m25p80: don't let rogue SPI controllers cause buffer overruns
In normal operation we should never attempt to put more
data into the data[] array than it can hold. However if the
SPI controller connected to us misbehaves then it can send
us a sequence of commands that attempt this. Since the
controller might be in the guest (if the hardware does SPI
via bit-banging), catch the possible overrun conditions and
reset the flash internal state, logging them as guest errors.
Andrew Jones [Mon, 9 Jan 2017 11:40:23 +0000 (11:40 +0000)]
hw/arm/virt-acpi-build: Don't incorrectly claim architectural timer to be edge-triggered
This is the ACPI equivalent to "hw/arm/virt: Don't incorrectly claim
architectural timer to be edge-triggered" which fixes the DT for
machine types 2.9 and later.
Andrew Jones [Mon, 9 Jan 2017 11:40:23 +0000 (11:40 +0000)]
hw/arm/virt: remove VirtGuestInfo
by moving VirtGuestInfo.fw_cfg to VirtMachineState. This is the
mach-virt equivalent of "pc: Move PcGuestInfo.fw_cfg to
PCMachineState" and "pc: Eliminate PcGuestInfo struct" combined.
Andrew Jones [Mon, 9 Jan 2017 11:40:22 +0000 (11:40 +0000)]
hw/arm/virt-acpi-build: don't save VirtGuestInfo on AcpiBuildState
We can get to VirtMachineState without the need for saving a pointer
on AcpiBuildState. This is the mach-virt equivalent to "acpi: Don't save
PcGuestInfo on AcpiBuildState"
Andrew Jones [Mon, 9 Jan 2017 11:40:22 +0000 (11:40 +0000)]
hw/arm/virt-acpi-build: remove redundant members from VirtGuestInfo
Now that we pass VirtMachineState, and guest-info is just part of
that state, we can remove all the redundant members and access
the VirtMachineState directly.
Andrew Jones [Mon, 9 Jan 2017 11:40:22 +0000 (11:40 +0000)]
hw/arm/virt: pass VirtMachineState instead of VirtGuestInfo
Only two functions take VirtGuestInfo parameters. Now that guest-info
is part of VirtMachineState, and VirtMachineState is defined in the
virt header, pass that instead.
include/hw/arm/virt-acpi-build.h is only used for VirtGuestInfo,
which doesn't even necessarily have to be ACPI specific. Move
VirtGuestInfo to include/hw/arm/virt.h, allowing us to remove
include/hw/arm/virt-acpi-build.h, and to prepare for even more
code motion.
Andrew Jones [Mon, 9 Jan 2017 11:40:22 +0000 (11:40 +0000)]
hw/arm/virt: eliminate struct VirtGuestInfoState
Instead of allocating a new struct just for VirtGuestInfo and the
machine_done Notifier, place them inside VirtMachineState. This
is the mach-virt equivalent of "pc: Eliminate struct
PcGuestInfoState"
Andrew Jones [Mon, 9 Jan 2017 11:40:22 +0000 (11:40 +0000)]
hw/arm/virt: use VirtMachineState.gic_version
machvirt_init may need to probe for the gic version. If so, then
make sure the result is written to VirtMachineState. With the
state up to date, use it instead of a local variable. This is a
cleanup that prepares for VirtMachineState to be passed to functions
even outside hw/arm/virt.c
Peter Maydell [Mon, 9 Jan 2017 11:40:21 +0000 (11:40 +0000)]
hw/arm/virt: Don't incorrectly claim architectural timer to be edge-triggered
The architectural timers in ARM CPUs all have level triggered interrupts
(unless you're using KVM on a host kernel before 4.4, which misimplemented
them as edge-triggered).
We were incorrectly describing them in the device tree as edge triggered.
