aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2016-02-08balloon: Improve use of qapi visitorEric Blake
Rework the control flow of balloon_stats_get_all() to make it easier for a later patch to split visit_end_struct(). Also switch to the uint64 visitor to match the data type. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-10-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-02-08Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pc and misc cleanups and fixes, virtio optimizations Included here: Refactoring and bugfix patches in PC/ACPI. New commands for ipmi. Virtio optimizations. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Sat 06 Feb 2016 18:44:26 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: (45 commits) net: set endianness on all backend devices fix MSI injection on Xen intel_iommu: large page support dimm: Correct type of MemoryHotplugState->base pc: set the OEM fields in the RSDT and the FADT from the SLIC acpi: add function to extract oem_id and oem_table_id from the user's SLIC acpi: expose oem_id and oem_table_id in build_rsdt() acpi: take oem_id in build_header(), optionally pc: Eliminate PcGuestInfo struct pc: Move APIC and NUMA data from PcGuestInfo to PCMachineState pc: Move PcGuestInfo.fw_cfg to PCMachineState pc: Remove PcGuestInfo.isapc_ram_fw field pc: Remove RAM size fields from PcGuestInfo pc: Remove compat fields from PcGuestInfo acpi: Don't save PcGuestInfo on AcpiBuildState acpi: Remove guest_info parameters from functions pc: Simplify xen_load_linux() signature pc: Simplify pc_memory_init() signature pc: Eliminate struct PcGuestInfoState pc: Move PcGuestInfo declaration to top of file ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-06net: set endianness on all backend devicesLaurent Vivier
commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991 vhost-net: tell tap backend about the vnet endianness makes vhost net to set the endianness of the device, but only for the first device. In case of multiqueue, we have multiple devices... This patch sets the endianness for all the devices of the interface. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Jason Wang <jasowang@redhat.com>
2016-02-06fix MSI injection on XenStefano Stabellini
On Xen MSIs can be remapped into pirqs, which are a type of event channels. It's mostly for the benefit of PCI passthrough devices, to avoid the overhead of interacting with the emulated lapic. However remapping interrupts and MSIs is also supported for emulated devices, such as the e1000 and virtio-net. When an interrupt or an MSI is remapped into a pirq, masking and unmasking is done by masking and unmasking the event channel. The masking bit on the PCI config space or MSI-X table should be ignored, but it isn't at the moment. As a consequence emulated devices which use MSI or MSI-X, such as virtio-net, don't work properly (the guest doesn't receive any notifications). The mechanism was working properly when xen_apic was introduced, but I haven't narrowed down which commit in particular is causing the regression. Fix the issue by ignoring the masking bit for MSI and MSI-X which have been remapped into pirqs. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06intel_iommu: large page supportJason Wang
Current intel_iommu only supports 4K page which may not be sufficient to cover guest working set. This patch tries to enable 2M and 1G mapping for intel_iommu. This is also useful for future device IOTLB implementation to have a better hit rate. Major work is adding a page mask field on IOTLB entry to make it support large page. And also use the slpte level as key to do IOTLB lookup. MAMV was increased to 18 to support direct invalidation for 1G mapping. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06pc: set the OEM fields in the RSDT and the FADT from the SLICLaszlo Ersek
The Microsoft spec about the SLIC and MSDM ACPI tables at <http://go.microsoft.com/fwlink/p/?LinkId=234834> requires the OEM ID and OEM Table ID fields to be consistent between the SLIC and the RSDT/XSDT. That further affects the FADT, because a similar match between the FADT and the RSDT/XSDT is required by the ACPI spec in general. This patch wires up the previous three patches. Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS) Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS) Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86) Cc: Richard W.M. Jones <rjones@redhat.com> Cc: Aleksei Kovura <alex3kov@zoho.com> Cc: Michael Tokarev <mjt@tls.msk.ru> Cc: Steven Newbury <steve@snewbury.org.uk> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758 LP: https://bugs.launchpad.net/qemu/+bug/1533848 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Steven Newbury <steve@snewbury.org.uk>
2016-02-06acpi: add function to extract oem_id and oem_table_id from the user's SLICLaszlo Ersek
The acpi_get_slic_oem() function stores pointers to these fields in the (first) SLIC table that the user passes in with the -acpitable switch. Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS) Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS) Cc: Richard W.M. Jones <rjones@redhat.com> Cc: Aleksei Kovura <alex3kov@zoho.com> Cc: Michael Tokarev <mjt@tls.msk.ru> Cc: Steven Newbury <steve@snewbury.org.uk> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758 LP: https://bugs.launchpad.net/qemu/+bug/1533848 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Steven Newbury <steve@snewbury.org.uk>
