODE_CUT -> 0x38
- Q_KEY_CODE_HELP -> 0x09
- Q_KEY_CODE_COMPOSE -> 0x8d
- Q_KEY_CODE_AUDIONEXT -> 0x93
- Q_KEY_CODE_AUDIOPREV -> 0x94
- Q_KEY_CODE_AUDIOSTOP -> 0x98
- Q_KEY_CODE_AUDIOMUTE -> 0x9c
- Q_KEY_CODE_VOLUMEUP -> 0x95
- Q_KEY_CODE_VOLUMEDOWN -> 0x9d
- Q_KEY_CODE_CALCULATOR -> 0xa3
- Q_KEY_CODE_AC_HOME -> 0x97
And some mistakes corrected:
- Q_KEY_CODE_MENU was incorrectly mapped to the compose
scancode (0x8d) and is now 0x91
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180117164118.8510-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
During Qemu guest migration, a destination process invokes ps2
post_load function. In that, if 'rptr' and 'count' values were
invalid, it could lead to OOB access or infinite loop issue.
Add check to avoid it.
Reported-by: Cyrille Chatras <cyrille.chatras@orange.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20171116075155.22378-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
On Linux, a mouse event is generated for both down and up when mouse
wheel is used. This caused virtio_input_send() to be called twice each
time the wheel was used.
This commit adds a check for the button down state and only calls
virtio_input_send() when it is true.
Signed-off-by: Miika S <miika9764@gmail.com>
Message-Id: <20171222152531.1849-4-miika9764@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The new H-Call H_GET_CPU_CHARACTERISTICS is used by the guest to query
behaviours and available characteristics of the cpu.
Implement the handler for this new H-Call which formulates its response
based on the setting of the spapr_caps cap-cfpc, cap-sbbc and cap-ibs.
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add new tristate cap cap-ibs to represent the indirect branch
serialisation capability.
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add new tristate cap cap-sbbc to represent the speculation barrier
bounds checking capability.
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add new tristate cap cap-cfpc to represent the cache flush on privilege
change capability.
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
spapr_caps are used to represent the level of support for various
capabilities related to the spapr machine type. Currently there is
only support for boolean capabilities.
Add support for tristate capabilities by implementing their get/set
functions. These capabilities can have the values 0, 1 or 2
corresponding to broken, workaround and fixed.
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In various place we don't correctly check if the device supports MSI or
MSI-X. This can cause devices to be advertised with MSI support, even
if they only support MSI-X (like virtio-pci-* devices for example):
ethernet@0 {
ibm,req#msi = <0x1>; <--- wrong!
.
ibm,loc-code = "qemu_virtio-net-pci:0000:00:00.0";
.
ibm,req#msi-x = <0x3>;
};
Worse, this can also cause the "ibm,change-msi" RTAS call to corrupt the
PCI status and cause migration to fail:
qemu-system-ppc64: get_pci_config_device: Bad config data: i=0x6
read: 0 device: 10 cmask: 10 wmask: 0 w1cmask:0
^^
PCI_STATUS_CAP_LIST bit which is assumed to be constant
This patch changes spapr_populate_pci_child_dt() to properly check for
MSI support using msi_present(): this ensures that PCIDevice::msi_cap
was set by msi_init() and that msi_nr_vectors_allocated() will look at
the right place in the config space.
Checking PCIDevice::msix_entries_nr is enough for MSI-X but let's add
a call to msix_present() there as well for consistency.
It also changes rtas_ibm_change_msi() to select the appropriate MSI
type in Function 1 instead of always selecting plain MSI. This new
behaviour is compliant with LoPAPR 1.1, as described in "Table 71.
ibm,change-msi Argument Call Buffer":
Function 1: If Number Outputs is equal to 3, request to set to a new
number of MSIs (including set to 0).
