Peter Maydell [Wed, 15 Aug 2018 21:11:08 +0000 (22:11 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- Remove deprecated -drive options for geometry/serial/addr
- luks: Allow shared writers if the parents allow them (share-rw=on)
- qemu-img: Fix error when trying to convert to encrypted target image
- mirror: Fail gracefully for source == target
- I/O throttling: Fix behaviour during drain (always ignore the limits)
- bdrv_reopen() related fixes for bs->options/explicit_options content
- Documentation improvements
# gpg: Signature made Wed 15 Aug 2018 12:11:43 BST
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <[email protected]>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream: (21 commits)
qapi: block: Remove mentions of error types which were removed
block: Simplify append_open_options()
block: Update bs->options if bdrv_reopen() succeeds
block: Simplify bdrv_reopen_abort()
block: Remove children options from bs->{options,explicit_options}
qdict: Make qdict_extract_subqdict() accept dst = NULL
block: drop empty .bdrv_close handlers
block: make .bdrv_close optional
qemu-img: fix regression copying secrets during convert
mirror: Fail gracefully for source == target
qapi/block: Document restrictions for node names
block: Remove dead deprecation warning code
block: Remove deprecated -drive option serial
block: Remove deprecated -drive option addr
block: Remove deprecated -drive geometry options
luks: Allow share-rw=on
throttle-groups: Don't allow timers without throttled requests
qemu-iotests: Update 093 to improve the draining test
throttle-groups: Skip the round-robin if a member is being drained
qemu-iotests: Test removing a throttle group member with a pending timer
...
Peter Maydell [Wed, 15 Aug 2018 12:29:53 +0000 (13:29 +0100)]
Merge remote-tracking branch 'remotes/famz/tags/block-and-testing-pull-request' into staging
Block and testing patches for 3.1
- aio fixes by me
- nvme fixes by Paolo and me
- test improvements by Peter, Phil and me
# gpg: Signature made Wed 15 Aug 2018 04:11:43 BST
# gpg: using RSA key CA35624C6A9171C6
# gpg: Good signature from "Fam Zheng <[email protected]>"
# Primary key fingerprint: 5003 7CB7 9706 0F76 F021 AD56 CA35 624C 6A91 71C6
* remotes/famz/tags/block-and-testing-pull-request:
aio-posix: Improve comment around marking node deleted
tests/vm: Add vm-build-all/vm-clean-all in help text
tests/vm: Use make's --output-sync option
tests/vm: Bump guest RAM up from 2G to 4G
tests/vm: Propagate V=1 down into the make inside the VM
tests/vm: Pass the jobs parallelism setting to 'make check'
tests: vm: Add vm-clean-all
tests: Add centos VM testing
tests: Allow overriding archive path with SRC_ARCHIVE
tests: Add an option for snapshot (default: off)
docker: Install more packages in centos7
aio: Do aio_notify_accept only during blocking aio_poll
aio-posix: Don't count ctx->notifier as progress when polling
nvme: simplify plug/unplug
nvme: Fix nvme_init error handling
tests/vm: Add flex and bison to the vm image
tests/vm: Only use -cpu 'host' if KVM is available
Peter Maydell [Wed, 15 Aug 2018 11:00:53 +0000 (12:00 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180814' into staging
target-arm queue:
* Implement more of ARMv6-M support
* Support direct execution from non-RAM regions;
use this to implmeent execution from small (<1K) MPU regions
* GICv2: implement the virtualization extensions
* support a virtualization-capable GICv2 in the virt and
xlnx-zynqmp boards
* arm: Fix return code of arm_load_elf() so we can detect
failure to load the file correctly
* Implement HCR_EL2.TGE ("trap general exceptions") bit
* Implement tailchaining for M profile cores
* Fix bugs in SVE compare, saturating add/sub, WHILE, MOVZ
* remotes/pmaydell/tags/pull-target-arm-20180814: (45 commits)
target/arm: Fix typo in helper_sve_movz_d
target/arm: Reorganize SVE WHILE
target/arm: Fix typo in do_sat_addsub_64
target/arm: Fix sign of sve_cmpeq_ppzw/sve_cmpne_ppzw
target/arm: Implement tailchaining for M profile cores
target/arm: Restore M-profile CONTROL.SPSEL before any tailchaining
target/arm: Initialize exc_secure correctly in do_v7m_exception_exit()
target/arm: Improve exception-taken logging
target/arm: Treat SCTLR_EL1.M as if it were zero when HCR_EL2.TGE is set
target/arm: Provide accessor functions for HCR_EL2.{IMO, FMO, AMO}
target/arm: Honour HCR_EL2.TGE when raising synchronous exceptions
target/arm: Honour HCR_EL2.TGE and MDCR_EL2.TDE in debug register access checks
target/arm: Mask virtual interrupts if HCR_EL2.TGE is set
arm: Fix return code of arm_load_elf
arm/virt: Add support for GICv2 virtualization extensions
xlnx-zynqmp: Improve GIC wiring and MMIO mapping
intc/arm_gic: Improve traces
intc/arm_gic: Implement maintenance interrupt generation
intc/arm_gic: Implement gic_update_virt() function
intc/arm_gic: Implement the virtual interface registers
...
