Peter Maydell [Tue, 29 Jan 2019 12:00:19 +0000 (12:00 +0000)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20190129' into staging
target-arm queue:
* Fix validation of 32-bit address spaces for aa32 (fixes an assert introduced in ba97be9f4a4)
* v8m: Ensure IDAU is respected if SAU is disabled
* gdbstub: fix gdb_get_cpu(s, pid, tid) when pid and/or tid are 0
* exec.c: Use correct attrs in cpu_memory_rw_debug()
* accel/tcg/user-exec: Don't parse aarch64 insns to test for read vs write
* target/arm: Don't clear supported PMU events when initializing PMCEID1
* memory: add memory_region_flush_rom_device()
* microbit: Add stub NRF51 TWI magnetometer/accelerometer detection
* tests/microbit-test: extend testing of microbit devices
* checkpatch: Don't emit spurious warnings about block comments
* aspeed/smc: misc bug fixes
* xlnx-zynqmp: Don't create rpu-cluster if there are no RPUs
* xlnx-zynqmp: Realize cluster after putting RPUs in it
* accel/tcg: Add cluster number to TCG TB hash so differently configured
CPUs don't pick up cached TBs for the wrong kind of CPU
* remotes/pmaydell/tags/pull-target-arm-20190129: (23 commits)
gdbstub: Simplify gdb_get_cpu_pid() to use cpu->cluster_index
accel/tcg: Add cluster number to TCG TB hash
qom/cpu: Add cluster_index to CPUState
hw/arm/xlnx-zynqmp: Realize cluster after putting RPUs in it
aspeed/smc: snoop SPI transfers to fake dummy cycles
aspeed/smc: Add dummy data register
aspeed/smc: define registers for all possible CS
aspeed/smc: fix default read value
xlnx-zynqmp: Don't create rpu-cluster if there are no RPUs
checkpatch: Don't emit spurious warnings about block comments
tests/microbit-test: Check nRF51 UART functionality
tests/microbit-test: Make test independent of global_qtest
tests/libqtest: Introduce qtest_init_with_serial()
memory: add memory_region_flush_rom_device()
target/arm: Don't clear supported PMU events when initializing PMCEID1
MAINTAINERS: update microbit ARM board files
accel/tcg/user-exec: Don't parse aarch64 insns to test for read vs write
exec.c: Use correct attrs in cpu_memory_rw_debug()
tests/microbit-test: add TWI stub device test
arm: Stub out NRF51 TWI magnetometer/accelerometer detection
...
Peter Maydell [Tue, 29 Jan 2019 11:46:06 +0000 (11:46 +0000)]
accel/tcg: Add cluster number to TCG TB hash
Include the cluster number in the hash we use to look
up TBs. This is important because a TB that is valid
for one cluster at a given physical address and set
of CPU flags is not necessarily valid for another:
the two clusters may have different views of physical
memory, or may have different CPU features (eg FPU
present or absent).
We put the cluster number in the high 8 bits of the
TB cflags. This gives us up to 256 clusters, which should
be enough for anybody. If we ever need more, or need
more bits in cflags for other purposes, we could make
tb_hash_func() take more data (and expand qemu_xxhash7()
to qemu_xxhash8()).
Peter Maydell [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
qom/cpu: Add cluster_index to CPUState
For TCG we want to distinguish which cluster a CPU is in, and
we need to do it quickly. Cache the cluster index in the CPUState
struct, by having the cluster object set cpu->cluster_index for
each CPU child when it is realized.
This means that board/SoC code must add all CPUs to the cluster
before realizing the cluster object. Regrettably QOM provides no
way to prevent adding children to a realized object and no way for
the parent to be notified when a new child is added to it, so
we don't have any way to enforce/assert this constraint; all
we can do is document it in a comment. We can at least put in a
check that the cluster contains at least one CPU, which should
catch the typical cases of "realized cluster too early" or
"forgot to parent the CPUs into it".
The restriction on how many clusters can exist in the system
is imposed by TCG code which will be added in a subsequent commit,
but the check to enforce it in cluster.c fits better in this one.
Peter Maydell [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
hw/arm/xlnx-zynqmp: Realize cluster after putting RPUs in it
Currently the cluster implementation doesn't have any constraints
on the ordering of realizing the TYPE_CPU_CLUSTER and populating it
with child objects. We want to impose a constraint that realize
must happen only after all the child objects are added, so move
the realize of rpu_cluster. (The apu_cluster is already
realized after child population.)
