rtime.felk.cvut.cz Git - lisovros/qemu_apohw.git/log
10 years ago target-arm: Implement CBAR for Cortex-A57
Peter Maydell [Tue, 15 Apr 2014 18:18:49 +0000 (19:18 +0100)]
target-arm: Implement CBAR for Cortex-A57

The Cortex-A57, like most of the other ARM cores, has a CBAR
register which defines the base address of the per-CPU
peripherals. However it has a 64-bit view as well as a
32-bit view; expand the QOM reset-cbar property from UINT32
to UINT64 so this can be specified, and implement the
32-bit and 64-bit views of a 64-bit CBAR.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement Cortex-A57 implementation-defined system registers
Peter Maydell [Tue, 15 Apr 2014 18:18:48 +0000 (19:18 +0100)]
target-arm: Implement Cortex-A57 implementation-defined system registers

Implement a subset of the Cortex-A57's implementation defined system
registers. We provide RAZ/WI or reads-as-constant/writes-ignored
implementations of the various control and syndrome registers.
We do not implement registers which provide direct access to and
manipulation of the L1 cache, since QEMU doesn't implement caches.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement RVBAR register
Peter Maydell [Tue, 15 Apr 2014 18:18:48 +0000 (19:18 +0100)]
target-arm: Implement RVBAR register

Implement the AArch64 RVBAR register, which indicates the reset
address. Since the reset address is implementation defined and
usually configurable by setting config signals in hardware, we
also provide a QOM property so it can be set at board level if
necessary.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 address translation operations
Peter Maydell [Tue, 15 Apr 2014 18:18:48 +0000 (19:18 +0100)]
target-arm: Implement AArch64 address translation operations

Implement the AArch64 address translation operations.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement auxiliary fault status registers
Peter Maydell [Tue, 15 Apr 2014 18:18:47 +0000 (19:18 +0100)]
target-arm: Implement auxiliary fault status registers

Implement the auxiliary fault status registers AFSR0_EL1 and
AFSR1_EL1. These are present on v7 and later, and have IMPDEF
behaviour; we choose to RAZ/WI for all cores.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Replace wildcarded cpreg definitions with precise ones for ARMv8
Peter Maydell [Tue, 15 Apr 2014 18:18:47 +0000 (19:18 +0100)]
target-arm: Replace wildcarded cpreg definitions with precise ones for ARMv8

Many of the reginfo definitions in cp_reginfo[] use CP_ANY wildcards.
This is for a combination of reasons:
 * early ARM implementations really did underdecode
 * earlier versions of QEMU underdecoded and we can't tighten
   this up because we don't know if guests really require this or not
 * implementation convenience

For ARMv8 the architecture has tightened things up and system and
coprocessor registers are always specifically decoded. We take
advantage of this opportunity for a clean break by restricting
our CP_ANY wildcarded reginfo to pre-v8 CPUs, and providing
specifically decoded versions where necessary for v8 CPUs.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Don't expose wildcard ID register definitions for ARMv8
Peter Maydell [Tue, 15 Apr 2014 18:18:47 +0000 (19:18 +0100)]
target-arm: Don't expose wildcard ID register definitions for ARMv8

In ARMv8 the 32 bit coprocessor ID register space is tidied up to
remove the wildcarded aliases of the MIDR and the RAZ behaviour
for the unassigned space where crm = 3..7. Make sure we don't
expose these wildcards for v8 cores. This means we need to have
a specific implementation for REVIDR, an IMPDEF register which
may be the same as the MIDR (and which we always implement as such).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Remove THUMB2EE feature from AArch64 'any' CPU
Peter Maydell [Tue, 15 Apr 2014 18:18:46 +0000 (19:18 +0100)]
target-arm: Remove THUMB2EE feature from AArch64 'any' CPU

The AArch64 usermode 'any' CPU type was accidentally specified
with the ARM_FEATURE_THUMB2EE bit set. This is incorrect since
ARMv8 removes Thumb2EE completely. Since we never implemented
Thumb2EE anyway having the feature bit set was fairly harmless
for user-mode, but the correct thing is to not set it at all.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement ISR_EL1 register
Peter Maydell [Tue, 15 Apr 2014 18:18:46 +0000 (19:18 +0100)]
target-arm: Implement ISR_EL1 register

Implement the ISR_EL1 register. This is actually present in
ARMv7 as well but was previously unimplemented. It is a
read-only register that indicates whether interrupts are
currently pending.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 view of ACTLR
Peter Maydell [Tue, 15 Apr 2014 18:18:45 +0000 (19:18 +0100)]
target-arm: Implement AArch64 view of ACTLR

Implement the AArch64 view of the ACTLR (auxiliary control
register). Note that QEMU internally tends to call this
AUXCR for historical reasons.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 view of CONTEXTIDR
Peter Maydell [Tue, 15 Apr 2014 18:18:45 +0000 (19:18 +0100)]
target-arm: Implement AArch64 view of CONTEXTIDR

Implement AArch64 view of the CONTEXTIDR register.
We tighten up the condition when we flush the TLB on a CONTEXTIDR
write to avoid needlessly flushing the TLB every time on a 64
bit system (and also on a 32 bit system using LPAE, as a bonus).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 views of AArch32 ID registers
Peter Maydell [Tue, 15 Apr 2014 18:18:45 +0000 (19:18 +0100)]
target-arm: Implement AArch64 views of AArch32 ID registers

All the AArch32 ID registers are visible from AArch64
(in addition to the AArch64-specific ID_AA64* registers).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Add Cortex-A57 processor
Peter Maydell [Tue, 15 Apr 2014 18:18:44 +0000 (19:18 +0100)]
target-arm: Add Cortex-A57 processor

Add Cortex-A57 processor.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement ARMv8 MVFR registers
Peter Maydell [Tue, 15 Apr 2014 18:18:44 +0000 (19:18 +0100)]
target-arm: Implement ARMv8 MVFR registers

For ARMv8 there are two changes to the MVFR media feature registers:
 * there is a new MVFR2 which is accessible from 32 bit code
 * 64 bit code accesses these via the usual sysreg instructions
   rather than with a floating-point specific instruction

Implement this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 EL1 exception handling
Rob Herring [Tue, 15 Apr 2014 18:18:44 +0000 (19:18 +0100)]
target-arm: Implement AArch64 EL1 exception handling

Implement exception handling for AArch64 EL1. Exceptions from AArch64 or
AArch32 EL0 are supported.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
[PMM: fixed minor style nits; updated to match changes in
 previous patches; added some of the simpler cases of
 illegal-exception-return support]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Move arm_log_exception() into internals.h
Peter Maydell [Tue, 15 Apr 2014 18:18:43 +0000 (19:18 +0100)]
target-arm: Move arm_log_exception() into internals.h

Move arm_log_exception() into internals.h so we can use it from
helper-a64.c for the AArch64 exception entry code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 SPSR_EL1
Peter Maydell [Tue, 15 Apr 2014 18:18:43 +0000 (19:18 +0100)]
target-arm: Implement AArch64 SPSR_EL1

Implement the AArch64 SPSR_EL1. For compatibility with how KVM
handles SPSRs and with the architectural mapping between AArch32
and AArch64, we put this in the banked_spsr[] array in the slot
that is used for SVC in AArch32. This means we need to extend the
array from uint32_t to uint64_t, which requires some reworking
of the 32 bit KVM save/restore code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement SP_EL0, SP_EL1
Peter Maydell [Tue, 15 Apr 2014 18:18:43 +0000 (19:18 +0100)]
target-arm: Implement SP_EL0, SP_EL1

Implement handling for the AArch64 SP_EL0 system register.
This holds the EL0 stack pointer, and is only accessible when
it's not being used as the stack pointer, ie when we're in EL1
and EL1 is using its own stack pointer. We also provide a
definition of the SP_EL1 register; this isn't guest visible
as a system register for an implementation like QEMU which
doesn't provide EL2 or EL3; however it is useful for ensuring
the underlying state is migrated.

We need to update the state fields in the CPU state whenever
we switch stack pointers; this happens when we take an exception
and also when SPSEL is used to change the bit in PSTATE which
indicates which stack pointer EL1 should use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Add AArch64 ELR_EL1 register.
Peter Maydell [Tue, 15 Apr 2014 18:18:42 +0000 (19:18 +0100)]
target-arm: Add AArch64 ELR_EL1 register.

Add the AArch64 ELR_EL1 register.

Note that this does not live in env->cp15: for KVM migration
compatibility we need to migrate it separately rather than
as part of the system registers, because the KVM-to-userspace
interface puts it in the struct kvm_regs rather than making
them visible via the ONE_REG ioctls.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 views of fault status and data registers
Rob Herring [Tue, 15 Apr 2014 18:18:42 +0000 (19:18 +0100)]
target-arm: Implement AArch64 views of fault status and data registers

Implement AArch64 views of ESR_EL1 and FAR_EL1, and make the 32 bit
DFSR, DFAR, IFAR share state with them as architecturally specified.
The IFSR doesn't share state with any AArch64 register visible at EL1,
so just rename the state field without widening it to 64 bits.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
[PMM: Minor tweaks; fix some bugs involving inconsistencies between
 use of offsetof() or offsetoflow32() and struct field width]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Use dedicated CPU state fields for ARM946 access bit registers
Peter Maydell [Tue, 15 Apr 2014 18:18:41 +0000 (19:18 +0100)]
target-arm: Use dedicated CPU state fields for ARM946 access bit registers

The ARM946 model currently uses the c5_data and c5_insn fields in the CPU
state struct to store the contents of its access permission registers.
This is confusing and a good source of bugs because for all the MMU-based
CPUs those fields are fault status and fault address registers, which
behave completely differently; they just happen to use the same cpreg
encoding. Split them out to use their own fields instead.

These registers are only present in PMSAv5 MPU systems (of which the
ARM946 is our only current example); PMSAv6 and PMSAv7 (which we have
no implementations of) handle access permissions differently. We name
the new state fields accordingly.

Note that this change fixes a bug where a data abort or prefetch abort
on the ARM946 would accidentally corrupt the access permission registers
because the interrupt handling code assumed the c5_data and c5_insn
fields were always fault status registers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: A64: Implement DC ZVA
Peter Maydell [Tue, 15 Apr 2014 18:18:41 +0000 (19:18 +0100)]
target-arm: A64: Implement DC ZVA

Implement the DC ZVA instruction, which clears a block of memory.
The fast path obtains a pointer to the underlying RAM via the TCG TLB
data structure so we can do a direct memset(), with fallback to a
simple byte-store loop in the slow path.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Don't mention PMU in debug feature register
Peter Maydell [Tue, 15 Apr 2014 18:18:41 +0000 (19:18 +0100)]
target-arm: Don't mention PMU in debug feature register

Suppress the ID_AA64DFR0_EL1 PMUVer field, even if the CPU specific
value claims that it exists. QEMU doesn't currently implement it,
and not advertising it prevents the guest from trying to use it
and getting UNDEFs on unimplemented registers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
---
This is arguably a hack, but otherwise Linux tries to prod
half a dozen PMU sysregs.

10 years ago target-arm: Add v8 mmu translation support
Rob Herring [Tue, 15 Apr 2014 18:18:40 +0000 (19:18 +0100)]
target-arm: Add v8 mmu translation support

Add support for v8 page table walks. This supports stage 1 translations
for 4KB, 16KB and 64KB page sizes starting with 0 or 1 level.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
[PMM: fix style nits, fold in 16/64K page support patch, use
 arm_el_is_aa64() to decide whether to do 64 bit page table walk]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Fix VFP enables for AArch32 EL0 under AArch64 EL1
Peter Maydell [Tue, 15 Apr 2014 18:18:40 +0000 (19:18 +0100)]
target-arm: Fix VFP enables for AArch32 EL0 under AArch64 EL1

The current A32/T32 decoder bases its "is VFP/Neon enabled?" check
on the FPSCR.EN bit. This is correct if EL1 is AArch32, but for
an AArch64 EL1 the logic is different: it must act as if FPSCR.EN
is always set. Instead, trapping must happen according to CPACR
bits for cp10/cp11; these cover all of FP/Neon, including the
FPSCR/FPSID/MVFR register accesses which FPSCR.EN does not affect.
Add support for CPACR checks (which are also required for ARMv7,
but were unimplemented because Linux happens not to use them)
and make sure they generate exceptions with the correct syndrome.

We actually return incorrect syndrome information for cases
where FP is disabled but the specific instruction bit pattern
is unallocated: strictly these should be the Uncategorized
exception, not a "SIMD disabled" exception. This should be
mostly harmless, and the structure of the A32/T32 VFP/Neon
decoder makes it painful to put the 'FP disabled?' checks in
the right places.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: A64: Add assertion that FP access was checked
Peter Maydell [Tue, 15 Apr 2014 18:18:40 +0000 (19:18 +0100)]
target-arm: A64: Add assertion that FP access was checked

Because unallocated encodings generate different exception syndrome
information from traps due to FP being disabled, we can't do a single
"is fp access disabled" check at a high level in the decode tree.
To help in catching bugs where the access check was forgotten in some
code path, we set this flag when the access check is done, and assert
that it is set at the point where we actually touch the FP regs.

This requires us to pass the DisasContext to the vec_reg_offset
and fp_reg_offset functions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: A64: Correctly fault FP/Neon if CPACR.FPEN set
Peter Maydell [Tue, 15 Apr 2014 18:18:39 +0000 (19:18 +0100)]
target-arm: A64: Correctly fault FP/Neon if CPACR.FPEN set

For the A64 instruction set, the only FP/Neon disable trap
is the CPACR FPEN bits, which may indicate "enabled", "disabled"
or "disabled for EL0". Add a bit to the AArch64 tb flags indicating
whether FP/Neon access is currently enabled and make the decoder
emit code to raise exceptions on use of FP/Neon insns if it is not.

We use a new flag in DisasContext rather than borrowing the
existing vfp_enabled flag because the A32/T32 decoder is going
to need both.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
---
I'm aware this is a rather hard to review patch; sorry.
I have done an exhaustive check that we have fp access checks
in all code paths with the aid of the assertions added in the
next patch plus the code-coverage hack patch I posted to the
list earlier.

This patch is correct as of
09e037354 target-arm: A64: Add saturating accumulate ops (USQADD/SUQADD)
which was the last of the Neon insns to be added, so assuming
no refactoring of the code it should be fine.

10 years ago target-arm: Provide syndrome information for MMU faults
Rob Herring [Tue, 15 Apr 2014 18:18:39 +0000 (19:18 +0100)]
target-arm: Provide syndrome information for MMU faults

Set up the required syndrome information when we detect an MMU fault.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
[PMM: split out from exception handling patch, tweaked to bring
 in line with how we create other kinds of syndrome information]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Add support for generating exceptions with syndrome information
Peter Maydell [Tue, 15 Apr 2014 18:18:38 +0000 (19:18 +0100)]
target-arm: Add support for generating exceptions with syndrome information

Add new helpers exception_with_syndrome (for generating an exception
with syndrome information) and exception_uncategorized (for generating
an exception with "Unknown or Uncategorized Reason", which have a syndrome
register value of zero), and use them to generate the correct syndrome
information for exceptions which are raised directly from generated code.

This patch includes moving the A32/T32 gen_exception_insn functions
further up in the source file; they will be needed for "VFP/Neon disabled"
exception generation later.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Provide correct syndrome information for cpreg access traps
Peter Maydell [Tue, 15 Apr 2014 18:18:38 +0000 (19:18 +0100)]
target-arm: Provide correct syndrome information for cpreg access traps

For exceptions taken to AArch64, if a coprocessor/system register
access fails due to a trap or enable bit then the syndrome information
must include details of the failing instruction (crn/crm/opc1/opc2
fields, etc). Make the decoder construct the syndrome information
at translate time so it can be passed at runtime to the access-check
helper function and used as required.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Define exception record for AArch64 exceptions
Peter Maydell [Tue, 15 Apr 2014 18:18:38 +0000 (19:18 +0100)]
target-arm: Define exception record for AArch64 exceptions

For AArch32 exceptions, the only information provided about
the cause of an exception is the individual exception type (data
abort, undef, etc), which we store in cs->exception_index. For
AArch64, the CPU provides much more detail about the cause of
the exception, which can be found in the syndrome register.
Create a set of fields in CPUARMState which must be filled in
whenever an exception is raised, so that exception entry can
correctly fill in the syndrome register for the guest.
This includes the information which in AArch32 appears in
the DFAR and IFAR (fault address registers) and the DFSR
and IFSR (fault status registers) for data aborts and
prefetch aborts, since if we end up taking the MMU fault
to AArch64 rather than AArch32 this will need to end up
in different system registers.

This patch does a refactoring which moves the setting of the
AArch32 DFAR/DFSR/IFAR/IFSR from the point where the exception
is raised to the point where it is taken. (This is no change
for cores with an MMU, retains the existing clearly incorrect
behaviour for ARM946 of trashing the MP access permissions
registers which share the c5_data and c5_insn state fields,
and has no effect for v7M because we don't implement its
MPU fault status or address registers.)

As a side effect of the cleanup we fix a bug in the AArch64
linux-user mode code where we were passing a 64 bit fault
address through the 32 bit c6_data/c6_insn fields: it now
goes via the always-64-bit exception.vaddress.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Implement AArch64 DAIF system register
Peter Maydell [Tue, 15 Apr 2014 18:18:37 +0000 (19:18 +0100)]
target-arm: Implement AArch64 DAIF system register

Implement the DAIF system register which is a view of the
DAIF bits in PSTATE. To avoid needing a readfn, we widen
the daif field in CPUARMState to uint64_t.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago target-arm: Split out private-to-target functions into internals.h
Peter Maydell [Tue, 15 Apr 2014 18:18:37 +0000 (19:18 +0100)]
target-arm: Split out private-to-target functions into internals.h

Currently cpu.h defines a mixture of functions and types needed by
the rest of QEMU and those needed only by files within target-arm/.
Split the latter out into a new header so they aren't needlessly
exposed further than required.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
10 years ago Merge remote-tracking branch 'remotes/rth/tcg-aarch-6-5' into staging
Peter Maydell [Thu, 17 Apr 2014 19:54:38 +0000 (20:54 +0100)]
Merge remote-tracking branch 'remotes/rth/tcg-aarch-6-5' into staging

* remotes/rth/tcg-aarch-6-5: (25 commits)
  tcg-aarch64: Use tcg_out_mov in preference to tcg_out_movr
  tcg-aarch64: Prefer unsigned offsets before signed offsets for ldst
  tcg-aarch64: Introduce tcg_out_insn_3312, _3310, _3313
  tcg-aarch64: Merge aarch64_ldst_get_data/type into tcg_out_op
  tcg-aarch64: Introduce tcg_out_insn_3507
  tcg-aarch64: Support stores of zero
  tcg-aarch64: Implement TCG_TARGET_HAS_new_ldst
  tcg-aarch64: Pass qemu_ld/st arguments directly
  tcg-aarch64: Use TCGMemOp in qemu_ld/st
  tcg-aarch64: Use ADR to pass the return address to the ld/st helpers
  tcg-aarch64: Use tcg_out_call for qemu_ld/st
  tcg-aarch64: Avoid add with zero in tlb load
  tcg-aarch64: Implement tcg_register_jit
  tcg-aarch64: Introduce tcg_out_insn_3314
  tcg-aarch64: Reuse LR in translated code
  tcg-aarch64: Use CBZ and CBNZ
  tcg-aarch64: Create tcg_out_brcond
  tcg-aarch64: Use symbolic names for branches
  tcg-aarch64: Use adrp in tcg_out_movi
  tcg-aarch64: Special case small constants in tcg_out_movi
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Open 2.1 development tree
Peter Maydell [Thu, 17 Apr 2014 19:39:32 +0000 (20:39 +0100)]
Open 2.1 development tree

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Update version for v2.0.0 release v2.0.0
Peter Maydell [Thu, 17 Apr 2014 12:41:45 +0000 (13:41 +0100)]
Update version for v2.0.0 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago tcg-aarch64: Use tcg_out_mov in preference to tcg_out_movr
Richard Henderson [Thu, 3 Apr 2014 18:41:34 +0000 (14:41 -0400)]
tcg-aarch64: Use tcg_out_mov in preference to tcg_out_movr

It's the more canonical interface.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Prefer unsigned offsets before signed offsets for ldst
Richard Henderson [Tue, 4 Mar 2014 04:03:51 +0000 (23:03 -0500)]
tcg-aarch64: Prefer unsigned offsets before signed offsets for ldst

The assembler seems to prefer them, perhaps we should too.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Introduce tcg_out_insn_3312, _3310, _3313
Richard Henderson [Tue, 4 Mar 2014 01:11:49 +0000 (17:11 -0800)]
tcg-aarch64: Introduce tcg_out_insn_3312, _3310, _3313

Replace aarch64_ldst_op_data with AArch64LdstType, as it wasn't encoded
for the proper shift for the field and was confusing.

Merge aarch64_ldst_op_data, AArch64LdstType, and a few stray opcode bits
into a single I3312_* argument, eliminating some magic numbers from the
helper functions.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Merge aarch64_ldst_get_data/type into tcg_out_op
Richard Henderson [Tue, 4 Mar 2014 00:36:01 +0000 (16:36 -0800)]
tcg-aarch64: Merge aarch64_ldst_get_data/type into tcg_out_op

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Introduce tcg_out_insn_3507
Richard Henderson [Tue, 4 Mar 2014 00:21:27 +0000 (16:21 -0800)]
tcg-aarch64: Introduce tcg_out_insn_3507

Cleaning up the implementation of REV and REV16 at the same time.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Support stores of zero
Richard Henderson [Tue, 4 Mar 2014 02:58:46 +0000 (21:58 -0500)]
tcg-aarch64: Support stores of zero

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Implement TCG_TARGET_HAS_new_ldst
Richard Henderson [Thu, 27 Feb 2014 19:42:18 +0000 (14:42 -0500)]
tcg-aarch64: Implement TCG_TARGET_HAS_new_ldst

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Pass qemu_ld/st arguments directly
Richard Henderson [Thu, 3 Apr 2014 17:54:28 +0000 (13:54 -0400)]
tcg-aarch64: Pass qemu_ld/st arguments directly

Instead of passing them the "args" array.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use TCGMemOp in qemu_ld/st
Richard Henderson [Wed, 26 Feb 2014 23:54:38 +0000 (18:54 -0500)]
tcg-aarch64: Use TCGMemOp in qemu_ld/st

Making the bswap conditional on the memop instead of a compile-time test.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use ADR to pass the return address to the ld/st helpers
Richard Henderson [Mon, 12 Aug 2013 16:32:52 +0000 (06:32 -1000)]
tcg-aarch64: Use ADR to pass the return address to the ld/st helpers

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use tcg_out_call for qemu_ld/st
Richard Henderson [Thu, 15 Aug 2013 02:51:59 +0000 (19:51 -0700)]
tcg-aarch64: Use tcg_out_call for qemu_ld/st

In some cases, a direct branch will be in range.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Avoid add with zero in tlb load
Richard Henderson [Sat, 10 Aug 2013 18:56:12 +0000 (14:56 -0400)]
tcg-aarch64: Avoid add with zero in tlb load

Some guest env are small enough to reach the tlb with only a 12-bit addition.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Implement tcg_register_jit
Richard Henderson [Sat, 15 Mar 2014 01:33:29 +0000 (21:33 -0400)]
tcg-aarch64: Implement tcg_register_jit

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Introduce tcg_out_insn_3314
Richard Henderson [Thu, 15 Aug 2013 20:34:47 +0000 (13:34 -0700)]
tcg-aarch64: Introduce tcg_out_insn_3314

Combines 4 other inline functions and tidies the prologue.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Reuse LR in translated code
Richard Henderson [Thu, 15 Aug 2013 19:54:28 +0000 (12:54 -0700)]
tcg-aarch64: Reuse LR in translated code

It's obviously call-clobbered, but is otherwise unused.
Repurpose it as the TCG temporary.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use CBZ and CBNZ
Richard Henderson [Fri, 28 Feb 2014 00:55:30 +0000 (19:55 -0500)]
tcg-aarch64: Use CBZ and CBNZ

A compare and branch against zero happens at the start of
every single TB.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Create tcg_out_brcond
Richard Henderson [Fri, 28 Feb 2014 00:31:57 +0000 (19:31 -0500)]
tcg-aarch64: Create tcg_out_brcond

Rearrange code to put the compare and branch in the same place.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use symbolic names for branches
Richard Henderson [Thu, 15 Aug 2013 03:05:51 +0000 (20:05 -0700)]
tcg-aarch64: Use symbolic names for branches

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use adrp in tcg_out_movi
Richard Henderson [Sat, 10 Aug 2013 19:28:48 +0000 (15:28 -0400)]
tcg-aarch64: Use adrp in tcg_out_movi

Loading a qemu pointer as an immediate happens often.  E.g.

- exit_tb $0x7fa8140013
+ exit_tb $0x7f81ee0013
...
- :  d2800260        mov     x0, #0x13
- :  f2b50280        movk    x0, #0xa814, lsl #16
- :  f2c00fe0        movk    x0, #0x7f, lsl #32
+ :  90ff1000        adrp    x0, 0x7f81ee0000
+ :  91004c00        add     x0, x0, #0x13

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Special case small constants in tcg_out_movi
Richard Henderson [Wed, 11 Sep 2013 20:44:17 +0000 (13:44 -0700)]
tcg-aarch64: Special case small constants in tcg_out_movi

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use ORRI in tcg_out_movi
Richard Henderson [Wed, 11 Sep 2013 20:34:38 +0000 (13:34 -0700)]
tcg-aarch64: Use ORRI in tcg_out_movi

The subset of logical immediates that we support is quite quick to test,
and such constants are quite common to want to load.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use MOVN in tcg_out_movi
Richard Henderson [Thu, 15 Aug 2013 02:32:56 +0000 (19:32 -0700)]
tcg-aarch64: Use MOVN in tcg_out_movi

When profitable, initialize the register with MOVN instead of MOVZ,
before setting the remaining lanes with MOVK.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use TCGType and TCGMemOp constants
Richard Henderson [Tue, 4 Mar 2014 00:12:21 +0000 (16:12 -0800)]
tcg-aarch64: Use TCGType and TCGMemOp constants

Rather than raw constants that could mean anything.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Use intptr_t appropriately
Richard Henderson [Tue, 4 Mar 2014 01:55:33 +0000 (17:55 -0800)]
tcg-aarch64: Use intptr_t appropriately

As opposed to tcg_target_long.

Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago tcg-aarch64: Properly detect SIGSEGV writes
Richard Henderson [Sat, 15 Mar 2014 02:24:57 +0000 (22:24 -0400)]
tcg-aarch64: Properly detect SIGSEGV writes

Since the kernel doesn't pass any info on the reason for the fault,
disassemble the instruction to detect a store.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
10 years ago Update version for v2.0.0-rc3 release v2.0.0-rc3
Peter Maydell [Mon, 14 Apr 2014 16:45:11 +0000 (17:45 +0100)]
Update version for v2.0.0-rc3 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Revert "fix return check for KVM_GET_DIRTY_LOG ioctl"
Michael Tokarev [Mon, 14 Apr 2014 12:14:04 +0000 (16:14 +0400)]
Revert "fix return check for KVM_GET_DIRTY_LOG ioctl"

This reverts commit b533f658a98325d0e47b36113bd9f5bcc046fdae.

The original code was wrong, because effectively it ignored errors
from kernel, because kernel does not return -1 on error case but
returns -errno, and does not return -EPERM for this particular ioctl.
But in some cases kernel actually returned unsuccessful result,
namely, when the dirty bitmap in requested slot does not exist
it returns -ENOENT.  With new code this condition becomes an
error when it shouldn't be.

Revert that patch instead of fixing it properly this late in the
release process.  I disagree with this approach, but let's make
things move _somewhere_, instead of arguing endlessly which of
the 2 proposed fixes is better.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 1397477644-902-1-git-send-email-mjt@msgid.tls.msk.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Mon, 14 Apr 2014 13:02:12 +0000 (14:02 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi: SSDT update

This has a fix by Igor for a regression introduced by
bridge hotplug code.
Expected test files were updated accordingly.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Mon 14 Apr 2014 13:13:35 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  acpi-test: update expected files
  acpi: fix incorrect encoding for 0x{F-1}FFFF

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago ide: Correct improper smart self test counter reset in ide core.
Benoît Canet [Sat, 12 Apr 2014 20:59:50 +0000 (22:59 +0200)]
ide: Correct improper smart self test counter reset in ide core.

The SMART self test counter was incorrectly being reset to zero,
not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
 * We would write off the beginning of a dynamically allocated buffer
 * We forgot the SMART history
Fix this.

Signed-off-by: Benoit Canet <benoit@irqsave.net>
Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Kevin Wolf <kwolf@redhat.com>
[PMM: tweaked commit message as per suggestions from Markus]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago acpi-test: update expected files
Michael S. Tsirkin [Mon, 14 Apr 2014 12:08:37 +0000 (15:08 +0300)]
acpi-test: update expected files

commit 58b035c7354afc0c5351ea62264c01d74196ec26
    acpi: fix incorrect encoding for 0x{F-1}FFFF
changes the SSDT, update expected files accordingly.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
10 years ago acpi: fix incorrect encoding for 0x{F-1}FFFF
Igor Mammedov [Sun, 13 Apr 2014 21:55:51 +0000 (23:55 +0200)]
acpi: fix incorrect encoding for 0x{F-1}FFFF

Fix typo in build_append_int() which causes integer
truncation when it's in range 0x{F-1}FFFF by packing it
as WordConst instead of required DWordConst.

In particular this fixes a regression: hotplug in slots 16,17,18 and 19
didn't work, since SSDT had code like this:

                If (And (Arg0, 0x0000))
                {
                    Notify (S80, Arg1)
                }

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
10 years ago configure: Make stack-protector test check both compile and link
Peter Maydell [Fri, 11 Apr 2014 16:13:52 +0000 (17:13 +0100)]
configure: Make stack-protector test check both compile and link

Since we use the -fstack-protector argument at both compile and
link time in the build, we must check that it works with both
a compile and a link:
 * MacOSX only fails in the compile step, not linking
 * some gcc cross environments only fail at the link stage (if they
   require a libssp and it's not present for some reason)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1397232832-32301-1-git-send-email-peter.maydell@linaro.org
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
10 years ago vmxnet3: validate queues configuration read on migration
Dmitry Fleytman [Fri, 4 Apr 2014 09:45:22 +0000 (12:45 +0300)]
vmxnet3: validate queues configuration read on migration

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-5-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago vmxnet3: validate interrupt indices read on migration
Dmitry Fleytman [Fri, 4 Apr 2014 09:45:21 +0000 (12:45 +0300)]
vmxnet3: validate interrupt indices read on migration

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-4-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago vmxnet3: validate queues configuration coming from guest
Dmitry Fleytman [Fri, 4 Apr 2014 09:45:20 +0000 (12:45 +0300)]
vmxnet3: validate queues configuration coming from guest

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-3-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago vmxnet3: validate interrupt indices coming from guest
Dmitry Fleytman [Fri, 4 Apr 2014 09:45:19 +0000 (12:45 +0300)]
vmxnet3: validate interrupt indices coming from guest

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-2-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago qom: Fix crash with qom-list and link properties
Cole Robinson [Thu, 10 Apr 2014 18:47:38 +0000 (14:47 -0400)]
qom: Fix crash with qom-list and link properties

Commit 9561fda8d90e176bef598ba87c42a1bd6ad03ef7 changed the type of
'opaque' for link properties, but missed updating this call site.
Reproducer:

./x86_64-softmmu/qemu-system-x86_64 -qmp unix:./qmp.sock,server &
./scripts/qmp/qmp-shell ./qmp.sock
(QEMU) qom-list path=//machine/i440fx/pci.0/child[2]

Reported-by: Marcin Gibuła <m.gibula@beyond.pl>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: 2f8f007ce2152ac3b65f0811199662799c509225.1397155389.git.crobinso@redhat.com
Acked-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago virtio-net: fix guest-triggerable buffer overrun
Michael S. Tsirkin [Fri, 11 Apr 2014 12:18:08 +0000 (15:18 +0300)]
virtio-net: fix guest-triggerable buffer overrun

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
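
The wrapping check described in the virtio-net commit message above, as an added example (not code from QEMU or from this commit): it models the quoted test with 32-bit counters and contrasts it with a form that compares against the remaining room instead of forming the sum. The value MAC_TABLE_ENTRIES = 64, struct mac_table and all function names are assumptions made for illustration; the inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_TABLE_ENTRIES 64u   /* assumed capacity for this example */
#define ETH_ALEN 6u

struct mac_table {              /* hypothetical model of the fixed macs array */
    uint32_t in_use;            /* entries already stored */
    uint8_t  macs[MAC_TABLE_ENTRIES * ETH_ALEN];
};

/* The check quoted in the commit message: the 32-bit sum can wrap. */
static bool fits_wrapping(uint32_t in_use, uint32_t entries)
{
    return in_use + entries <= MAC_TABLE_ENTRIES;
}

/* Overflow-safe form: no addition of guest-controlled values.
 * MAC_TABLE_ENTRIES - in_use cannot underflow once in_use is bounded. */
static bool fits_checked(uint32_t in_use, uint32_t entries)
{
    if (in_use > MAC_TABLE_ENTRIES) {
        return false;
    }
    return entries <= MAC_TABLE_ENTRIES - in_use;
}

/* Append `entries` addresses from a guest-supplied buffer of `len` bytes.
 * Returns 0 on success, -1 if the request is rejected. */
static int mac_table_append(struct mac_table *t, uint32_t entries,
                            const uint8_t *guest_buf, size_t len)
{
    if (!fits_checked(t->in_use, entries)) {
        return -1;              /* would run past the end of macs[] */
    }
    /* entries <= MAC_TABLE_ENTRIES here, so this product cannot overflow. */
    size_t need = (size_t)entries * ETH_ALEN;
    if (len < need) {
        return -1;              /* guest buffer shorter than it claims */
    }
    memcpy(&t->macs[(size_t)t->in_use * ETH_ALEN], guest_buf, need);
    t->in_use += entries;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the values named in the commit message. */
    uint32_t in_use = 1, entries = 0xffffffffu;
    printf("wrapping check accepts: %d\n", fits_wrapping(in_use, entries));
    printf("checked form accepts:   %d\n", fits_checked(in_use, entries));

    struct mac_table t = { .in_use = 1 };
    uint8_t buf[2 * ETH_ALEN] = { 0x01, 0x00, 0x5e, 0, 0, 1,
                                  0x01, 0x00, 0x5e, 0, 0, 2 };
    int rc = mac_table_append(&t, 2, buf, sizeof(buf));
    printf("append 2 entries: %d, in_use now %u\n", rc, (unsigned)t.in_use);

    rc = mac_table_append(&t, 0xffffffffu, buf, sizeof(buf));
    printf("append 0xffffffff entries: %d\n", rc);
    return 0;
}
```
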
10 years ago Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Fri, 11 Apr 2014 13:07:24 +0000 (14:07 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.0.0-rc3

# gpg: Signature made Fri 11 Apr 2014 13:37:34 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block-commit: speed is an optional parameter
  iscsi: Remember to set ret for iscsi_open in error case
  bochs: Fix catalog size check
  bochs: Fix memory leak in bochs_open() error path

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-1' into staging
Peter Maydell [Fri, 11 Apr 2014 12:51:15 +0000 (13:51 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-1' into staging

sdl2 relative mouse mode fixes.

# gpg: Signature made Fri 11 Apr 2014 11:36:46 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-1:
  input: sdl2: Fix relative mode to match SDL1 behavior
  input: sdl2: Fix guest_cursor logic

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago block-commit: speed is an optional parameter
Max Reitz [Thu, 10 Apr 2014 17:36:25 +0000 (19:36 +0200)]
block-commit: speed is an optional parameter

As speed is an optional parameter for the QMP block-commit command, it
should be set to 0 if not given (as it is undefined if has_speed is
false), that is, the speed should not be limited.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years ago iscsi: Remember to set ret for iscsi_open in error case
Fam Zheng [Thu, 10 Apr 2014 01:33:55 +0000 (09:33 +0800)]
iscsi: Remember to set ret for iscsi_open in error case

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years ago bochs: Fix catalog size check
Kevin Wolf [Wed, 9 Apr 2014 10:10:34 +0000 (12:10 +0200)]
bochs: Fix catalog size check

The old check was off by a factor of 512 and didn't consider cases where
we don't get an exact division. This could lead to an out-of-bounds
array access in seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
10 years ago bochs: Fix memory leak in bochs_open() error path
Kevin Wolf [Wed, 9 Apr 2014 09:19:04 +0000 (11:19 +0200)]
bochs: Fix memory leak in bochs_open() error path

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
10 years ago input: sdl2: Fix relative mode to match SDL1 behavior
Cole Robinson [Tue, 1 Apr 2014 20:37:11 +0000 (16:37 -0400)]
input: sdl2: Fix relative mode to match SDL1 behavior

Right now relative mode accelerates too fast, and has the 'invisible wall'
problem. SDL2 added an explicit API to handle this use case, so let's use
it.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years ago input: sdl2: Fix guest_cursor logic
Cole Robinson [Tue, 1 Apr 2014 20:37:10 +0000 (16:37 -0400)]
input: sdl2: Fix guest_cursor logic

Unbreaks relative mouse mode with sdl2, just like was done with sdl.c
in c3aa84b6.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years ago Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Thu, 10 Apr 2014 22:07:55 +0000 (23:07 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi: DSDT update

Two fixes here:
- Test fix to avoid warning with make check.
- Hex file update so people building QEMU
  without installing iasl get exactly the same ACPI
  as with.

Both should help avoid user confusion.

As it's very easy to check that the produced ACPI
binary didn't change, I think these are very low risk.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Thu 10 Apr 2014 17:09:43 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  acpi: update generated hex files
  tests/acpi: update expected DSDT files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago configure: use do_cc when checking for -fstack-protector support
Peter Maydell [Wed, 9 Apr 2014 11:04:47 +0000 (12:04 +0100)]
configure: use do_cc when checking for -fstack-protector support

MacOSX clang silently swallows unrecognized -f options when doing a link
with '-framework' also on the command line, so to detect support for
the various -fstack-protector options we must do a plain .c to .o compile,
not a complete compile-and-link.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397041487-28477-1-git-send-email-peter.maydell@linaro.org

10 years ago acpi: update generated hex files
Michael S. Tsirkin [Thu, 10 Apr 2014 16:03:18 +0000 (19:03 +0300)]
acpi: update generated hex files

commit f2ccc311df55ec026a8f8ea9df998f26314f22b2
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update hex files to match

Otherwise the fix is only effective if QEMU is built
with iasl.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
10 years ago tests/acpi: update expected DSDT files
Michael S. Tsirkin [Wed, 9 Apr 2014 14:47:07 +0000 (17:47 +0300)]
tests/acpi: update expected DSDT files

commit f2ccc311df55ec026a8f8ea9df998f26314f22b2
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update test expected files to match

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: Igor Mammedov <imammedo@redhat.com>
10 years ago Update version for v2.0.0-rc2 release v2.0.0-rc2
Peter Maydell [Tue, 8 Apr 2014 17:52:06 +0000 (18:52 +0100)]
Update version for v2.0.0-rc2 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago hw/pci-host/prep: Don't reverse IO accesses on bigendian hosts
Peter Maydell [Tue, 8 Apr 2014 15:51:11 +0000 (16:51 +0100)]
hw/pci-host/prep: Don't reverse IO accesses on bigendian hosts

The raven_io_read() and raven_io_write() functions pass and
return values in little-endian format (since the IO op struct
is marked DEVICE_LITTLE_ENDIAN); however they were storing the
values in the buffer to pass to address_space_read/write()
in host-endian order, which meant that on big-endian hosts
the values were inadvertently reversed. Use the *_le_p()
accessors instead so that we are consistent regardless of
host endianness.

Strictly speaking the byte order of the buffer for
address_space_rw() is target byte order (which for PPC
will be BE) but it doesn't actually matter as long as we
are consistent about the marking on the IO op struct and
which stl_*_p().

This bug was probably introduced due to confusion caused by
the two different versions of ldl_p() and friends:
 bswap.h defines versions meaning "host endianness access"
 cpu-all.h defines versions meaning "target endianness access"
As a target-independent source file prep.c gets the bswap.h
versions; the very similar looking code in ioport.c is
compiled per-target and gets the cpu-all.h versions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1396972271-22660-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
10 years ago Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Tue, 8 Apr 2014 12:59:28 +0000 (13:59 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi bug fix

Here is a single last minute fix for 2.0

This changes the HID of the container used to claim
resources for CPU hotplug.
As a result, Windows XP SP3 no longer brings up
an annoying "found new hardware" wizard on boot.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Tue 08 Apr 2014 13:23:30 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  dsdt: tweak ACPI ID for hotplug resource device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago dsdt: tweak ACPI ID for hotplug resource device
Michael S. Tsirkin [Sun, 6 Apr 2014 09:47:37 +0000 (12:47 +0300)]
dsdt: tweak ACPI ID for hotplug resource device

ACPI0004 seems too new:
Windows XP complains about an unrecognized device.
This is a regression since 1.7.
Use PNP0A06 instead - Generic Container Device.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-By: Igor Mammedov <imammedo@redhat.com>
10 years ago Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-5' into staging
Peter Maydell [Tue, 8 Apr 2014 12:05:25 +0000 (13:05 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-5' into staging

gtk: Implement grab-on-click behavior in relative mode

# gpg: Signature made Tue 08 Apr 2014 12:58:49 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-5:
  gtk: Implement grab-on-click behavior in relative mode

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago gtk: Implement grab-on-click behavior in relative mode
Takashi Iwai [Tue, 8 Apr 2014 09:26:45 +0000 (11:26 +0200)]
gtk: Implement grab-on-click behavior in relative mode

This patch changes the behavior in the relative mode to be compatible
with other UIs, namely, grabbing the input at the first left click.
It improves the usability a lot; otherwise you have to press ctl-alt-G
or select from menu at each time you want to move the pointer.  Also,
the input grab is cleared when the current mode is switched to the
absolute mode.

The automatic reset of the implicit grabbing is needed since the
switching to the absolute mode happens always after the click even on
Gtk.  That is, we cannot check whether the absolute mode is already
available at the first click time even though it should have been
switched in X11 input driver side.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years ago Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
Peter Maydell [Tue, 8 Apr 2014 09:58:31 +0000 (10:58 +0100)]
Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging

Patch queue for ppc - 2014-04-08

This is the final queue for 2.0! It fixes a lot of bugs people have
seen during testing:

  - Fix e500 SMP
  - Fix book3s_64 DEC
  - Fix VSX (new feature in 2.0) for LE hosts
  - Fix PR KVM on top of pHyp (SLOF update)

# gpg: Signature made Tue 08 Apr 2014 10:24:18 BST using RSA key ID 03FEDC60
# gpg: Can't check signature: public key not found

* remotes/agraf/tags/signed-ppc-for-upstream:
  PPC: Add l1 cache sizes for 970 and above systems
  ppce500_spin: Initialize struct properly
  PPC: Only enter MSR_POW when no interrupts pending
  PPC: Clean up DECR implementation
  target-ppc: Correct VSX Integer to FP Conversion
  target-ppc: Correct VSX FP to Integer Conversion
  target-ppc: Correct VSX FP to FP Conversions
  target-ppc: Correct VSX Scalar Compares
  target-ppc: Correct Simple VSR LE Host Inversions
  target-ppc: Correct LE Host Inversion of Lower VSRs
  target-ppc: Define Endian-Correct Accessors for VSR Field Access
  target-ppc: Bug: VSX Convert to Integer Should Truncate
  softfloat: Introduce float32_to_uint64_round_to_zero
  pseries: Update SLOF firmware image to qemu-slof-20140404
  PPC: E500: Set PIR default reset value rather than SPR value

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago Merge remote-tracking branch 'remotes/mdroth/qga-pull-2014-4-7' into staging
Peter Maydell [Tue, 8 Apr 2014 09:41:30 +0000 (10:41 +0100)]
Merge remote-tracking branch 'remotes/mdroth/qga-pull-2014-4-7' into staging

* remotes/mdroth/qga-pull-2014-4-7:
  vss-win32: Fix build with mingw64-headers-3.1.0
  Makefile: add qga-vss-dll-obj-y to nested variables

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years ago PPC: Add l1 cache sizes for 970 and above systems
Alexander Graf [Mon, 7 Apr 2014 23:42:53 +0000 (01:42 +0200)]
PPC: Add l1 cache sizes for 970 and above systems

Book3s_64 guests expect the L1 cache size in device tree, so let's give
them proper values for all CPU types we support.

This fixes a "not compliant" warning with sles11 guests on -M pseries for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years ago ppce500_spin: Initialize struct properly
Alexander Graf [Mon, 7 Apr 2014 14:48:42 +0000 (16:48 +0200)]
ppce500_spin: Initialize struct properly

The spinning struct is in guest endianness, so we need to initialize
its variables in guest endianness too.

This fixes booting e500 guests with SMP on x86 for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years ago PPC: Only enter MSR_POW when no interrupts pending
Alexander Graf [Sun, 6 Apr 2014 20:40:47 +0000 (22:40 +0200)]
PPC: Only enter MSR_POW when no interrupts pending

We were entering the power saving state even when interrupts (like an
external interrupt or a decrementer interrupt) were still in flight.

In case we find a pending interrupt, don't enter power saving state.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Tom Musta <tmusta@gmail.com>
10 years ago PPC: Clean up DECR implementation
Alexander Graf [Sat, 5 Apr 2014 23:32:06 +0000 (01:32 +0200)]
PPC: Clean up DECR implementation

There are 3 different variants of the decrementor for BookE and BookS.

The BookE variant sets TSR[DIS] to 1 when the DEC value becomes 1 or 0. TSR[DIS]
is then the indicator whether the decrementor interrupt line is asserted or not.

The old BookS variant treats DEC as an edge interrupt that gets triggered when
the DEC value's top bit turns 1 from 0.

The new BookS variant maintains the assertion bit inside DEC itself. Whenever
the DEC value becomes negative (top bit set) the DEC interrupt line is asserted.

So far we implemented mostly the old BookS variant. Let's do them all properly.

This fixes booting pseries ppc64 guest images in TCG mode for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years ago target-ppc: Correct VSX Integer to FP Conversion
Tom Musta [Mon, 31 Mar 2014 21:04:03 +0000 (16:04 -0500)]
target-ppc: Correct VSX Integer to FP Conversion

This patch corrects the VSX integer to floating point conversion instructions
by using the endian correct accessors.  The auxiliary "j" index used by the
existing macros is now obsolete and is removed.  The JOFFSET preprocessor
macro is also obsolete and removed.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years ago target-ppc: Correct VSX FP to Integer Conversion
Tom Musta [Mon, 31 Mar 2014 21:04:02 +0000 (16:04 -0500)]
target-ppc: Correct VSX FP to Integer Conversion

This patch corrects the VSX floating point to integer conversion
instructions by using the endian correct accessors.  The auxiliary
"j" index used by the existing macros is now obsolete and is removed.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>