Alberto Garcia [Fri, 29 Jun 2018 11:37:03 +0000 (14:37 +0300)]
block: Simplify append_open_options()
This function returns a BDS's driver-specific options, excluding also
those from its children. Since we have just removed all children
options from bs->options there's no need to do this last step.
We allow references to children, though ("backing": "node0"), so those
we still have to remove.
Alberto Garcia [Fri, 29 Jun 2018 11:37:01 +0000 (14:37 +0300)]
block: Simplify bdrv_reopen_abort()
If a bdrv_reopen_multiple() call fails, then the explicit_options
QDict has to be deleted for every entry in the reopen queue. This must
happen regardless of whether that entry's bdrv_reopen_prepare() call
succeeded or not.
Alberto Garcia [Fri, 29 Jun 2018 11:37:00 +0000 (14:37 +0300)]
block: Remove children options from bs->{options,explicit_options}
When bdrv_open_inherit() opens a BlockDriverState the options QDict
can contain options for some of its children, passed in the form of
child-name.option=value
So while each child is opened with that subset of options, those same
options remain stored in the parent BDS, leaving (at least) two copies
of each one of them ("child-name.option=value" in the parent and
"option=value" in the child).
Having the children options stored in the parent is unnecessary and it
can easily lead to an inconsistent state:
qemu-img: fix regression copying secrets during convert
When the convert command is creating an output file that needs
secrets, we need to ensure those secrets are passed to both the
blk_new_open and bdrv_create API calls.
This is done by qemu-img extracting all opts matching the name
suffix "key-secret". Unfortunately the code doing this was run after the
call to bdrv_create(), which meant the QemuOpts it was extracting
secrets from was now empty.
Previously this worked by luks as a bug meant the "key-secret"
parameters were not purged from the QemuOpts. This bug was fixed in
Kevin Wolf [Tue, 14 Aug 2018 09:52:25 +0000 (11:52 +0200)]
mirror: Fail gracefully for source == target
blockdev-mirror with the same node for source and target segfaults
today: A node is in its own backing chain, so mirror_start_job() decides
that this is an active commit. When adding the intermediate nodes with
block_job_add_bdrv(), it starts the iteration through the subchain with
the backing file of source, though, so it never reaches target and
instead runs into NULL at the base.
While we could fix that by starting with source itself, there is no
point in allowing mirroring a node into itself and I wouldn't be
surprised if this caused more problems later.
Kevin Wolf [Wed, 13 Jun 2018 09:01:30 +0000 (11:01 +0200)]
block: Remove dead deprecation warning code
This reinstates commit 6266e900b8083945cb766b45c124fb3c42932cb3,
which was temporarily reverted for the 3.0 release so that libvirt gets
some extra time to update their command lines.
We removed all options from the 'deprecated' array, so the code is dead
and can be removed as well.
Kevin Wolf [Wed, 13 Jun 2018 09:01:30 +0000 (11:01 +0200)]
block: Remove deprecated -drive option serial
This reinstates commit b0083267444a5e0f28391f6c2831a539f878d424,
which was temporarily reverted for the 3.0 release so that libvirt gets
some extra time to update their command lines.
The -drive option serial was deprecated in QEMU 2.10. It's time to
remove it.
Tests need to be updated to set the serial number with -global instead
of using the -drive option.
Kevin Wolf [Wed, 13 Jun 2018 09:01:30 +0000 (11:01 +0200)]
block: Remove deprecated -drive option addr
This reinstates commit eae3bd1eb7c6b105d30ec06008b3bc3dfc5f45bb,
which was temporarily reverted for the 3.0 release so that libvirt gets
some extra time to update their command lines.
The -drive option addr was deprecated in QEMU 2.10. It's time to remove
it.
Kevin Wolf [Wed, 13 Jun 2018 09:01:30 +0000 (11:01 +0200)]
block: Remove deprecated -drive geometry options
This reinstates commit a7aff6dd10b16b67e8b142d0c94c5d92c3fe88f6,
which was temporarily reverted for the 3.0 release so that libvirt gets
some extra time to update their command lines.
The -drive options cyls, heads, secs and trans were deprecated in
QEMU 2.10. It's time to remove them.
hd-geo-test tested both the old version with geometry options in -drive
and the new one with -device. Therefore the code using -drive doesn't
have to be replaced there, we just need to remove the -drive test cases.
This in turn allows some simplification of the code.
Fam Zheng [Tue, 14 Aug 2018 07:25:51 +0000 (15:25 +0800)]
luks: Allow share-rw=on
Format drivers such as qcow2 don't allow sharing the same image between
two QEMU instances in order to prevent image corruptions, because of
metadata cache. LUKS driver don't modify metadata except for when
creating image, so it is safe to relax the permission. This makes
share-rw=on property work on virtual devices.