This can cause problems for guest kernels in 4.8 before rc6:
* pre-4.8 kernels ignore the values in the DT
* 4.8 before rc6 write the DT values to the GIC config registers
* newer than rc6 ignore the DT and insist that the timer interrupts
are level triggered regardless
Fix the DT so we're describing reality. For backwards-compatibility
purposes, only do this for the virt-2.9 machine onward.
Peter Maydell [Mon, 9 Jan 2017 11:40:21 +0000 (11:40 +0000)]
hw/arm/virt: Merge VirtBoardInfo and VirtMachineState
One of the purposes of VirtBoardInfo was to hold various
bits of state about the board. Now we have MachineState
and the subclass VirtMachineState to do this. Fold the
VirtBoardInfo into VirtMachineState rather than having
some flags in one struct and some in another with no
useful way to get between them.
In the process we drop the code for looking up the
memory map and irq map from the CPU model, because
in practice we always use the same maps in all cases.
For easier code review, this change removes the
VirtBoardInfo type but leaves all the variables which
used to be VirtBoardInfo* and are now VirtMachineState*
with their now-confusing 'vbi' names.
Corey Minyard [Mon, 9 Jan 2017 11:40:20 +0000 (11:40 +0000)]
i2c: Allow I2C devices to NAK start events
Add a return value to the event handler. Some I2C devices will
NAK if they have no data, so allow them to do this. This required
the following changes:
Go through all the event handlers and change them to return int
and return 0.
Modify i2c_start_transfer to terminate the transaction on a NAK.
Modify smbus handing to not assert if a NAK occurs on a second
operation, and terminate the transaction and return -1 instead.
Add some information on semantics to I2CSlaveClass.
Peter Maydell [Fri, 6 Jan 2017 15:18:09 +0000 (15:18 +0000)]
Merge remote-tracking branch 'remotes/gonglei/tags/cryptodev-next-20161224' into staging
cryptodev patches
- add xts mode support
- add 3DES algorithm support
- other trivial fixes
# gpg: Signature made Sat 24 Dec 2016 05:56:44 GMT
# gpg: using RSA key 0x2ED7FDE9063C864D
# gpg: Good signature from "Gonglei <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 3EF1 8E53 3459 E6D1 963A 3C05 2ED7 FDE9 063C 864D
* remotes/gonglei/tags/cryptodev-next-20161224:
cryptodev: add 3des-ede support
cryptodev: remove single-DES support in cryptodev
cryptodev: add xts(aes) support
cryptodev: fix the check of aes algorithm
Peter Maydell [Fri, 6 Jan 2017 12:10:40 +0000 (12:10 +0000)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Fri 06 Jan 2017 02:55:49 GMT
# gpg: using RSA key 0xEF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
fsl_etsec: Fix Tx BD ring wrapping handling
rtl8139: correctly handle PHY reset
record/replay: add network support
Andrey Smirnov [Thu, 5 Jan 2017 20:26:36 +0000 (12:26 -0800)]
fsl_etsec: Fix Tx BD ring wrapping handling
Current code that handles Tx buffer desciprtor ring scanning employs the
following algorithm:
1. Restore current buffer descriptor pointer from TBPTRn
2. Process current descriptor
3. If current descriptor has BD_WRAP flag set set current
descriptor pointer to start of the descriptor ring
4. If current descriptor points to start of the ring exit the
loop, otherwise increment current descriptor pointer and go
to #2
5. Store current descriptor in TBPTRn
The way the code is implemented results in buffer descriptor ring being
scanned starting at offset/descriptor #0. While covering 99% of the
cases, this algorithm becomes problematic for a number of edge cases.
Consider the following scenario: guest OS driver initializes descriptor
ring to N individual descriptors and starts sending data out. Depending
on the volume of traffic and probably guest OS driver implementation it
is possible that an edge case where a packet, spread across 2
descriptors is placed in descriptors N - 1 and 0 in that order(it is
easy to imagine similar examples involving more than 2 descriptors).
