Derek Su [Fri, 22 May 2020 07:53:57 +0000 (15:53 +0800)]
colo-compare: Fix memory leak in packet_enqueue()
The patch is to fix the "pkt" memory leak in packet_enqueue().
The allocated "pkt" needs to be freed if the colo compare
primary or secondary queue is too big.
Replace the error_report of full queue with a trace event.
Lukas Straub [Fri, 22 May 2020 07:53:56 +0000 (15:53 +0800)]
net/colo-compare.c: Correct ordering in complete and finalize
In colo_compare_complete, insert CompareState into net_compares
only after everything has been initialized.
In colo_compare_finalize, remove CompareState from net_compares
before anything is deinitialized.
Lukas Straub [Fri, 22 May 2020 07:53:55 +0000 (15:53 +0800)]
net/colo-compare.c: Check that colo-compare is active
If the colo-compare object is removed before failover and a
checkpoint happens, qemu crashes because it tries to lock
the destroyed event_mtx in colo_notify_compares_event.
Fix this by checking if everything is initialized by
introducing a new variable colo_compare_active which
is protected by a new mutex colo_compare_mutex. The new mutex
also protects against concurrent access of the net_compares
list and makes sure that colo_notify_compares_event isn't
active while we destroy event_mtx and event_complete_cond.
With this it also is again possible to use colo without
colo-compare (periodic mode) and to use multiple colo-compare
for multiple network interfaces.
Lukas Straub [Fri, 22 May 2020 07:53:53 +0000 (15:53 +0800)]
net/colo-compare.c: Fix deadlock in compare_chr_send
The chr_out chardev is connected to a filter-redirector
running in the main loop. qemu_chr_fe_write_all might block
here in compare_chr_send if the (socket-)buffer is full.
If another filter-redirector in the main loop want's to
send data to chr_pri_in it might also block if the buffer
is full. This leads to a deadlock because both event loops
get blocked.
Fix this by converting compare_chr_send to a coroutine and
putting the packets in a send queue.
Lukas Straub [Fri, 22 May 2020 07:53:51 +0000 (15:53 +0800)]
net/colo-compare.c: Create event_bh with the right AioContext
qemu_bh_new will set the bh to be executed in the main
loop. This causes crashes as colo_compare_handle_event assumes
that it has exclusive access the queues, which are also
concurrently accessed in the iothread.
Create the bh with the AioContext of the iothread to fulfill
these assumptions and fix the crashes. This is safe, because
the bh already takes the appropriate locks.
Jason Wang [Mon, 11 May 2020 04:04:53 +0000 (12:04 +0800)]
net: use peer when purging queue in qemu_flush_or_purge_queue_packets()
The sender of packet will be checked in the qemu_net_queue_purge() but
we use NetClientState not its peer when trying to purge the incoming
queue in qemu_flush_or_purge_packets(). This will trigger the assert
in virtio_net_reset since we can't pass the sender check:
hw/net/virtio-net.c:533: void virtio_net_reset(VirtIODevice *): Assertion
`!virtio_net_get_subqueue(nc)->async_tx.elem' failed.
#9 0x55a33fa31b78 in virtio_net_reset hw/net/virtio-net.c:533:13
#10 0x55a33fc88412 in virtio_reset hw/virtio/virtio.c:1919:9
#11 0x55a341d82764 in virtio_bus_reset hw/virtio/virtio-bus.c:95:9
#12 0x55a341dba2de in virtio_pci_reset hw/virtio/virtio-pci.c:1824:5
#13 0x55a341db3e02 in virtio_pci_common_write hw/virtio/virtio-pci.c:1252:13
#14 0x55a33f62117b in memory_region_write_accessor memory.c:496:5
#15 0x55a33f6205e4 in access_with_adjusted_size memory.c:557:18
#16 0x55a33f61e177 in memory_region_dispatch_write memory.c:1488:16
Sai Pavan Boddu [Tue, 12 May 2020 14:54:44 +0000 (20:24 +0530)]
net: cadence_gem: Fix the queue address update during wrap around
During wrap around and reset, queues are pointing to initial base
address of queue 0, irrespective of what queue we are dealing with.
Fix it by assigning proper base address every time.
When set, indicates a frame truncation caused by a frame
that does not fit within the current descriptor buffers,
and that the 21143 does not own the next descriptor.
