Convert the VSRA, VSRI, VRSHR, VRSRA 2-reg-shift insns to decodetree.
(These are the last instructions in the group that are vectorized;
the rest all require looping over each element.)
Paul Zimmerman [Wed, 20 May 2020 23:53:47 +0000 (16:53 -0700)]
usb: add short-packet handling to usb-storage driver
The dwc-hsotg (dwc2) USB host depends on a short packet to
indicate the end of an IN transfer. The usb-storage driver
currently doesn't provide this, so fix it.
I have tested this change rather extensively using a PC
emulation with xhci, ehci, and uhci controllers, and have
not observed any regressions.
Paul Zimmerman [Wed, 20 May 2020 23:53:46 +0000 (16:53 -0700)]
dwc-hsotg (dwc2) USB host controller emulation
Add the dwc-hsotg (dwc2) USB host controller emulation code.
Based on hw/usb/hcd-ehci.c and hw/usb/hcd-ohci.c.
Note that to use this with the dwc-otg driver in the Raspbian
kernel, you must pass the option "dwc_otg.fiq_fsm_enable=0" on
the kernel command line.
Emulation of slave mode and of descriptor-DMA mode has not been
implemented yet. These modes are seldom used.
I have used some on-line sources of information while developing
this emulation, including:
http://www.capital-micro.com/PDF/CME-M7_Family_User_Guide_EN.pdf
which has a pretty complete description of the controller starting
on page 370.
https://sourceforge.net/p/wive-ng/wive-ng-mt/ci/master/tree/docs/DataSheets/RT3050_5x_V2.0_081408_0902.pdf
which has a description of the controller registers starting on
page 130.
Thanks to Felippe Mathieu-Daude for providing a cleaner method
of implementing the memory regions for the controller registers.
Paul Zimmerman [Wed, 20 May 2020 23:53:44 +0000 (16:53 -0700)]
dwc-hsotg (dwc2) USB host controller register definitions
Import the dwc-hsotg (dwc2) register definitions file from the
Linux kernel. This is a copy of drivers/usb/dwc2/hw.h from the
mainline Linux kernel, the only changes being to the header, and
two instances of 'u32' changed to 'uint32_t' to allow it to
compile. Checkpatch throws a boatload of errors due to the tab
indentation, but I would rather import it as-is than reformat it.
Paul Zimmerman [Wed, 20 May 2020 23:53:43 +0000 (16:53 -0700)]
raspi: add BCM2835 SOC MPHI emulation
Add BCM2835 SOC MPHI (Message-based Parallel Host Interface)
emulation. It is very basic, only providing the FIQ interrupt
needed to allow the dwc-otg USB host controller driver in the
Raspbian kernel to function.
Rather than passing an opcode to a helper, fully decode the
operation at translate time. Use clear_tail_16 to zap the
balance of the SVE register with the AdvSIMD write.
Rather than passing an opcode to a helper, fully decode the
operation at translate time. Use clear_tail_16 to zap the
balance of the SVE register with the AdvSIMD write.
With this conversion, we will be able to use the same helpers
with sve. This also fixes a bug in which we failed to clear
the high bits of the SVE register after an AdvSIMD operation.
With this conversion, we will be able to use the same helpers
with sve. In particular, pass 3 vector parameters for the
3-operand operations; for advsimd the destination register
is also an input.
This also fixes a bug in which we failed to clear the high bits
of the SVE register after an AdvSIMD operation.
Eden Mikitas [Tue, 2 Jun 2020 12:44:34 +0000 (13:44 +0100)]
hw/ssi/imx_spi: Removed unnecessary cast of rx data received from slave
When inserting the value retrieved (rx) from the spi slave, rx is pushed to
rx_fifo after being cast to uint8_t. rx_fifo is a fifo32, and the rx
register the driver uses is also 32 bit. This zeroes the 24 most
significant bits of rx. This proved problematic with devices that expect to
use the whole 32 bits of the rx register.
