aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-01-19system/cpu-timers: Introduce ICountMode enumeratorPhilippe Mathieu-Daudé
Rather than having to lookup for what the 0, 1, 2, ... icount values are, use a enum definition. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-ID: <20231208113529.74067-4-philmd@linaro.org>
2024-01-19system/cpu-timers: Have icount_configure() return a booleanPhilippe Mathieu-Daudé
Following the example documented since commit e3fe3988d7 ("error: Document Error API usage rules"), have icount_configure() return a boolean indicating whether an error is set or not. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20231208113529.74067-2-philmd@linaro.org>
2024-01-19target/alpha: Only build sys_helper.c on system emulationPhilippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231207105426.49339-3-philmd@linaro.org>
2024-01-19target/alpha: Extract clk_helper.c from sys_helper.cPhilippe Mathieu-Daudé
Except helper_load_pcc(), all helpers from sys_helper.c are system-emulation specific. In preparation of restricting sys_helper.c to system emulation, extract helper_load_pcc() to clk_helper.c. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231207105426.49339-2-philmd@linaro.org>
2024-01-19accel/tcg: Remove tb_invalidate_phys_page() from system emulationPhilippe Mathieu-Daudé
Since previous commit, tb_invalidate_phys_page() is not used anymore in system emulation. Make it static for user emulation and remove its public declaration in "exec/translate-all.h". Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20231130205600.35727-1-philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2024-01-19accel/tcg: Remove unused tb_invalidate_phys_addr()Philippe Mathieu-Daudé
Commit e3f7c801f1 introduced the TCGCPUOps::debug_check_breakpoint() handler, and commit 10c37828b2 "moved breakpoint recognition outside of translation", so "we no longer need to flush any TBs when changing BPs". The last target using tb_invalidate_phys_addr() was converted to the debug_check_breakpoint(), so this function is now unused. Remove it. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231130203241.31099-1-philmd@linaro.org>
2024-01-19tests/tcg/xtensa: add icount/ibreak priority testMax Filippov
When icount and ibreak exceptions are due to happen on the same address icount has higher precedence. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-ID: <20231130171920.3798954-3-jcmvbkbc@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-01-19target/xtensa: use generic instruction breakpoint infrastructureMax Filippov
Don't embed ibreak exception generation into TB and don't invalidate TB on ibreak address change. Add CPUBreakpoint pointers to xtensa CPUArchState, use cpu_breakpoint_insert/cpu_breakpoint_remove_by_ref to manage ibreak breakpoints and provide TCGCPUOps::debug_check_breakpoint callback that recognizes valid instruction breakpoints. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-ID: <20231130171920.3798954-2-jcmvbkbc@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-01-19accel: Do not set CPUState::can_do_io in non-TCG accelsPhilippe Mathieu-Daudé
'can_do_io' is specific to TCG. It was added to other accelerators in 626cf8f4c6 ("icount: set can_do_io outside TB execution"), then likely copy/pasted in commit c97d6d2cdf ("i386: hvf: add code base from Google's QEMU repository"). Having it set in non-TCG code is confusing, so remove it from QTest / HVF / KVM. Fixes: 626cf8f4c6 ("icount: set can_do_io outside TB execution") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231129205037.16849-1-philmd@linaro.org>
2024-01-19accel: Do not set CPUState::tcg_cflags in non-TCG accelsPhilippe Mathieu-Daudé
'tcg_cflags' is specific to TCG. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231130075958.21285-1-philmd@linaro.org>
2024-01-19backends/cryptodev: Do not ignore throttle/backends ErrorsPhilippe Mathieu-Daudé
Both cryptodev_backend_set_throttle() and CryptoDevBackendClass::init() can set their Error** argument. Do not ignore them, return early on failure. Without that, running into another failure trips error_setv()'s assertion. Use the ERRP_GUARD() macro as suggested in commit ae7c80a7bd ("error: New macro ERRP_GUARD()"). Cc: qemu-stable@nongnu.org Fixes: e7a775fd9f ("cryptodev: Account statistics") Fixes: 2580b452ff ("cryptodev: support QoS") Reviewed-by: zhenwei pi <pizhenwei@bytedance.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20231120150418.93443-1-philmd@linaro.org>
2024-01-19hw/timer/hpet: Convert DPRINTF to trace eventsDaniel Hoffman
