Alex Bennée [Fri, 5 Jun 2020 15:49:29 +0000 (16:49 +0100)]
linux-user: detect overflow of MAP_FIXED mmap
Relaxing the restrictions on 64 bit guests leads to the user being
able to attempt to map right at the edge of addressable memory. This
in turn lead to address overflow tripping the assert in page_set_flags
when the end address wrapped around.
Detect the wrap earlier and correctly -ENOMEM the guest (in the
reported case LTP mmap15).
Alex Bennée [Fri, 5 Jun 2020 15:49:28 +0000 (16:49 +0100)]
tests/tcg: add simple commpage test case
The COMMPAGE are a number of kernel provided user-space routines for
32 bit ARM systems. Add a basic series of smoke tests to ensure it is
working as it should.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20200605154929.26910-14-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:27 +0000 (16:49 +0100)]
linux-user: deal with address wrap for ARM_COMMPAGE on 32 bit
We rely on the pointer to wrap when accessing the high address of the
COMMPAGE so it lands somewhere reasonable. However on 32 bit hosts we
cannot afford just to map the entire 4gb address range. The old mmap
trial and error code handled this by just checking we could map both
the guest_base and the computed COMMPAGE address.
We can't just manipulate loadaddr to get what we want so we introduce
an offset which pgb_find_hole can apply when looking for a gap for
guest_base that ensures there is space left to map the COMMPAGE
afterwards.
This is arguably a little inefficient for the one 32 bit
value (kuser_helper_version) we need to keep there given all the
actual code entries are picked up during the translation phase.
Fixes: ee94743034b
Bug: https://bugs.launchpad.net/qemu/+bug/1880225 Cc: Bug 1880225 <1880225@bugs.launchpad.net> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> Cc: Richard Henderson <richard.henderson@linaro.org> Cc: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200605154929.26910-13-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:26 +0000 (16:49 +0100)]
linux-user: provide fallback pgd_find_hole for bare chroots
When running QEMU out of a chroot environment we may not have access
to /proc/self/maps. As there is no other "official" way to introspect
our memory map we need to fall back to the original technique of
repeatedly trying to mmap an address range until we find one that
works.
Fortunately it's not quite as ugly as the original code given we
already re-factored the complications of dealing with the
ARM_COMMPAGE. We do make an attempt to skip over brk() which is about
the only concrete piece of information we have about the address map
at this moment.
Fixes: ee9474303 Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20200605154929.26910-12-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:25 +0000 (16:49 +0100)]
hw/virtio/vhost: re-factor vhost-section and allow DIRTY_MEMORY_CODE
The purpose of vhost_section is to identify RAM regions that need to
be made available to a vhost client. However when running under TCG
all RAM sections have DIRTY_MEMORY_CODE set which leads to problems
down the line.
Re-factor the code so:
- steps are clearer to follow
- reason for rejection is recorded in the trace point
- we allow DIRTY_MEMORY_CODE
We expand the comment to explain that kernel based vhost has specific
support for migration tracking.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Fabiano Rosas <farosas@linux.ibm.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20200605154929.26910-11-alex.bennee@linaro.org>
Paolo Bonzini [Fri, 5 Jun 2020 15:49:24 +0000 (16:49 +0100)]
docker: update Ubuntu to 20.04
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20200604231716.11354-1-pbonzini@redhat.com>
Message-Id: <20200605154929.26910-10-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:21 +0000 (16:49 +0100)]
.shippable: temporaily disable some cross builds
These currently fail due to Debian bug #960271 as the
linux-libc-library has a user-space build breaking symbol in it.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200605154929.26910-7-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:20 +0000 (16:49 +0100)]
.travis.yml: allow failure for unreliable hosts
They will still run but they won't get in the way of the result.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200605154929.26910-6-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:19 +0000 (16:49 +0100)]
exec: flush the whole TLB if a watchpoint crosses a page boundary
There is no particular reason why you can't have a watchpoint in TCG
that covers a large chunk of the address space. We could be clever
about it but these cases are pretty rare and we can assume the user
will expect a little performance degradation.
NB: In my testing gdb will silently squash a watchpoint like:
watch (char[0x7fffffffff]) *0x0
to a 4 byte watchpoint. Practically it will limit the maximum size
based on max-value-size. However given enough of a tweak the sky is
the limit.
Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20200605154929.26910-5-alex.bennee@linaro.org>
Alex Bennée [Fri, 5 Jun 2020 15:49:18 +0000 (16:49 +0100)]
tests/plugin: correctly honour io_count
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200605154929.26910-4-alex.bennee@linaro.org>
scripts/clean-includes: Mark 'qemu/qemu-plugin.h' as special header
"qemu/qemu-plugin.h" isn't meant to be include by QEMU codebase,
but by 3rd party plugins that QEMU can use. These plugins can be
built out of QEMU and don't include "qemu/osdep.h".
Mark "qemu/qemu-plugin.h" as a special header that doesn't need
to be cleaned for "qemu/osdep.h".
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20200524215654.13256-1-f4bug@amsat.org>
Message-Id: <20200605154929.26910-3-alex.bennee@linaro.org>
Implement F_OFD_ fcntl() command, /proc/cpuinfo for hppa
Fix socket(), prnctl() error codes, underflow in target_mremap,
epoll_create() strace, oldumount for alpha
User-mode build dependencies improvement
# gpg: Signature made Sat 06 Jun 2020 14:15:36 BST
# gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C
# gpg: issuer "laurent@vivier.eu"
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full]
# gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full]
# gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full]
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C
* remotes/vivier2/tags/linux-user-for-5.1-pull-request:
stubs: Restrict ui/win32-kbd-hook to system-mode
hw/core: Restrict CpuClass::get_crash_info() to system-mode
target/s390x: Restrict CpuClass::get_crash_info() to system-mode
target/i386: Restrict CpuClass::get_crash_info() to system-mode
arch_init: Remove unused 'qapi-commands-misc.h' include
exec: Assert CPU migration is not used on user-only build
target/riscv/cpu: Restrict CPU migration to system-mode
stubs/Makefile: Reduce the user-mode object list
util/Makefile: Reduce the user-mode object list
tests/Makefile: Restrict some softmmu-only tests
tests/Makefile: Only display TCG-related tests when TCG is available
configure: Avoid building TCG when not needed
Makefile: Only build virtiofsd if system-mode is enabled
linux-user: implement OFD locks
linux-user/mmap.c: fix integer underflow in target_mremap
linux-user/strace.list: fix epoll_create{,1} -strace output
linux-user: Add support for /proc/cpuinfo on hppa platform
linux-user: return target error codes for socket() and prctl()
linux-user, alpha: fix oldumount syscall
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 5 Jun 2020 22:31:31 +0000 (23:31 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200605' into staging
target-arm queue:
hw/ssi/imx_spi: Handle tx burst lengths other than 8 correctly
hw/input/pxa2xx_keypad: Replace hw_error() by qemu_log_mask()
hw/arm/pxa2xx: Replace printf() call by qemu_log_mask()
target/arm: Convert crypto insns to gvec
hw/adc/stm32f2xx_adc: Correct memory region size and access size
tests/acceptance: Add a boot test for the xlnx-versal-virt machine
docs/system: Document Aspeed boards
raspi: Add model of the USB controller
target/arm: Convert 2-reg-and-shift and 1-reg-imm Neon insns to decodetree
In the next commit we are going to remove some objects from the
util-obj-y variable (objects which are not used by user-mode,
when configured with --disable-system).
Then some system-mode tests are going to fail, due to the missing
objects:
$ make check-unit -k
LINK tests/test-iov
/usr/bin/ld: tests/test-iov.o: in function `iov_from_buf':
include/qemu/iov.h:49: undefined reference to `iov_from_buf_full'
make: *** [rules.mak:124: tests/test-iov] Error 1
LINK tests/test-timed-average
/usr/bin/ld: tests/test-timed-average.o: in function `account':
tests/test-timed-average.c:27: undefined reference to `timed_average_account'
make: *** [rules.mak:124: tests/test-timed-average] Error 1
LINK tests/test-util-filemonitor
/usr/bin/ld: tests/test-util-filemonitor.o: in function `qemu_file_monitor_test_event_loop':
tests/test-util-filemonitor.c:83: undefined reference to `main_loop_wait'
make: *** [rules.mak:124: tests/test-util-filemonitor] Error 1
LINK tests/test-util-sockets
/usr/bin/ld: tests/test-util-sockets.o: in function `test_socket_fd_pass_name_good':
tests/test-util-sockets.c:91: undefined reference to `socket_connect'
make: *** [rules.mak:124: tests/test-util-sockets] Error 1
LINK tests/test-base64
/usr/bin/ld: tests/test-base64.o: in function `test_base64_good':
tests/test-base64.c:35: undefined reference to `qbase64_decode'
collect2: error: ld returned 1 exit status
make: *** [rules.mak:124: tests/test-base64] Error 1
LINK tests/test-bufferiszero
/usr/bin/ld: tests/test-bufferiszero.o: in function `test_1':
tests/test-bufferiszero.c:31: undefined reference to `buffer_is_zero'
make: *** [rules.mak:124: tests/test-bufferiszero] Error 1
make: Target 'check-unit' not remade because of errors.
