aboutsummaryrefslogtreecommitdiff
path: root/target
AgeCommit message (Collapse)Author
2020-04-29s390x: Add unpack facility feature to GA1Christian Borntraeger
The unpack facility is an indication that diagnose 308 subcodes 8-10 are available to the guest. That means, that the guest can put itself into protected mode. Once it is in protected mode, the hardware stops any attempt of VM introspection by the hypervisor. Some features are currently not supported in protected mode: * vfio devices * Migration * Huge page backings Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-17-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Handle SIGP store status correctlyJanosch Frank
For protected VMs status storing is not done by QEMU anymore. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-15-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Move IO control structures over SIDAJanosch Frank
For protected guests, we need to put the IO emulation results into the SIDA, so SIE will write them into the guest at the next entry. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-14-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Disable address checks for PV guest IO emulationJanosch Frank
IO instruction data is routed through SIDAD for protected guests, so adresses do not need to be checked, as this is kernel memory which is always available. Also the instruction data always starts at offset 0 of the SIDAD. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-13-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Move diag 308 data over SIDAJanosch Frank
For protected guests the IPIB is written/read to/from the SIDA, so we need those accesses to go through s390_cpu_pv_mem_read/write(). Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-12-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Set guest IPL PSWJanosch Frank
Handling of CPU reset and setting of the IPL psw from guest storage at offset 0 is done by a Ultravisor call. Let's only fetch it if necessary. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-11-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: SCLP interpretationJanosch Frank
SCLP for a protected guest is done over the SIDAD, so we need to use the s390_cpu_pv_mem_* functions to access the SIDAD instead of guest memory when reading/writing SCBs. To not confuse the sclp emulation, we set 0x4000 as the SCCB address, since the function that injects the sclp external interrupt would reject a zero sccb address. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Message-Id: <20200319131921.2367-10-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Move STSI data over SIDADJanosch Frank
For protected guests, we need to put the STSI emulation results into the SIDA, so SIE will write them into the guest at the next entry. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-9-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: Add SIDA memory opsJanosch Frank
Protected guests save the instruction control blocks in the SIDA instead of QEMU/KVM directly accessing the guest's memory. Let's introduce new functions to access the SIDA. The memops for doing so are available with KVM_CAP_S390_PROTECTED, so let's check for that. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-8-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: KVM intercept changesJanosch Frank
Protected VMs no longer intercept with code 4 for an instruction interception. Instead they have codes 104 and 108 for protected instruction interception and protected instruction notification respectively. The 104 mirrors the 4 interception. The 108 is a notification interception to let KVM and QEMU know that something changed and we need to update tracking information or perform specific tasks. It's currently taken for the following instructions: * spx (To inform about the changed prefix location) * sclp (On incorrect SCCB values, so we can inject a IRQ) * sigp (All but "stop and store status") * diag308 (Subcodes 0/1) Of these exits only sclp errors, state changing sigps and diag308 will reach QEMU. QEMU will do its parts of the job, while the ultravisor has done the instruction part of the job. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200319131921.2367-7-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29s390x: protvirt: Support unpack facilityJanosch Frank