2016-02-06acpi: expose oem_id and oem_table_id in build_rsdt()Laszlo Ersek
Since build_rsdt() is implemented as common utility code (in "hw/acpi/aml-build.c"), it should expose -- and forward -- the oem_id and oem_table_id parameters between board code and the generic build_header() function. Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS) Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS) Cc: Shannon Zhao <zhaoshenglong@huawei.com> (maintainer:ARM ACPI Subsystem) Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86) Cc: Richard W.M. Jones <rjones@redhat.com> Cc: Aleksei Kovura <alex3kov@zoho.com> Cc: Michael Tokarev <mjt@tls.msk.ru> Cc: Steven Newbury <steve@snewbury.org.uk> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758 LP: https://bugs.launchpad.net/qemu/+bug/1533848 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
2016-02-06acpi: take oem_id in build_header(), optionallyLaszlo Ersek
This patch is the continuation of commit 8870ca0e94f2 ("acpi: support specified oem table id for build_header"). It will allow us to control the OEM ID field too in the SDT header. Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS) Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS) Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com> (maintainer:NVDIMM) Cc: Shannon Zhao <zhaoshenglong@huawei.com> (maintainer:ARM ACPI Subsystem) Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86) Cc: Richard W.M. Jones <rjones@redhat.com> Cc: Aleksei Kovura <alex3kov@zoho.com> Cc: Michael Tokarev <mjt@tls.msk.ru> Cc: Steven Newbury <steve@snewbury.org.uk> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758 LP: https://bugs.launchpad.net/qemu/+bug/1533848 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
2016-02-06pc: Eliminate PcGuestInfo structEduardo Habkost
The struct is not used for anything, now. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06pc: Move APIC and NUMA data from PcGuestInfo to PCMachineStateEduardo Habkost
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Move PcGuestInfo.fw_cfg to PCMachineStateEduardo Habkost
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Remove PcGuestInfo.isapc_ram_fw fieldEduardo Habkost
The code can use the PCMachineClass.pci_enabled field directly. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Remove RAM size fields from PcGuestInfoEduardo Habkost
The ACPI code can use the PCMachineState fields directly. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Remove compat fields from PcGuestInfoEduardo Habkost
Remove the fields: legacy_acpi_table_size, has_acpi_build, has_reserved_memory, and rsdp_in_ram from PcGuestInfo, and let the existing code use the PCMachineClass fields directly. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06acpi: Don't save PcGuestInfo on AcpiBuildStateEduardo Habkost
We don't need to save the pointer on AcpiBuildState, as it is not used anymore. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06acpi: Remove guest_info parameters from functionsEduardo Habkost
We can use PC_MACHINE(qdev_get_machine())->acpi_guest_info to get guest_info. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06pc: Simplify xen_load_linux() signatureEduardo Habkost
We can get the PcGuestInfo struct directly from PCMachineState, and the return value is not needed at all. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Simplify pc_memory_init() signatureEduardo Habkost
We can get the PcGuestInfo struct directly from PCMachineState, and the return value is not needed at all. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06pc: Eliminate struct PcGuestInfoStateEduardo Habkost
Instead of allocating a new struct just for PcGuestInfo and the mchine_done Notifier, place them inside PCMachineState. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
2016-02-06ipmi: add ACPI power and GUID commandsCédric Le Goater
>From the specs (20.8 Get Device GUID Command), the command needs to return a GUID (Globally Unique ID), or UUID, that should never change over the lifetime of the device. qemu_uuid looked like a good candidate to start with but we could use a specific BMC property also if needed. Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Acked-by: Corey Minyard <cminyard@mvista.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: add GET_SYS_RESTART_CAUSE chassis commandCédric Le Goater
This is a simulator. Just return an unknown cause (0). Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Acked-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: add get and set SENSOR_TYPE commandsCédric Le Goater
Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Acked-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: introduce a struct ipmi_sdr_compactCédric Le Goater
Currently, sdr attributes are identified using byte offsets and this can be a bit confusing. This patch adds a struct ipmi_sdr_compact conforming to the IPMI specs and replaces byte offsets with names. It also introduces and uses a struct ipmi_sdr_header in sections of the code where no assumption is made on the type of SDR. This leave rooms to potential usage of other types in the future. Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: fix SDR length valueCédric Le Goater
