Markus Armbruster [Tue, 23 Mar 2021 09:40:06 +0000 (10:40 +0100)]
qapi: Lift enum-specific code out of check_name_str()
check_name_str() masks leading digits when passed enum_member=True.
Only check_enum() does. Lift the masking into check_enum().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-10-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:40:05 +0000 (10:40 +0100)]
qapi: Permit flat union members for any tag value
Flat union branch names match the tag enum's member names. Omitted
branches default to "no members for this tag value".
Branch names starting with a digit get rejected like "'data' member
'0' has an invalid name". However, omitting the branch works.
This is because flat union tag values get checked twice: as enum
member name, and as union branch name. The former accepts leading
digits, the latter doesn't.
Branches whose names start with a digit therefore cannot have members.
Feels wrong. Get rid of the restriction by skipping the latter check.
This can expose c_name() to input it can't handle: a name starting
with a digit. Improve it to return a valid C identifier for any
input.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-9-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[Commit message rewritten]
Markus Armbruster [Tue, 23 Mar 2021 09:40:04 +0000 (10:40 +0100)]
qapi: Fix to reject optional members with reserved names
check_type() fails to reject optional members with reserved names,
because it neglects to strip off the leading '*'. Fix that.
The stripping in check_name_str() is now useless. Drop.
Also drop the "no leading '*'" assertion, because valid_name.match()
ensures it can't fail.
Fixes: 9fb081e0b98409556d023c7193eeb68947cd1211
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-8-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:40:03 +0000 (10:40 +0100)]
tests/qapi-schema: Tweak to demonstrate buggy member name check
Member name 'u' and names starting with 'has-' or 'has_' are reserved
for the generator. check_type() enforces this, covered by tests
reserved-member-u and reserved-member-has.
These tests neglect to cover optional members, where the name starts
with '*'. Tweak reserved-member-u to fix that. Test
reserved-member-has still covers non-optional members.
This demonstrates the reserved member name check is broken for
optional members. The next commit will fix it.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-7-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
[Commit message improved slightly]
Markus Armbruster [Tue, 23 Mar 2021 09:40:02 +0000 (10:40 +0100)]
tests/qapi-schema: Drop TODO comment on simple unions
Simple unions don't need more features, they need to die.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-6-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:40:01 +0000 (10:40 +0100)]
tests/qapi-schema: Belatedly update comment on alternate clash
Commit
0426d53c65 "qapi: Simplify visiting of alternate types"
eliminated the implicit alternate enum, but neglected to update a
comment about it in a test. Do that now.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-5-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:40:00 +0000 (10:40 +0100)]
tests/qapi-schema: Rework comments on longhand member definitions
A few old comments talk about "desired future use of defaults" and
"anonymous inline branch types". Kind of misleading since commit
87adbbffd4 "qapi: add a dictionary form for TYPE" added longhand
member definitions. Talk about that instead.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-4-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:39:59 +0000 (10:39 +0100)]
tests/qapi-schema: Drop redundant flat-union-inline test
flat-union-inline.json covers longhand branch definition with an
invalid type value. It's redundant: longhand branch definition is
covered by flat-union-inline-invalid-dict.json, and invalid type value
is covered by nested-struct-data.json. Drop the test.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-3-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 23 Mar 2021 09:39:58 +0000 (10:39 +0100)]
qapi/pragma: Tidy up after removal of deprecated commands
Commit
cbde7be900 "migrate: remove QMP/HMP commands for speed,
downtime and cache size" neglected to remove query-migrate-cache-size
from pragma returns-whitelist.
Commit
8af54b9172 "machine: remove 'query-cpus' QMP command" neglected
to remove CpuInfo & friends from pragma name-case-exceptions.
Remove these now.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210323094025.
3569441-2-armbru@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Peter Maydell [Tue, 23 Mar 2021 15:30:46 +0000 (15:30 +0000)]
Merge remote-tracking branch 'remotes/alistair/tags/pull-riscv-to-apply-
20210322-2' into staging
RISC-V PR for 6.0
This PR includes:
- Fix for vector CSR access
- Improvements to the Ibex UART device
- PMP improvements and bug fixes
- Hypervisor extension bug fixes
- ramfb support for the virt machine
- Fast read support for SST flash
- Improvements to the microchip_pfsoc machine
# gpg: Signature made Tue 23 Mar 2021 01:56:53 GMT
# gpg: using RSA key
F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* remotes/alistair/tags/pull-riscv-to-apply-
20210322-2:
target/riscv: Prevent lost illegal instruction exceptions
docs/system: riscv: Add documentation for 'microchip-icicle-kit' machine
hw/riscv: microchip_pfsoc: Map EMMC/SD mux register
hw/block: m25p80: Support fast read for SST flashes
target/riscv: Add proper two-stage lookup exception detection
target/riscv: Fix read and write accesses to vsip and vsie
hw/riscv: allow ramfb on virt
hw/riscv: Add fw_cfg support to virt
target/riscv: Use background registers also for MSTATUS_MPV
target/riscv: Make VSTIP and VSEIP read-only in hip
target/riscv: Adjust privilege level for HLV(X)/HSV instructions
target/riscv: flush TLB pages if PMP permission has been changed
target/riscv: add log of PMP permission checking
target/riscv: propagate PMP permission to TLB page
hw/char: disable ibex uart receive if the buffer is full
target/riscv: fix vs() to return proper error code
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 23 Mar 2021 10:50:44 +0000 (10:50 +0000)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
pc,virtio,pci: fixes, features
Fixes all over the place.
ACPI index support.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Mon 22 Mar 2021 22:58:45 GMT
# gpg: using RSA key
5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg: issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full]
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469
* remotes/mst/tags/for_upstream:
acpi: Move setters/getters of oem fields to X86MachineState
acpi: Set proper maximum size for "etc/acpi/rsdp" blob
acpi: Move maximum size logic into acpi_add_rom_blob()
microvm: Don't open-code "etc/table-loader"
acpi: Set proper maximum size for "etc/table-loader" blob
tests: acpi: update expected blobs
pci: acpi: add _DSM method to PCI devices
acpi: add aml_to_decimalstring() and aml_call6() helpers
pci: acpi: ensure that acpi-index is unique
pci: introduce acpi-index property for PCI device
tests: acpi: temporary whitelist DSDT changes
virtio-pmem: fix virtio_pmem_resp assign problem
vhost-user: Monitor slave channel in vhost_user_read()
vhost-user: Introduce nested event loop in vhost_user_read()
vhost-user: Convert slave channel to QIOChannelSocket
vhost-user: Factor out duplicated slave_fd teardown code
vhost-user: Fix double-close on slave_read() error path
vhost-user: Drop misleading EAGAIN checks in slave_read()
virtio: Fix virtio_mmio_read()/virtio_mmio_write()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Georg Kotheimer [Mon, 22 Mar 2021 12:16:09 +0000 (13:16 +0100)]
target/riscv: Prevent lost illegal instruction exceptions
When decode_insn16() fails, we fall back to decode_RV32_64C() for
further compressed instruction decoding. However, prior to this change,
we did not raise an illegal instruction exception, if decode_RV32_64C()
fails to decode the instruction. This means that we skipped illegal
compressed instructions instead of raising an illegal instruction
exception.
Instead of patching decode_RV32_64C(), we can just remove it,
as it is dead code since
f330433b363 anyway.
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20210322121609.