The unpack facility provides the means to setup a protected guest. A protected guest cannot be introspected by the hypervisor or any user/administrator of the machine it is running on. Protected guests are encrypted at rest and need a special boot mechanism via diag308 subcode 8 and 10. Code 8 sets the PV specific IPLB which is retained separately from those set via code 5. Code 10 is used to unpack the VM into protected memory, verify its integrity and start it. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Co-developed-by: Christian Borntraeger <borntraeger@de.ibm.com> [Changes to machine] Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200323083606.24520-1-frankja@linux.ibm.com> [CH: fixed up KVM_PV_VM_ -> KVM_PV_] Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-29various: Remove suspicious '\' character outside of #define in C codePhilippe Mathieu-Daudé
Fixes the following coccinelle warnings: $ spatch --sp-file --verbose-parsing ... \ scripts/coccinelle/remove_local_err.cocci ... SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5213 SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5261 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:166 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:167 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:169 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:170 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:171 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:173 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5787 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5789 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5800 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5801 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5802 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5804 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5805 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5806 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:6329 SUSPICIOUS: a \ character appears outside of a #define at ./hw/sd/sdhci.c:1133 SUSPICIOUS: a \ character appears outside of a #define at ./hw/scsi/scsi-disk.c:3081 SUSPICIOUS: a \ character appears outside of a #define at ./hw/net/virtio-net.c:1529 SUSPICIOUS: a \ character appears outside of a #define at ./hw/riscv/sifive_u.c:468 SUSPICIOUS: a \ character appears outside of a #define at ./dump/dump.c:1895 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2209 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2215 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2221 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2222 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:173 Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200412223619.11284-2-f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Acked-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2020-04-28s390x: Move diagnose 308 subcodes and rcs into ipl.hJanosch Frank
They are part of the IPL process, so let's put them into the ipl header. Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Message-Id: <20200319131921.2367-2-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-04-22target/arm: Fix ID_MMFR4 value on AArch64 'max' CPUPeter Maydell
In commit 41a4bf1feab098da4cd the added code to set the CNP field in ID_MMFR4 for the AArch64 'max' CPU had a typo where it used the wrong variable name, resulting in ID_MMFR4 fields AC2, XNX and LSM being wrong. Fix the typo. Fixes: 41a4bf1feab098da4cd Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com> Message-id: 20200422124501.28015-1-peter.maydell@linaro.org
2020-04-20target/ppc: Fix TCG temporary leaks in gen_slbia()Philippe Mathieu-Daudé
This fixes: $ qemu-system-ppc64 \ -machine pseries-4.1 -cpu power9 \ -smp 4 -m 12G -accel tcg ... ... Quiescing Open Firmware ... Booting Linux via __start() @ 0x0000000002000000 ... Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries [*] https://www.mail-archive.com/qemu-discuss@nongnu.org/msg05400.html Fixes: 0418bf78fe8 ("Fix ISA v3.0 (POWER9) slbia implementation") Reported-by: Dennis Clarke <dclarke@blastwave.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Message-id: 20200417090749.14310-1-f4bug@amsat.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-17target/ppc: Fix mtmsr(d) L=1 variant that loses interruptsNicholas Piggin