Alberto Garcia [Thu, 2 Aug 2018 14:50:26 +0000 (17:50 +0300)]
throttle-groups: Don't allow timers without throttled requests
Commit 6fccbb475bc6effc313ee9481726a1748b6dae57 fixed a bug caused by
QEMU attempting to remove a throttle group member with no pending
requests but an active timer set. This was the result of a previous
bdrv_drained_begin() call processing the throttled requests but
leaving the timer untouched.
Although the commit does solve the problem, the situation shouldn't
happen in the first place. If we try to drain a throttle group member
which has a timer set, we should cancel the timer instead of ignoring
it.
Alberto Garcia [Thu, 2 Aug 2018 14:50:25 +0000 (17:50 +0300)]
qemu-iotests: Update 093 to improve the draining test
The previous patch fixes a problem in which draining a block device
with more than one throttled request can make it wait first for the
completion of requests in other members of the same group.
This patch updates test_remove_group_member() in iotest 093 to
reproduce that scenario. This updated test would hang QEMU without the
fix from the previous patch.
Alberto Garcia [Thu, 2 Aug 2018 14:50:24 +0000 (17:50 +0300)]
throttle-groups: Skip the round-robin if a member is being drained
In the throttling code after an I/O request has been completed the
next one is selected from a different member using a round-robin
algorithm. This ensures that all members get a chance to finish their
pending I/O requests.
However, if a group member has its I/O limits disabled (because it's
being drained) then we should always give it priority in order to have
all its pending requests finished as soon as possible.
If we don't do this we could have a member in the process of being
drained waiting for the throttled requests of other members, for which
the I/O limits still apply.
This can have additional consequences: if we're running in qtest mode
(with QEMU_CLOCK_VIRTUAL) then timers can only fire if we advance the
clock manually, so attempting to drain a block device can hang QEMU in
the BDRV_POLL_WHILE() loop at the end of bdrv_do_drained_begin().
Alberto Garcia [Thu, 2 Aug 2018 14:50:23 +0000 (17:50 +0300)]
qemu-iotests: Test removing a throttle group member with a pending timer
A throttle group can have several members, and each one of them can
have several pending requests in the queue.
The requests are processed in a round-robin fashion, so the algorithm
decides the drive that is going to run the next request and sets a
timer in it. Once the timer fires and the throttled request is run
then the next drive from the group is selected and a new timer is set.
If the user tried to remove a drive from a group and that drive had a
timer set then the code was not taking care of setting up a new timer
in one of the remaining members of the group, freezing their I/O.
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f8e27262c48 in malloc (/lib64/libasan.so.5+0xeec48)
#1 0x7f8e26a5f3c5 in g_malloc (/lib64/libglib-2.0.so.0+0x523c5)
#2 0x555ab67078a8 in qstring_from_str /home/elmarco/src/qq/qobject/qstring.c:67
#3 0x555ab67071e4 in qstring_new /home/elmarco/src/qq/qobject/qstring.c:24
#4 0x555ab6713fbf in qstring_from_escaped_str /home/elmarco/src/qq/qobject/json-parser.c:144
#5 0x555ab671738c in parse_literal /home/elmarco/src/qq/qobject/json-parser.c:506
#6 0x555ab67179c3 in parse_value /home/elmarco/src/qq/qobject/json-parser.c:569
#7 0x555ab6715123 in parse_pair /home/elmarco/src/qq/qobject/json-parser.c:306
#8 0x555ab6715483 in parse_object /home/elmarco/src/qq/qobject/json-parser.c:357
#9 0x555ab671798b in parse_value /home/elmarco/src/qq/qobject/json-parser.c:561
#10 0x555ab6717a6b in json_parser_parse_err /home/elmarco/src/qq/qobject/json-parser.c:592
#11 0x555ab4fd4dcf in handle_qmp_command /home/elmarco/src/qq/monitor.c:4257
#12 0x555ab6712c4d in json_message_process_token /home/elmarco/src/qq/qobject/json-streamer.c:105
#13 0x555ab67e01e2 in json_lexer_feed_char /home/elmarco/src/qq/qobject/json-lexer.c:323
#14 0x555ab67e0af6 in json_lexer_feed /home/elmarco/src/qq/qobject/json-lexer.c:373
#15 0x555ab6713010 in json_message_parser_feed /home/elmarco/src/qq/qobject/json-streamer.c:124
#16 0x555ab4fd58ec in monitor_qmp_read /home/elmarco/src/qq/monitor.c:4337
#17 0x555ab6559df2 in qemu_chr_be_write_impl /home/elmarco/src/qq/chardev/char.c:175
#18 0x555ab6559e95 in qemu_chr_be_write /home/elmarco/src/qq/chardev/char.c:187
#19 0x555ab6560127 in fd_chr_read /home/elmarco/src/qq/chardev/char-fd.c:66
#20 0x555ab65d9c73 in qio_channel_fd_source_dispatch /home/elmarco/src/qq/io/channel-watch.c:84
#21 0x7f8e26a598ac in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4c8ac)
Direct leak of 4120 byte(s) in 1 object(s) allocated from:
#0 0x7f913458ce50 in calloc (/lib64/libasan.so.5+0xeee50)
#1 0x7f9133fd641d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5241d)
#2 0x5561c6643c95 in qdict_crumple_test_recursive /home/elmarco/src/qq/tests/check-block-qdict.c:438
#3 0x7f9133ff7c49 (/lib64/libglib-2.0.so.0+0x73c49)
common.py:873:13: E129 visually indented line with same indent as next logical line
common.py:1766:5: E741 ambiguous variable name 'l'
common.py:1784:1: E305 expected 2 blank lines after class or function definition, found 1
common.py:1833:1: E305 expected 2 blank lines after class or function definition, found 1
common.py:1843:1: E305 expected 2 blank lines after class or function definition, found 1
visit.py:181:18: E127 continuation line over-indented for visual indent
Presumably 0.15 was the version it was first introduced, but
qmp keeps evolving. There is no point in having that version
as test prefix, 'qmp' makes more sense here.
