aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2015-02-05target-arm: Change reset to highest available ELGreg Bellows
Update to arm_cpu_reset() to reset into the highest available exception level based on the set ARM features. Signed-off-by: Greg Bellows <greg.bellows@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1422029835-4696-4-git-send-email-greg.bellows@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-02-05target_arm: Parameterise the irq lines for armv7m_initAlistair Francis
This patch allows the board to specifiy the number of NVIC interrupt lines when using armv7m_init. Signed-off-by: Alistair Francis <alistair23@gmail.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-id: 5a0b0fcc778df0340899f488053acc9493679e03.1422077994.git.alistair23@gmail.com [PMM: removed stale FIXME comment] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-02-05target_arm: Remove memory region init from armv7m_initAlistair Francis
This patch moves the memory region init code from the armv7m_init function to the stellaris_init function Signed-off-by: Alistair Francis <alistair23@gmail.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-id: 4836be7e1d708554d6eb0bc639dc2fbf7dac0458.1422077994.git.alistair23@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-02-04vfio-pci: Fix missing unparent of dynamically allocated MemoryRegionAlex Williamson
Commit d8d95814609e added explicit object_unparent() calls for dynamically allocated MemoryRegions. The VFIOMSIXInfo structure also contains such a MemoryRegion, covering the mmap'd region of a PCI BAR above the MSI-X table. This structure is freed as part of the class exit function and therefore also needs an explicit object_unparent(). Failing to do this results in random segfaults due to fields within the structure, often the class pointer, being reclaimed and corrupted by the time object_finalize_child_property() is called for the object. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org # 2.2
2015-02-04vfio: fix wrong initialize vfio_group_listChen Fan
Signed-off-by: Chen Fan <chen.fan.fnst@cn.fujitsu.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2015-02-03Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150203' into stagingPeter Maydell
Some bugfixes and cleanups for s390x, both in the new pci code and in old code. # gpg: Signature made Tue 03 Feb 2015 13:01:04 GMT using RSA key ID C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" * remotes/cohuck/tags/s390x-20150203: pc-bios/s390-ccw: update binary pc-bios/s390-ccw: fix sparse warnings s390x/ipl: Improved code indentation in s390_ipl_init() s390x/kvm: unknown DIAGNOSE code should give a specification exception s390x/kvm: Fix diag-308 register decoding s390x/pci: fix dma notifications in rpcit instruction s390x/pci: check for invalid function handle s390x/pci: avoid sign extension in stpcifc s390: Plug memory leak on s390_pci_generate_event() error path Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-02-03s390x/ipl: Improved code indentation in s390_ipl_init()Thomas Huth
The indentation of the code in s390_ipl_init() can be simplified a little bit by removing superfluous else-statements. Suggested-by: Michael Mueller <mimu@linux.vnet.ibm.com> Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-02-03s390x/pci: fix dma notifications in rpcit instructionYi Min Zhao
The virtual I/O address range passed to rpcit instruction might not map to consecutive physical guest pages. For this we have to translate and create mapping notifications for each vioa page separately. Signed-off-by: Yi Min Zhao <zyimin@cn.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-02-03s390x/pci: check for invalid function handleFrank Blaschka
broken guest may provide 0 (invalid) function handle to zpci instructions. Since we use function handle 0 to indicate an empty slot in the PHB we have to add an additional check to spot this kind of error. Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-02-03s390x/pci: avoid sign extension in stpcifcFrank Blaschka
This patch avoids sign extension and fixes a data conversion bug in stpcifc. Both issues where found by Coverity. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Frank Blaschka <blaschka@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-02-03s390: Plug memory leak on s390_pci_generate_event() error pathMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-02-02scsi: Fix scsi_req_cancel_async for no aiocb reqFam Zheng
scsi_req_cancel_complete is responsible for releasing the request, so we shouldn't skip it in any case. This doesn't affect the only existing caller, virtio-scsi, but is useful for other devices once they use it. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-02rcu: add rcu libraryPaolo Bonzini