If the “ibm,change-msix-capable” property exists and Number
Outputs is equal to 4, request is to set to a new number of
MSI or MSI-X (platform choice) interrupts (including set to
0).
Since MSI is the the platform default (LoPAPR 6.2.3 MSI Option), let's
check for MSI support first.
And finally, it checks the input parameters are valid, as described in
LoPAPR 1.1 "R1–7.3.10.5.1–3":
For the MSI option: The platform must return a Status of -3 (Parameter
error) from ibm,change-msi, with no change in interrupt assignments if
the PCI configuration address does not support MSI and Function 3 was
requested (that is, the “ibm,req#msi” property must exist for the PCI
configuration address in order to use Function 3), or does not support
MSI-X and Function 4 is requested (that is, the “ibm,req#msi-x” property
must exist for the PCI configuration address in order to use Function 4),
or if neither MSIs nor MSI-Xs are supported and Function 1 is requested.
This ensures that the ret_intr_type variable contains a valid MSI type
for this device, and that spapr_msi_setmsg() won't corrupt the PCI status.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This was accidentally omitted from 77cb0f5aaf "Split adb.c into adb.c, adb-mouse.c
and adb-kbd.c".
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
qemu-system-ppcemb has been once split of qemu-system-ppc to support
CPU page sizes < 4096 for some of the embedded 4xx PowerPC CPUs.
However, there was hardly any OS available in the wild that really
used such small page sizes (Linux uses 4096 on PPC), so there is
no known recent use case for this separate build anymore. It's
rather cumbersome to maintain a separate set of config switches for
this, and it's wasting compile and test time of all the developers
who have to build all QEMU targets to verify that their changes did
not break anything.
Except for the small CPU page sizes, qemu-system-ppc can be used as
a full replacement for qemu-system-ppcemb since it contains all the
embedded 4xx PPC boards and CPUs, too. Thus let's start the deprecation
process for qemu-system-ppcemb to see whether somebody still needs
the small page sizes or whether we could finally remove this unloved
separate build.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJaawAdAAoJECnFlngPa8qDvB4H/RkbG3qLNVyIj1LHQu9JA72p
gyzs8hZ7wAzLH+JljqRYPmcHsNnkLRM6O1ukTqDKbE3+0arkp4/SmLtIuHjCiV1B
QplONj39hVr578ZrgKQ1eIP0G285nWFeCUFC8aYFkLK6rJpYpKAu/FSFLrfel5SQ
so4w4d/AZK9k9DkFO16d7wW+UXacyuN+mf1SVSSM0ckuu6aKOuvAf6rVEIHdp4AM
BVI36wooFvaJZ4VCYEpm5XD5zAMRkkkhIOHzEQEiUhtLCOCg72JLD/GkhmjXoQU+
TuEyGTAGfoIrvQqcfewsCx/pcGWievdHeT4Qh4KqC9rMCPuYrz9HXmKxJNXw54c=
=x4JI
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/edgar/tags/edgar/xilinx-next-2018-01-26.for-upstream' into staging
Xilinx queue
# gpg: Signature made Fri 26 Jan 2018 10:17:01 GMT
# gpg: using RSA key 0x29C596780F6BCA83
# gpg: Good signature from "Edgar E. Iglesias (Xilinx key) <edgar.iglesias@xilinx.com>"
# gpg: aka "Edgar E. Iglesias <edgar.iglesias@gmail.com>"
# Primary key fingerprint: AC44 FEDC 14F7 F1EB EDBF 4151 29C5 9678 0F6B CA83
* remotes/edgar/tags/edgar/xilinx-next-2018-01-26.for-upstream:
xlnx-zynqmp: Connect the IPI device to the ZynqMP SoC
xlnx-zynqmp-pmu: Connect the IPI device to the PMU
xlnx-zynqmp-ipi: Initial version of the Xilinx IPI device
xlnx-zynqmp-pmu: Connect the PMU interrupt controller
xlnx-pmu-iomod-intc: Add the PMU Interrupt controller
aarch64-softmmu.mak: Use an ARM specific config
xlnx-zynqmp-pmu: Add the CPU and memory
xlnx-zynqmp-pmu: Initial commit of the ZynqMP PMU
microblaze: boot.c: Don't try to find NULL file
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
This is the initial version of the Inter Processor Interrupt device.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Add the PMU IO Module Interrupt controller device.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
In preperation for having an ARM and MicroBlaze ZynqMP machine let's
split out the current ARM specific config options.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Connect the MicroBlaze CPU and the ROM and RAM memory regions.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
The Xilinx ZynqMP SoC has two main processing systems in it. The ARM
processing system (which is already modeled in QEMU) and the MicroBlaze
Power Management Unit (PMU). This is the inital work for adding support
for the PMU.