Instead, restrict these tests to system-mode, by using the
$(CONFIG_SOFTMMU) variable.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Tested-by: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200522172510.25784-5-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Jonathan Marler [Sat, 2 May 2020 16:12:25 +0000 (10:12 -0600)]
linux-user/mmap.c: fix integer underflow in target_mremap
Fixes: https://bugs.launchpad.net/bugs/1876373
This code path in mmap occurs when a page size is decreased with mremap. When a section of pages is shrunk, qemu calls mmap_reserve on the pages that were released. However, it has the diff operation reversed, subtracting the larger old_size from the smaller new_size. Instead, it should be subtracting the smaller new_size from the larger old_size. You can also see in the previous line of the change that this mmap_reserve call only occurs when old_size > new_size.
Peter Maydell [Fri, 22 May 2020 14:55:20 +0000 (15:55 +0100)]
target/arm: Convert Neon one-register-and-immediate insns to decodetree
Convert the insns in the one-register-and-immediate group to decodetree.
In the new decode, our asimd_imm_const() function returns a 64-bit value
rather than a 32-bit one, which means we don't need to treat cmode=14 op=1
as a special case in the decoder (it is the only encoding where the two
halves of the 64-bit value are different).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-10-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:19 +0000 (15:55 +0100)]
target/arm: Convert VCVT fixed-point ops to decodetree
Convert the VCVT fixed-point conversion operations in the
Neon 2-regs-and-shift group to decodetree.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-9-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:18 +0000 (15:55 +0100)]
target/arm: Convert Neon VSHLL, VMOVL to decodetree
Convert the VSHLL and VMOVL insns from the 2-reg-shift group
to decodetree. Since the loop always has two passes, we unroll
it to avoid the awkward reassignment of one TCGv to another.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-8-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:17 +0000 (15:55 +0100)]
target/arm: Convert Neon narrowing shifts with op==9 to decodetree
Convert the remaining Neon narrowing shifts to decodetree:
* VQSHRN
* VQRSHRN
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-7-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:16 +0000 (15:55 +0100)]
target/arm: Convert Neon narrowing shifts with op==8 to decodetree
Convert the Neon narrowing shifts where op==8 to decodetree:
* VSHRN
* VRSHRN
* VQSHRUN
* VQRSHRUN
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-6-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:15 +0000 (15:55 +0100)]
target/arm: Convert VQSHLU, VQSHL 2-reg-shift insns to decodetree
Convert the VQSHLU and QVSHL 2-reg-shift insns to decodetree.
These are the last of the simple shift-by-immediate insns.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-5-peter.maydell@linaro.org
Convert the VSRA, VSRI, VRSHR, VRSRA 2-reg-shift insns to decodetree.
(These are the last instructions in the group that are vectorized;
the rest all require looping over each element.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-4-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:13 +0000 (15:55 +0100)]
target/arm: Convert Neon VSHR 2-reg-shift insns to decodetree
Convert the VSHR 2-reg-shift insns to decodetree.
Note that unlike the legacy decoder, we present the right shift
amount to the trans_ function as a positive integer.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-3-peter.maydell@linaro.org
Peter Maydell [Fri, 22 May 2020 14:55:12 +0000 (15:55 +0100)]
target/arm: Convert Neon VSHL and VSLI 2-reg-shift insn to decodetree
Convert the VSHL and VSLI insns from the Neon 2-registers-and-a-shift
group to decodetree.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200522145520.6778-2-peter.maydell@linaro.org
Paul Zimmerman [Wed, 20 May 2020 23:53:49 +0000 (16:53 -0700)]
raspi2 acceptance test: add test for dwc-hsotg (dwc2) USB host
Add a check for functional dwc-hsotg (dwc2) USB host emulation to
the Raspi 2 acceptance test
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com> Reviewed-by: Philippe Mathieu-Daude <f4bug@amsat.org>
Message-id: 20200520235349.21215-8-pauldzim@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:48 +0000 (16:53 -0700)]
wire in the dwc-hsotg (dwc2) USB host controller emulation
Wire the dwc-hsotg (dwc2) emulation into Qemu
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com> Reviewed-by: Philippe Mathieu-Daude <f4bug@amsat.org>
Message-id: 20200520235349.21215-7-pauldzim@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:47 +0000 (16:53 -0700)]
usb: add short-packet handling to usb-storage driver
The dwc-hsotg (dwc2) USB host depends on a short packet to
indicate the end of an IN transfer. The usb-storage driver
currently doesn't provide this, so fix it.