Peter Maydell [Fri, 3 Aug 2018 08:52:29 +0000 (09:52 +0100)]
tests/vm: Bump guest RAM up from 2G to 4G
Currently we run the guests in a VM which is given only 2G of RAM.
Since the guests are configured without any swap space, builds
can fail because the system runs out of memory and kills the
compiler, especially if the job count is set for a lot of
parallelism. Bump the setting up from 2G to 4G to give us some
more headroom.
Peter Maydell [Fri, 3 Aug 2018 08:52:28 +0000 (09:52 +0100)]
tests/vm: Propagate V=1 down into the make inside the VM
Invoking 'make vm-build-freebsd' and friends with V=1 should
propagate that verbosity setting down into the build run
inside the VM. Make sure we do that. This brings it into
line with how the container tests handle V=1.
Peter Maydell [Fri, 3 Aug 2018 08:52:27 +0000 (09:52 +0100)]
tests/vm: Pass the jobs parallelism setting to 'make check'
Our test suite works for parallel execution too, and this can
noticeably speed up a test run; pass the 'jobs' setting to
it as well as to the build proper.
Not using snapshot has the benefit of automatically persisting useful
test harnesses, such as docker images and ccache database. Although it
will lose some cleanness, it is imaginably useful for patchew.
Fam Zheng [Thu, 9 Aug 2018 13:22:59 +0000 (21:22 +0800)]
aio: Do aio_notify_accept only during blocking aio_poll
An aio_notify() pairs with an aio_notify_accept(). The former should
happen in the main thread or a vCPU thread, and the latter should be
done in the IOThread.
There is one rare case that the main thread or vCPU thread may "steal"
the aio_notify() event just raised by itself, in bdrv_set_aio_context()
[1]. The sequence is like this:
[1] is problematic. It will clear the ctx->notifier event so that
the blocked ppoll() will not return.
(For the curious, this bug was noticed when booting a number of VMs
simultaneously in RHV. One or two of the VMs will hit this race
condition, making the VIRTIO device unresponsive to I/O commands. When
it hangs, Seabios is busy waiting for a read request to complete (read
MBR), right after initializing the virtio-blk-pci device, using 100%
guest CPU. See also https://bugzilla.redhat.com/show_bug.cgi?id=1562750
for the original bug analysis.)
aio_notify() only injects an event when ctx->notify_me is set,
correspondingly aio_notify_accept() is only useful when ctx->notify_me
_was_ set. Move the call to it into the "blocking" branch. This will
effectively skip [1] and fix the hang.
Furthermore, blocking aio_poll is only allowed on home thread
(in_aio_context_home_thread), because otherwise two blocking
aio_poll()'s can steal each other's ctx->notifier event and cause
hanging just like described above.
It is wrong to leave this field as 1, as nvme_close() called in the
error handling code in nvme_file_open() will use it and try to free
s->queues again.
Another problem is the cleaning ups are duplicated between the fail*
labels of nvme_init() and nvme_file_open(), which calls nvme_close().
A third problem is nvme_close() misses g_free() and
event_notifier_cleanup().
Similar to 79f24568e5e70, this fixes the following warnings:
CHK version_gen.h
LEX convert-dtsv0-lexer.lex.c
make[1]: flex: Command not found
BISON dtc-parser.tab.c
make[1]: bison: Command not found
LEX dtc-lexer.lex.c
make[1]: flex: Command not found
The pseudocode for this operation is an increment + compare loop,
so comparing <= the maximum integer produces an all-true predicate.
Rather than bound in both the inline code and the helper, pass the
helper the number of predicate bits to set instead of the number
of predicate elements to set.
Peter Maydell [Tue, 14 Aug 2018 16:17:22 +0000 (17:17 +0100)]
target/arm: Implement tailchaining for M profile cores
Tailchaining is an optimization in handling of exception return
for M-profile cores: if we are about to pop the exception stack
for an exception return, but there is a pending exception which
is higher priority than the priority we are returning to, then
instead of unstacking and then immediately taking the exception
and stacking registers again, we can chain to the pending
exception without unstacking and stacking.
For v6M and v7M it is IMPDEF whether tailchaining happens for pending
exceptions; for v8M this is architecturally required. Implement it
in QEMU for all M-profile cores, since in practice v6M and v7M
hardware implementations generally do have it.