Eden Mikitas [Tue, 2 Jun 2020 12:44:34 +0000 (13:44 +0100)]
hw/ssi/imx_spi: changed while statement to prevent underflow
The while statement in question only checked if tx_burst is not 0.
tx_burst is a signed int, which is assigned the value put by the
guest driver in ECSPI_CONREG. The burst length can be anywhere
between 1 and 4096, and since tx_burst is always decremented by 8
it could possibly underflow, causing an infinite loop.
Peter Maydell [Fri, 5 Jun 2020 10:53:37 +0000 (11:53 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request
# gpg: Signature made Fri 05 Jun 2020 10:47:27 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
# gpg: aka "Stefan Hajnoczi <[email protected]>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
block: Factor out bdrv_run_co()
exec: Rename qemu_ram_writeback() as qemu_ram_msync()
hw/block: Let the NVMe emulated device be target-agnostic
memory: Extract memory_region_msync() from memory_region_writeback()
memory: Rename memory_region_do_writeback -> memory_region_writeback
fuzz: run the main-loop in fork-server process
fuzz: add mangled object name to linker script
fuzz: fix typo in i440fx-qtest-reboot arguments
fuzz: add datadir for oss-fuzz compatability
io_uring: use io_uring_cq_ready() to check for ready cqes
io_uring: retry io_uring_submit() if it fails with errno=EINTR
We have a few bdrv_*() functions that can either spawn a new coroutine
and wait for it with BDRV_POLL_WHILE() or use a fastpath if they are
alreeady running in a coroutine. All of them duplicate basically the
same code.
Factor the common code into a new function bdrv_run_co().
Without this, the time since the last main-loop keeps increasing, as the
fuzzer runs. The forked children need to handle all the "past-due"
timers, slowing them down, over time. With this change, the
parent/fork-server process runs the main-loop, while waiting on the
child, ensuring that the timer events do not pile up, over time.
Previously, we relied on "FuzzerTracePC*(.bss*)" to place libfuzzer's
fuzzer::TPC object into our contiguous shared-memory region. This does
not work for some libfuzzer builds, so this addition identifies the
region by its mangled name: *(.bss._ZN6fuzzer3TPCE);
io_uring: use io_uring_cq_ready() to check for ready cqes
In qemu_luring_poll_cb() we are not using the cqe peeked from the
CQ ring. We are using io_uring_peek_cqe() only to see if there
are cqes ready, so we can replace it with io_uring_cq_ready().
io_uring: retry io_uring_submit() if it fails with errno=EINTR
As recently documented [1], io_uring_enter(2) syscall can return an
error (errno=EINTR) if the operation was interrupted by a delivery
of a signal before it could complete.
This should happen when IORING_ENTER_GETEVENTS flag is used, for
example during io_uring_submit_and_wait() or during io_uring_submit()
when IORING_SETUP_IOPOLL is enabled.
We shouldn't have this problem for now, but it's better to prevent it.
While replacing fprintf() by qemu_log_mask() in commit 2b55f4d3504, we incorrectly used a 'tab = 4 spaces'
alignment, leading to misindented new code. Fix now.
ati-vga: check mm_index before recursive call (CVE-2020-13800)
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.
Peter Maydell [Thu, 4 Jun 2020 10:38:47 +0000 (11:38 +0100)]
Merge remote-tracking branch 'remotes/alistair/tags/pull-riscv-to-apply-20200603' into staging
This is a collection of RISC-V patches for 5.1.
This incldues removing deprecated features and part of the OpenTitan
support series.
# gpg: Signature made Wed 03 Jun 2020 17:12:43 BST
# gpg: using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <[email protected]>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* remotes/alistair/tags/pull-riscv-to-apply-20200603:
riscv: Initial commit of OpenTitan machine
target/riscv: Add the lowRISC Ibex CPU
target/riscv: Don't set PMP feature in the cpu init
target/riscv: Disable the MMU correctly
target/riscv: Don't overwrite the reset vector
riscv/boot: Add a missing header include
riscv: sifive_e: Manually define the machine
docs: deprecated: Update the -bios documentation
target/riscv: Drop support for ISA spec version 1.09.1
target/riscv: Remove the deprecated CPUs
hw/riscv: spike: Remove deprecated ISA specific machines
hw/riscv: virt: Remove the riscv_ prefix of the machine* functions
hw/riscv: sifive_u: Remove the riscv_ prefix of the soc* functions
riscv: Change the default behavior if no -bios option is specified
riscv: Suppress the error report for QEMU testing with riscv_find_firmware()
Alistair Francis [Thu, 28 May 2020 18:04:15 +0000 (11:04 -0700)]
target/riscv: Don't set PMP feature in the cpu init
The PMP is enabled by default via the "pmp" property so there is no need
for us to set it in the init function. As all CPUs have PMP support just
remove the set_feature() call in the CPU init functions.