I have tested this change rather extensively using a PC
emulation with xhci, ehci, and uhci controllers, and have
not observed any regressions.
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com>
Message-id: 20200520235349.21215-6-pauldzim@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:46 +0000 (16:53 -0700)]
dwc-hsotg (dwc2) USB host controller emulation
Add the dwc-hsotg (dwc2) USB host controller emulation code.
Based on hw/usb/hcd-ehci.c and hw/usb/hcd-ohci.c.
Note that to use this with the dwc-otg driver in the Raspbian
kernel, you must pass the option "dwc_otg.fiq_fsm_enable=0" on
the kernel command line.
Emulation of slave mode and of descriptor-DMA mode has not been
implemented yet. These modes are seldom used.
I have used some on-line sources of information while developing
this emulation, including:
http://www.capital-micro.com/PDF/CME-M7_Family_User_Guide_EN.pdf
which has a pretty complete description of the controller starting
on page 370.
https://sourceforge.net/p/wive-ng/wive-ng-mt/ci/master/tree/docs/DataSheets/RT3050_5x_V2.0_081408_0902.pdf
which has a description of the controller registers starting on
page 130.
Thanks to Felippe Mathieu-Daude for providing a cleaner method
of implementing the memory regions for the controller registers.
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com>
Message-id: 20200520235349.21215-5-pauldzim@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:45 +0000 (16:53 -0700)]
dwc-hsotg (dwc2) USB host controller state definitions
Add the dwc-hsotg (dwc2) USB host controller state definitions.
Mostly based on hw/usb/hcd-ehci.h.
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com>
Message-id: 20200520235349.21215-4-pauldzim@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:44 +0000 (16:53 -0700)]
dwc-hsotg (dwc2) USB host controller register definitions
Import the dwc-hsotg (dwc2) register definitions file from the
Linux kernel. This is a copy of drivers/usb/dwc2/hw.h from the
mainline Linux kernel, the only changes being to the header, and
two instances of 'u32' changed to 'uint32_t' to allow it to
compile. Checkpatch throws a boatload of errors due to the tab
indentation, but I would rather import it as-is than reformat it.
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com>
Message-id: 20200520235349.21215-3-pauldzim@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Zimmerman [Wed, 20 May 2020 23:53:43 +0000 (16:53 -0700)]
raspi: add BCM2835 SOC MPHI emulation
Add BCM2835 SOC MPHI (Message-based Parallel Host Interface)
emulation. It is very basic, only providing the FIQ interrupt
needed to allow the dwc-otg USB host controller driver in the
Raspbian kernel to function.
Signed-off-by: Paul Zimmerman <pauldzim@gmail.com> Acked-by: Philippe Mathieu-Daude <f4bug@amsat.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20200520235349.21215-2-pauldzim@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200602135050.593692-1-clg@kaod.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
we can use the Ubuntu kernel for testing the xlnx-versal-virt machine.
So let's add a boot test for this now.
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20200525141237.15243-1-thuth@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Rather than passing an opcode to a helper, fully decode the
operation at translate time. Use clear_tail_16 to zap the
balance of the SVE register with the AdvSIMD write.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-7-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Rather than passing an opcode to a helper, fully decode the
operation at translate time. Use clear_tail_16 to zap the
balance of the SVE register with the AdvSIMD write.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-6-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Convert sha1 and sha256 to gvec helpers
Do not yet convert the helpers to loop over opr_sz, but the
descriptor allows the vector tail to be cleared. Which fixes
an existing bug vs SVE.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-5-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Convert sha512 and sm3 to gvec helpers
Do not yet convert the helpers to loop over opr_sz, but the
descriptor allows the vector tail to be cleared. Which fixes
an existing bug vs SVE.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-4-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
With this conversion, we will be able to use the same helpers
with sve. This also fixes a bug in which we failed to clear
the high bits of the SVE register after an AdvSIMD operation.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-3-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
With this conversion, we will be able to use the same helpers
with sve. In particular, pass 3 vector parameters for the
3-operand operations; for advsimd the destination register
is also an input.