Cédric Le Goater [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
aspeed/smc: snoop SPI transfers to fake dummy cycles
The m25p80 models dummy cycles using byte transfers. This works well
when the transfers are initiated by the QEMU model of a SPI controller
but when these are initiated by the OS, it breaks emulation.
Snoop the SPI transfer to catch commands requiring dummy cycles and
replace them with byte transfers compatible with the m25p80 model.
Cédric Le Goater [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
aspeed/smc: define registers for all possible CS
The model should expose one control register per possible CS. When
testing the validity of the register number in the read operation,
replace 's->num_cs' by 'ctrl->max_slaves' which represents the maximum
number of flash devices a controller can handle.
Peter Maydell [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
xlnx-zynqmp: Don't create rpu-cluster if there are no RPUs
If we aren't going to create any RPUs, then don't create the
rpu-cluster unit. This allows us to add an assertion to the
cluster object that it contains at least one CPU, which helps
to avoid bugs in creating clusters and putting CPUs in them.
Peter Maydell [Tue, 29 Jan 2019 11:46:05 +0000 (11:46 +0000)]
checkpatch: Don't emit spurious warnings about block comments
In checkpatch we attempt to check for and warn about
block comments which start with /* or /** followed by a
non-blank. Unfortunately a bug in the regex meant that
we would incorrectly warn about comments starting with
"/**" with no following text:
git show 9813dc6ac3954d58ba16b3920556f106f97e1c67|./scripts/checkpatch.pl -
WARNING: Block comments use a leading /* on a separate line
#34: FILE: tests/libqtest.h:233:
+/**
The sequence "/\*\*?" was intended to match either "/*" or "/**",
but Perl's semantics for '?' allow it to backtrack and try the
"matches 0 chars" option if the "matches 1 char" choice leads to
a failure of the rest of the regex to match. Switch to "/\*\*?+"
which uses what perlre(1) calls the "possessive" quantifier form:
this means that if it matches the "/**" string it will not later
backtrack to matching just the "/*" prefix.
The other end of the regex is also wrong: it is attempting
to check for "/* or /** followed by something that isn't
just whitespace", but [ \t]*.+[ \t]* will match on pure
whitespace. This is less significant but means that a line
with just a comment-starter followed by trailing whitespace
will generate an incorrect warning about block comment style
as well as the correct error about trailing whitespace which
a different checkpatch test emits.
Stefan Hajnoczi [Tue, 29 Jan 2019 11:46:04 +0000 (11:46 +0000)]
memory: add memory_region_flush_rom_device()
ROM devices go via MemoryRegionOps->write() callbacks for write
operations and do not dirty/invalidate that memory. Device emulation
must be able to mark memory ranges that have been modified internally
(e.g. using memory_region_get_ram_ptr()).
Introduce the memory_region_flush_rom_device() API for this purpose.
This patch introduced two calls to get_pmceid() during CPU
initialization - one each for PMCEID0 and PMCEID1. In addition to
building the register values, get_pmceid() clears an internal array
mapping event numbers to their implementations (supported_event_map)
before rebuilding it. This is an optimization since much of the logic is
shared. However, since it was called twice, the contents of
supported_event_map reflect only the events in PMCEID1 (the second call
to get_pmceid()).
Fix this bug by moving the initialization of PMCEID0 and PMCEID1 back
into a single function call, and name it more appropriately since it is
doing more than simply generating the contents of the PMCEID[01]
registers.
Peter Maydell [Tue, 29 Jan 2019 11:46:04 +0000 (11:46 +0000)]
accel/tcg/user-exec: Don't parse aarch64 insns to test for read vs write
In cpu_signal_handler() for aarch64 hosts, currently we parse
the faulting instruction to see if it is a load or a store.
Since the 3.16 kernel (~2014), the kernel has provided us with
the syndrome register for a fault, which includes the WnR bit.
Use this instead if it is present, only falling back to
instruction parsing if not.
Peter Maydell [Tue, 29 Jan 2019 11:46:04 +0000 (11:46 +0000)]
exec.c: Use correct attrs in cpu_memory_rw_debug()
In the softmmu version of cpu_memory_rw_debug(), we ask the
CPU for the attributes to use for the virtual memory access,
and we correctly use those to identify the address space
index. However, we were not passing them in to the
address_space_write_rom() and address_space_rw() functions.