(We were already doing tailchaining for derived exceptions which
happened during exception return, like the validity checks and
stack access failures; these have always been required to be
tailchained for all versions of the architecture.)
Peter Maydell [Tue, 14 Aug 2018 16:17:22 +0000 (17:17 +0100)]
target/arm: Restore M-profile CONTROL.SPSEL before any tailchaining
On exception return for M-profile, we must restore the CONTROL.SPSEL
bit from the EXCRET value before we do any kind of tailchaining,
including for the derived exceptions on integrity check failures.
Otherwise we will give the guest an incorrect EXCRET.SPSEL value on
exception entry for the tailchained exception.
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Initialize exc_secure correctly in do_v7m_exception_exit()
In do_v7m_exception_exit(), we use the exc_secure variable to track
whether the exception we're returning from is secure or non-secure.
Unfortunately the statement initializing this was accidentally
inside an "if (env->v7m.exception != ARMV7M_EXCP_NMI)" conditional,
which meant that we were using the wrong value for NMI handlers.
Move the initialization out to the right place.
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Improve exception-taken logging
Improve the exception-taken logging by logging in
v7m_exception_taken() the exception we're going to take
and whether it is secure/nonsecure.
This requires us to move logging at many callsites from after the
call to before it, so that the logging appears in a sensible order.
(This will make tail-chaining produce more useful logs; for the
current callers of v7m_exception_taken() we know which exception
we're going to take, so custom log messages at the callsite sufficed;
for tail-chaining only v7m_exception_taken() knows the exception
number that we're going to tail-chain to.)
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Treat SCTLR_EL1.M as if it were zero when HCR_EL2.TGE is set
One of the required effects of setting HCR_EL2.TGE is that when
SCR_EL3.NS is 1 then SCTLR_EL1.M must behave as if it is zero for
all purposes except direct reads. That is, it effectively disables
the MMU for the NS EL0/EL1 translation regime.
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Provide accessor functions for HCR_EL2.{IMO, FMO, AMO}
The IMO, FMO and AMO bits in HCR_EL2 are defined to "behave as
1 for all purposes other than direct reads" if HCR_EL2.TGE
is set and HCR_EL2.E2H is 0, and to "behave as 0 for all
purposes other than direct reads" if HCR_EL2.TGE is set
and HRC_EL2.E2H is 1.
To avoid having to check E2H and TGE everywhere where we test IMO and
FMO, provide accessors arm_hcr_el2_imo(), arm_hcr_el2_fmo()and
arm_hcr_el2_amo(). We don't implement ARMv8.1-VHE yet, so the E2H
case will never be true, but we include the logic to save effort when
we eventually do get to that.
(Note that in several of these callsites the change doesn't
actually make a difference as either the callsite is handling
TGE specially anyway, or the CPU can't get into that situation
with TGE set; we change everywhere for consistency.)
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Honour HCR_EL2.TGE when raising synchronous exceptions
Whene we raise a synchronous exception, if HCR_EL2.TGE is set then
exceptions targeting NS EL1 must be redirected to EL2. Implement
this in raise_exception() -- all synchronous exceptions go through
this function.
(Asynchronous exceptions go via arm_cpu_exec_interrupt(), which
already honours HCR_EL2.TGE when it determines the target EL
in arm_phys_excp_target_el().)
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Honour HCR_EL2.TGE and MDCR_EL2.TDE in debug register access checks
Some debug registers can be trapped via MDCR_EL2 bits TDRA, TDOSA,
and TDA, which we implement in the functions access_tdra(),
access_tdosa() and access_tda(). If MDCR_EL2.TDE or HCR_EL2.TGE
are 1, the TDRA, TDOSA and TDA bits should behave as if they were 1.
Implement this by having the access functions check MDCR_EL2.TDE
and HCR_EL2.TGE.
Peter Maydell [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
target/arm: Mask virtual interrupts if HCR_EL2.TGE is set
If the "trap general exceptions" bit HCR_EL2.TGE is set, we
must mask all virtual interrupts (as per DDI0487C.a D1.14.3).
Implement this in arm_excp_unmasked().
Luc Michel [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
xlnx-zynqmp: Improve GIC wiring and MMIO mapping
This commit improve the way the GIC is realized and connected in the
ZynqMP SoC. The security extensions are enabled only if requested in the
machine state. The same goes for the virtualization extensions.
All the GIC to APU CPU(s) IRQ lines are now connected, including FIQ,
vIRQ and vFIQ. The missing CPU to GIC timers IRQ connections are also
added (HYP and SEC timers).
The GIC maintenance IRQs are back-wired to the correct GIC PPIs.
Finally, the MMIO mappings are reworked to take into account the ZynqMP
specifics. The GIC (v)CPU interface is aliased 16 times:
* for the first 0x1000 bytes from 0xf9010000 to 0xf901f000
* for the second 0x1000 bytes from 0xf9020000 to 0xf902f000
Mappings of the virtual interface and virtual CPU interface are mapped
only when virtualization extensions are requested. The
XlnxZynqMPGICRegion struct has been enhanced to be able to catch all
this information.