The tulip network driver in a qemu-system-hppa emulation is broken in
the sense that bigger network packages aren't received any longer and
thus even running e.g. "apt update" inside the VM fails.
The breakage was introduced by commit 8ffb7265af ("check frame size and
r/w data length") which added checks to prevent accesses outside of the
rx/tx buffers.
But the new checks were implemented wrong. The variable rx_frame_len
counts backwards, from rx_frame_size down to zero, and the variable len
is never bigger than rx_frame_len, so accesses just can't happen and the
checks are unnecessary.
On the contrary the checks now prevented bigger packages to be moved
into the rx buffers.
This patch reverts the wrong checks and were sucessfully tested with a
qemu-system-hppa emulation.
virtio-net: reference implementation of hash report
Suggest VIRTIO_NET_F_HASH_REPORT if specified in device
parameters.
If the VIRTIO_NET_F_HASH_REPORT is set,
the device extends configuration space. If the feature
is negotiated, the packet layout is extended to
accomodate the hash information. In this case deliver
packet's hash value and report type in virtio header
extension.
Use for configuration the same procedure as already
used for RSS. We add two fields in rss_data that
controls what the device does with the calculated hash
if rss_data.enabled is set. If field 'populate' is set
the hash is set in the packet, if field 'redirect' is
set the hash is used to decide the queue to place the
packet to.
If VIRTIO_NET_F_RSS negotiated and RSS is enabled, process
incoming packets, calculate packet's hash and place the
packet into respective RX virtqueue.
* remotes/kraxel/tags/microvm-20200617-pull-request:
microvm: move virtio base to 0xfeb00000
x86: move max-ram-below-4g to pc
microvm: drop max-ram-below-4g support
microvm: use 3G split unconditionally
qemu/exec.c: In function ‘address_space_translate_iommu’:
qemu/exec.c:431:28: note: parameter passing for argument of type \
‘MemTxAttrs’ {aka ‘struct MemTxAttrs’} changed in GCC 9.1
and many other repetitions. This structure, and the functions
amongst which it is passed, are not part of a QEMU public API.
Therefore we do not care how the compiler passes the argument,
so long as the compiler is self-consistent.
The only portion of QEMU which does have a public api, and so
must have a stable abi, is "qemu/plugin.h". We test this by
forcing -Wpsabi in tests/plugin/Makefile.
Clang 10 enables this by default with -Wtype-limit.
All of the instances flagged by this Werror so far have been
cases in which we really do want the compiler to optimize away
the test completely. Disabling the warning will avoid having
to add ifdefs to work around this.
Use a helper function to tidy the assembly of gcc_flags.
Separate flags that disable warnings from those that enable,
and sort the disable warnings to the end.
Wei Wang [Wed, 17 Jun 2020 20:13:05 +0000 (13:13 -0700)]
migration: fix xbzrle encoding rate calculation
It's reported an error of implicit conversion from "unsigned long" to
"double" when compiling with Clang 10. Simply make the encoding rate 0
when the encoded_size is 0.
Gerd Hoffmann [Fri, 29 May 2020 07:39:54 +0000 (09:39 +0200)]
microvm: use 3G split unconditionally
Looks like the logic was copied over from q35.
q35 does this for backward compatibility, there is no reason to do this
on microvm though. Also microvm doesn't need much mmio space, 1G is
more than enough. Using an mmio window smaller than 1G is bad for
gigabyte alignment and hugepages though. So split @ 3G unconditionally.
Gerd Hoffmann [Fri, 29 May 2020 07:22:24 +0000 (09:22 +0200)]
usb-host: workaround libusb bug
libusb seems to no allways call the completion callback for requests
canceled (which it is supposed to do according to the docs). So add
a limit to avoid qemu waiting forever.
Gerd Hoffmann [Fri, 5 Jun 2020 12:59:52 +0000 (14:59 +0200)]
usb: add hostdevice property to usb-host
The new property allows to specify usb host device name. Uses standard
qemu_open(), so both file system path (/dev/bus/usb/$bus/$dev on linux)
and file descriptor passing can be used.
Requires libusb 1.0.23 or newer. The hostdevice property is only
present in case qemu is compiled against a new enough library version,
so the presence of the property can be used for feature detection.