The PMU susbsystem runs along side the ARM system on hardware, but due
to architecture limitations in QEMU the two instances are seperate for
the time being.
Let's follow the same setup we do with the ARM system, where there is an
SoC device and a ZCU102 board. Although the PMU is less board specific
we are still going to follow the same split as maybe in future we can
connect the PMU device to the ARM ZCU102 board. As the machine will be
fairly small let's keep them both together in one file.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Previously if no device tree was passed to microblaze_load_kernel() then
qemu_find_file() would try to find a NULL pointer. To avoid this put a
check around qemu_find_file().
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Replace init() of CCIDCardClass with realize, then convert
ccid_card_init(), ccid_card_initfn() and it's callbacks to
take an Error** in ordor to report the error more clearly.
Signed-off-by: Mao Zhongyi <maozy.fnst@cn.fujitsu.com>
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180125171432.13554-2-f4bug@amsat.org
[PMD: fixed s->card assignation in ccid_card_realize()]
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Because usb-storage creates an internal scsi device, we should propagate
options. We already do so for bootindex etc, but failed to take care of
share-rw. Fix it in an apparent way: add a new parameter to
scsi_bus_legacy_add_drive and pass in s->conf.share_rw.
Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20180117005222.4781-1-famz@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The option have been marked as deprecated since QEMU 2.10, and so far
nobody complained that the host, serial, disk and net options are urgently
required anymore. So let's now get rid at least of this legacy pile, to
simplify the usb code quite a bit.
This patch removes the usbdevices host, serial, disk and net. These devices
use their own complicated parameter parsing mechanisms, so they are just
ugly to maintain, without real benefit for the users (the users can use the
corresponding "-device" parameters instead which have the same complexity
as the "-usbdevice" devices here).
Note that the other rather simple -usbdevice options (mouse, tablet, etc.)
are not removed yet (the code is really simple here, so it does not hurt
much to keep it), as well as the two devices "braille" and "bt" which are
easier to use with -usbdevice than with -device.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1515519171-20315-1-git-send-email-thuth@redhat.com
[kraxel] delete some usb_host_device_open() leftovers.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* target/arm: Fix address truncation in 64-bit pagetable walks
* i.MX: Fix FEC/ENET receive functions
* target/arm: preparatory refactoring for SVE emulation
* hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
* hw/intc/arm_gic: Fix C_RPR value on idle priority
* hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
* hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
* hw/arm/virt: Check that the CPU realize method succeeded
* sdhci: fix a NULL pointer dereference due to uninitialized AddressSpace object
* xilinx_spips: Correct usage of an uninitialized local variable