Luc Michel [Tue, 14 Aug 2018 16:17:21 +0000 (17:17 +0100)]
intc/arm_gic: Improve traces
Add some traces to the ARM GIC to catch register accesses (distributor,
(v)cpu interface and virtual interface), and to take into account
virtualization extensions (print `vcpu` instead of `cpu` when needed).
Also add some virtualization extensions specific traces: LR updating
and maintenance IRQ generation.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Implement gic_update_virt() function
Add the gic_update_virt() function to update the vCPU interface states
and raise vIRQ and vFIQ as needed. This commit renames gic_update() to
gic_update_internal() and generalizes it to handle both cases, with a
`virt' parameter to track whether we are updating the CPU or vCPU
interfaces.
The main difference between CPU and vCPU is the way we select the best
IRQ. This part has been split into the gic_get_best_(v)irq functions.
For the virt case, the LRs are iterated to find the best candidate.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Wire the vCPU interface
Add the read/write functions to handle accesses to the vCPU interface.
Those accesses are forwarded to the real CPU interface, with the CPU id
being converted to the corresponding vCPU id (vCPU id = CPU id +
GIC_NCPU).
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Implement virtualization extensions in gic_cpu_(read|write)
Implement virtualization extensions in the gic_cpu_read() and
gic_cpu_write() functions. Those are the last bits missing to fully
support virtualization extensions in the CPU interface path.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Implement virtualization extensions in gic_(deactivate|complete_irq)
Implement virtualization extensions in the gic_deactivate_irq() and
gic_complete_irq() functions.
When the guest writes an invalid vIRQ to V_EOIR or V_DIR, since the
GICv2 specification is not entirely clear here, we adopt the behaviour
observed on real hardware:
* When V_CTRL.EOIMode is false (EOI split is disabled):
- In case of an invalid vIRQ write to V_EOIR:
-> If some bits are set in H_APR, an invalid vIRQ write to V_EOIR
triggers a priority drop, and increments V_HCR.EOICount.
-> If V_APR is already cleared, nothing happen
- An invalid vIRQ write to V_DIR is ignored.
* When V_CTRL.EOIMode is true:
- In case of an invalid vIRQ write to V_EOIR:
-> If some bits are set in H_APR, an invalid vIRQ write to V_EOIR
triggers a priority drop.
-> If V_APR is already cleared, nothing happen
- An invalid vIRQ write to V_DIR increments V_HCR.EOICount.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Implement virtualization extensions in gic_acknowledge_irq
Implement virtualization extensions in the gic_acknowledge_irq()
function. This function changes the state of the highest priority IRQ
from pending to active.
When the current CPU is a vCPU, modifying the state of an IRQ modifies
the corresponding LR entry. However if we clear the pending flag before
setting the active one, we lose track of the LR entry as it becomes
invalid. The next call to gic_get_lr_entry() will fail.
To overcome this issue, we call gic_activate_irq() before
gic_clear_pending(). This does not change the general behaviour of
gic_acknowledge_irq.
We also move the SGI case in gic_clear_pending_sgi() to enhance
code readability as the virtualization extensions support adds a if-else
level.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Implement virtualization extensions in gic_(activate_irq|drop_prio)
Implement virtualization extensions in gic_activate_irq() and
gic_drop_prio() and in gic_get_prio_from_apr_bits() called by
gic_drop_prio().
When the current CPU is a vCPU:
- Use GIC_VIRT_MIN_BPR and GIC_VIRT_NR_APRS instead of their non-virt
counterparts,
- the vCPU APR is stored in the virtual interface, in h_apr.
Add some helper functions to gic_internal.h to get or change the state
of an IRQ. When the current CPU is not a vCPU, the call is forwarded to
the GIC distributor. Otherwise, it acts on the list register matching
the IRQ in the current CPU virtual interface.
gic_clear_active can have a side effect on the distributor, even in the
vCPU case, when the correponding LR has the HW field set.
Use those functions in the CPU interface code path to prepare for the
vCPU interface implementation.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Refactor secure/ns access check in the CPU interface
An access to the CPU interface is non-secure if the current GIC instance
implements the security extensions, and the memory access is actually
non-secure. Until then, it was checked with tests such as
if (s->security_extn && !attrs.secure) { ... }
in various places of the CPU interface code.
With the implementation of the virtualization extensions, those tests
must be updated to take into account whether we are in a vCPU interface
or not. This is because the exposed vCPU interface does not implement
security extensions.
This commits replaces all those tests with a call to the
gic_cpu_ns_access() function to check if the current access to the CPU
interface is non-secure. This function takes into account whether the
current CPU is a vCPU or not.
Note that this function is used only in the (v)CPU interface code path.
The distributor code path is left unchanged, as the distributor is not
exposed to vCPUs at all.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Add virtualization extensions helper macros and functions
Add some helper macros and functions related to the virtualization
extensions to gic_internal.h.