If mtmsr L=1 sets MSR[EE] while there is a maskable exception pending, it does not cause an interrupt. This causes the test case to hang: https://lists.gnu.org/archive/html/qemu-ppc/2019-10/msg00826.html More recently, Linux reduced the occurance of operations (e.g., rfi) which stop translation and allow pending interrupts to be processed. This started causing hangs in Linux boot in long-running kernel tests, running with '-d int' shows the decrementer stops firing despite DEC wrapping and MSR[EE]=1. https://lists.ozlabs.org/pipermail/linuxppc-dev/2020-April/208301.html The cause is the broken mtmsr L=1 behaviour, which is contrary to the architecture. From Power ISA v3.0B, p.977, Move To Machine State Register, Programming Note states: If MSR[EE]=0 and an External, Decrementer, or Performance Monitor exception is pending, executing an mtmsrd instruction that sets MSR[EE] to 1 will cause the interrupt to occur before the next instruction is executed, if no higher priority exception exists Fix this by handling L=1 exactly the same way as L=0, modulo the MSR bits altered. The confusion arises from L=0 being "context synchronizing" whereas L=1 is "execution synchronizing", which is a weaker semantic. However this is not a relaxation of the requirement that these exceptions cause interrupts when MSR[EE]=1 (e.g., when mtmsr executes to completion as TCG is doing here), rather it specifies how a pipelined processor can have multiple instructions in flight where one may influence how another behaves. Cc: qemu-stable@nongnu.org Reported-by: Anton Blanchard <anton@ozlabs.org> Reported-by: Nathan Chancellor <natechancellor@gmail.com> Tested-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Message-Id: <20200414111131.465560-1-npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Tested-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-04-17target/ppc: Fix wrong interpretation of the disposition flag.Ganesh Goudar
Bitwise AND with kvm_run->flags to evaluate if we recovered from MCE or not is not correct, As disposition in kvm_run->flags is a two-bit integer value and not a bit map, So check for equality instead of bitwise AND. Without the fix qemu treats any unrecoverable mce error as recoverable and ends up in a mce loop inside the guest, Below are the MCE logs before and after the fix. Before fix: [ 66.775757] MCE: CPU0: Initiator CPU [ 66.775891] MCE: CPU0: Unknown [ 66.776587] MCE: CPU0: machine check (Harmless) Host UE Indeterminate [Recovered] [ 66.776857] MCE: CPU0: NIP: [c0080000000e00b8] mcetest_tlbie+0xb0/0x128 [mcetest_tlbie] After fix: [ 20.650577] CPU: 0 PID: 1415 Comm: insmod Tainted: G M O 5.6.0-fwnmi-arv+ #11 [ 20.650618] NIP: c0080000023a00e8 LR: c0080000023a00d8 CTR: c000000000021fe0 [ 20.650660] REGS: c0000001fffd3d70 TRAP: 0200 Tainted: G M O (5.6.0-fwnmi-arv+) [ 20.650708] MSR: 8000000002a0b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 42000222 XER: 20040000 [ 20.650758] CFAR: c00000000000b940 DAR: c0080000025e00e0 DSISR: 00000200 IRQMASK: 0 [ 20.650758] GPR00: c0080000023a00d8 c0000001fddd79a0 c0080000023a8500 0000000000000039 [ 20.650758] GPR04: 0000000000000001 0000000000000000 0000000000000000 0000000000000007 [ 20.650758] GPR08: 0000000000000007 c0080000025e00e0 0000000000000000 00000000000000f7 [ 20.650758] GPR12: 0000000000000000 c000000001900000 c00000000101f398 c0080000025c052f [ 20.650758] GPR16: 00000000000003a8 c0080000025c0000 c0000001fddd7d70 c0000000015b7940 [ 20.650758] GPR20: 000000000000fff1 c000000000f72c28 c0080000025a0988 0000000000000000 [ 20.650758] GPR24: 0000000000000100 c0080000023a05d0 c0000000001f1d70 0000000000000000 [ 20.650758] GPR28: c0000001fde20000 c0000001fd02b2e0 c0080000023a0000 c0080000025e0000 [ 20.651178] NIP [c0080000023a00e8] mcetest_tlbie+0xe8/0xf0 [mcetest_tlbie] [ 20.651220] LR [c0080000023a00d8] mcetest_tlbie+0xd8/0xf0 [mcetest_tlbie] [ 20.651262] Call Trace: [ 20.651280] [c0000001fddd79a0] [c0080000023a00d8] mcetest_tlbie+0xd8/0xf0 [mcetest_tlbie] (unreliable) [ 20.651340] [c0000001fddd7a10] [c00000000001091c] do_one_initcall+0x6c/0x2c0 [ 20.651390] [c0000001fddd7af0] [c0000000001f7998] do_init_module+0x90/0x298 [ 20.651433] [c0000001fddd7b80] [c0000000001f61a8] load_module+0x1f58/0x27a0 [ 20.651476] [c0000001fddd7d40] [c0000000001f6c70] __do_sys_finit_module+0xe0/0x100 [ 20.651526] [c0000001fddd7e20] [c00000000000b9d0] system_call+0x5c/0x68 [ 20.651567] Instruction dump: [ 20.651594] e8410018 3c620000 e8638020 480000cd e8410018 3c620000 e8638028 480000bd [ 20.651646] e8410018 7be904e4 39400000 612900e0 <7d434a64> 4bffff74 3c4c0001 38428410 [ 20.651699] ---[ end trace 4c40897f016b4340 ]--- [ 20.653310] Bus error [ 20.655575] MCE: CPU0: machine check (Harmless) Host UE Indeterminate [Not recovered] [ 20.655575] MCE: CPU0: NIP: [c0080000023a00e8] mcetest_tlbie+0xe8/0xf0 [mcetest_tlbie] [ 20.655576] MCE: CPU0: Initiator CPU [ 20.655576] MCE: CPU0: Unknown Signed-off-by: Ganesh Goudar <ganeshgr@linux.ibm.com> Message-Id: <20200408170944.16003-1-ganeshgr@linux.