| Age | Commit message (Collapse) | Author |
|---|
|
According to TLFS, Hyper-V guest is supposed to check
HV_HYPERCALL_AVAILABLE privilege bit before accessing
HV_X64_MSR_GUEST_OS_ID/HV_X64_MSR_HYPERCALL MSRs but at least some
Windows versions ignore that. As KVM is very permissive and allows
accessing these MSRs unconditionally, no issue is observed. We may,
however, want to tighten the checks eventually. Conforming to the
spec is probably also a good idea.
Enable HV_HYPERCALL_AVAILABLE bit unconditionally.
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210608120817.1325125-8-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
hv_cpuid_check_and_set() does too much:
- Checks if the feature is supported by KVM;
- Checks if all dependencies are enabled;
- Sets the feature bit in cpu->hyperv_features for 'passthrough' mode.
To reduce the complexity, move all the logic except for dependencies
check out of it. Also, in 'passthrough' mode we don't really need to
check dependencies because KVM is supposed to provide a consistent
set anyway.
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210608120817.1325125-7-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
To make Hyper-V features appear in e.g. QMP query-cpu-model-expansion we
need to expand and set the corresponding CPUID leaves early. Modify
x86_cpu_get_supported_feature_word() to call newly intoduced Hyper-V
specific kvm_hv_get_supported_cpuid() instead of
kvm_arch_get_supported_cpuid(). We can't use kvm_arch_get_supported_cpuid()
as Hyper-V specific CPUID leaves intersect with KVM's.
Note, early expansion will only happen when KVM supports system wide
KVM_GET_SUPPORTED_HV_CPUID ioctl (KVM_CAP_SYS_HYPERV_CPUID).
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210608120817.1325125-6-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
Return 'false' when hyperv_expand_features() sets an error.
No functional change intended.
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210608120817.1325125-5-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
Currently, the only eVMCS version, supported by KVM (and described in TLFS)
is '1'. When Enlightened VMCS feature is enabled, QEMU takes the supported
eVMCS version range (from KVM_CAP_HYPERV_ENLIGHTENED_VMCS enablement) and
puts it to guest visible CPUIDs. When (and if) eVMCS ver.2 appears a
problem on migration is expected: it doesn't seem to be possible to migrate
from a host supporting eVMCS ver.2 to a host, which only support eVMCS
ver.1.
Hardcode eVMCS ver.1 as the result of 'hv-evmcs' enablement for now. Newer
eVMCS versions will have to have their own enablement options (e.g.
'hv-evmcs=2').
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20210608120817.1325125-4-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
Clarify the fact that 'hv-passthrough' only enables features which are
already known to QEMU and that it overrides all other 'hv-*' settings.
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210608120817.1325125-3-vkuznets@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
Updated running scripts/update-syscalltbl.sh
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20210708215756.268805-4-laurent@vivier.eu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Updated running scripts/update-mips-syscall-args.sh
scripts/update-mips-syscall-args.sh has been updated to reflect
file directory changes in strace repository.
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20210708215756.268805-3-laurent@vivier.eu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Automatically generated using scripts/gensyscalls.sh
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Message-Id: <20210708215756.268805-2-laurent@vivier.eu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging
Pull request
# gpg: Signature made Mon 12 Jul 2021 17:49:46 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full]
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha-gitlab/tags/tracing-pull-request:
trace, lttng: require .pc files
trace/simple: add st_init_group
trace/simple: pass iter to st_write_event_mapping
trace: add trace_event_iter_init_group
trace: iter init tweaks
qemu-trace-stap: changing SYSTEMTAP_TAPSET considered harmful.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
The switch case of writing PCI 1 IO base address had an extra break
statement that made part of the code unreachable. This did not cause a
problem as guests ususally leave this register at its default value.
Fixes: dcdf98a9015 ("Add emulation of Marvell MV64361 PPC system
controller")
Reported-by: Coverity (CID 1458135)
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <20210712131259.B705B7456E3@zero.eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
|
This is all about TPM fixes and improvements.