What happens then is aforementioned algorithm starts at descriptor 0,
sees a descriptor marked as BD_LAST, which it happily sends out as a
separate packet(very much malformed at this point) then the iteration
continues and the first part of the original packet is tacked to the
next transmission which ends up being bogus as well.
This behvaiour can be pretty reliably observed when scp'ing data from a
guest OS via TAP interface for files larger than 160K (every time for
700K+).
This patch changes the scanning algorithm to do the following:
1. Restore "current" buffer descriptor pointer from
TBPTRn
2. If "current" descriptor does not have BD_TX_READY set, goto #6
3. Process current descriptor
4. If "current" descriptor has BD_WRAP flag set "current"
descriptor pointer to start of the descriptor ring otherwise
set increment "current" by the size of one descriptor
5. Goto #1
6. Save "current" buffer descriptor in TBPTRn
This way we preserve the information about which descriptor was
processed last and always start where we left off avoiding the original
problem. On top of that, judging by the following excerpt from
MPC8548ERM (p. 14-48):
"... When the end of the TxBD ring is reached, eTSEC initializes TBPTRn
to the value in the corresponding TBASEn. The TBPTR register is
internally written by the eTSEC’s DMA controller during
transmission. The pointer increments by eight (bytes) each time a
descriptor is closed successfully by the eTSEC..."
revised algorithm might also a more correct way of emulating this aspect
of eTSEC peripheral.
Hervé Poussineau [Tue, 13 Dec 2016 19:44:41 +0000 (20:44 +0100)]
rtl8139: correctly handle PHY reset
According to datasheet:
"[Bit 15 of Basic Mode Control Register] sets the status and control registers
of the PHY (register 0062-0074) in a default state. This bit is self-clearing.
1 = software reset; 0 = normal operation."
This fixes the netcard detection failure in Minoca OS.
Pavel Dovgalyuk [Mon, 26 Sep 2016 08:08:21 +0000 (11:08 +0300)]
record/replay: add network support
This patch adds support of recording and replaying network packets in
irount rr mode.
Record and replay for network interactions is performed with the network filter.
Each backend must have its own instance of the replay filter as follows:
-netdev user,id=net1 -device rtl8139,netdev=net1
-object filter-replay,id=replay,netdev=net1
Replay network filter is used to record and replay network packets. While
recording the virtual machine this filter puts all packets coming from
the outer world into the log. In replay mode packets from the log are
injected into the network device. All interactions with network backend
in replay mode are disabled.
v5 changes:
- using iov_to_buf function instead of loop
Peter Maydell [Thu, 5 Jan 2017 12:44:22 +0000 (12:44 +0000)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
# gpg: Signature made Wed 04 Jan 2017 13:29:09 GMT
# gpg: using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
iothread: add poll-grow and poll-shrink parameters
aio: self-tune polling time
virtio: disable virtqueue notifications during polling
aio: add .io_poll_begin/end() callbacks
virtio: turn vq->notification into a nested counter
virtio-scsi: suppress virtqueue kick during processing
virtio-blk: suppress virtqueue kick during processing
iothread: add polling parameters
linux-aio: poll ring for completions
virtio: poll virtqueues for new buffers
aio: add polling mode to AioContext
aio: add AioPollFn and io_poll() interface
aio: add flag to skip fds to aio_dispatch()
HACKING: document #include order
Peter Maydell [Thu, 5 Jan 2017 10:53:57 +0000 (10:53 +0000)]
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
- transport specific callbacks (for Xen)
- fix crash (2.8 regression)
- 9p functional tests
# gpg: Signature made Tue 03 Jan 2017 17:30:58 GMT
# gpg: using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <[email protected]>"
# gpg: aka "Greg Kurz <[email protected]>"
# gpg: aka "Greg Kurz <[email protected]>"
# gpg: aka "Greg Kurz <[email protected]>"
# gpg: aka "Gregory Kurz (Groug) <[email protected]>"
# gpg: aka "Gregory Kurz (Cimai Technology) <[email protected]>"
# gpg: aka "Gregory Kurz (Meiosys Technology) <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2
* remotes/gkurz/tags/for-upstream:
tests: virtio-9p: ".." cannot be used to walk out of the shared directory
tests: virtio-9p: no slash in path elements during walk
tests: virtio-9p: add walk operation test
tests: virtio-9p: add attach operation test
tests: virtio-9p: add version operation test
9pfs: fix P9_NOTAG and P9_NOFID macros
tests: virtio-9p: code refactoring
tests: virtio-9p: rename PCI configuration test
9pfs: fix crash when fsdev is missing
9pfs: introduce init_out/in_iov_from_pdu
9pfs: call v9fs_init_qiov_from_pdu before v9fs_pack
9pfs: introduce transport specific callbacks
9pfs: move pdus to V9fsState
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:51 +0000 (19:26 +0000)]
aio: self-tune polling time
This patch is based on the algorithm for the kvm.ko halt_poll_ns
parameter in Linux. The initial polling time is zero.