This includes a (mangled) copy of the liburcu code. The main changes are: 1) removing dependencies on many other header files in liburcu; 2) removing for simplicity the tentative busy waiting in synchronize_rcu, which has limited performance effects; 3) replacing futexes in synchronize_rcu with QemuEvents for Win32 portability. The API is the same as liburcu, so it should be possible in the future to require liburcu on POSIX systems for example and use our copy only on Windows. Among the various versions available I chose urcu-mb, which is the least invasive implementation even though it does not have the fastest rcu_read_{lock,unlock} implementation. The urcu flavor can be changed later, after benchmarking. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-27Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pci, pc, virtio fixes and cleanups A bunch of fixes all over the place. Also, beginning to generalize acpi build code for reuse by ARM. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Tue 27 Jan 2015 13:12:25 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: pc-dimm: Add Error argument to pc_existing_dimms_capacity pc-dimm: Make pc_existing_dimms_capacity global pc: Fix DIMMs capacity calculation smbios: Don't report unknown CPU speed (fix SVVP regression) smbios: Fix dimm size calculation when RAM is multiple of 16GB bios-linker-loader: move source to common location bios-linker-loader: move header to common location virtio: fix feature bit checks bios-tables-test: split piix4 and q35 tests acpi: build_append_nameseg(): add padding if necessary acpi: update generated hex files acpi-test: update expected DSDT pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled pci: Split pcie_host_mmcfg_map() Add some trace calls to pci.c. ich9: add disable_s3, disable_s4, s4_val properties Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-27pc-dimm: Add Error argument to pc_existing_dimms_capacityBharata B Rao
Now that pc_existing_dimms_capacity() is an API, include Error pointer as an argument and modify the caller appropriately. Suggested-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com>
2015-01-27pc-dimm: Make pc_existing_dimms_capacity globalBharata B Rao
Move pc_existing_dimms_capacity() to pc-dimm.c since it would be needed by PowerPC memory hotplug code too. Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27pc: Fix DIMMs capacity calculationBharata B Rao
pc_existing_dimms_capacity() is returning DIMMs count rather than capacity. Fix this to return the capacity. Also consider only realized devices for capacity calculation. Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27smbios: Don't report unknown CPU speed (fix SVVP regression)Eduardo Habkost
SVVP requires processor speed on Type 4 structures to not be unknown. This was fixed in SeaBIOS 0.5.0 (in 2009), but the bug was reintroduced in QEMU 2.1. Revert to old behavior and report CPU speed as 2000 MHz instead of unknown. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-27smbios: Fix dimm size calculation when RAM is multiple of 16GBEduardo Habkost
The Memory Device size calculation logic is broken when the RAM size is a multiple of 16GB, making the size of the last entry be 0 instead of 16GB. Fix the logic to handle that case correctly. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-27bios-linker-loader: move source to common locationMichael S. Tsirkin
There are plans to use bios linker by MIPS, ARM. It's only used by ACPI ATM, so put it in hw/acpi and make it depend on CONFIG_ACPI. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27bios-linker-loader: move header to common locationMichael S. Tsirkin
Will be usable by MIPS, ARM. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27virtio: fix feature bit checksCornelia Huck
Several places check against the feature bit number instead of against the feature bit. Fix them. Cc: qemu-stable@nongnu.org Reported-by: Thomas Huth <thuth@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27acpi: build_append_nameseg(): add padding if necessaryIgor Mammedov
According to ACPI spec NameSeg shorter than 4 characters must be padded up to 4 characters with "_" symbol. ACPI 5.0: 20.2.2 "Name Objects Encoding" Do it in build_append_nameseg() so that caller shouldn't know or care about it. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-27acpi: update generated hex filesMichael S. Tsirkin
Previous patch pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled changed DSDT, update hex files for non-iasl builds. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-26pc: acpi: fix WindowsXP BSOD when memory hotplug is enabledIgor Mammedov
ACPI parser in XP considers PNP0A06 devices of CPU and memory hotplug as duplicates. Adding unique _UID to CPU hotplug device fixes BSOD. Cc: qemu-stable@nongnu.org Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-26pci: Split pcie_host_mmcfg_map()Alexander Graf
The mmcfg space is a memory region that allows access to PCI config space in the PCIe world. To maintain abstraction layers, I would like to expose the mmcfg space as a sysbus mmio region rather than have it mapped straight into the system's memory address space though. So this patch splits the initialization of the mmcfg space from the actual mapping, allowing us to only have an mmfg memory region without the map. Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
2015-01-26Add some trace calls to pci.c.Don Koch
Signed-off-by: Don Koch <dkoch@verizon.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-01-26ich9: add disable_s3, disable_s4, s4_val propertiesAmit Shah
