Peter Maydell [Fri, 14 Aug 2015 15:52:34 +0000 (16:52 +0100)]
Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into staging
# gpg: Signature made Fri 14 Aug 2015 14:54:27 BST using RSA key ID C0DE3057
# gpg: Good signature from "Jeffrey Cody <[email protected]>"
# gpg: aka "Jeffrey Cody <[email protected]>"
# gpg: aka "Jeffrey Cody <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98 D624 BDBE 7B27 C0DE 3057
* remotes/cody/tags/block-pull-request:
mirror: Fix coroutine reentrance
block/mirror: limit qiov to IOV_MAX elements
Kevin Wolf [Thu, 13 Aug 2015 08:41:50 +0000 (10:41 +0200)]
mirror: Fix coroutine reentrance
This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero
write on target if sectors not allocated"), which was reported to cause
aborts with the message "Co-routine re-entered recursively".
The cause for this bug is the following code in mirror_iteration_done():
if (s->common.busy) {
qemu_coroutine_enter(s->common.co, NULL);
}
This has always been ugly because - unlike most places that reenter - it
doesn't have a specific yield that it pairs with, but is more
uncontrolled. What we really mean here is "reenter the coroutine if
it's in one of the four explicit yields in mirror.c".
This used to be equivalent with s->common.busy because neither
mirror_run() nor mirror_iteration() call any function that could yield.
However since commit dcfb3beb this doesn't hold true any more:
bdrv_get_block_status_above() can yield.
So what happens is that bdrv_get_block_status_above() wants to take a
lock that is already held, so it adds itself to the queue of waiting
coroutines and yields. Instead of being woken up by the unlock function,
however, it gets woken up by mirror_iteration_done(), which is obviously
wrong.
In most cases the code actually happens to cope fairly well with such
cases, but in this specific case, the unlock must already have scheduled
the coroutine for wakeup when mirror_iteration_done() reentered it. And
then the coroutine happened to process the scheduled restarts and tried
to reenter itself recursively.
This patch fixes the problem by pairing the reenter in
mirror_iteration_done() with specific yields instead of abusing
s->common.busy.
Peter Maydell [Thu, 13 Aug 2015 16:47:44 +0000 (17:47 +0100)]
Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150813' into staging
MIPS patches 2015-08-13
Changes:
* mips32r5-generic CPU updated and renamed to P5600
* improvements in LWL/LDL, logging and fulong2e
# gpg: Signature made Thu 13 Aug 2015 17:10:59 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4 4FC0 5211 8E3C 0B29 DA6B
* remotes/lalrae/tags/mips-20150813:
target-mips: Use CPU_LOG_INT for logging related to interrupts
hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses
target-mips: simplify LWL/LDL mask generation
target-mips: update mips32r5-generic into P5600
Peter Maydell [Thu, 30 Jul 2015 15:33:42 +0000 (16:33 +0100)]
hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses
The LDMA and COP memory regions represent four 32 bit registers
each, but the memory regions themselves are 0x100 bytes large.
Add guards to the read and write accessors so that bogus accesses
beyond the four defined registers don't just run off the end of
the bonldma and boncop structs and into whatever lies beyond.
Yongbok Kim [Fri, 10 Jul 2015 11:10:52 +0000 (12:10 +0100)]
target-mips: update mips32r5-generic into P5600
As full specification of P5600 is available, mips32r5-generic should
be renamed to P5600 and corrected as its intention.
Correct PRid and detail of configuration.
Features which are not currently supported are described as FIXME.
Peter Maydell [Thu, 13 Aug 2015 14:07:34 +0000 (15:07 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio,pc,acpi fixes, cleanups
Mostly cleanups, notably Eduardo's compat code rework,
and smbios rearrangement for use by ARM.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Thu 13 Aug 2015 12:59:16 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>"
# gpg: aka "Michael S. Tsirkin <[email protected]>"
* remotes/mst/tags/for_upstream: (24 commits)
MAINTAINERS: list smbios maintainers
smbios: move smbios code into a common folder
smbios: remove dependency on x86 e820 tables
smbios: extract x86 smbios building code into a function
acpi: avoid potential uninitialized access to cpu_hp_io_base
virtio-net: remove useless codes
pci: allow 0 address for PCI IO/MEM regions
pc: Remove redundant arguments from pc_memory_init()
pc: Remove redundant arguments from pc_cmos_init()
pc: Remove redundant arguments from *load_linux()
pc: Use PCMachineState as pc_guest_info_init() argument
pc: Move {above,below}_4g_mem_size variables to PCMachineState
pc: Use PCMachineState for pc_memory_init() argument
pc: Use PCMachineState for pc_cmos_init() argument
pc: Eliminate pc_default_machine_options()
pc: Eliminate pc_common_machine_options()
pc: Move PCMachineClass, PCMachineState to qemu/typedefs.h
pc: Rename pc_machine variables to pcms
pc: Use error_abort when registering properties
target-i386: Remove x86_cpu_compat_set_features()
...