If the event loop is woken up within the maximum polling time it means
polling could be effective, so grow polling time.
If the event loop is woken up beyond the maximum polling time it means
polling is not effective, so shrink polling time.
If the event loop makes progress within the current polling time then
the sweet spot has been reached.
This algorithm adjusts the polling time so it can adapt to variations in
workloads. The goal is to reach the sweet spot while also recognizing
when polling would hurt more than help.
Two new trace events, poll_grow and poll_shrink, are added for observing
polling time adjustment.
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:49 +0000 (19:26 +0000)]
aio: add .io_poll_begin/end() callbacks
The begin and end callbacks can be used to prepare for the polling loop
and clean up when polling stops. Note that they may only be called once
for multiple aio_poll() calls if polling continues to succeed. Once
polling fails the end callback is invoked before aio_poll() resumes file
descriptor monitoring.
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:48 +0000 (19:26 +0000)]
virtio: turn vq->notification into a nested counter
Polling should disable virtqueue notifications but that requires nested
virtio_queue_set_notification() calls. Turn vq->notification into a
counter so it is possible to do nesting.
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:44 +0000 (19:26 +0000)]
linux-aio: poll ring for completions
The Linux AIO userspace ABI includes a ring that is shared with the
kernel. This allows userspace programs to process completions without
system calls.
Add an AioContext poll handler to check for completions in the ring.
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:42 +0000 (19:26 +0000)]
aio: add polling mode to AioContext
The AioContext event loop uses ppoll(2) or epoll_wait(2) to monitor file
descriptors or until a timer expires. In cases like virtqueues, Linux
AIO, and ThreadPool it is technically possible to wait for events via
polling (i.e. continuously checking for events without blocking).
Polling can be faster than blocking syscalls because file descriptors,
the process scheduler, and system calls are bypassed.
The main disadvantage to polling is that it increases CPU utilization.
In classic polling configuration a full host CPU thread might run at
100% to respond to events as quickly as possible. This patch implements
a timeout so we fall back to blocking syscalls if polling detects no
activity. After the timeout no CPU cycles are wasted on polling until
the next event loop iteration.
The run_poll_handlers_begin() and run_poll_handlers_end() trace events
are added to aid performance analysis and troubleshooting. If you need
to know whether polling mode is being used, trace these events to find
out.
Note that the AioContext is now re-acquired before disabling notify_me
in the non-polling case. This makes the code cleaner since notify_me
was enabled outside the non-polling AioContext release region. This
change is correct since it's safe to keep notify_me enabled longer
(disabling is an optimization) but potentially causes unnecessary
event_notifer_set() calls. I think the chance of performance regression
is small here.
Stefan Hajnoczi [Thu, 1 Dec 2016 19:26:40 +0000 (19:26 +0000)]
aio: add flag to skip fds to aio_dispatch()
Polling mode will not call ppoll(2)/epoll_wait(2). Therefore we know
there are no fds ready and should avoid looping over fd handlers in
aio_dispatch().
