1. 25 7月, 2017 4 次提交
    • P
      integratorcp: Don't migrate flash using vmstate_register_ram_global() · b2d1b050
      Peter Maydell 提交于
      Instead of migrating the flash by creating the memory region
      with memory_region_init_ram_nomigrate() and then calling
      vmstate_register_ram_global(), just use memory_region_init_ram(),
      which now handles migration registration automatically.
      
      This is a migration compatibility break for the integratorcp
      board, because the RAM region's migration name changes to
      include the device path. This is OK because we don't guarantee
      migration compatibility for this board.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Message-id: 1500310341-28931-1-git-send-email-peter.maydell@linaro.org
      b2d1b050
    • P
      mps2: Correctly set parent bus for SCC device · 3d75007e
      Peter Maydell 提交于
      A cut-and-paste error meant that instead of setting the
      qdev parent bus for the SCC device we were setting it
      twice for the ARMv7M container device. Fix this bug.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Message-id: 1500634509-28011-1-git-send-email-peter.maydell@linaro.org
      3d75007e
    • P
      fsl_imx*: Migrate ROM contents · eda40cc1
      Peter Maydell 提交于
      The fsl-imx* boards accidentally forgot to register the ROM memory
      regions for migration.  This used to require a manual step of calling
      vmstate_register_ram(), but following commits
      1cfe48c1..b08199c6 we can use memory_region_init_rom() to
      have it do the migration for us.
      
      This is a migration break, but the migration code currently does not
      handle the case of having two RAM regions which were not registered
      for migration, and so prior to this commit a migration load would
      always fail with:
        "qemu-system-arm: Length mismatch: 0x4000 in != 0x18000: Invalid argument"
      
      NB: migration appears at this point to be broken for this board
      anyway -- it succeeds but the destination hangs; probably some
      device in the system does not yet support migration.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Message-id: 1500309775-18361-1-git-send-email-peter.maydell@linaro.org
      eda40cc1
    • E
      target/arm: fix TCG temp leak in aarch64 rev16 · e4256c3c
      Emilio G. Cota 提交于
      Fix a TCG temporary leak in the new aarch64 rev16 handling.
      Signed-off-by: NEmilio G. Cota <cota@braap.org>
      Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      e4256c3c
  2. 24 7月, 2017 18 次提交
  3. 22 7月, 2017 2 次提交
    • A
      xen-mapcache: Fix the bug when overlapping emulated DMA operations may cause... · 7fb394ad
      Alexey G 提交于
      xen-mapcache: Fix the bug when overlapping emulated DMA operations may cause inconsistency in guest memory mappings
      
      Under certain circumstances normal xen-mapcache functioning may be broken
      by guest's actions. This may lead to either QEMU performing exit() due to
      a caught bad pointer (and with QEMU process gone the guest domain simply
      appears hung afterwards) or actual use of the incorrect pointer inside
      QEMU address space -- a write to unmapped memory is possible. The bug is
      hard to reproduce on a i440 machine as multiple DMA sources are required
      (though it's possible in theory, using multiple emulated devices), but can
      be reproduced somewhat easily on a Q35 machine using an emulated AHCI
      controller -- each NCQ queue command slot may be used as an independent
      DMA source ex. using READ FPDMA QUEUED command, so a single storage
      device on the AHCI controller port will be enough to produce multiple DMAs
      (up to 32). The detailed description of the issue follows.
      
      Xen-mapcache provides an ability to map parts of a guest memory into
      QEMU's own address space to work with.
      
      There are two types of cache lookups:
       - translating a guest physical address into a pointer in QEMU's address
         space, mapping a part of guest domain memory if necessary (while trying
         to reduce a number of such (re)mappings to a minimum)
       - translating a QEMU's pointer back to its physical address in guest RAM
      
      These lookups are managed via two linked-lists of structures.
      MapCacheEntry is used for forward cache lookups, while MapCacheRev -- for
      reverse lookups.
      