Wei Huang [Wed, 12 Aug 2015 02:08:20 +0000 (22:08 -0400)]
smbios: move smbios code into a common folder
To share smbios among different architectures, this patch moves SMBIOS
code (smbios.c and smbios.h) from x86 specific folders into new
hw/smbios directories. As a result, CONFIG_SMBIOS=y is defined in
x86 default config files.
Wei Huang [Wed, 12 Aug 2015 02:08:19 +0000 (22:08 -0400)]
smbios: remove dependency on x86 e820 tables
Current smbios builds type 19 table from e820, which is x86 specific.
This patch removes smbios' dependency on e820 by passing an array
of memory area to smbios_get_tables().
acpi: avoid potential uninitialized access to cpu_hp_io_base
When building QEMU with Mingw64 toolchain I see a warning
CC x86_64-softmmu/hw/i386/acpi-build.o
hw/i386/acpi-build.c: In function 'acpi_build':
hw/i386/acpi-build.c:1138:9: warning: 'pm.cpu_hp_io_base' may be used uninitialized in this function [-Wmaybe-uninitialized]
aml_append(crs,
^
hw/i386/acpi-build.c:1666:16: note: 'pm.cpu_hp_io_base' was declared here
AcpiPmInfo pm;
^
In acpi_get_pm_info() some of the fields are pre-initialized
to 0, but this one was missed.
Jason Wang [Mon, 3 Aug 2015 05:20:38 +0000 (13:20 +0800)]
virtio-net: remove useless codes
After commit 40bad8f3deba15e2074ff34cfe923c12916b1cc5("virtio-net: fix
used len for tx"), async_tx.len was no longer used afterwards. So
remove useless codes with it.
Eduardo Habkost [Fri, 7 Aug 2015 19:55:48 +0000 (16:55 -0300)]
pc: Eliminate pc_default_machine_options()
The only PC machines that didn't call pc_default_machine_options() were
isaps and xenfv. Both were already overwriting max_cpus, and only isapc
was not overwriting hot_add_cpu.
After making isapc set hot_add_cpu to NULL, we can move the
pc_default_machine_options() code the PC common class_init.
The existing i440fx initialization code sets a PCI config register that
isn't documented anywhere in the Intel 440FX datasheet. Register 0x57 is
DRAMC (DRAM Control) and has nothing to do with the RAM size.
This was implemented in commit ec5f92ce6ac8ec09056be77e03c941be188648fa
because old coreboot code tried to read registers 0x5a-0x5f,0x56,0x57 to
get the RAM size from QEMU, but I couldn't find out why coreboot did
that. I assume it was a mistake, and the original code was supposed to
be reading the DRB[0-7] registers (offsets 0x60-0x67).
Document that coreboot-specific register offset in a macro and a
comment, for future reference.
The old rules.mak loads dependency .d files using include directive
with file glob pattern "*.d". This breaks the build when build tree has
left-over *.d files from another build.
This patch fixes this by
- loading precise list of .d files made from *.o and *.mo.
- specifying explicit list of required dependency info files for
*.hex autogenerated sources.
Note that Makefile still includes some .d in root directory by including
"*.d".
In rules like "bar/%.o: %.c" there is a difference between $(*D) and
$(@D). $(*D) expands to '.', while $(@D) expands to 'bar'. It is
cleaner to generate *.d in the same directory where appropriate *.o
resides. This allows precise including of dependency info from .d files.
As a hack, we also touch two sources for generated *.hex files. Without
this hack, anyone doing "git pull; make" will not get *.hex rebuilt
correctly since the dependency file would be missing.
Peter Maydell [Thu, 13 Aug 2015 11:04:24 +0000 (12:04 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20150813' into staging
target-arm queue:
* i.MX code cleanup/refactorings
* i.MX UART fix to work with uninitialized chardev
* minor GIC code refactorings
* implement the ARM Secure physical timer
* implement the ARM Hypervisor timer
# gpg: Signature made Thu 13 Aug 2015 11:40:56 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <[email protected]>"
* remotes/pmaydell/tags/pull-target-arm-20150813: (27 commits)
i.MX: Fix UART driver to work with unitialized "chardev" device
hw/cpu/a15mpcore: Wire up hyp and secure physical timer interrupts
hw/arm/virt: Wire up secure timer interrupt
target-arm: Add AArch32 banked register access to secure physical timer
target-arm: Add the AArch64 view of the Secure physical timer
target-arm: Add debug check for mismatched cpreg resets
Introduce gic_class_name() instead of repeating condition
hw/arm/gic: Kill code duplication
Merge memory_region_init_reservation() into memory_region_init_io()
i.MX: Fix Coding style for GPT emulator
i.MX: Split GPT emulator in a header file and a source file
i.MX: Fix Coding style for EPIT emulator
i.MX: Split EPIT emulator in a header file and a source file
i.MX: Fix Coding style for CCM emulator
i.MX: Split CCM emulator in a header file and a source file
i.MX: Fix Coding style for AVIC emulator.
i.MX: Split AVIC emulator in a header file and a source file
i.MX:Fix Coding style for UART emulator.
i.MX: Move serial initialization to init/realize of DeviceClass.
i.MX: Split UART emulator in a header file and a source file
...
