path: root/hw
Age | Commit message | Author
2015-12-17 | kvm: x86: add support for KVM_CAP_SPLIT_IRQCHIP | Paolo Bonzini
This patch adds support for split IRQ chip mode. When KVM_CAP_SPLIT_IRQCHIP is enabled:
1.) The PIC, PIT, and IOAPIC are implemented in userspace while the LAPIC is implemented by KVM.
2.) The software IOAPIC delivers interrupts to the KVM LAPIC via kvm_set_irq. Interrupt delivery is configured via the MSI routing table, for which routes are reserved in target-i386/kvm.c then configured in hw/intc/ioapic.c
3.) KVM delivers IOAPIC EOIs via a new exit KVM_EXIT_IOAPIC_EOI, which is handled in target-i386/kvm.c and relayed to the software IOAPIC via ioapic_eoi_broadcast.
Signed-off-by: Matt Gingell <gingell@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | kvm: add support for -machine kernel_irqchip=split | Matt Gingell
This patch adds the initial plumbing for split IRQ chip mode via KVM_CAP_SPLIT_IRQCHIP. In addition to option processing, a number of kvm_*_in_kernel macros are defined to help clarify which component is where. Signed-off-by: Matt Gingell <gingell@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | hw/misc: Hyper-V test device 'hyperv-testdev' | Andrey Smetanin
'hyperv-testdev' will be used by kvm-unit-tests to setup Hyper-V SynIC SINT's routing and to inject Hyper-V SynIC SINT's. Hyper-V test device is ISA type device that creates 0x3000 IO memory region and catches write access into it. Every write operation data decoded into ctl code and parameters for Hyper-V test device. Signed-off-by: Andrey Smetanin <asmetanin@virtuozzo.com> Reviewed-by: Roman Kagan <rkagan@virtuozzo.com> Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Paolo Bonzini <pbonzini@redhat.com> CC: Richard Henderson <rth@twiddle.net> CC: Eduardo Habkost <ehabkost@redhat.com> CC: "Andreas Färber" <afaerber@suse.de> CC: Marcelo Tosatti <mtosatti@redhat.com> CC: Roman Kagan <rkagan@virtuozzo.com> CC: Denis V. Lunev <den@openvz.org> CC: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | linux-headers: update from kvm/next | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: Introduce 'x-disable-pcie' backword compatability property | Shmulik Ladkani
Following the previous patch which changed pvscsi to be a pci express device, this patch introduces a boolean property 'x-disable-pcie'. Its default value is false, exposing pvscsi as a pcie device. Setting 'x-disable-pcie' to 'on' preserves the old 'pci device' (non express) behavior. This allows migration to older versions. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-7-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: The pvscsi device is a PCIE endpoint | Shmulik Ladkani
Report the 'express endpoint' capability if on a PCIE bus. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-6-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: coding: Introduce PVSCSIClass | Shmulik Ladkani
Introduce a class type for pvscsi, and the usual DEVICE_CLASS/DEVICE_GET_CLASS macros. No semantic change. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-5-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: Introduce 'x-old-pci-configuration' backword compatability property | Shmulik Ladkani
Following the previous patches, which introduced various changes in pvscsi's pci configuration space (device subsystem id and revision, msi offset), this patch introduces a boolean property 'x-old-pci-configuration' to pvscsi. Its default value is false, exposing the above changes in the pci config space. Setting 'x-old-pci-configuration' to 'on' preserves the old behavior, which allows migration to older versions. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-4-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: Change offset of msi pci capability | Shmulik Ladkani
Place device reported MSI capability at the same offset as placed by the VMware virtual hardware - at offset 0x7c. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-3-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | vmw_pvscsi: Set device subsystem and revision | Shmulik Ladkani
To be VMware PVSCSI SCSI Controller, rev 02. As reported by the VMware virtual hardware. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Message-Id: <1449994112-7054-2-git-send-email-shmulik.ladkani@ravellosystems.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 | i.MX: Add an i.MX25 specific CCM class/instance | Jean-Christophe Dubois
With this CCM, i.MX25 timer is accurate with "real world time". Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Message-id: 2c0cf90be767bfc8520661eca891ab22c61f18fe.1449528242.git.jcd@tribudubois.net Reviewed-by Peter Crosthwaite <crosthwaite.peter@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | i.MX: Split the CCM class into an abstract base class and a concrete class | Jean-Christophe Dubois
