aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-09-24make check-unit: use after free in test-opts-visitorAndrey Shinkevich
In the struct OptsVisitor, the 'repeated_opts' member points to a list in the 'unprocessed_opts' hash table after the list has been destroyed. A subsequent call to visit_type_int() references the deleted list. It results in use-after-free issue reproduced by running the test case under the Valgrind: valgrind tests/test-opts-visitor. A new mode ListMode::LM_TRAVERSED is declared to mark the list traversal completed. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com> Message-Id: <1565024586-387112-1-git-send-email-andrey.shinkevich@virtuozzo.com>
2019-09-24qapi: Make visit_next_list()'s comment less confusingMarkus Armbruster
visit_next_list() returns non-null on success, null on failure. The comment's phrasing "until NULL return or error occurs" is needlessly confusing. Scratch the "or error occurs" part. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20190802122325.16520-1-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2019-09-23Merge remote-tracking branch ↵Peter Maydell
'remotes/davidhildenbrand/tags/s390x-tcg-2019-09-23' into staging Fix a bunch of BUGs in the mem-helpers (including the MVC instruction), especially, to make them behave correctly on faults. # gpg: Signature made Mon 23 Sep 2019 09:01:21 BST # gpg: using RSA key 1BD9CAAD735C4C3A460DFCCA4DDE10F700FF835A # gpg: issuer "david@redhat.com" # gpg: Good signature from "David Hildenbrand <david@redhat.com>" [unknown] # gpg: aka "David Hildenbrand <davidhildenbrand@gmail.com>" [full] # Primary key fingerprint: 1BD9 CAAD 735C 4C3A 460D FCCA 4DDE 10F7 00FF 835A * remotes/davidhildenbrand/tags/s390x-tcg-2019-09-23: (30 commits) tests/tcg: target/s390x: Test MVC tests/tcg: target/s390x: Test MVO s390x/tcg: MVO: Fault-safe handling s390x/tcg: MVST: Fault-safe handling s390x/tcg: MVZ: Fault-safe handling s390x/tcg: MVN: Fault-safe handling s390x/tcg: MVCIN: Fault-safe handling s390x/tcg: NC: Fault-safe handling s390x/tcg: XC: Fault-safe handling s390x/tcg: OC: Fault-safe handling s390x/tcg: MVCLU: Fault-safe handling s390x/tcg: MVC: Fault-safe handling on destructive overlaps s390x/tcg: MVCS/MVCP: Use access_memmove() s390x/tcg: Fault-safe memmove s390x/tcg: Fault-safe memset s390x/tcg: Always use MMU_USER_IDX for CONFIG_USER_ONLY s390x/tcg: MVST: Fix storing back the addresses to registers s390x/tcg: MVST: Check for specification exceptions s390x/tcg: MVCS/MVCP: Properly wrap the length s390x/tcg: MVCOS: Lengths are 32 bit in 24/31-bit mode ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-09-23Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20190923' into ↵Peter Maydell
staging - bugfixes in ccw bios - gen15a is called z15 - officially require a 3.15 kernel or later for kvm # gpg: Signature made Mon 23 Sep 2019 08:18:32 BST # gpg: using RSA key 117BBC80B5A61C7C # gpg: Good signature from "Christian Borntraeger (IBM) <borntraeger@de.ibm.com>" [full] # Primary key fingerprint: F922 9381 A334 08F9 DBAB FBCA 117B BC80 B5A6 1C7C * remotes/borntraeger/tags/s390x-20190923: s390x/cpumodel: Add the z15 name to the description of gen15a s390x/kvm: Officially require at least kernel 3.15 pc-bios/s390-ccw: Rebuild the s390-netboot.img firmware image pc-bios/s390-ccw/net: fix a possible memory leak in get_uuid() pc-bios/s390-ccw: Do not pre-initialize empty array Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-09-23Merge remote-tracking branch ↵Peter Maydell
'remotes/cminyard/tags/ipmi-for-release-2019-09-20' into staging ipmi: Some bug fixes and new interfaces Some bug fixes for the watchdog and hopeful the BT tests. Change the IPMI UUID handling to give the user the ability to set it or not have it. Add a PCI interface. Add an SMBus interfaces. -corey # gpg: Signature made Fri 20 Sep 2019 20:11:21 BST # gpg: using RSA key FD0D5CE67CE0F59A6688268661F38C90919BFF81 # gpg: Good signature from "Corey Minyard <cminyard@mvista.com>" [unknown] # gpg: aka "Corey Minyard <minyard@acm.org>" [unknown] # gpg: aka "Corey Minyard <corey@minyard.net>" [unknown] # gpg: aka "Corey Minyard <minyard@mvista.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688 2686 61F3 8C90 919B FF81 * remotes/cminyard/tags/ipmi-for-release-2019-09-20: pc: Add an SMB0 ACPI device to q35 ipmi: Fix SSIF ACPI handling to use the right CRS acpi: Add i2c serial bus CRS handling ipmi: Add an SMBus IPMI interface ipmi: Add PCI IPMI interfaces smbios:ipmi: Ignore IPMI devices with no fwinfo function ipmi: Allow a size value to be passed for I/O space ipmi: Split out BT-specific code from ISA BT code ipmi: Split out KCS-specific code from ISA KCS code ipmi: Add a UUID device property qdev: Add a no default uuid property tests:ipmi: Fix IPMI BT tests ipmi: Generate an interrupt on watchdog pretimeout expiry ipmi: Fix the get watchdog command ipmi: Fix watchdog NMI handling Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-09-23tests/tcg: target/s390x: Test MVCDavid Hildenbrand
Let's add a test that especially verifies that no data will be touched in case we cross page boundaries and one page access triggers a fault. Before the fault-safe handling fixes, the test failes with: TEST mvc on s390x data modified during a fault make[2]: *** [../Makefile.target:116: run-mvc] Error 1 Acked-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23tests/tcg: target/s390x: Test MVODavid Hildenbrand
Let's add the simple test based on the example from the PoP. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVO: Fault-safe handlingDavid Hildenbrand
Each operand can have a maximum length of 16. Make sure to prepare all reads/writes before writing. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVST: Fault-safe handlingDavid Hildenbrand