The effect of this was that a memory access from the gdbstub
to a device which had behaviour that was sensitive to the
memory attributes (such as some ARMv8M NVIC registers) was
incorrectly always performed as if non-secure, rather than
using the right security state for the CPU's current state.
Steffen Görtz [Tue, 29 Jan 2019 11:46:03 +0000 (11:46 +0000)]
arm: Stub out NRF51 TWI magnetometer/accelerometer detection
Recent microbit firmwares panic if the TWI magnetometer/accelerometer
devices are not detected during startup. We don't implement TWI (I2C)
so let's stub out these devices just to let the firmware boot.
Thomas Roth [Tue, 29 Jan 2019 11:46:03 +0000 (11:46 +0000)]
target/arm: v8m: Ensure IDAU is respected if SAU is disabled
The current behavior of v8m_security_lookup in helper.c only checks whether the
IDAU specifies a higher security if the SAU is enabled. If SAU.ALLNS is set to
1, this will lead to addresses being treated as non-secure, even though the
IDAU indicates that they must be secure.
This patch changes the behavior to also check the IDAU if the SAU is currently
disabled.
(This brings the behaviour here into line with the v8M Arm ARM
SecurityCheck() pseudocode.)
Signed-off-by: Thomas Roth <[email protected]>
Message-id: CAGGekkuc+-tvp5RJP7CM+Jy_hJF7eiRHZ96132sb=hPPCappKg@mail.gmail.com Reviewed-by: Peter Maydell <[email protected]>
[PMM: added pseudocode ref to the commit message, fixed comment style] Signed-off-by: Peter Maydell <[email protected]>
Emilio G. Cota [Wed, 16 Jan 2019 17:01:14 +0000 (12:01 -0500)]
tcg/i386: enable dynamic TLB sizing
As the following experiments show, this series is a net perf gain,
particularly for memory-heavy workloads. Experiments are run on an
Intel(R) Xeon(R) Gold 6142 CPU @ 2.60GHz.
1. System boot + shudown, debian aarch64:
- Before (v3.1.0):
Performance counter stats for './die.sh v3.1.0' (10 runs):
No improvement (within noise range). Note that for this workload,
increasing the time window too much can lead to perf degradation,
since it flushes the TLB *very* frequently.
3. x86_64 SPEC06int:
x86_64-softmmu speedup vs. v3.1.0 for SPEC06int (test set)
Host: Intel(R) Xeon(R) Gold 6142 CPU @ 2.60GHz (Skylake)
Emilio G. Cota [Wed, 16 Jan 2019 17:01:12 +0000 (12:01 -0500)]
cputlb: do not evict empty entries to the vtlb
Currently we evict an entry to the victim TLB when it doesn't match
the current address. But it could be that there's no match because
the current entry is empty (i.e. all -1's, for instance via tlb_flush).
Do not evict the entry to the vtlb in that case.
This change will help us keep track of the TLB's use rate, which
we'll use to implement a policy for dynamic TLB sizing.
* remotes/jnsnow/tags/ide-pull-request:
ide/via: Implement and use native PCI IDE mode
ide/via: Rename functions to match device name
ide/via: Remove vt82c686b_init_ports() function
sii3112: Remove duplicated code and use PCI IDE ops instead
ide: Get rid of CMD646BAR struct
cmd646: Move PCI IDE specific functions to ide/pci.c
cmd646: Remove IDEBus from CMD646BAR
cmd646: Remove unused variable
BALATON Zoltan [Fri, 25 Jan 2019 19:52:12 +0000 (14:52 -0500)]
ide/via: Implement and use native PCI IDE mode
This device only implemented ISA compatibility mode and native PCI IDE
mode was missing but no clients actually need ISA mode but to the
contrary, they usually want to switch to and use device in native
PCI IDE mode. Therefore implement native PCI mode and switch default
to that.
BALATON Zoltan [Fri, 25 Jan 2019 19:52:12 +0000 (14:52 -0500)]
ide/via: Rename functions to match device name
The device is called via-ide and the modelled IDE controller is not
specific to 82C686B but is also usable independently. Therefore, change
function name prefixes accordingly to match device name.
BALATON Zoltan [Fri, 25 Jan 2019 19:52:11 +0000 (14:52 -0500)]
ide/via: Remove vt82c686b_init_ports() function
This function is only called once from vt82c686b_ide_realize() and its
content is simple enough to not need a separate function but be
included in realize directly (as done in other IDE models except PIIX
currently).