The change log is:
Alexey Kardashevskiy (2):
tcgbios: Fix warnings
version: update to 20210711
Stefan Berger (9):
tcgbios: Fix details in log entries
tcgbios: Fix a typo in the sha256 algo description
tcgbios: Add implementations for sha1, sha384, and sha512
tpm: Add firmware API call 2HASH-EXT-LOG
tcgbios: Change format of S_CRTM_VERSION string to ucs-2
tcgbios: Use assembly for 32 bit rotr in sha256
tcgbios: Use The proper sha function for each PCR bank
tcgbios: Add test cases and test script to run them
Travis: Add script for running tests on Travis
Thomas Huth (1):
Fix bad header guard in version.h
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
|
Linux needs setprop to fix up the device tree, otherwise it's not
finding devices and cannot boot. Since recent VOF change now we need
to add a callback to allow this which is what this patch does.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <20210709132920.6544E7457EF@zero.eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
|
SD/MMC patches queue
- sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)
# gpg: Signature made Mon 12 Jul 2021 11:28:13 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd/tags/sdmmc-20210712:
hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)
hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses
hw/sd/sdcard: When card is in wrong state, log which state it is
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
The mapping from file-descriptors to translator functions is not guarded
on realloc which may cause invalid function pointers to be read from a
previously deallocated mapping.
Signed-off-by: Owen Anderson <oanderso@google.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20210701221255.107976-1-oanderso@google.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Now than target_to_host_errno() always return an errno, we can
remove the unused and arbitrary ERRNO_TABLE_SIZE definition.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210708170550.1846343-9-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Convert the host_to_target_errno_table[] array to a switch
case to allow compiler optimizations (such noticing the identity
function when host and guest errnos match). Extract the errnos
list as to a new includible unit, using a generic macro. Remove
the code related to target_to_host_errno_table[] initialization.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210708170550.1846343-8-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-7-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-6-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-5-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
We want to access the target errno indepently of the rest of the
linux-user code. Move the header containing the generic errno
definitions ('errno_defs.h') to 'generic/target_errno_defs.h',
create a new 'target_errno_defs.h' in each target which itself
includes 'generic/target_errno_defs.h'.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-4-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
We want to have one generic target_errno.h (API to access target
errno), and will add target errno definitions in target_errno_defs.h.
The sparc target already have its errnos in an header, simply rename
it.
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-3-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
Affected targets: alpha, hppa, mips/64, sparc
Fixes: fe8ed7d5794 ("linux-user: Handle ERFKILL and EHWPOISON")
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210708170550.1846343-2-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
|
|
into staging
s390x updates:
- add gen16 cpumodels
- refactor/cleanup some code
- bugfixes
# gpg: Signature made Thu 08 Jul 2021 12:26:21 BST
# gpg: using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1
# gpg: issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg: aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF
# Subkey fingerprint: 69A3 B536 F5CB FC65 2080 26C1 DE88 BB56 41DE 66C1
* remotes/cohuck-gitlab/tags/s390x-20210708:
target/s390x: split sysemu part of cpu models
target/s390x: move kvm files into kvm/
target/s390x: remove kvm-stub.c
target/s390x: use kvm_enabled() to wrap call to kvm_s390_get_hpage_1m
target/s390x: make helper.c sysemu-only
target/s390x: split cpu-dump from helper.c
target/s390x: move sysemu-only code out to cpu-sysemu.c
target/s390x: start moving TCG-only code to tcg/
target/s390x: rename internal.h to s390x-internal.h
target/s390x: remove tcg-stub.c
hw/s390x: only build tod-tcg from the CONFIG_TCG build
hw/s390x: tod: make explicit checks for accelerators when initializing
hw/s390x: rename tod-qemu.c to tod-tcg.c
target/s390x: meson: add target_user_arch
s390x/tcg: Fix m5 vs. m4 field for VECTOR MULTIPLY SUM LOGICAL
target/s390x: Fix CC set by CONVERT TO FIXED/LOGICAL
s390x/cpumodel: add 3931 and 3932
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
The next version of lttng-libs will not require liburcu at run time anymore.
Therefore, it is expected that distros will not include the urcubp libraries
anymore when installing lttng-ust-devel.
To avoid future problems, just require pkg-config to detect lttng-ust.
The .pc files for lttng-ust correctly include liburcubp.a for static
builds, and have always done since pkg-config files were added in 2011.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20210712155710.520889-1-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Add helper function and call it for each trace event group added.
Makes sure that events added at module load time are initialized
properly.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20210601132414.432430-6-kraxel@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Pass an iter to st_write_event_mapping, so the function can interate
different things depending on how we initialize the iter.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20210601132414.432430-5-kraxel@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
This allows to interate over an event group.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20210601132414.432430-4-kraxel@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Rename trace_event_iter_init() to trace_event_iter_init_pattern(),
add trace_event_iter_init_all() for interating over all events.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20210601132414.432430-3-kraxel@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Setting SYSTEMTAP_TAPSET to some value other than
/usr/share/systemtap/tapsets results in systemtap not finding the
standard tapset library any more, which in turn breaks tracing because
pid() and other standard systemtap functions are not available any more.