The IMX_CCM class is now the base abstract class that is used by EPIT and GPT timer implementation. IMX31_CCM class is the concrete class implementing CCM for i.MX31 SOC. For now the i.MX25 continues to use the i.MX31 CCM implementation. An i.MX25 specific CCM will be introduced in a later patch. We also rework initialization to stop using deprecated sysbus device init. Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: fd3c7f87b50f5ebc99ec91f01413db35017f116d.1449528242.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | i.MX: rename i.MX CCM get_clock() function and CLK ID enum names | Jean-Christophe Dubois
This is to prepare for CCM code refactoring. This is just a bit of function and enum values renaming. We also remove some useless intermediate variables. Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: 53c4d9b9611988a5f56f178f285e04490747925e.1449528242.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | i.MX: Fix i.MX31 default/reset configuration | Jean-Christophe Dubois
Linux on i.MX31/KZM is expecting the CCM to use the CKIH ref clock instead of the CKIL plus the FPM multiplier. We change the CCMR reg reset value to match linux expected config. This allows the CCM to provide a 39MHz clk (as expected by linux) instead of the actual 50MHz. With this change the "sleep 60" command on linux is time accurate with "real world time". Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: 6dc5bc4e0a450b20cecdb2991112e7281b653345.1449528242.git.jcd@tribudubois.net Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: Virt: Add gpio-keys node for Poweroff using DT | Shannon Zhao
Add a gpio-keys node. This is used for Poweroff for the systems which use DT not ACPI. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Tested-by: Wei Huang <wei@redhat.com> Message-id: 1449804086-3464-11-git-send-email-zhaoshenglong@huawei.com [PMM: use "standard-headers/linux/input.h" rather than <linux/input.h>] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: Virt: Add QEMU powerdown notifier and hook it to GPIO Pin 3 | Shannon Zhao
Currently mach-virt model doesn't support powerdown request. Guest VM doesn't react to system_powerdown from monitor console (or QMP) because there is no communication mechanism for such requests. This patch registers GPIO Pin 3 with powerdown notification. So guest VM can receive notification when such powerdown request is triggered. Signed-off-by: Wei Huang <wei@redhat.com> Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Reviewed-by: Wei Huang <wei@redhat.com> Tested-by: Wei Huang <wei@redhat.com> Message-id: 1449804086-3464-10-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: ACPI: Add _E03 for Power Button | Shannon Zhao
Here GPIO pin 3 is used for Power Button, add _E03 in ACPI DSDT table. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Tested-by: Wei Huang <wei@redhat.com> Message-id: 1449804086-3464-9-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ACPI: Add aml_gpio_int() wrapper for GPIO Interrupt Connection | Shannon Zhao
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Tested-by: Wei Huang <wei@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 1449804086-3464-8-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ACPI: Add GPIO Connection Descriptor | Shannon Zhao
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Tested-by: Wei Huang <wei@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 1449804086-3464-7-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: ACPI: Add power button device in ACPI DSDT table | Shannon Zhao
Add power button device in ACPI DSDT table. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Reviewed-by: Wei Huang <wei@redhat.com> Tested-by: Wei Huang <wei@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 1449804086-3464-6-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: ACPI: Add GPIO controller in ACPI DSDT table | Shannon Zhao
Add GPIO controller in ACPI DSDT table. It can be used for gpio event. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Tested-by: Wei Huang <wei@redhat.com> Message-id: 1449804086-3464-5-git-send-email-zhaoshenglong@huawei.com Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | ARM: Virt: Add a GPIO controller | Shannon Zhao
ACPI 5.0 supports GPIO-signaled ACPI Events. This can be used for powerdown, hotplug events. Add a GPIO controller in machine virt, to support powerdown, maybe can be used for cpu hotplug. And here we use pl061.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Wei Huang <wei@redhat.com>
Tested-by: Wei Huang <wei@redhat.com>
Message-id: 1449804086-3464-4-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | acpi: extend aml_interrupt() to support multiple irqs | Igor Mammedov