* pl110: Implement vertical compare/next base interrupts
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJaadStAAoJEDwlJe0UNgzeABwP/jJs1ajbRnnwr2eFYno9Wa7p
jpSHD/4pxMbZVYAPrc5z+EoPw8Fy/qETlzRLlcO4KfmrxHotpoKEPAQBIOohs7Uy
PZgPhVqic1hAQBlp2wkK9SSL5XFyfI0PHCY3Rb0dGWPSu5eoLlXCglbgajOBbM9r
t/0KUQPhILfYeDbZ7oO6XLC51F87M0zxmE5GG2Z8feHDSw2zqmZc/jw8nGNkQXKr
0gniMN2QQyxKEjp6zYa9lmCnvpBMErKo3xl9J3tZ2TgzOSWaX0S1gk3FWh0kNYhk
ktnnimUzku/gOoCorMf5o7nPCNQqpR4Jgpw3S27j7WfgxGyrgfxT74k4XR/g8nNO
LGkNzlsdEjHpVe8wTPQZ4LtPcw8ozHQB/Yu77iRaweQipk6PeyoUuoMDrxHq0oX6
W9rgvwmOJu2xmHyUe1NZuUwiZ9xdidlFg+9TMENLkbzb2xzxYa1qmbVQz7u5d7cx
zPgy9iy7S77wAwPwHgul3sQlVLxxKSi7Iw+Ka+51uEJ3pbW/JPpZCATi00LGjQZF
41j5wOPj/LR+B0peay4cneF9DDR5Vxqe+Lg1QMicaj74xP1Q+dvVwvE5e3/XUaiT
nr42iNjK0HJCqyvvkd6u/ONW8rbSmeL5FF5eEzC6DxAArTBkdJ90tFklinMH/Ovy
oaBPvo5zP8TSqwDMx6yc
=aF9Y
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180125' into staging
target-arm queue:
* target/arm: Fix address truncation in 64-bit pagetable walks
* i.MX: Fix FEC/ENET receive functions
* target/arm: preparatory refactoring for SVE emulation
* hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
* hw/intc/arm_gic: Fix C_RPR value on idle priority
* hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
* hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
* hw/arm/virt: Check that the CPU realize method succeeded
* sdhci: fix a NULL pointer dereference due to uninitialized AddressSpace object
* xilinx_spips: Correct usage of an uninitialized local variable
* pl110: Implement vertical compare/next base interrupts
# gpg: Signature made Thu 25 Jan 2018 12:59:25 GMT
# gpg: using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg: aka "Peter Maydell <pmaydell@gmail.com>"
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* remotes/pmaydell/tags/pull-target-arm-20180125: (21 commits)
pl110: Implement vertical compare/next base interrupts
xilinx_spips: Correct usage of an uninitialized local variable
sdhci: fix a NULL pointer dereference due to uninitialized AddresSpace object
hw/arm/virt: Check that the CPU realize method succeeded
hw/intc/arm_gic: Fix the NS view of C_BPR when C_CTRL.CBPR is 1
hw/intc/arm_gic: Fix group priority computation for group 1 IRQs
hw/intc/arm_gic: Fix C_RPR value on idle priority
hw/intc/arm_gic: Prevent the GIC from signaling an IRQ when it's "active and pending"
target/arm: Simplify fp_exception_el for user-only
target/arm: Hoist store to flags output in cpu_get_tb_cpu_state
target/arm: Move cpu_get_tb_cpu_state out of line
target/arm: Add ARM_FEATURE_SVE
vmstate: Add VMSTATE_UINT64_SUB_ARRAY
target/arm: Add aa{32, 64}_vfp_{dreg, qreg} helpers
target/arm: Change the type of vfp.regs
target/arm: Use pointers in neon tbl helper
target/arm: Use pointers in neon zip/uzp helpers
target/arm: Use pointers in crypto helpers
target/arm: Mark disas_set_insn_syndrome inline
i.MX: Fix FEC/ENET receive funtions
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This inbuilt device contains a single 4-byte register, of which bit 24 is used
to power down the machine on a real Ultra 5.
The power device exists at offset 0x724000 on a real machine, but due to the
current configuration of the BARs in QEMU it must be located lower in PCI IO
space.
