path: root/hw
Age | Commit message | Author
2018-04-10 | sam460ex: Fix timer frequency and clock multipliers | BALATON Zoltan

We only emulate timer running at CPU frequency which is what most guests expect so set the frequency to match real hardware. This also allows setting clock multipliers which caused slowdown previously due to wrong timer frequency.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-04-10 | spapr: Initialize reserved areas list in FDT in H_CAS handler | Alexey Kardashevskiy

At the moment the device tree produced by the H_CAS handler has no reserved map initialized at all which is not correct as at least one empty record is required to be present as a marker of the end. This does not cause problems now as the only consumer is SLOF which does not look at the reserved map area.

However when DTC's "Improve libfdt's memory safety" changeset hits the QEMU upstream, there will be errors reported and crashes observed.

This fixes the problem by adding an empty entry to the reserved map, just like create_device_tree() does already.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-04-10 | hw/misc/macio: Fix crash when listing device properties of macio device | Thomas Huth

The macio-newworld device can currently be used to abort QEMU unexpectedly:

    $ ppc-softmmu/qemu-system-ppc -S -M ref405ep,accel=qtest -qmp stdio
    {"QMP": {"version": {"qemu": {"micro": 50, "minor": 11, "major": 2}, "package": "build-all"}, "capabilities": []}}
    { 'execute': 'qmp_capabilities' }
    {"return": {}}
    { 'execute': 'device-list-properties', 'arguments': {'typename': 'macio-newworld'}}
    Unexpected error in qemu_chr_fe_init() at chardev/char-fe.c:222:
    Device 'serial0' is in use
    Aborted (core dumped)

qdev properties should be set during realize(), not during instance_init(), so move the related code there to fix this problem.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-04-09 | Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180409' into staging | Peter Maydell

Fixes for s390x: kvm, vfio-ccw, ipl code, bios. Includes a rebuild of s390-ccw.img and s390-netboot.img.

# gpg: Signature made Mon 09 Apr 2018 16:08:19 BST
# gpg: using RSA key DECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg: aka "Cornelia Huck <cohuck@kernel.org>"
# gpg: aka "Cornelia Huck <cohuck@redhat.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20180409:
  s390x: load_psw() should only exchange the PSW for KVM
  s390x/mmu: don't overwrite pending exception in mmu translate
  vfio-ccw: fix memory leaks in vfio_ccw_realize()
  pc-bios/s390: update images
  s390: Do not pass inofficial IPL type to the guest
  s390: Ensure IPL from SCSI works as expected
  s390: Refactor IPL parameter block generation
  s390x/kvm: call cpu_synchronize_state() on every kvm_arch_handle_exit()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-04-09 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell

Miscellaneous bugfixes, including crash fixes from Alexey, Peter M. and Thomas.

# gpg: Signature made Mon 09 Apr 2018 15:37:15 BST
# gpg: using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  Add missing bit for SSE instr in VEX decoding
  maint: Add .mailmap entries for patches claiming list authorship
  dump: Fix build with newer gcc
  device-crash-test: Remove fixed isa-fdc entry
  qemu-pr-helper: Write pidfile more often
  qemu-pr-helper: Daemonize before dropping privileges
  virtio-serial: fix heapover-flow
  kvmclock: fix clock_is_reliable on migration from QEMU < 2.9
  hw/dma/i82374: Avoid double creation of the 82374 controller
  hw/scsi: support SCSI-2 passthrough without PI
  scsi-disk: allow customizing the SCSI version
  scsi-disk: Don't enlarge min_io_size to max_io_size
  configure: Add missing configure options to help text
  i386/hyperv: error out if features requested but unsupported
  i386/hyperv: add hv-frequencies cpu property
  target/i386: WHPX: set CPUID_EXT_HYPERVISOR bit
  memfd: fix vhost-user-test on non-memfd capable host
  scripts/checkpatch.pl: Bug fix
  target/i386: Fix andn instruction
  sys_membarrier: fix up include directives

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-04-09 | Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging | Peter Maydell

virtio,vhost: fixes

Add a feature flag for new protocol messages. Misc fixes.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 09 Apr 2018 15:37:29 BST
# gpg: using RSA key 281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream:
  virtio-serial: fix heap-over-flow
  vhost: Allow adjoining regions
  contrib/libvhost-user: add the protocol feature used for SET/GET message
  vhost-user: back SET/GET_CONFIG requests with a protocol feature
  vhost-user-blk: set config ops before vhost-user init