This also fixes a bug in which we failed to clear the high bits
of the SVE register after an AdvSIMD operation.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200514212831.31248-2-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hw/arm/pxa2xx: Replace printf() call by qemu_log_mask()
Replace printf() calls by qemu_log_mask(), which is disabled
by default. This avoid flooding the terminal when fuzzing the
device.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200525114123.21317-3-f4bug@amsat.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hw/input/pxa2xx_keypad: Replace hw_error() by qemu_log_mask()
hw_error() calls exit(). This a bit overkill when we can log
the accesses as unimplemented or guest error.
When fuzzing the devices, we don't want the whole process to
exit. Replace some hw_error() calls by qemu_log_mask()
(missed in commit 5a0001ec7e).
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200525114123.21317-2-f4bug@amsat.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Eden Mikitas [Tue, 2 Jun 2020 12:44:34 +0000 (13:44 +0100)]
hw/ssi/imx_spi: Removed unnecessary cast of rx data received from slave
When inserting the value retrieved (rx) from the spi slave, rx is pushed to
rx_fifo after being cast to uint8_t. rx_fifo is a fifo32, and the rx
register the driver uses is also 32 bit. This zeroes the 24 most
significant bits of rx. This proved problematic with devices that expect to
use the whole 32 bits of the rx register.
Signed-off-by: Eden Mikitas <e.mikitas@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Eden Mikitas [Tue, 2 Jun 2020 12:44:34 +0000 (13:44 +0100)]
hw/ssi/imx_spi: changed while statement to prevent underflow
The while statement in question only checked if tx_burst is not 0.
tx_burst is a signed int, which is assigned the value put by the
guest driver in ECSPI_CONREG. The burst length can be anywhere
between 1 and 4096, and since tx_burst is always decremented by 8
it could possibly underflow, causing an infinite loop.
Signed-off-by: Eden Mikitas <e.mikitas@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jared Rossi [Tue, 12 May 2020 18:15:35 +0000 (14:15 -0400)]
vfio-ccw: allow non-prefetch ORBs
Remove the explicit prefetch check when using vfio-ccw devices.
This check does not trigger in practice as all Linux channel programs
are intended to use prefetch.
Newer Linux kernel versions do not require to force the PFCH flag with
vfio-ccw devices anymore.
Signed-off-by: Jared Rossi <jrossi@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20200512181535.18630-2-jrossi@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
We need some little help in the code to reduce the valgrind noise.
This patch does this with some designated initializers for the cpu
model features and subfunctions.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200429074201.100924-1-borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Peter Maydell [Fri, 5 Jun 2020 10:53:37 +0000 (11:53 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request
# gpg: Signature made Fri 05 Jun 2020 10:47:27 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full]
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
block: Factor out bdrv_run_co()
exec: Rename qemu_ram_writeback() as qemu_ram_msync()
hw/block: Let the NVMe emulated device be target-agnostic
memory: Extract memory_region_msync() from memory_region_writeback()
memory: Rename memory_region_do_writeback -> memory_region_writeback
fuzz: run the main-loop in fork-server process
fuzz: add mangled object name to linker script
fuzz: fix typo in i440fx-qtest-reboot arguments
fuzz: add datadir for oss-fuzz compatability
io_uring: use io_uring_cq_ready() to check for ready cqes
io_uring: retry io_uring_submit() if it fails with errno=EINTR
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
We have a few bdrv_*() functions that can either spawn a new coroutine
and wait for it with BDRV_POLL_WHILE() or use a fastpath if they are
alreeady running in a coroutine. All of them duplicate basically the
same code.
Factor the common code into a new function bdrv_run_co().
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-id: 20200520144901.16589-1-vsementsov@virtuozzo.com
[Factor out bdrv_run_co_entry too] Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
exec: Rename qemu_ram_writeback() as qemu_ram_msync()
Rename qemu_ram_writeback() as qemu_ram_msync() to better
match what it does.
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200508062456.23344-5-philmd@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
hw/block: Let the NVMe emulated device be target-agnostic
Now than the non-target specific memory_region_msync() function
is available, use it to make this device target-agnostic.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200508062456.23344-4-philmd@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
memory: Extract memory_region_msync() from memory_region_writeback()
Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200508062456.23344-3-philmd@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
We usually use '_do_' for internal functions. Rename
memory_region_do_writeback() as memory_region_writeback().