For the moment we place the power device at offset 0x7240 as a reminder of its
original location and raise the base PCI IO address from 0x4000 to 0x8000.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Artyom Tarasenko <atar4qemu@gmail.com>
This implements rudimentary support for interrupt generation on the
PL110. I am working on a new DRI/KMS driver for Linux and since that
uses the blanking interrupt, we need something to fire here. Without
any interrupt support Linux waits for a while and then gives ugly
messages about the vblank not working in the console (it does not
hang perpetually or anything though, DRI is pretty forgiving).
I solved it for now by setting up a timer to fire at 60Hz and pull
the interrupts for "vertical compare" and "next memory base"
at this interval. This works fine and fires roughly the same number
of IRQs on QEMU as on the hardware and leaves the console clean
and nice.
People who want to create more accurate emulation can probably work
on top of this if need be. It is certainly closer to the hardware
behaviour than what we have today anyway.
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Message-id: 20180123225654.5764-1-linus.walleij@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: folded long lines]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.
Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20180124215708.30400-1-frasse.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
We were passing a NULL error pointer to the object_property_set_bool()
call that realizes the CPU object. This meant that we wouldn't detect
failure, and would plough blindly on to crash later trying to use a
NULL CPU object pointer. Detect errors and fail instead.
In particular, this will be necessary to detect the user error
of using "-cpu host" without "-enable-kvm" once we make the host
CPU type be registered unconditionally rather than only in
kvm_arch_init().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When C_CTRL.CBPR is 1, the Non-Secure view of C_BPR is altered:
- A Non-Secure read of C_BPR should return the BPR value plus 1,
saturated to 7,
- A Non-Secure write should be ignored.
Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-6-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: fixed comment typo]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When determining the group priority of a group 1 IRQ, if C_CTRL.CBPR is
0, the non-secure BPR value is used. However, this value must be
incremented by one so that it matches the secure world number of
implemented priority bits (NS world has one less priority bit compared
to the Secure world).
Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-5-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: add assert, as the gicv3 code has]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When there is no active interrupts in the GIC, a read to the C_RPR
register should return the value of the "Idle priority", which is either
the maximum value an IRQ priority field can be set to, or 0xff.
Since the QEMU GIC model implements all the 8 priority bits, the Idle
priority is 0xff.
Internally, when there is no active interrupt, the running priority
value is 0x100. The gic_get_running_priority function returns an uint8_t
and thus, truncate this value to 0x00 when returning it. This is wrong since
a value of 0x00 correspond to the maximum possible priority.
This commit fixes the returned value when the internal value is 0x100.
Note that it is correct for the Non-Secure view to return 0xff even
though from the NS world point of view, only 7 priority bits are
implemented. The specification states that the Idle priority can be 0xff
even when not all the 8 priority bits are implemented. This has been
verified against a real GICv2 hardware on a Xilinx ZynqMP based board.
Regarding the ARM11MPCore version of the GIC, the specification is not
clear on that point, so this commit does not alter its behavior.
Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-4-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
In the GIC, when an IRQ is acknowledged, its state goes from "pending"
to:
- "active" if the corresponding IRQ pin has been de-asserted
- "active and pending" otherwise.
The GICv2 manual states that when a IRQ becomes active (or active and
pending), the GIC should either signal another (higher priority) IRQ to
the CPU if there is one, or de-assert the CPU IRQ pin.
The current implementation of the GIC in QEMU does not check if the
IRQ is already active when looking for pending interrupts with
sufficient priority in gic_update(). This can lead to signaling an
interrupt that is already active.
This usually happens when splitting priority drop and interrupt
deactivation. On priority drop, the IRQ stays active until deactivation.
If it becomes pending again, chances are that it will be incorrectly
selected as best_irq in gic_update().
This commit fixes this by checking if the IRQ is not already active when
looking for best_irq in gic_update().
Note that regarding the ARM11MPCore GIC version, the corresponding
manual is not clear on that point, but it has has no priority
drop/interrupt deactivation separation, so this case should not happen.
