git.proxmox.com Git - mirror_qemu.git/log
mirror_qemu.git
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_analyze_funcs
Taylor Simpson [Sun, 10 Dec 2023 22:07:10 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_analyze_funcs

This patch conflicts with
https://lists.gnu.org/archive/html/qemu-devel/2023-11/msg00729.html
If that series goes in first, we'll rework this patch and vice versa.

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Message-Id: <20231210220712.491494-8-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_op_regs
Taylor Simpson [Sun, 10 Dec 2023 22:07:09 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_op_regs

Reviewed-by: Brian Cain <bcain@quicinc.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Message-Id: <20231210220712.491494-7-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_idef_parser_funcs
Taylor Simpson [Sun, 10 Dec 2023 22:07:08 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_idef_parser_funcs

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Message-Id: <20231210220712.491494-6-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_helper_funcs
Taylor Simpson [Sun, 10 Dec 2023 22:07:07 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_helper_funcs

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Message-Id: <20231210220712.491494-5-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_helper_protos
Taylor Simpson [Sun, 10 Dec 2023 22:07:06 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_helper_protos

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Message-Id: <20231210220712.491494-4-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Make generators object oriented - gen_tcg_funcs
Taylor Simpson [Sun, 10 Dec 2023 22:07:05 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Make generators object oriented - gen_tcg_funcs

The generators are generally a bunch of Python if-then-else
statements based on the regtype and regid.  Encapsulate regtype/regid
into a class hierarchy.  Clients look up the register and invoke
methods.

This has several advantages for making the code easier to read,
understand, and maintain
- The class name makes it more clear what the operand does
- All the methods for a given type of operand are together
- Don't need hex_common.bad_register
  If a regtype/regid is missing, the lookup in hex_common.get_register
  will fail
- We can remove the functions in hex_common that use regtype/regid
  (e.g., is_read)

This patch creates the class hierarchy in hex_common and converts
gen_tcg_funcs.py.  The other scripts will be converted in subsequent
patches in this series.

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Message-Id: <20231210220712.491494-3-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Clean up handling of modifier registers
Taylor Simpson [Sun, 10 Dec 2023 22:07:04 +0000 (15:07 -0700)]
Hexagon (target/hexagon) Clean up handling of modifier registers

Currently, the register number (MuN) for modifier registers is the
modifier register number rather than the index into hex_gpr.  This
patch changes MuN to the hex_gpr index, which is consistent with
the handling of control registers.

Note that HELPER(fcircadd) needs the CS register corresponding to the
modifier register specified in the instruction.  We create a TCGv
variable "CS" to hold the value to pass to the helper.

Reviewed-by: Brian Cain <bcain@quicinc.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Message-Id: <20231210220712.491494-2-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago Hexagon (target/hexagon) Fix shadow variable when idef-parser is off
Taylor Simpson [Thu, 30 Nov 2023 18:39:55 +0000 (11:39 -0700)]
Hexagon (target/hexagon) Fix shadow variable when idef-parser is off

Adding -Werror=shadow=compatible-local causes Hexagon not to build
when idef-parser is off.  The "label" variable in CHECK_NOSHUF_PRED
shadows a variable in the surrounding code.

Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Brian Cain <bcain@quicinc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20231130183955.54314-1-ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <bcain@quicinc.com>
3 months ago tests/docker: Hexagon toolchain update
Brian Cain [Sun, 14 Jan 2024 23:23:54 +0000 (15:23 -0800)]
tests/docker: Hexagon toolchain update

This update includes support for privileged instructions.

Signed-off-by: Brian Cain <bcain@quicinc.com>
Reviewed-by: Matheus Tavares Bernardino <quic_mathbern@quicinc.com>
Tested-by: Matheus Tavares Bernardino <quic_mathbern@quicinc.com>
Message-Id: <20240114232354.4109231-1-bcain@quicinc.com>

3 months ago Merge tag 'pull-request-2024-01-19' of https://gitlab.com/thuth/qemu into staging
Peter Maydell [Sat, 20 Jan 2024 17:22:15 +0000 (17:22 +0000)]
Merge tag 'pull-request-2024-01-19' of https://gitlab.com/thuth/qemu into staging

- Fix s390x ISM reset
- Remove deprecated CLI options -no-hpet, -no-acpi, -async-teardown,
  -chroot and -singlestep
- Fix installation of the netbsd VM

# gpg: Signature made Fri 19 Jan 2024 15:21:49 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2024-01-19' of https://gitlab.com/thuth/qemu:
  tests/vm/netbsd: Remove missing py311-expat package
  cli: Remove deprecated '-singlestep' command line option
  hmp: Remove deprecated 'singlestep' command
  qapi: Remove deprecated 'singlestep' member of StatusInfo
  qemu-options: Remove the deprecated -chroot option
  qemu-options: Remove the deprecated -async-teardown option
  qemu-options: Remove the deprecated -no-acpi option
  qemu-options: Remove the deprecated -no-hpet option
  s390x/pci: drive ISM reset from subsystem reset
  s390x/pci: refresh fh before disabling aif
  s390x/pci: avoid double enable/disable of aif

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'hw-cpus-20240119' of https://github.com/philmd/qemu into staging
Peter Maydell [Fri, 19 Jan 2024 11:39:38 +0000 (11:39 +0000)]
Merge tag 'hw-cpus-20240119' of https://github.com/philmd/qemu into staging

HW core patch queue

. Deprecate unmaintained SH-4 models (Samuel)
. HPET: Convert DPRINTF calls to trace events (Daniel)
. Implement buffered block writes in Intel PFlash (Gerd)
. Ignore ELF loadable segments with zero size (Bin)
. ESP/NCR53C9x: PCI DMA fixes (Mark)
. PIIX: Simplify Xen PCI IRQ routing (Bernhard)
. Restrict CPU 'start-powered-off' property to sysemu (Phil)

. target/alpha: Only build sys_helper.c on system emulation (Phil)
. target/xtensa: Use generic instruction breakpoint API & add test (Max)
. Restrict icount to system emulation (Phil)
. Do not set CPUState TCG-specific flags in non-TCG accels (Phil)
. Cleanup TCG tb_invalidate API (Phil)
. Correct LoongArch/KVM include path (Bibo)
. Do not ignore throttle errors in crypto backends (Phil)

. MAINTAINERS updates (Raphael, Zhao)

# gpg: Signature made Fri 19 Jan 2024 11:32:09 GMT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-cpus-20240119' of https://github.com/philmd/qemu: (36 commits)
  configure: Add linux header compile support for LoongArch
  MAINTAINERS: Update hw/core/cpu.c entry
  MAINTAINERS: Update Raphael Norwitz email
  hw/elf_ops: Ignore loadable segments with zero size
  hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued
  hw/scsi/esp-pci: synchronise setting of DMA_STAT_DONE with ESP completion interrupt
  hw/scsi/esp-pci: generate PCI interrupt from separate ESP and PCI sources
  hw/scsi/esp-pci: use correct address register for PCI DMA transfers
  target/riscv: Rename tcg_cpu_FOO() to include 'riscv'
  target/i386: Rename tcg_cpu_FOO() to include 'x86'
  hw/s390x: Rename cpu_class_init() to include 'sclp'
  hw/core/cpu: Rename cpu_class_init() to include 'common'
  accel: Rename accel_init_ops_interfaces() to include 'system'
  cpus: Restrict 'start-powered-off' property to system emulation
  system/watchpoint: Move TCG specific code to accel/tcg/
  system/replay: Restrict icount to system emulation
  hw/pflash: implement update buffer for block writes
  hw/pflash: use ldn_{be,le}_p and stn_{be,le}_p
  hw/pflash: refactor pflash_data_write()
  hw/i386/pc_piix: Make piix_intx_routing_notifier_xen() more device independent
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Peter Maydell [Fri, 19 Jan 2024 11:39:27 +0000 (11:39 +0000)]
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* vga: implement odd/even and byte/word/doubleword modes more accurately
* vga: implement horizontal pel panning
* KVM: add class property to configure KVM device node to use
* fix various bugs in x86 TCG PC-relative translation
* properly align huge pages on LoongArch
* cleanup patches

# gpg: Signature made Thu 18 Jan 2024 09:44:41 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  tests/tcg: Don't #include <inttypes.h> in aarch64/system/vtimer.c
  qemu/osdep: Add huge page aligned support on LoongArch platform
  remove unnecessary casts from uintptr_t
  target/i386: pcrel: store low bits of physical address in data[0]
  target/i386: fix incorrect EIP in PC-relative translation blocks
  target/i386: Do not re-compute new pc with CF_PCREL
  io_uring: move LuringState typedef to block/aio.h
  Add class property to configure KVM device node to use
  vga: sort-of implement word and double-word access modes
  vga: use latches in odd/even mode too
  vga: reindent memory access code
  vga: optimize horizontal pel panning in 256-color modes
  vga: implement horizontal pel panning in graphics modes
  vga: mask addresses in non-VESA modes to 256k
  vga: introduce VGADisplayParams
  vga: use common endian swap macros

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago configure: Add linux header compile support for LoongArch
Bibo Mao [Tue, 16 Jan 2024 01:39:52 +0000 (09:39 +0800)]
configure: Add linux header compile support for LoongArch

When compiling qemu with system KVM mode for LoongArch, header files
in directory linux-headers/asm-loongarch should be used first.
Otherwise it fails to find kvm.h on systems with old glibc, since
latest kernel header files are not installed.

This patch adds linux_arch definition for LoongArch system so that
header files in directory linux-headers/asm-loongarch can be included.

Fixes: 714b03c125 ("target/loongarch: Add loongarch kvm into meson build")
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240116013952.264474-1-maobibo@loongson.cn>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago MAINTAINERS: Update hw/core/cpu.c entry
Zhao Liu [Mon, 15 Jan 2024 09:48:42 +0000 (17:48 +0800)]
MAINTAINERS: Update hw/core/cpu.c entry

The hw/core/cpu.c was split as hw/core/cpu-common.c and
hw/core/cpu-sysemu.c in the commit df4fd7d5c8a3 ("cpu: Split as
cpu-common / cpu-sysemu").

Update the related entry.

Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240115094852.3597165-2-zhao1.liu@linux.intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago MAINTAINERS: Update Raphael Norwitz email
Raphael Norwitz [Thu, 11 Jan 2024 19:28:46 +0000 (19:28 +0000)]
MAINTAINERS: Update Raphael Norwitz email

I will be leaving Nutanix so updating my email in MAINTAINERS to my
personal email for now.

Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240111192846.111699-1-raphael.norwitz@nutanix.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/elf_ops: Ignore loadable segments with zero size
Bin Meng [Tue, 16 Jan 2024 15:50:49 +0000 (23:50 +0800)]
hw/elf_ops: Ignore loadable segments with zero size

Some ELF files really do have segments of zero size, e.g.:

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  RISCV_ATTRIBUT 0x00000000000025b8 0x0000000000000000 0x0000000000000000
                 0x000000000000003e 0x0000000000000000  R      0x1
  LOAD           0x0000000000001000 0x0000000080200000 0x0000000080200000
                 0x00000000000001d1 0x00000000000001d1  R E    0x1000
  LOAD           0x00000000000011d1 0x00000000802001d1 0x00000000802001d1
                 0x0000000000000e37 0x0000000000000e37  RW     0x1000
  LOAD           0x0000000000000120 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         0x1000

The current logic does not check for this condition, resulting in
the incorrect assignment of 'lowaddr' as zero.

There is already a piece of code inside the segment traversal loop
that checks for zero-sized loadable segments for not creating empty
ROM blobs. Let's move this check to the beginning of the loop to
cover both scenarios.

Signed-off-by: Bin Meng <bmeng@tinylab.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20240116155049.390301-1-bmeng@tinylab.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued
Mark Cave-Ayland [Fri, 12 Jan 2024 13:15:29 +0000 (13:15 +0000)]
hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued

Even though the BLAST command isn't fully implemented in QEMU, the DMA_STAT_BCMBLT
bit should be set after the command has been issued to indicate that the command
has completed.

This fixes an issue with the DC390 DOS driver which issues the BLAST command as
part of its normal error recovery routine at startup, and otherwise sits in a
tight loop waiting for DMA_STAT_BCMBLT to be set before continuing.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20240112131529.515642-5-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/scsi/esp-pci: synchronise setting of DMA_STAT_DONE with ESP completion interrupt
Mark Cave-Ayland [Fri, 12 Jan 2024 13:15:28 +0000 (13:15 +0000)]
hw/scsi/esp-pci: synchronise setting of DMA_STAT_DONE with ESP completion interrupt

The setting of DMA_STAT_DONE at the end of a DMA transfer can be configured to
generate an interrupt, however the Linux driver manually checks for DMA_STAT_DONE
being set and if it is, considers that a DMA transfer has completed.

If DMA_STAT_DONE is set but the ESP device isn't indicating an interrupt then
the Linux driver considers this to be a spurious interrupt. However this can
occur in QEMU as there is a delay between the end of DMA transfer where
DMA_STAT_DONE is set, and the ESP device raising its completion interrupt.

This appears to be an incorrect assumption in the Linux driver as the ESP and
PCI DMA interrupt sources are separate (and may not be raised exactly
together), however we can work around this by synchronising the setting of
DMA_STAT_DONE at the end of a DMA transfer with the ESP completion interrupt.

In conjunction with the previous commit Linux is now able to correctly boot
from an am53c974 PCI SCSI device on the hppa C3700 machine without emitting
"iget: checksum invalid" and "Spurious irq, sreg=10" errors.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20240112131529.515642-4-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/scsi/esp-pci: generate PCI interrupt from separate ESP and PCI sources
Mark Cave-Ayland [Fri, 12 Jan 2024 13:15:27 +0000 (13:15 +0000)]
hw/scsi/esp-pci: generate PCI interrupt from separate ESP and PCI sources

The am53c974/dc390 PCI interrupt has two separate sources: the first is from the
internal ESP device, and the second is from the PCI DMA transfer logic.

Update the ESP interrupt handler so that it sets DMA_STAT_SCSIINT rather than
driving the PCI IRQ directly, and introduce a new esp_pci_update_irq() function
to generate the correct PCI IRQ level. In particular this fixes spurious interrupts
being generated by setting DMA_STAT_DONE at the end of a transfer if DMA_CMD_INTE_D
isn't set in the DMA_CMD register.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20240112131529.515642-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/scsi/esp-pci: use correct address register for PCI DMA transfers
Mark Cave-Ayland [Fri, 12 Jan 2024 13:15:26 +0000 (13:15 +0000)]
hw/scsi/esp-pci: use correct address register for PCI DMA transfers

The current code in esp_pci_dma_memory_rw() sets the DMA address to the value
of the DMA_SPA (Starting Physical Address) register which is incorrect: this
means that for each callback from the SCSI layer the DMA address is set back
to the starting address.

In the case where only a single SCSI callback occurs (currently for transfer
lengths < 128kB) this works fine, however for larger transfers the DMA address
wraps back to the initial starting address, corrupting the buffer holding the
data transferred to the guest.

Fix esp_pci_dma_memory_rw() to use the DMA_WAC (Working Address Counter) for
the DMA address which is correctly incremented across multiple SCSI layer
transfers.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20240112131529.515642-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago target/riscv: Rename tcg_cpu_FOO() to include 'riscv'
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 08:32:33 +0000 (09:32 +0100)]
target/riscv: Rename tcg_cpu_FOO() to include 'riscv'

The tcg_cpu_FOO() names are riscv specific, so rename
them as riscv_tcg_cpu_FOO() (as other names in this file)
to ease navigating the code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20240111120221.35072-6-philmd@linaro.org>

3 months ago target/i386: Rename tcg_cpu_FOO() to include 'x86'
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 08:30:48 +0000 (09:30 +0100)]
target/i386: Rename tcg_cpu_FOO() to include 'x86'

The tcg_cpu_FOO() names are x86 specific, so rename
them as x86_tcg_cpu_FOO() (as other names in this file)
to ease navigating the code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20240111120221.35072-5-philmd@linaro.org>

3 months ago hw/s390x: Rename cpu_class_init() to include 'sclp'
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 08:46:42 +0000 (09:46 +0100)]
hw/s390x: Rename cpu_class_init() to include 'sclp'

cpu_class_init() is specific to s390x SCLP, so rename
it as sclp_cpu_class_init() (as other names in this file)
to ease navigating the code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20240111120221.35072-4-philmd@linaro.org>

3 months ago hw/core/cpu: Rename cpu_class_init() to include 'common'
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 08:45:57 +0000 (09:45 +0100)]
hw/core/cpu: Rename cpu_class_init() to include 'common'

cpu_class_init() is common, so rename it as cpu_common_class_init()
to ease navigating the code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20240111120221.35072-3-philmd@linaro.org>

3 months ago accel: Rename accel_init_ops_interfaces() to include 'system'
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 09:00:53 +0000 (10:00 +0100)]
accel: Rename accel_init_ops_interfaces() to include 'system'

accel_init_ops_interfaces() is system specific, so
rename it as accel_system_init_ops_interfaces() to
ease navigating the code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20240111120221.35072-2-philmd@linaro.org>

3 months ago cpus: Restrict 'start-powered-off' property to system emulation
Philippe Mathieu-Daudé [Wed, 10 Jan 2024 09:03:11 +0000 (10:03 +0100)]
cpus: Restrict 'start-powered-off' property to system emulation

Since the CPUState::start-powered-off property is irrelevant
to user emulation, restrict it to system emulation.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20240111161817.43150-1-philmd@linaro.org>

3 months ago system/watchpoint: Move TCG specific code to accel/tcg/
Philippe Mathieu-Daudé [Tue, 9 Jan 2024 21:53:26 +0000 (22:53 +0100)]
system/watchpoint: Move TCG specific code to accel/tcg/

Keep system/watchpoint.c accelerator-agnostic by moving
TCG specific code to accel/tcg/watchpoint.c. Update meson.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20240111162032.43378-1-philmd@linaro.org>

3 months ago system/replay: Restrict icount to system emulation
Philippe Mathieu-Daudé [Fri, 5 Jan 2024 23:23:37 +0000 (00:23 +0100)]
system/replay: Restrict icount to system emulation

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231208113529.74067-7-philmd@linaro.org>

3 months ago hw/pflash: implement update buffer for block writes
Gerd Hoffmann [Mon, 8 Jan 2024 16:08:59 +0000 (17:08 +0100)]
hw/pflash: implement update buffer for block writes

Add an update buffer where all block updates are staged.
Flush or discard updates properly, so we should never see
half-completed block writes in pflash storage.

Drop a bunch of FIXME comments ;)

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240108160900.104835-4-kraxel@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/pflash: use ldn_{be,le}_p and stn_{be,le}_p
Gerd Hoffmann [Mon, 8 Jan 2024 16:08:58 +0000 (17:08 +0100)]
hw/pflash: use ldn_{be,le}_p and stn_{be,le}_p

Use the helper functions we have to read/write multi-byte values
in correct byte order.

Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240108160900.104835-3-kraxel@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/pflash: refactor pflash_data_write()
Gerd Hoffmann [Mon, 8 Jan 2024 16:08:57 +0000 (17:08 +0100)]
hw/pflash: refactor pflash_data_write()

Move the offset calculation, do it once at the start of the function and
let the 'p' variable point directly to the memory location which should
be updated.  This makes it simpler to update other buffers than
pfl->storage in an upcoming patch.  No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240108160900.104835-2-kraxel@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/i386/pc_piix: Make piix_intx_routing_notifier_xen() more device independent
Bernhard Beschow [Sun, 7 Jan 2024 23:16:23 +0000 (00:16 +0100)]
hw/i386/pc_piix: Make piix_intx_routing_notifier_xen() more device independent

This is a follow-up on commit 89965db43cce "hw/isa/piix3: Avoid Xen-specific
variant of piix3_write_config()" which introduced
piix_intx_routing_notifier_xen(). This function is implemented in board code but
accesses the PCI configuration space of the PIIX ISA function to determine the
PCI interrupt routes. Avoid this by reusing pci_device_route_intx_to_irq() which
makes piix_intx_routing_notifier_xen() more device-agnostic.

One remaining improvement would be making piix_intx_routing_notifier_xen()
agnostic towards the number of PCI interrupt routes and move it to xen-hvm.
This might be useful for possible Q35 Xen efforts but remains a future exercise
for now.

Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240107231623.5282-1-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago hw/block: Deprecate the TC58128 block device
Samuel Tardieu [Tue, 9 Jan 2024 08:30:53 +0000 (09:30 +0100)]
hw/block: Deprecate the TC58128 block device

The 16MiB flash device is only used by the deprecated shix machine.
Its code is old and unmaintained, and has never been adapted to the
QOM architecture. It still contains debug statements and uses global
variables. It is time to deprecate it.

Signed-off-by: Samuel Tardieu <sam@rfc1149.net>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240109083053.2581588-3-sam@rfc1149.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago target/sh4: Deprecate the shix machine
Samuel Tardieu [Tue, 9 Jan 2024 08:30:52 +0000 (09:30 +0100)]
target/sh4: Deprecate the shix machine

The shix machine has been designed and used at Télécom Paris from 2003
to 2010. It had been added to QEMU in 2005 and has not been maintained
since. Since nobody is using the physical board anymore nor interested
in maintaining the QEMU port, it is time to deprecate it.

Signed-off-by: Samuel Tardieu <sam@rfc1149.net>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240109083053.2581588-2-sam@rfc1149.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago util/async: Only call icount_notify_exit() if icount is enabled
Philippe Mathieu-Daudé [Fri, 8 Dec 2023 11:35:27 +0000 (12:35 +0100)]
util/async: Only call icount_notify_exit() if icount is enabled

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231208113529.74067-6-philmd@linaro.org>

3 months ago target/arm: Ensure icount is enabled when emulating INST_RETIRED
Philippe Mathieu-Daudé [Fri, 8 Dec 2023 11:35:26 +0000 (12:35 +0100)]
target/arm: Ensure icount is enabled when emulating INST_RETIRED

pmu_init() registers its event checking the pm_event::supported()
handler. For INST_RETIRED, the event is only registered and the
bit enabled in the PMU Common Event Identification register when
icount is enabled as ICOUNT_PRECISE.

PMU events are TCG-only, hardware accelerators handle them
directly. Unfortunately we register the events in non-TCG builds,
leading to linking errors such as:

  ld: Undefined symbols:
    _icount_to_ns, referenced from:
      _instructions_ns_per in target_arm_helper.c.o
  clang: error: linker command failed with exit code 1 (use -v to see invocation)

As a kludge, give a hint to the compiler by asserting the
pm_event::get_count() and pm_event::ns_per_count() handlers will
only be called under this icount mode.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231208113529.74067-5-philmd@linaro.org>

3 months ago system/cpu-timers: Introduce ICountMode enumerator
Philippe Mathieu-Daudé [Fri, 8 Dec 2023 11:35:25 +0000 (12:35 +0100)]
system/cpu-timers: Introduce ICountMode enumerator

Rather than having to look up what the 0, 1, 2, ...
icount values are, use an enum definition.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20231208113529.74067-4-philmd@linaro.org>

3 months ago system/cpu-timers: Have icount_configure() return a boolean
Philippe Mathieu-Daudé [Fri, 8 Dec 2023 11:35:23 +0000 (12:35 +0100)]
system/cpu-timers: Have icount_configure() return a boolean

Following the example documented since commit e3fe3988d7 ("error:
Document Error API usage rules"), have icount_configure()
return a boolean indicating whether an error is set or not.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231208113529.74067-2-philmd@linaro.org>

3 months ago target/alpha: Only build sys_helper.c on system emulation
Philippe Mathieu-Daudé [Thu, 7 Dec 2023 10:48:39 +0000 (11:48 +0100)]
target/alpha: Only build sys_helper.c on system emulation

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20231207105426.49339-3-philmd@linaro.org>

3 months ago target/alpha: Extract clk_helper.c from sys_helper.c
Philippe Mathieu-Daudé [Thu, 7 Dec 2023 10:45:49 +0000 (11:45 +0100)]
target/alpha: Extract clk_helper.c from sys_helper.c

Except helper_load_pcc(), all helpers from sys_helper.c
are system-emulation specific. In preparation of restricting
sys_helper.c to system emulation, extract helper_load_pcc()
to clk_helper.c.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20231207105426.49339-2-philmd@linaro.org>

3 months ago accel/tcg: Remove tb_invalidate_phys_page() from system emulation
Philippe Mathieu-Daudé [Thu, 30 Nov 2023 20:53:13 +0000 (21:53 +0100)]
accel/tcg: Remove tb_invalidate_phys_page() from system emulation

Since previous commit, tb_invalidate_phys_page() is not used
anymore in system emulation. Make it static for user emulation
and remove its public declaration in "exec/translate-all.h".

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20231130205600.35727-1-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
3 months ago accel/tcg: Remove unused tb_invalidate_phys_addr()
Philippe Mathieu-Daudé [Thu, 30 Nov 2023 20:20:36 +0000 (21:20 +0100)]
accel/tcg: Remove unused tb_invalidate_phys_addr()

Commit e3f7c801f1 introduced the TCGCPUOps::debug_check_breakpoint()
handler, and commit 10c37828b2 "moved breakpoint recognition outside
of translation", so "we no longer need to flush any TBs when changing
BPs".

The last target using tb_invalidate_phys_addr() was converted to the
debug_check_breakpoint(), so this function is now unused. Remove it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20231130203241.31099-1-philmd@linaro.org>

3 months ago tests/tcg/xtensa: add icount/ibreak priority test
Max Filippov [Thu, 30 Nov 2023 17:19:20 +0000 (09:19 -0800)]
tests/tcg/xtensa: add icount/ibreak priority test

When icount and ibreak exceptions are due to happen on the same address
icount has higher precedence.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20231130171920.3798954-3-jcmvbkbc@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago target/xtensa: use generic instruction breakpoint infrastructure
Max Filippov [Thu, 30 Nov 2023 17:19:19 +0000 (09:19 -0800)]
target/xtensa: use generic instruction breakpoint infrastructure

Don't embed ibreak exception generation into TB and don't invalidate TB
on ibreak address change. Add CPUBreakpoint pointers to xtensa
CPUArchState, use cpu_breakpoint_insert/cpu_breakpoint_remove_by_ref to
manage ibreak breakpoints and provide TCGCPUOps::debug_check_breakpoint
callback that recognizes valid instruction breakpoints.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20231130171920.3798954-2-jcmvbkbc@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago accel: Do not set CPUState::can_do_io in non-TCG accels
Philippe Mathieu-Daudé [Wed, 29 Nov 2023 15:42:01 +0000 (16:42 +0100)]
accel: Do not set CPUState::can_do_io in non-TCG accels

'can_do_io' is specific to TCG. It was added to other
accelerators in 626cf8f4c6 ("icount: set can_do_io outside
TB execution"), then likely copy/pasted in commit c97d6d2cdf
("i386: hvf: add code base from Google's QEMU repository").
Having it set in non-TCG code is confusing, so remove it from
QTest / HVF / KVM.

Fixes: 626cf8f4c6 ("icount: set can_do_io outside TB execution")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20231129205037.16849-1-philmd@linaro.org>

3 months ago accel: Do not set CPUState::tcg_cflags in non-TCG accels
Philippe Mathieu-Daudé [Tue, 28 Nov 2023 07:15:16 +0000 (08:15 +0100)]
accel: Do not set CPUState::tcg_cflags in non-TCG accels

'tcg_cflags' is specific to TCG.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20231130075958.21285-1-philmd@linaro.org>

3 months ago backends/cryptodev: Do not ignore throttle/backends Errors
Philippe Mathieu-Daudé [Mon, 20 Nov 2023 14:54:16 +0000 (15:54 +0100)]
backends/cryptodev: Do not ignore throttle/backends Errors

Both cryptodev_backend_set_throttle() and CryptoDevBackendClass::init()
can set their Error** argument. Do not ignore them, return early
on failure. Without that, running into another failure trips
error_setv()'s assertion. Use the ERRP_GUARD() macro as suggested
in commit ae7c80a7bd ("error: New macro ERRP_GUARD()").

Cc: qemu-stable@nongnu.org
Fixes: e7a775fd9f ("cryptodev: Account statistics")
Fixes: 2580b452ff ("cryptodev: support QoS")
Reviewed-by: zhenwei pi <pizhenwei@bytedance.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20231120150418.93443-1-philmd@linaro.org>

3 months ago hw/timer/hpet: Convert DPRINTF to trace events
Daniel Hoffman [Sat, 18 Nov 2023 23:11:29 +0000 (15:11 -0800)]
hw/timer/hpet: Convert DPRINTF to trace events

This conversion is pretty straight-forward. Standardized some formatting
so the +0 and +4 offset cases can recycle the same message.

Signed-off-by: Daniel Hoffman <dhoff749@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231118231129.2840388-1-dhoff749@gmail.com>
[PMD: Fixed few string formats]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago tests/vm/netbsd: Remove missing py311-expat package
Philippe Mathieu-Daudé [Wed, 17 Jan 2024 14:07:46 +0000 (15:07 +0100)]
tests/vm/netbsd: Remove missing py311-expat package

Since the pkgsrc-2023Q3 release [*], the py-expat package has been
merged into the base 'python' package:

 - Several packages have been folded into base packages.  While the
   result is simpler, those updating may need to force-remove the
   secondary packages, depending on the update method.  When doing
   make replace, one has to pkg_delete -f the secondary packages.
   pkgin handles at least the python packages correctly, removing the
   split package when updating python.  Specific packages and the
   former packages now included:

     * cairo: cairo-gobject
     * python: py-cElementTree py-curses py-cursespanel py-expat
       py-readline py-sqlite3

Remove py311-expat from the package list in order to avoid:

  ### Installing packages ...
  processing remote summary (http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/9.3/All)...
  database for http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/9.3/All is up-to-date
  py311-expat is not available in the repository
  ...
  calculating dependencies.../py311-expat is not available in the repository
  pkg_install error log can be found in /var/db/pkgin/pkg_install-err.log

[*] https://mail-index.netbsd.org/netbsd-announce/2024/01/01/msg000360.html

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2109
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240117140746.23511-1-philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago cli: Remove deprecated '-singlestep' command line option
Philippe Mathieu-Daudé [Wed, 17 Jan 2024 15:14:30 +0000 (16:14 +0100)]
cli: Remove deprecated '-singlestep' command line option

This option has been deprecated before the 8.1 release,
in commit 12fd0f41d0 ("Document that -singlestep command
line option is deprecated"). Time to drop it.

Inspired-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240117151430.29235-4-philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hmp: Remove deprecated 'singlestep' command
Philippe Mathieu-Daudé [Wed, 17 Jan 2024 15:14:29 +0000 (16:14 +0100)]
hmp: Remove deprecated 'singlestep' command

This command has been deprecated before the 8.1 release,
in commit e9ccfdd91d ("hmp: Add 'one-insn-per-tb' command
equivalent to 'singlestep'"). Time to drop it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: "Dr. David Alan Gilbert" <dave@treblig.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240117151430.29235-3-philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qapi: Remove deprecated 'singlestep' member of StatusInfo
Philippe Mathieu-Daudé [Wed, 17 Jan 2024 15:14:28 +0000 (16:14 +0100)]
qapi: Remove deprecated 'singlestep' member of StatusInfo

This member has been deprecated before the 8.1 release, in commit
34c18203d4 ("qmp: Deprecate 'singlestep' member of StatusInfo").
Time to drop it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240117151430.29235-2-philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qemu-options: Remove the deprecated -chroot option
Thomas Huth [Thu, 18 Jan 2024 10:37:59 +0000 (11:37 +0100)]
qemu-options: Remove the deprecated -chroot option

It's been marked as deprecated since QEMU 8.1, so it should be fine
to remove this now.

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240118103759.130748-5-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qemu-options: Remove the deprecated -async-teardown option
Thomas Huth [Thu, 18 Jan 2024 10:37:58 +0000 (11:37 +0100)]
qemu-options: Remove the deprecated -async-teardown option

It's been marked as deprecated since QEMU 8.1 (and was only available
since QEMU 8.0 anyway), so it should be fine to remove this now.

Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240118103759.130748-4-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qemu-options: Remove the deprecated -no-acpi option
Thomas Huth [Thu, 18 Jan 2024 10:37:57 +0000 (11:37 +0100)]
qemu-options: Remove the deprecated -no-acpi option

It's been marked as deprecated since QEMU 8.0, so it should be fine
to remove this now.

Message-ID: <20240118103759.130748-3-thuth@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qemu-options: Remove the deprecated -no-hpet option
Thomas Huth [Thu, 18 Jan 2024 10:37:56 +0000 (11:37 +0100)]
qemu-options: Remove the deprecated -no-hpet option

It's been marked as deprecated since QEMU 8.0, so it should be fine
to remove this now.

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240118103759.130748-2-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago s390x/pci: drive ISM reset from subsystem reset
Matthew Rosato [Thu, 18 Jan 2024 18:51:51 +0000 (13:51 -0500)]
s390x/pci: drive ISM reset from subsystem reset

ISM devices are sensitive to manipulation of the IOMMU, so the ISM device
needs to be reset before the vfio-pci device is reset (triggering a full
UNMAP).  In order to ensure this occurs, trigger ISM device resets from
subsystem_reset before triggering the PCI bus reset (which will also
trigger vfio-pci reset).  This only needs to be done for ISM devices
which were enabled for use by the guest.
Further, ensure that AIF is disabled as part of the reset event.

Fixes: ef1535901a ("s390x: do a subsystem reset before the unprotect on reboot")
Fixes: 03451953c7 ("s390x/pci: reset ISM passthrough devices on shutdown and system reset")
Reported-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20240118185151.265329-4-mjrosato@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago s390x/pci: refresh fh before disabling aif
Matthew Rosato [Thu, 18 Jan 2024 18:51:50 +0000 (13:51 -0500)]
s390x/pci: refresh fh before disabling aif

Typically we refresh the host fh during CLP enable, however it's possible
that the device goes through multiple reset events before the guest
performs another CLP enable.  Let's handle this for now by refreshing the
host handle from vfio before disabling aif.

Fixes: 03451953c7 ("s390x/pci: reset ISM passthrough devices on shutdown and system reset")
Reported-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20240118185151.265329-3-mjrosato@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago s390x/pci: avoid double enable/disable of aif
Matthew Rosato [Thu, 18 Jan 2024 18:51:49 +0000 (13:51 -0500)]
s390x/pci: avoid double enable/disable of aif

Use a flag to keep track of whether AIF is currently enabled.  This can be
used to avoid enabling/disabling AIF multiple times as well as to determine
whether or not it should be disabled during reset processing.

Fixes: d0bc7091c2 ("s390x/pci: enable adapter event notification for interpreted devices")
Reported-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20240118185151.265329-2-mjrosato@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago Merge tag 'pull-target-arm-20240118' of https://git.linaro.org/people/pmaydell/qemu...
Peter Maydell [Thu, 18 Jan 2024 12:48:17 +0000 (12:48 +0000)]
Merge tag 'pull-target-arm-20240118' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * docs/devel/docs: Document .hx file syntax
 * arm_pamax() no longer needs to do feature propagation
 * docs/system/arm/virt.rst: Improve 'highmem' option docs
 * STM32L4x5 Implement SYSCFG and EXTI devices
 * hw/timer: fix systick trace message
 * hw/arm/virt: Consolidate valid CPU types
 * load_elf: fix iterator's type for elf file processing

# gpg: Signature made Thu 18 Jan 2024 12:42:54 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20240118' of https://git.linaro.org/people/pmaydell/qemu-arm:
  load_elf: fix iterator's type for elf file processing
  hw/arm/virt: Consolidate valid CPU types
  hw/timer: fix systick trace message
  tests/qtest: Add STM32L4x5 SYSCFG QTest testcase
  hw/arm: Connect STM32L4x5 SYSCFG to STM32L4x5 SoC
  hw/misc: Implement STM32L4x5 SYSCFG
  tests/qtest: Add STM32L4x5 EXTI QTest testcase
  hw/arm: Connect STM32L4x5 EXTI to STM32L4x5 SoC
  hw/misc: Implement STM32L4x5 EXTI
  docs/system/arm/virt.rst: Improve 'highmem' option docs
  target/arm: arm_pamax() no longer needs to do feature propagation
  docs/devel/docs: Document .hx file syntax

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'pull-request-2024-01-16' of https://gitlab.com/thuth/qemu into staging
Peter Maydell [Thu, 18 Jan 2024 12:47:45 +0000 (12:47 +0000)]
Merge tag 'pull-request-2024-01-16' of https://gitlab.com/thuth/qemu into staging

* Improve the timeouts for some problematic qtests
* Enable some ROP mitigation compiler switches

# gpg: Signature made Tue 16 Jan 2024 07:45:57 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2024-01-16' of https://gitlab.com/thuth/qemu:
  meson: mitigate against use of uninitialize stack for exploits
  meson: mitigate against ROP exploits with -fzero-call-used-regs
  qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutes
  tests/qtest/npcm7xx_watchdog_timer: Only test the corner cases by default
  tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago acpi/tests/avocado/bits: wait for 200 seconds for SHUTDOWN event from bits VM
Ani Sinha [Wed, 17 Jan 2024 04:25:56 +0000 (09:55 +0530)]
acpi/tests/avocado/bits: wait for 200 seconds for SHUTDOWN event from bits VM

By default, the timeout to receive any specified event from the QEMU VM is 60
seconds set by the python avocado test framework. Please see event_wait() and
events_wait() in python/qemu/machine/machine.py. If the matching event is not
triggered within that interval, an asyncio.TimeoutError is generated. Since the
timeout for the bits avocado test is 200 secs, we need to make event_wait()
timeout of the same value as well so that an early timeout is not triggered by
the avocado framework.

CC: peter.maydell@linaro.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2077
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20240117042556.3360190-1-anisinha@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago load_elf: fix iterator's type for elf file processing
Anastasia Belova [Mon, 15 Jan 2024 09:22:16 +0000 (12:22 +0300)]
load_elf: fix iterator's type for elf file processing

j is used while loading an ELF file to byteswap segments'
data. If data is larger than 2GB an overflow may happen.
So j should be elf_word.

This commit fixes a minor bug: it's unlikely anybody is trying to
load ELF files with 2GB+ segments for wrong-endianness targets,
but if they did, it wouldn't work correctly.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: qemu-stable@nongnu.org
Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago hw/arm/virt: Consolidate valid CPU types
Gavin Shan [Thu, 11 Jan 2024 05:10:54 +0000 (15:10 +1000)]
hw/arm/virt: Consolidate valid CPU types

It's found that some of the CPU type names in the array of valid
CPU types are invalid because their corresponding classes aren't
registered, as reported by Peter Maydell.

[gshan@gshan build]$ ./qemu-system-arm -machine virt -cpu cortex-a9
qemu-system-arm: Invalid CPU model: cortex-a9
The valid models are: cortex-a7, cortex-a15, (null), (null), (null),
(null), (null), (null), (null), (null), (null), (null), (null), max

Fix it by consolidating the array of valid CPU types. After it's
applied, we have the following output when TCG is enabled.

[gshan@gshan build]$ ./qemu-system-arm -machine virt -cpu cortex-a9
qemu-system-arm: Invalid CPU model: cortex-a9
The valid models are: cortex-a7, cortex-a15, max

[gshan@gshan build]$ ./qemu-system-aarch64 -machine virt -cpu cortex-a9
qemu-system-aarch64: Invalid CPU model: cortex-a9
The valid models are: cortex-a7, cortex-a15, cortex-a35, cortex-a55,
cortex-a72, cortex-a76, cortex-a710, a64fx, neoverse-n1, neoverse-v1,
neoverse-n2, cortex-a53, cortex-a57, max

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2084
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-id: 20240111051054.83304-1-gshan@redhat.com
Fixes: fa8c617791 ("hw/arm/virt: Check CPU type in machine_run_board_init()")
Signed-off-by: Gavin Shan <gshan@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago hw/timer: fix systick trace message
Samuel Tardieu [Tue, 9 Jan 2024 18:45:08 +0000 (19:45 +0100)]
hw/timer: fix systick trace message

Signed-off-by: Samuel Tardieu <sam@rfc1149.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20240109184508.3189599-1-sam@rfc1149.net
Fixes: ff68dacbc786 ("armv7m: Split systick out from NVIC")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago tests/tcg: Don't #include <inttypes.h> in aarch64/system/vtimer.c
Ilya Leoshkevich [Mon, 8 Jan 2024 12:50:00 +0000 (13:50 +0100)]
tests/tcg: Don't #include <inttypes.h> in aarch64/system/vtimer.c

make check-tcg fails on Fedora with:

    vtimer.c:9:10: fatal error: inttypes.h: No such file or directory

Fedora has a minimal aarch64 cross-compiler, which satisfies the
configure checks, so it's chosen instead of the dockerized one.
There is no cross-version of inttypes.h, however.

Fix by using stdint.h instead. The test does not require anything
from inttypes.h anyway.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-ID: <20240108125030.58569-1-iii@linux.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago qemu/osdep: Add huge page aligned support on LoongArch platform
Bibo Mao [Mon, 15 Jan 2024 07:32:44 +0000 (15:32 +0800)]
qemu/osdep: Add huge page aligned support on LoongArch platform

On LoongArch kvm mode if transparent huge page wants to be enabled, base
address and size of memslot from both HVA and GPA view. And LoongArch
supports both 4K and 16K page size with Linux kernel, so transparent huge
page size is calculated from real page size rather than hardcoded size.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20240115073244.174155-1-maobibo@loongson.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago remove unnecessary casts from uintptr_t
Paolo Bonzini [Wed, 13 Dec 2023 18:32:45 +0000 (19:32 +0100)]
remove unnecessary casts from uintptr_t

uintptr_t, or unsigned long which is equivalent on Linux I32LP64 systems,
is an unsigned type and there is no need to further cast to __u64 which is
another unsigned integer type; widening casts from unsigned integers
zero-extend the value.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago target/i386: pcrel: store low bits of physical address in data[0]
Paolo Bonzini [Wed, 17 Jan 2024 15:27:42 +0000 (16:27 +0100)]
target/i386: pcrel: store low bits of physical address in data[0]

For PC-relative translation blocks, env->eip changes during the
execution of a translation block. Therefore, QEMU must be able to
recover an instruction's PC just from the TranslationBlock struct and
the instruction data with.  Because a TB will not span two pages, QEMU
stores all the low bits of EIP in the instruction data and replaces them
in x86_restore_state_to_opc.  Bits 12 and higher (which may vary between
executions of a PCREL TB, since these only use the physical address in
the hash key) are kept unmodified from env->eip.  The assumption is that
these bits of EIP, unlike bits 0-11, will not change as the translation
block executes.

Unfortunately, this is incorrect when the CS base is not aligned to a page.
Then the linear address of the instructions (i.e. the one with the
CS base added) indeed will never span two pages, but bits 12+ of EIP
can actually change.  For example, if CS base is 0x80262200 and EIP =
0x6FF4, the first instruction in the translation block will be at linear
address 0x802691F4.  Even a very small TB will cross to EIP = 0x7xxx,
while the linear addresses will remain comfortably within a single page.

The fix is simply to use the low bits of the linear address for data[0],
since those don't change.  Then x86_restore_state_to_opc uses tb->cs_base
to compute a temporary linear address (referring to some unknown
instruction in the TB, but with the correct values of bits 12 and higher);
the low bits are replaced with data[0], and EIP is obtained by subtracting
again the CS base.

Huge thanks to Mark Cave-Ayland for the image and initial debugging,
and to Gitlab user @kjliew for help with bisecting another occurrence
of (hopefully!) the same bug.

It should be relatively easy to write a testcase that performs MMIO on
an EIP with different bits 12+ than the first instruction of the translation
block; any help is welcome.

Fixes: e3a79e0e878 ("target/i386: Enable TARGET_TB_PCREL", 2022-10-11)
Cc: qemu-stable@nongnu.org
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: Richard Henderson <richard.henderson@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1759
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1964
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2012
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
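
The two restore schemes from the commit message above, run on its own numbers (CS base 0x80262200, TB starting at EIP 0x6FF4). This is an added example, not code from the commit or from QEMU: the helper names are hypothetical, and it assumes the stale env->eip seen at restore time is the TB's first EIP and that instruction offsets within a 64-byte TB are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_OFFSET_MASK 0xFFFu               /* bits 0-11 */
#define PAGE_MASK        (~PAGE_OFFSET_MASK)  /* bits 12 and higher */

/* Pre-fix scheme: data[0] holds the low 12 bits of EIP. */
static uint32_t record_eip_low(uint32_t insn_eip)
{
    return insn_eip & PAGE_OFFSET_MASK;
}

/* Pre-fix restore: keep bits 12+ of the stale env->eip, patch in data[0]. */
static uint32_t restore_from_eip_low(uint32_t env_eip, uint32_t data0)
{
    return (env_eip & PAGE_MASK) | data0;
}

/* Post-fix scheme: data[0] holds the low 12 bits of the linear address. */
static uint32_t record_linear_low(uint32_t insn_eip, uint32_t cs_base)
{
    return (insn_eip + cs_base) & PAGE_OFFSET_MASK;
}

/*
 * Post-fix restore: build a temporary linear address from the stale EIP
 * (right page, wrong offset), patch in data[0], subtract the CS base again.
 */
static uint32_t restore_from_linear_low(uint32_t env_eip, uint32_t cs_base,
                                        uint32_t data0)
{
    uint32_t linear = env_eip + cs_base;
    linear = (linear & PAGE_MASK) | data0;
    return linear - cs_base;
}

/* A TB never spans two pages of *linear* address space. */
static int tb_within_one_page(uint32_t cs_base, uint32_t tb_eip,
                              uint32_t tb_len)
{
    uint32_t first = tb_eip + cs_base;
    uint32_t last = first + tb_len - 1;
    return (first & PAGE_MASK) == (last & PAGE_MASK);
}

/*
 * Treat every byte offset in the TB as a possible instruction start and
 * count how many of them restore to the wrong EIP.  env->eip is assumed
 * to still hold the TB's first EIP (constructed assumption).
 */
static unsigned count_wrong_restores(uint32_t cs_base, uint32_t tb_eip,
                                     uint32_t tb_len, int use_linear)
{
    unsigned wrong = 0;
    for (uint32_t off = 0; off < tb_len; off++) {
        uint32_t insn_eip = tb_eip + off;
        uint32_t got = use_linear
            ? restore_from_linear_low(tb_eip, cs_base,
                                      record_linear_low(insn_eip, cs_base))
            : restore_from_eip_low(tb_eip, record_eip_low(insn_eip));
        if (got != insn_eip) {
            wrong++;
        }
    }
    return wrong;
}

int main(void)
{
    const uint32_t cs_base = 0x80262200u;  /* from the commit message */
    const uint32_t tb_eip = 0x6FF4u;       /* from the commit message */
    const uint32_t insn_eip = 0x7002u;     /* constructed: 14 bytes into the TB */

    printf("TB in one linear page: %d\n",
           tb_within_one_page(cs_base, tb_eip, 64));
    printf("EIP-low restore:    0x%X\n",
           restore_from_eip_low(tb_eip, record_eip_low(insn_eip)));
    printf("linear-low restore: 0x%X\n",
           restore_from_linear_low(tb_eip, cs_base,
                                   record_linear_low(insn_eip, cs_base)));
    printf("wrong restores (EIP-low / linear-low): %u / %u\n",
           count_wrong_restores(cs_base, tb_eip, 64, 0),
           count_wrong_restores(cs_base, tb_eip, 64, 1));
    return 0;
}
```

With a page-aligned CS base the two schemes agree, which is why the problem only shows up with bases such as 0x80262200.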
3 months ago target/i386: fix incorrect EIP in PC-relative translation blocks
guoguangyao [Mon, 15 Jan 2024 02:08:04 +0000 (10:08 +0800)]
target/i386: fix incorrect EIP in PC-relative translation blocks

The PCREL patches introduced a bug when updating EIP in the !CF_PCREL case.
Using s->pc in func gen_update_eip_next() solves the problem.

Cc: qemu-stable@nongnu.org
Fixes: b5e0d5d22fbf ("target/i386: Fix 32-bit wrapping of pc/eip computation")
Signed-off-by: guoguangyao <guoguangyao18@mails.ucas.ac.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20240115020804.30272-1-guoguangyao18@mails.ucas.ac.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago target/i386: Do not re-compute new pc with CF_PCREL
Richard Henderson [Mon, 1 Jan 2024 23:06:17 +0000 (10:06 +1100)]
target/i386: Do not re-compute new pc with CF_PCREL

With PCREL, we have a page-relative view of EIP, and an
approximation of PC = EIP+CSBASE that is good enough to
detect page crossings.  If we try to recompute PC after
masking EIP, we will mess up that approximation and write
a corrupt value to EIP.

We already handled masking properly for PCREL, so the
fix in b5e0d5d2 was only needed for the !PCREL path.

Cc: qemu-stable@nongnu.org
Fixes: b5e0d5d22fbf ("target/i386: Fix 32-bit wrapping of pc/eip computation")
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20240101230617.129349-1-richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago io_uring: move LuringState typedef to block/aio.h
Paolo Bonzini [Mon, 12 Jul 2021 13:10:10 +0000 (15:10 +0200)]
io_uring: move LuringState typedef to block/aio.h

The LuringState typedef is defined twice, in include/block/raw-aio.h and
block/io_uring.c.  Move it to include/block/aio.h, which is included
everywhere the typedef is needed, since include/block/aio.h already has
to define the forward reference to the struct.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago Add class property to configure KVM device node to use
Daan De Meyer [Sat, 21 Oct 2023 13:40:15 +0000 (15:40 +0200)]
Add class property to configure KVM device node to use

This allows passing the KVM device node to use as a file
descriptor via /dev/fdset/XX. Passing the device node to
use as a file descriptor allows running qemu unprivileged
even when the user running qemu is not in the kvm group
on distributions where access to /dev/kvm is gated behind
membership of the kvm group (as long as the process invoking
qemu is able to open /dev/kvm and passes the file descriptor
to qemu).

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
Message-ID: <20231021134015.1119597-1-daan.j.demeyer@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: sort-of implement word and double-word access modes
Paolo Bonzini [Mon, 29 Dec 2014 13:56:24 +0000 (14:56 +0100)]
vga: sort-of implement word and double-word access modes

Jazz Jackrabbit has a very unusual VGA setup, where it uses odd/even mode
with 256-color graphics.  Probably, it wants to use fast VRAM-to-VRAM
copies without having to store 4 copies of the sprites as needed in mode
X, one for each mod-4 alignment; odd/even mode simplifies the code a
lot if it's okay to place on a 160-pixels horizontal grid.

At the same time, because it wants to use double buffering (a la "mode X")
it uses byte mode, not word mode as is the case in text modes.  In order
to implement the combination of odd/even mode (plane number comes from
bit 0 of the address) and byte mode (use all bytes of VRAM, whereas word
mode only uses bytes 0, 2, 4,... on each of the four planes), we need
to separate the effect on the plane number from the effect on the address.

Implementing the modes properly is a mess in QEMU, because it would
change the layout of VRAM and break migration.  As an approximation,
shift right when the CPU accesses memory instead of shifting left when
the CRT controller reads it.  A hack is needed in order to write font data
properly (see comment in the code), but it works well enough for the game.

Because doubleword and chain4 modes are now independent, chain4 does not
assert anymore that the address is in range.  Instead it just returns
all ones and discards writes, like other modes.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: use latches in odd/even mode too
Paolo Bonzini [Tue, 30 Dec 2014 21:42:06 +0000 (22:42 +0100)]
vga: use latches in odd/even mode too

Jazz Jackrabbit uses odd/even mode with 256-color graphics.  This is
probably so that it can do very fast blitting with a decent resolution
(two pixels, compared to four pixels for "regular" mode X).

Accesses still use all planes (reads go to the latches and the game uses
read mode 1 so that the CPU always gets 0xFF; writes use the plane mask
register because the game sets bit 2 of the sequencer's memory mode
register).  For this to work, QEMU needs to use the code for latched
memory accesses in odd/even mode.  The only difference between odd/even
mode and "regular" planar mode is how the plane is computed in read mode
0, and how the planes are masked if the aforementioned bit 2 is reset.

It is almost enough to fix the game.  You also need to honor byte/word
mode selection, which is done in the next patch.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: reindent memory access code
Paolo Bonzini [Tue, 30 Dec 2014 21:41:24 +0000 (22:41 +0100)]
vga: reindent memory access code

The next patch will reuse latched memory access in text modes.  Start with
a patch that moves the latched access code out of the "if".

Best reviewed with "git diff -b".

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: optimize horizontal pel panning in 256-color modes
Paolo Bonzini [Mon, 29 Dec 2014 13:46:59 +0000 (14:46 +0100)]
vga: optimize horizontal pel panning in 256-color modes

Do not go through the panning buffer unless the address wraps in the middle
of the line.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: implement horizontal pel panning in graphics modes
Paolo Bonzini [Mon, 29 Dec 2014 13:48:14 +0000 (14:48 +0100)]
vga: implement horizontal pel panning in graphics modes

This implements smooth scrolling, as used for example by Commander Keen
and Second Reality.

Unfortunately, this is not enough to avoid tearing in Commander Keen,
because sometimes the wrong start address is used for a frame.
On real EGA, the panning register is sampled on every line, while
the display start is latched for the next frame at the start of the
vertical retrace.  On real VGA, the panning register is also latched,
but at the end of the vertical retrace.  It looks like Keen exploits
this by only waiting for horizontal retrace when setting the display
start, but implementing it breaks the 256-color Keen games...

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: mask addresses in non-VESA modes to 256k
Paolo Bonzini [Mon, 29 Dec 2014 13:43:42 +0000 (14:43 +0100)]
vga: mask addresses in non-VESA modes to 256k

This allows setting the start address to a high value, and reading the
bottom of the screen from the beginning of VRAM.  Commander Keen 4
("Goodbye, Galaxy!") relies on this behavior.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: introduce VGADisplayParams
Paolo Bonzini [Fri, 9 Jan 2015 09:47:33 +0000 (10:47 +0100)]
vga: introduce VGADisplayParams

The next patches will introduce more parameters that cause a full
refresh.  Instead of adding arguments to get_offsets and lines to
update_basic_params, do everything through a struct.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago vga: use common endian swap macros
Paolo Bonzini [Mon, 29 Dec 2014 13:38:48 +0000 (14:38 +0100)]
vga: use common endian swap macros

The constant-expression bswap is provided by const_le32(), and GET_PLANE()
can also be implemented using cpu_to_le32().  Remove the custom macros in
vga.c.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago Merge tag 'hppa-fixes-8.2-pull-request' of https://github.com/hdeller/qemu-hppa into...
Peter Maydell [Tue, 16 Jan 2024 14:24:42 +0000 (14:24 +0000)]
Merge tag 'hppa-fixes-8.2-pull-request' of https://github.com/hdeller/qemu-hppa into staging

target/hppa qemu v8.2 regression fixes

There were some regressions introduced with Qemu v8.2 on the hppa/hppa64
target, e.g.:

- 32-bit HP-UX crashes on B160L (32-bit) machine
- NetBSD boot failure due to power button in page zero
- NetBSD FPU detection failure
- OpenBSD 7.4 boot failure

This patch series fixes those known regressions and additionally:

- allows usage of the max. 3840MB of memory (instead of 3GB),
- adds support for the qemu --nodefaults option (to debug other devices)

This patch set will not fix those known (non-regression) bugs:
- HP-UX and NetBSD still fail to boot on the new 64-bit C3700 machine
- Linux kernel will still fail to boot on C3700 as long as kernel modules are used.

Changes v2->v3:
- Added comment about Figures H-10 and H-11 in the parisc2.0 spec
  in patch which calculates PDC address translation if PSW.W=0
- Introduce and use hppa_set_ior_and_isr()
- Use drive_get_max_bus(IF_SCSI), nd_table[] and serial_hd() to check
  if default devices should be created
- Added Tested-by and Reviewed-by tags

Changes v1->v2:
- fix OpenBSD boot with SeaBIOS v15 instead of v14
- commit message enhancements suggested by BALATON Zoltan
- use uint64_t for ram_max in patch #1

# gpg: Signature made Sat 13 Jan 2024 05:57:17 GMT
# gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg:                 aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
#      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F

* tag 'hppa-fixes-8.2-pull-request' of https://github.com/hdeller/qemu-hppa:
  target/hppa: Update SeaBIOS-hppa to version 15
  target/hppa: Fix IOR and ISR on error in probe
  target/hppa: Fix IOR and ISR on unaligned access trap
  target/hppa: Export function hppa_set_ior_and_isr()
  target/hppa: Avoid accessing %gr0 when raising exception
  hw/hppa: Move software power button address back into PDC
  target/hppa: Fix PDC address translation on PA2.0 with PSW.W=0
  hw/pci-host/astro: Add missing astro & elroy registers for NetBSD
  hw/hppa/machine: Disable default devices with --nodefaults option
  hw/hppa/machine: Allow up to 3840 MB total memory

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'migration-20240116-pull-request' of https://gitlab.com/peterx/qemu into...
Peter Maydell [Tue, 16 Jan 2024 14:24:26 +0000 (14:24 +0000)]
Merge tag 'migration-20240116-pull-request' of https://gitlab.com/peterx/qemu into staging

Migration pull request 2nd batch for 9.0

- Het's cleanup on migration qmp command paths
- Fabiano's migration cleanups and test improvements
- Fabiano's patch to re-enable multifd-cancel test
- Peter's migration doc reorganizations
- Nick Briggs's fix for Solaris build on rdma

# gpg: Signature made Tue 16 Jan 2024 03:17:18 GMT
# gpg:                using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg:                issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal]
# gpg:                 aka "Peter Xu <peterx@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D  D1A9 3B5F CCCD F3AB D706

* tag 'migration-20240116-pull-request' of https://gitlab.com/peterx/qemu:
  migration/rdma: define htonll/ntohll only if not predefined
  docs/migration: Further move virtio to be feature of migration
  docs/migration: Further move vfio to be feature of migration
  docs/migration: Organize "Postcopy" page
  docs/migration: Split "dirty limit"
  docs/migration: Split "Postcopy"
  docs/migration: Split "Debugging" and "Firmware"
  docs/migration: Split "Backwards compatibility" separately
  docs/migration: Convert virtio.txt into rST
  docs/migration: Create index page
  docs/migration: Create migration/ directory
  tests/qtest: Re-enable multifd cancel test
  tests/qtest/migration: Use the new migration_test_add
  tests/qtest/migration: Add a wrapper to print test names
  tests/qtest/migration: Print migration incoming errors
  migration: Report error in incoming migration
  migration/multifd: Change multifd_pages_init argument
  migration/multifd: Remove QEMUFile from where it is not needed
  migration/multifd: Remove MultiFDPages_t::packet_num
  migration: Simplify initial conditionals in migration for better readability

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago meson: mitigate against use of uninitialize stack for exploits
Daniel P. Berrangé [Wed, 3 Jan 2024 12:34:14 +0000 (12:34 +0000)]
meson: mitigate against use of uninitialize stack for exploits

When variables are used without being initialized, there is potential
to take advantage of data that was pre-existing on the stack from an
earlier call, to drive an exploit.

It is good practice to always initialize variables, and the compiler
can warn about flaws when -Wuninitialized is present. This warning,
however, is by no means foolproof with its output varying depending
on compiler version and which optimizations are enabled.

The -ftrivial-auto-var-init option can be used to tell the compiler
to always initialize all variables. This increases the security and
predictability of the program, closing off certain attack vectors,
reducing the risk of unsafe memory disclosure.

While the option takes several possible values, using 'zero' is
considered to be the option that is likely to lead to semantically
correct or safe behaviour[1]. e.g. sizes/indexes are not likely to
lead to out-of-bounds accesses when initialized to zero. Pointers
are less likely to point something useful if initialized to zero.

Even with -ftrivial-auto-var-init=zero set, GCC will still issue
warnings with -Wuninitialized if it discovers a problem, so we are
not losing diagnostics for developers, just hardening runtime
behaviour and making QEMU behave more predictably in case of hitting
bad codepaths.

[1] https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html

Signed-off-by: "Daniel P. Berrangé" <berrange@redhat.com>
Message-ID: <20240103123414.2401208-3-berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago meson: mitigate against ROP exploits with -fzero-call-used-regs
Daniel P. Berrangé [Wed, 3 Jan 2024 12:34:13 +0000 (12:34 +0000)]
meson: mitigate against ROP exploits with -fzero-call-used-regs

To quote Wikipedia:

  "Return-oriented programming (ROP) is a computer security exploit
   technique that allows an attacker to execute code in the presence
   of security defenses such as executable space protection and code
   signing.

   In this technique, an attacker gains control of the call stack to
   hijack program control flow and then executes carefully chosen
   machine instruction sequences that are already present in the
   machine's memory, called "gadgets". Each gadget typically ends in
   a return instruction and is located in a subroutine within the
   existing program and/or shared library code. Chained together,
   these gadgets allow an attacker to perform arbitrary operations
   on a machine employing defenses that thwart simpler attacks."

QEMU is by no means perfect with an ever growing set of CVEs from
flawed hardware device emulation, which could potentially be
exploited using ROP techniques.

Since GCC 11 there has been a compiler option that can mitigate
against this exploit technique:

    -fzero-call-used-regs

To understand it refer to these two resources:

   https://www.jerkeby.se/newsletter/posts/rop-reduction-zero-call-user-regs/
   https://gcc.gnu.org/pipermail/gcc-patches/2020-August/552262.html

I used two programs to scan qemu-system-x86_64 for ROP gadgets:

  https://github.com/0vercl0k/rp
  https://github.com/JonathanSalwan/ROPgadget

When asked to find 8 byte gadgets, the 'rp' tool reports:

  A total of 440278 gadgets found.
  You decided to keep only the unique ones, 156143 unique gadgets found.

While the ROPgadget tool reports:

  Unique gadgets found: 353122

With the --ropchain argument, the latter attempts to use the found
gadgets to produce a chain that can execute arbitrary syscalls. With
current QEMU it succeeds in this task, which is an undesirable
situation.

With QEMU modified to use -fzero-call-used-regs=used-gpr the 'rp' tool
reports

  A total of 528991 gadgets found.
  You decided to keep only the unique ones, 121128 unique gadgets found.

This is 22% fewer unique gadgets.

While the ROPgadget tool reports:

  Unique gadgets found: 328605

This is 7% fewer unique gadgets. Crucially though, despite this more
modest reduction, the ROPgadget tool is no longer able to identify a
chain of gadgets for executing arbitrary syscalls. It fails at the
very first step, unable to find gadgets for populating registers for
a future syscall. Having said that, more advanced tools do still
manage to put together a viable ROP chain.

Also this only takes into account QEMU code. QEMU links to many 3rd
party shared libraries and ideally all of them would be compiled with
this same hardening. That becomes a distro policy question though.

In terms of performance impact, TCG was used as an evaluation test
case. We're not interested in protecting TCG since it isn't designed
to provide a security barrier, but it is performance sensitive code,
so useful as a guide to how other areas of QEMU might be impacted.
With the -fzero-call-used-regs=used-gpr argument present, using the
real world test of booting a linux kernel and having init immediately
poweroff, there is a ~1% slow down in performance under TCG. The QEMU
binary size also grows by approximately 1%.

By comparison, using the more aggressive -fzero-call-used-regs=all,
results in a slowdown of over 25% in TCG, which is clearly not an
acceptable impact, and a binary size increase of 5%.

Considering that 'used-gpr' successfully stopped ROPgadget assembling
a chain, this more targeted protection is a justifiable hardening
/ performance tradeoff.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: "Daniel P. Berrangé" <berrange@redhat.com>
Message-ID: <20240103123414.2401208-2-berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutes
Thomas Huth [Fri, 12 Jan 2024 16:47:17 +0000 (17:47 +0100)]
qtest: Bump npcm7xx_watchdog_timer-test timeout to 2 minutes

The npcm7xx_watchdog_timer-test can take more than 60 seconds in
SPEED=slow mode on a loaded host system.

Bumping to 2 minutes will give more headroom.

Message-ID: <20240112164717.1063954-1-thuth@redhat.com>
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago tests/qtest/npcm7xx_watchdog_timer: Only test the corner cases by default
Thomas Huth [Mon, 15 Jan 2024 07:02:23 +0000 (08:02 +0100)]
tests/qtest/npcm7xx_watchdog_timer: Only test the corner cases by default

The test_prescaler() part in the npcm7xx_watchdog_timer test is quite
repetitive, testing all possible combinations of the WTCLK and WTIS
bitfields. Since each test spins up a new instance of QEMU, this is
rather an expensive test, especially on loaded host systems.
For the normal quick test mode, it should be sufficient to test the
corner settings of these fields (i.e. 0 and 3), so we can speed up
this test in the default mode quite a bit.

Message-ID: <20240115070223.30178-1-thuth@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutes
Thomas Huth [Mon, 15 Jan 2024 07:11:46 +0000 (08:11 +0100)]
tests/qtest/meson.build: Bump the boot-serial-test timeout to 4 minutes

When running with TCI, the boot-serial-test can take longer than 3 minutes:

 https://gitlab.com/qemu-project/qemu/-/jobs/5890481086#L4774

Bump the timeout to 4 minutes to avoid CI failures here.

Message-ID: <20240115071146.31213-1-thuth@redhat.com>
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago migration/rdma: define htonll/ntohll only if not predefined
Nick Briggs [Thu, 11 Jan 2024 18:20:17 +0000 (13:20 -0500)]
migration/rdma: define htonll/ntohll only if not predefined

Solaris has #defines for htonll and ntohll which cause syntax errors
when compiling code that attempts to (re)define these functions.

Signed-off-by: Nick Briggs <nicholas.h.briggs@gmail.com>
Link: https://lore.kernel.org/r/65a04a7d.497ab3.3e7bef1f@gateway.sonic.net
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Further move virtio to be feature of migration
Peter Xu [Tue, 9 Jan 2024 06:46:28 +0000 (14:46 +0800)]
docs/migration: Further move virtio to be feature of migration

Move it one layer down, so taking Virtio-migration as a feature for
migration.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-11-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Further move vfio to be feature of migration
Peter Xu [Tue, 9 Jan 2024 06:46:27 +0000 (14:46 +0800)]
docs/migration: Further move vfio to be feature of migration

Move it one layer down, so taking VFIO-migration as a feature for
migration.

Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-10-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Organize "Postcopy" page
Peter Xu [Tue, 9 Jan 2024 06:46:26 +0000 (14:46 +0800)]
docs/migration: Organize "Postcopy" page

Reorganize the page, moving things around, and add a few
headlines ("Postcopy internals", "Postcopy features") to cover sub-areas.

Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-9-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Split "dirty limit"
Peter Xu [Tue, 9 Jan 2024 06:46:25 +0000 (14:46 +0800)]
docs/migration: Split "dirty limit"

Split that into a separate file, put under "features".

Cc: Yong Huang <yong.huang@smartx.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-8-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Split "Postcopy"
Peter Xu [Tue, 9 Jan 2024 06:46:24 +0000 (14:46 +0800)]
docs/migration: Split "Postcopy"

Split postcopy into a separate file.  Introduce a head page "features.rst"
to keep all the features on top of migration framework.

Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-7-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Split "Debugging" and "Firmware"
Peter Xu [Tue, 9 Jan 2024 06:46:23 +0000 (14:46 +0800)]
docs/migration: Split "Debugging" and "Firmware"

Move the two sections into a separate file called "best-practices.rst".
Add the entry into index.

Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-6-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Split "Backwards compatibility" separately
Peter Xu [Tue, 9 Jan 2024 06:46:22 +0000 (14:46 +0800)]
docs/migration: Split "Backwards compatibility" separately

Split the section from main.rst into a separate file.  Reference it in the
index.rst.

Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-5-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Convert virtio.txt into rST
Peter Xu [Tue, 9 Jan 2024 06:46:21 +0000 (14:46 +0800)]
docs/migration: Convert virtio.txt into rST

Convert the plain old .txt into .rst, add it into migration/index.rst.

Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-4-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Create index page
Peter Xu [Tue, 9 Jan 2024 06:46:20 +0000 (14:46 +0800)]
docs/migration: Create index page

Create an index page for migration module.  Move VFIO migration there too.
A trivial touch-up on the title to use lower case there.

Since then we'll have "migration" as the top title, make the main doc file
renamed to "migration framework".

Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-3-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago docs/migration: Create migration/ directory
Peter Xu [Tue, 9 Jan 2024 06:46:19 +0000 (14:46 +0800)]
docs/migration: Create migration/ directory

Migration documentation is growing into a single file too large.  Create a
sub-directory for it for a split.

We also already have separate vfio/virtio documentations, move it all over
into the directory.

Note that the virtio one is still not yet converted to rST.  That is a job
for later.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20240109064628.595453-2-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago tests/qtest: Re-enable multifd cancel test
Fabiano Rosas [Wed, 11 Oct 2023 18:46:04 +0000 (15:46 -0300)]
tests/qtest: Re-enable multifd cancel test

We've found the source of flakiness in this test, so re-enable it.

Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20230606144551.24367-4-farosas@suse.de
[peterx: rebase to 2a61a6964c, to use migration_test_add()]
Signed-off-by: Peter Xu <peterx@redhat.com>