Peter Maydell [Tue, 16 Jun 2020 13:57:15 +0000 (14:57 +0100)]
Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-and-plugin-160620-2' into staging
Testing and plugin updates
- clear up dtc warnings
- add support for --enable-tsan builds
- re-enable shippable cross builds
- serialise cirrus check steps
- fix check-tcg plugin issues
- add lockstep plugin
# gpg: Signature made Tue 16 Jun 2020 14:50:09 BST
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <[email protected]>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* remotes/stsquad/tags/pull-testing-and-plugin-160620-2: (21 commits)
plugins: new lockstep plugin for debugging TCG changes
tests/tcg: ensure -cpu max also used for plugin run
tests/tcg: build plugin list from contents of src directory
cirrus.yml: serialise make check
Revert ".shippable: temporaily disable some cross builds"
tests: Disable select tests under TSan, which hit TSan issue.
docs: Added details on TSan to testing.rst
util: Added tsan annotate for thread name.
include/qemu: Added tsan.h for annotations.
tests/docker: Added docker build support for TSan.
thread: add tsan annotations to QemuSpin
translate-all: call qemu_spin_destroy for PageDesc
tcg: call qemu_spin_destroy for tb->jmp_lock
qht: call qemu_spin_destroy for head buckets
cputlb: destroy CPUTLB with tlb_destroy
thread: add qemu_spin_destroy
cpu: convert queued work to a QSIMPLEQ
configure: add --enable-tsan flag + fiber annotations for coroutine-ucontext
Makefile: remove old compatibility gunks
Makefile: dtc: update, build the libfdt target
...
Alex Bennée [Wed, 10 Jun 2020 15:55:05 +0000 (16:55 +0100)]
plugins: new lockstep plugin for debugging TCG changes
When we make changes to the TCG we sometimes cause regressions that
are deep into the execution cycle of the guest. Debugging this often
requires comparing large volumes of trace information to figure out
where behaviour has diverged.
The lockstep plugin utilises a shared socket so two QEMU's running
with the plugin will write their current execution position and wait
to receive the position of their partner process. When execution
diverges the plugins output where they were and the previous few
blocks before unloading themselves and letting execution continue.
Originally I planned for this to be most useful with -icount but it
turns out you can get divergence pretty quickly due to asynchronous
qemu_cpu_kick_rr_cpus() events causing one side to eventually run into
a short block a few cycles before the other side. For this reason I've
added a bit of tracking and I think the divergence reporting could be
finessed to report only if we really start to diverge in execution.
Alex Bennée [Mon, 15 Jun 2020 14:19:22 +0000 (15:19 +0100)]
tests/tcg: ensure -cpu max also used for plugin run
The check-tcg plugins build was failing because some special case
tests that needed -cpu max failed because the plugin variant hadn't
carried across the QEMU_OPTS tweak.
Guests which globally set QEMU_OPTS=-cpu FOO where unaffected.
Alex Bennée [Mon, 15 Jun 2020 14:19:21 +0000 (15:19 +0100)]
tests/tcg: build plugin list from contents of src directory
If you jump back and forth between branches while developing plugins
you end up debugging failures caused by plugins left in the build
directory. Fix this by basing plugins on the source tree instead.
Robert Foley [Fri, 12 Jun 2020 19:02:34 +0000 (20:02 +0100)]
docs: Added details on TSan to testing.rst
Adds TSan details to testing.rst.
This includes background and reference details on TSan,
and details on how to build and test with TSan
both with and without docker.
Robert Foley [Fri, 12 Jun 2020 19:02:32 +0000 (20:02 +0100)]
include/qemu: Added tsan.h for annotations.
These annotations will allow us to give tsan
additional hints. For example, we can inform
tsan about reads/writes to ignore to silence certain
classes of warnings.
We can also annotate threads so that the proper thread
naming shows up in tsan warning results.
Robert Foley [Fri, 12 Jun 2020 19:02:31 +0000 (20:02 +0100)]
tests/docker: Added docker build support for TSan.
Added a new docker for ubuntu 20.04.
This docker has support for Thread Sanitizer
including one patch we need in one of the header files.
https://github.com/llvm/llvm-project/commit/a72dc86cd
This command will build with tsan enabled:
make docker-test-tsan-ubuntu2004 V=1
Also added the TSAN suppresion file to disable certain
cases of TSAN warnings.