ASL Interrupt() macro translates to Extended Interrupt Descriptor which supports variable number of IRQs. It will be used for conversion of ASL code for pc/q35 machines that use it for returning several IRQs in _PSR object. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Message-id: 1449804086-3464-3-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | acpi: support serialized method | Xiao Guangrong
Add serialized method support so that explicit Mutex can be avoided Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com> Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Message-id: 1449804086-3464-2-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | arm: soc-dma: use hwaddr instead of target_ulong in printf | Paolo Bonzini
This is a first baby step towards removing widespread inclusion of cpu.h and compiling more devices once (so that arm, aarch64 and in the future target-multi can share the object files). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: changed __FUNCTION__ to __func__ since we're touching these lines of code anyway] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | arm: explicitly mark device loads as little-endian | Paolo Bonzini
Behaviour of emulated devices should not depend on the endianness of the CPU, so avoid using the endian-dependent load and store functions in the PXA2xx and OMAP display devices. These devices are little endian when they do DMA access. (Since ARM softmmu is always compiled as little endian, this means that the endian-dependent load and store functions are always little endian, so this commit makes no functionally visible change.) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: rewrote commit message] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | i.MX: add support for lower and upper interrupt in GPIO. | Jean-Christophe Dubois
The i.MX6 GPIO device supports 2 interrupts instead of one.
* 1 for the lower 16 GPIOs.
* 1 for the upper 16 GPIOs.
i.MX31 and i.MX25 only support 1 interrupt for the 32 GPIOs. So we add a property to turn the behavior on when required.
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 1447497668-1603-1-git-send-email-jcd@tribudubois.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | Merge remote-tracking branch 'remotes/kraxel/tags/pull-fw-cfg-20151217-1' into staging | Peter Maydell
fw_cfg: doc updates, various optimizations.
# gpg: Signature made Thu 17 Dec 2015 08:59:32 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
* remotes/kraxel/tags/pull-fw-cfg-20151217-1:
  fw_cfg: replace ioport data read with generic method
  fw_cfg: add generic non-DMA read method
  fw_cfg: avoid calculating invalid current entry pointer
  fw_cfg: remove offset argument from callback prototype
  fw_cfg: amend callback behavior spec to once per select
  fw_cfg: move internal function call docs to header file
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-12-17' into staging | Peter Maydell
QAPI patches for 2015-12-17
# gpg: Signature made Thu 17 Dec 2015 07:33:41 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
* remotes/armbru/tags/pull-qapi-2015-12-17: (40 commits)
  qapi: Detect base class loops
  qapi: Move duplicate collision checks to schema check()
  qapi: Enforce (or whitelist) case conventions on qapi members
  qapi: Track enum values by QAPISchemaMember, not string
  qapi: Prepare new QAPISchemaMember base class
  qapi: Shorter visits of optional fields
  qapi: Simplify visits of optional fields
  qapi: Fix alternates that accept 'number' but not 'int'
  qapi: Inline _make_implicit_tag()
  qapi-types: Drop unnedeed ._fwdefn
  qapi: Simplify visiting of alternate types
  qapi: Convert QType into QAPI built-in enum type
  qobject: Rename qtype_code to QType
  qobject: Simplify QObject
  qapi: Change munging of CamelCase enum values
  qapi: Add alias for ErrorClass
  cpu: Convert CpuInfo into flat union
  qapi: Remove obsolete tests for MAX collision
  qapi: Don't let implicit enum MAX member collide
  qapi: Tighten the regex on valid names
  ...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 | qapi: Change munging of CamelCase enum values | Eric Blake
When munging enum values, the fact that we were passing the entire prefix + value through camel_to_upper() meant that enum values spelled with CamelCase could be turned into CAMEL_CASE. However, this provides a potential collision (both OneTwo and One-Two would munge into ONE_TWO) for enum types, when the same two names are valid side-by-side as QAPI member names. By changing the generation of enum constants to always be prefix + '_' + c_name(value, False).upper(), and ensuring that there are no case collisions (in the next patches), we no longer have to worry about names that would be distinct as QAPI members but collide as variant tag names, without having to think about what munging the heuristics in camel_to_upper() will actually perform on an enum value. Making the change will affect enums that did not follow coding conventions, using 'CamelCase' rather than desired 