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-04-09 | virtio-serial: fix heapover-flow | linzhecheng

Check device having the feature of VIRTIO_CONSOLE_F_EMERG_WRITE before get config->emerg_wr. It is necessary because sizeof(virtio_console_config) is 8 bytes if VirtIOSerial doesn't have the feature of VIRTIO_CONSOLE_F_EMERG_WRITE (see virtio_serial_device_realize), read/write emerg_wr will lead to heap-over-flow.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-Id: <20180328133435.20112-1-linzhecheng@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | kvmclock: fix clock_is_reliable on migration from QEMU < 2.9 | Michael Chapman

When migrating from a pre-2.9 QEMU, no clock_is_reliable flag is transferred. We should assume that the source host has an unreliable KVM_GET_CLOCK, rather than using whatever was determined locally, to ensure that any drift from the TSC-based value calculated by the guest is corrected.

Signed-off-by: Michael Chapman <mike@very.puzzling.org>
Message-Id: <20180406053406.774-1-mike@very.puzzling.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | hw/dma/i82374: Avoid double creation of the 82374 controller | Philippe Mathieu-Daudé

QEMU fails when used with the following command line:

    ./ppc64-softmmu/qemu-system-ppc64 -S -machine 40p -device i82374
    qemu-system-ppc64: hw/isa/isa-bus.c:110: isa_bus_dma: Assertion `!bus->dma[0] && !bus->dma[1]' failed.

The 40p machine type already creates the device i82374. If specified in the command line, it will try to create it again, hence generating the error. The function isa_bus_dma() isn't supposed to be called twice for the same bus. Check the bus doesn't already have a DMA controller registered before creating the device.

Fixes: https://bugs.launchpad.net/qemu/+bug/1721224
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180326153441.32641-2-f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | hw/scsi: support SCSI-2 passthrough without PI | Daniel Henrique Barboza

QEMU SCSI code makes assumptions about how the PROTECT and BYTCHK work in the protocol, denying support for PI (Protection Information) in case the guest OS requests it. However, in SCSI versions 2 and older, there is no PI concept in the protocol.

This means that when dealing with such devices:

- there is no PROTECT bit in byte 5 of the standard INQUIRY response. The whole byte is marked as "Reserved";

- there is no RDPROTECT in byte 2 of READ. We have 'Logical Unit Number' in this field instead;

- there is no VRPROTECT in byte 2 of VERIFY. We have 'Logical Unit Number' in this field instead. This also means that the BYTCHK bit in this case is not related to PI.

Since QEMU does not consider these changes, a SCSI passthrough using a SCSI-2 device will not work. It will mistake these fields with PI information and return Illegal Request SCSI SENSE thinking that the driver is asking for PI support.

This patch fixes it by adding a new attribute called 'scsi_version' that is read from the standard INQUIRY response of passthrough devices. This allows for a version verification before applying conditions related to PI that don't apply for older versions.

Reported-by: Dac Nguyen <dacng@us.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
Message-Id: <20180327211451.14647-1-danielhb@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | scsi-disk: allow customizing the SCSI version | Paolo Bonzini

We would like to have different behavior for passthrough devices depending on the SCSI version they expose. To prepare for that, allow the user of emulated devices to specify the desired SCSI level, and adjust the emulation according to the property value. The next patch will set the level for scsi-block and scsi-generic devices.

Based on a patch by Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | scsi-disk: Don't enlarge min_io_size to max_io_size | Fam Zheng

Some backends report big max_io_sectors. Making min_io_size the same value in this case will make it impossible for guest to align memory, therefore the disk may not be usable at all.

Do not enlarge them when they are zero.

Reported-by: David Gibson <dgibson@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <20180327164141.19075-1-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-04-09 | virtio-serial: fix heap-over-flow | linzhecheng

Check device having the feature of VIRTIO_CONSOLE_F_EMERG_WRITE before get config->emerg_wr. It is necessary because sizeof(virtio_console_config) is 8 bytes if VirtIOSerial doesn't have the feature of VIRTIO_CONSOLE_F_EMERG_WRITE (see virtio_serial_device_realize), read/write emerg_wr will lead to heap-over-flow.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2018-04-09 | vhost: Allow adjoining regions | Dr. David Alan Gilbert

My rework of section adding combines overlapping or adjoining regions, but checks they're actually the same underlying RAM block. Fix the case where two blocks adjoin but don't overlap; that new region should get added (but not combined), but my previous patch was disallowing it.