So using SYSTEMTAP_TAPSET to point systemtap to the qemu probes will
only work for the prefix=/usr installs because both qemu and system
tapsets in the same directory then. All other prefixes are broken.
Fix that by using the "-I $tapsetdir" command line switch instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20210601132414.432430-2-kraxel@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Signed-off-by: Kostiantyn Kostiuk <konstantin@daynix.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
|
|
Although unlikely, qemu might hang in nbd_send_request().
Allow recovery in this case by registering the yank function before
calling it.
Signed-off-by: Lukas Straub <lukasstraub2@web.de>
Message-Id: <20210704000730.1befb596@gecko.fritz.box>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
Reword the paragraphs to list the JSON key first, rather than in the
middle of prose.
Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20210707184125.2551140-1-eblake@redhat.com>
Reviewed-by: Nir Soffer <nsoffer@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
|
|
The recently-added NBD context qemu:allocation-depth is able to
distinguish between locally-present data (even when that data is
sparse) [shown as depth 1 over NBD], and data that could not be found
anywhere in the backing chain [shown as depth 0]; and the libnbd
project was recently patched to give the human-readable name "absent"
to an allocation-depth of 0. But qemu-img map --output=json predates
that addition, and has the unfortunate behavior that all portions of
the backing chain that resolve without finding a hit in any backing
layer report the same depth as the final backing layer. This makes it
harder to reconstruct a qcow2 backing chain using just 'qemu-img map'
output, especially when using "backing":null to artificially limit a
backing chain, because it is impossible to distinguish between a
QCOW2_CLUSTER_UNALLOCATED (which defers to a [missing] backing file)
and a QCOW2_CLUSTER_ZERO_PLAIN cluster (which would override any
backing file), since both types of clusters otherwise show as
"data":false,"zero":true" (but note that we can distinguish a
QCOW2_CLUSTER_ZERO_ALLOCATED, which would also have an "offset":
listing).
The task of reconstructing a qcow2 chain was made harder in commit
0da9856851 (nbd: server: Report holes for raw images), because prior
to that point, it was possible to abuse NBD's block status command to
see which portions of a qcow2 file resulted in BDRV_BLOCK_ALLOCATED
(showing up as NBD_STATE_ZERO in isolation) vs. missing from the chain
(showing up as NBD_STATE_ZERO|NBD_STATE_HOLE); but now qemu reports
more accurate sparseness information over NBD.
An obvious solution is to make 'qemu-img map --output=json' add an
additional "present":false designation to any cluster lacking an
allocation anywhere in the chain, without any change to the "depth"
parameter to avoid breaking existing clients. The iotests have
several examples where this distinction demonstrates the additional
accuracy.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20210701190655.2131223-3-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
[eblake: fix more iotest fallout]
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
Enhance the test to inspect what qemu-nbd is advertising during
handshake, and rename it now that we support useful iotest names.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20210701190655.2131223-2-eblake@redhat.com>
|
|
MIPS patches queue
- Rename Raven ASIC PCI bridge, add PCI_IO_BASE_ADDR definition
- Various Toshiba TX79 opcodes implemented
- Rewrite UHI errno_mips() using switch statement
- Few fixes and improvements in the SONIC model (dp8393x)
# gpg: Signature made Sun 11 Jul 2021 22:12:49 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd/tags/mips-20210711:
dp8393x: don't force 32-bit register access
dp8393x: Rewrite dp8393x_get() / dp8393x_put()
dp8393x: Store CAM registers as 16-bit
dp8393x: Replace 0x40 magic value by SONIC_REG_COUNT definition
dp8393x: Replace address_space_rw(is_write=1) by address_space_write()
dp8393x: fix CAM descriptor entry index
target/mips: Rewrite UHI errno_mips() using switch statement
target/mips/tx79: Introduce SQ opcode (Store Quadword)
target/mips/tx79: Introduce LQ opcode (Load Quadword)
target/mips/tx79: Introduce PROT3W opcode (Parallel Rotate 3 Words)
target/mips/tx79: Introduce PPACW opcode (Parallel Pack to Word)
target/mips/tx79: Introduce PCGT* (Parallel Compare for Greater Than)
target/mips/tx79: Introduce PCEQ* opcodes (Parallel Compare for Equal)
target/mips/tx79: Introduce PEXTL[BHW] opcodes (Parallel Extend Lower)
target/mips/tx79: Introduce PEXTUW (Parallel Extend Upper from Word)
target/mips/tx79: Introduce PSUB* opcodes (Parallel Subtract)
target/mips/tx79: Introduce PAND/POR/PXOR/PNOR opcodes (parallel logic)
hw/pci-host/raven: Add PCI_IO_BASE_ADDR definition
hw/pci-host: Rename Raven ASIC PCI bridge as raven.c
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:
qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed.