PIIX4 has disable_s3 and disable_s4 properties to enable or disable PM functions. Add such properties to the ICH9 chipset as well for the Q35 machine type. S3 / S4 are not guaranteed to always work (needs work in the guest as well as QEMU for things to work properly), and disabling advertising of these features ensures guests don't go into zombie state if something isn't working right. The defaults are kept the same as in PIIX4: both S3 and S4 are enabled by default. These can be disabled via the cmdline: ... -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 Note: some guests can fake hibernation by writing a hibernate image and doing a shutdown instead of S4 if S4 isn't available; there's nothing we can do guests to stop doing this, and this patch can't affect that functionality. Signed-off-by: Amit Shah <amit.shah@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2015-01-26Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
- Many fixes from the floor as usual - New "edu" device (v1->v2: fix 32-bit compilation) - Disabling HLE and RTM on Haswell & Broadwell - kvm_stat updates - Added --enable-modules to Travis, in preparation for switching the default # gpg: Signature made Mon 26 Jan 2015 11:44:40 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: kvm_stat: Add RESET support for perf event ioctl target-i386: Disable HLE and RTM on Haswell & Broadwell sparse: Fix build with sparse on .S files exec: fix madvise of NULL pointer .travis.yml: Add "--enable-modules" apic: do not dereference pointer before it is checked for NULL kvm_stat: Print errno when syscall to perf_event_open() fails kvm_stat: Update exit reasons to the latest defintion kvm_stat: Add aarch64 support hw: misc, add educational driver vmstate: accept QEMUTimer in VMSTATE_TIMER*, add VMSTATE_TIMER_PTR* qemu-timer: introduce timer_deinit qemu-timer: add timer_init and timer_init_ns/us/ms target-i386: make xmm_regs 512-bit wide target-i386: use vmstate_offset_sub_array for AVX registers tests/multiboot: Add test for modules multiboot: Fix offset of bootloader name tests/multiboot: Update reference output pc: fix KVM features in pc-1.3 and earlier machine types Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-26target-i386: Disable HLE and RTM on Haswell & BroadwellEduardo Habkost
All Haswell CPUs and some Broadwell CPUs were updated by Intel to have the HLE and RTM features disabled. This will prevent "-cpu Haswell,enforce" and "-cpu Broadwell,enforce" from running out of the box on those CPUs. Disable those features by default on Broadwell and Haswell CPU models, starting on pc-*-2.3. Users who want to use those features can enable them explicitly on the command-line. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-26apic: do not dereference pointer before it is checked for NULLPaolo Bonzini
Right now you only get to apic_init_reset if you have an APIC (do_cpu_init is reached only if CPU_INTERRUPT_INIT is set and that only happens in hw/intc/apic.c). However, this is wrong because for example a port 92 or keyboard controller reset is really an INIT, and that can happen also with no APIC. So keep the check and fix the error that Coverity reported. Reported-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-26hw: misc, add educational driverJiri Slaby
I am using qemu for teaching the Linux kernel at our university. I wrote a simple PCI device that can answer to writes/reads, generate interrupts and perform DMA. As I am dragging it locally over 2 years, I am sending it to you now. Signed-off-by: Jiri Slaby <jslaby@suse.cz> [Fix 32-bit compilation. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-26vmstate: accept QEMUTimer in VMSTATE_TIMER*, add VMSTATE_TIMER_PTR*Paolo Bonzini
Old users of VMSTATE_TIMER* are mechanically changed to VMSTATE_TIMER_PTR variants. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-26multiboot: Fix offset of bootloader nameKevin Wolf
This fixes a bug introduced in commit 5eba5a66 ('Add bootloader name to multiboot implementation'). The calculation of the bootloader name offset didn't consider space occupied by module command lines, so some unlucky module got its command line partially overwritten with a "qemu" string. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-26pc: fix KVM features in pc-1.3 and earlier machine typesPaolo Bonzini
Due to a typo, instead of disabling KVM_FEATURE_PV_EOI (bit 6) these machine types are disabling bits 1 and 2, which are KVM_FEATURE_NOP_IO_DELAY and KVM_FEATURE_MMU_OP. Not a big deal because they aren't very important and KVM_FEATURE_MMU_OP is disabled anyway. The worst part is actually that KVM_FEATURE_PV_EOI is remaining enabled. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-23virtio-blk: Use blk_aio_ioctlFam Zheng
Use the asynchronous interface of ioctl. This will not make the VM unresponsive if the ioctl takes a long time. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2015-01-23virtio-blk: Pass req to virtio_blk_handle_scsi_reqFam Zheng
In preparation for calling blk_aio_ioctl. Also make the function static as no other files need it. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2015-01-22Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20150122-1' ↵Peter Maydell