Fixes: c1ece84e7c9
Reported-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2018-04-09 | vhost-user: back SET/GET_CONFIG requests with a protocol feature | Maxime Coquelin

Without a dedicated protocol feature, QEMU cannot know whether the backend can handle VHOST_USER_SET_CONFIG and VHOST_USER_GET_CONFIG messages.

This patch adds a protocol feature that is only advertised by QEMU if the device implements the config ops. Vhost user init fails if the device supports the feature but the backend doesn't.

The backend should only send VHOST_USER_SLAVE_CONFIG_CHANGE_MSG requests if the protocol feature has been negotiated.

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Changpeng Liu <changpeng.liu@intel.com>
2018-04-09 | vhost-user-blk: set config ops before vhost-user init | Maxime Coquelin

As soon as vhost-user init is done, the backend may send VHOST_USER_SLAVE_CONFIG_CHANGE_MSG, so let's set the notification callback before it.

Also, it will be used to know whether the device supports the config feature to advertize it or not.

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Changpeng Liu <changpeng.liu@intel.com>
2018-04-09 | vfio-ccw: fix memory leaks in vfio_ccw_realize() | Greg Kurz

If the subchannel is already attached or if vfio_get_device() fails, the code jumps to the 'out_device_err' label and doesn't free the string it has just allocated.

The code should be reworked so that vcdev->vdev.name only gets set when the device has been attached, and freed when it is about to be detached. This could be achieved with the addition of a vfio_ccw_get_device() function that would be the counterpart of vfio_put_device(). But this is a more elaborate cleanup that should be done in a follow-up. For now, let's just add calls to g_free() on the buggy error paths.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <152311222681.203086.8874800175539040298.stgit@bahia>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-04-09 | s390: Ensure IPL from SCSI works as expected | Viktor Mihajlovski

Operating systems may request an IPL from a virtio-scsi device by specifying an IPL parameter type of CCW. In this case QEMU won't set up the IPLB correctly. The BIOS will still detect it's a SCSI device to boot from, but it will now have to search for the first LUN and attempt to boot from there. However this may not be the original boot LUN if there's more than one SCSI disk attached to the HBA.

With this change QEMU will detect that the request is for a SCSI device and will rebuild the initial IPL parameter info if it's the SCSI device used for the first boot. In consequence the BIOS can use the boot LUN from the IPL information block.

In case a different SCSI device has been set, the BIOS will find and use the first available LUN.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
Message-Id: <1522940844-12336-3-git-send-email-mihajlov@linux.vnet.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-04-09 | s390: Refactor IPL parameter block generation | Viktor Mihajlovski

Splitting out the CCW device extraction allows reuse.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
Message-Id: <1522940844-12336-2-git-send-email-mihajlov@linux.vnet.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-04-09 | memfd: fix vhost-user-test on non-memfd capable host | Marc-André Lureau

On RHEL7, memfd is not supported, and vhost-user-test fails:

    TEST: tests/vhost-user-test... (pid=10248)
      /x86_64/vhost-user/migrate: qemu-system-x86_64: -object memory-backend-memfd,id=mem,size=2M,: failed to create memfd
    FAIL

There is a qemu_memfd_check() to prevent running memfd path, but it also checks for fallback implementation. Let's specialize qemu_memfd_check() to check memfd only, while qemu_memfd_alloc_check() checks for the qemu_memfd_alloc() API.

Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Tested-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20180328121804.16203-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2018-04-05 | vfio: Use a trace point when a RAM section cannot be DMA mapped | Eric Auger

Commit 567b5b309abe ("vfio/pci: Relax DMA map errors for MMIO regions") added an error message if a passed memory section address or size is not aligned to the page size and thus cannot be DMA mapped.

This patch fixes the trace by printing the region name and the memory region section offset within the address space (instead of offset_within_region).

We also turn the error_report into a trace event. Indeed, in some cases, the traces can be confusing to non expert end-users and let think the use case does not work (whereas it works as before).

This is the case where a BAR is successively mapped at different GPAs and its sections are not compatible with dma map. The listener is called several times and traces are issued for each intermediate mapping. The end-user cannot easily match those GPAs against the final GPA output by lspci. So let's keep those information to informed users. In mid term, the plan is to advise the user about BAR relocation relevance.