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-04-15gdbstub: Introduce gdb_get_float32() to get 32-bit float registersPhilippe Mathieu-Daudé
Since we now use a GByteArray, we can not use stfl_p() directly. Introduce the gdb_get_float32() helper to load a float32 register. Fixes: a010bdbe719 ("extend GByteArray to read register helpers") Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200414163853.12164-2-philmd@redhat.com> Message-Id: <20200414200631.12799-14-alex.bennee@linaro.org>
2020-04-15gdbstub: Do not use memset() on GByteArrayPhilippe Mathieu-Daudé
Introduce gdb_get_zeroes() to fill a GByteArray with zeroes. Fixes: a010bdbe719 ("extend GByteArray to read register helpers") Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200414102427.7459-1-philmd@redhat.com> [AJB: used slightly more gliby set_size approach] Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20200414200631.12799-13-alex.bennee@linaro.org>
2020-04-15gdbstub: i386: Fix gdb_get_reg16() parameter to unbreak gdbPeter Xu
We should only pass in gdb_get_reg16() with the GByteArray* object itself, no need to shift. Without this patch, gdb remote attach will crash QEMU: (gdb) target remote :1234 Remote debugging using :1234 Remote communication error. Target disconnected.: Connection reset by peer. $ qemu-system-x86_64 -m 1G -smp 4 ... -s ERROR:qemu/gdbstub.c:1843:handle_read_all_regs: assertion failed: (len == gdbserver_state.mem_buf->len) Bail out! ERROR:qemu/gdbstub.c:1843:handle_read_all_regs: assertion failed: (len == gdbserver_state.mem_buf->len) Fixes: a010bdbe719 ("extend GByteArray to read register helpers") Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200409164954.36902-3-peterx@redhat.com> Message-Id: <20200414200631.12799-12-alex.bennee@linaro.org>
2020-04-15target/m68k/helper: Fix m68k_fpu_gdb_get_reg() use of GByteArrayPhilippe Mathieu-Daudé
Since a010bdbe719 the gdbstub API takes a GByteArray*. Unfortunately we forgot to update the gdb_get_reg*() calls. Do it now. Fixes: a010bdbe719 ("extend GByteArray to read register helpers") Reported-by: Peter Xu <peterx@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200409172509.4078-1-philmd@redhat.com> Message-Id: <20200414200631.12799-11-alex.bennee@linaro.org>
2020-04-14Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
Bugfixes, and reworking of the atomics documentation. # gpg: Signature made Tue 14 Apr 2020 15:38:01 BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: hax: Windows doesn't like posix device names tests: numa: test one backend with prealloc enabled hostmem: set default prealloc_threads to valid value Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-14hax: Windows doesn't like posix device namesVolker Rümelin
Patch acb9f95a7c "i386: Fix GCC warning with snprintf when HAX is enabled" replaced Windows device names with posix device names. Revert this. Fixes: acb9f95a7c "i386: Fix GCC warning with snprintf when HAX is enabled" Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Message-Id: <20200322210211.29603-1-vr_qemu@t-online.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-04-09Merge remote-tracking branch 'remotes/rth/tags/pull-rx-20200408' into stagingPeter Maydell
Add fall through comment for Coverity. # gpg: Signature made Wed 08 Apr 2020 16:28:12 BST # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * remotes/rth/tags/pull-rx-20200408: target/rx/translate: Add missing fall through comment Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07target/rx/translate: Add missing fall through commentPhilippe Mathieu-Daudé