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200508062456.23344-2-philmd@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Without this, the time since the last main-loop keeps increasing, as the
fuzzer runs. The forked children need to handle all the "past-due"
timers, slowing them down, over time. With this change, the
parent/fork-server process runs the main-loop, while waiting on the
child, ensuring that the timer events do not pile up, over time.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-5-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Previously, we relied on "FuzzerTracePC*(.bss*)" to place libfuzzer's
fuzzer::TPC object into our contiguous shared-memory region. This does
not work for some libfuzzer builds, so this addition identifies the
region by its mangled name: *(.bss._ZN6fuzzer3TPCE);
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-4-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200512030133.29896-3-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This allows us to keep pc-bios in executable_dir/pc-bios, rather than
executable_dir/../pc-bios, which is incompatible with oss-fuzz' file
structure.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-2-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
io_uring: use io_uring_cq_ready() to check for ready cqes
In qemu_luring_poll_cb() we are not using the cqe peeked from the
CQ ring. We are using io_uring_peek_cqe() only to see if there
are cqes ready, so we can replace it with io_uring_cq_ready().
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-id: 20200519134942.118178-1-sgarzare@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
io_uring: retry io_uring_submit() if it fails with errno=EINTR
As recently documented [1], io_uring_enter(2) syscall can return an
error (errno=EINTR) if the operation was interrupted by a delivery
of a signal before it could complete.
This should happen when IORING_ENTER_GETEVENTS flag is used, for
example during io_uring_submit_and_wait() or during io_uring_submit()
when IORING_SETUP_IOPOLL is enabled.
We shouldn't have this problem for now, but it's better to prevent it.
While replacing fprintf() by qemu_log_mask() in commit 2b55f4d3504, we incorrectly used a 'tab = 4 spaces'
alignment, leading to misindented new code. Fix now.
Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200529165436.23573-1-f4bug@amsat.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
ati-vga: check mm_index before recursive call (CVE-2020-13800)
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.
Peter Maydell [Thu, 4 Jun 2020 10:38:47 +0000 (11:38 +0100)]
Merge remote-tracking branch 'remotes/alistair/tags/pull-riscv-to-apply-20200603' into staging
This is a collection of RISC-V patches for 5.1.
This incldues removing deprecated features and part of the OpenTitan
support series.
# gpg: Signature made Wed 03 Jun 2020 17:12:43 BST
# gpg: using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* remotes/alistair/tags/pull-riscv-to-apply-20200603:
riscv: Initial commit of OpenTitan machine
target/riscv: Add the lowRISC Ibex CPU
target/riscv: Don't set PMP feature in the cpu init
target/riscv: Disable the MMU correctly
target/riscv: Don't overwrite the reset vector
riscv/boot: Add a missing header include
riscv: sifive_e: Manually define the machine
docs: deprecated: Update the -bios documentation
target/riscv: Drop support for ISA spec version 1.09.1
target/riscv: Remove the deprecated CPUs
hw/riscv: spike: Remove deprecated ISA specific machines
hw/riscv: virt: Remove the riscv_ prefix of the machine* functions
hw/riscv: sifive_u: Remove the riscv_ prefix of the soc* functions
riscv: Change the default behavior if no -bios option is specified
riscv: Suppress the error report for QEMU testing with riscv_find_firmware()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Alistair Francis [Thu, 23 Apr 2020 17:50:09 +0000 (10:50 -0700)]
target/riscv: Add the lowRISC Ibex CPU
Ibex is a small and efficient, 32-bit, in-order RISC-V core with
a 2-stage pipeline that implements the RV32IMC instruction set
architecture.
For more details on lowRISC see here:
https://github.com/lowRISC/ibex
Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
Alistair Francis [Thu, 28 May 2020 18:04:15 +0000 (11:04 -0700)]
target/riscv: Don't set PMP feature in the cpu init
The PMP is enabled by default via the "pmp" property so there is no need
for us to set it in the init function. As all CPUs have PMP support just
remove the set_feature() call in the CPU init functions.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Bin Meng <bin.meng@windriver.com>
Alistair Francis [Tue, 26 May 2020 23:06:02 +0000 (16:06 -0700)]
target/riscv: Disable the MMU correctly
Previously if we didn't enable the MMU it would be enabled in the
realize() function anyway. Let's ensure that if we don't want the MMU we
disable it. We also don't need to enable the MMU as it will be enabled
in realize() by default.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Bin Meng <bin.meng@windriver.com>
Alistair Francis [Thu, 23 Apr 2020 21:09:37 +0000 (14:09 -0700)]
riscv/boot: Add a missing header include
As the functions declared in this header use the symbol_fn_t
typedef itself declared in "hw/loader.h", we need to include
it here to make the header file self-contained.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Bin Meng <bin.meng@windriver.com>