Fixes: 567b5b309abe ("vfio/pci: Relax DMA map errors for MMIO regions")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2018-04-03 | hw/s390x: fix memory leak in s390_init_ipl_dev() | Greg Kurz

The string returned by object_property_get_str() is dynamically allocated.

Fixes: 3c4e9baacf4d9
Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <152231460685.69730.14860451936216690693.stgit@bahia.lan>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-03-29 | tpm: CRB: Enforce locality is requested before processing buffer | Stefan Berger

Section 5.5.3.2.2 of the CRB specs states that use of the TPM through the locality control method must first be requested, otherwise the command will be dropped.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2018-03-29 | tpm: CRB: Reset Granted flag when relinquishing locality | Stefan Berger

Reset the Granted flag when relinquishing a locality.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2018-03-29 | tpm: CRB: set the Idle flag by default | Stefan Berger

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2018-03-27 | macio: fix NULL pointer dereference when issuing IDE trim | Mark Cave-Ayland

Commit ef0e64a983 "ide: pass IDEState to trim AIO callback" changed the IDE trim callback from using a BlockBackend to an IDEState but forgot to update the dma_blk_io() call in hw/ide/macio.c accordingly.

Without this fix qemu-system-ppc segfaults when issuing an IDE trim command on any of the PPC Mac machines (easily triggered by running the Debian installer).

Reported-by: Howard Spoelstra <hsp.cat7@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Message-id: 20180223184700.28854-1-mark.cave-ayland@ilande.co.uk
Signed-off-by: John Snow <jsnow@redhat.com>
2018-03-27 | ide: fix invalid TRIM range abortion for macio | Anton Nefedov

commit 947858b0 "ide: abort TRIM operation for invalid range" is incorrect for macio; just ide_dma_error() without doing a callback is not enough for that errorpath.

Instead, pass -EINVAL to the callback and handle it there (see related motivation for read/write in 58ac32113).

It will however catch possible EINVAL from the block layer too.

Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-id: 1520010495-58172-1-git-send-email-anton.nefedov@virtuozzo.com
Signed-off-by: John Snow <jsnow@redhat.com>
2018-03-26 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell

Miscellaneous bugfixes, including crash fixes from Alexey, Peter M. and Thomas.

# gpg: Signature made Mon 26 Mar 2018 13:37:38 BST
# gpg: using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  qemu-pr-helper: Actually allow users to specify pidfile
  chardev/char-fe: Allow NULL chardev in qemu_chr_fe_init()
  iothread: fix breakage on windows
  scsi: turn "is this a SCSI device?" into a conditional hint
  chardev-socket: remove useless if
  tcg: Really fix cpu_io_recompile
  vhost-user-test: add back memfd check
  vhost-user-test: do not hang if chardev creation failed
  scripts/device-crash-test: Remove fixed isapc-with-iommu entry
  hw/audio: Fix crashes when devices are used on ISA bus without DMA
  fdc: Exit if ISA controller does not support DMA
  hw/net/can: Fix segfaults when using the devices without bus
  WHPX improve vcpu_post_run perf
  WHPX fix WHvSetPartitionProperty in PropertyCode
  WHPX fix WHvGetCapability out WrittenSizeInBytes
  scripts/get_maintainer.pl: Print proper error message for missing $file

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-26 | scsi: turn "is this a SCSI device?" into a conditional hint | Paolo Bonzini

If the user does not have permissions to send ioctls to the device (due to SELinux or cgroups, for example), the output can look like

    qemu-kvm: -device scsi-block,drive=disk: cannot get SG_IO version number: Operation not permitted. Is this a SCSI device?

but this is confusing because the ioctl was blocked _before_ the device even received the SG_GET_VERSION_NUM ioctl. Therefore, for EPERM errors the suggestion should be eliminated.

To make that simpler, change the code to use error_append_hint.

Reported-by: Ala Hino <ahino@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-03-26 | hw/audio: Fix crashes when devices are used on ISA bus without DMA | Thomas Huth

The cs4231a, gus and sb16 sound cards crash QEMU when the user tries to instantiate them on a machine with DMA-less ISA bus (for example with "qemu-system-mips64el -M mips -device sb16"). Add proper checks to the realize functions to avoid the crashes.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1521193892-15552-4-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-03-26 | fdc: Exit if ISA controller does not support DMA | Alexey Kardashevskiy

A "powernv" machine type defines an ISA bus but it does not add any DMA controller to it so it is possible to hit assert(fdctrl->dma) by adding "-machine powernv -device isa-fdc".