Coverity reported a missing fall through comment, add it. Fixes: e5918d7d7f0 ("target/rx: TCG translation") Reported-by: Coverity (CID 1422222 MISSING_BREAK) Suggested-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200403184419.28556-1-philmd@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-04-07target/xtensa: statically allocate xtensa_insnbufs in DisasContextMax Filippov
Rather than dynamically allocate, and risk failing to free when we longjmp out of the translator, allocate the maximum buffer size based on the maximum supported instruction length. Suggested-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Richard Henderson <richard.henderson@linaro.org>
2020-04-07target/xtensa: fix pasto in pfwait.r opcode nameMax Filippov
Core xtensa opcode table has pfwait.o instead of pfwait.r. Fix that. Fixes: c884400f2988 ("target/xtensa: implement block prefetch option opcodes") Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
2020-04-07Merge remote-tracking branch 'remotes/stsquad/tags/pull-misc-fixes-070420-1' ↵Peter Maydell
into staging Various fixes: - add .github repo lockdown config - better handle missing symbols in elf-ops - protect fcntl64 with #ifdef - remove unused macros from test - fix handling of /proc/self/maps - avoid BAD_SHIFT in x80 softfloat - properly terminate on .hex EOF - fix configure probe on windows cross build - fix %r12 guest_base initialization # gpg: Signature made Tue 07 Apr 2020 16:31:14 BST # gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44 # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full] # Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44 * remotes/stsquad/tags/pull-misc-fixes-070420-1: tcg/i386: Fix %r12 guest_base initialization configure: Add -Werror to PIE probe hw/core: properly terminate loading .hex on EOF record linux-user: clean-up padding on /proc/self/maps linux-user: factor out reading of /proc/self/maps softfloat: Fix BAD_SHIFT from normalizeFloatx80Subnormal gdbstub: fix compiler complaining target/xtensa: add FIXME for translation memory leak linux-user: more debug for init_guest_space tests/tcg: remove extraneous pasting macros linux-user: protect fcntl64 with an #ifdef elf-ops: bail out if we have no function symbols .github: Enable repo-lockdown bot to refuse GitHub pull requests Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07target/xtensa: add FIXME for translation memory leakAlex Bennée
Dynamically allocating a new structure within the DisasContext can potentially leak as we can longjmp out of the translation loop (see test_phys_mem). The proper fix would be to use static allocation within the DisasContext but as the Xtensa translator imports it's code from elsewhere I leave that as an exercise for the maintainer. Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Acked-by: Max Filippov <jcmvbkbc@gmail.com> Message-Id: <20200403191150.863-6-alex.bennee@linaro.org>
2020-04-07ppc/spapr: KVM FWNMI should not be enabled until guest requests itNicholas Piggin
The KVM FWNMI capability should be enabled with the "ibm,nmi-register" rtas call. Although MCEs from KVM will be delivered as architected interrupts to the guest before "ibm,nmi-register" is called, KVM has different behaviour depending on whether the guest has enabled FWNMI (it attempts to do more recovery on behalf of a non-FWNMI guest). Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Message-Id: <20200325142906.221248-2-npiggin@gmail.com> Reviewed-by: Greg Kurz <groug@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-04-03target/arm: Remove obsolete TODO note from get_phys_addr_lpae()Peter Maydell
An old comment in get_phys_addr_lpae() claims that the code does not support the different format TCR for VTCR_EL2. This used to be true but it is not true now (in particular the aa64_va_parameters() and aa32_va_parameters() functions correctly handle the different register format by checking whether the mmu_idx is Stage2). Remove the out of date parts of the comment. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200331143407.3186-1-peter.maydell@linaro.org
2020-04-03target/arm: PSTATE.PAN should not clear exec bitsPeter Maydell
Our implementation of the PSTATE.PAN bit incorrectly cleared all access permission bits for privileged access to memory which is user-accessible. It should only affect the privileged read and write permissions; execute permission is dealt with via XN/PXN instead. Fixes: 81636b70c226dc27d7ebc8d Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200330170651.20901-1-peter.maydell@linaro.org