'lower-case'. Thankfully, there are only two culprits: InputButton and ErrorClass. We already tweaked ErrorClass to make it an alias of QapiErrorClass, where only the alias needs changing rather than the whole tree. So the bulk of this change is modifying INPUT_BUTTON_WHEEL_UP to the new INPUT_BUTTON_WHEELUP (and likewise for WHEELDOWN). That part of this commit may later need reverting if we rename the enum constants from 'WheelUp' to 'wheel-up' as part of moving x-input-send-event to a stable interface; but at least we have documentation bread crumbs in place to remind us (commit 513e7cd), and it matches the fact that SDL constants are also spelled SDL_BUTTON_WHEELUP. Suggested by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1447836791-369-27-git-send-email-eblake@redhat.com> [Commit message tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>
2015-12-17 | qapi: Don't let implicit enum MAX member collide | Eric Blake
Now that we guarantee the user doesn't have any enum values beginning with a single underscore, we can use that for our own purposes. Renaming ENUM_MAX to ENUM__MAX makes it obvious that the sentinel is generated. This patch was mostly generated by applying a temporary patch: |diff --git a/scripts/qapi.py b/scripts/qapi.py |index e6d014b..b862ec9 100644 |--- a/scripts/qapi.py |+++ b/scripts/qapi.py |@@ -1570,6 +1570,7 @@ const char *const %(c_name)s_lookup[] = { | max_index = c_enum_const(name, 'MAX', prefix) | ret += mcgen(''' | [%(max_index)s] = NULL, |+// %(max_index)s | }; | ''', | max_index=max_index) then running: $ cat qapi-{types,event}.c tests/test-qapi-types.c | sed -n 's,^// \(.*\)MAX,s|\1MAX|\1_MAX|g,p' > list $ git grep -l _MAX | xargs sed -i -f list The only things not generated are the changes in scripts/qapi.py. Rejecting enum members named 'MAX' is now useless, and will be dropped in the next patch. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1447836791-369-23-git-send-email-eblake@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> [Rebased to current master, commit message tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>
2015-12-15 | fw_cfg: replace ioport data read with generic method | Gabriel L. Somlo
IOPort read access is limited to one byte at a time by fw_cfg_comb_valid(). As such, fw_cfg_comb_read() may safely ignore its size argument (which will always be 1), and simply call its fw_cfg_read() helper function once, returning 8 bits via the least significant byte of a 64-bit return value. This patch replaces fw_cfg_comb_read() with the generic method fw_cfg_data_read(), and removes the unused fw_cfg_read() helper. When called with size = 1, fw_cfg_data_read() acts exactly like fw_cfg_read(), performing the same set of sanity checks, and executing the while loop at most once (subject to the current read offset being within range). Cc: Laszlo Ersek <lersek@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc Marí <markmb@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Message-id: 1446733972-1602-7-git-send-email-somlo@cmu.edu Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | fw_cfg: add generic non-DMA read method | Gabriel L. Somlo
Introduce fw_cfg_data_read(), a generic read method which works on all access widths (1 through 8 bytes, inclusive), and can be used during both IOPort and MMIO read accesses. To maintain legibility, only fw_cfg_data_mem_read() (the MMIO data read method) is replaced by this patch. The new method essentially unwinds the fw_cfg_data_mem_read() + fw_cfg_read() combo, but without unnecessarily repeating all the validity checks performed by the latter on each byte being read. This patch also modifies the trace_fw_cfg_read prototype to accept a 64-bit value argument, allowing it to work properly with the new read method, but also remain backward compatible with existing call sites. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc Marí <markmb@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1446733972-1602-6-git-send-email-somlo@cmu.edu Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | fw_cfg: avoid calculating invalid current entry pointer | Gabriel L. Somlo
When calculating a pointer to the currently selected fw_cfg item, the following is used:

    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];

When s->cur_entry is FW_CFG_INVALID, we are calculating the address of a non-existent element in s->entries[arch][...], which is undefined. This patch ensures the resulting entry pointer is set to NULL whenever s->cur_entry is FW_CFG_INVALID.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
Cc: Marc Marí <markmb@redhat.com>
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | fw_cfg: remove offset argument from callback prototype | Gabriel L. Somlo