      Every guest physical address is broken down into 2 parts:
          address_index  = phys_addr >> MCACHE_BUCKET_SHIFT;
          address_offset = phys_addr & (MCACHE_BUCKET_SIZE - 1);
      
      MCACHE_BUCKET_SHIFT depends on a system (32/64) and is equal to 20 for
      a 64-bit system (which assumed for the further description). Basically,
      this means that we deal with 1 MB chunks and offsets within those 1 MB
      chunks. All mappings are created with 1MB-granularity, i.e. 1MB/2MB/3MB
      etc. Most DMA transfers typically are less than 1MB, however, if the
      transfer crosses any 1MB border(s) - than a nearest larger mapping size
      will be used, so ex. a 512-byte DMA transfer with the start address
      700FFF80h will actually require a 2MB range.
      
      Current implementation assumes that MapCacheEntries are unique for a given
      address_index and size pair and that a single MapCacheEntry may be reused
      by multiple requests -- in this case the 'lock' field will be larger than
      1. On other hand, each requested guest physical address (with 'lock' flag)
      is described by each own MapCacheRev. So there may be multiple MapCacheRev
      entries corresponding to a single MapCacheEntry. The xen-mapcache code
      uses MapCacheRev entries to retrieve the address_index & size pair which
      in turn used to find a related MapCacheEntry. The 'lock' field within
      a MapCacheEntry structure is actually a reference counter which shows
      a number of corresponding MapCacheRev entries.
      
      The bug lies in ability for the guest to indirectly manipulate with the
      xen-mapcache MapCacheEntries list via a special sequence of DMA
      operations, typically for storage devices. In order to trigger the bug,
      guest needs to issue DMA operations in specific order and timing.
      Although xen-mapcache is protected by the mutex lock -- this doesn't help
      in this case, as the bug is not due to a race condition.
      
      Suppose we have 3 DMA transfers, namely A, B and C, where
      - transfer A crosses 1MB border and thus uses a 2MB mapping
      - transfers B and C are normal transfers within 1MB range
      - and all 3 transfers belong to the same address_index
      
      In this case, if all these transfers are to be executed one-by-one
      (without overlaps), no special treatment necessary -- each transfer's
      mapping lock will be set and then cleared on unmap before starting
      the next transfer.
      The situation changes when DMA transfers overlap in time, ex. like this:
      
        |===== transfer A (2MB) =====|
      
                    |===== transfer B (1MB) =====|
      
                                |===== transfer C (1MB) =====|
       time --->
      
      In this situation the following sequence of actions happens:
      
      1. transfer A creates a mapping to 2MB area (lock=1)
      2. transfer B (1MB) tries to find available mapping but cannot find one
         because transfer A is still in progress, and it has 2MB size + non-zero
         lock. So transfer B creates another mapping -- same address_index,
         but 1MB size.
      3. transfer A completes, making 1st mapping entry available by setting its
         lock to 0
      4. transfer C starts and tries to find available mapping entry and sees
         that 1st entry has lock=0, so it uses this entry but remaps the mapping
         to a 1MB size
      5. transfer B completes and by this time
        - there are two locked entries in the MapCacheEntry list with the SAME
          values for both address_index and size
        - the entry for transfer B actually resides farther in list while
          transfer C's entry is first
      6. xen_ram_addr_from_mapcache() for transfer B gets correct address_index
         and size pair from corresponding MapCacheRev entry, but then it starts
         looking for MapCacheEntry with these values and finds the first entry
         -- which belongs to transfer C.
      
      At this point there may be following possible (bad) consequences:
      
      1. xen_ram_addr_from_mapcache() will use a wrong entry->vaddr_base value
         in this statement:
      
         raddr = (reventry->paddr_index << MCACHE_BUCKET_SHIFT) +
             ((unsigned long) ptr - (unsigned long) entry->vaddr_base);
      
      resulting in an incorrent raddr value returned from the function. The
      (ptr - entry->vaddr_base) expression may produce both positive and negative
      numbers and its actual value may differ greatly as there are many
      map/unmap operations take place. If the value will be beyond guest RAM
      limits then a "Bad RAM offset" error will be triggered and logged,
      followed by exit() in QEMU.
      