into staging b16: fix interrupt acknowledgement # gpg: Signature made Thu 22 Jan 2015 11:38:29 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-audio-20150122-1: sb16: fix interrupt acknowledgement Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-22hw/input/hid.c Fix capslock hid codeDinar Valeev
When ever USB keyboard is used, e.g. '-usbdevice keyboard' pressing caps lock key send 0x32 hid code, which is treated as backslash. Instead it should be 0x39 code. This affects sending uppercase keys, as they typed whith caps lock active. While on x86 this can be workarounded by using ps/2 protocol. On Power it is crusial as we don't have anything else than USB. This is fixes guest automation tasts over vnc. Signed-off-by: Dinar Valeev <dvaleev@suse.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-22hid: handle full ptr queues in post_loadGerd Hoffmann
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Tested-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-01-22sb16: fix interrupt acknowledgementPaolo Bonzini
SoundBlaster 16 emulation is very broken and consumes a lot of CPU, but a small fix was suggested offlist and it is enough to fix some games. I got Epic Pinball to work with the "SoundBlaster Clone" option. The processing of the interrupt register is wrong due to two missing "not"s. This causes the interrupt flag to remain set even after the Acknowledge ports have been read (0x0e and 0x0f). The line was introduced by commit 85571bc (audio merge (malc), 2004-11-07), but the code might have been broken before because I did not look closely at the huge patches from 10 years ago. Reported-by: Joshua Bair <j_bair@bellsouth.net> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-20Add device listener interfacePaul Durrant
The Xen ioreq-server API, introduced in Xen 4.5, requires that PCI device models explicitly register with Xen for config space accesses. This patch adds a listener interface into qdev-core which can be used by the Xen interface code to monitor for arrival and departure of PCI devices. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-19ui: Add dpy_gfx_check_format() to check backend shared surface supportBenjamin Herrenschmidt
This allows VGA to decide whether to use a shared surface based on whether the UI backend supports the format or not. Backends that don't provide the new callback fallback to native 32 bpp which is equivalent to what was supported before. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> [ kraxel: fix console check, allow only 32 bpp as fallback ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-16fw_cfg: fix endianness in fw_cfg_data_mem_read() / _write()Laszlo Ersek
(1) Let's contemplate what device endianness means, for a memory mapped device register (independently of QEMU -- that is, on physical hardware). It determines the byte order that the device will put on the data bus when the device is producing a *numerical value* for the CPU. This byte order may differ from the CPU's own byte order, therefore when software wants to consume the *numerical value*, it may have to swap the byte order first. For example, suppose we have a device that exposes in a 2-byte register the number of sheep we have to count before falling asleep. If the value is decimal 37 (0x0025), then a big endian register will produce [0x00, 0x25], while a little endian register will produce [0x25, 0x00]. If the device register is big endian, but the CPU is little endian, the numerical value will read as 0x2500 (decimal 9472), which software has to byte swap before use. However... if we ask the device about who stole our herd of sheep, and it answers "XY", then the byte representation coming out of the register must be [0x58, 0x59], regardless of the device register's endianness for numeric values. And, software needs to copy these bytes into a string field regardless of the CPU's own endianness. (2) QEMU's device register accessor functions work with *numerical values* exclusively, not strings: The emulated register's read accessor function returns the numerical value (eg. 37 decimal, 0x0025) as a *host-encoded* uint64_t. QEMU translates this value for the guest to the endianness of the emulated device register (which is recorded in MemoryRegionOps.endianness). Then guest code must translate the numerical value from device register to guest CPU endianness, before including it in any computation (see (1)). (3) However, the data register of the fw_cfg device shall transfer strings *only* -- that is, opaque blobs. Interpretation of any given blob is subject to further agreement -- it can be an integer in an independently determined byte order, or a genuine string, or an array of structs of integers (in some byte order) and fixed size strings, and so on. Because register emulation in QEMU is integer-preserving, not string-preserving (see (2)), we have to jump through a few hoops. (3a) We defined the memory mapped fw_cfg data register as DEVICE_BIG_ENDIAN. The particular choice is not really relevant -- we picked BE only for consistency with the control register, which *does* transfer integers -- but our choice affects how we must host-encode values from fw_cfg strings. (3b) Since we want the fw_cfg string "XY" to appear as the [0x58, 0x59] array on the data register, *and* we picked DEVICE_BIG_ENDIAN, we must compose the host (== C language) value 0x5859 in the read accessor function. (3c) When the guest performs the read access, the immediate uint16_t value will be 0x5958 (in LE guests) and 0x5859 (in BE guests). However, the uint16_t value does not matter. The only thing that matters is the byte pattern [0x58, 0x59], which the guest code must copy into the target string *without* any byte-swapping. (4) Now I get to explain where I screwed up. :( When we decided for big endian *integer* representation in the MMIO data register -- see (3a) --, I mindlessly added an indiscriminate byte-swizzling step to the (little endian) guest firmware. This was a grave error -- it violates (3c) --, but I didn't realize it. I only saw that the code I otherwise intended for fw_cfg_data_mem_read(): value = 0; for (i = 0; i < size; ++i) { value = (value << 8) | fw_cfg_read(s); } didn't produce the expected result in the guest. In true facepalm style, instead of blaming my guest code (which violated (3c)), I blamed my host code (which was correct). Ultimately, I coded ldX_he_p() into fw_cfg_data_mem_read(), because that happened to work. Obviously (...in retrospect) that was wrong. Only because my host happened to be LE, ldX_he_p() composed the (otherwise incorrect) host value 0x5958 from the fw_cfg string "XY". And that happened to compensate for the bogus indiscriminate byte-swizzling in my guest code. Clearly the current code leaks the host endianness through to the guest, which is wrong. Any device should work the same regardless of host endianness. The solution is to compose the host-endian representation (2) of the big endian interpretation (3a, 3b) of the fw_cfg string, and to drop the wrong byte-swizzling in the guest (3c). Brown paper bag time for me. Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1420024880-15416-1-git-send-email-lersek@redhat.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-15blizzard: do not depend on VGA internalsPaolo Bonzini
There is nothing that is used by this ARM-specific device. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-01-15vt82c686: avoid out-of-bounds readPaolo Bonzini
superio_ioport_readb can read the 256th element of the array. Coverity reports an out-of-bounds write in superio_ioport_writeb, but it does not show the corresponding out-of-bounds read because it cannot prove that it can happen. Fix the root cause of the problem (zhanghailang's patch instead fixes the logic in superio_ioport_writeb). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: zhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Cc: qemu-stable@nongnu.org
2015-01-14Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
Mostly bugfixes and cleanups from qemu-devel. Yet another small patch from the record/replay series, and a few SCSI and i386 patches as well. # gpg: Signature made Wed 14 Jan 2015 09:39:14 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: cpus: consistently use QEMU_CLOCK_VIRTUAL_RT for icount_warp_rt timer qemu-timer: rename timer_init to timer_init_tl scsi: fix cancellation when I/O was completed but DMA was not. rules.mak: Fix module build hw/scsi/lsi53c895a: add support for additional diag / debug registers qemu-common.h: optimise muldiv64 if int128 is available target-i386: do not memcpy in and out of xmm_regs target-i386: fix movntsd on big-endian hosts vl.c: fix regression when reading memory size from config file vl: Don't silently change topology when all -smp options were set vl: fix max_cpus check vl: Avoid unnecessary 'if' nesting 9pfs: changed to use event_notifier instead of qemu_pipe vl.c: fix regression when reading machine type from config file char: restore stdio echo on resume from suspend. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-14scsi: fix cancellation when I/O was completed but DMA was not.Paolo Bonzini
Commit d577646 (scsi: Introduce scsi_req_cancel_complete, 2014-09-25) was supposed to have no semantic change, but it missed a case. When r->aiocb has already been NULLed, but DMA was not complete and the SCSI layer was waiting for scsi_req_continue, after the patch the SCSI layer will not call the .cancel callback of SCSIBusInfo. Fixes: d5776465ee9a55815792efa34d79de240f4ffd99 Cc: qemu-stable@nongnu.org Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-14hw/scsi/lsi53c895a: add support for additional diag / debug registersPeter Lieven
Some ancient Linux kernels read from registers 0x09 and 0x3c-3f during boot. According to the spec these registers are for diag and debug purposes only. If they are absend qemu aborts on read. Signed-off-by: Peter Lieven <pl@kamp.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-13Merge remote-tracking branch 'remotes/sstabellini/xen-2015-01-13' into stagingPeter Maydell
* remotes/sstabellini/xen-2015-01-13: xen-hvm: increase maxmem before calling xc_domain_populate_physmap xen-pt: Fix PCI devices re-attach failed Signed-off-by: Peter Maydell <peter.maydell@linaro.org>