Read callbacks are now only invoked at item selection, before any data is read. As such, the value of the offset argument passed to the callback will always be 0. Also, the two callback instances currently in use both leave their offset argument unused. This patch removes the offset argument from the fw_cfg read callback prototype, and from the currently available instances. The unused (write) callback prototype is also removed (write support was removed earlier, in commit 023e3148). Cc: Laszlo Ersek <lersek@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc Marí <markmb@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1446733972-1602-4-git-send-email-somlo@cmu.edu Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | fw_cfg: amend callback behavior spec to once per select | Gabriel L. Somlo
Currently, the fw_cfg internal API specifies that if an item was set up with a read callback, the callback must be run each time a byte is read from the item. This behavior is both wasteful (most items do not have a read callback set), and impractical for bulk transfers (e.g., DMA read). At the time of this writing, the only items configured with a callback are "/etc/table-loader", "/etc/acpi/tables", and "/etc/acpi/rsdp". They all share the same callback functions: virt_acpi_build_update() on ARM (in hw/arm/virt-acpi-build.c), and acpi_build_update() on i386 (in hw/i386/acpi.c). Both of these callbacks are one-shot (i.e. they return without doing anything at all after the first time they are invoked with a given build_state; since build_state is also shared across all three items mentioned above, the callback only ever runs *once*, the first time either of the listed items is read). This patch amends the specification for fw_cfg_add_file_callback() to state that any available read callback will only be invoked once each time the item is selected. This change has no practical effect on the current behavior of QEMU, and it enables us to significantly optimize the behavior of fw_cfg reads during guest firmware setup, eliminating a large amount of redundant callback checks and invocations. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc Marí <markmb@redhat.com> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1446733972-1602-3-git-send-email-somlo@cmu.edu Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | ehci: make idt processing more robust | Gerd Hoffmann
Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily run in circles forever if the guest builds a loop out of idts. This is CVE-2015-8558. Cc: qemu-stable@nongnu.org Reported-by: Qinghao Tang <luodalongde@gmail.com> Tested-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | usb-mtp: add support for basic mtp events | Bandan Das
When the host polls for events, we check our events qlist and send one event at a time. Also, note that the event packet needs to be sent in one go, so I increased the max packet size to 64. Tested with a linux guest. Signed-off-by: Bandan Das <bsd@redhat.com> Message-id: 1448314625-3855-5-git-send-email-bsd@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | usb-mtp: Add support for inotify based file monitoring | Bandan Das
For now, we use inotify watches to track only a small number of events, namely, add, delete and modify. Note that for delete, the kernel already deactivates the watch for us and we just need to take care of modifying our internal state. inotify is a linux only mechanism. Suggested-by: Gerd Hoffman <kraxel@redhat.com> Signed-off-by: Bandan Das <bsd@redhat.com> Message-id: 1448314625-3855-4-git-send-email-bsd@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | usb-mtp: free objects on a mtp reset | Bandan Das
On a reset, call usb_mtp_object_free on all objects and their children Signed-off-by: Bandan Das <bsd@redhat.com> Message-id: 1448314625-3855-3-git-send-email-bsd@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-15 | usb-mtp: use a list for keeping track of children | Bandan Das
To support adding/removal of objects, we will need to update the object cache hierarchy we have built internally. Convert to using a Qlist for easier management. Signed-off-by: Bandan Das <bsd@redhat.com> Message-id: 1448314625-3855-2-git-send-email-bsd@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-12-10 | virtio-9p-device: add minimal unrealize handler | Greg Kurz
Since commit 4652f1640e029e1f2433fa77ba6af285 "virtio-9p: add savevm handlers", if the user hot-unplugs a quiescent 9p device and live migrates, the source QEMU crashes before migration completion... This happens because virtio-9p devices have a realize handler which calls virtio_init() and register_savevm(). Both calls store pointers to the device internals, that get dereferenced during migration even if the device got unplugged. This patch simply adds an unrealize handler to perform minimal cleanup and avoid the crash. Hot unplug of non-quiescent 9p devices is still not supported in QEMU, and not supported by linux guests either.