3097928-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Bin Meng [Mon, 22 Mar 2021 07:52:48 +0000 (15:52 +0800)]
docs/system: riscv: Add documentation for 'microchip-icicle-kit' machine
This adds the documentation to describe what is supported for the
'microchip-icicle-kit' machine, and how to boot the machine in QEMU.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210322075248.136255-2-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Bin Meng [Mon, 22 Mar 2021 07:52:47 +0000 (15:52 +0800)]
hw/riscv: microchip_pfsoc: Map EMMC/SD mux register
Since HSS commit
c20a89f8dcac, the Icicle Kit reference design has
been updated to use a register mapped at 0x4f000000 instead of a
GPIO to control whether eMMC or SD card is to be used. With this
support the same HSS image can be used for both eMMC and SD card
boot flow, while previously two different board configurations were
used. This is undocumented but one can take a look at the HSS code
HSS_MMCInit() in services/mmc/mmc_api.c.
With this commit, HSS image built from 2020.12 release boots again.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210322075248.136255-1-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Bin Meng [Sat, 6 Mar 2021 06:01:52 +0000 (14:01 +0800)]
hw/block: m25p80: Support fast read for SST flashes
Per SST25VF016B datasheet [1], SST flash requires a dummy byte after
the address bytes. Note only SPI mode is supported by SST flashes.
[1] http://ww1.microchip.com/downloads/en/devicedoc/s71271_04.pdf
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210306060152.7250-1-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Georg Kotheimer [Fri, 19 Mar 2021 14:14:59 +0000 (15:14 +0100)]
target/riscv: Add proper two-stage lookup exception detection
The current two-stage lookup detection in riscv_cpu_do_interrupt falls
short of its purpose, as all it checks is whether two-stage address
translation either via the hypervisor-load store instructions or the
MPRV feature would be allowed.
What we really need instead is whether two-stage address translation was
active when the exception was raised. However, in riscv_cpu_do_interrupt
we do not have the information to reliably detect this. Therefore, when
we raise a memory fault exception we have to record whether two-stage
address translation is active.
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210319141459.
1196741-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Georg Kotheimer [Thu, 11 Mar 2021 09:47:38 +0000 (10:47 +0100)]
target/riscv: Fix read and write accesses to vsip and vsie
The previous implementation was broken in many ways:
- Used mideleg instead of hideleg to mask accesses
- Used MIP_VSSIP instead of VS_MODE_INTERRUPTS to mask writes to vsie
- Did not shift between S bits and VS bits (VSEIP <-> SEIP, ...)
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210311094738.
1376795-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Asherah Connor [Thu, 18 Mar 2021 23:50:41 +0000 (10:50 +1100)]
hw/riscv: allow ramfb on virt
Allow ramfb on virt. This lets `-device ramfb' work.
Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210318235041.17175-3-ashe@kivikakk.ee
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Asherah Connor [Thu, 18 Mar 2021 23:50:40 +0000 (10:50 +1100)]
hw/riscv: Add fw_cfg support to virt
Provides fw_cfg for the virt machine on riscv. This enables
using e.g. ramfb later.
Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210318235041.17175-2-ashe@kivikakk.ee
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Georg Kotheimer [Thu, 11 Mar 2021 10:30:36 +0000 (11:30 +0100)]
target/riscv: Use background registers also for MSTATUS_MPV
The current condition for the use of background registers only
considers the hypervisor load and store instructions,
but not accesses from M mode via MSTATUS_MPRV+MPV.
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210311103036.
1401073-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Georg Kotheimer [Thu, 11 Mar 2021 09:49:02 +0000 (10:49 +0100)]
target/riscv: Make VSTIP and VSEIP read-only in hip
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210311094902.
1377593-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Georg Kotheimer [Thu, 11 Mar 2021 10:30:05 +0000 (11:30 +0100)]
target/riscv: Adjust privilege level for HLV(X)/HSV instructions
According to the specification the "field SPVP of hstatus controls the
privilege level of the access" for the hypervisor virtual-machine load
and store instructions HLV, HLVX and HSV.
Signed-off-by: Georg Kotheimer <georg.kotheimer@kernkonzept.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210311103005.
1400718-1-georg.kotheimer@kernkonzept.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Jim Shu [Sun, 21 Feb 2021 14:01:22 +0000 (22:01 +0800)]
target/riscv: flush TLB pages if PMP permission has been changed
If PMP permission of any address has been changed by updating PMP entry,
flush all TLB pages to prevent from getting old permission.
Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
1613916082-19528-4-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Jim Shu [Sun, 21 Feb 2021 14:01:21 +0000 (22:01 +0800)]
target/riscv: add log of PMP permission checking
Like MMU translation, add qemu log of PMP permission checking for
debugging.
Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
1613916082-19528-3-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Jim Shu [Sun, 21 Feb 2021 14:01:20 +0000 (22:01 +0800)]
target/riscv: propagate PMP permission to TLB page
Currently, PMP permission checking of TLB page is bypassed if TLB hits
Fix it by propagating PMP permission to TLB page permission.
PMP permission checking also use MMU-style API to change TLB permission
and size.
Signed-off-by: Jim Shu <cwshu@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
1613916082-19528-2-git-send-email-cwshu@andestech.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Alexander Wagner [Tue, 9 Mar 2021 15:21:30 +0000 (16:21 +0100)]
hw/char: disable ibex uart receive if the buffer is full
Not disabling the UART leads to QEMU overwriting the UART receive buffer with
the newest received byte. The rx_level variable is added to allow the use of
the existing OpenTitan driver libraries.
Signed-off-by: Alexander Wagner <alexander.wagner@ulal.de>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210309152130.13038-1-alexander.wagner@ulal.de
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 23 Feb 2021 06:59:32 +0000 (14:59 +0800)]
target/riscv: fix vs() to return proper error code
vs() should return -RISCV_EXCP_ILLEGAL_INST instead of -1 if rvv feature
is not enabled.
If -1 is returned, exception will be raised and cs->exception_index will
be set to the negative return value. The exception will then be treated
as an instruction access fault instead of illegal instruction fault.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id:
20210223065935.20208-1-frank.chang@sifive.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Marian Postevca [Sun, 21 Feb 2021 00:17:36 +0000 (02:17 +0200)]
acpi: Move setters/getters of oem fields to X86MachineState
The code that sets/gets oem fields is duplicated in both PC and MICROVM
variants. This commit moves it to X86MachineState so that all x86
variants can use it and duplication is removed.
Signed-off-by: Marian Postevca <posteuca@mutex.one>
Message-Id: <
20210221001737.24499-2-posteuca@mutex.one>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
David Hildenbrand [Thu, 4 Mar 2021 10:55:54 +0000 (11:55 +0100)]
acpi: Set proper maximum size for "etc/acpi/rsdp" blob
Let's also set a maximum size for "etc/acpi/rsdp", so the maximum
size doesn't get implicitly set based on the initial table size. In my
experiments, the table size was in the range of 22 bytes, so a single
page (== what we used until now) seems to be good enough.
Now that we have defined maximum sizes for all currently used table types,
let's assert that we catch usage with new tables that need a proper maximum
size definition.
Also assert that our initial size does not exceed the maximum size; while
qemu_ram_alloc_internal() properly asserts that the initial RAMBlock size
is <= its maximum size, the result might differ when the host page size
is bigger than 4k.
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Shannon Zhao <shannon.zhaosl@gmail.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <
20210304105554.121674-5-david@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
David Hildenbrand [Thu, 4 Mar 2021 10:55:53 +0000 (11:55 +0100)]
acpi: Move maximum size logic into acpi_add_rom_blob()
We want to have safety margins for all tables based on the table type.
Let's move the maximum size logic into acpi_add_rom_blob() and make it
dependent on the table name, so we don't have to replicate for each and
every instance that creates such tables.
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Shannon Zhao <shannon.zhaosl@gmail.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <
20210304105554.121674-4-david@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
David Hildenbrand [Thu, 4 Mar 2021 10:55:52 +0000 (11:55 +0100)]
microvm: Don't open-code "etc/table-loader"
Let's just reuse ACPI_BUILD_LOADER_FILE.
Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Shannon Zhao <shannon.zhaosl@gmail.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <
20210304105554.121674-3-david@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
David Hildenbrand [Thu, 4 Mar 2021 10:55:51 +0000 (11:55 +0100)]
acpi: Set proper maximum size for "etc/table-loader" blob
The resizeable memory region / RAMBlock that is created for the cmd blob
has a maximum size of whole host pages (e.g., 4k), because RAMBlocks
work on full host pages. In addition, in i386 ACPI code:
acpi_align_size(tables->linker->cmd_blob, ACPI_BUILD_ALIGN_SIZE);
makes sure to align to multiples of 4k, padding with 0.
For example, if our cmd_blob is created with a size of 2k, the maximum
size is 4k - we cannot grow beyond that. Growing might be required
due to guest action when rebuilding the tables, but also on incoming
migration.
This automatic generation of the maximum size used to be sufficient,
however, there are cases where we cross host pages now when growing at
runtime: we exceed the maximum size of the RAMBlock and can crash QEMU when
trying to resize the resizeable memory region / RAMBlock:
$ build/qemu-system-x86_64 --enable-kvm \
-machine q35,nvdimm=on \
-smp 1 \
-cpu host \
-m size=2G,slots=8,maxmem=4G \
-object memory-backend-file,id=mem0,mem-path=/tmp/nvdimm,size=256M \
-device nvdimm,label-size=131072,memdev=mem0,id=nvdimm0,slot=1 \
-nodefaults \
-device vmgenid \
-device intel-iommu
Results in:
Unexpected error in qemu_ram_resize() at ../softmmu/physmem.c:1850:
qemu-system-x86_64: Size too large: /rom@etc/table-loader:
0x2000 > 0x1000: Invalid argument
In this configuration, we consume exactly 4k (32 entries, 128 bytes each)
when creating the VM. However, once the guest boots up and maps the MCFG,
we also create the MCFG table and end up consuming 2 additional entries
(pointer + checksum) -- which is where we try resizing the memory region
/ RAMBlock, however, the maximum size does not allow for it.
Currently, we get the following maximum sizes for our different
mutable tables based on behavior of resizeable RAMBlock:
hw table max_size
------- ---------------------------------------------------------
virt "etc/acpi/tables" ACPI_BUILD_TABLE_MAX_SIZE (0x200000)
virt "etc/table-loader" HOST_PAGE_ALIGN(initial_size)
virt "etc/acpi/rsdp" HOST_PAGE_ALIGN(initial_size)
i386 "etc/acpi/tables" ACPI_BUILD_TABLE_MAX_SIZE (0x200000)
i386 "etc/table-loader" HOST_PAGE_ALIGN(initial_size)
i386 "etc/acpi/rsdp" HOST_PAGE_ALIGN(initial_size)
microvm "etc/acpi/tables" ACPI_BUILD_TABLE_MAX_SIZE (0x200000)
microvm "etc/table-loader" HOST_PAGE_ALIGN(initial_size)
microvm "etc/acpi/rsdp" HOST_PAGE_ALIGN(initial_size)
Let's set the maximum table size for "etc/table-loader" to 64k, so we
can properly grow at runtime, which should be good enough for the future.
Migration is not concerned with the maximum size of a RAMBlock, only
with the used size - so existing setups are not affected. Of course, we
cannot migrate a VM that would have crash when started on older QEMU from
new QEMU to older QEMU without failing early on the destination when
synchronizing the RAM state:
qemu-system-x86_64: Size too large: /rom@etc/table-loader: 0x2000 > 0x1000: Invalid argument
qemu-system-x86_64: error while loading state for instance 0x0 of device 'ram'
qemu-system-x86_64: load of migration failed: Invalid argument
We'll refactor the code next, to make sure we get rid of this implicit
behavior for "etc/acpi/rsdp" as well and to make the code easier to
grasp.
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Shannon Zhao <shannon.zhaosl@gmail.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <
20210304105554.121674-2-david@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:01:02 +0000 (14:01 -0400)]
tests: acpi: update expected blobs
expected changes are:
* larger BNMR operation region
* new PIDX field and method to fetch acpi-index
* PDSM method that implements PCI device _DSM +
per device _DSM that calls PDSM
@@ -221,10 +221,11 @@ DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPC ", 0x00000001)
B0EJ, 32
}
- OperationRegion (BNMR, SystemIO, 0xAE10, 0x04)
+ OperationRegion (BNMR, SystemIO, 0xAE10, 0x08)
Field (BNMR, DWordAcc, NoLock, WriteAsZeros)
{
- BNUM, 32
+ BNUM, 32,
+ PIDX, 32
}
Mutex (BLCK, 0x00)
@@ -236,6 +237,52 @@ DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPC ", 0x00000001)
Release (BLCK)
Return (Zero)
}
+
+ Method (AIDX, 2, NotSerialized)
+ {
+ Acquire (BLCK, 0xFFFF)
+ BNUM = Arg0
+ PIDX = (One << Arg1)
+ Local0 = PIDX /* \_SB_.PCI0.PIDX */
+ Release (BLCK)
+ Return (Local0)
+ }
+
+ Method (PDSM, 6, Serialized)
+ {
+ If ((Arg0 == ToUUID ("
e5c937d0-3553-4d7a-9117-
ea4d19c3434d") /* Device Labeling Interface */))
+ {
+ Local0 = AIDX (Arg4, Arg5)
+ If ((Arg2 == Zero))
+ {
+ If ((Arg1 == 0x02))
+ {
+ If (!((Local0 == Zero) | (Local0 == 0xFFFFFFFF)))
+ {
+ Return (Buffer (One)
+ {
+ 0x81 // .
+ })
+ }
+ }
+
+ Return (Buffer (One)
+ {
+ 0x00 // .
+ })
+ }
+ ElseIf ((Arg2 == 0x07))
+ {
+ Local1 = Package (0x02)
+ {
+ Zero,
+ ""
+ }
+ Local1 [Zero] = Local0
+ Return (Local1)
+ }
+ }
+ }
}
Scope (_SB)
@@ -785,7 +832,7 @@ DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPC ", 0x00000001)
0xAE00, // Range Minimum
0xAE00, // Range Maximum
0x01, // Alignment
- 0x14, // Length
+ 0x18, // Length
)
})
}
@@ -842,11 +889,22 @@ DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPC ", 0x00000001)
Device (S00)
{
Name (_ADR, Zero) // _ADR: Address
+ Name (_SUN, Zero) // _SUN: Slot User Number
+ Method (_DSM, 4, Serialized) // _DSM: Device-Specific Method
+ {
+ Return (PDSM (Arg0, Arg1, Arg2, Arg3, BSEL, _SUN))
+ }
}
Device (S10)
{
Name (_ADR, 0x00020000) // _ADR: Address
+ Name (_SUN, 0x02) // _SUN: Slot User Number
+ Method (_DSM, 4, Serialized) // _DSM: Device-Specific Method
+ {
+ Return (PDSM (Arg0, Arg1, Arg2, Arg3, BSEL, _SUN))
+ }
+
Method (_S1D, 0, NotSerialized) // _S1D: S1 Device State
{
Return (Zero)
[...]
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-7-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:01:01 +0000 (14:01 -0400)]
pci: acpi: add _DSM method to PCI devices
Implement _DSM according to:
PCI Firmware Specification 3.1
4.6.7. DSM for Naming a PCI or PCI Express Device Under
Operating Systems
and wire it up to cold and hot-plugged PCI devices.