2020-04-03target/arm: don't expose "ieee_half" via gdbstubAlex Bennée
While support for parsing ieee_half in the XML description was added to gdb in 2019 (a6d0f249) there is no easy way for the gdbstub to know if the gdb end will understand it. Disable it for now and allow older gdbs to successfully connect to the default -cpu max SVE enabled QEMUs. Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200402143913.24005-1-alex.bennee@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-03Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20200403' into stagingPeter Maydell
- fix cpu number reporting in the stsi 3.2.2 block for kvm - fix migration for old machines with odd ram sizes # gpg: Signature made Fri 03 Apr 2020 10:11:06 BST # gpg: using RSA key C3D0D66DC3624FF6A8C018CEDECF6B93C6F02FAF # gpg: issuer "cohuck@redhat.com" # gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [marginal] # gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full] # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full] # gpg: aka "Cornelia Huck <cohuck@kernel.org>" [marginal] # gpg: aka "Cornelia Huck <cohuck@redhat.com>" [marginal] # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF * remotes/cohuck/tags/s390x-20200403: vl/s390x: fixup ram sizes for compat machines s390x: kvm: Fix number of cpu reports for stsi 3.2.2 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-03Merge remote-tracking branch 'remotes/ehabkost/tags/x86-next-pull-request' ↵Peter Maydell
into staging x86 queue for -rc2 Fixes: * EPYC CPU model APIC ID topology fixes (Babu Moger) * Fix crash when enabling intel-pt on older machine types (Luwei Kang) * Add missing ARCH_CAPABILITIES bits to Icelake-Server CPU model (Xiaoyao Li) # gpg: Signature made Thu 02 Apr 2020 23:18:30 BST # gpg: using RSA key 5A322FD5ABC4D3DBACCFD1AA2807936F984DC5A6 # gpg: issuer "ehabkost@redhat.com" # gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" [full] # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6 * remotes/ehabkost/tags/x86-next-pull-request: target/i386: Add ARCH_CAPABILITIES related bits into Icelake-Server CPU model target/i386: set the CPUID level to 0x14 on old machine-type i386: Fix pkg_id offset for EPYC cpu models target/i386: Enable new apic id encoding for EPYC based cpus models hw/i386: Move arch_id decode inside x86_cpus_init i386: Introduce use_epyc_apic_id_encoding in X86CPUDefinition hw/i386: Introduce apicid functions inside X86MachineState target/i386: Cleanup and use the EPYC mode topology functions hw/386: Add EPYC mode topology decoding functions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-02target/i386: do not set unsupported VMX secondary execution controlsVitaly Kuznetsov
Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls") added a workaround for KVM pre-dating commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm KVM_GET_MSRS") which wasn't setting certain available controls. The workaround uses generic CPUID feature bits to set missing VMX controls. It was found that in some cases it is possible to observe hosts which have certain CPUID features but lack the corresponding VMX control. In particular, it was reported that Azure VMs have RDSEED but lack VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature bit result in QEMU abort. Resolve the issue but not applying the workaround when we don't have to. As there is no good way to find out if KVM has the fix itself, use 95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead as these [are supposed to] come together. Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls") Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Message-Id: <20200331162752.1209928-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-04-02i386: hvf: Reset IRQ inhibition after moving RIPRoman Bolshakov
The sequence of instructions exposes an issue: sti hlt Interrupts cannot be delivered to hvf after hlt instruction cpu because HF_INHIBIT_IRQ_MASK is set just before hlt is handled and never reset after moving instruction pointer beyond hlt. So, after hvf_vcpu_exec() returns, CPU thread gets locked up forever in qemu_wait_io_event() (cpu_thread_is_idle() evaluates inhibition flag and considers the CPU idle if the flag is set). Cc: Cameron Esfahani <dirty@apple.com> Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com> Message-Id: <20200328174411.51491-1-r.bolshakov@yadro.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-04-02s390x: kvm: Fix number of cpu reports for stsi 3.2.2Janosch Frank