This replaces assert() with an error message.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
[thuth: Slightly adjusted error message and updated scripts/device-crash-test]
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1521193892-15552-3-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-03-26 | hw/net/can: Fix segfaults when using the devices without bus | Thomas Huth

The CAN devices can currently be used to crash QEMU, e.g.:

    $ x86_64-softmmu/qemu-system-x86_64 -device kvaser_pci
    Segmentation fault (core dumped)

So we've got to add a proper check here that the corresponding bus is available.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1521193892-15552-2-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-03-26 | virtio_net: flush uncompleted TX on reset | Greg Kurz

If the backend could not transmit a packet right away for some reason, the packet is queued for asynchronous sending. The corresponding vq element is tracked in the async_tx.elem field of the VirtIONetQueue, for later freeing when the transmission is complete.

If a reset happens before completion, virtio_net_tx_complete() will push async_tx.elem back to the guest anyway, and we end up with the inuse flag of the vq being equal to -1. The next call to virtqueue_pop() is then likely to fail with "Virtqueue size exceeded".

This can be reproduced easily by starting a guest with a hubport backend that is not connected to a functional network, eg,

    -device virtio-net-pci,netdev=hub0 -netdev hubport,id=hub0,hubid=0

and no other -netdev hubport,hubid=0 on the command line.

The appropriate fix is to ensure that such an asynchronous transmission cannot survive a device reset. So for all queues, we first try to send the packet again, and eventually we purge it if the backend still could not deliver it.

CC: qemu-stable@nongnu.org
Reported-by: R. Nageswara Sastry <nasastry@in.ibm.com>
Buglink: https://github.com/open-power-host-os/qemu/issues/37
Signed-off-by: Greg Kurz <groug@kaod.org>
Tested-by: R. Nageswara Sastry <nasastry@in.ibm.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2018-03-25 | Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180323' into staging | Peter Maydell

target-arm queue:
 * arm/translate-a64: don't lose interrupts after unmasking via write to DAIF
 * sdhci: fix incorrect use of Error *
 * hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses
 * hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15
 * i.MX: Support serial RS-232 break properly
 * mach-virt: Set VM's SMBIOS system version to mc->name
 * target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK
 * target/arm: Factor out code to calculate FSR for debug exceptions
 * target/arm: Set FSR for BKPT, BRK when raising exception
 * target/arm: Always set FAR to a known unknown value for debug exceptions

# gpg: Signature made Fri 23 Mar 2018 18:48:57 GMT
# gpg: using RSA key 3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg: aka "Peter Maydell <pmaydell@gmail.com>"
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20180323:
  target/arm: Always set FAR to a known unknown value for debug exceptions
  target/arm: Set FSR for BKPT, BRK when raising exception
  target/arm: Factor out code to calculate FSR for debug exceptions
  target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK
  mach-virt: Set VM's SMBIOS system version to mc->name
  i.MX: Support serial RS-232 break properly
  hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15
  hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses
  sdhci: fix incorrect use of Error *
  arm/translate-a64: treat DISAS_UPDATE as variant of DISAS_EXIT

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-23 | mach-virt: Set VM's SMBIOS system version to mc->name | Wei Huang

Instead of using "1.0" as the system version of SMBIOS, we should use mc->name for mach-virt machine type to be consistent with other architectures. With this patch, "dmidecode -t 1" (e.g., "-M virt-2.12,accel=kvm") will show:

    Handle 0x0100, DMI type 1, 27 bytes
    System Information
            Manufacturer: QEMU
            Product Name: KVM Virtual Machine
            Version: virt-2.12
            Serial Number: Not Specified
            ...

instead of:

    Handle 0x0100, DMI type 1, 27 bytes
    System Information
            Manufacturer: QEMU
            Product Name: KVM Virtual Machine
            Version: 1.0
            Serial Number: Not Specified
            ...

For backward compatibility, we allow older machine types to keep "1.0" as the default system version.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20180322212318.7182-1-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-23 | i.MX: Support serial RS-232 break properly | Trent Piepho

Linux does not detect a break from this IMX serial driver as a magic sysrq. Nor does it note a break in the port error counts.

The former is because the Linux driver uses the BRCD bit in the USR2 register to trigger the RS-232 break handler in the kernel, which is where sysrq hooks in. The emulated UART was not setting this status bit.

The latter is because the Linux driver expects, in addition to the BRK bit, that the ERR bit is set when a break is read in the FIFO. A break should also count as a frame error, so add that bit too.