Feature depends on ACPI hotplug being enabled (as that provides
PCI devices descriptions in ACPI and MMIO registers that are
reused to fetch acpi-index).
acpi-index should work for
- cold plugged NICs:
$QEMU -device e1000,acpi-index=100
=> 'eno100'
- hot-plugged
(monitor) device_add e1000,acpi-index=200,id=remove_me
=> 'eno200'
- re-plugged
(monitor) device_del remove_me
(monitor) device_add e1000,acpi-index=1
=> 'eno1'
Windows also sees index under "PCI Label Id" field in properties
dialog but otherwise it doesn't seem to have any effect.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-6-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:01:00 +0000 (14:01 -0400)]
acpi: add aml_to_decimalstring() and aml_call6() helpers
it will be used by follow up patches
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-5-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:00:59 +0000 (14:00 -0400)]
pci: acpi: ensure that acpi-index is unique
it helps to avoid device naming conflicts when guest OS is
configured to use acpi-index for naming.
Spec ialso says so:
PCI Firmware Specification Revision 3.2
4.6.7. _DSM for Naming a PCI or PCI Express Device Under Operating Systems
"
Instance number must be unique under \_SB scope. This instance number does not have to
be sequential in a given system configuration.
"
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-4-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:00:58 +0000 (14:00 -0400)]
pci: introduce acpi-index property for PCI device
In x86/ACPI world, linux distros are using predictable
network interface naming since systemd v197. Which on
QEMU based VMs results into path based naming scheme,
that names network interfaces based on PCI topology.
With itm on has to plug NIC in exactly the same bus/slot,
which was used when disk image was first provisioned/configured
or one risks to loose network configuration due to NIC being
renamed to actually used topology.
That also restricts freedom to reshape PCI configuration of
VM without need to reconfigure used guest image.
systemd also offers "onboard" naming scheme which is
preferred over PCI slot/topology one, provided that
firmware implements:
"
PCI Firmware Specification 3.1
4.6.7. DSM for Naming a PCI or PCI Express Device Under
Operating Systems
"
that allows to assign user defined index to PCI device,
which systemd will use to name NIC. For example, using
-device e1000,acpi-index=100
guest will rename NIC to 'eno100', where 'eno' is default
prefix for "onboard" naming scheme. This doesn't require
any advance configuration on guest side to com in effect
at 'onboard' scheme takes priority over path based naming.
Hope is that 'acpi-index' it will be easier to consume by
management layer, compared to forcing specific PCI topology
and/or having several disk image templates for different
topologies and will help to simplify process of spawning
VM from the same template without need to reconfigure
guest NIC.
This patch adds, 'acpi-index'* property and wires up
a 32bit register on top of pci hotplug register block
to pass index value to AML code at runtime.
Following patch will add corresponding _DSM code and
wire it up to PCI devices described in ACPI.
*) name comes from linux kernel terminology
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-3-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Igor Mammedov [Mon, 15 Mar 2021 18:00:57 +0000 (14:00 -0400)]
tests: acpi: temporary whitelist DSDT changes
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <
20210315180102.
3008391-2-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Peter Maydell [Mon, 22 Mar 2021 18:50:25 +0000 (18:50 +0000)]
Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-
20210322' into staging
SD/MMC patches queue
- Fix build error when DEBUG_SD is on
- Perform SD ERASE operation
- SDHCI ADMA heap buffer overflow
(CVE-2020-17380, CVE-2020-25085, CVE-2021-3409)
# gpg: Signature made Mon 22 Mar 2021 17:13:43 GMT
# gpg: using RSA key
FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd/tags/sdmmc-
20210322:
hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
hw/sd: sdhci: Correctly set the controller status for ADMA
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
hw/sd: sdhci: Don't transfer any data when command time out
hw/sd: sd: Actually perform the erase operation
hw/sd: sd: Fix build error when DEBUG_SD is on
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Bin Meng [Wed, 3 Mar 2021 12:26:39 +0000 (20:26 +0800)]
hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
If the block size is programmed to a different value from the
previous one, reset the data pointer of s->fifo_buffer[] so that
s->fifo_buffer[] can be filled in using the new block size in
the next transfer.
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Wed, 3 Mar 2021 12:26:38 +0000 (20:26 +0800)]
hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
The codes to limit the maximum block size is only necessary when
SDHC_BLKSIZE register is writable.
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Wed, 3 Mar 2021 12:26:37 +0000 (20:26 +0800)]
hw/sd: sdhci: Correctly set the controller status for ADMA
When an ADMA transfer is started, the codes forget to set the
controller status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:
https://paste.debian.net/plain/
1185136
https://paste.debian.net/plain/
1185141
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Wed, 3 Mar 2021 12:26:36 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:
This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Wed, 3 Mar 2021 12:26:35 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't transfer any data when command time out
At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:
outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
-device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive \
-monitor none -serial none -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Sat, 20 Feb 2021 08:58:13 +0000 (16:58 +0800)]
hw/sd: sd: Actually perform the erase operation
At present the sd_erase() does not erase the requested range of card
data to 0xFFs. Let's make the erase operation actually happen.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <
1613811493-58815-1-git-send-email-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Bin Meng [Sun, 28 Feb 2021 05:06:09 +0000 (13:06 +0800)]
hw/sd: sd: Fix build error when DEBUG_SD is on
"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when DEBUG_SD is on.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210228050609.24779-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Peter Maydell [Mon, 22 Mar 2021 14:26:13 +0000 (14:26 +0000)]
Merge remote-tracking branch 'remotes/philmd/tags/mips-fixes-
20210322' into staging
MIPS patches queue
- Fix array overrun (Coverity CID
1450831)
- Deprecate KVM TE (Trap-and-Emul)
# gpg: Signature made Mon 22 Mar 2021 14:06:48 GMT
# gpg: using RSA key
FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd/tags/mips-fixes-
20210322:
target/mips: Deprecate Trap-and-Emul KVM support
target/mips/mxu_translate.c: Fix array overrun for D16MIN/D16MAX
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Wang Liang [Wed, 17 Mar 2021 02:41:45 +0000 (22:41 -0400)]
virtio-pmem: fix virtio_pmem_resp assign problem
ret in virtio_pmem_resp is a uint32_t variable, which should be assigned
using virtio_stl_p.
The kernel side driver does not guarantee virtio_pmem_resp to be initialized
to zero in advance, So sometimes the flush operation will fail.
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
Message-Id: <
20210317024145.271212-1-wangliangzz@126.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@cloud.ionos.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:11 +0000 (10:22 +0100)]
vhost-user: Monitor slave channel in vhost_user_read()
Now that everything is in place, have the nested event loop to monitor
the slave channel. The source in the main event loop is destroyed and
recreated to ensure any pending even for the slave channel that was
previously detected is purged. This guarantees that the main loop
wont invoke slave_read() based on an event that was already handled
by the nested loop.
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-7-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:10 +0000 (10:22 +0100)]
vhost-user: Introduce nested event loop in vhost_user_read()
A deadlock condition potentially exists if a vhost-user process needs
to request something to QEMU on the slave channel while processing a
vhost-user message.
This doesn't seem to affect any vhost-user implementation so far, but
this is currently biting the upcoming enablement of DAX with virtio-fs.
The issue is being observed when the guest does an emergency reboot while
a mapping still exits in the DAX window, which is very easy to get with
a busy enough workload (e.g. as simulated by blogbench [1]) :
- QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
- In order to complete the request, virtiofsd then asks QEMU to remove
the mapping on the slave channel.
All these dialogs are synchronous, hence the deadlock.
As pointed out by Stefan Hajnoczi:
When QEMU's vhost-user master implementation sends a vhost-user protocol
message, vhost_user_read() does a "blocking" read during which slave_fd
is not monitored by QEMU.
The natural solution for this issue is an event loop. The main event
loop cannot be nested though since we have no guarantees that its
fd handlers are prepared for re-entrancy.