This conversion is pretty straight-forward. Standardized some formatting so the +0 and +4 offset cases can recycle the same message. Signed-off-by: Daniel Hoffman <dhoff749@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20231118231129.2840388-1-dhoff749@gmail.com> [PMD: Fixed few string formats] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-01-18Merge tag 'pull-target-arm-20240118' of ↵Peter Maydell
https://git.linaro.org/people/pmaydell/qemu-arm into staging target-arm queue: * docs/devel/docs: Document .hx file syntax * arm_pamax() no longer needs to do feature propagation * docs/system/arm/virt.rst: Improve 'highmem' option docs * STM32L4x5 Implement SYSCFG and EXTI devices * hw/timer: fix systick trace message * hw/arm/virt: Consolidate valid CPU types * load_elf: fix iterator's type for elf file processing # -----BEGIN PGP SIGNATURE----- # # iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmWpHM4ZHHBldGVyLm1h # eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3pZxD/sGIXvTeoOCsum7OFpArKoQ # J+wcy74pO526IDzjudgtwP8kFW09oVblMPgrt/68F9LY4Oa7sDNAZX/Xqlhs/hdJ # SVbOXArRmyLvgLpn8KVii9xk9iI/olMGt0S6KcXAErdgFud+JcCevbS0D5fAF4Ua # /G/4ldnwr+WcYUA5IIoi02ymSBm5VNeH2bKu0MPS3xpizjzgOFxWTBYwq3zkZYWD # w5GjH9+F+IC67CiAlCLvuQBqpGLdRwFBttU05hLtGXuSlnvS+FtJTooI7gGD17CR # 2wTa7qF716qDN1lNSIvxA6t8/dWNMIYCZYdlxJml476WzP3jECpth2WFWqE0G3yg # Orr7sFVB8X6JmtlR34srW6e3CZA3t+4FIWqcdELFLi5IQtJeer90jqQ9xwx4SttJ # nsHdy5M8txWSa61yAaDTXMID/smVlC7sWTKJrR9kV7v5+b9OPQ/R8k0mCODl5Aer # mzAVuCvUQVYK3j7fzprGrlldla57s3v78OAhqACLgKflK0+aJSJjglulPrSMK1z5 # bRPS5jLZjFwEi2VaLVg3LPJiBMDj1s/wAl0ycfCQSv2oEzvmpkw+Ar1HDc2NFe+d # 9dunbdhAZJMwh+ABIg7iMj+l0ncOXDa4DS+6BnjRxfECCa172u3viq1HATkLLAFI # GTkcJ5hIQzNEeg9ob0MDIg== # =Rfpe # -----END PGP SIGNATURE----- # gpg: Signature made Thu 18 Jan 2024 12:42:54 GMT # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * tag 'pull-target-arm-20240118' of https://git.linaro.org/people/pmaydell/qemu-arm: load_elf: fix iterator's type for elf file processing hw/arm/virt: Consolidate valid CPU types hw/timer: fix systick trace message tests/qtest: Add STM32L4x5 SYSCFG QTest testcase hw/arm: Connect STM32L4x5 SYSCFG to STM32L4x5 SoC hw/misc: Implement STM32L4x5 SYSCFG tests/qtest: Add STM32L4x5 EXTI QTest testcase hw/arm: Connect STM32L4x5 EXTI to STM32L4x5 SoC hw/misc: Implement STM32L4x5 EXTI docs/system/arm/virt.rst: Improve 'highmem' option docs target/arm: arm_pamax() no longer needs to do feature propagation docs/devel/docs: Document .hx file syntax Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-18Merge tag 'pull-request-2024-01-16' of https://gitlab.com/thuth/qemu into ↵Peter Maydell
staging * Improve the timeouts for some problematic qtests * Enable some ROP mitigation compiler switches # -----BEGIN PGP SIGNATURE----- # # iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmWmNDURHHRodXRoQHJl # ZGhhdC5jb20ACgkQLtnXdP5wLbVM0w/+Nafbtnw9Q1gp633CIYQRsNDGiKiCND5H # epLfd3DFAG2jATZm/hIIrV3dlEkGRQh916XKik572eUm2yyu3i3EqVNooTcLr0k/ # 4MI1ZzG0rnAnAr15zVdUaDCiaGdlpcSGTwLDAlQjIR4n0MdugQ/bkrfkDRU0YD/6 # mv/yDck5fHOUDm88LA7Gxep0G7U8Wi8oiQXx+WlbQpmDHfBJM7ERQSPhXobtVtFO # 8wpceUcMwlGBecxEsRggrRhdn09CJUyuirP8UHG4rT8xMjkXpqHJVqZ+gVDyV65J # y9y6snCk+oFyCTDSstQxVbzHg/1C4xE2gVUMaXv4Wu1TcCgBpF1WDQymXb35Buuh # pbgAaF1ZsBGwE7rUUJIF3NBTpjmedP4NbCR2EPsiL06w08mG7IRuU/b8JStuAHef # qUqxiHfpEwAxXY8O83XOvBb+zJ625OQHGi/MGDnaYczBfqBJAx2AKiuSmMWBAWo2 # gO4kQX25sPzov6xsLcjEwh0HcJ9W5mkGRJ/x8GSjWnvDlGBDBYWPUShJlohDKGU0 # 4+JGk4+8RKMoKE97bO8DItOp9ahh87up/qHDFkJJo+VKuDaBPdzlS6PURzc8wv0T # QquWUkfdE6qYIPr8ShVYT00NNThIKLyn0qaN4s1mQ+2h8p8nXc4aYsWgcr2wxJFm # sOoVvwOXzDE= # =Yuwq # -----END PGP SIGNATURE----- # gpg: Signature made Tue 16 Jan 2024 07:45:57 GMT # gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5 # gpg: issuer "thuth@redhat.com" # gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full] # gpg: aka "Thomas Huth <thuth@redhat.com>" [full] # gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full] # gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown] # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5 * tag 'pull-request-2024-01-16' of https://gitlab.com/thuth/qemu: meson: mitigate against use of uninitialize stack for exploits meson: mitigate against ROP exploits with -fzero-call-used-regs qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutes tests/qtest/npcm7xx_watchdog_timer: Only test the corner cases by default tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutes Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-18acpi/tests/avocado/bits: wait for 200 seconds for SHUTDOWN event from bits VMAni Sinha