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20151208155457.27775.69441.stgit@bahia.huguette.org
[PMM: rewrapped long lines in commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07 | sd: Mark brittle abuse of blk_attach_dev() FIXME | Markus Armbruster
blk_attach_dev() fails here only when we're working for device "sdhci-pci" (which already attached the backend), and then we don't want to attach a second time. If we ever create another failure mode, we're setting up ourselves to using the same backend from multiple frontends, which is likely to end in tears. Can't clean this up this close to the release, so mark it FIXME. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1449503710-3707-3-git-send-email-armbru@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07 | sdhci: Sanitize "sdhci-pci" properties for future qomification | Markus Armbruster
We currently fuse controller and card into a single device model, but we intend qomify things properly and separate the two. The properties that really belong to the card would then have to somehow pass-through to the card's properties. To avoid that complication, either mark them experimental or drop them. Properties "capareg", "maxcurr" and the usual PCI device properties belong to the controller. Property "drive" belongs to the card; rename it to "x-drive". Properties "logical_block_size", "physical_block_size", "min_io_size", "opt_io_size", "discard_granularity" belong to the card, but have no effect; drop them. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1449503710-3707-2-git-send-email-armbru@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07 | virtio-blk: Drop x-data-plane option | Fam Zheng
The official way of enabling dataplane is through the "iothread" property that references an iothread object created by "-object iothread". Since the old "x-data-plane=on" way now even crashes, it's probably easier to just drop it:

    $ qemu-system-x86_64 -drive file=null-co://,id=d0,if=none \
        -device virtio-blk-pci,drive=d0,x-data-plane=on
    ERROR:/home/fam/work/qemu/qom/object.c:1515: object_get_canonical_path_component: assertion failed: (obj->parent != NULL)
    Aborted

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1449485967-19240-1-git-send-email-famz@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07 | Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging | Peter Maydell
# gpg: Signature made Mon 07 Dec 2015 14:06:07 GMT using RSA key ID 398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
  lan9118: log and ignore access to invalid registers, rather than aborting
  lan9118: fix emulation of MAC address loaded bit in E2P_CMD register
  vmxnet3: silence warning
  pcnet: fix rx buffer overflow(CVE-2015-7512)
  net: pcnet: add check to validate receive data size(CVE-2015-7504)
  e1000: fix hang of win2k12 shutdown with flood ping
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07 | lan9118: log and ignore access to invalid registers, rather than aborting | Andrew Baumann
With this change, access to invalid/unimplemented device registers are logged as a "guest error" rather than aborting qemu with hw_error. This enables drivers for similar devices (e.g. SMSC 9221), by simply ignoring the unimplemented writes. It's also closer to what real hardware does. Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07 | lan9118: fix emulation of MAC address loaded bit in E2P_CMD register | Andrew Baumann
There appears to have been a longstanding typo in the implementation of the "MAC address loaded" bit in the E2P_CMD (EEPROM command) register. The code was using 0x10, but the controller spec says it should be bit 8 (0x100). Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07 | vmxnet3: silence warning | Michael S. Tsirkin
vmxnet3 always produces a warning under qtest. This is not a user error, don't warn. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07 | pcnet: fix rx buffer overflow(CVE-2015-7512) | Jason Wang
Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>