Alistair Francis [Tue, 26 May 2020 23:06:02 +0000 (16:06 -0700)]
target/riscv: Disable the MMU correctly
Previously if we didn't enable the MMU it would be enabled in the
realize() function anyway. Let's ensure that if we don't want the MMU we
disable it. We also don't need to enable the MMU as it will be enabled
in realize() by default.
Alistair Francis [Thu, 23 Apr 2020 21:09:37 +0000 (14:09 -0700)]
riscv/boot: Add a missing header include
As the functions declared in this header use the symbol_fn_t
typedef itself declared in "hw/loader.h", we need to include
it here to make the header file self-contained.
Bin Meng [Fri, 1 May 2020 12:19:05 +0000 (05:19 -0700)]
riscv: Change the default behavior if no -bios option is specified
Per QEMU deprecated doc, QEMU 4.1 introduced support for the -bios
option in QEMU for RISC-V for the virt machine and sifive_u machine.
The default behavior has been that QEMU does not automatically load
any firmware if no -bios option is included.
Now 2 releases passed, it's time to change the default behavior to
load the default OpenSBI firmware automatically. The firmware is
included with the QEMU release and no user interaction is required.
All a user needs to do is specify the kernel they want to boot with
the -kernel option.
Bin Meng [Fri, 1 May 2020 15:50:54 +0000 (08:50 -0700)]
riscv: Suppress the error report for QEMU testing with riscv_find_firmware()
We only ship plain binary bios images in the QEMU source. With Spike
machine that uses ELF images as the default bios, running QEMU test
will complain hence let's suppress the error report for QEMU testing.
Peter Maydell [Tue, 2 Jun 2020 17:16:38 +0000 (18:16 +0100)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200602' into staging
Vector rotate support
Signal handling support for NetBSD arm/aarch64
# gpg: Signature made Tue 02 Jun 2020 17:43:05 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "[email protected]"
# gpg: Good signature from "Richard Henderson <[email protected]>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-tcg-20200602:
accel/tcg: Provide a NetBSD specific aarch64 cpu_signal_handler
accel/tcg: Adjust cpu_signal_handler for NetBSD/arm
tcg: Improve move ops in liveness_pass_2
target/s390x: Use tcg_gen_gvec_rotl{i,s,v}
target/ppc: Use tcg_gen_gvec_rotlv
tcg/ppc: Implement INDEX_op_rot[lr]v_vec
tcg/aarch64: Implement INDEX_op_rotl{i,v}_vec
tcg/i386: Implement INDEX_op_rotl{i,s,v}_vec
tcg: Implement gvec support for rotate by scalar
tcg: Remove expansion to shift by vector from do_shifts
tcg: Implement gvec support for rotate by vector
tcg: Implement gvec support for rotate by immediate
If the output of the move is dead, then the last use is in
the store. If we propagate the input to the store, then we
can remove the move opcode entirely.
For immediate rotate , we can implement this in two instructions,
using SLI. For variable rotate, the oddness of aarch64 right-shift-
as-negative-left-shift means a backend-specific expansion works best.
No host backend support yet, but the interfaces for rotls
are in place. Only implement left-rotate for now, as the
only known use of vector rotate by scalar is s390x, so any
right-rotate would be unused and untestable.
tcg: Remove expansion to shift by vector from do_shifts
We do not reflect this expansion in tcg_can_emit_vecop_list,
so it is unused and unusable. However, we actually perform
the same expansion in do_gvec_shifts, so it is also unneeded.
No host backend support yet, but the interfaces for rotlv
and rotrv are in place.