By default, the timeout to receive any specified event from the QEMU VM is 60 seconds set by the python avocado test framework. Please see event_wait() and events_wait() in python/qemu/machine/machine.py. If the matching event is not triggered within that interval, an asyncio.TimeoutError is generated. Since the timeout for the bits avocado test is 200 secs, we need to make event_wait() timeout of the same value as well so that an early timeout is not triggered by the avocado framework. CC: peter.maydell@linaro.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2077 Signed-off-by: Ani Sinha <anisinha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-id: 20240117042556.3360190-1-anisinha@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-18load_elf: fix iterator's type for elf file processingAnastasia Belova
j is used while loading an ELF file to byteswap segments' data. If data is larger than 2GB an overflow may happen. So j should be elf_word. This commit fixes a minor bug: it's unlikely anybody is trying to load ELF files with 2GB+ segments for wrong-endianness targets, but if they did, it wouldn't work correctly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: qemu-stable@nongnu.org Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf") Signed-off-by: Anastasia Belova <abelova@astralinux.ru> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-18hw/arm/virt: Consolidate valid CPU typesGavin Shan
It's found that some of the CPU type names in the array of valid CPU types are invalid because their corresponding classes aren't registered, as reported by Peter Maydell. [gshan@gshan build]$ ./qemu-system-arm -machine virt -cpu cortex-a9 qemu-system-arm: Invalid CPU model: cortex-a9 The valid models are: cortex-a7, cortex-a15, (null), (null), (null), (null), (null), (null), (null), (null), (null), (null), (null), max Fix it by consolidating the array of valid CPU types. After it's applied, we have the following output when TCG is enabled. [gshan@gshan build]$ ./qemu-system-arm -machine virt -cpu cortex-a9 qemu-system-arm: Invalid CPU model: cortex-a9 The valid models are: cortex-a7, cortex-a15, max [gshan@gshan build]$ ./qemu-system-aarch64 -machine virt -cpu cortex-a9 qemu-system-aarch64: Invalid CPU model: cortex-a9 The valid models are: cortex-a7, cortex-a15, cortex-a35, cortex-a55, cortex-a72, cortex-a76, cortex-a710, a64fx, neoverse-n1, neoverse-v1, neoverse-n2, cortex-a53, cortex-a57, max Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2084 Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gavin Shan <gshan@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-id: 20240111051054.83304-1-gshan@redhat.com Fixes: fa8c617791 ("hw/arm/virt: Check CPU type in machine_run_board_init()") Signed-off-by: Gavin Shan <gshan@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-18hw/timer: fix systick trace messageSamuel Tardieu
Signed-off-by: Samuel Tardieu <sam@rfc1149.net> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Message-id: 20240109184508.3189599-1-sam@rfc1149.net Fixes: ff68dacbc786 ("armv7m: Split systick out from NVIC") Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-16Merge tag 'hppa-fixes-8.2-pull-request' of ↵Peter Maydell
https://github.com/hdeller/qemu-hppa into staging target/hppa qemu v8.2 regression fixes There were some regressions introduced with Qemu v8.2 on the hppa/hppa64 target, e.g.: - 32-bit HP-UX crashes on B160L (32-bit) machine - NetBSD boot failure due to power button in page zero - NetBSD FPU detection failure - OpenBSD 7.4 boot failure This patch series fixes those known regressions and additionally: - allows usage of the max. 3840MB of memory (instead of 3GB), - adds support for the qemu --nodefaults option (to debug other devices) This patch set will not fix those known (non-regression) bugs: - HP-UX and NetBSD still fail to boot on the new 64-bit C3700 machine - Linux kernel will still fail to boot on C3700 as long as kernel modules are used. Changes v2->v3: - Added comment about Figures H-10 and H-11 in the parisc2.0 spec in patch which calculate PDC address translation if PSW.W=0 - Introduce and use hppa_set_ior_and_isr() - Use drive_get_max_bus(IF_SCSI), nd_table[] and serial_hd() to check if default devices should be created - Added Tested-by and Reviewed-by tags Changes v1->v2: - fix OpenBSD boot with SeaBIOS v15 instead of v14 - commit message enhancements suggested by BALATON Zoltan - use uint64_t for ram_max in patch #1 # -----BEGIN PGP SIGNATURE----- # # iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCZaImPQAKCRD3ErUQojoP # X2C5AP9fbIkCni45JU6KC6OmFsCbAReRQCPwLO+MzR8/us2ywgD+PsGxSBk8ASxM # nqtv3J9JC3i+XSnbtwLV+qChnO+IXwc= # =FAMY # -----END PGP SIGNATURE----- # gpg: Signature made Sat 13 Jan 2024 05:57:17 GMT # gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F # gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown] # gpg: aka "Helge Deller <deller@kernel.org>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603 # Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F * tag 'hppa-fixes-8.2-pull-request' of https://github.com/hdeller/qemu-hppa: target/hppa: Update SeaBIOS-hppa to version 15 target/hppa: Fix IOR and ISR on error in probe target/hppa: Fix IOR and ISR on unaligned access trap target/hppa: Export function hppa_set_ior_and_isr() target/hppa: Avoid accessing %gr0 when raising exception hw/hppa: Move software power button address back into PDC target/hppa: Fix PDC address translation on PA2.0 with PSW.W=0 hw/pci-host/astro: Add missing astro & elroy registers for NetBSD hw/hppa/machine: Disable default devices with --nodefaults option hw/hppa/machine: Allow up to 3840 MB total memory Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-16Merge tag 'migration-20240116-pull-request' of ↵Peter Maydell
https://gitlab.com/peterx/qemu into staging Migration pull request 2nd batch for 9.0 - Het's cleanup on migration qmp command paths - Fabiano's migration cleanups and test improvements - Fabiano's patch to re-enable multifd-cancel test - Peter's migration doc reorganizations - Nick Briggs's fix for Solaries build on rdma # -----BEGIN PGP SIGNATURE----- # # iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCZaX1PhIccGV0ZXJ4QHJl # ZGhhdC5jb20ACgkQO1/MzfOr1wZSzwEAq6sp/ylNHLzNoMdWL28JLqCsb4DPYH2i # u7XgYgT1qDAA/0vwoe4a5uFn1aaGCS+2d2syjJ8kOE7h+eZrbK520jsA # =1zUG # -----END PGP SIGNATURE----- # gpg: Signature made Tue 16 Jan 2024 03:17:18 GMT # gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706 # gpg: issuer "peterx@redhat.com" # gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal] # gpg: aka "Peter Xu <peterx@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706 * tag 'migration-20240116-pull-request' of https://gitlab.com/peterx/qemu: migration/rdma: define htonll/ntohll only if not predefined docs/migration: Further move virtio to be feature of migration docs/migration: Further move vfio to be feature of migration docs/migration: Organize "Postcopy" page docs/migration: Split "dirty limit" docs/migration: Split "Postcopy" docs/migration: Split "Debugging" and "Firmware" docs/migration: Split "Backwards compatibility" separately docs/migration: Convert virtio.txt into rST docs/migration: Create index page docs/migration: Create migration/ directory tests/qtest: Re-enable multifd cancel test tests/qtest/migration: Use the new migration_test_add tests/qtest/migration: Add a wrapper to print test names tests/qtest/migration: Print migration incoming errors migration: Report error in incoming migration migration/multifd: Change multifd_pages_init argument migration/multifd: Remove QEMUFile from where it is not needed migration/multifd: Remove MultiFDPages_t::packet_num migration: Simplify initial conditionals in migration for better readability Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-16meson: mitigate against use of uninitialize stack for exploitsDaniel P. Berrangé
When variables are used without being initialized, there is potential to take advantage of data that was pre-existing on the stack from an earlier call, to drive an exploit. It is good practice to always initialize variables, and the compiler can warn about flaws when -Wuninitialized is present. This warning, however, is by no means foolproof with its output varying depending on compiler version and which optimizations are enabled. The -ftrivial-auto-var-init option can be used to tell the compiler to always initialize all variables. This increases the security and predictability of the program, closing off certain attack vectors, reducing the risk of unsafe memory disclosure. While the option takes several possible values, using 'zero' is considered to be the option that is likely to lead to semantically correct or safe behaviour[1]. eg sizes/indexes are not likely to lead to out-of-bounds accesses when initialized to zero. Pointers are less likely to point something useful if initialized to zero. Even with -ftrivial-auto-var-init=zero set, GCC will still issue warnings with -Wuninitialized if it discovers a problem, so we are not loosing diagnostics for developers, just hardening runtime behaviour and making QEMU behave more predictably in case of hitting bad codepaths. [1] https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html Signed-off-by: "Daniel P. Berrangé" <berrange@redhat.com> Message-ID: <20240103123414.2401208-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-01-16meson: mitigate against ROP exploits with -fzero-call-used-regsDaniel P. Berrangé