      2. If raddr value won't exceed guest RAM boundaries, the same sequence
      of actions will be performed for xen_invalidate_map_cache_entry() on DMA
      unmap, resulting in a wrong MapCacheEntry being unmapped while DMA
      operation which uses it is still active. The above example must
      be extended by one more DMA transfer in order to allow unmapping as the
      first mapping in the list is sort of resident.
      
      The patch modifies the behavior in which MapCacheEntry's are added to the
      list, avoiding duplicates.
      Signed-off-by: NAlexey Gerasimenko <x1917x@gmail.com>
      Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
      7fb394ad
    • I
      9e6bdb92
  4. 21 7月, 2017 16 次提交
    • P
      configure: Drop ancient Solaris 9 and earlier support · 91939262
      Peter Maydell 提交于
      Solaris 9 was released in 2002, its successor Solaris 10 was
      released in 2005, and Solaris 9 was end-of-lifed in 2014.
      Nobody has stepped forward to express interest in supporting
      Solaris of any flavour, so removing support for the ancient
      versions seems uncontroversial.
      
      In particular, this allows us to remove a use of 'uname'
      in configure that won't work if you're cross-compiling.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
      Message-id: 1499955697-28045-1-git-send-email-peter.maydell@linaro.org
      91939262
    • P
      configure: Never use 'uname' to identify target OS · 951fedfc
      Peter Maydell 提交于
      For a very long time we have used 'uname -s' as our fallback if
      we don't identify the target OS using a compiler #define. This
      obviously doesn't work for cross-compilation, and we've had
      a comment suggesting we fix this in configure for a long time.
      Since we now have an exhaustive list of which OSes we can run
      on (thanks to commit 898be3e0 making an unrecognized OS
      be a fatal error), we know which ones we're missing.
      
      Add check_define tests for the remaining OSes we support.  The
      defines checked are based on ones we already use in the codebase for
      identifying the host OS (with the exception of GNU/kFreeBSD).
      We can now set bogus_os immediately rather than doing it later.
      
      We leave the comment about uname being bad untouched, since
      there is still a use of it for the fallback for unrecognized
      host CPU type.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 1499958932-23839-1-git-send-email-peter.maydell@linaro.org
      951fedfc
    • P
      bsd-user/main.c: Fix unused variable warning · e4335180
      Peter Maydell 提交于
      On OpenBSD the compiler warns:
      bsd-user/main.c:622:21: warning: variable 'sig' set but not used [-Wunused-but-set-variable]
      
      This is because a lot of the signal delivery code is #if-0'd
      out as unused. Reshuffle #ifdefs a bit to silence the warning.
      
      (We make the minimum change here rather than removing all the
      bsd-user patchset which should make this all work correctly and
      there's no point giving them an awkward rebase task.)
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NThomas Huth <thuth@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Message-id: 1500395194-21455-5-git-send-email-peter.maydell@linaro.org
      e4335180
    • P
      bsd-user/bsdload.c: Remove write-only id_change variable · 4a65a86a
      Peter Maydell 提交于
      On OpenBSD the compiler complains:
      bsd-user/bsdload.c:54:17: warning: variable 'id_change' set but not used [-Wunused-but-set-variable]
      
      This is dead code that was originally copied from linux-user.
      We fixed this in linux-user in commit 331c23b5 in 2011;
      delete the useless code from bsd-user too.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NThomas Huth <thuth@redhat.com>
      Message-id: 1500395194-21455-4-git-send-email-peter.maydell@linaro.org
      4a65a86a
    • M
      block/vpc: fix uninitialised variable compiler warning · c8115f8e
      Mark Cave-Ayland 提交于
      Since commit cfc87e00 "block/vpc.c: Handle write failures in
      get_image_offset()" older versions of gcc (in this case 4.7) incorrectly
      warn that "ret" can be used uninitialised in vpc_co_pwritev().
      
