Peter Maydell [Fri, 26 Jun 2020 15:55:20 +0000 (16:55 +0100)]
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
* Various fixes
* libdaxctl support to correctly align devdax character devices (Jingqi)
* initial-all-set support for live migration (Jay)
* forbid '-numa node, mem' for 5.1 and newer machine types (Igor)
* x87 fixes (Joseph)
* Tighten memory_region_access_valid (Michael) and fix fallout (myself)
* Replay fixes (Pavel)
* remotes/bonzini/tags/for-upstream: (31 commits)
i386: Mask SVM features if nested SVM is disabled
ibex_uart: fix XOR-as-pow
vmport: move compat properties to hw_compat_5_0
hyperv: vmbus: Remove the 2nd IRQ
kvm: i386: allow TSC to differ by NTP correction bounds without TSC scaling
numa: forbid '-numa node, mem' for 5.1 and newer machine types
osdep: Make MIN/MAX evaluate arguments only once
target/i386: Add notes for versioned CPU models
target/i386: reimplement fpatan using floatx80 operations
target/i386: reimplement fyl2x using floatx80 operations
target/i386: reimplement fyl2xp1 using floatx80 operations
target/i386: reimplement fprem, fprem1 using floatx80 operations
softfloat: return low bits of quotient from floatx80_modrem
softfloat: do not set denominator high bit for floatx80 remainder
softfloat: do not return pseudo-denormal from floatx80 remainder
softfloat: fix floatx80 remainder pseudo-denormal check for zero
softfloat: merge floatx80_mod and floatx80_rem
target/i386: reimplement f2xm1 using floatx80 operations
xen: Actually fix build without passthrough
Makefile: Install qemu-[qmp/ga]-ref.* into the directory "interop"
...
Eduardo Habkost [Tue, 23 Jun 2020 23:01:16 +0000 (19:01 -0400)]
i386: Mask SVM features if nested SVM is disabled
QEMU incorrectly validates FEAT_SVM feature flags against
GET_SUPPORTED_CPUID even if SVM features are being masked out by
cpu_x86_cpuid(). This can make QEMU print warnings on most AMD
CPU models, even when SVM nesting is disabled (which is the
default).
This bug was never detected before because of a Linux KVM bug:
until Linux v5.6, KVM was not filtering out SVM features in
GET_SUPPORTED_CPUID when nested was disabled. This KVM bug was
fixed in Linux v5.7-rc1, on Linux commit a50718cc3f43 ("KVM:
nSVM: Expose SVM features to L1 iff nested is enabled").
Fix the problem by adding a CPUID_EXT3_SVM dependency to all
FEAT_SVM feature flags in the feature_dependencies table.
Paolo Bonzini [Tue, 23 Jun 2020 10:28:08 +0000 (06:28 -0400)]
vmport: move compat properties to hw_compat_5_0
The patches that introduced the properties were submitted when QEMU 5.0
had not been released yet, so they got merged under the wrong heading.
Move them to hw_compat_5_0 so that 5.0 machine types get the pre-patch
behavior.
Fixes: b889212973da ("hw/i386/vmport: Propagate IOPort read to vCPU EAX register")
Fixes: 0342ee761ef2 ("hw/i386/vmport: Set EAX to -1 on failed and unsupported commands")
Fixes: f8bdc550370f ("hw/i386/vmport: Report vmware-vmx-type in CMD_GETVERSION")
Fixes: aaacf1c15a22 ("hw/i386/vmport: Add support for CMD_GETBIOSUUID")
Reported-by: Laurent Vivier <[email protected]>
Cc: Liran Alon <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Marcelo Tosatti [Tue, 16 Jun 2020 16:58:05 +0000 (13:58 -0300)]
kvm: i386: allow TSC to differ by NTP correction bounds without TSC scaling
The Linux TSC calibration procedure is subject to small variations
(it's common to see a +-1 kHz difference between reboots on a given CPU, for example).
So migrating a guest between two hosts with identical processors can fail, in case
of a small variation in calibrated TSC between them.
Allow a conservative 250ppm error between host TSC and VM TSC frequencies,
rather than requiring an exact match. The NTP daemon in the guest can
correct this difference.
Also change migration to accept this bound.
KVM_SET_TSC_KHZ depends on a kernel interface change. Without this change,
the behaviour remains the same: in case of a different frequency
between host and VM, KVM_SET_TSC_KHZ will fail and QEMU will exit.
Igor Mammedov [Tue, 9 Jun 2020 13:56:35 +0000 (09:56 -0400)]
numa: forbid '-numa node, mem' for 5.1 and newer machine types
The deprecation period has run out and it's time to flip the switch
introduced by cd5ff8333a. Disable the legacy option for new machine
types (since 5.1) and amend the documentation.
'-numa node,memdev' shall be used instead of the disabled option
with new machine types.
Eric Blake [Thu, 25 Jun 2020 16:26:02 +0000 (11:26 -0500)]
osdep: Make MIN/MAX evaluate arguments only once
I'm not aware of any immediate bugs in qemu where a second runtime
evaluation of the arguments to MIN() or MAX() causes a problem, but
proactively preventing such abuse is easier than falling prey to an
unintended case down the road. At any rate, here's the conversation
that sparked the current patch:
https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg05718.html
Update the MIN/MAX macros to only evaluate their argument once at
runtime; this uses typeof(1 ? (a) : (b)) to ensure that we are
promoting the temporaries to the same type as the final comparison (we
have to trigger type promotion, as typeof(bitfield) won't compile; and
we can't use typeof((a) + (b)) or even typeof((a) + 0), as some of our
uses of MAX are on void* pointers where such addition is undefined).
However, we are unable to work around gcc refusing to compile ({}) in
a constant context (such as the array length of a static variable),
even when only used in the dead branch of a __builtin_choose_expr(),
so we have to provide a second macro pair MIN_CONST and MAX_CONST for
use when both arguments are known to be compile-time constants and
where the result must also be usable as a constant; this second form
evaluates arguments multiple times but that doesn't matter for
constants. By using a void expression as the expansion if a
non-constant is presented to this second form, we can enlist the
compiler to ensure the double evaluation is not attempted on
non-constants.
Alas, as both macros now rely on compiler intrinsics, they are no
longer usable in preprocessor #if conditions; those will just have to
be open-coded or the logic rewritten into #define or runtime 'if'
conditions (but where the compiler dead-code-elimination will probably
still apply).
I tested that both gcc 10.1.1 and clang 10.0.0 produce errors for all
forms of macro mis-use. As the errors can sometimes be cryptic, I'm
demonstrating the gcc output:
Use of MIN when MIN_CONST is needed:
In file included from /home/eblake/qemu/qemu-img.c:25:
/home/eblake/qemu/include/qemu/osdep.h:249:5: error: braced-group within expression allowed only inside a function
249 | ({ \
| ^
/home/eblake/qemu/qemu-img.c:92:12: note: in expansion of macro ‘MIN’
92 | char array[MIN(1, 2)] = "";
| ^~~
Use of MIN_CONST when MIN is needed:
/home/eblake/qemu/qemu-img.c: In function ‘is_allocated_sectors’:
/home/eblake/qemu/qemu-img.c:1225:15: error: void value not ignored as it ought to be
1225 | i = MIN_CONST(i, n);
| ^
Use of MIN in the preprocessor:
In file included from /home/eblake/qemu/accel/tcg/translate-all.c:20:
/home/eblake/qemu/accel/tcg/translate-all.c: In function ‘page_check_range’:
/home/eblake/qemu/include/qemu/osdep.h:249:6: error: token "{" is not valid in preprocessor expressions
249 | ({ \
| ^
Fix the resulting callsites that used #if or computed a compile-time
constant min or max to use the new macros. cpu-defs.h is interesting,
as CPU_TLB_DYN_MAX_BITS is sometimes used as a constant and sometimes
dynamic.
It may be worth improving glib's MIN/MAX definitions to be saner, but
that is a task for another day.
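As an added illustration of the double-evaluation hazard and of the two macro shapes this message describes (example code written for this page, not QEMU's osdep.h; the `next_value()` counter, `struct flags`, `sample`, `small_buf` and the `*_calls()` helpers are constructed for the demonstration):

```c
#include <stddef.h>

/* Textbook definition: each argument appears twice in the expansion, so a
 * side effect in an argument (a read, a pop, a counter) runs twice. */
#define MIN_NAIVE(a, b) ((a) < (b) ? (a) : (b))

/* Single-evaluation versions in the style described above. The temporaries
 * take the type of (1 ? (a) : (b)), i.e. the promoted common type, which
 * works for bit-fields and for pointers where __typeof__((a) + (b)) would
 * not compile. Statement expressions are a GNU extension (gcc and clang). */
#define MIN(a, b)                                           \
    ({                                                      \
        __typeof__(1 ? (a) : (b)) _a = (a), _b = (b);       \
        _a < _b ? _a : _b;                                  \
    })
#define MAX(a, b)                                           \
    ({                                                      \
        __typeof__(1 ? (a) : (b)) _a = (a), _b = (b);       \
        _a > _b ? _a : _b;                                  \
    })

/* Constant-context variant: a braced group is rejected where a constant
 * expression is required (static array lengths, enum values). This form
 * evaluates its arguments twice but only accepts compile-time constants;
 * for anything else it expands to a void expression, so using the result
 * is a compile error rather than a silent double evaluation. */
#define MIN_CONST(a, b)                                         \
    __builtin_choose_expr(                                      \
        __builtin_constant_p(a) && __builtin_constant_p(b),     \
        (a) < (b) ? (a) : (b), ((void)0))

/* Constructed side-effecting argument: a counter that advances on every
 * call, standing in for a read from an untrusted stream. */
static int calls;
static int next_value(void)
{
    return ++calls;
}

/* Each *_of_next() returns the computed minimum; the matching *_calls()
 * reports how many times next_value() actually ran. */
int naive_min_of_next(void)
{
    calls = 0;
    return MIN_NAIVE(next_value(), 100);   /* evaluates next_value() twice */
}
int naive_min_calls(void) { return calls; }

int safe_min_of_next(void)
{
    calls = 0;
    return MIN(next_value(), 100);         /* evaluates next_value() once */
}
int safe_min_calls(void) { return calls; }

/* Bit-field argument: __typeof__(f.nibble) is rejected by gcc, but the
 * conditional promotes it to int, so MIN compiles and clamps correctly. */
struct flags { unsigned int nibble : 4; };
int clamp_nibble(unsigned int raw)
{
    struct flags f = { raw & 0xf };
    return MIN(f.nibble, 10);
}

/* Pointer arguments: no addition is involved, so MAX works on pointers. */
static char sample[8];
size_t later_offset(size_t i, size_t j)
{
    return (size_t)(MAX(sample + i, sample + j) - sample);
}

/* MIN_CONST is usable as a static array length; MIN here would fail with
 * "braced-group within expression allowed only inside a function". */
static char small_buf[MIN_CONST(16, 64)];
size_t small_buf_size(void)
{
    return sizeof small_buf;
}
```

The naive macro does not merely call `next_value()` twice: because the comparison consumed the first value, it returns the second one, so the "minimum" is a value that was never compared against the bound. That is the class of bug the single-evaluation form removes.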
Joseph Myers [Tue, 23 Jun 2020 00:01:38 +0000 (00:01 +0000)]
target/i386: reimplement fpatan using floatx80 operations
The x87 fpatan emulation is currently based around conversion to
double. This is inherently unsuitable for a good emulation of any
floatx80 operation. Reimplement using the soft-float operations, as
for other such instructions.
Joseph Myers [Wed, 17 Jun 2020 23:24:29 +0000 (23:24 +0000)]
target/i386: reimplement fyl2x using floatx80 operations
The x87 fyl2x emulation is currently based around conversion to
double. This is inherently unsuitable for a good emulation of any
floatx80 operation. Reimplement using the soft-float operations,
building on top of the reimplementation of fyl2xp1 and factoring out
code to be shared between the two instructions.
The included test assumes that the result in round-to-nearest mode
should always be one of the two closest floating-point numbers to the
mathematically exact result (including that it should be exact, in the
exact cases which cover more cases than for fyl2xp1).
Joseph Myers [Wed, 17 Jun 2020 23:20:50 +0000 (23:20 +0000)]
target/i386: reimplement fyl2xp1 using floatx80 operations
The x87 fyl2xp1 emulation is currently based around conversion to
double. This is inherently unsuitable for a good emulation of any
floatx80 operation, even before considering that it is a particularly
naive implementation using double (adding 1 then using log rather than
attempting a better emulation using log1p).
Reimplement using the soft-float operations, as was done for f2xm1; as
in that case, m68k has related operations but not exactly this one and
it seemed safest to implement directly rather than reusing the m68k
code to avoid accumulation of errors.
A test is included with many randomly generated inputs. The
assumption of the test is that the result in round-to-nearest mode
should always be one of the two closest floating-point numbers to the
mathematical value of y * log2(x + 1); the implementation aims to do
somewhat better than that (about 70 correct bits before rounding). I
haven't investigated how accurate hardware is.
Intel manuals describe a narrower range of valid arguments to this
instruction than AMD manuals. The implementation accepts the wider
range (it's needed anyway for the core code to be reusable in a
subsequent patch reimplementing fyl2x), but the test only has inputs
in the narrower range so that it's valid on hardware that may reject
or produce poor results for inputs outside that range.
Code in the previous implementation that sets C2 for some out-of-range
arguments is not carried forward to the new implementation; C2 is
undefined for this instruction and I suspect that code was just
cut-and-pasted from the trigonometric instructions (fcos, fptan, fsin,
fsincos) where C2 *is* defined to be set for out-of-range arguments.
Joseph Myers [Mon, 8 Jun 2020 16:58:23 +0000 (16:58 +0000)]
target/i386: reimplement fprem, fprem1 using floatx80 operations
The x87 fprem and fprem1 emulation is currently based around
conversion to double, which is inherently unsuitable for a good
emulation of any floatx80 operation. Reimplement using the soft-float
floatx80 remainder operations.
Joseph Myers [Mon, 8 Jun 2020 16:57:16 +0000 (16:57 +0000)]
softfloat: return low bits of quotient from floatx80_modrem
Both x87 and m68k need the low parts of the quotient for their
remainder operations. Arrange for floatx80_modrem to track those bits
and return them via a pointer.
The architectures using float32_rem and float64_rem do not appear to
need this information, so the *_rem interface is left unchanged and
the information returned only from floatx80_modrem. The logic used to
determine the low 7 bits of the quotient for m68k
(target/m68k/fpu_helper.c:make_quotient) appears completely bogus (it
looks at the result of converting the remainder to integer, the
quotient having been discarded by that point); this patch does not
change that, but the m68k maintainers may wish to do so.
Joseph Myers [Mon, 8 Jun 2020 16:56:47 +0000 (16:56 +0000)]
softfloat: do not set denominator high bit for floatx80 remainder
The floatx80 remainder implementation unnecessarily sets the high bit
of bSig explicitly. By that point in the function, arguments that are
invalid, zero, infinity or NaN have already been handled and
subnormals have been through normalizeFloatx80Subnormal, so the high
bit will already be set. Remove the unnecessary code.
Joseph Myers [Mon, 8 Jun 2020 16:56:20 +0000 (16:56 +0000)]
softfloat: do not return pseudo-denormal from floatx80 remainder
The floatx80 remainder implementation sometimes returns the numerator
unchanged when the denominator is sufficiently larger than the
numerator. But if the value to be returned unchanged is a
pseudo-denormal, that is incorrect. Fix it to normalize the numerator
in that case.
Joseph Myers [Mon, 8 Jun 2020 16:55:49 +0000 (16:55 +0000)]
softfloat: fix floatx80 remainder pseudo-denormal check for zero
The floatx80 remainder implementation ignores the high bit of the
significand when checking whether an operand (numerator) with zero
exponent is zero. This means it mishandles a pseudo-denormal
representation of 0x1p-16382L by treating it as zero. Fix this by
checking the whole significand instead.
Joseph Myers [Mon, 8 Jun 2020 16:55:11 +0000 (16:55 +0000)]
softfloat: merge floatx80_mod and floatx80_rem
The m68k-specific softfloat code includes a function floatx80_mod that
is extremely similar to floatx80_rem, but computing the remainder
based on truncating the quotient toward zero rather than rounding it
to nearest integer. This is also useful for emulating the x87 fprem
and fprem1 instructions. Change the floatx80_rem implementation into
floatx80_modrem that can perform either operation, with both
floatx80_rem and floatx80_mod as thin wrappers available for all
targets.
There does not appear to be any use for the _mod operation for other
floating-point formats in QEMU (the only other architectures using
_rem at all are linux-user/arm/nwfpe, for FPA emulation, and openrisc,
for instructions that have been removed in the latest version of the
architecture), so no change is made to the code for other formats.
Joseph Myers [Thu, 11 Jun 2020 23:45:48 +0000 (23:45 +0000)]
target/i386: reimplement f2xm1 using floatx80 operations
The x87 f2xm1 emulation is currently based around conversion to
double. This is inherently unsuitable for a good emulation of any
floatx80 operation, even before considering that it is a particularly
naive implementation using double (computing with pow and then
subtracting 1 rather than attempting a better emulation using expm1).
Reimplement using the soft-float operations, including additions and
multiplications with higher precision where appropriate to limit
accumulation of errors. I considered reusing some of the m68k code
for transcendental operations, but the instructions don't generally
correspond exactly to x87 operations (for example, m68k has 2^x and
e^x - 1, but not 2^x - 1); to avoid possible accumulation of errors
from applying multiple such operations each rounding to floatx80
precision, I wrote a direct implementation of 2^x - 1 instead. It
would be possible in principle to make the implementation more
efficient by doing the intermediate operations directly with
significands, signs and exponents and not packing / unpacking floatx80
format for each operation, but that would make it significantly more
complicated and it's not clear that's worthwhile; the m68k emulation
doesn't try to do that.
A test is included with many randomly generated inputs. The
assumption of the test is that the result in round-to-nearest mode
should always be one of the two closest floating-point numbers to the
mathematical value of 2^x - 1; the implementation aims to do somewhat
better than that (about 70 correct bits before rounding). I haven't
investigated how accurate hardware is.
Thomas Huth [Mon, 15 Jun 2020 07:26:29 +0000 (09:26 +0200)]
hw/scsi/megasas: Fix possible out-of-bounds array access in tracepoints
Some tracepoints in megasas.c use a guest-controlled value as an index
into the mfi_frame_desc[] array. Thus a malicious guest could cause an
out-of-bounds error here. Fortunately, the impact is very low since this
can only happen when the corresponding tracepoints have been enabled
before, but the problem should be fixed anyway with a proper check.
Jingqi Liu [Wed, 29 Apr 2020 08:50:10 +0000 (16:50 +0800)]
docs/nvdimm: add description of alignment requirement of device dax
For device dax (e.g., /dev/dax0.0), the NUM of the 'align=NUM' option
needs to match the alignment requirement of the device dax.
It must be larger than or equal to the 'align' of the device dax.
Peter Maydell [Fri, 26 Jun 2020 12:48:53 +0000 (13:48 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request
# gpg: Signature made Wed 24 Jun 2020 11:01:57 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
# gpg: aka "Stefan Hajnoczi <[email protected]>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
block/nvme: support nested aio_poll()
block/nvme: keep BDRVNVMeState pointer in NVMeQueuePair
block/nvme: clarify that free_req_queue is protected by q->lock
block/nvme: switch to a NVMeRequest freelist
block/nvme: don't access CQE after moving cq.head
block/nvme: drop tautologous assertion
block/nvme: poll queues without q->lock
check-block: enable iotests with SafeStack
configure: add flags to support SafeStack
coroutine: add check for SafeStack in sigaltstack
coroutine: support SafeStack in ucontext backend
minikconf: explicitly set encoding to UTF-8
Jingqi Liu [Wed, 29 Apr 2020 08:50:09 +0000 (16:50 +0800)]
exec: fetch the alignment of Linux devdax pmem character device nodes
If the backend file is a devdax pmem character device, the alignment
specified by the option 'align=NUM' in the '-object memory-backend-file'
needs to match the alignment requirement of the devdax pmem character device.
This patch uses the interfaces of libdaxctl to fetch the devdax pmem file
'align', so that we can compare it with the NUM of 'align=NUM'.
The NUM needs to be larger than or equal to the devdax pmem file 'align'.
It also fixes the problem that mmap() returns failure in qemu_ram_mmap()
when the NUM of 'align=NUM' is less than the devdax pmem file 'align'.
Peter Maydell [Fri, 26 Jun 2020 11:14:18 +0000 (12:14 +0100)]
Merge remote-tracking branch 'remotes/mcayland/tags/qemu-macppc-20200626' into staging
qemu-macppc patches
# gpg: Signature made Fri 26 Jun 2020 10:15:36 BST
# gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg: issuer "[email protected]"
# gpg: Good signature from "Mark Cave-Ayland <[email protected]>" [full]
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F
* remotes/mcayland/tags/qemu-macppc-20200626: (22 commits)
adb: add ADB bus trace events
adb: use adb_device prefix for ADB device trace events
adb: only call autopoll callbacks when autopoll is not blocked
mac_via: rework ADB state machine to be compatible with both MacOS and Linux
mac_via: move VIA1 portB write logic into mos6522_q800_via1_write()
pmu: add adb_autopoll_block() and adb_autopoll_unblock() functions
cuda: add adb_autopoll_block() and adb_autopoll_unblock() functions
adb: add autopoll_blocked variable to block autopoll
adb: use adb_request() only for explicit requests
adb: add status field for holding information about the last ADB request
adb: keep track of devices with pending data
adb: introduce new ADBDeviceHasData method to ADBDeviceClass
mac_via: convert to use ADBBusState internal autopoll variables
pmu: convert to use ADBBusState internal autopoll variables
cuda: convert to use ADBBusState internal autopoll variables
adb: create autopoll variables directly within ADBBusState
adb: introduce realize/unrealize and VMStateDescription for ADB bus
pmu: honour autopoll_rate_ms when rearming the ADB autopoll timer
pmu: fix duplicate autopoll mask variable
cuda: convert ADB autopoll timer from ns to ms
...
Jingqi Liu [Wed, 29 Apr 2020 08:50:11 +0000 (16:50 +0800)]
configure: add libdaxctl support
Add a pair of configure options --{enable,disable}-libdaxctl to control
whether QEMU is compiled with libdaxctl [1]. Libdaxctl is a utility
library for managing the device dax subsystem.
QEMU uses mmap(2) to map vNVDIMM backends and aligns the mapping
address to the page size (getpagesize(2)) by default. However, some
types of backends may require an alignment different from the page
size. The 'align' option is provided to memory-backend-file to allow
users to specify the proper alignment.
For device dax (e.g., /dev/dax0.0), the 'align' option needs to match
the alignment requirement of the device dax, which can be fetched
through the APIs of libdaxctl version 57 or up.
[1] Libdaxctl is a part of ndctl project.
The project's repository is: https://github.com/pmem/ndctl
For more information about libdaxctl APIs, you can refer to the
comments in source code of: pmem/ndctl/daxctl/lib/libdaxctl.c.
Pavel Dovgalyuk [Fri, 22 May 2020 06:35:27 +0000 (09:35 +0300)]
replay: synchronize on every virtual timer callback
Sometimes virtual timer callbacks depend on the order
of virtual timer processing and warping of the virtual clock.
Therefore every callback should be logged to make replay deterministic.
This patch creates a checkpoint before every virtual timer callback.
With these checkpoints, the order of virtual timer processing and
clock warping events is completely deterministic.
Pavel Dovgalyuk [Fri, 22 May 2020 06:47:58 +0000 (09:47 +0300)]
replay: notify the main loop when there are no instructions
When QEMU is executed in console mode without any external event sources,
the main loop may sleep for a very long time. But in case of replay
there is another event source: the event log.
This patch adds a main loop notification when the vCPU loop has nothing
to do and the main loop should process the inputs from the event log.
memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.
However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.
Naturally, this breaks a bunch of devices.
Revert to the documented behaviour.
Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Jay Zhou [Wed, 4 Mar 2020 02:55:54 +0000 (10:55 +0800)]
kvm: support to get/set dirty log initial-all-set capability
Since the new capability KVM_DIRTY_LOG_INITIALLY_SET of
KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2 has been introduced in the
kernel, tweak the userspace side to detect and enable this
capability.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:33 +0000 (21:49 +0100)]
mac_via: rework ADB state machine to be compatible with both MacOS and Linux
The existing ADB state machine is designed to work with Linux which has a different
interpretation of the state machine detailed in "Guide to the Macintosh Family
Hardware". In particular the current Linux implementation includes an extra change
to IDLE state when switching the VIA between send and receive modes which does not
occur in MacOS, and omitting this transition causes the current mac_via ADB state
machine to fail.
Rework the ADB state machine accordingly so that it can enumerate and autopoll the
ADB under both Linux and MacOS, including the addition of the new adb_autopoll_block()
and adb_autopoll_unblock() functions.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:32 +0000 (21:49 +0100)]
mac_via: move VIA1 portB write logic into mos6522_q800_via1_write()
Currently the logic is split between the mos6522 portB_write() callback and
the memory region used to capture the VIA1 MMIO accesses. Move everything
into the latter mos6522_q800_via1_write() function to keep all the logic in
one place to make it easier to follow.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:29 +0000 (21:49 +0100)]
adb: add autopoll_blocked variable to block autopoll
Whilst autopoll is enabled it is necessary to prevent the ADB buffer contents
from being overwritten until the host has read back the response in its
entirety.
Add adb_autopoll_block() and adb_autopoll_unblock() functions in preparation
for ensuring that the ADB buffer contents are protected for explicit ADB
requests.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:27 +0000 (21:49 +0100)]
adb: add status field for holding information about the last ADB request
Currently only 2 bits are defined: one to indicate if the request timed out (no
reply) and another to indicate whether the request was the result of an autopoll
operation.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:26 +0000 (21:49 +0100)]
adb: keep track of devices with pending data
Add a new pending variable to ADBBusState which is a bitmask indicating which
ADB devices have data to send. Update the bitmask every time that an ADB
request is executed.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:21 +0000 (21:49 +0100)]
adb: create autopoll variables directly within ADBBusState
Rather than each ADB implementation requiring its own functions to manage
autopoll state, timers, and autopoll masks prepare to move this information
directly into ADBBusState.
Add external functions within adb.h to allow each ADB implementation to
manage the new autopoll variables.
Mark Cave-Ayland [Tue, 23 Jun 2020 20:49:16 +0000 (21:49 +0100)]
adb: fix adb-mouse read length and revert disable-reg3-direct-writes workaround
Commit 84051eb400 "adb: add property to disable direct reg 3 writes" introduced
a workaround for spurious writes to ADB register 3 when MacOS 9 enables
autopoll on the mouse device. Further analysis shows that the problem is that
only a partial request is sent, and since the len parameter is ignored then
stale data from the previous request is used causing the incorrect address
assignment.
Remove the disable-reg3-direct-writes workaround and instead check the length
parameter when the write is attempted, discarding the invalid request.
Peter Maydell [Fri, 26 Jun 2020 08:30:29 +0000 (09:30 +0100)]
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200626' into staging
ppc patch queue 2020-06-26
Here's another pull request for qemu-5.1. Not very much in this one,
just a handful of assorted minor fixes and cleanups.
I'm about to go on holiday for a couple of weeks, so this will be my
last PR before the freeze, and maybe the last for 5.1 at all. If
there's some super important fix we need, Greg Kurz will handle it.
Greg Kurz [Mon, 22 Jun 2020 06:57:18 +0000 (08:57 +0200)]
ppc/pnv: Silence missing BMC warning with qtest
The device introspect test in qtest emits some warnings with the
pnv machine types during the "nodefaults" phase:
TEST check-qtest-ppc64: tests/qtest/device-introspect-test
qemu-system-ppc64: warning: machine has no BMC device. Use '-device
ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10' to define
one
qemu-system-ppc64: warning: machine has no BMC device. Use '-device
ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10' to define
one
qemu-system-ppc64: warning: machine has no BMC device. Use '-device
ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10' to define
one
This is expected since the pnv machine doesn't create the internal
BMC simulator fallback when "-nodefaults" is passed on the command
line, but these warnings appear in ci logs and confuse people.
Not having a BMC isn't recommended but it is still a supported
configuration, so a straightforward fix is to just silence this
warning when qtest is enabled.
Peter Maydell [Thu, 25 Jun 2020 20:20:44 +0000 (21:20 +0100)]
Merge remote-tracking branch 'remotes/xtensa/tags/20200625-xtensa' into staging
target/xtensa fixes for 5.1:
- fix access to special registers missing in the core configuration;
- fix simcall opcode behavior for new hardware;
- drop gen_io_end call from xtensa translator.
* remotes/xtensa/tags/20200625-xtensa:
target/xtensa: drop gen_io_end call
target/xtensa: fix simcall for newer hardware
target/xtensa: fetch HW version from configuration overlay
target/xtensa: work around missing SR definitions
Peter Maydell [Thu, 25 Jun 2020 15:52:42 +0000 (16:52 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio,acpi,pci: fixes, cleanups.
Fixes, cleanups in ACPI, PCI, virtio.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Thu 25 Jun 2020 07:48:47 BST
# gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg: issuer "[email protected]"
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [full]
# gpg: aka "Michael S. Tsirkin <[email protected]>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469
* remotes/mst/tags/for_upstream:
Rename use_acpi_pci_hotplug to more appropriate use_acpi_hotplug_bridge
Stop vhost-user sending uninitialized mmap_offsets
docs/specs/tpm: ACPI boot now supported for TPM/ARM
arm/acpi: Add the TPM2.0 device under the DSDT
acpi: Some build_tpm2() code reshape
tests/acpi: update expected data files
acpi: q35: drop _SB.PCI0.ISA.LPCD opregion.
acpi: drop build_piix4_pm()
acpi: drop serial/parallel enable bits from dsdt
acpi: simplify build_isa_devices_aml()
acpi: factor out fw_cfg_add_acpi_dsdt()
acpi: move aml builder code for i8042 (kbd+mouse) device
floppy: move cmos_get_fd_drive_type() from pc
floppy: make isa_fdc_get_drive_max_chs static
acpi: move aml builder code for floppy device
acpi: bios-tables-test: show more context on asl diffs
qtest: allow DSDT acpi table changes
* remotes/armbru/tags/pull-qdev-2020-06-23:
sd/milkymist-memcard: Fix error API violation
sd/pxa2xx_mmci: Don't crash on pxa2xx_mmci_init() error
arm/aspeed: Drop aspeed_board_init_flashes() parameter @errp
qdev: Make qdev_prop_set_drive() match the other helpers
qdev: Reject chardev property override
qdev: Reject drive property override
qdev: Improve netdev property override error a bit
qdev: Eliminate get_pointer(), set_pointer()
blockdev: Deprecate -drive with bogus interface type
docs/qdev-device-use.txt: Update section "Default Devices"
fdc: Deprecate configuring floppies with -global isa-fdc
fdc: Open-code fdctrl_init_isa()
fdc: Reject clash between -drive if=floppy and -global isa-fdc
iotests/172: Cover -global floppy.drive=...
iotests/172: Cover empty filename and multiple use of drives
iotests/172: Include "info block" in test output
Ani Sinha [Tue, 16 Jun 2020 12:31:39 +0000 (12:31 +0000)]
Rename use_acpi_pci_hotplug to more appropriate use_acpi_hotplug_bridge
Currently, the option use_acpi_pci_hotplug is being used to control device
hotplug capability using ACPI for slots of cold plugged bridges. Hence, we
are renaming this option to better reflect what it actually does.
Prior to this change, the vhost_user_fill_msg_region function filled out
all elements of the VhostUserMemoryRegion struct except the mmap_offset.
This function is often called on uninitialized structs, which are then
copied into VHOST_USER_SET_MEM_TABLE and VHOST_USER_ADD/REM_MEM_REG
messages. In some cases, where the mmap_offset was not needed, it was
left uninitialized, causing QEMU to send the backend uninitialized data,
which Coverity flagged as a series of issues.
This change augments the vhost_user_fill_msg_region API, adding a
mmap_offset parameter, forcing the caller to initialize mmap_offset.
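An added example, not QEMU code, of how a helper that fills all but one field of a wire struct leaks whatever the memory held before, and of a poison-fill check that catches that class of bug in a unit test. `struct wire_region`, both `fill_region_*` helpers and the values passed to them are constructed; the struct is modelled on a VhostUserMemoryRegion-like layout, and every field name other than mmap_offset is assumed:

```c
#include <stdint.h>
#include <string.h>

/* Constructed wire struct: every byte of it is copied into the message
 * sent to the backend, so every field must be written before sending. */
struct wire_region {
    uint64_t guest_phys_addr;
    uint64_t memory_size;
    uint64_t userspace_addr;
    uint64_t mmap_offset;
};

/* Before the change: three fields written, mmap_offset left untouched. */
static void fill_region_before(struct wire_region *dst, uint64_t gpa,
                               uint64_t size, uint64_t uaddr)
{
    dst->guest_phys_addr = gpa;
    dst->memory_size = size;
    dst->userspace_addr = uaddr;
}

/* After the change: the offset is a parameter, so a caller cannot forget it
 * and the compiler, not a reviewer, enforces that it is supplied. */
static void fill_region_after(struct wire_region *dst, uint64_t gpa,
                              uint64_t size, uint64_t uaddr,
                              uint64_t mmap_offset)
{
    dst->guest_phys_addr = gpa;
    dst->memory_size = size;
    dst->userspace_addr = uaddr;
    dst->mmap_offset = mmap_offset;
}

/* Poison pattern standing in for "whatever was on the stack before". */
#define POISON_BYTE 0xA5
#define POISON_U64  0xA5A5A5A5A5A5A5A5ULL

typedef void (*filler_fn)(struct wire_region *dst);

/* Constructed callers with arbitrary region values. */
static void before_filler(struct wire_region *dst)
{
    fill_region_before(dst, 0x1000, 0x200000, 0x7f0000000000ULL);
}
static void after_filler(struct wire_region *dst)
{
    fill_region_after(dst, 0x1000, 0x200000, 0x7f0000000000ULL, 0);
}

/* Test technique: pre-fill the struct with a known pattern, run the filler,
 * then count the 64-bit fields that still hold the pattern. A non-zero
 * count means bytes the caller never set would go on the wire. */
int poisoned_fields_left(filler_fn fill)
{
    struct wire_region r;
    uint64_t fields[4];
    int left = 0;

    memset(&r, POISON_BYTE, sizeof r);
    fill(&r);
    fields[0] = r.guest_phys_addr;
    fields[1] = r.memory_size;
    fields[2] = r.userspace_addr;
    fields[3] = r.mmap_offset;
    for (int i = 0; i < 4; i++) {
        if (fields[i] == POISON_U64) {
            left++;
        }
    }
    return left;
}

int before_leaks(void) { return poisoned_fields_left(before_filler); }
int after_leaks(void)  { return poisoned_fields_left(after_filler); }

/* The value the old helper would actually have put on the wire. */
uint64_t before_offset_on_wire(void)
{
    struct wire_region r;
    memset(&r, POISON_BYTE, sizeof r);
    before_filler(&r);
    return r.mmap_offset;
}
```

The poison check is deliberately independent of what the uninitialized bytes would really contain; it only asks whether the filler overwrote every field, which is the property a static analyser such as Coverity was flagging here and the property the new signature guarantees by construction.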
Eric Auger [Mon, 22 Jun 2020 14:06:19 +0000 (16:06 +0200)]
arm/acpi: Add the TPM2.0 device under the DSDT
In case it is dynamically instantiated, add the TPM 2.0 device object
under the DSDT table in the ACPI namespace. Its HID is MSFT0101
while its current resource settings (CRS) property is initialized
with the guest physical address and MMIO size of the device.
Peter Maydell [Wed, 24 Jun 2020 20:19:53 +0000 (21:19 +0100)]
Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2020-06-23-1' into staging
Merge tpm 2020/06/23 v1
# gpg: Signature made Tue 23 Jun 2020 12:35:03 BST
# gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* remotes/stefanberger/tags/pull-tpm-2020-06-23-1:
tpm: Move backend code under the 'backends/' directory
hw/tpm: Make 'tpm_util.h' publicly accessible as "sysemu/tpm_util.h"
hw/tpm: Move DEFINE_PROP_TPMBE() macro to 'tpm_prop.h' local header
hw/tpm: Move few declarations from 'tpm_util.h' to 'tpm_int.h'
hw/tpm: Make TRACE_TPM_UTIL_SHOW_BUFFER check local to tpm_util.c
hw/tpm: Remove unnecessary 'tpm_int.h' header inclusion
hw/tpm: Move 'hw/acpi/tpm.h' inclusion from header to sources
hw/tpm: Include missing 'qemu/option.h' header
hw/tpm: Do not include 'qemu/osdep.h' in header
hw/tpm: Rename TPMDEV as TPM_BACKEND in Kconfig
backends: Add TPM files into their own directory
docs/specs/tpm: Correct header path name
st_set_trace_file() accidentally enables tracing. It's called
unconditionally during startup, which is why QEMU built with the
simple trace backend always writes a trace file "trace-$PID".
This has been broken for quite a while. I didn't track down the exact
commit.
There is an effort in progress to generate a QEMU Python
package. As I'm not sure this old email is still valid,
update it to not produce package with broken maintainer
email.
Peter Maydell [Tue, 23 Jun 2020 17:57:05 +0000 (18:57 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200623' into staging
target-arm queue:
* util/oslib-posix : qemu_init_exec_dir implementation for Mac
* target/arm: Last parts of neon decodetree conversion
* hw/arm/virt: Add 5.0 HW compat props
* hw/watchdog/cmsdk-apb-watchdog: Add trace event for lock status
* mps2: Add CMSDK APB watchdog, FPGAIO block, S2I devices and I2C devices
* mps2: Add some unimplemented-device stubs for audio and GPIO
* mps2-tz: Use the ARM SBCon two-wire serial bus interface
* target/arm: Check supported KVM features globally (not per vCPU)
* tests/qtest/arm-cpu-features: Add feature setting tests
* arm/virt: Add memory hot remove support
* remotes/pmaydell/tags/pull-target-arm-20200623: (42 commits)
arm/virt: Add memory hot remove support
tests/qtest/arm-cpu-features: Add feature setting tests
target/arm: Check supported KVM features globally (not per vCPU)
hw/arm/mps2-tz: Use the ARM SBCon two-wire serial bus interface
hw/arm/mps2: Add audio I2S interface as unimplemented device
hw/arm/mps2: Add I2C devices
hw/arm/mps2: Add SPI devices
hw/arm/mps2: Map the FPGA I/O block
hw/arm/mps2: Add CMSDK AHB GPIO peripherals as unimplemented devices
hw/arm/mps2: Add CMSDK APB watchdog device
hw/arm/mps2: Rename CMSDK AHB peripheral region
hw/arm/mps2: Document CMSDK/FPGA APB subsystem sections
hw/arm: Use TYPE_VERSATILE_I2C instead of hardcoded string
hw/i2c: Add header for ARM SBCon two-wire serial bus interface
hw/i2c/versatile_i2c: Add SCL/SDA definitions
hw/i2c/versatile_i2c: Add definitions for register addresses
hw/watchdog/cmsdk-apb-watchdog: Add trace event for lock status
target/arm: Remove dead code relating to SABA and UABA
target/arm: Remove unnecessary gen_io_end() calls
target/arm: Move some functions used only in translate-neon.inc.c to that file
...
Stefan Hajnoczi [Wed, 17 Jun 2020 13:22:01 +0000 (14:22 +0100)]
block/nvme: support nested aio_poll()
QEMU block drivers are supposed to support aio_poll() from I/O
completion callback functions. This means completion processing must be
re-entrant.
The standard approach is to schedule a BH during completion processing
and cancel it at the end of processing. If aio_poll() is invoked by a
callback function then the BH will run. The BH continues the suspended
completion processing.
All of this means that request A's cb() can synchronously wait for
request B to complete. Previously the nvme block driver would hang
because it didn't process completions from nested aio_poll().
Stefan Hajnoczi [Wed, 17 Jun 2020 13:22:00 +0000 (14:22 +0100)]
block/nvme: keep BDRVNVMeState pointer in NVMeQueuePair
Passing around both BDRVNVMeState and NVMeQueuePair is unwieldy. Reduce
the number of function arguments by keeping the BDRVNVMeState pointer in
NVMeQueuePair. This will come in handy when a BH is introduced in a
later patch and only one argument can be passed to it.
Stefan Hajnoczi [Wed, 17 Jun 2020 13:21:58 +0000 (14:21 +0100)]
block/nvme: switch to a NVMeRequest freelist
There are three issues with the current NVMeRequest->busy field:
1. The busy field is accidentally accessed outside q->lock when request
submission fails.
2. Waiters on free_req_queue are not woken when a request is returned
early due to submission failure.
3. Finding a free request involves scanning all requests. This makes
request submission O(n^2).
Switch to an O(1) freelist that is always accessed under the lock.
Also differentiate between NVME_QUEUE_SIZE, the actual SQ/CQ size, and
NVME_NUM_REQS, the number of usable requests. This makes the code
simpler than using NVME_QUEUE_SIZE everywhere and having to keep in mind
that one slot is reserved.
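As an added illustration of the freelist this commit message describes (constructed example code, not QEMU's block/nvme.c): a fixed pool of NVME_NUM_REQS requests with O(1) get/put that is only ever touched under the lock, plus the early-return path that hands a request back when submission fails and wakes waiters. The type and function names (NVMeQueuePair, nvme_get_free_req, nvme_put_free_req, nvme_submit), the sizes, and the waiters_woken counter standing in for free_req_queue are assumptions made for the example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy of the request pool in an NVMe-style queue pair; it is not
 * QEMU's block/nvme.c. Sizes are assumed values. */
#define NVME_QUEUE_SIZE 8                     /* the actual SQ/CQ size */
#define NVME_NUM_REQS   (NVME_QUEUE_SIZE - 1) /* usable requests: one slot stays reserved */

typedef struct NVMeRequest {
    int cid;                       /* command id, equals the slot index */
    struct NVMeRequest *free_next; /* freelist link, meaningful only while free */
} NVMeRequest;

typedef struct {
    pthread_mutex_t lock;
    NVMeRequest reqs[NVME_NUM_REQS];
    NVMeRequest *free_list;        /* head of the freelist; only touched under lock */
    int waiters_woken;             /* stands in for waking free_req_queue */
} NVMeQueuePair;

void nvme_qp_init(NVMeQueuePair *q)
{
    pthread_mutex_init(&q->lock, NULL);
    q->free_list = NULL;
    q->waiters_woken = 0;
    for (int i = NVME_NUM_REQS - 1; i >= 0; i--) { /* push in reverse so cid 0 pops first */
        q->reqs[i].cid = i;
        q->reqs[i].free_next = q->free_list;
        q->free_list = &q->reqs[i];
    }
}

/* O(1) pop under the lock; NULL means all NVME_NUM_REQS requests are in flight
 * (a real driver would then wait on free_req_queue). */
NVMeRequest *nvme_get_free_req(NVMeQueuePair *q)
{
    pthread_mutex_lock(&q->lock);
    NVMeRequest *r = q->free_list;
    if (r) q->free_list = r->free_next;
    pthread_mutex_unlock(&q->lock);
    return r;
}

/* O(1) push under the lock. Used both on completion and when submission fails,
 * and in both cases anyone waiting for a request is woken. */
void nvme_put_free_req(NVMeQueuePair *q, NVMeRequest *r)
{
    pthread_mutex_lock(&q->lock);
    r->free_next = q->free_list;
    q->free_list = r;
    q->waiters_woken++;
    pthread_mutex_unlock(&q->lock);
}

/* Submit: take a request, hand it to the (simulated) device, and return it
 * early if the device rejects it. Returns the cid used or -1. */
int nvme_submit(NVMeQueuePair *q, bool device_rejects)
{
    NVMeRequest *r = nvme_get_free_req(q);
    if (!r) return -1;
    if (device_rejects) {
        nvme_put_free_req(q, r);   /* early-return path: back on the list, waiters woken */
        return -1;
    }
    return r->cid;
}

/* Exercise the pool; returns 0 on success, otherwise the failing step. */
int nvme_pool_selftest(void)
{
    static NVMeQueuePair q;
    NVMeRequest *held[NVME_NUM_REQS];
    nvme_qp_init(&q);
    for (int i = 0; i < NVME_NUM_REQS; i++) {
        held[i] = nvme_get_free_req(&q);
        if (!held[i] || held[i]->cid != i) return 1;
    }
    if (nvme_get_free_req(&q) != NULL) return 2;      /* pool exhausted, no scan needed */
    nvme_put_free_req(&q, held[3]);
    if (nvme_submit(&q, true) != -1) return 3;        /* rejected: request goes back */
    if (q.waiters_woken != 2) return 4;               /* both returns woke waiters */
    if (nvme_submit(&q, false) != 3) return 5;        /* cid 3 is reusable in O(1) */
    if (nvme_get_free_req(&q) != NULL) return 6;
    return 0;
}

int main(void)
{
    int rc = nvme_pool_selftest();
    printf("request-pool self-test: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```

Keeping NVME_NUM_REQS separate from NVME_QUEUE_SIZE is what lets the pool be sized by usable requests while the ring still keeps its reserved slot.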
Stefan Hajnoczi [Wed, 17 Jun 2020 13:21:57 +0000 (14:21 +0100)]
block/nvme: don't access CQE after moving cq.head
Do not access a CQE after incrementing q->cq.head and releasing q->lock.
It is unlikely that this causes problems in practice but it's a latent
bug.
The reason why it should be safe at the moment is that completion
processing is not re-entrant and the CQ doorbell isn't written until the
end of nvme_process_completion().
Make this change now because QEMU expects completion processing to be
re-entrant and later patches will do that.
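The CQE lifetime point of this commit message, as an added toy (constructed example, not QEMU's block/nvme.c): a completion ring consumed two ways, the pre-fix shape that hands back a pointer into the ring after cq.head has moved, and the fixed shape that copies the entry out first. The self-test drives the ring through a wrap-around so the stale pointer visibly changes underneath its holder while the copy does not. NVMeCompletionQueue, nvme_device_post_cqe, nvme_process_completion_stale, nvme_process_completion and the ring size are assumptions made for the example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy completion queue, not QEMU's block/nvme.c: it shows why a
 * CQE must be copied out before cq.head advances and the lock is released.
 * The size is an assumed value; the toy is single-threaded, so the simulated
 * device side writes the ring without taking the lock. */
#define NVME_QUEUE_SIZE 8

typedef struct { uint16_t cid; uint16_t status; } NVMeCQE;
typedef struct {
    pthread_mutex_t lock;
    NVMeCQE cq[NVME_QUEUE_SIZE];
    unsigned head;   /* next entry the driver consumes */
    unsigned tail;   /* next entry the device writes; one slot stays reserved */
} NVMeCompletionQueue;

void nvme_cq_init(NVMeCompletionQueue *q)
{
    pthread_mutex_init(&q->lock, NULL);
    q->head = q->tail = 0;
}

/* Simulated device: post a completion; false when the ring is full. */
bool nvme_device_post_cqe(NVMeCompletionQueue *q, uint16_t cid, uint16_t status)
{
    unsigned next = (q->tail + 1) % NVME_QUEUE_SIZE;
    if (next == q->head) return false;
    q->cq[q->tail] = (NVMeCQE){ cid, status };
    q->tail = next;
    return true;
}

/* Pre-fix shape: a pointer into the ring is returned after head moved. From
 * that moment the slot belongs to the device again, so the pointer is stale. */
const NVMeCQE *nvme_process_completion_stale(NVMeCompletionQueue *q)
{
    pthread_mutex_lock(&q->lock);
    const NVMeCQE *p = q->head == q->tail ? NULL : &q->cq[q->head];
    if (p) q->head = (q->head + 1) % NVME_QUEUE_SIZE;
    pthread_mutex_unlock(&q->lock);
    return p;
}

/* Fixed shape: copy the CQE out, then move head, then drop the lock. */
bool nvme_process_completion(NVMeCompletionQueue *q, NVMeCQE *out)
{
    pthread_mutex_lock(&q->lock);
    bool have = q->head != q->tail;
    if (have) {
        *out = q->cq[q->head];
        q->head = (q->head + 1) % NVME_QUEUE_SIZE;
    }
    pthread_mutex_unlock(&q->lock);
    return have;
}

/* Drive both shapes through a wrap-around; 0 on success, else the failing step. */
int nvme_cq_selftest(void)
{
    static NVMeCompletionQueue q;
    NVMeCQE copy, tmp;
    nvme_cq_init(&q);
    nvme_device_post_cqe(&q, 3, 0);                  /* lands in slot 0 */
    nvme_device_post_cqe(&q, 4, 0);                  /* lands in slot 1 */
    const NVMeCQE *stale = nvme_process_completion_stale(&q);    /* slot 0 */
    if (!stale || !nvme_process_completion(&q, &copy)) return 1; /* slot 1 */
    if (stale->cid != 3 || copy.cid != 4) return 2;  /* both look fine right now */
    /* The device keeps completing: fill the ring (wraps into slot 0), consume
     * one more entry, then post again so slot 1 is overwritten as well. */
    while (nvme_device_post_cqe(&q, 99, 1)) { }
    if (!nvme_process_completion(&q, &tmp) || tmp.cid != 99) return 3;
    if (!nvme_device_post_cqe(&q, 99, 1)) return 4;
    if (stale->cid != 99) return 5;                  /* stale pointer now shows a new CQE */
    if (copy.cid != 4 || copy.status != 0) return 6; /* the copy is unaffected */
    return 0;
}

int main(void)
{
    int rc = nvme_cq_selftest();
    printf("completion-queue self-test: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```

In the toy the overwrite needs a deliberate wrap-around; in a driver whose completion processing is re-entrant, the same thing can happen as soon as a nested poll runs while the caller still holds the pointer.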
Stefan Hajnoczi [Wed, 17 Jun 2020 13:21:55 +0000 (14:21 +0100)]
block/nvme: poll queues without q->lock
A lot of CPU time is spent simply locking/unlocking q->lock during
polling. Check for completion outside the lock to make q->lock disappear
from the profile.
Daniele Buono [Fri, 29 May 2020 20:51:22 +0000 (16:51 -0400)]
check-block: enable iotests with SafeStack
SafeStack is a stack protection technique implemented in llvm. It is
enabled with a -fsanitize flag.
iotests are currently disabled when any -fsanitize option is used,
because such options tend to produce additional warnings and false
positives.
While common -fsanitize options are used to verify the code and not
added in production, SafeStack's main use is in production environments
to protect against stack smashing.
Since SafeStack does not print any warning or false positive, enable
iotests when SafeStack is the only -fsanitize option used.
This is likely going to be a production binary and we want to make sure
it works correctly.
Daniele Buono [Fri, 29 May 2020 20:51:21 +0000 (16:51 -0400)]
configure: add flags to support SafeStack
This patch adds a flag to enable/disable the SafeStack instrumentation
provided by LLVM.
On enable, make sure that the compiler supports the flags, and that we
are using the proper coroutine implementation (coroutine-ucontext).
On disable, explicitly disable the option if it was enabled by default.
While SafeStack is supported only on Linux, NetBSD, FreeBSD and macOS,
we are not checking for the O.S. since this is already done by LLVM.
Daniele Buono [Fri, 29 May 2020 20:51:20 +0000 (16:51 -0400)]
coroutine: add check for SafeStack in sigaltstack
Current implementation of LLVM's SafeStack is not compatible with
code that uses an alternate stack created with sigaltstack().
Since coroutine-sigaltstack relies on sigaltstack(), it is not
compatible with SafeStack. The resulting binary is incorrect, with
different coroutines sharing the same unsafe stack and producing
undefined behavior at runtime.
In the future LLVM may provide a SafeStack implementation compatible with
sigaltstack(). In the meantime, if SafeStack is desired, the coroutine
implementation from coroutine-ucontext should be used.
As a safety check, add a control in coroutine-sigaltstack to throw a
preprocessor #error if SafeStack is enabled and we are trying to
use coroutine-sigaltstack to implement coroutines.
Daniele Buono [Fri, 29 May 2020 20:51:19 +0000 (16:51 -0400)]
coroutine: support SafeStack in ucontext backend
LLVM's SafeStack instrumentation does not yet support programs that make
use of the APIs in ucontext.h
With the current implementation of coroutine-ucontext, the resulting
binary is incorrect, with different coroutines sharing the same unsafe
stack and producing undefined behavior at runtime.
This fix allocates an additional unsafe stack area for each coroutine,
and sets the new unsafe stack pointer before calling swapcontext() in
qemu_coroutine_new.
This is the only place where the pointer needs to be manually updated,
since sigsetjmp/siglongjmp are already instrumented by LLVM to properly
support SafeStack.
The additional stack is then freed in qemu_coroutine_delete.
Stefan Hajnoczi [Thu, 21 May 2020 15:36:16 +0000 (16:36 +0100)]
minikconf: explicitly set encoding to UTF-8
QEMU currently only has ASCII Kconfig files but Linux actually uses
UTF-8. Explicitly specify the encoding and that we're doing text file
I/O.
It's unclear whether or not QEMU will ever need Unicode in its Kconfig
files. If we start using the help text then it will become an issue
sooner or later. Make this change now for consistency with Linux
Kconfig.
The Error ** argument must be NULL, &error_abort, &error_fatal, or a
pointer to a variable containing NULL. Passing an argument of the
latter kind twice without clearing it in between is wrong: if the
first call sets an error, it no longer points to NULL for the second
call.
milkymist_memcard_realize() is wrong that way: it passes &err to
qdev_prop_set_drive_err() and qdev_realize_and_unref(). Currently
harmless, because the latter uses it only as first argument of
error_propagate().
Making qdev_prop_set_drive_err() fail involves abuse of -global.
Leave handling that to qdev_prop_set_drive(), like we do elsewhere.
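The Error ** contract from the first paragraph above, as an added miniature (constructed example, not QEMU's qapi/error.h): a toy error_setg/error_propagate pair that counts contract violations instead of aborting, a realize function written the wrong way (same &err passed to two fallible calls with no check in between) beside one that checks after each call. The _toy names, device_init_wrong, device_init_right and the two fallible helpers are assumptions made for the example; real QEMU asserts *errp == NULL where the toy counts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of the Error ** convention described above; it is not
 * QEMU's qapi/error.h. Names ending in _toy are the stand-ins; device_init_*
 * play the role of a realize function calling two fallible helpers. */
typedef struct Error { char msg[64]; } Error;

static int contract_violations;  /* calls that found *errp already non-NULL */

int error_violations_toy(void) { return contract_violations; }
int error_reset_violations_toy(void) { contract_violations = 0; return 0; }
void error_free_toy(Error *e) { free(e); }

/* error_setg(): errp is NULL, &error_abort/&error_fatal, or points to a
 * variable that still holds NULL. Real QEMU asserts *errp == NULL; the toy
 * counts the violation and drops the new error instead of aborting. */
void error_setg_toy(Error **errp, const char *msg)
{
    if (!errp) return;                /* caller does not want the error */
    if (*errp) { contract_violations++; return; }
    Error *e = calloc(1, sizeof(*e));
    snprintf(e->msg, sizeof(e->msg), "%s", msg);
    *errp = e;
}

/* error_propagate(): move a local error to the caller's errp (or drop it). */
void error_propagate_toy(Error **dst, Error *local)
{
    if (!local) return;
    if (!dst) { error_free_toy(local); return; }
    if (*dst) { contract_violations++; error_free_toy(local); return; }
    *dst = local;
}

/* Two fallible steps, in the role of qdev_prop_set_drive_err() and
 * qdev_realize_and_unref() from the commit message. */
static void set_drive_toy(int fail, Error **errp)
{
    if (fail) error_setg_toy(errp, "cannot use drive");
}
static void realize_toy(int fail, Error **errp)
{
    if (fail) error_setg_toy(errp, "realize failed");
}

/* Wrong: &err is handed to both calls with nothing in between. If the first
 * call fails, the second sees *errp != NULL and breaks the contract. */
int device_init_wrong(int fail_drive, int fail_realize, Error **errp)
{
    Error *err = NULL;
    set_drive_toy(fail_drive, &err);
    realize_toy(fail_realize, &err);
    int rc = err ? -1 : 0;
    error_propagate_toy(errp, err);
    return rc;
}

/* Right: check after each call and leave before err is reused. */
int device_init_right(int fail_drive, int fail_realize, Error **errp)
{
    Error *err = NULL;
    set_drive_toy(fail_drive, &err);
    if (err) { error_propagate_toy(errp, err); return -1; }
    realize_toy(fail_realize, &err);
    if (err) { error_propagate_toy(errp, err); return -1; }
    return 0;
}

/* 1 when the right pattern surfaces the first failure's message to the caller. */
int device_init_right_reports_first(void)
{
    Error *e = NULL;
    int ok = device_init_right(1, 1, &e) == -1 && e && !strcmp(e->msg, "cannot use drive");
    error_free_toy(e);
    return ok;
}

int main(void)
{
    error_reset_violations_toy();
    device_init_wrong(1, 1, NULL);
    printf("wrong pattern: %d contract violation(s)\n", error_violations_toy());
    error_reset_violations_toy();
    device_init_right(1, 1, NULL);
    printf("right pattern: %d contract violation(s)\n", error_violations_toy());
    return 0;
}
```

The wrong shape only misbehaves when the second call actually tries to set an error, which is why the commit message can call the milkymist case currently harmless while still fixing it.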
sd/pxa2xx_mmci: Don't crash on pxa2xx_mmci_init() error
On error, pxa2xx_mmci_init() reports to stderr and returns NULL.
Callers don't check for errors. Machines akita, borzoi, mainstone,
spitz, terrier, tosa, and z2 crash shortly after, like this:
$ qemu-system-aarch64 -M akita -drive if=sd,readonly=on
qemu-system-aarch64: failed to init SD card: Cannot use read-only drive as SD card
Segmentation fault (core dumped)
Machines connex and verdex reach the check for orphaned drives first:
$ aarch64-softmmu/qemu-system-aarch64 -M connex -drive if=sd,readonly=on -accel qtest
qemu-system-aarch64: failed to init SD card: Cannot use read-only drive as SD card
qemu-system-aarch64: -drive if=sd,readonly=on: machine type does not support if=sd,bus=0,unit=0