The IPMI BMC simulator populates the SDR table with a set of initial SDRs. The length of each SDR is taken from the record itself (byte 4) which does not include the size of the header. But, the full length (header + data) is required by the sdr_add_entry() routine. Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: cleanup error_report messagesCédric Le Goater
Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Cc: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: replace *_MAXCMD definesCédric Le Goater
ARRAY_SIZE() is simple to use and removes the need to pre-define the size of the command arrays. Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06ipmi: replace goto by a return statementCédric Le Goater
Each routine using the IPMI_ADD_RSP_DATA, IPMI_CHECK_CMD_LEN or IPMI_CHECK_RESERVATION macros needs to define a goto label 'out' to handle hidden errors. Using directly a return statement has the same effect and it removes the fact that 'out' needs to be defined. The code exits in ipmi_sim_handle_command() are a little different from the rest and a "possible" error in the macro IPMI_ADD_RSP_DATA is handled before making use of it. This might be a bit excessive as a minimum response len is currently 300 bytes and the patch checks that at least 3 are available. Signed-off-by: Cédric Le Goater <clg@fr.ibm.com> Reviewed-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Corey Minyard <cminyard@mvista.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06hw/pci: ensure that only PCI/PCIe bridges can be attached to pxb/pxb-pcie ↵Marcel Apfelbaum
devices PCI devices can't be plugged directly into PCI extra root bridges because their resources can't be computed by firmware before the ACPI tables are loaded. Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06hw/pxb: add pxb devices to the bridge categoryMarcel Apfelbaum
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: combine write of an entry into used ringVincenzo Maffione
Fill in an element of the used ring with a single combined access to the guest physical memory, rather than using two separated accesses. This reduces the overhead due to expensive address translation. Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com> Message-Id: <e4a89a767a4a92cbb6bcc551e151487eb36e1722.1450218353.git.v.maffione@gmail.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: read avail_idx from VQ only when necessaryVincenzo Maffione
The virtqueue_pop() implementation needs to check if the avail ring contains some pending buffers. To perform this check, it is not always necessary to fetch the avail_idx in the VQ memory, which is expensive. This patch introduces a shadow variable tracking avail_idx and modifies virtio_queue_empty() to access avail_idx in physical memory only when necessary. Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com> Message-Id: <b617d6459902773d9f4ab843bfaca764f5af8eda.1450218353.git.v.maffione@gmail.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: cache used_idx in a VirtQueue fieldVincenzo Maffione
Accessing used_idx in the VQ requires an expensive access to guest physical memory. Before this patch, 3 accesses are normally done for each pop/push/notify call. However, since the used_idx is only written by us, we can track it in our internal data structure. Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com> Message-Id: <3d062ec54e9a7bf9fb325c1fd693564951f2b319.1450218353.git.v.maffione@gmail.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: combine the read of a descriptorPaolo Bonzini
Compared to vring, virtio has a performance penalty of 10%. Fix it by combining all the reads for a descriptor in a single address_space_read call. This also simplifies the code nicely. Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06vring: slim down allocation of VirtQueueElementsPaolo Bonzini
Build the addresses and s/g lists on the stack, and then copy them to a VirtQueueElement that is just as big as required to contain this particular s/g list. The cost of the copy is minimal compared to that of a large malloc. Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: slim down allocation of VirtQueueElementsPaolo Bonzini
Build the addresses and s/g lists on the stack, and then copy them to a VirtQueueElement that is just as big as required to contain this particular s/g list. The cost of the copy is minimal compared to that of a large malloc. When virtqueue_map is used on the destination side of migration or on loadvm, the iovecs have already been split at memory region boundary, so we can just reuse the out_num/in_num we find in the file. Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: introduce virtqueue_alloc_elementPaolo Bonzini
Allocate the arrays for in_addr/out_addr/in_sg/out_sg outside the VirtQueueElement. For now, virtqueue_pop and vring_pop keep allocating a very large VirtQueueElement. Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: introduce qemu_get/put_virtqueue_elementPaolo Bonzini
Move allocation to virtio functions also when loading/saving a VirtQueueElement. This will also let the load/save functions keep backwards compatibility when the VirtQueueElement layout is changed. Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-06virtio: move allocation to virtqueue_pop/vring_popPaolo Bonzini
