Paolo Bonzini [Mon, 17 Dec 2018 16:32:38 +0000 (17:32 +0100)]
usb: move ehci_create_ich9_with_companions to hw/i386
This function is only needed when Q35 is in use. Moving it to
the same file that uses it lets you disable the entire USB
subsystem in x86_64-softmmu.mak; of course doing that will
cause -usb to break horribly, but one thing at a time.
Hongbo Zhang [Sat, 29 Dec 2018 10:00:57 +0000 (18:00 +0800)]
hw/usb: Add generic sys-bus EHCI controller
This patch introduces a new system bus generic EHCI controller.
For the system bus EHCI controller, we already have "xlnx",
"exynos4210", "tegra2", "ppc4xx" and "fusbh200"; they are specific and
only suitable for their own platforms. Platforms such as an Arm server
may need a generic system bus EHCI controller, so this patch creates it,
and the kernel driver ehci_platform.c works well on it.
Jonathan Davies [Mon, 7 Jan 2019 17:51:40 +0000 (17:51 +0000)]
usb: drop unnecessary usb_device_post_load checks
In usb_device_post_load, certain values of dev->setup_len or
dev->setup_index can cause -EINVAL to be returned. One example is when
setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf).
This can happen through legitimate guest activity and will cause all
subsequent attempts to migrate the guest to fail in vmstate_load_state.
The values of these variables can be set by USB packets originating in
the guest. There are two ways in which they can be set: in
do_token_setup and in do_parameter in hw/usb/core.c.
It is easy to craft a USB packet in a guest that causes do_token_setup
to set setup_len to a value larger than 4096. When this has been done
once, all subsequent attempts to migrate the VM will fail in
usb_device_post_load until the VM is next power-cycled or a
smaller-sized USB packet is sent to the device.
Sample code for achieving this in a VM started with "-device usb-tablet"
running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096:
    #include <fcntl.h>
    #include <unistd.h>

    int main() {
        char buf[4097];
        int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK);
        buf[0] = 0x1;           /* report ID */
        write(fd, buf, 4097);   /* one byte more than sizeof(dev->data_buf) */
        return 0;
    }
When this code is run in the VM, qemu will output:
usb_generic_handle_packet: ctrl buffer too small (4097 > 4096)
A subsequent attempt to migrate the VM will fail and output the
following on the destination host:
qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr'
qemu-kvm: load of migration failed: Invalid argument
The idea behind checking the values of setup_len and setup_index before
they are used is correct, but doing it in usb_device_post_load feels
arbitrary, and will cause unnecessary migration failures. Indeed, none
of the commit messages for c60174e8, 9f8e9895 and 719ffe1f justify why
post_load is the right place to do these checks. They correctly point
out that the important thing to protect is the usb_packet_copy.
Instead, the right place to do the checks is in do_token_setup and
do_parameter. Indeed, there are already some checks here. We can examine
each of the disjuncts currently tested in usb_device_post_load to see
whether any need adding to do_token_setup or do_parameter to improve
safety there:
* dev->setup_index < 0
- This test is not needed because setup_index is explicitly set to
0 in do_token_setup and do_parameter.
* dev->setup_len < 0
- In both do_token_setup and do_parameter, the value of setup_len
is computed by (s->setup_buf[7] << 8) | s->setup_buf[6]. Since
s->setup_buf is a byte array and setup_len is an int32_t, it's
impossible for this arithmetic to set setup_len's top bit, so it can
never be negative.
* dev->setup_index > dev->setup_len
- Since setup_index is 0, this is equivalent to the previous test,
so is redundant.
* dev->setup_len > sizeof(dev->data_buf)
- This condition is already explicitly checked in both
do_token_setup and do_parameter.
Hence there is no need to bolster the existing checks in do_token_setup
or do_parameter, and we can safely remove these checks from
usb_device_post_load without reducing safety but allowing migrations to
proceed regardless of what USB packets have been generated by the guest.
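As an added illustration of the argument above (model code written for this page, not QEMU's hw/usb/core.c; the struct and function names are stand-ins that mirror the real ones), the following shows why setup_len can never be negative, where the data_buf bound check belongs, and how a refused oversized request still leaves behind a setup_len that the old post_load check rejected on every later migration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t setup_buf[8];
    int32_t setup_len;
    int32_t setup_index;
    uint8_t data_buf[4096];
} ModelDevice;

/* Model of do_token_setup(): setup_len comes from two unsigned bytes, so it
 * lies in 0..65535 and can never be negative; the only check that matters
 * is the one against data_buf. Returns 0 on success, -1 for a STALL. */
int model_do_token_setup(ModelDevice *dev, const uint8_t pkt[8])
{
    memcpy(dev->setup_buf, pkt, 8);
    dev->setup_index = 0;
    dev->setup_len = (dev->setup_buf[7] << 8) | dev->setup_buf[6];
    if (dev->setup_len > (int32_t)sizeof(dev->data_buf)) {
        /* Refused before any copy, but the oversized setup_len stays in the
         * device state; that stale value is what the old post_load tripped on. */
        fprintf(stderr, "ctrl buffer too small (%d > %zu)\n", dev->setup_len, sizeof(dev->data_buf));
        return -1;
    }
    return 0;
}

/* Model of the pre-patch usb_device_post_load() test that the commit removes. */
int old_post_load_check(const ModelDevice *dev)
{
    if (dev->setup_index < 0 || dev->setup_len < 0 ||
        dev->setup_index > dev->setup_len ||
        dev->setup_len > (int32_t)sizeof(dev->data_buf)) {
        return -22;  /* -EINVAL: the migration fails on the destination */
    }
    return 0;
}

/* Scenario from the commit: one control request with wLength bytes, then a
 * migration attempt. Returns the post_load result (0 or -22). */
int model_post_load_after(uint16_t wLength)
{
    ModelDevice dev = { .setup_len = 0 };
    uint8_t pkt[8] = { 0 };                          /* constructed setup packet */
    pkt[6] = wLength & 0xff; pkt[7] = wLength >> 8;  /* wLength, little-endian */
    model_do_token_setup(&dev, pkt);
    return old_post_load_check(&dev);
}
```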
hw: ccid-card-emulated: cleanup resource when realize in error path
The emulated_realize method was changed so that it jumps to a cleanup
label to de-initialize state upon error. This change failed to ensure
the success path exited the method before this point though. So the
mutexes are always destroyed even in normal operation. The result is
as crashtastic as expected:
Li Qiang [Wed, 21 Nov 2018 05:10:25 +0000 (21:10 -0800)]
fw_cfg: Fix -boot reboot-timeout error checking
fw_cfg_reboot() gets option parameter "reboot-timeout" with
qemu_opt_get(), then converts it to an integer by hand. It neglects to
check that conversion for errors, and fails to reject negative values.
Positive values above the limit get reported and replaced by the limit.
This patch checks for conversion errors properly, and rejects all values
outside 0...0xffff.
Li Qiang [Wed, 21 Nov 2018 05:10:24 +0000 (21:10 -0800)]
fw_cfg: Fix -boot bootsplash error checking
fw_cfg_bootsplash() gets option parameter "splash-time"
with qemu_opt_get(), then converts it to an integer by hand.
It neglects to check that conversion for errors. This is
needlessly complicated and error-prone. But as "splash-time
not specified" is not the same as "splash-time=T" for any T,
we need to use qemu_opt_get() to check if splash time exists.
This patch also makes QEMU exit when finding or loading the
splash file fails.
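The two fw_cfg fixes above both replace a hand-rolled string-to-integer conversion with one that reports errors. As an added example (not QEMU's fw_cfg code; parse_bounded_opt and parse_reboot_timeout are hypothetical names), this is the strict parser a practitioner would want for an option such as -boot reboot-timeout=N with the 0...0xffff range the commit specifies:

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Parses str as a decimal integer and stores it in *out if it lies within
 * [lo, hi]. Returns 0 on success and -1 for: not specified (NULL), empty,
 * leading whitespace, trailing junk, overflow, or a value out of range. */
int parse_bounded_opt(const char *str, long lo, long hi, long *out)
{
    char *end;
    long v;

    if (str == NULL || *str == '\0' || isspace((unsigned char)*str)) {
        return -1;
    }
    errno = 0;
    v = strtol(str, &end, 10);
    if (errno == ERANGE || *end != '\0') {
        return -1;   /* overflow, or trailing junk such as "12abc" */
    }
    if (v < lo || v > hi) {
        return -1;   /* negative, or above the 0xffff limit */
    }
    *out = v;
    return 0;
}

/* reboot-timeout with the 0...0xffff range from the commit message.
 * Returns the parsed value, or -1 when the option must be rejected. */
long parse_reboot_timeout(const char *str)
{
    long v;
    return parse_bounded_opt(str, 0, 0xffff, &v) == 0 ? v : -1;
}
```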
Li Qiang [Thu, 1 Nov 2018 06:02:28 +0000 (23:02 -0700)]
fw_cfg: Improve error message when can't load splash file
read_splashfile() reports "failed to read splash file" without
further details. Get the details from g_file_get_contents(), and
include them in the error message. Also remove unnecessary 'res'
variable.
Peter Maydell [Fri, 4 Jan 2019 13:22:51 +0000 (13:22 +0000)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request
Bug fixes for the .dmg image file format.
# gpg: Signature made Fri 04 Jan 2019 11:21:18 GMT
# gpg: using RSA key 9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
dmg: don't skip zero chunk
dmg: use enumeration type instead of hard coding number
dmg: fix binary search
dmg: Fixing wrong dmg block type value for block terminator.
yuchenlin [Thu, 3 Jan 2019 11:47:00 +0000 (19:47 +0800)]
dmg: don't skip zero chunk
The dmg file has many tables which describe: "start from sector XXX to
sector XXX, the compression method is XXX and where the compressed data
resides on".
Each sector in the expanded file should be covered by a table. The table
will describe the offset of compressed data (or raw depends on the type)
in the dmg.
For example:
[-----------The expanded file------------]
[---bzip table ---]/* zeros */[---zlib---]
^
| if we want to read this sector.
we will find the bzip table which contains this sector, get the
compressed data offset, read it from the dmg, uncompress it, and finally
write it to the expanded file.
If we skip the zero chunk (table), some sectors cannot find their table,
which will cause search_chunk() to return s->n_chunks, dmg_read_chunk()
to return -1 and finally dmg_co_preadv() to return EIO.
See:
[-----------The expanded file------------]
[---bzip table ---]/* zeros */[---zlib---]
^
| if we want to read this sector.
Oops, we cannot find the table that contains it...
In the original implementation, we don't have a zero table. When we try
to read a sector inside the zero chunk, we will get EIO and skip reading.
After this patch, we treat the zero chunk the same as the ignore chunk:
it will directly write zeros, so that no sector fails to find its table.
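The lookup failure described above, as an added model (written for this page, not QEMU's block/dmg.c; the chunk tables are constructed to match the diagram and the type tags are model values, not on-disk dmg block types): search_chunk() returns n_chunks for a sector no table covers, read_sector() then returns -EIO, and keeping the zero chunk in the table turns that into a plain zero-fill.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
enum { CHUNK_ZERO, CHUNK_IGNORE, CHUNK_BZ2, CHUNK_ZLIB }; /* model tags, not on-disk values */
typedef struct { int type; uint64_t sector, count; } Chunk;   /* sectors covered */
typedef struct { const Chunk *chunks; unsigned n_chunks; } DmgModel;

/* Constructed tables matching the diagram above (bzip2, zeros, zlib; eight
 * sectors each). The second one omits the zero chunk, as the old parser did. */
static const Chunk full_table[3] = { { CHUNK_BZ2, 0, 8 }, { CHUNK_ZERO, 8, 8 }, { CHUNK_ZLIB, 16, 8 } };
static const Chunk skipped_table[2] = { { CHUNK_BZ2, 0, 8 }, { CHUNK_ZLIB, 16, 8 } };

/* Binary search for the chunk covering sector_num; returns n_chunks when no
 * table covers it. Chunks are sorted by start sector and do not overlap. */
unsigned search_chunk(const DmgModel *s, uint64_t sector_num)
{
    unsigned lo = 0, hi = s->n_chunks;
    while (lo < hi) {
        unsigned mid = lo + (hi - lo) / 2;
        if (sector_num < s->chunks[mid].sector) {
            hi = mid;
        } else if (sector_num >= s->chunks[mid].sector + s->chunks[mid].count) {
            lo = mid + 1;
        } else {
            return mid;
        }
    }
    return s->n_chunks;
}

/* Reads one 512-byte sector: -EIO when no chunk covers it, zero-fill for zero
 * and ignore chunks, and a stand-in pattern where real code would decompress. */
int read_sector(const DmgModel *s, uint64_t sector_num, uint8_t buf[512])
{
    unsigned idx = search_chunk(s, sector_num);
    if (idx == s->n_chunks) {
        return -EIO;
    }
    int t = s->chunks[idx].type;
    memset(buf, (t == CHUNK_ZERO || t == CHUNK_IGNORE) ? 0x00 : 0xAA, 512);
    return 0;
}

/* Reads sector_num through the old table (zero chunk skipped) or the fixed one. */
int read_result(int skip_zero, uint64_t sector_num)
{
    DmgModel s = skip_zero ? (DmgModel){ skipped_table, 2 } : (DmgModel){ full_table, 3 };
    uint8_t buf[512];
    return read_sector(&s, sector_num, buf);
}
```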
Julio Faracco [Fri, 28 Dec 2018 14:50:55 +0000 (12:50 -0200)]
dmg: Fixing wrong dmg block type value for block terminator.
This is a trivial patch to fix a wrong value for block terminator.
The old value was 0x7fffffff which is wrong. It was not affecting the
code because QEMU dmg block is not handling block terminator right now.
Nevertheless, it should be fixed.
Peter Maydell [Fri, 4 Jan 2019 10:11:18 +0000 (10:11 +0000)]
Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-december-2018-v3' into staging
MIPS queue for December 2018 - v3
# gpg: Signature made Thu 03 Jan 2019 16:53:47 GMT
# gpg: using RSA key D4972A8967F75A65
# gpg: Good signature from "Aleksandar Markovic <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8526 FBF1 5DA3 811F 4A01 DD75 D497 2A89 67F7 5A65
* remotes/amarkovic/tags/mips-queue-december-2018-v3: (44 commits)
tests/tcg: mips: Test R5900 three-operand MADDU1
tests/tcg: mips: Test R5900 three-operand MADDU
tests/tcg: mips: Test R5900 three-operand MADD1
tests/tcg: mips: Test R5900 three-operand MADD
disas: nanoMIPS: Add a note on documentation
disas: nanoMIPS: Reorder declarations and definitions of gpr decoders
disas: nanoMIPS: Comment the decoder of 'gpr1' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr1' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr2.reg2' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr2.reg2' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr2.reg1' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr2.reg1' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr4.zero' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr4.zero' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr4' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr4' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr3.src.store' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr3.src.store' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr3' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr3' gpr encoding type
...
Fix order of extraction function invocations so that extraction
goes from MSB side to LSB side of the given instruction coding
content. This is desirable because of consistency and easier
visual spotting of errors.
After this patch, all such invocations should be in the desired
order.
Fix order of extraction function invocations so that extraction
goes from MSB side to LSB side of the given instruction coding
content. This is desirable because of consistency and easier
visual spotting of errors.
target/mips: MXU: Add handlers for logic instructions
Add translation handlers for four logic MXU instructions.
It should be noted that there is an error in MXU documentation (dated
June 2017) regarding opcodes for this group of instructions. This was
confirmed by running tests on hardware, and also by looking up other
related public source trees (binutils, Android NDK). In initial MXU
patches to QEMU, opcodes for MXU logic instructions were created to
be in accordance with the MXU documentation, therefore the error from
was propagated. This patch corrects that, changing the involved code.
Besides that, as MXU was designed and implemented only for 32-bit
CPUs, corresponding preprocessor conditions were added around MXU
code, which allows more flexible implementation of MXU handlers.
target/mips: MXU: Add generic naming for optn2 constants
Add generic naming involving generic suffixes OPTN0, OPTN1, OPTN2,
OPTN3 for four optn2 constants. Existing suffixes WW, LW, HW, XW
are not quite appropriate for some instructions using optn2.
target/mips: MXU: Add missing opcodes/decoding for LX* instructions
Add missing opcodes and decoding engine for LXB, LXH, LXW, LXBU,
and LXHU instructions. They were for some reason forgotten in
previous commits. The MXU opcode list and decoding engine should
be now complete.
Paul Burton [Thu, 27 Dec 2018 15:32:11 +0000 (16:32 +0100)]
atomics: Set ATOMIC_REG_SIZE=8 for MIPS n32
ATOMIC_REG_SIZE is currently defined as the default sizeof(void *) for
all MIPS host builds, including those using the n32 ABI. n32 is the
MIPS64 ILP32 ABI and as such tcg/mips/tcg-target.h defines
TCG_TARGET_REG_BITS as 64 for n32 builds. If we attempt to build QEMU
for an n32 host with support for a 64b target architecture then
TCG_OVERSIZED_GUEST is 0 and accel/tcg/cputlb.c attempts to use
atomic_* functions. This fails because ATOMIC_REG_SIZE is 4, causing
the calls to QEMU_BUILD_BUG_ON(sizeof(*ptr) > ATOMIC_REG_SIZE) in the
various atomic_* functions to generate errors.
Fix this by defining ATOMIC_REG_SIZE as 8 for all MIPS64 builds, which
will cover both n32 (ILP32) & n64 (LP64) ABIs in much the same way as
we already do for x86_64/x32.
MAINTAINERS: Add Aleksandar Rikalo as a reviewer for MIPS content
Add Aleksandar Rikalo as a reviewer for MIPS content. Aleksandar
brings to us more than six years of experience in working on a variety
of development tools for MIPS architectures, and will greatly help
the QEMU community understand and support the intricacies of MIPS better.
Future nanoMIPS user mode will also have its .mak file, and
because of that "*mips*" was used instead of "mips*" as a
shorthand in the new item in MAINTAINERS.
Peter Maydell [Thu, 3 Jan 2019 13:26:30 +0000 (13:26 +0000)]
Merge remote-tracking branch 'remotes/palmer/tags/riscv-for-master-3.2-part1' into staging
RISC-V Changes for 3.2, Part 1
This pull request contains the first set of RISC-V patches I'd like to
target for the 3.2 development cycle. It's really just a collection of
bug fixes with one major new feature: PCIe can now be attached to RISC-V
guests.
This has passed my usual test of booting the latest Linux RC into a
Fedora disk image on the virt machine.
# gpg: Signature made Fri 21 Dec 2018 16:01:29 GMT
# gpg: using RSA key EF4CA1502CCBAB41
# gpg: Good signature from "Palmer Dabbelt <[email protected]>"
# gpg: aka "Palmer Dabbelt <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 00CE 76D1 8349 60DF CE88 6DF8 EF4C A150 2CCB AB41
* remotes/palmer/tags/riscv-for-master-3.2-part1:
MAINTAINERS: Mark RISC-V as Supported
riscv/cpu: use device_class_set_parent_realize
target/riscv/pmp.c: Fix pmp_decode_napot()
sifive_uart: Implement interrupt pending register
RISC-V: Enable second UART on sifive_e and sifive_u
RISC-V: Fix PLIC pending bitfield reads
RISC-V: Fix CLINT timecmp low 32-bit writes
RISC-V: Add hartid and \n to interrupt logging
sifive_u: Set 'clock-frequency' DT property for SiFive UART
sifive_u: Add clock DT node for GEM ethernet
riscv: Enable VGA and PCIE_VGA
hw/riscv/virt: Connect the gpex PCIe
hw/riscv/virt: Adjust memory layout spacing
hw/riscv/virt: Increase the number of interrupts
Free the argument register only after we have verified that the
temporary is not already in that register. This case is likely
now that we are back propagating the preferred register.
Use this to notice the opcodes that exit the TB, which implies
that local temps are really dead and need not be synced.
Previously we so marked the true end of the TB, but that was
immediately overwritten by the la_bb_end invoked by any
TCG_OPF_BB_END opcode, like exit_tb.
No need for a "tcg_" prefix for a static function; we already
have another "la_" prefix for indicating liveness analysis.
Pass in nb_globals and nb_temps, as we will already have them
in registers for other loops within the parent function.
tcg: Improve register allocation for matching constraints
Try harder to honor the output_pref. When we're forced to allocate
a second register for the input, it does not need to use the input
constraint; that will be honored by the register we allocate for the
output and a move is already required.
Allocate storage for, but do not yet fill in, per-opcode
preferences for the output operands. Pass it in to the
register allocation routines for output operands.
This new argument will aid register allocation by indicating how
the temporary will be used in future. If the preference cannot
be satisfied, fall back to the constraints of the current insn.
Short circuit the preference when it cannot be satisfied or if
it does not further constrain the operation.
With an eye toward optimizing function call sequences, optimize
for the preferred_reg set containing a single register.
Delete trivially dead code that follows unconditional branches and
noreturn helpers. These can occur either via optimization or via
the structure of a target's translator following an exception.
In file included from /usr/include/signal.h:306,
from include/qemu/osdep.h:101,
from disas/microblaze.c:36:
/usr/include/riscv64-linux-gnu/sys/ucontext.h:36: note: this is the location of the previous definition
# define REG_SP 2