sdk/emulator/qemu.git
8 years ago Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Tue, 7 Jun 2016 14:30:25 +0000 (15:30 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc, pci, virtio: new features, cleanups, fixes

This includes some infrastructure for ipmi smbios tables.
Beginning of acpi hotplug rework by Igor for supporting >255 CPUs.
Misc cleanups and fixes.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Tue 07 Jun 2016 13:55:22 BST
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream: (25 commits)
  virtio: move bi-endian target support to a single location
  pc-dimm: introduce realize callback
  pc-dimm: get memory region from ->get_memory_region()
  acpi: make bios_linker_loader_add_checksum() API offset based
  acpi: make bios_linker_loader_add_pointer() API offset based
  tpm: apci: cleanup TCPA table initialization
  acpi: cleanup bios_linker_loader_cleanup()
  acpi: simplify bios_linker API by removing redundant 'table' argument
  acpi: convert linker from GArray to BIOSLinker structure
  pc: use AcpiDeviceIfClass.send_event to issue GPE events
  acpi: extend ACPI interface to provide send_event hook
  pc: Postpone SMBIOS table installation to post machine init
  ipmi: rework the fwinfo to be fetched from the interface
  tests: acpi: update tables with consolidated legacy cpu-hotplug AML
  pc: acpi: cpuhp-legacy: switch ProcessorID to possible_cpus idx
  pc: acpi: simplify build_legacy_cpu_hotplug_aml() signature
  pc: acpi: consolidate legacy CPU hotplug in one file
  pc: acpi: mark current CPU hotplug functions as legacy
  pc: acpi: cpu-hotplug: make AML CPU_foo defines local to cpu_hotplug_acpi_table.c
  pc: acpi: consolidate \GPE._E02 with the rest of CPU hotplug AML
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago docker: Don't use eval trick on Makefile
Eduardo Habkost [Mon, 6 Jun 2016 15:53:54 +0000 (12:53 -0300)]
docker: Don't use eval trick on Makefile

The eval trick for defining DOCKER_SRC_COPY doesn't do anything
useful, as DOCKER_SRC_COPY is immediately expanded just after it
is defined, and CUR_TIME is already defined using ":=". Simply
define it using ":=" so it is evaluated only once.

The eval trick was also triggering a weird error on Travis builds:
  qemu/tests/docker/Makefile.include:34: *** unterminated variable reference.  Stop.

The issue is not easily reproducible (maybe it's a bug in some
versions of Make), but it is avoided by removing the eval trick.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago virtio: move bi-endian target support to a single location
Greg Kurz [Tue, 31 May 2016 08:09:54 +0000 (10:09 +0200)]
virtio: move bi-endian target support to a single location

Paolo's recent cpu.h cleanups broke legacy virtio for ppc64 LE guests (and
arm BE guests as well, even if I have not verified that). Especially, commit
"33c11879fd42 qemu-common: push cpu.h inclusion out of qemu-common.h" has
the side-effect of silently hiding the TARGET_IS_BIENDIAN macro from the
virtio memory accessors, and thus fully disabling support of endian changing
targets.

To be sure this cannot happen again, let's gather all the bi-endian bits
where they belong in include/hw/virtio/virtio-access.h.

The changes in hw/virtio/vhost.c are safe because vhost_needs_vring_endian()
is not called on a hot path and non bi-endian targets will return false
anyway.

While here, also rename TARGET_IS_BIENDIAN to be more precise: it is only for
legacy virtio and bi-endian guests.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
8 years ago pc-dimm: introduce realize callback
Xiao Guangrong [Fri, 20 May 2016 08:19:59 +0000 (16:19 +0800)]
pc-dimm: introduce realize callback

nvdimm needs to check if the backend memory is large enough to contain
label data and init its memory region when the device is realized, so
introduce realize callback which is called after common dimm has been
realized

Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
8 years ago pc-dimm: get memory region from ->get_memory_region()
Xiao Guangrong [Fri, 20 May 2016 08:19:58 +0000 (16:19 +0800)]
pc-dimm: get memory region from ->get_memory_region()

Currently, the memory region of backed memory is all directly
mapped to guest's address space, however, it will not be true
for nvdimm device if we introduce nvdimm label which only can
be indirectly accessed by ACPI DSM method

Also it improves the comments a bit to reflect this fact

Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
8 years ago acpi: make bios_linker_loader_add_checksum() API offset based
Igor Mammedov [Thu, 19 May 2016 13:19:30 +0000 (15:19 +0200)]
acpi: make bios_linker_loader_add_checksum() API offset based

It should help to make clear that bios_linker works in terms
of offsets within a file. Also it should prevent mistakes
where user passes as arguments pointers to blobs unrelated to the file.

While at it, considering that it's an ACPI checksum and
its initial value must be 0, move checksum field zeroing
into bios_linker_loader_add_checksum() instead of doing it
at every call site manually before bios_linker_loader_add_checksum()
is called.

In addition add extra boundary checks.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago acpi: make bios_linker_loader_add_pointer() API offset based
Igor Mammedov [Thu, 19 May 2016 13:19:29 +0000 (15:19 +0200)]
acpi: make bios_linker_loader_add_pointer() API offset based

cleanup bios_linker_loader_add_pointer() API by switching
arguments to taking offsets relative to corresponding files
instead of doing pointer arithmetic on behalf of user which
was confusing.

Also make offset inside of source file explicit in API
so that user won't have to manually set it in
destination file blob and while at it add additional
boundary checks.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago tpm: apci: cleanup TCPA table initialization
Igor Mammedov [Thu, 19 May 2016 13:19:28 +0000 (15:19 +0200)]
tpm: apci: cleanup TCPA table initialization

At the time build_tpm_tcpa() is called the tcpalog size is
always 0, so log_area_start_address which is actually offset
from the start of ACPI_BUILD_TPMLOG_FILE is always 0.

Also as 'TCPA' is allocated 0 filled, there is no point
in calculating always 0 log_area_start_address and set
tcpa->log_area_start_address to it since the field should
always point to start of ACPI_BUILD_TPMLOG_FILE.
Make code easier to read dropping not needed offset
calculations.
While at that move tcpalog allocation closer to the code
that defines its size.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago acpi: cleanup bios_linker_loader_cleanup()
Igor Mammedov [Thu, 19 May 2016 13:19:27 +0000 (15:19 +0200)]
acpi: cleanup bios_linker_loader_cleanup()

bios_linker_loader_cleanup() is called only from one place
and returned value is immediately freed which makes returning
pointer from bios_linker_loader_cleanup() useless.

Cleanup bios_linker_loader_cleanup() by freeing
data there so that caller won't have to free it.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago acpi: simplify bios_linker API by removing redundant 'table' argument
Igor Mammedov [Thu, 19 May 2016 13:19:26 +0000 (15:19 +0200)]
acpi: simplify bios_linker API by removing redundant 'table' argument

'table' argument in bios_linker_add_foo() commands is
a data blob of one of files also passed to the same API.
So instead of passing blob in every API call, add and keep
file name association with related blob at bios_linker_loader_alloc()
time.

And find blob by name looking up allocated file entries
inside of bios_linker_add_foo() commands.

It will:
 - make API less confusing,
 - enforce calling bios_linker_loader_alloc() before
   calling any bios_linker_add_foo()
 - make sure that blob is the correct one, i.e.
   associated with the right file name

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago acpi: convert linker from GArray to BIOSLinker structure
Igor Mammedov [Thu, 19 May 2016 13:19:25 +0000 (15:19 +0200)]
acpi: convert linker from GArray to BIOSLinker structure

Patch just changes type of linker variables to
a structure, there aren't any functional changes.

Converting linker to a structure will allow to extend
its functionality in follow up patch adding sanity blob
checks.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago pc: use AcpiDeviceIfClass.send_event to issue GPE events
Igor Mammedov [Tue, 31 May 2016 10:01:17 +0000 (12:01 +0200)]
pc: use AcpiDeviceIfClass.send_event to issue GPE events

it reduces number of args passed in handlers by 1 and
a number of used proxy wrappers saving ~20LOC.
Also it allows to make cpu/mem hotplug code more
universal as it would allow ARM to reuse it without
rewrite by providing its own send_event callback
to trigger events using GPIO instead of GPE
as fixed hardware ACPI model doesn't have GPE at all.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago acpi: extend ACPI interface to provide send_event hook
Igor Mammedov [Tue, 31 May 2016 09:57:57 +0000 (11:57 +0200)]
acpi: extend ACPI interface to provide send_event hook

send_event() hook will allow to send ACPI event in
a target specific way (GPE or GPIO based impl.)
it will also simplify proxy wrappers in piix4pm/ich9
that access ACPI regs and SCI which are part of
piix4pm/lcp_ich9 devices and call acpi_foo() API directly.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: Postpone SMBIOS table installation to post machine init
Corey Minyard [Tue, 24 May 2016 17:37:18 +0000 (12:37 -0500)]
pc: Postpone SMBIOS table installation to post machine init

This is the same place that the ACPI SSDT table gets added, so that
devices can add themselves to the SMBIOS table.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago ipmi: rework the fwinfo to be fetched from the interface
Corey Minyard [Tue, 24 May 2016 17:37:17 +0000 (12:37 -0500)]
ipmi: rework the fwinfo to be fetched from the interface

Instead of scanning IPMI devices from a fwinfo list, allow
the fwinfo to be fetched from the IPMI interface class.
Then the code looking for IPMI fwinfo can scan devices on a
bus and look for ones that implement the IPMI class.

This will let the ACPI scope be defined by the calling
code so the IPMI code doesn't have to know the scope.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago tests: acpi: update tables with consolidated legacy cpu-hotplug AML
Igor Mammedov [Tue, 17 May 2016 14:43:04 +0000 (16:43 +0200)]
tests: acpi: update tables with consolidated legacy cpu-hotplug AML

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago pc: acpi: cpuhp-legacy: switch ProcessorID to possible_cpus idx
Igor Mammedov [Tue, 17 May 2016 14:43:03 +0000 (16:43 +0200)]
pc: acpi: cpuhp-legacy: switch ProcessorID to possible_cpus idx

In legacy cpu-hotplug ProcessorID == APIC ID is used
in MADT and cpu-hotplug AML. It was fine as both
are 8bit and unique. Spec deprecated Processor()
with corresponding ProcessorID and advises to use
Device() and UID instead of it.

However UID is just 32bit and it can't fit ARM's
arch_id(MPIDR) which is 64bit. Also in case of
sparse arch_id() distribution, management/lookup
of maps by arch_id(APIC ID/MPIDR) becomes complex
and expensive.

In preparation to common CPU hotplug with ARM
and to simplify lookup in possible_cpus[] map
switch ProcessorID to possible_cpus index in
MADT.

Legacy cpu-hotplug considerations:
HW interface of it is APIC ID based bitmask so
it's impossible to change, also CPON package in
AML is also APIC ID based as well as all the methods.

To avoid massive rewrite of AML keep it so and
just break assumption that ProcessorID == APIC ID,
amending CPU_MAT_METHOD to accept APIC ID and
possible_cpus index, it needs them both to patch
MADT entry template. Also switch to possible_cpus
index Processor(ProcessorID) AML.
That way changes to MADT/AML are minimal and kept
inside AML/MADT not affecting external interfaces.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago pc: acpi: simplify build_legacy_cpu_hotplug_aml() signature
Igor Mammedov [Tue, 17 May 2016 14:43:02 +0000 (16:43 +0200)]
pc: acpi: simplify build_legacy_cpu_hotplug_aml() signature

since IO block used by CPU hotplug is fixed size and
initialized in the same file as build_legacy_cpu_hotplug_aml()
just use ACPI_GPE_PROC_LEN directly instead of passing
it around in several files.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: acpi: consolidate legacy CPU hotplug in one file
Igor Mammedov [Tue, 17 May 2016 14:43:01 +0000 (16:43 +0200)]
pc: acpi: consolidate legacy CPU hotplug in one file

Since AML part of CPU hotplug is tightly coupled with
its hardware part (IO port layout/protocol), move
build_legacy_cpu_hotplug_aml() to cpu_hotplug.c
and remove empty cpu_hotplug_acpi_table.c

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: acpi: mark current CPU hotplug functions as legacy
Igor Mammedov [Tue, 17 May 2016 14:43:00 +0000 (16:43 +0200)]
pc: acpi: mark current CPU hotplug functions as legacy

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: acpi: cpu-hotplug: make AML CPU_foo defines local to cpu_hotplug_acpi_table.c
Igor Mammedov [Tue, 17 May 2016 14:42:59 +0000 (16:42 +0200)]
pc: acpi: cpu-hotplug: make AML CPU_foo defines local to cpu_hotplug_acpi_table.c

now as those defines are used only locally inside of
cpu_hotplug_acpi_table.c, move them out of header file.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: acpi: consolidate \GPE._E02 with the rest of CPU hotplug AML
Igor Mammedov [Tue, 17 May 2016 14:42:58 +0000 (16:42 +0200)]
pc: acpi: consolidate \GPE._E02 with the rest of CPU hotplug AML

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago pc: acpi: consolidate CPU hotplug AML
Igor Mammedov [Tue, 17 May 2016 14:42:57 +0000 (16:42 +0200)]
pc: acpi: consolidate CPU hotplug AML

move the former SSDT part of CPU hotplug close to DSDT part.
AML is only moved but there isn't any functional change.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 years ago pc: acpi: remove AML for empty/not used GPE handlers
Igor Mammedov [Tue, 17 May 2016 14:42:56 +0000 (16:42 +0200)]
pc: acpi: remove AML for empty/not used GPE handlers

ACPI spec requires GPE handlers only for GPE events
that hardware implements.
So remove AML for not supported by QEMU device model
events.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago acpi: add aml_refof()
Igor Mammedov [Tue, 17 May 2016 14:42:55 +0000 (16:42 +0200)]
acpi: add aml_refof()

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago acpi: add aml_debug()
Igor Mammedov [Tue, 17 May 2016 14:42:54 +0000 (16:42 +0200)]
acpi: add aml_debug()

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago tests: acpi: report names of expected files in verbose mode
Igor Mammedov [Thu, 26 May 2016 09:46:45 +0000 (11:46 +0200)]
tests: acpi: report names of expected files in verbose mode

print expected file name if it doesn't exist if
verbose mode is enabled*. It helps to avoid running
bios-tables-test under debugger to figure out missing
file name.

*)
verbose mode is enabled if "V" env. variable is set

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
8 years ago Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160607' into staging
Peter Maydell [Tue, 7 Jun 2016 11:54:25 +0000 (12:54 +0100)]
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160607' into staging

ppc patch queue for 2016-05-31

Latest patch queue for ppc.  Several significant things in here:
  * A bunch of patches from BenH fixing things in TCG
     - This should fix several regressions introduced by recent
       patches for better HV mode support
     - It also fixes some other bugs discovered along the way
  * Some fixes and cleanups for Mac machine types from Marc
    Cave-Ayland
  * Preliminary patches towards dynamic DMA window support from Alexey
    Kardashevskiy
      - This includes a patch to migration code
  * Increase number of hotpluggable memory slots
      - Includes a change to KVM generic code, ACKed by Paolo
  * Another TCG fix for an SPE instruction

# gpg: Signature made Tue 07 Jun 2016 11:46:57 BST
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.7-20160607: (26 commits)
  ppc: Do not take exceptions on unknown SPRs in privileged mode
  ppc: Add missing slbfee. instruction on ppc64 BookS processors
  ppc: Fix slbia decode
  ppc: Fix mtmsr decoding
  ppc: POWER7 has lq/stq instructions and stq need to check ISA
  ppc: POWER7 had ACOP and PID registers
  ppc: Batch TLB flushes on 32-bit 6xx/7xx/7xxx in hash mode
  ppc: Fix tlb invalidations on 6xx/7xx/7xxx 32-bit processors
  ppc: Properly tag the translation cache based on MMU mode
  dbdma: use DMA memory interface for memory accesses
  macio: use DMA memory interface for non-block ATAPI transfers
  target-ppc: fixup bitrot in mmu_helper.c debug statements
  spapr_pci: Drop cannot_instantiate_with_device_add_yet=false
  ppc: fix hrfid, tlbia and slbia privilege
  ppc: Fix hreg_store_msr() so that non-HV mode cannot alter MSR:HV
  ppc: Better figure out if processor has HV mode
  spapr: Introduce pseries-2.7 machine type
  spapr: Increase hotpluggable memory slots to 256
  spapr_pci: Add and export DMA resetting helper
  spapr_pci: Reset DMA config on PHB reset
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago ppc: Do not take exceptions on unknown SPRs in privileged mode
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:28 +0000 (12:50 +1000)]
ppc: Do not take exceptions on unknown SPRs in privileged mode

The architecture specifies that mtspr/mfspr on an unknown SPR number
should act as a nop in privileged mode.

I haven't removed the warning however as it can be useful for
diagnosing.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Add missing slbfee. instruction on ppc64 BookS processors
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:27 +0000 (12:50 +1000)]
ppc: Add missing slbfee. instruction on ppc64 BookS processors

Used to lookup SLB entries by address, for some reason it was missing.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Fix slbia decode
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:26 +0000 (12:50 +1000)]
ppc: Fix slbia decode

Since at least the 2.05 architecture, the slbia instruction takes an
IH field in the opcode to provide some control on the effect of the
slbia on the ERATs (level-1 TLB).

We can safely ignore it as we always flush the whole qemu TLB but
we should allow the bits in the decode.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Fix mtmsr decoding
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:25 +0000 (12:50 +1000)]
ppc: Fix mtmsr decoding

We had code to handle the L bit in the opcode but we didn't
allow it in the decode mask.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: POWER7 has lq/stq instructions and stq need to check ISA
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:24 +0000 (12:50 +1000)]
ppc: POWER7 has lq/stq instructions and stq need to check ISA

The PPC_64BX instruction flag is used for a couple of newer
instructions currently on POWER8 but our implementation for
them works for POWER7 too (and already does the proper checking
of what is permitted) with one exception: stq needs to check
the ISA version.

This fixes the latter and adds the instructions to POWER7

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: POWER7 had ACOP and PID registers
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:23 +0000 (12:50 +1000)]
ppc: POWER7 had ACOP and PID registers

We only had them on POWER8, add them to POWER7 as well

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Batch TLB flushes on 32-bit 6xx/7xx/7xxx in hash mode
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:22 +0000 (12:50 +1000)]
ppc: Batch TLB flushes on 32-bit 6xx/7xx/7xxx in hash mode

This ports the existing 64-bit mechanism to 32-bit, thus series
of 64 tlbie's followed by a sync like some versions of Darwin
(ab)use will result in a single flush.

We apply a pending flush on any sync instruction though, as Darwin
doesn't use tlbsync on non-SMP systems.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Fix tlb invalidations on 6xx/7xx/7xxx 32-bit processors
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:21 +0000 (12:50 +1000)]
ppc: Fix tlb invalidations on 6xx/7xx/7xxx 32-bit processors

The processor only uses some bits of the address and invalidates an
entire congruence class. Some OSes such as Darwin and HelenOS take
advantage of this and occasionally invalidate the entire TLB by just
doing a series of 64 consecutive tlbie for example.

Our code tries to be too smart here only invalidating a segment
congruence class (ie, allowing more address bits to be relevant
in the invalidation), this fails miserably on those OSes.

Instead don't bother, do like ppc64 and blow the whole tlb when tlbie
is executed.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Properly tag the translation cache based on MMU mode
Benjamin Herrenschmidt [Tue, 7 Jun 2016 02:50:20 +0000 (12:50 +1000)]
ppc: Properly tag the translation cache based on MMU mode

We used to always flush the TLB when changing relocation mode in
MSR:IR and MSR:DR (ie. MMU on/off for Instructions and Data).

We don't anymore since we have split mmu_idx for instruction and data.

However, since we hard code the mmu_idx in the translated code, we
now need to also make sure MSR:IR and MSR:DR are part of the hflags
used to tag translated code, so that we use different translated
code for different MMU settings.

Darwin gets hurt by this problem.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago dbdma: use DMA memory interface for memory accesses
Mark Cave-Ayland [Sun, 5 Jun 2016 22:36:43 +0000 (23:36 +0100)]
dbdma: use DMA memory interface for memory accesses

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago macio: use DMA memory interface for non-block ATAPI transfers
Mark Cave-Ayland [Sun, 5 Jun 2016 22:36:42 +0000 (23:36 +0100)]
macio: use DMA memory interface for non-block ATAPI transfers

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago target-ppc: fixup bitrot in mmu_helper.c debug statements
Mark Cave-Ayland [Fri, 3 Jun 2016 13:58:09 +0000 (14:58 +0100)]
target-ppc: fixup bitrot in mmu_helper.c debug statements

This fixes compilation of mmu_helper.c when all of the debug #defines at
the start of the file are enabled.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_pci: Drop cannot_instantiate_with_device_add_yet=false
Markus Armbruster [Fri, 3 Jun 2016 13:04:34 +0000 (15:04 +0200)]
spapr_pci: Drop cannot_instantiate_with_device_add_yet=false

It's become redundant since it was added in commit 09aa9a5 "spapr-pci:
enable adding PHB via -device".

Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: fix hrfid, tlbia and slbia privilege
Cédric Le Goater [Fri, 3 Jun 2016 12:11:20 +0000 (14:11 +0200)]
ppc: fix hrfid, tlbia and slbia privilege

commit 74693da98894 ('ppc: tlbie, tlbia and tlbisync are HV only')
introduced some extra checks on the instruction privilege. slbia was
changed wrongly and hrfid, tlbia were forgotten.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Fix hreg_store_msr() so that non-HV mode cannot alter MSR:HV
Benjamin Herrenschmidt [Fri, 3 Jun 2016 12:11:18 +0000 (14:11 +0200)]
ppc: Fix hreg_store_msr() so that non-HV mode cannot alter MSR:HV

This helper is only used by the various instructions that can alter
MSR and not interrupts. Add a comment to that effect to the interrupt
code as well in case somebody wants to change this

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago ppc: Better figure out if processor has HV mode
Benjamin Herrenschmidt [Fri, 3 Jun 2016 12:11:19 +0000 (14:11 +0200)]
ppc: Better figure out if processor has HV mode

We use an env. flag which is set to the initial value of MSR_HVB in
the msr_mask. We also adjust the POWER8 mask to set SHV.

Also use this to adjust ctx.hv so that it is *set* when the processor
doesn't have an HV mode (970 with Apple mode for example), thus enabling
hypervisor instructions/SPRs.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
[clg: ctx.hv used to be defined only for the hypervisor kernel
      (HV=1|PR=0). It is now defined also when PR=1 and conditions are
      fixed accordingly.
      stripped unwanted tabs.]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr: Introduce pseries-2.7 machine type
Bharata B Rao [Fri, 3 Jun 2016 05:49:42 +0000 (11:19 +0530)]
spapr: Introduce pseries-2.7 machine type

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr: Increase hotpluggable memory slots to 256
Bharata B Rao [Thu, 2 Jun 2016 14:07:37 +0000 (19:37 +0530)]
spapr: Increase hotpluggable memory slots to 256

KVM now supports 512 memslots on PowerPC (earlier it was 32). Allow half
of it (256) to be used as hotpluggable memory slots.

Instead of hard coding the max value, use the KVM supplied value if KVM
is enabled. Otherwise resort to the default value of 32.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_pci: Add and export DMA resetting helper
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:39 +0000 (18:57 +1000)]
spapr_pci: Add and export DMA resetting helper

This will be later used by the "ibm,reset-pe-dma-window" RTAS handler
which resets the DMA configuration to the defaults.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_pci: Reset DMA config on PHB reset
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:36 +0000 (18:57 +1000)]
spapr_pci: Reset DMA config on PHB reset

LoPAPR dictates that during system reset all DMA windows must be removed
and the default DMA32 window must be created so does the patch.

At the moment there is just one window supported so no change in
behaviour is expected.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_iommu: Add root memory region
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:35 +0000 (18:57 +1000)]
spapr_iommu: Add root memory region

We are going to have multiple DMA windows at different offsets on
a PCI bus. For the sake of migration, we will have as many TCE table
objects pre-created as many windows supported.
So we need a way to map windows dynamically onto a PCI bus
when migration of a table is completed but at this stage a TCE table
object does not have access to a PHB to ask it to map a DMA window
backed by just migrated TCE table.

This adds a "root" memory region (UINT64_MAX long) to the TCE object.
This new region is mapped on a PCI bus with enabled overlapping as
there will be one root MR per TCE table, each of them mapped at 0.
The actual IOMMU memory region is a subregion of the root region and
a TCE table enables/disables this subregion and maps it at
the specific offset inside the root MR which is 1:1 mapping of
a PCI address space.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_iommu: Migrate full state
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:34 +0000 (18:57 +1000)]
spapr_iommu: Migrate full state

The source guest could have reallocated the default TCE table and
migrate bigger/smaller table. This adds reallocation in post_load()
if the default table size is different on source and destination.

This adds @bus_offset, @page_shift to the migration stream as
a subsection so when DDW is added, migration to older machines will
still be possible. As @bus_offset and @page_shift are not used yet,
this makes no change in behavior.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago spapr_iommu: Introduce "enabled" state for TCE table
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:33 +0000 (18:57 +1000)]
spapr_iommu: Introduce "enabled" state for TCE table

Currently TCE tables are created once at start and their sizes never
change. We are going to change that by introducing a Dynamic DMA windows
support where DMA configuration may change during the guest execution.

This changes spapr_tce_new_table() to create an empty zero-size IOMMU
memory region (IOMMU MR). Only LIOBN is assigned by the time of creation.
It still will be called once at the owner object (VIO or PHB) creation.

This introduces an "enabled" state for TCE table objects, some
helper functions are added:
- spapr_tce_table_enable() receives TCE table parameters, stores in
sPAPRTCETable and allocates a guest view of the TCE table
(in the user space or KVM) and sets the correct size on the IOMMU MR;
- spapr_tce_table_disable() disposes the table and resets the IOMMU MR
size; it is made public as the following DDW code will be using it.

This changes the PHB reset handler to do the default DMA initialization
instead of spapr_phb_realize(). This does not make a difference now but
later with more than just one DMA window, we will have to remove them all
and create the default one on a system reset.

No visible change in behaviour is expected except the actual table
will be reallocated every reset. We might optimize this later.

The other way to implement this would be dynamically create/remove
the TCE table QOM objects but this would make migration impossible
as the migration code expects all QOM objects to exist at the receiver
so we have to have TCE table objects created when migration begins.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago vmstate: Define VARRAY with VMS_ALLOC
Alexey Kardashevskiy [Wed, 1 Jun 2016 08:57:32 +0000 (18:57 +1000)]
vmstate: Define VARRAY with VMS_ALLOC

This allows dynamic allocation for migrating arrays.

Already existing VMSTATE_VARRAY_UINT32 requires an array to be
pre-allocated, however there are cases when the size is not known in
advance and there is no real need to enforce it.

This defines another variant of VMSTATE_VARRAY_UINT32 with VMS_ALLOC
flag which tells the receiving side to allocate memory for the array
before receiving the data.

The first user of it is a dynamic DMA window whose existence and size
are totally dynamic.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago kvm: API to obtain max supported mem slots
Bharata B Rao [Wed, 1 Jun 2016 09:51:24 +0000 (15:21 +0530)]
kvm: API to obtain max supported mem slots

Introduce kvm_get_max_memslots() API that can be used to obtain the
maximum number of memslots supported by KVM.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
8 years ago target-ppc/fpu_helper: Fix efscmp* instructions handling
Talha Imran [Thu, 19 May 2016 12:11:35 +0000 (17:11 +0500)]
target-ppc/fpu_helper: Fix efscmp* instructions handling

With specification at hand from the reference manual from Freescale
http://cache.nxp.com/files/32bit/doc/ref_manual/SPEPEM.pdf , I have found a fix
to efscmp* instructions handling in QEMU.

efscmp* instructions in QEMU set crD (Condition Register nibble) values as
(0b0100 << 2) = 0b10000 (consider the HELPER_SINGLE_SPE_CMP macro which left
shifts the value returned by efscmp* handler by 2 bits). A value of 0b10000 is
not correct according to the reference manual.

The reference manual expects efscmp* instructions to return a value of 0bx1xx.
Please find attached a patch which disables left shifting in
HELPER_SINGLE_SPE_CMP macro. This macro is used by efscmp* and efstst*
instructions only. efstst* instruction handlers, in turn, call efscmp* handlers
too.

*Explanation:*
Traditionally, each crD (condition register nibble) consists of 4 bits, which are
set by comparisons as follows:
crD = W X Y Z
where
W = Less than
X = Greater than
Y = Equal to

However, efscmp* instructions being a special case return a binary result.
(efscmpeq will set the crD = 0bx1xx iff when op1 == op2 and 0bx0xx otherwise;
i.e. there is no notion of different crD values based on Less than, Greater
than and Equal to).

This effectively means that crD will store a "Greater than" comparison result
iff efscmp* instruction comparison is TRUE. Compiler exploits this feature by
checking for "Branch if Less than or Equal to" (ble instruction) OR "Branch if
Greater than" (bgt instruction) for Branch if FALSE OR Branch if TRUE
respectively after an efscmp* instruction. This can be seen in an assembly code
snippet below:

27          if (__real__ x != 3.0f || __imag__ x != 4.0f)
10000498:   lwz r10,8(r31)
1000049c:   lis r9,16448
100004a0:   efscmpeq cr7,r10,r9
100004a4:   ble- cr7,0x100004b8 <bar+60>  //jump to abort() call
100004a8:   lwz r10,12(r31)
100004ac:   lis r9,16512
100004b0:   efscmpeq cr7,r10,r9
100004b4:   bgt- cr7,0x100004bc <bar+64>  //skip abort() call
28            abort ();
100004b8:   bl 0x10000808 <abort>

Signed-off-by: Talha Imran <talha_imran@mentor.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
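
The effect described in the commit message above, modelled as an added example (not QEMU's code and not part of the commit). The helper names, the `CRF_*` masks and the assumption that `bgt`/`ble` test bit 0b0100 of the value the helper returns are this example's own; the control flow follows the disassembly quoted in the message.

```c
#include <stdint.h>

/* crD = W X Y Z, with W = less than, X = greater than, Y = equal to. */
#define CRF_LT 0x8u
#define CRF_GT 0x4u
#define CRF_EQ 0x2u

/* Comparison core as the message describes it: 0b0100 when the operands
 * are equal, 0 otherwise (hypothetical name). */
static uint32_t efscmpeq_core(float op1, float op2)
{
    return op1 == op2 ? CRF_GT : 0u;
}

/* Before the fix: the wrapper shifts the result left by 2 -> 0b10000. */
uint32_t efscmpeq_shifted(float op1, float op2)
{
    return efscmpeq_core(op1, op2) << 2;
}

/* After the fix: the result is stored unshifted -> 0bx1xx. */
uint32_t efscmpeq_unshifted(float op1, float op2)
{
    return efscmpeq_core(op1, op2);
}

/* Assumption: both branches look only at the "greater than" bit. */
static int bgt_taken(uint32_t crf) { return (crf & CRF_GT) != 0; }
static int ble_taken(uint32_t crf) { return (crf & CRF_GT) == 0; }

typedef uint32_t (*efscmpeq_fn)(float, float);

/* Control flow of the quoted disassembly for
 *   if (__real__ x != 3.0f || __imag__ x != 4.0f) abort();
 * Returns 1 when the abort() call is reached, 0 when it is skipped. */
int reaches_abort(efscmpeq_fn efscmpeq, float re, float im)
{
    if (ble_taken(efscmpeq(re, 3.0f))) {
        return 1;               /* 100004a4: ble- jumps to the abort() call */
    }
    if (bgt_taken(efscmpeq(im, 4.0f))) {
        return 0;               /* 100004b4: bgt- skips the abort() call */
    }
    return 1;                   /* falls through to bl abort */
}
```

With the shifted result the "greater than" bit is never set, so in this model the guest reaches `abort()` even for x = 3.0 + 4.0i.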
8 years ago Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160606-1' into...
Peter Maydell [Mon, 6 Jun 2016 16:02:42 +0000 (17:02 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160606-1' into staging

target-arm queue:
 * support instruction syndrome info for data aborts from A64 to EL2
 * add HSTR_EL2 register
 * fix incorrect ESR IL bits in various syndrome register cases
 * virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range
 * gicv2: RAZ/WI non-sec access to sec interrupts
 * i2c: add aspeed i2c controller
 * virt: Reject gic-version=host for non-KVM (don't segv on aarch64 host)
 * xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
 * xlnx-zynqmp: Support KVM on AArch64 hosts
 * ptimer: Various fixes for awkward corner cases
 * char: QOMify various ARM UART models
 * char: get rid of qemu_char_get_next_serial
 * target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
 * zynqmp: Add the ZCU102 board

# gpg: Signature made Mon 06 Jun 2016 17:01:11 BST
# gpg:                using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"

* remotes/pmaydell/tags/pull-target-arm-20160606-1: (25 commits)
  zynqmp: Add the ZCU102 board
  target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
  char: get rid of qemu_char_get_next_serial
  hw/char: QOM'ify xilinx_uartlite model
  hw/char: QOM'ify stm32f2xx_usart model
  hw/char: QOM'ify digic-uart model
  hw/char: QOM'ify cadence_uart model
  hw/char: QOM'ify pl011 model
  hw/ptimer: Introduce ptimer_get_limit
  hw/ptimer: Support "on the fly" timer mode switch
  hw/ptimer: Update .delta on period/freq change
  hw/ptimer: Perform counter wrap around if timer already expired
  hw/ptimer: Fix issues caused by the adjusted timer limit value
  xlnx-zynqmp: Use the in kernel GIC model for KVM runs
  xlnx-zynqmp: Delay realization of GIC until post CPU realization
  xlnx-zynqmp: Make the RPU subsystem optional
  xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
  hw/arm/virt: Reject gic-version=host for non-KVM
  i2c: add aspeed i2c controller
  hw/intc/gic: RAZ/WI non-sec access to sec interrupts
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago zynqmp: Add the ZCU102 board
Alistair Francis [Mon, 6 Jun 2016 15:59:32 +0000 (16:59 +0100)]
zynqmp: Add the ZCU102 board

Most Zynq UltraScale+ users will be targeting and using the ZCU102
board instead of the development focused EP108. To make our QEMU machine
names clearer add a ZCU102 machine model.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: cc82eec026b2febfca252d73362bb7084616c1ad.1464213234.git.alistair.francis@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation
Sergey Sorokin [Mon, 6 Jun 2016 15:59:32 +0000 (16:59 +0100)]
target-arm: Fix TTBR selecting logic on AArch32 Stage 2 translation

Address size is 40-bit for the AArch32 stage 2 translation,
and t0sz can be negative (from -8 to 7),
so we need to adjust it to use the existing TTBR selecting logic.

Signed-off-by: Sergey Sorokin <afarallax@yandex.ru>
Message-id: 1464974151-1231644-1-git-send-email-afarallax@yandex.ru
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago char: get rid of qemu_char_get_next_serial
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:32 +0000 (16:59 +0100)]
char: get rid of qemu_char_get_next_serial

since there is no user of qemu_char_get_next_serial any more,
it's time to let it go away.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-7-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/char: QOM'ify xilinx_uartlite model
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:32 +0000 (16:59 +0100)]
hw/char: QOM'ify xilinx_uartlite model

* drop qemu_char_get_next_serial and use chardev prop
* create xilinx_uartlite_create wrapper function to create
  xilinx_uartlite device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-6-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/char: QOM'ify stm32f2xx_usart model
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:32 +0000 (16:59 +0100)]
hw/char: QOM'ify stm32f2xx_usart model

* drop qemu_char_get_next_serial and use chardev prop
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-5-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/char: QOM'ify digic-uart model
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:31 +0000 (16:59 +0100)]
hw/char: QOM'ify digic-uart model

* drop qemu_char_get_next_serial and use chardev prop
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-4-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/char: QOM'ify cadence_uart model
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:31 +0000 (16:59 +0100)]
hw/char: QOM'ify cadence_uart model

* drop qemu_char_get_next_serial and use chardev prop
* create cadence_uart_create wrapper function to create
  cadence_uart_device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-3-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/char: QOM'ify pl011 model
xiaoqiang zhao [Mon, 6 Jun 2016 15:59:31 +0000 (16:59 +0100)]
hw/char: QOM'ify pl011 model

* drop qemu_char_get_next_serial and use chardev prop
* add pl011_create wrapper function to create pl011 uart device
* change affected board code to use the new way

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1465028065-5855-2-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/ptimer: Introduce ptimer_get_limit
Dmitry Osipenko [Mon, 6 Jun 2016 15:59:31 +0000 (16:59 +0100)]
hw/ptimer: Introduce ptimer_get_limit

Currently ptimer users are used to store copy of the limit value, because
ptimer doesn't provide facility to retrieve the limit. Let's provide it.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 8f1fa9f90d8dbf8086fb02f3b4835eaeb4089cf6.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/ptimer: Support "on the fly" timer mode switch
Dmitry Osipenko [Mon, 6 Jun 2016 15:59:31 +0000 (16:59 +0100)]
hw/ptimer: Support "on the fly" timer mode switch

Allow switching between periodic <-> oneshot modes while timer is running.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: f030be6e28fbd219e1e8d22297aee367bd9af5bb.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/ptimer: Update .delta on period/freq change
Dmitry Osipenko [Mon, 6 Jun 2016 15:59:30 +0000 (16:59 +0100)]
hw/ptimer: Update .delta on period/freq change

Delta value must be updated on period/freq change, otherwise running timer
would be restarted (counter reloaded with old delta). Only m68k/mcf520x
and arm/arm_timer devices are currently doing freq change correctly, i.e.
stopping the timer. Perform delta update to fix affected devices and
eliminate potential further mistakes.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 4987ef5fdc128bb9a744fd794d3f609135c6a39c.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/ptimer: Perform counter wrap around if timer already expired
Dmitry Osipenko [Mon, 6 Jun 2016 15:59:30 +0000 (16:59 +0100)]
hw/ptimer: Perform counter wrap around if timer already expired

ptimer_get_count() might be called while the QEMU timer has already expired.
In that case ptimer would return counter = 0, which might be undesirable
in case of polled timer. Do counter wrap around for periodic timer to keep
it distributed. In order to achieve more accurate emulation behaviour of
certain hardware, don't perform wrap around when in icount mode and return
counter = 0 in that case (that doesn't affect polled counter distribution).

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 4ce381c7d24d85d165ff251d2875d16a4b6a5c04.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/ptimer: Fix issues caused by the adjusted timer limit value
Dmitry Osipenko [Mon, 6 Jun 2016 15:59:30 +0000 (16:59 +0100)]
hw/ptimer: Fix issues caused by the adjusted timer limit value

Multiple issues here related to the timer with an adjusted .limit value:

1) ptimer_get_count() returns incorrect counter value for the disabled
timer after loading the counter with a small value, because adjusted limit
value is used instead of the original.

For instance:
    1) ptimer_stop(t)
    2) ptimer_set_period(t, 1)
    3) ptimer_set_limit(t, 0, 1)
    4) ptimer_get_count(t) <-- would return 10000 instead of 0

2) ptimer_get_count() might return incorrect value for the timer running
with an adjusted limit value.

For instance:
    1) ptimer_stop(t)
    2) ptimer_set_period(t, 1)
    3) ptimer_set_limit(t, 10, 1)
    4) ptimer_run(t)
    5) ptimer_get_count(t) <-- might return value > 10

3) Neither ptimer_set_period() nor ptimer_set_freq() are adjusting the
limit value, so it is still possible to make timer timeout value
arbitrarily small.

For instance:
    1) ptimer_set_period(t, 10000)
    2) ptimer_set_limit(t, 1, 0)
    3) ptimer_set_period(t, 1) <-- bypass limit correction

Fix all of the above issues by adjusting timer period instead of the limit.
Perform the adjustment for periodic timer only. Use the delta value instead
of the limit to make decision whether adjustment is required, as limit could
be altered while timer is running, resulting in incorrect value returned by
ptimer_get_count.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: cd141f74f5737480ec586b9c7d18cce1d69884e2.1464367869.git.digetx@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago xlnx-zynqmp: Use the in kernel GIC model for KVM runs
Edgar E. Iglesias [Mon, 6 Jun 2016 15:59:30 +0000 (16:59 +0100)]
xlnx-zynqmp: Use the in kernel GIC model for KVM runs

Use the in kernel GIC model when running with KVM enabled.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-5-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago xlnx-zynqmp: Delay realization of GIC until post CPU realization
Edgar E. Iglesias [Mon, 6 Jun 2016 15:59:30 +0000 (16:59 +0100)]
xlnx-zynqmp: Delay realization of GIC until post CPU realization

Delay the realization of the GIC until after CPUs are
realized. This is needed for KVM as the in-kernel GIC
model will fail if it is realized with no available CPUs.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-4-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago xlnx-zynqmp: Make the RPU subsystem optional
Edgar E. Iglesias [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)]
xlnx-zynqmp: Make the RPU subsystem optional

The way we currently model the RPU subsystem is of quite
limited use. In addition to that, it causes problems for
KVM and for GDB debugging.

Make the RPU optional by adding a has_rpu property and
default to having it disabled.

This changes the default setup from having the RPU to
no longer having it.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-3-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions
Edgar E. Iglesias [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)]
xlnx-zynqmp: Add a secure prop to en/disable ARM Security Extensions

Add a secure prop to en/disable ARM Security Extensions.
This is particularly useful for KVM runs.

Default to disabled to match the behavior of KVM.

This changes the default setup from having the ARM Security
Extensions to no longer having them.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1464173555-12800-2-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/arm/virt: Reject gic-version=host for non-KVM
Cole Robinson [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)]
hw/arm/virt: Reject gic-version=host for non-KVM

If you try to gic-version=host with TCG on a KVM aarch64 host,
qemu segfaults, since host requires KVM APIs.

Explicitly reject gic-version=host if KVM is not enabled

https://bugzilla.redhat.com/show_bug.cgi?id=1339977
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e.1464273085.git.crobinso@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago i2c: add aspeed i2c controller
Cédric Le Goater [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)]
i2c: add aspeed i2c controller

The Aspeed AST2400 integrates a set of 14 I2C/SMBus bus controllers
directly connected to the APB bus. They can be programmed as master or
slave but the proposed model only supports the master mode.

On the TODO list, we also have :

 - improve and harden the state machine.
 - bus recovery support (used by the Linux driver).
 - transfer mode state machine bits. this is not strictly necessary as
   it is mostly used for debug. The bus busy bit is deducted from the
   I2C core engine of qemu.
 - support of the pool buffer: 2048 bytes of internal SRAM (not used
   by the Linux driver).

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1464704307-25178-1-git-send-email-clg@kaod.org
[PMM: removed unused functions aspeed_i2c_bus_get_state() and
 aspeed_i2c_bus_set_state()]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/intc/gic: RAZ/WI non-sec access to sec interrupts
Jens Wiklander [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)]
hw/intc/gic: RAZ/WI non-sec access to sec interrupts

Treat non-secure accesses to registers and bits in registers of secure
interrupts as RAZ/WI.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Message-id: 1464273945-2055-1-git-send-email-jens.wiklander@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago hw/arm/virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range
Ard Biesheuvel [Mon, 6 Jun 2016 15:59:28 +0000 (16:59 +0100)]
hw/arm/virt: fix limit of 64-bit ACPI/ECAM PCI MMIO range

Set the MMIO range limit field to 'base + size - 1' as required.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1463856217-17969-1-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago target-arm: Don't try to set ESR IL bit in arm_cpu_do_interrupt_aarch64()
Peter Maydell [Mon, 6 Jun 2016 15:59:28 +0000 (16:59 +0100)]
target-arm: Don't try to set ESR IL bit in arm_cpu_do_interrupt_aarch64()

Remove some incorrect code from arm_cpu_do_interrupt_aarch64()
which attempts to set the IL bit in the syndrome register based
on the value of env->thumb. This is wrong in several ways:
 * IL doesn't indicate Thumb-vs-ARM, it indicates instruction
   length (which may be 16 or 32 for Thumb and is always 32 for ARM)
 * not every syndrome format uses IL like this -- for some IL is
   always set, and for some it is always clear
 * the code is changing esr_el[new_el] even for interrupt entry,
   which is not supposed to modify ESR_ELx at all

Delete the code, and instead rely on the syndrome value in
env->exception.syndrome having already been set up with the
correct value of IL.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1463487258-27468-3-git-send-email-peter.maydell@linaro.org

8 years ago target-arm: Set IL bit in syndromes for insn abort, watchpoint, swstep
Peter Maydell [Mon, 6 Jun 2016 15:59:28 +0000 (16:59 +0100)]
target-arm: Set IL bit in syndromes for insn abort, watchpoint, swstep

For some exception syndrome types, the IL bit should always be set.
This includes the instruction abort, watchpoint and software step
syndrome types; add the missing ARM_EL_IL bit to the syndrome
values returned by syn_insn_abort(), syn_swstep() and syn_watchpoint().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1463487258-27468-2-git-send-email-peter.maydell@linaro.org

8 years ago target-arm: A64: Create Instruction Syndromes for Data Aborts
Edgar E. Iglesias [Mon, 6 Jun 2016 15:59:28 +0000 (16:59 +0100)]
target-arm: A64: Create Instruction Syndromes for Data Aborts

Add support for generating the ISS (Instruction Specific Syndrome) for
Data Abort exceptions taken from AArch64.
These syndromes are used by hypervisors for example to trap and emulate
memory accesses.

We save the decoded data out-of-band with the TBs at translation time.
When exceptions hit, the extra data attached to the TB is used to
recreate the state needed to encode instruction syndromes.
This avoids the need to emit moves with every load/store.

Based on a suggestion from Peter Maydell.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1462464601-10888-2-git-send-email-edgar.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago target-arm: Add the HSTR_EL2 register
Alistair Francis [Mon, 6 Jun 2016 15:59:28 +0000 (16:59 +0100)]
target-arm: Add the HSTR_EL2 register

Add the Hypervisor System Trap Register for EL2.

This register is used early in the Linux boot and without it the kernel
aborts with a "Synchronous Abort" error.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: ea5aae4b10283de4705b864fe9d4bd2eaddaacae.1463174342.git.alistair.francis@xilinx.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
Peter Maydell [Mon, 6 Jun 2016 14:17:52 +0000 (15:17 +0100)]
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

readdir_r() to readdir() conversion, various minor cleanups

# gpg: Signature made Mon 06 Jun 2016 10:52:52 BST
# gpg:                using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <gkurz@fr.ibm.com>"
# gpg:                 aka "Greg Kurz <groug@free.fr>"
# gpg:                 aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg:                 aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg:                 aka "Gregory Kurz (Cimai Technology) <gkurz@cimai.com>"
# gpg:                 aka "Gregory Kurz (Meiosys Technology) <gkurz@meiosys.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894  DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/for-upstream:
  9p: switch back to readdir()
  9p: add locking to V9fsDir
  9p: introduce the V9fsDir type
  9p: drop useless out: label
  9p: drop useless inclusion of hw/i386/pc.h
  9p/fsdev: remove obsolete references to virtio
  9p: some more cleanup in #include directives

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160606-1' into staging
Peter Maydell [Mon, 6 Jun 2016 12:58:24 +0000 (13:58 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160606-1' into staging

virtio-gpu: scanout fix, live migration support
vmsvga: security fixes

# gpg: Signature made Mon 06 Jun 2016 08:05:00 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20160606-1:
  virtio-gpu: add live migration support
  vmsvga: don't process more than 1024 fifo commands at once
  vmsvga: shadow fifo registers
  vmsvga: add more fifo checks
  vmsvga: move fifo sanity checks to vmsvga_fifo_length
  virtio-gpu: fix scanout rectangles

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago scsi-disk: fix reads from scsi-disk devices
Mark Cave-Ayland [Fri, 3 Jun 2016 05:17:01 +0000 (06:17 +0100)]
scsi-disk: fix reads from scsi-disk devices

Commit fcaafb1001b9c42817714dd3b2aadcfdb997b53d accidentally broke reads from
scsi-disk devices when being updated from its original form to use the new
byte-based block functions. Add the extra missing sector to offset conversion
in order to restore read functionality.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1464931021-25117-1-git-send-email-mark.cave-ayland@ilande.co.uk
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20160606-1' into staging
Peter Maydell [Mon, 6 Jun 2016 11:47:37 +0000 (12:47 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20160606-1' into staging

audio: pa volume fix, some qomifying.

# gpg: Signature made Mon 06 Jun 2016 08:01:21 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-audio-20160606-1:
  hw/audio: QOM'ify milkymist-ac97.c
  hw/audio: QOM'ify intel-hda
  hw/audio: QOM cleanup for intel-hda
  hw/audio: QOM'ify cs4231.c
  audio: pa: Set volume of recording stream instead of recording device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago Merge remote-tracking branch 'remotes/rth/tags/pull-tgt-20160605' into staging
Peter Maydell [Mon, 6 Jun 2016 11:04:59 +0000 (12:04 +0100)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tgt-20160605' into staging

Check address ranges for disassembly

# gpg: Signature made Sun 05 Jun 2016 17:30:28 BST
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"

* remotes/rth/tags/pull-tgt-20160605:
  target-*: dfilter support for in_asm

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago gdbstub: avoid busy loop while waiting for gdb
Peter Wu [Sun, 5 Jun 2016 14:35:48 +0000 (16:35 +0200)]
gdbstub: avoid busy loop while waiting for gdb

While waiting for a gdb response, or while sending an acknowledgement
there is not much to do, so do not mark the socket as non-blocking to
avoid a busy loop while paused at gdb. This only affects the user-mode
emulation (qemu-arm -g 1234 ./a.out).

Note that this issue was reported before at
https://lists.nongnu.org/archive/html/qemu-devel/2013-02/msg02277.html.

While at it, close the gdb client fd on EOF or error while reading.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago 9p: switch back to readdir()
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: switch back to readdir()

This patch changes the 9p code to use readdir() again instead of
readdir_r(), which is deprecated in glibc 2.24.

All the locking was put in place by a previous patch.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p: add locking to V9fsDir
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: add locking to V9fsDir

If several threads concurrently call readdir() with the same directory
stream pointer, it is possible that they all get a pointer to the same
dirent structure, whose content is overwritten each time readdir() is
called.

We must thus serialize accesses to the dirent structure.

This may be achieved with a mutex like below:

    lock_mutex();
    readdir();
    // work with the dirent
    unlock_mutex();

This patch adds all the locking, to prepare the switch to readdir().

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p: introduce the V9fsDir type
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: introduce the V9fsDir type

If we are to switch back to readdir(), we need a more complex type than
DIR * to be able to serialize concurrent accesses to the directory stream.

This patch introduces a placeholder type and fixes all users.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p: drop useless out: label
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: drop useless out: label

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p: drop useless inclusion of hw/i386/pc.h
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: drop useless inclusion of hw/i386/pc.h

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p/fsdev: remove obsolete references to virtio
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p/fsdev: remove obsolete references to virtio

Most of the 9p code is now virtio agnostic. This patch does a final cleanup:
- drop references to Virtio from the header comments
- fix includes

Also drop a couple of leading empty lines while here.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago 9p: some more cleanup in #include directives
Greg Kurz [Mon, 6 Jun 2016 09:52:34 +0000 (11:52 +0200)]
9p: some more cleanup in #include directives

The "9p-attr.h" header isn't needed by 9p synth and virtio 9p.

While here, also drop last references to virtio from 9p synth since it is
now transport agnostic code.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
8 years ago e1000e: Fix build with gcc 4.6.3 and ust tracing
Dmitry Fleytman [Sat, 4 Jun 2016 07:02:43 +0000 (10:02 +0300)]
e1000e: Fix build with gcc 4.6.3 and ust tracing

This patch fixes used-uninitialized false
positive while compiling with ust tracing
backend plus gcc 4.6.3:

hw/net/e1000e.c: In function ‘e1000e_io_write’:
hw/net/e1000e.c:170:39: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized]
hw/net/e1000e.c: In function ‘e1000e_io_read’:
hw/net/e1000e.c:145:35: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized]
cc1: all warnings being treated as errors
make: *** [hw/net/e1000e.o] Error 1

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-id: 1465023763-10773-1-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 years ago virtio-gpu: add live migration support
Gerd Hoffmann [Mon, 23 May 2016 13:22:07 +0000 (15:22 +0200)]
virtio-gpu: add live migration support

Store some additional state for cursor and resource backing storage,
so we can write out and reload things.  Implement vmsave+vmload for
2d mode.  Continue blocking live migration in 3d/virgl mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com

8 years ago vmsvga: don't process more than 1024 fifo commands at once
Gerd Hoffmann [Mon, 30 May 2016 07:09:21 +0000 (09:09 +0200)]
vmsvga: don't process more than 1024 fifo commands at once

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com

8 years ago vmsvga: shadow fifo registers
Gerd Hoffmann [Mon, 30 May 2016 07:09:20 +0000 (09:09 +0200)]
vmsvga: shadow fifo registers

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com

8 years ago vmsvga: add more fifo checks
Gerd Hoffmann [Mon, 30 May 2016 07:09:19 +0000 (09:09 +0200)]
vmsvga: add more fifo checks

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com

8 years ago vmsvga: move fifo sanity checks to vmsvga_fifo_length
Gerd Hoffmann [Mon, 30 May 2016 07:09:18 +0000 (09:09 +0200)]
vmsvga: move fifo sanity checks to vmsvga_fifo_length

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
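
Added example, not QEMU's code: a simplified C model of the pattern the four vmsvga commits above describe. It copies the guest-writable FIFO pointers into host-private shadows, range-checks the copies on every read, and stops after 1024 commands per call. The struct, register layout, FIFO size and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FIFO_BYTES  16384u   /* constructed size of the shared region */
#define MAX_PER_RUN 1024     /* per-call cap, the figure from the commit title */
enum { R_MIN, R_MAX, R_NEXT, R_STOP };  /* header dwords (hypothetical layout) */

struct fifo_dev {
    volatile uint32_t *ram;          /* guest-writable shared memory */
    uint32_t min, max, next, stop;   /* host-private shadow copies */
};

/* Snapshot the guest-owned pointers once, validate the snapshot, and return
 * the number of pending dwords. Only the shadows are trusted afterwards. */
uint32_t fifo_pending(struct fifo_dev *d)
{
    d->min  = d->ram[R_MIN];
    d->max  = d->ram[R_MAX];
    d->next = d->ram[R_NEXT];
    d->stop = d->ram[R_STOP];
    if ((d->min | d->max | d->next | d->stop) & 3) return 0;   /* alignment */
    if (d->min < 4 * sizeof(uint32_t)) return 0;               /* skip header */
    if (d->max > FIFO_BYTES || d->min >= d->max) return 0;
    if (d->next < d->min || d->next >= d->max) return 0;
    if (d->stop < d->min || d->stop >= d->max) return 0;
    uint32_t span = d->max - d->min;
    return ((d->next + span - d->stop) % span) >> 2;
}

/* Consume at most MAX_PER_RUN one-dword commands; the next call resumes. */
int fifo_run(struct fifo_dev *d)
{
    uint32_t pending = fifo_pending(d);
    int done = 0;
    for (; pending > 0 && done < MAX_PER_RUN; pending--, done++) {
        (void)d->ram[d->stop >> 2];   /* fetch command; index from the shadow */
        d->stop += 4;
        if (d->stop >= d->max) d->stop = d->min;
        d->ram[R_STOP] = d->stop;     /* publish progress to the guest */
    }
    return done;
}

int main(void)
{
    /* Constructed input: 3000 one-dword commands queued after the header. */
    static uint32_t ram[FIFO_BYTES / 4] = { 16, FIFO_BYTES, 16 + 4 * 3000, 16 };
    struct fifo_dev d = { .ram = ram };
    printf("%d\n", fifo_run(&d));
    return 0;
}
```

Because every later index is taken from the shadow fields, a guest write to the shared header after validation only takes effect at the next snapshot, where it is checked again.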

8 years ago target-*: dfilter support for in_asm
Richard Henderson [Wed, 20 Apr 2016 18:39:35 +0000 (11:39 -0700)]
target-*: dfilter support for in_asm

The arm target was handled by 06486077, but other targets
were ignored.  This handles all the rest which actually support
disassembly (that is, skipping moxie and tilegx).

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>