Access at most single pages and document why. Using the access helpers might over-indicate watchpoints within the same page, I guess we can live with that. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVZ: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVN: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCIN: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. Calculate the accessed range upfront - src is accessed right-to-left. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: NC: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: XC: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. While at it, increment the length once. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: OC: Fault-safe handlingDavid Hildenbrand
We can process a maximum of 256 bytes, crossing two pages. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCLU: Fault-safe handlingDavid Hildenbrand
The last remaining bit is padding with two bytes. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVC: Fault-safe handling on destructive overlapsDavid Hildenbrand
The last remaining bit for MVC is handling destructive overlaps in a fault-safe way. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCS/MVCP: Use access_memmove()David Hildenbrand
As we are moving between address spaces, we can use access_memmove() without checking for destructive overlaps (especially of real storage locations): "Each storage operand is processed left to right. The storage-operand-consistency rules are the same as for MOVE (MVC), except that when the operands overlap in real storage, the use of the common real- storage locations is not necessarily recognized." Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: Fault-safe memmoveDavid Hildenbrand
Replace fast_memmove() variants by access_memmove() variants, that first try to probe access to all affected pages (maximum is two pages). Introduce access_get_byte()/access_set_byte(). We might be able to speed up memmove in special cases even further (do single-byte access, use memmove() for remaining bytes in page), however, we'll skip that for now. In MVCOS, simply always call access_memmove_as() and drop the TODO about LAP. LAP is already handled in the MMU. Get rid of adj_len_to_page(), which is now unused. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: Fault-safe memsetDavid Hildenbrand
Replace fast_memset() by access_memset(), that first tries to probe access to all affected pages (maximum is two). We'll use the same mechanism for other types of accesses soon. Only in very rare cases (especially TLB_NOTDIRTY), we'll have to fallback to ld/st helpers. Try to speed up that case as suggested by Richard. We'll rework most involved handlers soon to do all accesses via new fault-safe helpers, especially MVC. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: Always use MMU_USER_IDX for CONFIG_USER_ONLYDavid Hildenbrand
Although we basically ignore the index all the time for CONFIG_USER_ONLY, let's simply skip all the checks and always return MMU_USER_IDX in cpu_mmu_index() and get_mem_index(). Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVST: Fix storing back the addresses to registersDavid Hildenbrand
24 and 31-bit address space handling is wrong when it comes to storing back the addresses to the register. While at it, read gprs 0 implicitly. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVST: Check for specification exceptionsDavid Hildenbrand
Bit position 32-55 of general register 0 must be zero. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCS/MVCP: Properly wrap the lengthDavid Hildenbrand
... and don't perform any move in case the length is zero. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCOS: Lengths are 32 bit in 24/31-bit modeDavid Hildenbrand
Triggered by a review comment from Richard, also MVCOS has a 32-bit length in 24/31-bit addressing mode. Add a new helper. Rename wrap_length() to wrap_length31(). Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCS/MVCP: Check for special operation exceptionsDavid Hildenbrand
Let's perform the documented checks. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCLU/MVCLE: Process max 4k bytes at a timeDavid Hildenbrand
Let's stay within single pages. ... and indicate cc=3 in case there is work remaining. Keep unicode padding simple. While reworking, properly wrap the addresses. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVPG: Properly wrap the addressesDavid Hildenbrand
We have to mask of any unused bits. While at it, document what exactly is missing. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVPG: Check for specification exceptionsDavid Hildenbrand
Perform the checks documented in the PoP. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVC: Use is_destructive_overlap()David Hildenbrand
Let's use the new helper, that also detects destructive overlaps when wrapping. We'll make the remaining code (e.g., fast_memmove()) aware of wrapping later. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVC: Increment the length onceDavid Hildenbrand
Let's increment the length once. While at it, cleanup the comment. The memset() example is given as a programming note in the PoP, so drop the description. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCL: Process max 4k bytes at a timeDavid Hildenbrand
Process max 4k bytes at a time, writing back registers between the accesses. The instruction is interruptible. "For operands longer than 2K bytes, access exceptions are not recognized for locations more than 2K bytes beyond the current location being processed." Note that on z/Architecture, 2k vs. 4k access cannot get differentiated as long as pages are not crossed. This seems to be a leftover from ESA/390. Simply stay within single pages. MVCL handling is quite different than MVCLE/MVCLU handling, so split up the handlers. Defer interrupt handling, as that will require more thought, add a TODO for that. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCL: Detect destructive overlapsDavid Hildenbrand