Cc: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Message-id: 20180320013657.25038-1-tpiepho@impinj.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-23 | hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15 | Peter Maydell

The BCM2836 uses a Cortex-A7, not a Cortex-A15. Update the device to use the correct CPU.
https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf

When the BCM2836 was introduced (bad5623690b) the Cortex-A7 was not available, so the very similar Cortex-A15 was used. Since dcf578ed8ce we can model the correct core.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180319110215.16755-1-peter.maydell@linaro.org
2018-03-23 | hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses | Peter Maydell

If the GIC has the security extension support enabled, then a non-secure access to ICC_PMR must take account of the non-secure view of interrupt priorities, where real priorities 0x00..0x7f are secure-only and not visible to the non-secure guest, and priorities 0x80..0xff are shown to the guest as if they were 0x00..0xff. We had the logic here wrong:
 * on reads, the priority is in the secure range if bit 7 is clear, not if it is set
 * on writes, we want to set bit 7, not mask everything else

Our ICC_RPR read code had the same error as ICC_PMR.

(Compare the GICv3 spec pseudocode functions ICC_RPR_EL1 and ICC_PMR_EL1.)

Fixes: https://bugs.launchpad.net/qemu/+bug/1748434
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20180315133441.24149-1-peter.maydell@linaro.org
2018-03-23 | sdhci: fix incorrect use of Error * | Paolo Bonzini

Detected by Coverity (CID 1386072, 1386073, 1386076, 1386077). local_err was unused, and this made the static analyzer unhappy.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20180320151355.25854-1-pbonzini@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-23 | hw/rdma: Fix 32-bit compilation | Yuval Shaia

Use the correct printf formats, so that a 32-bit compile doesn't spit out lots of warnings about %lx being incompatible with uint64_t.

Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180322095220.9976-4-yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | hw/rdma: Use correct print format in CHK_ATTR macro | Yuval Shaia

Macro should not cast the given variable to u64 instead it should use the supplied format argument (fmt).

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180322095220.9976-3-yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | hw/rdma: Change host_virt to void * | Yuval Shaia

To avoid compilation warnings on 32-bit machines:

    rdma_backend.c: In function 'rdma_backend_create_mr':
    rdma_backend.c:409:37: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         mr->ibmr = ibv_reg_mr(pd->ibpd, (void *)addr, length, access);

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180322095220.9976-2-yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | hw/rdma: fix clang compilation errors | Marcel Apfelbaum

Fix some enum castings and extra parentheses.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20180321140316.96045-1-marcel@redhat.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
2018-03-23 | rdma: fix up include directives | Michael S. Tsirkin

Our rule right now is to use <> for external headers only. RDMA code violates that, fix it up.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | hw/rdma: Add support for Query QP verb to pvrdma device | Yuval Shaia

This IB verb is needed by some applications - implement it.

Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | hw/rdma: Add Query QP operation | Yuval Shaia

This operation is needed by rdma devices - implement it.

Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
2018-03-23 | s390x/pci: forbid multifunction pci device | Yi Min Zhao

Currently we don't support pci multifunction. If a pci with multifunction is plugged, the guest will spin forever. This patch fixes this.

Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2018-03-22 | Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging | Peter Maydell

Multiboot patches

# gpg: Signature made Wed 21 Mar 2018 14:38:36 GMT
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  tests/multiboot: Add .gitignore
  tests/multiboot: Add tests for the a.out kludge
  tests/multiboot: Test exit code for every qemu run
  multiboot: Check validity of mh_header_addr
  multiboot: Reject kernels exceeding the address space

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-03-21 | multiboot: Check validity of mh_header_addr | Kevin Wolf

I couldn't find a case where this prevents something bad from happening that isn't already caught by other checks, but let's err on the safe side and check that mh_header_addr is as expected.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Jack Schwartz <jack.schwartz@oracle.com>
2018-03-21 | multiboot: Reject kernels exceeding the address space | Kevin Wolf

The code path where mh_load_end_addr is non-zero in the Multiboot header checks that mh_load_end_addr >= mh_load_addr and so mb_load_size is checked. However, mb_load_size is not checked when calculated from the file size, when mh_load_end_addr is 0.

If the kernel binary size is larger than can fit in the address space after load_addr, we ended up with a kernel_size that is smaller than load_size, which means that we read the file into a too small buffer.

Add a check to reject kernel files with such Multiboot headers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Jack Schwartz <jack.schwartz@oracle.com>