To quote wikipedia: "Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing. In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine's memory, called "gadgets". Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks." QEMU is by no means perfect with an ever growing set of CVEs from flawed hardware device emulation, which could potentially be exploited using ROP techniques. Since GCC 11 there has been a compiler option that can mitigate against this exploit technique: -fzero-call-user-regs To understand it refer to these two resources: https://www.jerkeby.se/newsletter/posts/rop-reduction-zero-call-user-regs/ https://gcc.gnu.org/pipermail/gcc-patches/2020-August/552262.html I used two programs to scan qemu-system-x86_64 for ROP gadgets: https://github.com/0vercl0k/rp https://github.com/JonathanSalwan/ROPgadget When asked to find 8 byte gadgets, the 'rp' tool reports: A total of 440278 gadgets found. You decided to keep only the unique ones, 156143 unique gadgets found. While the ROPgadget tool reports: Unique gadgets found: 353122 With the --ropchain argument, the latter attempts to use the found gadgets to product a chain that can execute arbitrary syscalls. With current QEMU it succeeds in this task, which is an undesirable situation. With QEMU modified to use -fzero-call-user-regs=used-gpr the 'rp' tool reports A total of 528991 gadgets found. You decided to keep only the unique ones, 121128 unique gadgets found. This is 22% fewer unique gadgets While the ROPgadget tool reports: Unique gadgets found: 328605 This is 7% fewer unique gadgets. Crucially though, despite this more modest reduction, the ROPgadget tool is no longer able to identify a chain of gadgets for executing arbitrary syscalls. It fails at the very first step, unable to find gadgets for populating registers for a future syscall. Having said that, more advanced tools do still manage to put together a viable ROP chain. Also this only takes into account QEMU code. QEMU links to many 3rd party shared libraries and ideally all of them would be compiled with this same hardening. That becomes a distro policy question though. In terms of performance impact, TCG was used as an evaluation test case. We're not interested in protecting TCG since it isn't designed to provide a security barrier, but it is performance sensitive code, so useful as a guide to how other areas of QEMU might be impacted. With the -fzero-call-user-regs=used-gpr argument present, using the real world test of booting a linux kernel and having init immediately poweroff, there is a ~1% slow down in performance under TCG. The QEMU binary size also grows by approximately 1%. By comparison, using the more aggressive -fzero-call-user-regs=all, results in a slowdown of over 25% in TCG, which is clearly not an acceptable impact, and a binary size increase of 5%. Considering that 'used-gpr' successfully stopped ROPgadget assembling a chain, this more targeted protection is a justifiable hardening / performance tradeoff. Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: "Daniel P. Berrangé" <berrange@redhat.com> Message-ID: <20240103123414.2401208-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-01-16qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutesThomas Huth
The npcm7xx_watchdog_timer-test can take more than 60 seconds in SPEED=slow mode on a loaded host system. Bumping to 2 minutes will give more headroom. Message-ID: <20240112164717.1063954-1-thuth@redhat.com> Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-01-16tests/qtest/npcm7xx_watchdog_timer: Only test the corner cases by defaultThomas Huth
The test_prescaler() part in the npcm7xx_watchdog_timer test is quite repetitive, testing all possible combinations of the WTCLK and WTIS bitfields. Since each test spins up a new instance of QEMU, this is rather an expensive test, especially on loaded host systems. For the normal quick test mode, it should be sufficient to test the corner settings of these fields (i.e. 0 and 3), so we can speed up this test in the default mode quite a bit. Message-ID: <20240115070223.30178-1-thuth@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-01-16tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutesThomas Huth
