10 Apr, 2018 30 commits
    • icount: fix cpu_restore_state_from_tb for non-tb-exit cases · afd46fca
      Pavel Dovgalyuk authored

      In icount mode, instructions that access io memory spaces in the middle
      of the translation block invoke TB recompilation.  After recompilation,
      such instructions become last in the TB and are allowed to access io
      memory spaces.

      When the code includes an instruction like i386 'xchg eax, 0xffffd080'
      which accesses the APIC, QEMU goes into an infinite loop of recompilation.

      This instruction includes two memory accesses - one read and one write.
      After the first access, the APIC calls cpu_report_tpr_access, which restores
      the CPU state to get the current eip.  But cpu_restore_state_from_tb
      resets the cpu->can_do_io flag, which makes the second memory access invalid.
      Therefore the second memory access causes a recompilation of the block.
      Then these operations repeat again and again.

      This patch moves resetting the cpu->can_do_io flag from
      cpu_restore_state_from_tb to the cpu_loop_exit* functions.

      It also adds a parameter for cpu_restore_state which controls restoring
      icount.  There is no need to restore icount when we only query CPU state
      without breaking the TB.  Restoring it in such cases leads to the
      incorrect flow of the virtual time.

      In most cases the new parameter is true (icount should be recalculated).
      But there are two cases in i386 and openrisc when the CPU state is only
      queried without the need to break the TB.  This patch fixes both of
      these cases.

      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
      Message-Id: <20180409091320.12504.35329.stgit@pasha-VirtualBox>
      [rth: Make can_do_io setting unconditional; move from cpu_exec;
      make cpu_loop_exit_{noexc,restore} call cpu_loop_exit.]
      Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
    • Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20180410a' into staging · ac4ba87a
      Peter Maydell authored

      Migration reversion pull for 2.12

      One to revert after we decided it needs some more thinking.

      # gpg: Signature made Tue 10 Apr 2018 16:02:17 BST
      # gpg:                using RSA key 0516331EBC5BFDE7
      # gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>"
      # Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A  9FA9 0516 331E BC5B FDE7

      * remotes/dgilbert/tags/pull-migration-20180410a:
        Revert "migration: Don't activate block devices if using -S"

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/ericb/tags/pull-qapi-2018-04-10' into staging · 26d6a7c8
      Peter Maydell authored

      qapi patches for 2018-04-10

      - Peter Xu: iotests: fix wait_until_completed()
      - Peter Xu: iothread: workaround glib bug which hangs qmp-test
      - Peter Xu: monitor: bind dispatch bh to iohandler context

      # gpg: Signature made Tue 10 Apr 2018 14:15:09 BST
      # gpg:                using RSA key A7A16B4A2527436A
      # gpg: Good signature from "Eric Blake <eblake@redhat.com>"
      # gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
      # gpg:                 aka "[jpeg image of size 6874]"
      # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

      * remotes/ericb/tags/pull-qapi-2018-04-10:
        monitor: bind dispatch bh to iohandler context
        iothread: workaround glib bug which hangs qmp-test
        iotests: fix wait_until_completed()

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • linux-user: implement HWCAP bits on MIPS · 46a1ee4f
      James Cowgill authored

      Add support for the two currently defined HWCAP bits on MIPS - R6 and
      MSA.

      Buglink: https://bugs.launchpad.net/qemu/+bug/1754372

      Signed-off-by: James Cowgill <james.cowgill@mips.com>
      Reviewed-by: Laurent Vivier <laurent@vivier.eu>
      Message-Id: <20180315151348.6451-1-james.cowgill@mips.com>
      Signed-off-by: Laurent Vivier <laurent@vivier.eu>
    • Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.12-20180410' into staging · 69550301
      Peter Maydell authored

      ppc patch queue 2018-04-10

      Here's a rather late pull request with a handful of fixes for 2.12.
      These have been blocked for some time, because I wasn't able to
      complete my usual test set due to the SCSI problem fixed in 37c51741
      "scsi-disk: Don't enlarge min_io_size to max_io_size".

      Since we're in hard freeze, these are all bugfixes.  Most are also
      regressions, although in one case it's only a "regression" because a
      longstanding bug has been exposed by a new machine type (sam460ex) in
      the testcases.  There are also a couple of sam460ex fixes that aren't
      regressions since the board didn't exist before.  On the flipside
      though, they're low risk because they only touch board specific code
      for a board that doesn't exist in any released version.

      # gpg: Signature made Tue 10 Apr 2018 08:13:52 BST
      # gpg:                using RSA key 6C38CACA20D9B392
      # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
      # gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
      # gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

      * remotes/dgibson/tags/ppc-for-2.12-20180410:
        roms/u-boot-sam460ex: Change to qemu git mirror and update
        sam460ex: Fix timer frequency and clock multipliers
        tests/boot-serial: Test the sam460ex board
        spapr: Initialize reserved areas list in FDT in H_CAS handler
        target/ppc: Fix backwards migration of msr_mask
        hw/misc/macio: Fix crash when listing device properties of macio device
        target/ppc: Initialize lazy_tlb_flush correctly

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • linux-user: add microblaze/microblazeel magic numbers in qemu-binfmt-conf.sh · 947aeab3
      Laurent Vivier authored

      Signed-off-by: Laurent Vivier <laurent@vivier.eu>
      Message-Id: <20180409115212.875-2-laurent@vivier.eu>
    • linux-user: fix microblaze get_sp_from_cpustate() · a31e7605
      Laurent Vivier authored

      get_sigframe() uses regs[1] and this is the actual SP.

      Signed-off-by: Laurent Vivier <laurent@vivier.eu>
      Message-Id: <20180409115212.875-1-laurent@vivier.eu>
    • qemu-iotests: update 185 output · c1de5696
      Stefan Hajnoczi authored

      Commit 4486e89c ("vl: introduce vm_shutdown()") added a bdrv_drain_all()
      call.  As a side-effect of the drain operation the block job iterates one
      more time than before.  The 185 output no longer matches and the test is
      failing now.

      It may be possible to avoid the superfluous block job iteration, but
      that type of patch is not suitable late in the QEMU 2.12 release cycle.

      This patch simply updates the 185 output file.  The new behavior is
      correct, just not optimal, so make the test pass again.

      Fixes: 4486e89c ("vl: introduce vm_shutdown()")
      Cc: Kevin Wolf <kwolf@redhat.com>
      Cc: QingFeng Hao <haoqf@linux.vnet.ibm.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      Reviewed-by: QingFeng Hao <haoqf@linux.vnet.ibm.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • commit/stream: Reset delay_ns · 2fe4bba1
      Kevin Wolf authored

      Streaming and the commit block job only want to apply throttling when
      they actually copied data instead of skipping it, so they made the
      calculation of delay_ns conditional. However, delay_ns isn't reset when
      skipping some sectors, so instead of not waiting, the old delay is
      applied again.

      Properly reset delay_ns where needed.

      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
    • qemu-iotests: Remove _supported_fmt dmg · ad53ea42
      Kevin Wolf authored

      qemu-iotests doesn't support dmg, and the dmg block driver doesn't
      support image creation. Two test cases declare dmg as supported, but
      that's obviously wrong for both reasons. Remove the declaration.

      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
    • iotests: blacklist bochs and cloop for 205 and 208 · e819edd0
      Vladimir Sementsov-Ogievskiy authored

      Blacklist these formats, as they don't support image creation, as they
      say:

          > ./qemu-img create -f bochs x 1m
          qemu-img: x: Format driver 'bochs' does not support image creation

          > ./qemu-img create -f cloop x 1m
          qemu-img: x: Format driver 'cloop' does not support image creation

      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • iotests.py: improve verify_image_format helper · f48351d2
      Vladimir Sementsov-Ogievskiy authored

      Support "generic" formats like in bash tests with their
         _supported_fmt generic
      A test supporting "generic" formats will run if IMGFMT_GENERIC =
      true, which is the default, except for bochs and cloop. However, you can
      use verify_image_format(['generic', 'bochs']), which will run for all
      except cloop (for this moment).

      Also, add an assert (we don't want to set both arguments) and remove
      duplication.

      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • hw/block/pflash_cfi: fix off-by-one error · 07c13a71
      Philippe Mathieu-Daudé authored

      ASAN reported:

          hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]'

      Since the 'cfi_len' member is not used, remove it to keep the code safer.

      Cc: qemu-stable@nongnu.org
      Reported-by: AddressSanitizer
      Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • Revert "migration: Don't activate block devices if using -S" · a18a73d7
      Dr. David Alan Gilbert authored

      This reverts commit 0746a926.

      Discussion with kwolf suggests this is actually an API change that
      we need to gate on a capability.  Push to 2.13.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
    • Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180410' into staging · f41ee66d
      Peter Maydell authored

      target-arm queue:
       * fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
       * tcg: Fix guest state corruption when running 64-bit Arm
         guests on a 32-bit host (especially when using icount)
       * linux-user/signal.c: Ensure AArch64 signal frame isn't too small
       * cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
       * target/arm: Report unsupported MPU region sizes more clearly
       * hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
       * hw/arm/allwinner-a10: Do not use nd_table in instance_init function
       * hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
       * hw/sd/bcm2835_sdhost: Add tracepoints
       * target-arm: Check undefined opcodes for SWP in A32 decoder
       * hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
       * hw/arm: Allow manually specified /psci node

      # gpg: Signature made Tue 10 Apr 2018 13:16:12 BST
      # gpg:                using RSA key 3C2525ED14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
      # gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
      # gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
      # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

      * remotes/pmaydell/tags/pull-target-arm-20180410:
        fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
        tcg: Introduce tcg_set_insn_start_param
        linux-user/signal.c: Ensure AArch64 signal frame isn't too small
        cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
        target/arm: Report unsupported MPU region sizes more clearly
        hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
        hw/arm/allwinner-a10: Do not use nd_table in instance_init function
        hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
        hw/sd/bcm2835_sdhost: Add tracepoints
        target-arm: Check undefined opcodes for SWP in A32 decoder
        hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
        hw/arm: Allow manually specified /psci node

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/kraxel/tags/ui-20180410-pull-request' into staging · df6378eb
      Peter Maydell authored

      configure: don't warn on old sdl/gtk versions if disabled.
      keymap + gtk fixes.

      # gpg: Signature made Tue 10 Apr 2018 10:23:37 BST
      # gpg:                using RSA key 4CB6D8EED3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
      # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
      # Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

      * remotes/kraxel/tags/ui-20180410-pull-request:
        configure: don't warn SDL abi if disabled
        configure: don't warn GTK if disabled
        gtk: drop pointless code from gd_window_close
        ui: fix keymap detection under Xwayland

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • monitor: bind dispatch bh to iohandler context · 951702f3
      Peter Xu authored

      Eric Auger reported the problem days ago that OOB broke ARM when running
      with libvirt:

      http://lists.gnu.org/archive/html/qemu-devel/2018-03/msg06231.html

      The problem was that the monitor dispatcher bottom half was bound to
      qemu_aio_context now, which could be polled unexpectedly in block code.
      We should keep the dispatchers running in iohandler_ctx just like what we
      did before the Out-Of-Band series (chardev uses qio, and qio binds
      everything with iohandler_ctx).

      Without this change, the QMP dispatcher might be run even before reaching
      the main loop in the block IO path, for example, in a stack like (the ARM case,
      "cont" command handler run even during machine init phase):

              #0  qmp_cont ()
              #1  0x00000000006bd210 in qmp_marshal_cont ()
              #2  0x0000000000ac05c4 in do_qmp_dispatch ()
              #3  0x0000000000ac07a0 in qmp_dispatch ()
              #4  0x0000000000472d60 in monitor_qmp_dispatch_one ()
              #5  0x000000000047302c in monitor_qmp_bh_dispatcher ()
              #6  0x0000000000acf374 in aio_bh_call ()
              #7  0x0000000000acf428 in aio_bh_poll ()
              #8  0x0000000000ad5110 in aio_poll ()
              #9  0x0000000000a08ab8 in blk_prw ()
              #10 0x0000000000a091c4 in blk_pread ()
              #11 0x0000000000734f94 in pflash_cfi01_realize ()
              #12 0x000000000075a3a4 in device_set_realized ()
              #13 0x00000000009a26cc in property_set_bool ()
              #14 0x00000000009a0a40 in object_property_set ()
              #15 0x00000000009a3a08 in object_property_set_qobject ()
              #16 0x00000000009a0c8c in object_property_set_bool ()
              #17 0x0000000000758f94 in qdev_init_nofail ()
              #18 0x000000000058e190 in create_one_flash ()
              #19 0x000000000058e2f4 in create_flash ()
              #20 0x00000000005902f0 in machvirt_init ()
              #21 0x00000000007635cc in machine_run_board_init ()
              #22 0x00000000006b135c in main ()

      Actually the problem is more severe than that.  After we switched to the
      qemu AIO handler it means the monitor dispatcher code can even be called
      with nested aio_poll(), then it can be an explicit aio_poll() inside
      another main loop aio_poll() which could be racy too; breaking code
      like TPM and 9p that use nested event loops.

      Switch to use the iohandler_ctx for monitor dispatchers.

      My sincere thanks to Eric Auger who offered great help during both
      debugging and verifying the problem.  The ARM test was carried out by
      applying this patch upon QEMU 2.12.0-rc0 and the problem is gone after the
      patch.

      A quick test of mine shows that after this patch is applied we can pass all
      raw iotests even with OOB on by default.

      CC: Eric Blake <eblake@redhat.com>
      CC: Markus Armbruster <armbru@redhat.com>
      CC: Stefan Hajnoczi <stefanha@redhat.com>
      CC: Fam Zheng <famz@redhat.com>
      Reported-by: Eric Auger <eric.auger@redhat.com>
      Tested-by: Eric Auger <eric.auger@redhat.com>
      Signed-off-by: Peter Xu <peterx@redhat.com>
      Message-Id: <20180410044942.17059-1-peterx@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • iothread: workaround glib bug which hangs qmp-test · 15544349
      Peter Xu authored

      Free the AIO context earlier than the GMainContext (if we have one) to
      work around a glib2 bug where the GSource context pointer is not cleared
      even if the context has already been destroyed (while it should be).

      The patch itself only changes the order in which the objects are destroyed,
      no functional change at all. Without this workaround, we can encounter a
      qmp-test hang with oob (and possibly any other use case where iothread is
      used with GMainContexts):

        #0  0x00007f35ffe45334 in __lll_lock_wait () from /lib64/libpthread.so.0
        #1  0x00007f35ffe405d8 in _L_lock_854 () from /lib64/libpthread.so.0
        #2  0x00007f35ffe404a7 in pthread_mutex_lock () from /lib64/libpthread.so.0
        #3  0x00007f35fc5b9c9d in g_source_unref_internal (source=0x24f0600, context=0x7f35f0000960, have_lock=0) at gmain.c:1685
        #4  0x0000000000aa6672 in aio_context_unref (ctx=0x24f0600) at /root/qemu/util/async.c:497
        #5  0x000000000065851c in iothread_instance_finalize (obj=0x24f0380) at /root/qemu/iothread.c:129
        #6  0x0000000000962d79 in object_deinit (obj=0x24f0380, type=0x242e960) at /root/qemu/qom/object.c:462
        #7  0x0000000000962e0d in object_finalize (data=0x24f0380) at /root/qemu/qom/object.c:476
        #8  0x0000000000964146 in object_unref (obj=0x24f0380) at /root/qemu/qom/object.c:924
        #9  0x0000000000965880 in object_finalize_child_property (obj=0x24ec640, name=0x24efca0 "mon_iothread", opaque=0x24f0380) at /root/qemu/qom/object.c:1436
        #10 0x0000000000962c33 in object_property_del_child (obj=0x24ec640, child=0x24f0380, errp=0x0) at /root/qemu/qom/object.c:436
        #11 0x0000000000962d26 in object_unparent (obj=0x24f0380) at /root/qemu/qom/object.c:455
        #12 0x0000000000658f00 in iothread_destroy (iothread=0x24f0380) at /root/qemu/iothread.c:365
        #13 0x00000000004c67a8 in monitor_cleanup () at /root/qemu/monitor.c:4663
        #14 0x0000000000669e27 in main (argc=16, argv=0x7ffc8b1ae2f8, envp=0x7ffc8b1ae380) at /root/qemu/vl.c:4749

      The glib2 bug is fixed in commit 26056558b ("gmain: allow
      g_source_get_context() on destroyed sources", 2012-07-30), so the first
      good version is glib2 2.33.10. But we still support building with
      glib as old as 2.28, so we need the workaround.

      Let's make sure we destroy the GSources first, before their owner context,
      until we drop support for glib older than 2.33.10.

      Signed-off-by: Peter Xu <peterx@redhat.com>
      Message-Id: <20180409083956.1780-1-peterx@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • iotests: fix wait_until_completed() · c3988519
      Peter Xu authored

      If there is more than one event, wait_until_completed() might return
      the 2nd event even if the 1st event is JOB_COMPLETED, since the for loop
      will continue to run even if completed is set to True.

      It never happened before, but it can be triggered when OOB is enabled
      due to the RESUME startup message. Fix that up.

      Signed-off-by: Peter Xu <peterx@redhat.com>
      Message-Id: <20180408030542.17855-1-peterx@redhat.com>
      Reviewed-by: Fam Zheng <famz@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: Eric Blake <eblake@redhat.com>
    • fpu: Fix rounding mode for floatN_to_uintM_round_to_zero · bd49e602
      Richard Henderson authored

      We incorrectly passed in the current rounding mode
      instead of float_round_to_zero.

      Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20180410055912.934-1-richard.henderson@linaro.org
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • tcg: Introduce tcg_set_insn_start_param · 9743cd57
      Richard Henderson authored

      The parameters for tcg_gen_insn_start are target_ulong, which may be split
      into two TCGArg parameters for storage in the opcode on 32-bit hosts.

      Fixes the ARM target and its direct use of tcg_set_insn_param, which would
      set the wrong argument in the 64-on-32 case.

      Cc: qemu-stable@nongnu.org
      Reported-by: alarson@ddci.com
      Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20180410003558.2470-1-richard.henderson@linaro.org
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • linux-user/signal.c: Ensure AArch64 signal frame isn't too small · 7f0f4208
      Peter Maydell authored

      The AArch64 signal frame design was extended for SVE in commit
      8c5931de, so that instead of having a fixed setup we
      now add various records to the frame, with some of them possibly
      overflowing into an extra space outside the original 4K reserved
      block in the target_sigcontext.  However, we failed to ensure that we
      always at least allocate the 4K reserved block.  This is ABI, and
      some userspace programs rely on it.  In particular the dash shell
      would segfault if the frame wasn't big enough.

      (Compare the kernel's sigframe_size() function in
      arch/arm64/kernel/signal.c.)

      Reported-by: Richard Henwood <richard.henwood@arm.com>
      Reviewed-by: Laurent Vivier <laurent@vivier.eu>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20180409140714.26841-1-peter.maydell@linaro.org
      Fixes: https://bugs.launchpad.net/bugs/1761535
      Fixes: 8c5931de
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • cpus.c: ensure running CPU recalculates icount deadlines on timer expiry · c52e7132
      Peter Maydell authored

      When we run in TCG icount mode, we calculate the number of instructions
      to execute using tcg_get_icount_limit(), which ensures that we stop
      execution at the next timer deadline. However there is a bug where
      currently we do not recalculate that limit if the guest reprograms
      a timer so that the next deadline moves closer, and so we will
      continue execution until the original limit and fire the timer
      later than we should.

      Fix this bug in qemu_timer_notify_cb(): if we are currently running
      a VCPU in icount mode, we simply need to kick it out of the main
      loop and back to tcg_cpu_exec(), where it will recalculate the
      icount limit. If we are not currently running a VCPU, then we
      retain the existing logic for waking up a halted CPU.

      Cc: qemu-stable@nongnu.org
      Fixes: https://bugs.launchpad.net/qemu/+bug/1754038
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
      Message-id: 20180406123838.21249-1-peter.maydell@linaro.org
    • target/arm: Report unsupported MPU region sizes more clearly · 8aec759b
      Peter Maydell authored

      Currently our PMSAv7 and ARMv7M MPU implementation cannot handle
      MPU region sizes smaller than our TARGET_PAGE_SIZE. However we
      report that in a slightly confusing way:

       DRSR[3]: No support for MPU (sub)region alignment of 9 bits. Minimum is 10

      The problem is not the alignment of the region, but its size;
      tweak the error message to say so:

       DRSR[3]: No support for MPU (sub)region size of 512 bytes. Minimum is 1024.

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 20180405172554.27401-1-peter.maydell@linaro.org
    • hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7 · f640a591
      Thomas Huth authored

      QEMU currently exits unexpectedly when trying to introspect the fsl-imx6
      and fsl-imx7 devices on systems with many SMP CPUs:

      $ echo "{'execute':'qmp_capabilities'}"\
             "{'execute':'device-list-properties',"\
             " 'arguments':{'typename':'fsl,imx6'}}" \
             | arm-softmmu/qemu-system-arm -M virt,accel=qtest -qmp stdio -smp 8
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
       "package": "build-all"}, "capabilities": []}}
      {"return": {}}
      fsl,imx6: Only 4 CPUs are supported (8 requested)

      And:

      $ echo "{'execute':'qmp_capabilities'}"\
             "{'execute':'device-list-properties',"\
             " 'arguments':{'typename':'fsl,imx7'}}" \
             | arm-softmmu/qemu-system-arm -M raspi2,accel=qtest -qmp stdio
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
       "package": "build-all"}, "capabilities": []}}
      {"return": {}}
      fsl,imx7: Only 2 CPUs are supported (4 requested)

      This happens because these devices are doing an exit() from their
      instance_init function - which should never be done since instance_init
      can be called at any time for device introspection! Fix it by moving
      the deadly check into the realize() function instead.

      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-id: 1522908551-14885-1-git-send-email-thuth@redhat.com
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • hw/arm/allwinner-a10: Do not use nd_table in instance_init function · 8aabc543
      Thomas Huth authored

      The instance_init function of a device can be called at any time, even
      if the device is not going to be used (i.e. not going to be realized).
      So an instance_init function must not do things that could cause QEMU
      to exit, like calling qemu_check_nic_model(&nd_table[0], ...) for example.
      But this is what the instance_init function of the allwinner-a10 device
      is currently doing - and this causes QEMU to quit unexpectedly when
      you run the 'device-list-properties' QMP command for example:

      $ echo "{'execute':'qmp_capabilities'}"\
             "{'execute':'device-list-properties',"\
             " 'arguments':{'typename':'allwinner-a10'}}" \
             | arm-softmmu/qemu-system-arm -M mps2-an505,accel=qtest -qmp stdio
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
       "package": "build-all"}, "capabilities": []}}
      {"return": {}}
      Unsupported NIC model: lan9118

      ... and QEMU quits after printing the last line (which should not happen
      just because of running 'device-list-properties' here).

      And with the cubieboard, this even causes QEMU to abort():

      $ echo "{'execute':'qmp_capabilities'}"\
             "{'execute':'device-list-properties',"\
             " 'arguments':{'typename':'allwinner-a10'}}" \
             | arm-softmmu/qemu-system-arm -M cubieboard,accel=qtest -qmp stdio
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
       "package": "build-all"}, "capabilities": []}}
      {"return": {}}
      Unexpected error in error_set_from_qdev_prop_error() at hw/core/qdev-properties.c:1095:
      Property 'allwinner-emac.netdev' can't take value 'hub0port0', it's in use
      Aborted (core dumped)

      To fix the problem we've got to move the offending code to the realize
      function instead.

      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-id: 1522862420-7484-1-git-send-email-thuth@redhat.com
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • hw/sd/bcm2835_sdhost: Don't raise spurious interrupts · f3d9fe8f
      Peter Maydell authored

      The Linux bcm2835_sdhost driver doesn't work on QEMU, because our
      model raises spurious data interrupts.  Our function
      bcm2835_sdhost_fifo_run() will flag an interrupt any time it is
      called with s->datacnt == 0, even if the host hasn't actually issued
      a data read or write command yet.  This means that the driver gets a
      spurious data interrupt as soon as it enables IRQs and then does
      something else that causes us to call the fifo_run routine, like
      writing to SDHCFG, and before it does the write to SDCMD to issue the
      read.  The driver's IRQ handler then spins forever complaining that
      there's no data and the SD controller isn't in a state where there's
      going to be any data:

      [   41.040738] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
      [   41.042059] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
      (continues forever).

      Move the interrupt flag setting to more plausible places:
       * for BUSY, raise this as soon as a BUSYWAIT command has executed
       * for DATA, raise this when the FIFO has any space free (for a write)
         or any data in it (for a read)
       * for BLOCK, raise this when the data count is 0 and we've
         actually done some reading or writing

      This is pure guesswork since the documentation for this hardware is
      not public, but it is sufficient to get the Linux bcm2835_sdhost
      driver to work.

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Tested-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 20180319161556.16446-3-peter.maydell@linaro.org
    • hw/sd/bcm2835_sdhost: Add tracepoints · b318f326
      Peter Maydell authored

      Add some tracepoints to the bcm2835_sdhost driver, to assist
      debugging.

      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Tested-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 20180319161556.16446-2-peter.maydell@linaro.org
    • target-arm: Check undefined opcodes for SWP in A32 decoder · c4869ca6
      Onur Sahin authored

      Make sure we are not treating architecturally Undefined instructions
      as a SWP, by verifying the opcodes as per section A8.8.229 of ARMv7-A
      specification. Bits [21:20] must be zero for this to be a SWP or SWPB.
      We also choose to UNDEF for the architecturally UNPREDICTABLE case of
      bits [11:8] not being zero.

      Signed-off-by: Onur Sahin <onursahin08@gmail.com>
      [PMM: tweaked commit message]
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
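The encoding checks that the SWP commit above describes, as an added example in C that is not QEMU's decoder code: it classifies a 32-bit A32 instruction word against the SWP/SWPB encoding in the ARMv7-A ARM section A8.8.229 that the commit cites (bits [27:23] = 00010 and [7:4] = 1001 select the SWP family, bit 22 is the B suffix, bits [21:20] must be zero, and bits [11:8] are reserved zero). The function `classify_swp`, the `swp_kind` enum and the sample instruction words in `main` are my own constructions, not identifiers from the QEMU tree.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of checking one A32 instruction word against the SWP/SWPB encoding. */
enum swp_kind {
    SWP_NONE,   /* bit pattern is not in the SWP family at all */
    SWP_UNDEF,  /* SWP family, but a reserved field is non-zero: treat as UNDEF */
    SWP_WORD,   /* SWP  Rt, Rt2, [Rn] */
    SWP_BYTE    /* SWPB Rt, Rt2, [Rn] */
};

/*
 * SWP/SWPB encoding (ARMv7-A ARM, A8.8.229):
 *
 *   31..28  27..23  22  21..20  19..16  15..12  11..8  7..4  3..0
 *   cond    00010   B   00      Rn      Rt      (0000) 1001  Rt2
 *
 * Bits [21:20] non-zero means the word is architecturally Undefined rather
 * than a SWP; bits [11:8] non-zero is UNPREDICTABLE, which a decoder should
 * also reject instead of silently executing a swap.
 */
enum swp_kind classify_swp(uint32_t insn)
{
    uint32_t op1  = (insn >> 23) & 0x1f;   /* bits [27:23] */
    uint32_t op2  = (insn >> 4)  & 0xf;    /* bits [7:4]   */
    uint32_t b    = (insn >> 22) & 0x1;    /* bit 22       */
    uint32_t rsv1 = (insn >> 20) & 0x3;    /* bits [21:20] */
    uint32_t rsv2 = (insn >> 8)  & 0xf;    /* bits [11:8]  */

    if (op1 != 0x02 || op2 != 0x9) {
        return SWP_NONE;
    }
    if (rsv1 != 0 || rsv2 != 0) {
        return SWP_UNDEF;
    }
    return b ? SWP_BYTE : SWP_WORD;
}

static const char *swp_kind_name(enum swp_kind k)
{
    switch (k) {
    case SWP_WORD:  return "SWP";
    case SWP_BYTE:  return "SWPB";
    case SWP_UNDEF: return "UNDEF (reserved SWP bits set)";
    default:        return "not a SWP";
    }
}

int main(void)
{
    /* Constructed sample words (cond = AL, Rn = r3, Rt = r1, Rt2 = r2). */
    static const uint32_t samples[] = {
        0xE1031092u,  /* SWP  r1, r2, [r3]                  */
        0xE1431092u,  /* SWPB r1, r2, [r3]                  */
        0xE1131092u,  /* bits [21:20] = 01: Undefined        */
        0xE1031192u,  /* bits [11:8] = 0001: UNPREDICTABLE   */
        0xE1831F92u,  /* STREX r1, r2, [r3]: different family */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("0x%08X -> %s\n", samples[i],
               swp_kind_name(classify_swp(samples[i])));
    }
    return 0;
}
```

The check is deliberately written as "reject unless every fixed field matches" rather than "accept if the distinguishing bits look right", which is the shape of the bug the commit fixes: a decoder that keys only on bits [27:23] and [7:4] will execute a swap for words that the architecture defines as Undefined.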