The return code of virtqueue_pop/vring_pop is unused except to check for errors or 0. We can thus easily move allocation inside the functions and just return a pointer to the VirtQueueElement. The advantage is that we will be able to allocate only the space that is needed for the actual size of the s/g list instead of the full VIRTQUEUE_MAX_SIZE items. Currently VirtQueueElement takes about 48K of memory, and this kind of allocation puts a lot of stress on malloc. By cutting the size by two or three orders of magnitude, malloc can use much more efficient algorithms. The patch is pretty large, but changes to each device are testable more or less independently. Splitting it would mostly add churn. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-02-04virtio: move VirtQueueElement at the beginning of the structsPaolo Bonzini
The next patch will make virtqueue_pop/vring_pop allocate memory for the VirtQueueElement. In some cases (blk, scsi, gpu) the device wants to extend VirtQueueElement with device-specific fields and, until now, the place of the VirtQueueElement within the containing struct didn't matter. When allocating the entire block in virtqueue_pop/vring_pop, however, the containing struct must basically be a "subclass" of VirtQueueElement, with the VirtQueueElement as the first field. Make that the case for blk and scsi; gpu is already doing it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-02-04pc: acpi: merge SSDT into DSDTIgor Mammedov
Since both tables are built dynamically now, there is no point in keeping ASL in them in separate tables. So do the same as we do for ARM where we have only DSDT table, i.e. move SSDT ASL into DSDT and drop SSDT altogether. This patch doesn't change moved SSDT ASL in any way, but it opens a way to relatively independently simplify generated ASL on per device/subsystem basis in followup series. It also simplifies bios-tables-test where expected SSDT blobs could be dropped and only DSDT ones have to be maintained. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-02-04Fix virtio migrationDr. David Alan Gilbert
I misunderstood the vmstate macro definition when I reworked the virtio .get/.put. The VMSTATE_STRUCT_VARRAY_KNOWN, was described as being for "a variable length array (i.e. _type *_field) but we know the length". However it actually specified operation for arrays embedded in the struct (i.e. _type _field[]) since it lacked the VMS_POINTER flag. This caused offset calculation to be completely off, examining and potentially sending random data instead of the VirtQueue content. Replace the otherwise unused VMSTATE_STRUCT_VARRAY_KNOWN with a VMSTATE_STRUCT_VARRAY_POINTER_KNOWN that includes the VMS_POINTER flag (so now actually doing what it advertises) and use it in the virtio migration code. Fixes and description as per Sascha's suggestions/debug. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reported-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Tested-By: Sascha Silbe <silbe@linux.vnet.ibm.com> Reviewed-By: Sascha Silbe <silbe@linux.vnet.ibm.com> Fixes: 50e5ae4dc3e4f21e874512f9e87b93b5472d26e0 Fixes: 2cf0148674430b6693c60d42b7eef721bfa9509f Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-02-04Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Thu 04 Feb 2016 08:26:24 GMT using RSA key ID 398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: net/filter: Fix the output information for command 'info network' net: always walk through filters in reverse if traffic is egress net: netmap: use nm_open() to open netmap ports e1000: eliminate infinite loops on out-of-bounds transfer start slirp: Adding family argument to tcp_fconnect() slirp: Make udp_attach IPv6 compatible slirp: Add sockaddr_equal, make solookup family-agnostic slirp: Factorizing and cleaning solookup() slirp: Factorizing address translation slirp: Make Socket structure IPv6 compatible slirp: Adding address family switch for produced frames slirp: Generalizing and neutralizing ARP code slirp: goto bad in udp_input if sosendto fails cadence_gem: fix buffer overflow net: cadence_gem: check packet size in gem_recieve qemu-doc: Do not promote deprecated -smb and -redir options net/slirp: Tell the users when they are using deprecated options Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into stagingPeter Maydell
# gpg: Signature made Wed 03 Feb 2016 20:29:54 GMT using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" * remotes/jnsnow/tags/ide-pull-request: dma: remove now useless DMA_* functions sb16: use IsaDma interface instead of global DMA_* functions gus: use IsaDma interface instead of global DMA_* functions cs4231a: use IsaDma interface instead of global DMA_* functions fdc: use IsaDma interface instead of global DMA_* functions sparc64: disable floppy DMA sparc: disable floppy DMA magnum: disable floppy DMA for now i8257: implement the IsaDma interface isa: add an ISA DMA interface, and store it within the ISA bus i8257: move state definition to new independent header i8257: QOM'ify i8257: add missing const i8257: make the DMA running method per controller i8257: rename functions to start with i8257_ prefix i8257: rename struct dma_regs to I8257Regs i8257: rename struct dma_cont to I8257State i8257: pass ISA bus to DMA_init() function i82374: device only existed as ISA device, so simplify device fdc: fix detection under Linux Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04Merge remote-tracking branch ↵Peter Maydell