When running with TCI, the boot-serial-test can take longer than 3 minutes: https://gitlab.com/qemu-project/qemu/-/jobs/5890481086#L4774 Bump the timeout to 4 minutes to avoid CI failures here. Message-ID: <20240115071146.31213-1-thuth@redhat.com> Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-01-16migration/rdma: define htonll/ntohll only if not predefinedNick Briggs
Solaris has #defines for htonll and ntohll which cause syntax errors when compiling code that attempts to (re)define these functions.. Signed-off-by: Nick Briggs <nicholas.h.briggs@gmail.com> Link: https://lore.kernel.org/r/65a04a7d.497ab3.3e7bef1f@gateway.sonic.net Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Further move virtio to be feature of migrationPeter Xu
Move it one layer down, so taking Virtio-migration as a feature for migration. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-11-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Further move vfio to be feature of migrationPeter Xu
Move it one layer down, so taking VFIO-migration as a feature for migration. Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Cédric Le Goater <clg@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-10-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Organize "Postcopy" pagePeter Xu
Reorganize the page, moving things around, and add a few headlines ("Postcopy internals", "Postcopy features") to cover sub-areas. Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-9-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Split "dirty limit"Peter Xu
Split that into a separate file, put under "features". Cc: Yong Huang <yong.huang@smartx.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-8-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Split "Postcopy"Peter Xu
Split postcopy into a separate file. Introduce a head page "features.rst" to keep all the features on top of migration framework. Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-7-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Split "Debugging" and "Firmware"Peter Xu
Move the two sections into a separate file called "best-practices.rst". Add the entry into index. Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-6-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Split "Backwards compatibility" separatelyPeter Xu
Split the section from main.rst into a separate file. Reference it in the index.rst. Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-5-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Convert virtio.txt into rSTPeter Xu
Convert the plain old .txt into .rst, add it into migration/index.rst. Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-4-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Create index pagePeter Xu
Create an index page for migration module. Move VFIO migration there too. A trivial touch-up on the title to use lower case there. Since then we'll have "migration" as the top title, make the main doc file renamed to "migration framework". Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Cédric Le Goater <clg@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-3-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16docs/migration: Create migration/ directoryPeter Xu
Migration documentation is growing into a single file too large. Create a sub-directory for it for a split. We also already have separate vfio/virtio documentations, move it all over into the directory. Note that the virtio one is still not yet converted to rST. That is a job for later. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Cédric Le Goater <clg@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Link: https://lore.kernel.org/r/20240109064628.595453-2-peterx@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16tests/qtest: Re-enable multifd cancel testFabiano Rosas
We've found the source of flakiness in this test, so re-enable it. Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de> Link: https://lore.kernel.org/r/20230606144551.24367-4-farosas@suse.de [peterx: rebase to 2a61a6964c, to use migration_test_add()] Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16tests/qtest/migration: Use the new migration_test_addFabiano Rosas
Replace the tests registration with the new function that prints tests names. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-8-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16tests/qtest/migration: Add a wrapper to print test namesFabiano Rosas