      Setting ret to 0 at the start of vpc_co_pwritev() prevents the warning
      in gcc 4.7 and enables compilation with -Werror to succeed.
      Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
      Message-id: 1500625265-23844-1-git-send-email-mark.cave-ayland@ilande.co.uk
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      c8115f8e
    • P
      Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170721' into staging · ff9b5475
      Peter Maydell 提交于
      MIPS patches 2017-07-21
      
      Changes:
      * Add Enhanced Virtual Addressing (EVA) support
      
      # gpg: Signature made Fri 21 Jul 2017 03:25:15 BST
      # gpg:                using RSA key 0x2238EB86D5F797C2
      # gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the owner.
      # Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA  2B5C 2238 EB86 D5F7 97C2
      
      * remotes/yongbok/tags/mips-20170721:
        target/mips: Enable CP0_EBase.WG on MIPS64 CPUs
        target/mips: Add EVA support to P5600
        target/mips: Implement segmentation control
        target/mips: Add segmentation control registers
        target/mips: Add an MMU mode for ERL
        target/mips: Abstract mmu_idx from hflags
        target/mips: Check memory permissions with mem_idx
        target/mips: Decode microMIPS EVA load & store instructions
        target/mips: Decode MIPS32 EVA load & store instructions
        target/mips: Prepare loads/stores for EVA
        target/mips: Add CP0_Ebase.WG (write gate) support
        target/mips: Weaken TLB flush on UX,SX,KX,ASID changes
        target/mips: Fix TLBWI shadow flush for EHINV,XI,RI
        target/mips: Fix MIPS64 MFC0 UserLocal on BE host
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      ff9b5475
    • P
      Merge remote-tracking branch... · 14e16753
      Peter Maydell 提交于
      Merge remote-tracking branch 'remotes/stsquad/tags/pull-ci-updates-for-softfreeze-180717-2' into staging
      
      Final CI updates for soft-freeze
      
      Tweaks from Paolo for J=x Travis compiles
      Bunch of updated cross-compile targets from Philippe
      Additional debug tools in travis image from Me
      
      # gpg: Signature made Tue 18 Jul 2017 11:00:26 BST
      # gpg:                using RSA key 0xFBD0DB095A9E2A44
      # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>"
      # Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44
      
      * remotes/stsquad/tags/pull-ci-updates-for-softfreeze-180717-2: (32 commits)
        docker: install clang since Shippable setup_ve() verify it is available
        docker: warn users to use newer debian8/debian9 base image
        docker: add debian Ports base image
        shippable: add win32/64 targets
        docker: add MXE (M cross environment) base image for MinGW-w64
        shippable: add mips64el targets
        docker: add debian/mips64el image
        shippable: use debian/mips[eb] targets
        docker: add debian/mips[eb] images
        shippable: add powerpc target
        docker: add debian/powerpc based on Jessie
        docker: add 'apt-fake' script which generate fake debian packages
        docker: add qemu:debian-jessie based on outdated jessie release
        shippable: add x86_64 targets
        shippable: add ppc64el targets
        shippable: add armel targets
        docker: enable nettle to extend code coverage on arm64
        docker: enable gcrypt to extend code coverage on amd64
        docker: enable netmap to extend code coverage on amd64
        docker: enable virgl to extend code coverage on amd64
        ...
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      14e16753
    • P
      bsd-user/elfload.c: Fix set-but-not-used warnings · 71025956
      Peter Maydell 提交于
      Fix various warnings about set-but-not-used variables on OpenBSD:
      
      bsd-user/elfload.c:1158:15: warning: variable 'mapped_addr' set but not used [-Wunused-but-set-variable]
      bsd-user/elfload.c:1165:9: warning: variable 'status' set but not used [-Wunused-but-set-variable]
      bsd-user/elfload.c:1168:15: warning: variable 'elf_stack' set but not used [-Wunused-but-set-variable]
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 1500395194-21455-3-git-send-email-peter.maydell@linaro.org
      71025956
    • P
      bsd-user/mmap.c: Move __thread attribute to right place · 06943a62
      Peter Maydell 提交于
      Avoid a compiler warning on OpenBSD:
      bsd-user/mmap.c:28:1: warning: '__thread' is not at beginning of declaration [-Wold-style-declaration]
      by moving the __thread attribute to its proper place.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 1500395194-21455-2-git-send-email-peter.maydell@linaro.org
      06943a62
    • P
      Use qemu_tolower() and qemu_toupper(), not tolower() and toupper() · 95a5befc
      Peter Maydell 提交于
      On NetBSD, where tolower() and toupper() are implemented using an
      array lookup, the compiler warns if you pass a plain 'char'
      to these functions:
      
      gdbstub.c:914:13: warning: array subscript has type 'char'
      
      This reflects the fact that toupper() and tolower() give
      undefined behaviour if they are passed a value that isn't
      a valid 'unsigned char' or EOF.
      