Signed-off-by: Luc MICHEL <luc.michel@git.antfield.fr>
Message-id: 20180119145756.7629-3-luc.michel@greensocs.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The actual imx_eth_enable_rx() function is buggy.
It updates s->regs[ENET_RDAR] after calling qemu_flush_queued_packets().
qemu_flush_queued_packets() is going to call imx_XXX_receive() which itself
is going to call imx_eth_enable_rx().
By updating s->regs[ENET_RDAR] after calling qemu_flush_queued_packets()
we end up updating the register with an outdated value which might
lead to disabling the receive function in the i.MX FEC/ENET device.
This patch change the place where the register update is done so that the
register value stays up to date and the receive function can keep
running.
Reported-by: Fyleo <fyleo45@gmail.com>
Tested-by: Fyleo <fyleo45@gmail.com>
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Message-id: 20180113113445.2705-1-jcd@tribudubois.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2 -device pcnet -vga cirrus,
then use VNC client to connect to VM, and excute the code below in guest
OS will lead to qemu crash:
int main()
{
iopl(3);
srand(time(NULL));
int a,b;
while(1){
a = rand()%0x100;
b = 0x3c0 + (rand()%0x20);
outb(a,b);
}
return 0;
}
The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
the display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.
Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJaZyzMAAoJEH8JsnLIjy/WSOYP/jHffS2fOHtdLQU42G76HN0K
jkhSUE8cuKFzgxuJDJhv10AGsGZvDIaRhuumPIFArQkcEwsFDfd0UqzC5GkCnhfn
6frVPsRSUp9BqXqha1+6vOgVRobdBXPpS25ERfanTsbu3aPEDRnGpxmpMvyyimft
BTUnWNCg2lM6bojXrC6oy7MqUdi9p9PviMcQAfnN07SmGa+s6tS2Jc9znvZwgL06
o+oPukWVTAiub5qcH18BLA3T8xcCXWANdY9pUnNj7mXHoxg3kYzzYBArYDh6Kyju
BkSEML1kNcUACFAZ+LSqQpnoc8/5cP+jY5cOBGtUUgjZSns/xnAZxALltds0I4m3
fqQM68oOTX7squAYAaKYVYMirime6aa2OAn2afxPJildPp8uH4lNust95yiUyyJQ
oqA3zfAnP5FfmTnzjLG7smYlRUlcHp8eMPyOKHxp3BuqTMbWY5KQETyDMk3QVnZr
7fSFIdT4sRTdroKXUKHHu3RLFyCo77EBovxY2oUtt6v43qxQhLx0IFwW6jHrcLK9
ifLOr1CqdgwH/OU7h6rzoLcGLX5/eOTxwcCbU0kP2cx4E60VBXmSaDq9TiwQhbeV
4HteS+EP6R0WpCiAvsFl2aUd6iwDRHeYt0aKpYyUuTVrW2mfmLPaQP+tJLjEoaHF
H5HlbNWy2gFAB2uQtmOd
=gjNZ
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches
# gpg: Signature made Tue 23 Jan 2018 12:38:36 GMT
# gpg: using RSA key 0x7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream: (29 commits)
iotests: Disable some tests for compat=0.10
iotests: Split 177 into two parts for compat=0.10
iotests: Make 059 pass on machines with little RAM
iotests: Filter compat-dependent info in 198
iotests: Make 191 work with qcow2 options
iotests: Make 184 image-less
iotests: Make 089 compatible with compat=0.10
iotests: Fix 067 for compat=0.10
iotests: Fix 059's reference output
iotests: Fix 051 for compat=0.10
iotests: Fix 020 for vmdk
iotests: Skip 103 for refcount_bits=1
iotests: Forbid 020 for non-file protocols
iotests: Drop format-specific in _filter_img_info
iotests: Fix _img_info for backslashes
block/vmdk: Add blkdebug events
block/qcow: Add blkdebug events
qcow2: No persistent dirty bitmaps for compat=0.10
block/vmdk: Fix , instead of ; at end of line
qemu-iotests: Fix locking issue in 102
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Michael S. Tsirkin <mst@redhat.com>
CC: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
[for addition of trace-events to hw/pci-host]
Acked-by: Michael S. Tsirkin <mst@redhat.com>
This is the final stage in correcting the naming convention with respect to
sabre, APB and PBM. It is effectively a file rename from apb.c to sabre.c
along with touching up a few constants to remove the remaining references
to APB.