The cpu number reporting is handled by KVM and QEMU only fills in the VM name, uuid and other values. Unfortunately KVM doesn't report reserved cpus and doesn't even know they exist until the are created via the ioctl. So let's fix up the cpu values after KVM has written its values to the 3.2.2 sysib. To be consistent, we use the same code to retrieve the cpu numbers as the STSI TCG code in target/s390x/misc_helper.c:HELPER(stsi). Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Message-Id: <20200331110123.3774-1-frankja@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2020-03-31target/i386: Add ARCH_CAPABILITIES related bits into Icelake-Server CPU modelXiaoyao Li
Current Icelake-Server CPU model lacks all the features enumerated by MSR_IA32_ARCH_CAPABILITIES. Add them, so that guest of "Icelake-Server" can see all of them. Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> Message-Id: <20200316095605.12318-1-xiaoyao.li@intel.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31target/i386: set the CPUID level to 0x14 on old machine-typeLuwei Kang
The CPUID level need to be set to 0x14 manually on old machine-type if Intel PT is enabled in guest. E.g. the CPUID[0].EAX(level)=7 and CPUID[7].EBX[25](intel-pt)=1 when the Qemu with "-machine pc-i440fx-3.1 -cpu qemu64,+intel-pt" parameter. Some Intel PT capabilities are exposed by leaf 0x14 and the missing capabilities will cause some MSRs access failed. This patch add a warning message to inform the user to extend the CPUID level. Suggested-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Luwei Kang <luwei.kang@intel.com> Message-Id: <1584031686-16444-1-git-send-email-luwei.kang@intel.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31i386: Fix pkg_id offset for EPYC cpu modelsBabu Moger
If the system is numa configured the pkg_offset needs to be adjusted for EPYC cpu models. Fix it calling the model specific handler. Signed-off-by: Babu Moger <babu.moger@amd.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <158396725589.58170.16424607815207074485.stgit@naples-babu.amd.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31target/i386: Enable new apic id encoding for EPYC based cpus modelsBabu Moger
The APIC ID is decoded based on the sequence sockets->dies->cores->threads. This works fine for most standard AMD and other vendors' configurations, but this decoding sequence does not follow that of AMD's APIC ID enumeration strictly. In some cases this can cause CPU topology inconsistency. When booting a guest VM, the kernel tries to validate the topology, and finds it inconsistent with the enumeration of EPYC cpu models. The more details are in the bug https://bugzilla.redhat.com/show_bug.cgi?id=1728166. To fix the problem we need to build the topology as per the Processor Programming Reference (PPR) for AMD Family 17h Model 01h, Revision B1 Processors. The documentation is available from the bugzilla Link below. Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 It is also available at https://www.amd.com/system/files/TechDocs/55570-B1_PUB.zip Here is the text from the PPR. Operating systems are expected to use Core::X86::Cpuid::SizeId[ApicIdSize], the number of least significant bits in the Initial APIC ID that indicate core ID within a processor, in constructing per-core CPUID masks. Core::X86::Cpuid::SizeId[ApicIdSize] determines the maximum number of cores (MNC) that the processor could theoretically support, not the actual number of cores that are actually implemented or enabled on the processor, as indicated by Core::X86::Cpuid::SizeId[NC]. Each Core::X86::Apic::ApicId[ApicId] register is preset as follows: • ApicId[6] = Socket ID. • ApicId[5:4] = Node ID. • ApicId[3] = Logical CCX L3 complex ID • ApicId[2:0]= (SMT) ? {LogicalCoreID[1:0],ThreadId} : {1'b0,LogicalCoreID[1:0]} The new apic id encoding is enabled for EPYC and EPYC-Rome models. Signed-off-by: Babu Moger <babu.moger@amd.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <158396724913.58170.3539083528095710811.stgit@naples-babu.amd.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31i386: Introduce use_epyc_apic_id_encoding in X86CPUDefinitionBabu Moger