Peter Maydell [Thu, 13 Aug 2015 10:26:22 +0000 (11:26 +0100)]
hw/arm/virt: Wire up secure timer interrupt
Wire up the secure timer interrupt. Since we've defined
that the plain old physical timer is the NS timer, we can
drop the now-out-of-date comment about QEMU not having TZ.
Use a data-driven loop to wire up the timer interrupts, since
we now have four of them and the code is the same for each.
Peter Maydell [Thu, 13 Aug 2015 10:26:22 +0000 (11:26 +0100)]
target-arm: Add AArch32 banked register access to secure physical timer
If EL3 is AArch32, then the secure physical timer is accessed via
banking of the registers used for the non-secure physical timer.
Implement this banking.
Note that the access controls for the AArch32 banked registers
remain the same as the physical-timer checks; they are not the
same as the controls on the AArch64 secure timer registers.
Peter Maydell [Thu, 13 Aug 2015 10:26:22 +0000 (11:26 +0100)]
target-arm: Add the AArch64 view of the Secure physical timer
On CPUs with EL3, there are two physical timers, one for Secure and one
for Non-secure. Implement this extra timer and the AArch64 registers
which access it.
Peter Maydell [Thu, 13 Aug 2015 10:26:21 +0000 (11:26 +0100)]
target-arm: Add debug check for mismatched cpreg resets
It's easy to accidentally define two cpregs which both try
to reset the same underlying state field (for instance a
clash between an AArch64 EL3 definition and an AArch32
banked register definition). if the two definitions disagree
about the reset value then the result is dependent on which
one happened to be reached last in the hashtable enumeration.
Add a consistency check to detect and assert in these cases:
after reset, we run a second pass where we check that the
reset operation doesn't change the value of the register.
Rename gt_cnt_reset to gt_timer_reset as the function really
resets the timers and not the counters. Move the registration
from counter regs to timer regs.
Peter Maydell [Wed, 5 Aug 2015 15:02:00 +0000 (16:02 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio fix for 2.4
Fixes migration in virtio 1 mode.
We still have a known bug with memory hotplug, it doesn't
look like we can fix that in time for 2.4.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Wed 05 Aug 2015 15:57:39 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>"
# gpg: aka "Michael S. Tsirkin <[email protected]>"
Sascha Silbe [Tue, 4 Aug 2015 14:48:25 +0000 (16:48 +0200)]
block: don't register quorum driver if SHA256 support is unavailable
Commit 488981a4 [block: convert quorum blockdrv to use crypto APIs]
broke qemu-iotest 041 on hosts with GnuTLS < 2.10.0. It converted a
compile-time check to a run-time check at device open time. The result
is that we now advertise a feature (the quorum block driver) that will
never work (on those hosts). There's no way (short of parsing
human-readable error messages) for qemu-iotests or any other API
consumer to recognise that the quorum block driver isn't _actually_
available and shouldn't be used or tested.
Move the run-time check to bdrv_quorum_init() to avoid registering the
quorum block driver if we know it cannot work. This way API consumers
can recognise it's unavailable.
Jason Wang [Wed, 5 Aug 2015 09:50:07 +0000 (17:50 +0800)]
virtio: fix 1.0 virtqueue migration
1.0 does not requires physically-contiguous pages layout for a
virtqueue. So we could not infer avail and used from desc. This means
we need to migrate vring.avail and vring.used when host support virtio
1.0. This fixes malfunction of virtio 1.0 device after migration.
Peter Maydell [Tue, 4 Aug 2015 15:51:24 +0000 (16:51 +0100)]
Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging
X86 queue, 2015-08-04
# gpg: Signature made Tue 04 Aug 2015 16:49:42 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6
* remotes/ehabkost/tags/x86-pull-request:
target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3
Peter Maydell [Tue, 4 Aug 2015 11:57:06 +0000 (12:57 +0100)]
Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150804' into staging
MIPS patches 2015-08-04
Changes:
* fix semihosting for microMIPS R6
* fix an abort when booting mips64 kernel with --enable-tcg-debug
# gpg: Signature made Tue 04 Aug 2015 12:32:17 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4 4FC0 5211 8E3C 0B29 DA6B
* remotes/lalrae/tags/mips-20150804:
target-mips: Copy restrictions from ext/ins to dext/dins
target-mips: fix semihosting for microMIPS R6
target-mips: Copy restrictions from ext/ins to dext/dins
The checks in dins is required to avoid triggering an assertion
in tcg_gen_deposit_tl. The check in dext is just for completeness.