Introduce a new event loop that only monitors the chardev I/O for now
in vhost_user_read() and push the actual reading to a one-shot handler.
A subsequent patch will teach the loop to monitor and process messages
from the slave channel as well.
[1] https://github.com/jedisct1/Blogbench
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-6-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:09 +0000 (10:22 +0100)]
vhost-user: Convert slave channel to QIOChannelSocket
The slave channel is implemented with socketpair() : QEMU creates
the pair, passes one of the socket to virtiofsd and monitors the
other one with the main event loop using qemu_set_fd_handler().
In order to fix a potential deadlock between QEMU and a vhost-user
external process (e.g. virtiofsd with DAX), we want to be able to
monitor and service the slave channel while handling vhost-user
requests.
Prepare ground for this by converting the slave channel to be a
QIOChannelSocket. This will make monitoring of the slave channel
as simple as calling qio_channel_add_watch_source(). Since the
connection is already established between the two sockets, only
incoming I/O (G_IO_IN) and disconnect (G_IO_HUP) need to be
serviced.
This also allows to get rid of the ancillary data parsing since
QIOChannelSocket can do this for us. Note that the MSG_CTRUNC
check is dropped on the way because QIOChannelSocket ignores this
case. This isn't a problem since slave_read() provisions space for
8 file descriptors, but affected vhost-user slave protocol messages
generally only convey one. If for some reason a buggy implementation
passes more file descriptors, no need to break the connection, just
like we don't break it if some other type of ancillary data is
received : this isn't explicitely violating the protocol per-se so
it seems better to ignore it.
The current code errors out on short reads and writes. Use the
qio_channel_*_all() variants to address this on the way.
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-5-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:08 +0000 (10:22 +0100)]
vhost-user: Factor out duplicated slave_fd teardown code
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-4-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:07 +0000 (10:22 +0100)]
vhost-user: Fix double-close on slave_read() error path
Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
can convey file descriptors. These must be closed before returning
from slave_read() to avoid being leaked. This can currently be done
in two different places:
[1] just after the request has been processed
[2] on the error path, under the goto label err:
These path are supposed to be mutually exclusive but they are not
actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
sending of the reply fails, both [1] and [2] are performed with the
same descriptor values. This can potentially cause subtle bugs if one
of the descriptor was recycled by some other thread in the meantime.
This code duplication complicates rollback for no real good benefit.
Do the closing in a unique place, under a new fdcleanup: goto label
at the end of the function.
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-3-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Fri, 12 Mar 2021 09:22:06 +0000 (10:22 +0100)]
vhost-user: Drop misleading EAGAIN checks in slave_read()
slave_read() checks EAGAIN when reading or writing to the socket
fails. This gives the impression that the slave channel is in
non-blocking mode, which is certainly not the case with the current
code base. And the rest of the code isn't actually ready to cope
with non-blocking I/O.
Just drop the checks everywhere in this function for the sake of
clarity.
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210312092212.782255-2-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Laurent Vivier [Sun, 14 Mar 2021 20:03:00 +0000 (21:03 +0100)]
virtio: Fix virtio_mmio_read()/virtio_mmio_write()
Both functions don't check the personality of the interface (legacy or
modern) before accessing the configuration memory and always use
virtio_config_readX()/virtio_config_writeX().
With this patch, they now check the personality and in legacy mode
call virtio_config_readX()/virtio_config_writeX(), otherwise call
virtio_config_modern_readX()/virtio_config_modern_writeX().
This change has been tested with virtio-mmio guests (virt stretch/armhf and
virt sid/m68k) and virtio-pci guests (pseries RHEL-7.3/ppc64 and /ppc64le).
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <
20210314200300.
3259170-1-laurent@vivier.eu>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Jiaxun Yang [Wed, 17 Mar 2021 01:12:35 +0000 (09:12 +0800)]
target/mips: Deprecate Trap-and-Emul KVM support
Upstream kernel had removed both host[1] and guest[2] support.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=
45c7e8af4a5e3f0bea4ac209eea34118dd57ac64
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=
a1515ec7204edca770c07929df8538fcdb03ad46
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210317011235.7425-1-jiaxun.yang@flygoat.com>
[PMD: Specify mentioned kernel is Linux]
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Peter Maydell [Tue, 16 Mar 2021 13:13:53 +0000 (13:13 +0000)]
target/mips/mxu_translate.c: Fix array overrun for D16MIN/D16MAX
Coverity reported (CID
1450831) an array overrun in
gen_mxu_D16MAX_D16MIN():
1103 } else if (unlikely((XRb == 0) || (XRa == 0))) {
....
1112 if (opc == OPC_MXU_D16MAX) {
1113 tcg_gen_smax_i32(mxu_gpr[XRa - 1], t0, t1);
1114 } else {
1115 tcg_gen_smin_i32(mxu_gpr[XRa - 1], t0, t1);
1116 }
>>> Overrunning array "mxu_gpr" of 15 8-byte elements at element
index
4294967295 (byte offset
34359738367) using index "XRa - 1U"
(which evaluates to
4294967295).
This happens because the code is confused about which of XRa, XRb and
XRc is the output, and which are the inputs. XRa is the output, but
most of the conditions separating out different special cases are
written as if XRc is the output, with the result that we can end up
in the code path that assumes XRa is non-0 even when it is zero.
Fix the erroneous code, bringing it in to line with the structure
used in functions like gen_mxu_S32MAX_S32MIN() and
gen_mxu_Q8MAX_Q8MIN().
Fixes: CID 1450831
Fixes: bb84cbf38505bd1d8
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210316131353.4533-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Peter Maydell [Mon, 22 Mar 2021 11:24:55 +0000 (11:24 +0000)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Mon 22 Mar 2021 09:35:08 GMT
# gpg: using RSA key
EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
net/eth: Add an assert() and invert if() statement to simplify code
net/eth: Read ip6_ext_hdr_routing buffer before accessing it
net/eth: Check iovec has enough data earlier
net/eth: Check size earlier in _eth_get_rss_ex_dst_addr()
net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument
net/eth: Simplify _eth_get_rss_ex_dst_addr()
net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr()
net/colo-compare.c: Optimize removal of secondary packet
net/colo-compare.c: Fix memory leak for non-tcp packet
hw/net: virtio-net: Initialize nc->do_not_pad to true
net: Pad short frames to minimum size before sending from SLiRP/TAP
net: Add a 'do_not_pad" to NetClientState
net: eth: Add a helper to pad a short Ethernet frame
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 22 Mar 2021 10:05:45 +0000 (10:05 +0000)]
Merge remote-tracking branch 'remotes/thuth-gitlab/tags/pull-request-2021-03-21' into staging
* Small fixes for the unit tests
* Compilation fixes for Illumos et al.
* Update the FreeBSD VM to 12.2
# gpg: Signature made Sun 21 Mar 2021 16:51:42 GMT
# gpg: using RSA key
27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5
* remotes/thuth-gitlab/tags/pull-request-2021-03-21:
FreeBSD: Upgrade to 12.2 release
contrib: ivshmem client and server build fix for SunOS.
configure: fix for SunOS based systems
tests/unit/test-block-iothread: fix maybe-uninitialized error on GCC 11
docs/devel/testing.rst: Fix references to unit tests
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:23 +0000 (19:31 +0100)]
net/eth: Add an assert() and invert if() statement to simplify code
To simplify the function body, invert the if() statement, returning
earlier.
Since we already checked there is enough data in the iovec buffer,
simply add an assert() call to consume the bytes_read variable.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:22 +0000 (19:31 +0100)]
net/eth: Read ip6_ext_hdr_routing buffer before accessing it
We can't know the caller read enough data in the memory pointed
by ext_hdr to cast it as a ip6_ext_hdr_routing.