Greg Kurz [Tue, 3 Jan 2017 16:28:44 +0000 (17:28 +0100)]
tests: virtio-9p: ".." cannot be used to walk out of the shared directory
According to the 9P spec at http://man.cat-v.org/plan_9/5/intro, the
parent directory of the root directory of a server's tree is itself.
This test hence checks that the qid of the root directory as returned by
attach is the same as the qid of ".." when walking from the root directory.
Greg Kurz [Tue, 3 Jan 2017 16:28:44 +0000 (17:28 +0100)]
tests: virtio-9p: add walk operation test
The walk operation is used to traverse the directory tree and to associate
paths to fids. A single walk can be used to traverse up to P9_MAXWELEM path
elements at the same time.
The test creates a path with P9_MAXWELEM elements on the backend (à la
'mkdir -p') and issues a walk operation. The walk is expected to succeed
without error.
Greg Kurz [Tue, 3 Jan 2017 16:28:44 +0000 (17:28 +0100)]
tests: virtio-9p: add attach operation test
The attach operation is used to establish a connection between the
client and the server. After this, the client is able to access the
underlying filesystem and do I/O.
This test simply ensures the operation succeeds without error.
Greg Kurz [Tue, 3 Jan 2017 16:28:44 +0000 (17:28 +0100)]
tests: virtio-9p: add version operation test
This patch lays the foundations to be able to test 9P operations and
provides a test for the version operation as a first example.
A 9P request is composed of a T-message sent by the client (guest) to the
server (QEMU), and a R-message sent by the server back to the client.
The following general calls are available to implement requests for any
9P operations:
v9fs_req_init(): allocates the request structure and the guest memory for
the T-message
v9fs_req_send(): allocates the guest memory for the R-message and sends the
T-message to QEMU
v9fs_req_recv(): waits for QEMU to answer and does some sanity checks on the
returned R-message header
v9fs_req_free(): releases the guest memory and the request structure
Helpers are provided, to be used by each specific 9P operation to copy data
to/from the guest memory.
The version operation is used to negotiate the 9P protocol version to be
used and the maximum buffer size for exchanged data. It is necessarily
the first message of a 9P session. For simplicity, the maximum buffer size
is hardcoded to 4k, which should be enough for functional tests.
The test simply advertises the "9P2000.L" version to QEMU and expects QEMU
to answer it is supported.
Greg Kurz [Tue, 3 Jan 2017 16:28:44 +0000 (17:28 +0100)]
9pfs: fix P9_NOTAG and P9_NOFID macros
The u16 and u32 types don't exist in QEMU common headers. It never broke
build because these two macros aren't use by the current code, but this
is about to change with the future addition of functional tests for 9P.
Also, these should have enclosing parenthesis to be usable in any
syntactical situation.
As suggested by Eric Blake, let's use UINT16_MAX and UINT32_MAX to address
both issues.
Not all 9pfs transports share memory between request and response. For
those who don't, it is necessary to know how much memory is required in
the response.
Split the existing init_iov_from_pdu function in two:
init_out_iov_from_pdu (for writes) and init_in_iov_from_pdu (for reads).
init_in_iov_from_pdu takes an additional size parameter to specify the
memory required for the response message.
9pfs: call v9fs_init_qiov_from_pdu before v9fs_pack
v9fs_xattr_read should not access VirtQueueElement elems directly.
Move v9fs_init_qiov_from_pdu up in the file and call
v9fs_init_qiov_from_pdu before v9fs_pack. Use v9fs_pack on the new
iovec.
Li Qiang [Thu, 29 Dec 2016 08:11:26 +0000 (03:11 -0500)]
virtio-gpu-3d: fix memory leak in resource attach backing
If the virgl_renderer_resource_attach_iov function fails the
'res_iovs' will be leaked. Add check of the return value to
free the 'res_iovs' when failing.