Note that as part of the rename process the configuration variable
CONFIG_PCI_APB is changed to CONFIG_PCI_SABRE.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
In order to reflect the previous change of TYPE_APB to TYPE_SABRE, update
the corresponding variable names to keep the terminology consistent.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
Similarly rename the corresponding APBState typedef to SabreState.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
This is the proper name for the PBM host bridge as referenced in the Sun
documentation.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
As hinted in the comment at the top of the file, the naming convention for the
APB types/QOM functions isn't correct. As a starting point we can at least
rename the APB type and related functions to improve the readability of apb.c.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
Here we rename PBMPCIBridge to SimbaPCIBridge and the QOM type from
TYPE_PBM_PCI_BRIDGE to TYPE_SIMBA_PCI_BRIDGE in improve the clarity
of the device name.
Also touch up the relevant spots in apb.c and various other function
names as appropriate.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
Move the QOM type and macros into a new include/hw/pci-bridge/simba.h
file, and add a new CONFIG_SIMBA Makefile.objs variable which is enabled
for sparc64-softmmu builds only.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Michael S. Tsirkin <mst@redhat.com>
CC: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Artyom Tarasenko <atar4qemu@gmail.com>
With the LEON3 IRQ controller IRQs can be acknowledged 2 ways:
* Explicitly by software writing to the CLEAR_OFFSET register
* Implicitly when the procesor is done running the trap handler attached
to the IRQ.
The actual IRQMP code only allows the implicit processor triggered IRQ ack.
If software write explicitly to the CLEAR_OFFSET register, this will clear
the pending bit in the register value but this will not lower the ongoing
raised IRQ with the processor. The IRQ will be kept raised to the LEON
processor until the related trap handler is run and the processor implicitly
ack the interrupt. So with the actual IRQMP code trap handler have to be run
even if the software has already done its job by clearing the pending bit.
This feature has been tested on another LEON3 simulator (tsim_leon3 from
Gaisler) and it turns out that the Qemu implementation is not equivalent to
the tsim one. In tsim, if software does clear a pending interrupt before
the related interrupt handler is triggered the said interrupt handler will
not be called.
This patch brings the Qemu IRQMP implementation in line with the tsim
implementation by allowing IRQ to be acknowledged by software only.
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Fabien Chouteau <chouteau@adacore.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
This reverts commit 4fe6d78b2e as it is
reported to break cleanup and migration.
Cc: Gal Hammer <ghammer@redhat.com>
Cc: Sitong Liu <siliu@redhat.com>
Cc: Xiaoling Gao <xiagao@redhat.com>
Suggested-by: Greg Kurz <groug@kaod.org>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Reported-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
This reverts commit 6f0bb23072.
This reverts commit f87d72f5c5 as that is
reported to break cleanup and migration.
Cc: Gal Hammer <ghammer@redhat.com>
Cc: Sitong Liu <siliu@redhat.com>
Cc: Xiaoling Gao <xiagao@redhat.com>
Suggested-by: Greg Kurz <groug@kaod.org>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Jose Ricardo Ziviani <joserz@linux.vnet.ibm.com>
Reported-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
linux-user binaries don't need firmware and NMI,
so don't add them in this case, move QDEV
firmware functions to qdev-fw.c
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20171103193802.11876-1-laurent@vivier.eu>