      We have qemu_tolower() and qemu_toupper() to avoid this problem;
      use them.
      
      (The use in scsi-generic.c does not trigger the warning because
      it passes a uint8_t; we switch it anyway, for consistency.)
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Reviewed-by: NRichard Henderson <rth@twiddle.net>
      Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> for the s390 part.
      Acked-by: NDavid Gibson <david@gibson.dropbear.id.au>
      Message-id: 1500568290-7966-1-git-send-email-peter.maydell@linaro.org
      95a5befc
    • P
      util/oslib-posix.c: Avoid warning on NetBSD · 02ffa034
      Peter Maydell 提交于
      On NetBSD the compiler warns:
      util/oslib-posix.c: In function 'sigaction_invoke':
      util/oslib-posix.c:589:5: warning: missing braces around initializer [-Wmissing-braces]
           siginfo_t si = { 0 };
           ^
      util/oslib-posix.c:589:5: warning: (near initialization for 'si.si_pad') [-Wmissing-braces]
      
      because on this platform siginfo_t is defined as
        typedef union siginfo {
                char    si_pad[128];    /* Total size; for future expansion */
                struct _ksiginfo _info;
        } siginfo_t;
      
      Avoid this warning by initializing the struct with {} instead;
      this is a GCC extension but we use it all over the codebase already.
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Message-id: 1500568341-8389-1-git-send-email-peter.maydell@linaro.org
      02ffa034
    • J
      target/mips: Enable CP0_EBase.WG on MIPS64 CPUs · bad63a80
      James Hogan 提交于
      Enable the CP0_EBase.WG (write gate) on the I6400 and MIPS64R2-generic
      CPUs. This allows 64-bit guests to run KVM itself, which uses
      CP0_EBase.WG to point CP0_EBase at XKPhys.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Yongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>
      Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
      bad63a80
    • J
      target/mips: Add EVA support to P5600 · 574da58e
      James Hogan 提交于
      Add the Enhanced Virtual Addressing (EVA) feature to the P5600 core
      configuration, along with the related Segmentation Control (SC) feature
      and writable CP0_EBase.WG bit.
      
      This allows it to run Malta EVA kernels.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
      574da58e
    • J
      target/mips: Implement segmentation control · 480e79ae
      James Hogan 提交于
      Implement the optional segmentation control feature in the virtual to
      physical address translation code.
      
      The fixed legacy segment and xkphys handling is replaced with a dynamic
      layout based on the segmentation control registers (which should be set
      up even when the feature is not exposed to the guest).
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Yongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>
      [yongbok.kim@imgtec.com:
        cosmetic changes]
      Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
      480e79ae
    • J
      target/mips: Add segmentation control registers · cec56a73
      James Hogan 提交于
      The optional segmentation control registers CP0_SegCtl0, CP0_SegCtl1 &
      CP0_SegCtl2 control the behaviour and required privilege of the legacy
      virtual memory segments.
      
      Add them to the CP0 interface so they can be read and written when
      CP0_Config3.SC=1, and initialise them to describe the standard legacy
      layout so they can be used in future patches regardless of whether they
      are exposed to the guest.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Yongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>
      Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
      cec56a73
    • J
      target/mips: Add an MMU mode for ERL · 42c86612
      James Hogan 提交于
      The segmentation control feature allows a legacy memory segment to
      become unmapped uncached at error level (according to CP0_Status.ERL),
      and in fact the user segment is already treated in this way by QEMU.
      
      Add a new MMU mode for this state so that QEMU's mappings don't persist
      between ERL=0 and ERL=1.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      [yongbok.kim@imgtec.com:
        cosmetic changes]
      Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
      42c86612