Li Qiang [Tue, 29 Nov 2016 02:29:25 +0000 (21:29 -0500)]
virtio-gpu: call cleanup mapping function in resource destroy
If the guest destroy the resource before detach banking, the 'iov'
and 'addrs' field in resource is not freed thus leading memory
leak issue. This patch avoid this.
Laurent Vivier [Wed, 9 Nov 2016 13:46:07 +0000 (14:46 +0100)]
target-m68k: Implement 680x0 movem
680x0 movem can load/store words and long words and can use more
addressing modes. Coldfire can only use long words with (Ax) and
(d16,Ax) addressing modes.
Laurent Vivier [Mon, 11 Jan 2016 00:33:26 +0000 (01:33 +0100)]
target-m68k: add cas/cas2 ops
Implement CAS using cmpxchg.
Implement CAS2 using helper and either cmpxchg when
the 32bit addresses are consecutive, or with
parallel_cpus+cpu_loop_exit_atomic() otherwise.
Laurent Vivier [Fri, 28 Oct 2016 18:42:23 +0000 (20:42 +0200)]
target-m68k: add 680x0 divu/divs variants
Update helper to set the throwing location in case of div-by-0.
Cleanup divX.w and add quad word variants of divX.l.
Signed-off-by: Laurent Vivier <[email protected]> Reviewed-by: Richard Henderson <[email protected]>
[laurent: modified to clear Z on overflow, as found with risu]
* remotes/pmaydell/tags/pull-target-arm-20161227: (25 commits)
target-arm: Add VBAR support to ARM1176 CPUs
hw/i2c: Add a NULL check for i2c slave init callbacks
hw/arm: remove trailing whitespace
aspeed/smc: set the number of flash modules for the FMC controller
aspeed/smc: improve segment register support
aspeed/scu: fix SCU region size
aspeed: change SoC revision of the palmetto-bmc machine
aspeed: add the definitions for the AST2400 A1 SoC
aspeed: add a memory region for SRAM
aspeed: add support for the romulus-bmc board
aspeed: extend the board configuration with flash models
aspeed: attach the second SPI controller object to the SoC
aspeed: remove cannot_destroy_with_object_finalize_yet
aspeed: QOMify the CPU object and attach it to the SoC
m25p80: add support for the mx66l1g45g
hw/arm/virt: add 2.9 machine type
hw/intc/arm_gicv3: Don't signal Pending+Active interrupts to CPU
hw/intc/arm_gicv3: Remove incorrect usage of fieldoffset
target-arm: Log AArch64 exception returns
hw/intc/arm_gicv3_common: fix aff3 in typer
...
Cédric Le Goater [Tue, 27 Dec 2016 14:59:30 +0000 (14:59 +0000)]
target-arm: Add VBAR support to ARM1176 CPUs
ARM1176 CPUs have TrustZone support and can use the Vector Base
Address Register, but currently, qemu only adds VBAR support to ARMv7
CPUs. Fix this by adding a new feature ARM_FEATURE_VBAR which can used
for ARMv7 and ARM1176 CPUs.
The VBAR feature is always set for ARMv7 because some legacy boards
require it even if this is not architecturally correct.
Cédric Le Goater [Tue, 27 Dec 2016 14:59:28 +0000 (14:59 +0000)]
aspeed/smc: improve segment register support
The HW does not enforce all the rules in the specs and allows a few
"curious" setups like zero size segments and overlaps. So change the
model to be in sync but keep the warnings which are always interesting
for debug.
Cédric Le Goater [Tue, 27 Dec 2016 14:59:27 +0000 (14:59 +0000)]
aspeed: add support for the romulus-bmc board
The Romulus machine is an OpenPOWER system with an AST2500 SoC for
the BMC and a POWER9 chip for the host. It does not make much
difference for qemu a part from the fact that the FMC controller has
two SPI flash module.