Add a boolean variable use_epyc_apic_id_encoding in X86CPUDefinition. This will be set if this cpu model needs to use new EPYC based apic id encoding. Override the handlers with EPYC based handlers if use_epyc_apic_id_encoding is set. This will be done in x86_cpus_init. Signed-off-by: Babu Moger <babu.moger@amd.com> Message-Id: <158396723514.58170.14825482171652019765.stgit@naples-babu.amd.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31target/i386: Cleanup and use the EPYC mode topology functionsBabu Moger
Use the new functions from topology.h and delete the unused code. Given the sockets, nodes, cores and threads, the new functions generate apic id for EPYC mode. Removes all the hardcoded values. Signed-off-by: Babu Moger <babu.moger@amd.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <158396722151.58170.8031705769621392927.stgit@naples-babu.amd.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200330' into stagingPeter Maydell
Improve PIE and other linkage Fix for decodetree vs Python3 floor division operator Fix i386 INDEX_op_dup2_vec expansion Fix loongson multimedia condition instructions # gpg: Signature made Tue 31 Mar 2020 04:50:15 BST # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * remotes/rth/tags/pull-tcg-20200330: decodetree: Use Python3 floor division operator tcg/i386: Fix INDEX_op_dup2_vec target/mips: Fix loongson multimedia condition instructions configure: Support -static-pie if requested configure: Override the os default with --disable-pie configure: Unnest detection of -z,relro and -z,now configure: Always detect -no-pie toolchain support configure: Do not force pie=no for non-x86 tcg: Remove softmmu code_gen_buffer fixed address configure: Drop adjustment of textseg Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30target/arm: fix incorrect current EL bug in aarch32 exception emulationChangbin Du
The arm_current_el() should be invoked after mode switching. Otherwise, we get a wrong current EL value, since current EL is also determined by current mode. Fixes: 4a2696c0d4 ("target/arm: Set PAN bit as required on exception entry") Signed-off-by: Changbin Du <changbin.du@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200328140232.17278-1-changbin.du@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-28target/mips: Fix loongson multimedia condition instructionsJiaxun Yang
Loongson multimedia condition instructions were previously implemented as write 0 to rd due to lack of documentation. So I just confirmed with Loongson about their encoding and implemented them correctly. Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com> Acked-by: Huacai Chen <chenhc@lemote.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> Message-Id: <20200324122212.11156-1-jiaxun.yang@flygoat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-03-26linux-user/i386: Emulate x86_64 vsyscallsRichard Henderson
Notice the magic page during translate, much like we already do for the arm32 commpage. At runtime, raise an exception to return cpu_loop for emulation. Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200213032223.14643-4-richard.henderson@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2020-03-26target/i386: Renumber EXCP_SYSCALLRichard Henderson
We are not short of numbers for EXCP_*. There is no need to confuse things by having EXCP_VMEXIT and EXCP_SYSCALL overlap, even though the former is only used for system mode and the latter is only used for user mode. Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200213032223.14643-2-richard.henderson@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2020-03-24hw/ppc: Take QEMU lock when calling ppc_dcr_read/write()Peter Maydell
The ppc_dcr_read() and ppc_dcr_write() functions call into callbacks in device code, so we need to hold the QEMU iothread lock while calling them. This is the case already for the callsites in kvmppc_handle_dcr_read/write(), but we must also take the lock when calling the helpers from TCG. This fixes a bug where attempting to initialise the PPC405EP SDRAM will cause an assertion when sdram_map_bcr() attempts to remap memory regions. Reported-by: Amit Lazar <abasarlaz@hotmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20200322192258.14039-1-peter.maydell@linaro.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>