Declare rt_hdr on the stack and fill it again from the iovec.
Since we already checked there is enough data in the iovec buffer,
simply add an assert() call to consume the bytes_read variable.
This fix a 2 bytes buffer overrun in eth_parse_ipv6_hdr() reported
by QEMU fuzzer:
$ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
-accel qtest -monitor none \
-serial none -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0x25 0x1 0x86
write 0x26 0x1 0xdd
write 0x4f 0x1 0x2b
write 0xe1020030 0x4 0x190002e1
write 0xe102003a 0x2 0x0807
write 0xe1020048 0x4 0x12077cdd
write 0xe1020400 0x4 0xba077cdd
write 0xe1020420 0x4 0x190002e1
write 0xe1020428 0x4 0x3509d807
write 0xe1020438 0x1 0xe2
EOF
=================================================================
==
2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
READ of size 1 at 0x7ffdef904902 thread T0
#0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
#1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
#2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
#3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
#4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
#5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
#6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
#7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
#8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5
Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
#0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Stack left redzone: f1
Stack right redzone: f3
==
2859770==ABORTING
Add the corresponding qtest case with the fuzzer reproducer.
FWIW GCC 11 similarly reported:
net/eth.c: In function 'eth_parse_ipv6_hdr':
net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
| ~~~~~^~~~~~~
net/eth.c:485:24: note: while referencing 'ext_hdr'
485 | struct ip6_ext_hdr ext_hdr;
| ^~~~~~~
net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
| ~~~~~^~~~~~~~~
net/eth.c:485:24: note: while referencing 'ext_hdr'
485 | struct ip6_ext_hdr ext_hdr;
| ^~~~~~~
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:21 +0000 (19:31 +0100)]
net/eth: Check iovec has enough data earlier
We want to check fields from ip6_ext_hdr_routing structure
and if correct read the full in6_address. Let's directly check
if our iovec contains enough data for everything, else return
early.
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:20 +0000 (19:31 +0100)]
net/eth: Check size earlier in _eth_get_rss_ex_dst_addr()
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:19 +0000 (19:31 +0100)]
net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument
The 'offset' argument represents the offset to the ip6_ext_hdr
header, rename it as 'ext_hdr_offset'.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:18 +0000 (19:31 +0100)]
net/eth: Simplify _eth_get_rss_ex_dst_addr()
The length field is already contained in the ip6_ext_hdr structure.
Check it direcly in eth_parse_ipv6_hdr() before calling
_eth_get_rss_ex_dst_addr(), which gets a bit simplified.
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Philippe Mathieu-Daudé [Wed, 10 Mar 2021 18:31:17 +0000 (19:31 +0100)]
net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr()
The in6_address comes after the ip6_ext_hdr_routing header,
not after the ip6_ext_hdr one. Fix the offset.
Cc: qemu-stable@nongnu.org
Reported-by: Stefano Garzarella <sgarzare@redhat.com>
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Lukas Straub [Thu, 18 Mar 2021 04:11:52 +0000 (12:11 +0800)]
net/colo-compare.c: Optimize removal of secondary packet
g_queue_remove needs to look up the list entry first, but we
already have it as result and can remove it directly with
g_queue_delete_link.
Signed-off-by: Lukas Straub <lukasstraub2@web.de>
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Reviewed-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Lukas Straub [Thu, 18 Mar 2021 04:11:51 +0000 (12:11 +0800)]
net/colo-compare.c: Fix memory leak for non-tcp packet
Additional to removing the packet from the secondary queue,
we also need to free it.
Signed-off-by: Lukas Straub <lukasstraub2@web.de>
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Reviewed-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Bin Meng [Wed, 17 Mar 2021 06:26:30 +0000 (14:26 +0800)]
hw/net: virtio-net: Initialize nc->do_not_pad to true
For virtio-net, there is no need to pad the Ethernet frame size to
60 bytes before sending to it.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Bin Meng [Wed, 17 Mar 2021 06:26:29 +0000 (14:26 +0800)]
net: Pad short frames to minimum size before sending from SLiRP/TAP
The minimum Ethernet frame length is 60 bytes. For short frames with
smaller length like ARP packets (only 42 bytes), on a real world NIC
it can choose either padding its length to the minimum required 60
bytes, or sending it out directly to the wire. Such behavior can be
hardcoded or controled by a register bit. Similarly on the receive
path, NICs can choose either dropping such short frames directly or
handing them over to software to handle.
On the other hand, for the network backends like SLiRP/TAP, they
don't expose a way to control the short frame behavior. As of today
they just send/receive data from/to the other end connected to them,
which means any sized packet is acceptable. So they can send and
receive short frames without any problem. It is observed that ARP
packets sent from SLiRP/TAP are 42 bytes, and SLiRP/TAP just send
these ARP packets to the other end which might be a NIC model that
does not allow short frames to pass through.
To provide better compatibility, for packets sent from QEMU network
backends like SLiRP/TAP, we change to pad short frames before sending
it out to the other end, if the other end does not forbid it via the
nc->do_not_pad flag. This ensures a backend as an Ethernet sender
does not violate the spec. But with this change, the behavior of
dropping short frames from SLiRP/TAP interfaces in the NIC model
cannot be emulated because it always receives a packet that is spec
complaint. The capability of sending short frames from NIC models is
still supported and short frames can still pass through SLiRP/TAP.
This commit should be able to fix the issue as reported with some
NIC models before, that ARP requests get dropped, preventing the
guest from becoming visible on the network. It was workarounded in
these NIC models on the receive path, that when a short frame is
received, it is padded up to 60 bytes.
The following 2 commits seem to be the one to workaround this issue
in e1000 and vmxenet3 before, and should probably be reverted.
commit
78aeb23eded2 ("e1000: Pad short frames to minimum size (60 bytes)")
commit
40a87c6c9b11 ("vmxnet3: Pad short frames to minimum size (60 bytes)")
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Bin Meng [Wed, 17 Mar 2021 06:26:28 +0000 (14:26 +0800)]
net: Add a 'do_not_pad" to NetClientState
This adds a flag in NetClientState, so that a net client can tell
its peer that the packets do not need to be padded to the minimum
size of an Ethernet frame (60 bytes) before sending to it.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Bin Meng [Wed, 17 Mar 2021 06:26:27 +0000 (14:26 +0800)]
net: eth: Add a helper to pad a short Ethernet frame
Add a helper to pad a short Ethernet frame to the minimum required
length, which can be used by backends' code.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Warner Losh [Sun, 7 Mar 2021 15:56:54 +0000 (08:56 -0700)]
FreeBSD: Upgrade to 12.2 release
FreeBSD 12.1 has reached end of life. Use 12.2 instead so that FreeBSD's
project's packages will work. Update which timezone to pick. Work around a QEMU
bug that incorrectly raises an exception on a CRC32 instruction with the FPU
disabled. The qemu bug is described here:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg784158.html
Signed-off-by: Warner Losh <imp@bsdimp.com>
Message-Id: <
20210307155654.993-2-imp@bsdimp.com>
[thuth: Disable gnutls to work-around a problem with libtasn1]
Signed-off-by: Thomas Huth <thuth@redhat.com>
David CARLIER [Sat, 18 Jul 2020 13:20:55 +0000 (14:20 +0100)]
contrib: ivshmem client and server build fix for SunOS.
sun is a macro on these systems, thus renaming the variables on the
client and server.
Signed-off-by: David Carlier <devnexen@gmail.com>
Message-Id: <CA+XhMqzHPG5ezqY-YxbA+tMoadA3VDFWBX8_LaLC5YsQOMrz+A@mail.gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
David CARLIER [Sat, 18 Jul 2020 13:19:10 +0000 (14:19 +0100)]
configure: fix for SunOS based systems
local directive make the configure fails on these systems.