Our usage of gtest results in us losing the very basic functionality of "knowing which test failed". The issue is that gtest only prints test names ("paths" in gtest parlance) once the test has finished, but we use asserts in the tests and crash gtest itself before it can print anything. We also use a final abort when the result of g_test_run is not 0. Depending on how the test failed/broke we can see the function that trigged the abort, which may be representative of the test, but it could also just be some generic function. We have been relying on the primitive method of looking at the name of the previous successful test and then looking at the code to figure out which test should have come next. Add a wrapper to the test registration that does the job of printing the test name before running. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-7-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16tests/qtest/migration: Print migration incoming errorsFabiano Rosas
We're currently just asserting when incoming migration fails. Let's print the error message from QMP as well. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-6-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16migration: Report error in incoming migrationFabiano Rosas
We're not currently reporting the errors set with migrate_set_error() when incoming migration fails. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-5-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16migration/multifd: Change multifd_pages_init argumentFabiano Rosas
The 'size' argument is actually the number of pages that fit in a multifd packet. Change it to uint32_t and rename. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-4-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16migration/multifd: Remove QEMUFile from where it is not neededFabiano Rosas
Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-3-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16migration/multifd: Remove MultiFDPages_t::packet_numFabiano Rosas
This was introduced by commit 34c55a94b1 ("migration: Create multipage support") and never used. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20240104142144.9680-2-farosas@suse.de Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-16migration: Simplify initial conditionals in migration for better readabilityHet Gala
The inital conditional statements in qmp migration functions is harder to understand than necessary. It is better to get all errors out of the way in the beginning itself to have better readability and error handling. Signed-off-by: Het Gala <het.gala@nutanix.com> Suggested-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Link: https://lore.kernel.org/r/20231205080039.197615-1-het.gala@nutanix.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-01-15tests/qtest: Add STM32L4x5 SYSCFG QTest testcaseInès Varhol
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Arnaud Minier <arnaud.minier@telecom-paris.fr> Signed-off-by: Inès Varhol <ines.varhol@telecom-paris.fr> Message-id: 20240109194438.70934-4-ines.varhol@telecom-paris.fr Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-15hw/arm: Connect STM32L4x5 SYSCFG to STM32L4x5 SoCInès Varhol
The SYSCFG input GPIOs aren't connected yet. When the STM32L4x5 GPIO device will be implemented, its output GPIOs will be connected to the SYSCFG input GPIOs. Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Arnaud Minier <arnaud.minier@telecom-paris.fr> Signed-off-by: Inès Varhol <ines.varhol@telecom-paris.fr> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-id: 20240109194438.70934-3-ines.varhol@telecom-paris.fr Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-15hw/misc: Implement STM32L4x5 SYSCFGInès Varhol
Acked-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Arnaud Minier <arnaud.minier@telecom-paris.fr> Signed-off-by: Inès Varhol <ines.varhol@telecom-paris.fr> Message-id: 20240109194438.70934-2-ines.varhol@telecom-paris.fr Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-15tests/qtest: Add STM32L4x5 EXTI QTest testcaseInès Varhol
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Arnaud Minier <arnaud.minier@telecom-paris.fr> Signed-off-by: Inès Varhol <ines.varhol@telecom-paris.fr> Message-id: 20240109160658.311932-4-ines.varhol@telecom-paris.fr Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-01-15hw/arm: Connect STM32L4x5 EXTI to STM32L4x5 SoCInès Varhol
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Arnaud Minier <arnaud.minier@telecom-paris.fr> Signed-off-by: Inès Varhol <ines.varhol@telecom-paris.fr> Message-id: 20240109160658.311932-3-ines.varhol@telecom-paris.fr Signed-off-by: Peter Maydell <peter.maydell@linaro.org>