We'll have to zero-out unused bit positions, so make sure to write the addresses back. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: MVCL: Zero out unused bits of addressDavid Hildenbrand
We have to zero out unused bits in 24 and 31-bit addressing mode. Provide a new helper. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/tcg: Reset exception_index to -1 instead of 0David Hildenbrand
We use the marker "-1" for "no exception". s390_cpu_do_interrupt() might get confused by that. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: David Hildenbrand <david@redhat.com>
2019-09-23s390x/cpumodel: Add the z15 name to the description of gen15aChristian Borntraeger
We now know that gen15a is called z15. Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2019-09-23s390x/kvm: Officially require at least kernel 3.15Thomas Huth
Since QEMU v2.10, the KVM acceleration does not work on older kernels anymore since the code accidentally requires the KVM_CAP_DEVICE_CTRL capability now - it should have been optional instead. Instead of fixing the bug, we asked in the ChangeLog of QEMU 2.11 - 3.0 that people should speak up if they still need support of QEMU running with KVM on older kernels, but seems like nobody really complained. Thus let's make this official now and turn it into a proper error message, telling the users to use at least kernel 3.15 now. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20190913091443.27565-1-thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2019-09-23Merge tag 's390-ccw-bios-2019-09-18' of https://gitlab.com/huth/qemu into ↵Christian Borntraeger
s390-next Small fixes for the s390-ccw firmware
2019-09-20pc: Add an SMB0 ACPI device to q35Corey Minyard
This is so I2C devices can be found in the ACPI namespace. Currently that's only IPMI, but devices can be easily added now. Adding the devices required some PCI information, and the bus itself to be added to the PCMachineState structure. Note that this only works on Q35, the ACPI for PIIX4 is not capable of handling an SMBus device. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2019-09-20ipmi: Fix SSIF ACPI handling to use the right CRSCorey Minyard
Pass in the CRS so that it can be set to the SMBus for IPMI later. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20acpi: Add i2c serial bus CRS handlingCorey Minyard
This will be required for getting IPMI SSIF (SMBus interface) into the ACPI tables. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20ipmi: Add an SMBus IPMI interfaceCorey Minyard
Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20ipmi: Add PCI IPMI interfacesCorey Minyard
Pretty straightforward, just hook the current KCS and BT code into the PCI system with the proper configuration. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: M: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20smbios:ipmi: Ignore IPMI devices with no fwinfo functionCorey Minyard
Not all devices have fwinfo (like the coming PCI one), so ignore them if the their fwinfo function is NULL. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20ipmi: Allow a size value to be passed for I/O spaceCorey Minyard
PCI device I/O must be >= 8 bytes in length or they don't work. Allow the size to be passed in, the default size of 2 or 3 won't work. Signed-off-by: Corey Minyard <cminyard@mvista.com>
2019-09-20ipmi: Split out BT-specific code from ISA BT codeCorey Minyard
Get ready for PCI and other BT interfaces. No functional changes, just split the code into generic BT code and ISA-specific BT code. Signed-off-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2019-09-20ipmi: Split out KCS-specific code from ISA KCS codeCorey Minyard
Get ready for PCI and other KCS interfaces. No functional changes, just split the code into the generic KCS code and the ISA-specific code. Signed-off-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2019-09-20ipmi: Add a UUID device propertyCorey Minyard
Using the UUID that qemu generates probably isn't the best thing to do, allow it to be passed in via properties, and use QemuUUID for the type. If the UUID is not set, return an unsupported command error. This way we are not providing an all-zero (or randomly generated) GUID to the IPMI user. This lets the host fall back to the other method of using the get device id command to determind the BMC being accessed. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Cédric Le Goater <clg@kaod.org> Cc: David Gibson <david@gibson.dropbear.id.au> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com>
2019-09-20qdev: Add a no default uuid propertyCorey Minyard
This is for IPMI, which will behave differently if the UUID is not set. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Fam Zheng <famz@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2019-09-20tests:ipmi: Fix IPMI BT testsCorey Minyard
The IPMI BT tests had a race condition, if it receive an IPMI command to enable interrupt, it would write the message to enable interrupts after it wrote the command response. So the test code could receive the command response and issue the next command before the device handled the interrupt enable command, and thus no interrupt. So send the message to enable interrupt before the command response. Also add some sleeps to give qemu time to handle responses, there was no delay before, and it could result in an invalid timeout. And re-enable the tests, as hopefully they are fixed now. Note that I was unable to reproduce this even with the instructions Peter gave me, but hopefully this fixes the issue. Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Corey Minyard <cminyard@mvista.com>