BALATON Zoltan [Fri, 25 Jan 2019 19:52:11 +0000 (14:52 -0500)]
sii3112: Remove duplicated code and use PCI IDE ops instead
Parts of the SiI3112 mmio are identical to PCI IDE registers so we can
use the corresponding functions that were factored out into ide/pci.c.
This removes code duplication and simplifies the SiI3112 model which
also helped to spot a copy paste error where reading status of the
2nd channel read the 1st channel instead. This is also fixed here.
BALATON Zoltan [Fri, 25 Jan 2019 19:52:11 +0000 (14:52 -0500)]
ide: Get rid of CMD646BAR struct
Now that no CMD646 specific parts are left in CMD646BAR (all remaining
members are really PCI IDE specific) this struct can be deleted moving
the memory regions for PCI IDE BARs to PCIIDEState where they better
belong. The CMD646 PCI IDE model is adjusted accordingly.
BALATON Zoltan [Fri, 25 Jan 2019 19:52:11 +0000 (14:52 -0500)]
cmd646: Move PCI IDE specific functions to ide/pci.c
The io mem ops callbacks are not specific to CMD646 but really follow
the PCI IDE spec so move these from cmd646.c to pci.c to allow other
PCI IDE implementations to use them.
BALATON Zoltan [Fri, 25 Jan 2019 19:52:11 +0000 (14:52 -0500)]
cmd646: Remove IDEBus from CMD646BAR
The cmd646 io mem ops callbacks only need the IDEBus which is
currently passed via a CMD646BAR struct. No need to wrap it up like
that, we can pass it directly to these callbacks which then allows to
drop the IDEBus from the CMD646BAR.
Peter Maydell [Fri, 25 Jan 2019 16:31:02 +0000 (16:31 +0000)]
Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-january-25-2019' into staging
MIPS queue for January 25, 2019
# gpg: Signature made Fri 25 Jan 2019 13:25:57 GMT
# gpg: using RSA key D4972A8967F75A65
# gpg: Good signature from "Aleksandar Markovic <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8526 FBF1 5DA3 811F 4A01 DD75 D497 2A89 67F7 5A65
* remotes/amarkovic/tags/mips-queue-january-25-2019:
docs/qemu-cpu-models: Add MIPS/nanoMIPS QEMU supported CPU models
qemu-doc: Add nanoMIPS ISA information
tests: tcg: mips: Remove old directories
tests: tcg: mips: Add two new Makefiles
tests: tcg: mips: Move source files to new locations
MAINTAINERS: Update MIPS sections
target/mips: Add I6500 core configuration
target/mips: nanoMIPS: Fix branch handling
disas: nanoMIPS: Amend DSP instructions related comments
target/mips: Extend gen_scwp() functionality to support EVA
target/mips: Correct the second argument type of cpu_supports_isa()
target/mips: nanoMIPS: Rename macros for extracting 3-bit-coded GPR numbers
target/mips: nanoMIPS: Remove an unused macro
target/mips: nanoMIPS: Remove duplicate macro definitions
Peter Maydell [Fri, 25 Jan 2019 11:52:12 +0000 (11:52 +0000)]
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2019-01-24' into staging
QAPI patches for 2019-01-24
# gpg: Signature made Thu 24 Jan 2019 14:25:19 GMT
# gpg: using RSA key 3870B400EB918653
# gpg: Good signature from "Markus Armbruster <[email protected]>"
# gpg: aka "Markus Armbruster <[email protected]>"
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-qapi-2019-01-24:
json: Fix % handling when not interpolating
qmp: Add examples to qom list, get, and set commands
qapi: Eliminate indirection through qmp_event_get_func_emit()
qapi: Belatedly update docs for commit 9c2f56e9f9d
* remotes/vivier2/tags/trivial-patches-pull-request:
hw/i386/pc.c: fix one typo in function name
virtio-net: Fix a typo
ppc: e6500 registers SPR 604 twice
contrib/gitdm: Fix a typo
MAINTAINERS: Fix utf-8 mangling
target/mips: Extend gen_scwp() functionality to support EVA
Extend gen_scwp() functionality to support EVA by adding an
additional argument, modify internals of the function to handle
new functionality, and accordingly change its invocations.
target/mips: Correct the second argument type of cpu_supports_isa()
"insn_flags" bitfield was expanded from 32-bit to 64-bit in commit f9c9cd63e3. However, this was not reflected on the second argument
of the function cpu_supports_isa(). By chance, this did not create
some wrong behavior, since the left-most halves of all instances of
the second argument are currently all zeros. However, this is still
a bug waiting to happen. Correct this by changing the type of the
second argument to be always 64-bit.