Lingfeng Yang [Fri, 12 Jun 2020 19:02:23 +0000 (20:02 +0100)]
configure: add --enable-tsan flag + fiber annotations for coroutine-ucontext
We tried running QEMU under tsan in 2016, but tsan's lack of support for
longjmp-based fibers was a blocker:
https://groups.google.com/forum/#!topic/thread-sanitizer/se0YuzfWazw
Fortunately, thread sanitizer gained fiber support in early 2019:
https://reviews.llvm.org/D54889
This patch brings tsan support upstream by importing the patch that annotated
QEMU's coroutines as tsan fibers in Android's QEMU fork:
https://android-review.googlesource.com/c/platform/external/qemu/+/844675
Tested with '--enable-tsan --cc=clang-9 --cxx=clang++-9 --disable-werror'
configure flags.
Claudio Fontana [Fri, 12 Jun 2020 19:02:21 +0000 (20:02 +0100)]
Makefile: dtc: update, build the libfdt target
dtc submodule update, now call the libfdt target from the new
dtc Makefile, which has been changed to not require bison, flex, etc.
This removes warnings during the build.
scripts/ symlink and tests directory creation are not necessary,
and neither is calling the clean rule explicitly.
Peter Maydell [Tue, 16 Jun 2020 12:36:31 +0000 (13:36 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200616' into staging
* hw: arm: Set vendor property for IMX SDHCI emulations
* sd: sdhci: Implement basic vendor specific register support
* hw/net/imx_fec: Convert debug fprintf() to trace events
* target/arm/cpu: adjust virtual time for all KVM arm cpus
* Implement configurable descriptor size in ftgmac100
* hw/misc/imx6ul_ccm: Implement non writable bits in CCM registers
* target/arm: More Neon decodetree conversion work
* remotes/armbru/tags/pull-qom-2020-06-15: (84 commits)
MAINTAINERS: Make section QOM cover hw/core/*bus.c as well
qdev: qdev_init_nofail() is now unused, drop
qdev: Convert bus-less devices to qdev_realize() with Coccinelle
qdev: Use qdev_realize() in qdev_device_add()
qdev: Make qdev_realize() support bus-less devices
s390x/event-facility: Simplify creation of SCLP event devices
microbit: Eliminate two local variables in microbit_init()
sysbus: sysbus_init_child_obj() is now unused, drop
sysbus: Convert qdev_set_parent_bus() use with Coccinelle, part 4
sysbus: Convert qdev_set_parent_bus() use with Coccinelle, part 3
sysbus: Convert qdev_set_parent_bus() use with Coccinelle, part 2
sysbus: Convert qdev_set_parent_bus() use with Coccinelle, part 1
qdev: Drop qdev_realize() support for null bus
sysbus: Convert to sysbus_realize() etc. with Coccinelle
sysbus: New sysbus_realize(), sysbus_realize_and_unref()
sysbus: Tidy up sysbus_init_child_obj()'s @childsize arg, part 2
hw/arm/armsse: Pass correct child size to sysbus_init_child_obj()
sysbus: Tidy up sysbus_init_child_obj()'s @childsize arg, part 1
microbit: Tidy up sysbus_init_child_obj() @child argument
sysbus: Drop useless OBJECT() in sysbus_init_child_obj() calls
...
fangying [Tue, 16 Jun 2020 09:32:29 +0000 (10:32 +0100)]
target/arm/cpu: adjust virtual time for all KVM arm cpus
Virtual time adjustment was implemented for virt-5.0 machine type,
but the cpu property was enabled only for host-passthrough and max
cpu model. Let's add it for any KVM arm cpu which has the generic
timer feature enabled.
Peter Maydell [Tue, 16 Jun 2020 09:32:28 +0000 (10:32 +0100)]
target/arm: Convert Neon VDUP (scalar) to decodetree
Convert the Neon VDUP (scalar) insn to decodetree. (Note that we
can't call this just "VDUP" as we used that already in vfp.decode for
the "VDUP (general purpose register" insn.)
Peter Maydell [Tue, 16 Jun 2020 09:32:28 +0000 (10:32 +0100)]
target/arm: Convert Neon VTBL, VTBX to decodetree
Convert the Neon VTBL, VTBX instructions to decodetree. The actual
implementation of the insn is copied across to the new trans function
unchanged except for renaming 'tmp5' to 'tmp4'.