'remotes/pmaydell/tags/pull-target-arm-20160203' into staging target-arm queue: * virt-acpi-build: add always-on property for timer * various fixes for EL2 and EL3 behaviour * arm: virt-acpi: each MADT.GICC entry as enabled unconditionally * target-arm: Don't report presence of EL2 if it doesn't exist * raspi: add raspberry pi 2 machine # gpg: Signature made Wed 03 Feb 2016 18:58:02 GMT using RSA key ID 14360CDE # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" # gpg: aka "Peter Maydell <pmaydell@gmail.com>" # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" * remotes/pmaydell/tags/pull-target-arm-20160203: raspi: add raspberry pi 2 machine arm/boot: move highbank secure board setup code to common routine bcm2836: add bcm2836 SoC device bcm2836_control: add bcm2836 ARM control logic bcm2835_peripherals: add rollup device for bcm2835 peripherals bcm2835_ic: add bcm2835 interrupt controller bcm2835_property: add bcm2835 property channel bcm2835_mbox: add BCM2835 mailboxes target-arm: Don't report presence of EL2 if it doesn't exist libvixl: Avoid std::abs() of 64-bit type arm: virt-acpi: each MADT.GICC entry as enabled unconditionally target-arm: Implement the S2 MMU inputsize > pamax check target-arm: Rename check_s2_startlevel to check_s2_mmu_setup target-arm: Apply S2 MMU startlevel table size check to AArch64 hw/arm: Setup EL1 and EL2 in AArch64 mode for 64bit Linux boots target-arm: Make various system registers visible to EL3 virt-acpi-build: add always-on property for timer Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-04e1000: eliminate infinite loops on out-of-bounds transfer startLaszlo Ersek
The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares: - the TDLEN and RDLEN registers store the total size of the descriptor area, - while the TDH and RDH registers store the offset (in whole tx / rx descriptors) into the area where the transfer is supposed to start. Each time a descriptor is processed, the TDH and RDH register is bumped (as appropriate for the transfer direction). QEMU already contains logic to deal with bogus transfers submitted by the guest: - Normally, the transmit case wants to increase TDH from its initial value to TDT. (TDT is allowed to be numerically smaller than the initial TDH value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe that QEMU currently has here is a check against reaching the original TDH value again -- a complete wraparound, which should never happen. - In the receive case RDH is increased from its initial value until "total_size" bytes have been received; preferably in a single step, or in "s->rxbuf_size" byte steps, if the latter is smaller. However, null RX descriptors are skipped without receiving data, while RDH is incremented just the same. QEMU tries to prevent an infinite loop (processing only null RX descriptors) by detecting whether RDH assumes its original value during the loop. (Again, wrapping from RDLEN to 0 is normal.) What both directions miss is that the guest could program TDLEN and RDLEN so low, and the initial TDH and RDH so high, that these registers will immediately be truncated to zero, and then never reassume their initial values in the loop -- a full wraparound will never occur. The condition that expresses this is: xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) i.e., TDH or RDH start out after the last whole rx or tx descriptor that fits into the TDLEN or RDLEN sized area. This condition could be checked before we enter the loops, but pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for bogus DMA addresses, so we just extend the existing failsafes with the above condition. This is CVE-2016-1981. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Prasad Pandit <ppandit@redhat.com> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04cadence_gem: fix buffer overflowMichael S. Tsirkin
gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04net: cadence_gem: check packet size in gem_recievePrasad J Pandit
While receiving packets in 'gem_receive' routine, if Frame Check Sequence(FCS) is enabled, it copies the packet into a local buffer without checking its size. Add check to validate packet length against the buffer size to avoid buffer overflow. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-03Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' ↵Peter Maydell
into staging # gpg: Signature made Wed 03 Feb 2016 15:47:34 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/tracing-pull-request: log: add "-d trace:PATTERN" trace: switch default backend to "log" trace: convert stderr backend to log log: move qemu-log.c into util/ directory log: do not unnecessarily include qom/cpu.h trace: add "-trace help" trace: add "-trace enable=..." trace: no need to call trace_backend_init in different branches now trace: split trace_init_file out of trace_init_backends trace: split trace_init_events out of trace_init_backends trace: fix documentation trace: track enabled events in a separate array trace: count number of enabled events Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-03dma: remove now useless DMA_* functionsHervé Poussineau
Keep only DMA_init function as a wrapper around DMA controllers creation. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Message-id: 1453843944-26833-20-git-send-email-hpoussin@reactos.org Signed-off-by: John Snow <jsnow@redhat.com>