==11578== ERROR: libFuzzer: deadly signal
#8 0x7ffff628e091 in __assert_fail
#9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9
#10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38
#11 0x5555588d777c in sd_do_command hw/sd/sd.c
#12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16
#13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
#14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
#15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5
Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.
Include the qtest reproducer provided by Alexander Bulekov:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed.
Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
|
|
Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-3-f4bug@amsat.org>
|
|
We report the card is in an inconsistent state, but don't precise
in which state it is. Add this information, as it is useful when
debugging problems.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210624142209.1193073-2-f4bug@amsat.org>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
|
|
into staging
Add translator_use_goto_tb.
Cleanups in prep of breakpoint fixes.
Misc fixes.
# gpg: Signature made Sat 10 Jul 2021 16:29:14 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth-gitlab/tags/pull-tcg-20210710: (41 commits)
cpu: Add breakpoint tracepoints
tcg: Remove TCG_TARGET_HAS_goto_ptr
accel/tcg: Log tb->cflags with -d exec
accel/tcg: Split out log_cpu_exec
accel/tcg: Move tb_lookup to cpu-exec.c
accel/tcg: Move helper_lookup_tb_ptr to cpu-exec.c
target/i386: Use cpu_breakpoint_test in breakpoint_handler
tcg: Fix prologue disassembly
target/xtensa: Use translator_use_goto_tb
target/tricore: Use tcg_gen_lookup_and_goto_ptr
target/tricore: Use translator_use_goto_tb
target/sparc: Use translator_use_goto_tb
target/sh4: Use translator_use_goto_tb
target/s390x: Remove use_exit_tb
target/s390x: Use translator_use_goto_tb
target/rx: Use translator_use_goto_tb
target/riscv: Use translator_use_goto_tb
target/ppc: Use translator_use_goto_tb
target/openrisc: Use translator_use_goto_tb
target/nios2: Use translator_use_goto_tb
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
staging
* More SVM fixes (Lara)
* Module annotation database (Gerd)
* Memory leak fixes (myself)
* Build fixes (myself)
* --with-devices-* support (Alex)
# gpg: Signature made Fri 09 Jul 2021 17:23:52 BST
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini-gitlab/tags/for-upstream: (48 commits)
meson: Use input/output for entitlements target
configure: allow the selection of alternate config in the build
configs: rename default-configs to configs and reorganise
hw/arm: move CONFIG_V7M out of default-devices
hw/arm: add dependency on OR_IRQ for XLNX_VERSAL
meson: Introduce target-specific Kconfig
meson: switch function tests from compilation to linking
vl: fix leak of qdict_crumple return value
target/i386: fix exceptions for MOV to DR
target/i386: Added DR6 and DR7 consistency checks
target/i386: Added MSRPM and IOPM size check
monitor/tcg: move tcg hmp commands to accel/tcg, register them dynamically
usb: build usb-host as module
monitor/usb: register 'info usbhost' dynamically
usb: drop usb_host_dev_is_scsi_storage hook
monitor: allow register hmp commands
accel: build tcg modular
accel: add tcg module annotations
accel: build qtest modular
accel: add qtest module annotations
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Commit 3fe9a838ec "dp8393x: Always use 32-bit accesses" set .impl.min_access_size
and .impl.max_access_size to 4 to try and fix the Linux jazzsonic driver which uses
32-bit accesses.
The problem with forcing the register access to 32-bit in this way is that since the
dp8393x uses 16-bit registers, a manual endian swap is required for devices on big
endian machines with 32-bit accesses.
For both access sizes and machine endians the QEMU memory API can do the right thing
automatically: all that is needed is to set .impl.min_access_size to 2 to declare that
the dp8393x implements 16-bit registers.
Normally .impl.max_access_size should also be set to 2, however that doesn't quite
work in this case since the register stride is specified using a (dynamic) it_shift
property which is applied during the MMIO access itself. The effect of this is that
for a 32-bit access the memory API performs 2 x 16-bit accesses, but the use of
it_shift within the MMIO access itself causes the register value to be repeated in both
the top 16-bits and bottom 16-bits. The Linux jazzsonic driver expects the stride to be
zero-extended up to access size and therefore fails to correctly detect the dp8393x
device due to the extra data in the top 16-bits.