Peter Maydell [Tue, 16 Jun 2020 09:32:28 +0000 (10:32 +0100)]
target/arm: Convert Neon VEXT to decodetree
Convert the Neon VEXT insn to decodetree. Rather than keeping the
old implementation which used fixed temporaries cpu_V0 and cpu_V1
and did the extraction with by-hand shift and logic ops, we use
the TCG extract2 insn.
We don't need to special case 0 or 8 immediates any more as the
optimizer is smart enough to throw away the dead code.
Peter Maydell [Tue, 16 Jun 2020 09:32:27 +0000 (10:32 +0100)]
target/arm: Convert Neon 2-reg-scalar float multiplies to decodetree
Convert the float versions of VMLA, VMLS and VMUL in the Neon
2-reg-scalar group to decodetree.
Signed-off-by: Peter Maydell <[email protected]>
---
As noted in the comment on the WRAP_FP_FN macro, we could have
had a do_2scalar_fp() function, but for 3 insns it seemed
simpler to just do the wrapping to get hold of the fpstatus ptr.
(These are the only fp insns in the group.) Reviewed-by: Richard Henderson <[email protected]>
Peter Maydell [Tue, 16 Jun 2020 09:32:27 +0000 (10:32 +0100)]
target/arm: Convert Neon 2-reg-scalar integer multiplies to decodetree
Convert the VMLA, VMLS and VMUL insns in the Neon "2 registers and a
scalar" group to decodetree. These are 32x32->32 operations where
one of the inputs is the scalar, followed by a possible accumulate
operation of the 32-bit result.
The refactoring removes some of the oddities of the old decoder:
* operands to the operation and accumulation were often
reversed (taking advantage of the fact that most of these ops
are commutative); the new code follows the pseudocode order
* the Q bit in the insn was in a local variable 'u'; in the
new code it is decoded into a->q
Peter Maydell [Tue, 16 Jun 2020 09:32:25 +0000 (10:32 +0100)]
target/arm: Convert Neon 3-reg-diff VABAL, VABDL to decodetree
Convert the Neon 3-reg-diff insns VABAL and VABDL to decodetree.
Like almost all the remaining insns in this group, these are
a combination of a two-input operation which returns a double width
result and then a possible accumulation of that double width
result into the destination.
Peter Maydell [Tue, 16 Jun 2020 09:32:25 +0000 (10:32 +0100)]
target/arm: Convert Neon 3-reg-diff prewidening ops to decodetree
Convert the "pre-widening" insns VADDL, VSUBL, VADDW and VSUBW
in the Neon 3-registers-different-lengths group to decodetree.
These insns work by widening one or both inputs to double their
size, performing an add or subtract at the doubled size and
then storing the double-size result.
As usual, rather than copying the loop of the original decoder
(which needs awkward code to avoid problems when source and
destination registers overlap) we just unroll the two passes.
Peter Maydell [Tue, 16 Jun 2020 09:06:57 +0000 (10:06 +0100)]
Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-06-16' into staging
* Latest fuzzer patches from Alexander
* Fixes for the qtest bios-tables-test
* LGPL information cleanup in qtest code
* sh4 acceptance test
* Improved submodule handling for the s390x CI test
s390x/event-facility: Simplify creation of SCLP event devices
init_event_facility() creates the SCLP events bus with two SCLP event
devices (sclpquiesce and sclp-cpu-hotplug). It leaves the devices
unrealized. A comment explains they will be realized "via the bus".
The bus's realize method sclp_events_bus_realize() indeed realizes all
unrealized devices on this bus. It carries a TODO comment claiming
this "has to be done in common code". No other bus realize method
realizes its devices.
The common code in question is bus_set_realized(), which has a TODO
comment asking for recursive realization. It's been asking for years.
The only devices sclp_events_bus_realize() will ever realize are the
two init_event_facility() puts there.
Simplify as follows:
* Make the devices members of the event facility instance struct, just
like the bus. object_initialize_child() is simpler than
object_property_add_child() and object_unref().
* Realize them in the event facility realize method.
This is in line with how such things are done elsewhere.
projects / qemu.git / log