Reviewed-by: Alex Bennée <[email protected]> Signed-off-by: Richard Henderson <[email protected]>
---
v3: Drop the generic expansion from rot to shift; we can do better
for each backend, and then this code becomes unused.
tcg: Implement gvec support for rotate by immediate
No host backend support yet, but the interfaces for rotli
are in place. Canonicalize immediate rotate to the left,
based on a survey of architectures, but provide both left
and right shift interfaces to the translators.
Peter Maydell [Mon, 1 Jun 2020 20:34:47 +0000 (21:34 +0100)]
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200601a' into staging
Migration/virtio/hmp pull 2020-06-01
A mixed pull with:
- RDMA migration fix (CID 1428762)
- HMP qom-get addition and qom-set cleanup
- a virtiofsd fix
- COLO fixes
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
# gpg: Signature made Mon 01 Jun 2020 19:37:15 BST
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <[email protected]>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20200601a:
migration/migration.c: Fix hang in ram_save_host_page
migration/colo.c: Move colo_notify_compares_event to the right place
migration/colo.c: Relaunch failover even if there was an error
migration/colo.c: Flush ram cache only after receiving device state
migration/colo.c: Use cpu_synchronize_all_states()
migration/colo.c: Use event instead of semaphore
migration/vmstate: Remove unnecessary MemoryRegion forward declaration
virtiofsd: remove symlink fallbacks
hmp: Simplify qom-set
hmp: Implement qom-get HMP command
migration/rdma: cleanup rdma context before g_free to avoid memleaks
migration/rdma: fix potential nullptr access in rdma_start_incoming_migration
Peter Maydell [Mon, 1 Jun 2020 18:19:18 +0000 (19:19 +0100)]
Merge remote-tracking branch 'remotes/bkoppelmann2/tags/pull-tricore-20200601' into staging
Remove ctx->env ptr, add TriCore gdb stub
# gpg: Signature made Mon 01 Jun 2020 16:06:35 BST
# gpg: using RSA key 6E636A7E83F2DD0CFA6E6E370AD2C6396B69CA14
# gpg: issuer "[email protected]"
# gpg: Good signature from "Bastian Koppelmann <[email protected]>" [full]
# Primary key fingerprint: 6E63 6A7E 83F2 DD0C FA6E 6E37 0AD2 C639 6B69 CA14
* remotes/bkoppelmann2/tags/pull-tricore-20200601:
target/tricore: Implement gdbstub
target/tricore: Implement tricore_cpu_get_phys_page_debug
target/tricore: Raise EXCP_DEBUG in gen_goto_tb() for singlestep
target/tricore: Move translate feature check to ctx
target/tricore: Don't save pc in generate_qemu_excp
Lukas Straub [Wed, 20 May 2020 20:42:32 +0000 (22:42 +0200)]
migration/migration.c: Fix hang in ram_save_host_page
migration_rate_limit will erroneously ratelimit a shutdown socket,
which causes the migration thread to hang in ram_save_host_page
if the socket is shutdown.
Fix this by explicitly testing if the socket has errors or was
shutdown in migration_rate_limit.
Lukas Straub [Mon, 11 May 2020 11:11:01 +0000 (13:11 +0200)]
migration/colo.c: Move colo_notify_compares_event to the right place
If the secondary has to failover during checkpointing, it still is
in the old state (i.e. different state than primary). Thus we can't
expose the primary state until after the checkpoint is sent.
This fixes sporadic connection reset of client connections during
failover.
Lukas Straub [Mon, 11 May 2020 11:10:55 +0000 (13:10 +0200)]
migration/colo.c: Relaunch failover even if there was an error
If vmstate_loading is true, secondary_vm_do_failover will set failover
status to FAILOVER_STATUS_RELAUNCH and return success without initiating
failover. However, if there is an error during the vmstate_loading
section, failover isn't relaunched. Instead we then wait for
failover on colo_incoming_sem.
Fix this by relaunching failover even if there was an error. Also,
to make this work properly, set vmstate_loading to false when
returning during the vmstate_loading section.
Lukas Straub [Mon, 11 May 2020 11:10:48 +0000 (13:10 +0200)]
migration/colo.c: Use cpu_synchronize_all_states()
cpu_synchronize_all_pre_loadvm() marks all vcpus as dirty, so the
registers are loaded from CPUState before we continue running
the vm. However if we failover during checkpoint, CPUState is not
initialized and the registers are loaded with garbage. This causes
guest hangs and crashes.