Fold the other D cases in via fallthru.
In this case the errant dins appears to be data, not code, as
translation failed to stop after a break insn.
Leon Alrae [Mon, 3 Aug 2015 12:01:19 +0000 (13:01 +0100)]
target-mips: fix semihosting for microMIPS R6
In semihosting mode the SDBBP 1 instructions should trigger UHI syscall,
but in QEMU this does not happen for recently added microMIPS R6.
Consequently bare metal microMIPS R6 programs supporting UHI will not run.
Anthony PERARD [Mon, 3 Aug 2015 14:29:21 +0000 (15:29 +0100)]
migration: Fix regression for xenfv and pc,accel=xen machine.
This fix migration from the same QEMU version and from previous QEMU
version.
>From the global state section, we don't need runstate with Xen. Right now,
the way the Xen toolstack knows when QEMU is ready is when QEMU reach
"running" runstate.
The configuration section and the section footers are not going to be
present in previous version of QEMU with xenfv machine, so we skip them.
The Xen toolstack libxenlight does not specify a particular version of the
'pc' machine, so migration from older version of QEMU used by Xen to newer
one would break due to missing "configuration" section and section footers.
Anthony PERARD [Mon, 3 Aug 2015 14:29:19 +0000 (15:29 +0100)]
migration: Fix global state with Xen.
When doing migration via the QMP command xen_save_devices_state, the
current runstate is not store into the global state section. Also the
current runstate is not the one we want on the receiver side.
During migration, the Xen toolstack paused QEMU before save the devices
state. Also, the toolstack expect QEMU to autostart when the migration is
finished.
So this patch store "running" as it's current runstate.
Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.
Peter Maydell [Mon, 3 Aug 2015 12:09:10 +0000 (13:09 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request' into staging
Pull request
# gpg: Signature made Mon Aug 3 13:08:25 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request:
rtl8139: check TCP Data Offset field (CVE-2015-5165)
rtl8139: skip offload on short TCP header (CVE-2015-5165)
rtl8139: check IP Total Length field (CVE-2015-5165)
rtl8139: check IP Header Length field (CVE-2015-5165)
rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Stefan Hajnoczi [Wed, 15 Jul 2015 16:17:28 +0000 (17:17 +0100)]
rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Stefan Hajnoczi [Wed, 15 Jul 2015 16:13:32 +0000 (17:13 +0100)]
rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Peter Maydell [Mon, 3 Aug 2015 10:44:07 +0000 (11:44 +0100)]
Merge remote-tracking branch 'remotes/aurel/tags/pull-tcg-mips-s390-20150803' into staging
TCG MIPS and S390 fixes for 2.4.
# gpg: Signature made Mon Aug 3 09:09:59 2015 BST using RSA key ID 1DDD8C9B
# gpg: Good signature from "Aurelien Jarno <[email protected]>"
# gpg: aka "Aurelien Jarno <[email protected]>"
# gpg: aka "Aurelien Jarno <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7746 2642 A9EF 94FD 0F77 196D BA9C 7806 1DDD 8C9B
* remotes/aurel/tags/pull-tcg-mips-s390-20150803:
tcg/mips: fix add2
tcg/s390x: Mask TCGMemOp appropriately for indexing
tcg/mips: Mask TCGMemOp appropriately for indexing
tcg/mips: fix TLB loading for BE host with 32-bit guests
Peter Maydell [Mon, 3 Aug 2015 09:44:23 +0000 (10:44 +0100)]
Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging
# gpg: Signature made Fri Jul 31 23:24:06 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E
* remotes/jnsnow/tags/ide-pull-request:
ahci: fix ICC mask definition
macio: re-add TRIM support
The add2 code in the tcg_out_addsub2 function doesn't take into account
the case where rl == al == bl. In that case we can't compute the carry
after the addition. As it corresponds to a multiplication by 2, the
carry bit is the bit 31.
While this is a corner case, this prevents x86-64 guests to boot on a
MIPS host.
tcg/mips: fix TLB loading for BE host with 32-bit guests
For 32-bit guest, we load a 32-bit address from the TLB, so there is no
need to compensate for the low or high part. This fixes 32-bit guests on
big-endian hosts.
Commit bd4214fc dropped TRIM support by mistake. Given it is still
advertised to the host when using a drive with discard=on, this cause
the IDE bus to hang when the host issues a TRIM command.
This patch fixes that by re-adding the TRIM code, ported to the new
new DMA implementation.
projects / qemu.git / log