The GICH_LR_* macros help extracting specific fields of a list register
value. The only tricky one is the priority field as only the MSB are
stored. The value must be shifted accordingly to obtain the correct
priority value.
gic_is_vcpu() and gic_get_vcpu_real_id() help with (v)CPU id manipulation
to abstract the fact that vCPU id are in the range
[ GIC_NCPU; (GIC_NCPU + num_cpu) [.
gic_lr_* and gic_virq_is_valid() help with the list registers.
gic_get_lr_entry() returns the LR entry for a given (vCPU, irq) pair. It
is meant to be used in contexts where we know for sure that the entry
exists, so we assert that entry is actually found, and the caller can
avoid the NULL check on the returned pointer.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Add the virtualization extensions to the GIC state
Add the necessary parts of the virtualization extensions state to the
GIC state. We choose to increase the size of the CPU interfaces state to
add space for the vCPU interfaces (the GIC_NCPU_VCPU macro). This way,
we'll be able to reuse most of the CPU interface code for the vCPUs.
The only exception is the APR value, which is stored in h_apr in the
virtual interface state for vCPUs. This is due to some complications
with the GIC VMState, for which we don't want to break backward
compatibility. APRs being stored in 2D arrays, increasing the second
dimension would lead to some ugly VMState description. To avoid
that, we keep it in h_apr for vCPUs.
The vCPUs are numbered from GIC_NCPU to (GIC_NCPU * 2) - 1. The
`gic_is_vcpu` function help to determine if a given CPU id correspond to
a physical CPU or a virtual one.
For the in-kernel KVM VGIC, since the exposed VGIC does not implement
the virtualization extensions, we report an error if the corresponding
property is set to true.
Luc Michel [Tue, 14 Aug 2018 16:17:20 +0000 (17:17 +0100)]
intc/arm_gic: Remove some dead code and put some functions static
Some functions are now only used in arm_gic.c, put them static. Some of
them where only used by the NVIC implementation and are not used
anymore, so remove them.
Luc Michel [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
intc/arm_gic: Implement GICD_ISACTIVERn and GICD_ICACTIVERn registers
Implement GICD_ISACTIVERn and GICD_ICACTIVERn registers in the GICv2.
Those registers allow to set or clear the active state of an IRQ in the
distributor.
Luc Michel [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
intc/arm_gic: Refactor operations on the distributor
In preparation for the virtualization extensions implementation,
refactor the name of the functions and macros that act on the GIC
distributor to make that fact explicit. It will be useful to
differentiate them from the ones that will act on the virtual
interfaces.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: Check whether TLB entry is RAM consistently with how we set it up
We set up TLB entries in tlb_set_page_with_attrs(), where we have
some logic for determining whether the TLB entry is considered
to be RAM-backed, and thus has a valid addend field. When we
look at the TLB entry in get_page_addr_code(), we use different
logic for determining whether to treat the page as RAM-backed
and use the addend field. This is confusing, and in fact buggy,
because the code in tlb_set_page_with_attrs() correctly decides
that rom_device memory regions not in romd mode are not RAM-backed,
but the code in get_page_addr_code() thinks they are RAM-backed.
This typically results in "Bad ram pointer" assertion if the
guest tries to execute from such a memory region.
Fix this by making get_page_addr_code() just look at the
TLB_MMIO bit in the code_address field of the TLB, which
tlb_set_page_with_attrs() sets if and only if the addend
field is not valid for code execution.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
target/arm: Allow execution from small regions
Now that we have full support for small regions, including execution,
we can remove the workarounds where we marked all small regions as
non-executable for the M-profile MPU and SAU.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: Return -1 for execution from MMIO regions in get_page_addr_code()
Now that all the callers can handle get_page_addr_code() returning -1,
remove all the code which tries to handle execution from MMIO regions
or small-MMU-region RAM areas. This will mean that we can correctly
execute from these areas, rather than ending up either aborting QEMU
or delivering an incorrect guest exception.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: tb_gen_code(): Create single-insn TB for execution from non-RAM
If get_page_addr_code() returns -1, this indicates that there is no RAM
page we can read a full TB from. Instead we must create a TB which
contains a single instruction and which we do not cache, so it is
executed only once.
Since this means we can now have TBs which are not in any page list,
we also need to make tb_phys_invalidate() handle them (by not trying
to remove them from a nonexistent page list).
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: Handle get_page_addr_code() returning -1 in tb_check_watchpoint()
When we support execution from non-RAM MMIO regions, get_page_addr_code()
will return -1 to indicate that there is no RAM at the requested address.
Handle this in tb_check_watchpoint() -- if the exception happened for a
PC which doesn't correspond to RAM then there is no need to invalidate
any TBs, because the one-instruction TB will not have been cached.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: Handle get_page_addr_code() returning -1 in hashtable lookups
When we support execution from non-RAM MMIO regions, get_page_addr_code()
will return -1 to indicate that there is no RAM at the requested address.
Handle this in the cpu-exec TB hashtable lookup code, treating it as
"no match found".
Note that the call to get_page_addr_code() in tb_lookup_cmp() needs
no changes -- a return of -1 will already correctly result in the
function returning false.