The solution here is to remove .impl.max_access_size so that the memory API will
correctly zero-extend the 16-bit registers to the access size up to and including
it_shift. Since it_shift is never greater than 2 than this will always do the right
thing for both 16-bit and 32-bit accesses regardless of the machine endian, allowing
the manual endian swap code to be removed.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: 3fe9a838ec ("dp8393x: Always use 32-bit accesses")
Message-Id: <20210705214929.17222-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
|
Instead of accessing N registers via a single address_space API
call using a temporary buffer (stored in the device state) and
updating each register, move the address_space call in the
register put/get. The load/store and word size checks are moved
to put/get too. This simplifies a bit, making the code easier
to read.
Co-developed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Co-developed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Message-Id: <20210710174954.2577195-8-f4bug@amsat.org>
|
|
Per the DP83932C datasheet from July 1995:
4.0 SONIC Registers
4.1 THE CAM UNIT
The Content Addressable Memory (CAM) consists of sixteen
48-bit entries for complete address filtering of network
packets. Each entry corresponds to a 48-bit destination
address that is user programmable and can contain any
combination of Multicast or Physical addresses. Each entry
is partitioned into three 16-bit CAM cells accessible
through CAM Address Ports (CAP 2, CAP 1 and CAP 0) with
CAP0 corresponding to the least significant 16 bits of
the Destination Address and CAP2 corresponding to the
most significant bits.
Store the CAM registers as 16-bit as it simplifies the code.
Having now the CAM registers as arrays of 3 uint16_t, we can avoid
using the VMSTATE_BUFFER_UNSAFE macro by using VMSTATE_UINT16_2DARRAY
which is more appropriate. This breaks the migration stream however.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Message-Id: <20210710174954.2577195-5-f4bug@amsat.org>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
|
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Message-Id: <20210710174954.2577195-3-f4bug@amsat.org>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
|
Replace address_space_rw(is_write=1) by address_space_write()
and remove pointless cast.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Message-Id: <20210710174954.2577195-2-f4bug@amsat.org>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
|
Currently when a LOAD CAM command is executed the entries are loaded into the
CAM from memory in order which is incorrect. According to the datasheet the
first entry in the CAM descriptor is the entry index which means that each
descriptor may update any single entry in the CAM rather than the Nth entry.
Decode the CAM entry index and use it store the descriptor in the appropriate
slot in the CAM. This fixes the issue where the MacOS toolbox loads a single
CAM descriptor into the final slot in order to perform a loopback test which
must succeed before the Ethernet port is enabled.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210625065401.30170-10-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
|
Linking on Haiku OS fails:
/boot/system/develop/tools/bin/../lib/gcc/x86_64-unknown-haiku/8.3.0/../../../../x86_64-unknown-haiku/bin/ld:
error: libqemu-mips-softmmu.fa.p/target_mips_tcg_sysemu_mips-semi.c.o(.rodata) is too large (0xffff405a bytes)
/boot/system/develop/tools/bin/../lib/gcc/x86_64-unknown-haiku/8.3.0/../../../../x86_64-unknown-haiku/bin/ld:
final link failed: memory exhausted
collect2: error: ld returned 1 exit status
This is because the host_to_mips_errno[] uses errno as index,
for example:
static const uint16_t host_to_mips_errno[] = {
[ENAMETOOLONG] = 91,
...
and Haiku defines [*] ENAMETOOLONG as:
12 /* Error baselines */
13 #define B_GENERAL_ERROR_BASE INT_MIN
..
22 #define B_STORAGE_ERROR_BASE (B_GENERAL_ERROR_BASE + 0x6000)
...
106 #define B_NAME_TOO_LONG (B_STORAGE_ERROR_BASE + 4)
...
211 #define ENAMETOOLONG B_TO_POSIX_ERROR(B_NAME_TOO_LONG)
so the array ends up beeing indeed too big.
Since POSIX errno can't be use as indexes on Haiku,
rewrite errno_mips() using a switch statement.
[*] https://github.com/haiku/haiku/blob/r1beta3/headers/os/support/Errors.h#L130
Reported-by: Richard Zak <richard.j.zak@gmail.com>
Suggested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210706130723.1178961-1-f4bug@amsat.org>
|
|
Introduce the SQ opcode (Store Quadword).
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210214175912.732946-27-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
|
Introduce the LQ opcode (Load Quadword) and remove unreachable code.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210214175912.732946-26-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