Fix this by using cpu_synchronize_all_states(), which initializes
CPUState from the current cpu registers additionally to marking
the vcpus as dirty.
Lukas Straub [Mon, 11 May 2020 11:10:44 +0000 (13:10 +0200)]
migration/colo.c: Use event instead of semaphore
If multiple packets miscompare in a short timeframe, the semaphore
value will be increased multiple times. This causes multiple
checkpoints even if one would be sufficient.
Fix this by using a event instead of a semaphore for triggering
checkpoints. Now, checkpoint requests will be ignored until the
checkpoint event is sent to colo-compare (which releases the
miscompared packets).
Benchmark results (iperf3):
Client-to-server tcp:
without patch: ~66 Mbit/s
with patch: ~61 Mbit/s
Server-to-client tcp:
without patch: ~702 Kbit/s
with patch: ~16 Mbit/s
Miklos Szeredi [Thu, 14 May 2020 14:07:36 +0000 (16:07 +0200)]
virtiofsd: remove symlink fallbacks
Path lookup in the kernel has special rules for looking up magic symlinks
under /proc. If a filesystem operation is instructed to follow symlinks
(e.g. via AT_SYMLINK_FOLLOW or lack of AT_SYMLINK_NOFOLLOW), and the final
component is such a proc symlink, then the target of the magic symlink is
used for the operation, even if the target itself is a symlink. I.e. path
lookup is always terminated after following a final magic symlink.
I was erronously assuming that in the above case the target symlink would
also be followed, and so workarounds were added for a couple of operations
to handle the symlink case. Since the symlink can be handled simply by
following the proc symlink, these workardouds are not needed.
Also remove the "norace" option, which disabled the workarounds.
Commit bdfd66788349 ("virtiofsd: Fix xattr operations") already dealt with
the same issue for xattr operations.
This started off as Andreas Färber's implementation from
March 2015, but after feedback from Paolo and Markus it morphed into
using the json output which handles structs reasonably.
Use with qom-list to find the members of an object.
Peter Maydell [Mon, 1 Jun 2020 12:43:59 +0000 (13:43 +0100)]
Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-june-01-2020' into staging
MIPS queue for June 1st, 2020
# gpg: Signature made Mon 01 Jun 2020 12:29:25 BST
# gpg: using RSA key D4972A8967F75A65
# gpg: Good signature from "Aleksandar Markovic <[email protected]>" [full]
# Primary key fingerprint: 8526 FBF1 5DA3 811F 4A01 DD75 D497 2A89 67F7 5A65
* remotes/amarkovic/tags/mips-queue-june-01-2020:
hw/mips: fuloong2e: Set preferred page size to 16KB
target/mips: Support variable page size
target/mips: Add more CP0 register for save/restore
hw/mips: Add CPU IRQ3 delivery for KVM
configure: Add KVM target support for MIPS64
tests/Makefile: Fix description of "make check"
Traditionally, MIPS use 4KB page size, but Loongson prefer 16KB page
size in system emulator. So, let's define TARGET_PAGE_BITS_VARY and
TARGET_PAGE_BITS_MIN to support variable page size.
Huacai Chen [Sun, 3 May 2020 10:20:17 +0000 (18:20 +0800)]
hw/mips: Add CPU IRQ3 delivery for KVM
Currently, KVM/MIPS only deliver I/O interrupt via IP2, this patch add
IP3 delivery as well, because Loongson-3 based machine use both IRQ2
(CPU's IP2) and IRQ3 (CPU's IP3).
Peter Maydell [Sun, 31 May 2020 20:49:07 +0000 (21:49 +0100)]
Merge remote-tracking branch 'remotes/philmd-gitlab/tags/python-next-20200531' into staging
Python queue:
* migration acceptance test fix
* introduce pylintrc & flake8 config
* various cleanups (Python3, style)
* vm-test can set QEMU_LOCAL=1 to use locally built binaries
* refactored BootLinuxBase & LinuxKernelTest acceptance classes
projects / qemu.git / log