Peter Maydell [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
accel/tcg: Pass read access type through to io_readx()
The io_readx() function needs to know whether the load it is
doing is an MMU_DATA_LOAD or an MMU_INST_FETCH, so that it
can pass the right value to the cpu_transaction_failed()
function. Plumb this information through from the softmmu
code.
This is currently not often going to give the wrong answer,
because usually instruction fetches go via get_page_addr_code().
However once we switch over to handling execution from non-RAM by
creating single-insn TBs, the path for an insn fetch to generate
a bus error will be through cpu_ld*_code() and io_readx(),
so without this change we will generate a d-side fault when we
should generate an i-side fault.
We also have to pass the access type via a CPU struct global
down to unassigned_mem_read(), for the benefit of the targets
which still use the cpu_unassigned_access() hook (m68k, mips,
sparc, xtensa).
Julia Suvorova [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
nvic: Change NVIC to support ARMv6-M
The differences from ARMv7-M NVIC are:
* ARMv6-M only supports up to 32 external interrupts
(configurable feature already). The ICTR is reserved.
* Active Bit Register is reserved.
* ARMv6-M supports 4 priority levels against 256 in ARMv7-M.
Julia Suvorova [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
arm: Add ARMv6-M programmer's model support
Forbid stack alignment change. (CCR)
Reserve FAULTMASK, BASEPRI registers.
Report any fault as a HardFault. Disable MemManage, BusFault and
UsageFault, so they always escalated to HardFault. (SHCSR)
Julia Suvorova [Tue, 14 Aug 2018 16:17:19 +0000 (17:17 +0100)]
nvic: Handle ARMv6-M SCS reserved registers
Handle SCS reserved registers listed in ARMv6-M ARM D3.6.1.
All reserved registers are RAZ/WI. ARM_FEATURE_M_MAIN is used for the
checks, because these registers are reserved in ARMv8-M Baseline too.
virtio-gpu: fix crashes upon warm reboot with vga mode
With vga=775 on the Linux command line a first boot of the VM running
Linux works fine. After a warm reboot it crashes during Linux boot.
Before that, valgrind points out bad memory write to console
surface. The VGA code is not aware that virtio-gpu got a message
surface scanout when the display is disabled. Let's reset VGA graphic
mode when it is the case, so that a new display surface is created
when doing further VGA operations.
Peter Maydell [Tue, 7 Aug 2018 11:45:01 +0000 (12:45 +0100)]
slirp: Correct size check in m_inc()
The data in an mbuf buffer is not necessarily at the start of the
allocated buffer. (For instance m_adj() allows data to be trimmed
from the start by just advancing the pointer and reducing the length.)
This means that the allocated buffer size (m->m_size) and the
amount of space from the m_data pointer to the end of the
buffer (M_ROOM(m)) are not necessarily the same.
Commit 864036e251f54c9 tried to change the m_inc() function from
taking the new allocated-buffer-size to taking the new room-size,
but forgot to change the initial "do we already have enough space"
check. This meant that if we were trying to extend a buffer which
had a leading gap between the buffer start and the data, we might
incorrectly decide it didn't need to be extended, and then
overrun the end of the buffer, causing memory corruption and
an eventual crash.
Change the "already big enough?" condition from checking the
argument against m->m_size to checking against M_ROOM().
This only makes a difference for the callsite in m_cat();
the other three callsites all start with a freshly allocated
mbuf from m_get(), which will have m->m_size == M_ROOM(m).
Thomas Huth [Thu, 19 Jul 2018 13:02:00 +0000 (15:02 +0200)]
target/xtensa/cpu: Set owner of memory region in xtensa_cpu_initfn
The instance_init function of the xtensa CPUs creates a memory region,
but does not set an owner, so the memory region is not destroyed
correctly when the CPU object is removed. This can happen when
introspecting the CPU devices, so introspecting the CPU device will
leave a dangling memory region object in the QOM tree. Make sure to
set the right owner here to fix this issue.
Peter Maydell [Mon, 6 Aug 2018 12:34:45 +0000 (13:34 +0100)]
hw/intc/arm_gicv3_common: Move gicd shift bug handling to gicv3_post_load
The code currently in gicv3_gicd_no_migration_shift_bug_post_load()
that handles migration from older QEMU versions with a particular
bug is misplaced. We need to run this after migration in all cases,
not just the cases where the "arm_gicv3/gicd_no_migration_shift_bug"
subsection is present, so it must go in a post_load hook for the
top level VMSD, not for the subsection. Move it.
Peter Maydell [Mon, 6 Aug 2018 12:34:44 +0000 (13:34 +0100)]
hw/intc/arm_gicv3_common: Move post_load hooks to top-level VMSD
Contrary to the the impression given in docs/devel/migration.rst,
the migration code does not run the pre_load hook for a
subsection unless the subsection appears on the wire, and so
this is not a place where you can set the default value for
state for the "subsection not present" case. Instead this needs
to be done in a pre_load hook for whatever is the parent VMSD
of the subsection.
We got this wrong in two of the subsection definitions in
the GICv3 migration structs; fix this.
projects / qemu.git / log