Peter Maydell [Tue, 27 Dec 2016 14:59:25 +0000 (14:59 +0000)]
hw/intc/arm_gicv3: Don't signal Pending+Active interrupts to CPU
The GICv3 requires that we only signal Pending interrupts to
the CPU. This category does not include Pending+Active interrupts,
which means we need to check whether the interrupt is Active in
the gicr_int_pending() and gicd_int_pending() functions.
Interrupts are rarely in the Active+Pending state, but KVM
uses this as part of its handling of the virtual timer, so
this bug was causing KVM to go into an infinite loop of
taking the vtimer interrupt when the guest first triggered it.
Peter Maydell [Tue, 27 Dec 2016 14:59:25 +0000 (14:59 +0000)]
hw/intc/arm_gicv3: Remove incorrect usage of fieldoffset
In the ARMCPRegInfo definitions for the GICv3 CPU interface
registers, we were trying to use .fieldoffset to specify
the locations of data fields within the GICv3CPUState struct.
This is completely broken, because .fieldoffset is for offsets
into the CPUARMState struct. We didn't notice because we
were only using this for reads to BPR0, AP0R<n>, IGRPEN0
and CTLR_EL3, and Linux doesn't use these registers.
Replace the .fieldoffset uses with explicit read functions.
We add s->be_data within do_vec_ld/st. Adding it here means that
we have the wrong bits set in SIZE for a big-endian host, leading
to g_assert_not_reached in write_vec_element and read_vec_element.
Since CPUARMState.vfp.regs is not 16 byte aligned, the ^ 8 fixup used
for a big-endian host doesn't do what's intended. Fix this by adding
in the vfp.regs offset after computing the inter-register offset.
Julian Brown [Tue, 27 Dec 2016 14:59:23 +0000 (14:59 +0000)]
Correct value of ARM Cortex-A8 MVFR1 register.
The value of the MVFR1 (Media and VFP Feature Register 1) register for
the Cortex-A8 appears to be incorrect (according to the TRM, DDI0344K),
with the "full denormal arithmetic" and "propagation of NaN" fields
holding both 0 instead of both 1.
I had a go tracing the history of the use of this value, and it seems
it's always just been wrong in QEMU: maybe it was derived from early
documentation, or guessed based on the use of a "VFP Lite" implementation
in the Cortex-A8.
Depending on the startup/early-boot code in use, this can manifest as
failure to perform denormal arithmetic properly: in our case, selecting
a Cortex-A8 CPU when using QEMU as an instruction-set simulator for
bare-metal GCC testing caused tests using denormal arithmetic to
fail. Problems might be masked (or not occur) when using a full OS kernel
with suitable trap handlers (I'm not sure).
Andrew Gacek [Tue, 27 Dec 2016 14:59:23 +0000 (14:59 +0000)]
cadence_uart: Check if receiver timeout counter is disabled
When register Rcvr_timeout_reg0 (R_RTOR in cadence_uart.c) is set to
0, the receiver timeout counter should be disabled. See page 1801 of
"Zynq-7000 AP SoC Technical Reference Manual". This commit adds a
such a check before setting the receive timeout interrupt.
Alistair Francis [Tue, 27 Dec 2016 14:59:22 +0000 (14:59 +0000)]
cadence_uart: Check baud rate generator and divider values on migration
The Cadence UART device emulator calculates speed by dividing the
baud rate by a 'baud rate generator' & 'baud rate divider' value.
The device specification defines these register values to be
non-zero and within certain limits. Checks were recently added when
writing to these registers but not when restoring from migration.
This patch adds checks when restoring from migration to avoid divide by
zero errors.
Longpeng(Mike) [Thu, 8 Dec 2016 02:44:02 +0000 (10:44 +0800)]
cryptodev: add 3des-ede support
This patch add 3des-ede support for cryptodev. However this is effective
only when backend using libgcrypt/nettle, because cipher-builtin doesn't
support 3des-ede yet.
projects / qemu.git / log