Commit 8bca4613 added support for %% in json strings when interpolating,
but in doing so broke handling of % when not interpolating.
When parse_string() is fed a string token containing '%', it skips the
'%' regardless of ctxt->ap, i.e. even it's not interpolating. If the
'%' is the string's last character, it fails an assertion. Else, it
"merely" swallows the '%'.
Fix parse_string() to handle '%' specially only when interpolating.
To gauge the bug's impact, let's review non-interpolating users of this
parser, i.e. code passing NULL context to json_message_parser_init():
Filenames are trusted when they come from command line, QMP or HMP.
They are untrusted when they come from from image file headers.
Example: QCOW2 backing file name. Note that this is *not* the security
boundary between host and guest. It's the boundary between host and an
image file from an untrusted source.
Neither failing an assertion nor skipping a character in a filename of
your choice looks exploitable. Note that we don't support compiling
with NDEBUG.
Signed-off-by: Jon Diekema <[email protected]>
Message-Id: <CALvuzg43uSodseEHjNaRcPFBKKPTY2mcppUbYgiLL=QO9RxX_Q@mail.gmail.com>
[removed duplicated mail header in the commit message] Signed-off-by: Laurent Vivier <[email protected]>
io: ensure UNIX client doesn't unlink server socket
The qio_channel_socket_close method for was mistakenly unlinking the
UNIX server socket, even if the channel was a client connection. This
was not noticed with chardevs, since they never call close, but with the
VNC server, this caused the VNC server socket to be deleted after the
first client quit.
The qio_channel_socket_close method also needlessly reimplemented the
logic that already exists in socket_listen_cleanup(). Just call that
method directly, for listen sockets only.
This fixes a regression introduced in QEMU 3.0.0 with
Gerd Hoffmann [Thu, 24 Jan 2019 11:20:55 +0000 (12:20 +0100)]
audio: probe audio drivers by default
Add the drivers listed in audio_possible_drivers to audio_drv_list,
using the try-* variants. That way the probable drivers are compiled by
default if possible.
Additioal tweaks:
linux: reorder to: pa alsa sdl oss.
*bsd: drop pa.
Gerd Hoffmann [Thu, 24 Jan 2019 11:20:53 +0000 (12:20 +0100)]
audio: check for pulseaudio daemon pidfile
Check whenever the pulseaudio daemon pidfile is present before trying to
initialize the pulseaudio backend. Just return NULL if that is not the
case, so qemu will check the next backend in line.
In case the user explicitly configured a non-default pulseaudio server
skip the check.
Gerd Hoffmann [Thu, 24 Jan 2019 11:20:51 +0000 (12:20 +0100)]
audio: allow optional audio drivers.
For those audio drivers which can be probed (sdl, alsa, pulse) add a
try-$name variants. Unlike the variants without try- prefix they will
not error out on probe failure, the driver will be dropped from the list
instead. Mainly useful for the audio_drv_list default values.
Peter Maydell [Thu, 24 Jan 2019 12:01:02 +0000 (12:01 +0000)]
Merge remote-tracking branch 'remotes/stsquad/tags/pull-fpu-next-230119-2' into staging
Some more softfloat/fpu fixes
- make check-softfloat
- fixes for fp-bench
- workaround broken host fma
- compile fix for s390x/clang
- fixed for bigendian (v2)
- minor makefile tweaks (v2)
# gpg: Signature made Wed 23 Jan 2019 11:37:53 GMT
# gpg: using RSA key FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <[email protected]>"
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* remotes/stsquad/tags/pull-fpu-next-230119-2:
tests/Makefile: add check-softfloat rule
scripts/archive-source: include softfloat tests
tests/Makefile: add floating point tests
include/fpu/softfloat: Fix compilation with Clang on s390x
softfloat: enforce softfloat if the host's FMA is broken
tests/fp/platform.h: include config-host.h
fp-test: fix signature of slow_clear_flags and qemu_clear_flags
tests/fp/Makefile: do not use gcc-only -W flags
berkeley-testfloat-3: pull changes
fp-bench: remove wrong exponent raise in fill_random
fp-bench: fix update_random_ops