Signed-off-by: David Carlier <devnexen@gmail.com>
Message-Id: <CA+XhMqy95D8X-QvBcEfL=a-Rkgy6aJtheskkqZwQkreru+T_Wg@mail.gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Emanuele Giuseppe Esposito [Fri, 19 Mar 2021 11:22:18 +0000 (12:22 +0100)]
tests/unit/test-block-iothread: fix maybe-uninitialized error on GCC 11
When building qemu with GCC 11, test-block-iothread produces the following
warning:
../tests/unit/test-block-iothread.c:148:11: error: ‘buf’ may be used
uninitialized [-Werror=maybe-uninitialized]
This is caused by buf[512] left uninitialized and passed to
bdrv_save_vmstate() that expects a const uint8_t *, so the compiler
assumes it will be read and expects the parameter to be initialized.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <
20210319112218.49609-1-eesposit@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Wainer dos Santos Moschetta [Thu, 18 Mar 2021 17:44:07 +0000 (14:44 -0300)]
docs/devel/testing.rst: Fix references to unit tests
With the recent move of the unit tests to tests/unit directory some
instructions under the "Unit tests" section became imprecise, which
are fixed by this change.
Fixes: da668aa15b99 ("tests: Move unit tests into a separate directory")
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-Id: <
20210318174407.
2299930-1-wainersm@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Peter Maydell [Fri, 19 Mar 2021 18:01:17 +0000 (18:01 +0000)]
Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
* fixes for i386 TCG paging
* fixes for Hyper-V enlightenments
* avoid uninitialized variable warning
# gpg: Signature made Fri 19 Mar 2021 14:38:12 GMT
# gpg: using RSA key
F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini-gitlab/tags/for-upstream:
tests/qtest: cleanup the testcase for bug
1878642
hw/intc/i8259: Refactor pic_read_irq() to avoid uninitialized variable
i386: Make migration fail when Hyper-V reenlightenment was enabled but 'user_tsc_khz' is unset
i386: Fix 'hypercall_hypercall' typo
target/i386: svm: do not discard high 32 bits of EXITINFO1
target/i386: fail if toggling LA57 in 64-bit mode
target/i386: allow modifying TCG phys-addr-bits
qom: use qemu_printf to print help for user-creatable objects
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 19 Mar 2021 16:40:00 +0000 (16:40 +0000)]
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2021-03-16-v4' into staging
QAPI patches patches for 2021-03-16
# gpg: Signature made Fri 19 Mar 2021 15:06:52 GMT
# gpg: using RSA key
354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg: issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-qapi-2021-03-16-v4:
qapi: New -compat deprecated-input=crash
qapi: Implement deprecated-input=reject for QMP command arguments
qapi: Implement deprecated-input=reject for QMP commands
test-util-sockets: Add stub for monitor_set_cur()
qapi: Implement deprecated-output=hide for QMP introspection
monitor: Drop query-qmp-schema 'gen': false hack
qapi: Implement deprecated-output=hide for QMP event data
qapi: Implement deprecated-output=hide for QMP events
qapi: Implement deprecated-output=hide for QMP command results
qemu-options: New -compat to set policy for deprecated interfaces
qemuutil: remove qemu_set_fd_handler duplicate symbol
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 19 Mar 2021 15:24:59 +0000 (15:24 +0000)]
Merge remote-tracking branch 'remotes/armbru/tags/pull-qom-fdc-2021-03-16-v5' into staging
QOM and fdc patches patches for 2021-03-16
# gpg: Signature made Fri 19 Mar 2021 14:18:47 GMT
# gpg: using RSA key
354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg: issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-qom-fdc-2021-03-16-v5:
memory: Drop "qemu:" prefix from QOM memory region type names
hw: Replace anti-social QOM type names
blockdev: Drop deprecated bogus -drive interface type
fdc: Inline fdctrl_connect_drives() into fdctrl_realize_common()
fdc: Drop deprecated floppy configuration
docs/system/deprecated: Fix note on fdc drive properties
fuzz: Avoid deprecated misuse of -drive if=sd
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Markus Armbruster [Thu, 18 Mar 2021 15:55:19 +0000 (16:55 +0100)]
qapi: New -compat deprecated-input=crash
Policy "crash" calls abort() when deprecated input is received.
Bugs in integration tests may mask the error from policy "reject".
Provide a larger hammer: crash outright. Masking that seems unlikely.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-12-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:18 +0000 (16:55 +0100)]
qapi: Implement deprecated-input=reject for QMP command arguments
This policy rejects deprecated input, and thus permits "testing the
future". Implement it for QMP command arguments: reject commands with
deprecated ones. Example: when QEMU is run with -compat
deprecated-input=reject, then
{"execute": "eject", "arguments": {"device": "cd"}}
fails like this
{"error": {"class": "GenericError", "desc": "Deprecated parameter 'device' disabled by policy"}}
When the deprecated parameter is removed, the error will change to
{"error": {"class": "GenericError", "desc": "Parameter 'device' is unexpected"}}
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-11-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:17 +0000 (16:55 +0100)]
qapi: Implement deprecated-input=reject for QMP commands
This policy rejects deprecated input, and thus permits "testing the
future". Implement it for QMP commands: make deprecated ones fail.
Example: when QEMU is run with -compat deprecated-input=reject, then
{"execute": "query-cpus"}
fails like this
{"error": {"class": "CommandNotFound", "desc": "Deprecated command query-cpus disabled by policy"}}
When the deprecated command is removed, the error will change to
{"error": {"class": "CommandNotFound", "desc": "The command query-cpus has not been found"}}
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-10-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:16 +0000 (16:55 +0100)]
test-util-sockets: Add stub for monitor_set_cur()
Without this stub, the next commit fails to link. I suspect the real
cause is
947e47448d "monitor: Use getter/setter functions for
cur_mon".
Cc: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-9-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:15 +0000 (16:55 +0100)]
qapi: Implement deprecated-output=hide for QMP introspection
This policy suppresses deprecated bits in output, and thus permits
"testing the future". Implement it for QMP command query-qmp-schema:
suppress information on deprecated commands, events and object type
members, i.e. anything that has the special feature flag "deprecated".
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-8-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:14 +0000 (16:55 +0100)]
monitor: Drop query-qmp-schema 'gen': false hack
QMP commands return their response as a generated QAPI type, which the
monitor core converts to JSON via QObject.
query-qmp-schema's response is the generated introspection data. This
is a QLitObject since commit
7d0f982bfb "qapi: generate a literal
qobject for introspection", v2.12). Before, it was a string. Instead
of converting QLitObject / string -> QObject -> QAPI type
SchemaInfoList -> QObject -> JSON, we take a shortcut: the command is
'gen': false, so it can return the QObject instead of the QAPI type.
Slightly simpler and more efficient.
The next commit will filter the response for output policy, and this
is easier in the SchemaInfoList representation. Drop the shortcut.
This replaces the manual command registration by a generated one. The
manual registration makes the command available before the machine is
built by passing flag QCO_ALLOW_PRECONFIG. To keep it available
there, we need need to add 'allow-preconfig': true to its definition
in the schema.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-7-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:13 +0000 (16:55 +0100)]
qapi: Implement deprecated-output=hide for QMP event data
This policy suppresses deprecated bits in output, and thus permits
"testing the future". Implement it for QMP event data: suppress
deprecated members.
No QMP event data is deprecated right now.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-6-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:12 +0000 (16:55 +0100)]
qapi: Implement deprecated-output=hide for QMP events
This policy suppresses deprecated bits in output, and thus permits
"testing the future". Implement it for QMP events: suppress
deprecated ones.
No QMP event is deprecated right now.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-5-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:11 +0000 (16:55 +0100)]
qapi: Implement deprecated-output=hide for QMP command results
This policy suppresses deprecated bits in output, and thus permits
"testing the future". Implement it for QMP command results. Example:
when QEMU is run with -compat deprecated-output=hide, then
{"execute": "query-cpus-fast"}
yields
{"return": [{"thread-id": 9805, "props": {"core-id": 0, "thread-id": 0, "socket-id": 0}, "qom-path": "/machine/unattached/device[0]", "cpu-index": 0, "target": "x86_64"}]}
instead of
{"return": [{"arch": "x86", "thread-id": 22436, "props": {"core-id": 0, "thread-id": 0, "socket-id": 0}, "qom-path": "/machine/unattached/device[0]", "cpu-index": 0, "target": "x86_64"}]}
Note the suppression of deprecated member "arch".
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-4-armbru@redhat.com>
Markus Armbruster [Thu, 18 Mar 2021 15:55:10 +0000 (16:55 +0100)]
qemu-options: New -compat to set policy for deprecated interfaces
New option -compat lets you configure what to do when deprecated
interfaces get used. This is intended for testing users of the
management interfaces. It is experimental.
-compat deprecated-input=<input-policy> configures what to do when
deprecated input is received. Input policy can be "accept" (accept
silently), or "reject" (reject the request with an error).
-compat deprecated-output=<out-policy> configures what to do when
deprecated output is sent. Output policy can be "accept" (pass on
unchanged), or "hide" (filter out the deprecated parts).
Default is "accept". Policies other than "accept" are implemented
later in this series.
For now, -compat covers only syntactic aspects of QMP, i.e. stuff
tagged with feature 'deprecated'. We may want to extend it to cover
semantic aspects, CLI, and experimental features.
Note that there is no good way for management application to detect
presence of -compat: it's not visible output of query-qmp-schema or
query-command-line-options. Tolerable, because it's meant for
testing. If running with -compat fails, skip the test.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <
20210318155519.
1224118-3-armbru@redhat.com>
Paolo Bonzini [Thu, 18 Mar 2021 15:55:09 +0000 (16:55 +0100)]
qemuutil: remove qemu_set_fd_handler duplicate symbol
libqemuutil has two definitions of qemu_set_fd_handler. This
is not needed since the only users of the function are
qemu-io.c and the emulators, both of which already include
util/main-loop.c.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <
d0c5aa88-029e-4328-7a53-
482a3010c5f8@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210318155519.
1224118-2-armbru@redhat.com>
Paolo Bonzini [Fri, 19 Mar 2021 08:44:42 +0000 (04:44 -0400)]
tests/qtest: cleanup the testcase for bug
1878642
Clean up the writes to the configuration space and the PM region, and
rename the test to lpc-ich9-test.
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Markus Armbruster [Thu, 4 Mar 2021 14:02:29 +0000 (15:02 +0100)]
memory: Drop "qemu:" prefix from QOM memory region type names
Almost all QOM type names consist only of letters, digits, '-', '_',
and '.'. Just two contain ':': "qemu:memory-region" and
"qemu:iommu-memory-region". Neither can be plugged with -object.
Rename them to "memory-region" and "iommu-memory-region".
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210304140229.575481-3-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Markus Armbruster [Thu, 4 Mar 2021 14:02:28 +0000 (15:02 +0100)]
hw: Replace anti-social QOM type names
Several QOM type names contain ',':
ARM,bitband-memory
etraxfs,pic
etraxfs,serial
etraxfs,timer
fsl,imx25
fsl,imx31
fsl,imx6
fsl,imx6ul
fsl,imx7
grlib,ahbpnp
grlib,apbpnp
grlib,apbuart
grlib,gptimer
grlib,irqmp
qemu,register
SUNW,bpp
SUNW,CS4231
SUNW,DBRI
SUNW,DBRI.prom
SUNW,fdtwo
SUNW,sx
SUNW,tcx
xilinx,zynq_slcr
xlnx,zynqmp
xlnx,zynqmp-pmu-soc
xlnx,zynq-xadc
These are all device types. They can't be plugged with -device /
device_add, except for xlnx,zynqmp-pmu-soc, and I doubt that one
actually works.
They *can* be used with -device / device_add to request help.
Usability is poor, though: you have to double the comma, like this:
$ qemu-system-x86_64 -device SUNW,,fdtwo,help
Trap for the unwary. The fact that this was broken in
device-introspect-test for more than six years until commit
e27bd49876
fixed it demonstrates that "the unwary" includes seasoned developers.
One QOM type name contains ' ': "ICH9 SMB". Because having to
remember just one way to quote would be too easy.
Rename the "SUNW,FOO types to "sun-FOO". Summarily replace ',' and '
' by '-' in the other type names.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210304140229.575481-2-armbru@redhat.com>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Markus Armbruster [Tue, 9 Mar 2021 16:12:13 +0000 (17:12 +0100)]
blockdev: Drop deprecated bogus -drive interface type
Drop the crap deprecated in commit
a1b40bda08 "blockdev: Deprecate
-drive with bogus interface type" (v5.1.0).
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id:
20210309161214.
1402527-5-armbru@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 9 Mar 2021 16:12:12 +0000 (17:12 +0100)]
fdc: Inline fdctrl_connect_drives() into fdctrl_realize_common()
The previous commit rendered the name fdctrl_connect_drives() somewhat
misleading. Get rid of it by inlining the (now pretty simple)
function into its only caller.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id:
20210309161214.
1402527-4-armbru@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 9 Mar 2021 16:12:11 +0000 (17:12 +0100)]
fdc: Drop deprecated floppy configuration
Drop the crap deprecated in commit
4a27a638e7 "fdc: Deprecate
configuring floppies with -global isa-fdc" (v5.1.0).
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id:
20210309161214.
1402527-3-armbru@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Tue, 9 Mar 2021 16:12:10 +0000 (17:12 +0100)]
docs/system/deprecated: Fix note on fdc drive properties
Commit
4a27a638e7 "fdc: Deprecate configuring floppies with -global
isa-fdc" actually deprecated any use of floppy controller driver
properties, not just with -global. Correct the deprecation note
accordingly.
Fixes: 4a27a638e718b445648de6b27c709353551d9b44
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id:
20210309161214.
1402527-2-armbru@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
Markus Armbruster [Fri, 19 Mar 2021 13:20:08 +0000 (14:20 +0100)]
fuzz: Avoid deprecated misuse of -drive if=sd
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 uses -drive=sd where it
should use -drive if=none instead. This prints a deprecation warning:
$ ./build-oss-fuzz/DEST_DIR/qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 -runs=1 -seed=1
[ASan warnings snipped...]
--> i386: -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive: warning: bogus if=sd is deprecated, use if=none
INFO: Seed: 1
[More normal output snipped...]
Support for this usage will be gone soon. Adjust the test.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
20210319132008.
1830950-1-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Philippe Mathieu-Daudé [Thu, 18 Mar 2021 16:30:59 +0000 (17:30 +0100)]
hw/intc/i8259: Refactor pic_read_irq() to avoid uninitialized variable
Some compiler versions are smart enough to detect a potentially
uninitialized variable, but are not smart enough to detect that this
cannot happen due to the code flow:
../hw/intc/i8259.c: In function ‘pic_read_irq’:
../hw/intc/i8259.c:203:13: error: ‘irq2’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
203 | irq = irq2 + 8;
| ~~~~^~~~~~~~~~
Restrict irq2 variable use to the inner statement.
Fixes: 78ef2b6989f ("i8259: Reorder intack in pic_read_irq")
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <
20210318163059.
3686596-1-philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This page took 0.115933 seconds and 4 git commands to generate.
projects / qemu.git / log