From f408f49165111b95a7186e2b1e01ee577c643855 Mon Sep 17 00:00:00 2001 From: Anthony Liguori Date: Wed, 27 Jun 2012 08:20:43 -0500 Subject: qtest: fix infinite loop when QEMU aborts abruptly From Markus: Makes "make check" hang: QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 gtester -k --verbose -m=quick tests/crash-test tests/rtc-test TEST: tests/crash-test... (pid=972) qemu-system-x86_64: Device needs media, but drive is empty [Nothing happens, wait a while, then hit ^C] make: *** [check-qtest-x86_64] Interrupt This was due to the fact that we weren't checked for errors when reading from the QMP socket. This patch adds appropriate error checking. Reported-by: Markus Armbruster Signed-off-by: Anthony Liguori (cherry picked from commit 039380a8e18f618cdacf72486449c04dc1b70eef) Signed-off-by: Michael Roth --- tests/libqtest.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/libqtest.c b/tests/libqtest.c index 6d333ef0a..0664323e1 100644 --- a/tests/libqtest.c +++ b/tests/libqtest.c @@ -290,6 +290,11 @@ void qtest_qmp(QTestState *s, const char *fmt, ...) continue; } + if (len == -1 || len == 0) { + fprintf(stderr, "Broken pipe\n"); + exit(1); + } + switch (c) { case '{': nesting++; -- cgit v1.2.3 From 7940c766d470ddb184f6d678d080006d2b668172 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 14 Aug 2012 15:35:34 +0100 Subject: configure: Don't override user's --cpu on MacOS and Solaris Both MacOS and Solaris have special case handling for the CPU type, because the check_define probes will return i386 even if the hardware is 64 bit and x86_64 would be preferable. Move these checks earlier in the configure probing so that we can do them only if the user didn't specify a CPU with --cpu. This fixes a bug where the user's command line argument was being ignored. Reviewed-by: Andreas F=E4rber Signed-off-by: Peter Maydell Signed-off-by: Anthony Liguori (cherry picked from commit bbea4050802a2e7e0296a21823c0925782c02b93) Signed-off-by: Michael Roth --- configure | 60 +++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/configure b/configure index 72d16a495..df29c2f4c 100755 --- a/configure +++ b/configure @@ -275,6 +275,41 @@ EOF compile_object } +if check_define __linux__ ; then + targetos="Linux" +elif check_define _WIN32 ; then + targetos='MINGW32' +elif check_define __OpenBSD__ ; then + targetos='OpenBSD' +elif check_define __sun__ ; then + targetos='SunOS' +elif check_define __HAIKU__ ; then + targetos='Haiku' +else + targetos=`uname -s` +fi + +# Some host OSes need non-standard checks for which CPU to use. +# Note that these checks are broken for cross-compilation: if you're +# cross-compiling to one of these OSes then you'll need to specify +# the correct CPU with the --cpu option. +case $targetos in +Darwin) + # on Leopard most of the system is 32-bit, so we have to ask the kernel if we can + # run 64-bit userspace code. + # If the user didn't specify a CPU explicitly and the kernel says this is + # 64 bit hw, then assume x86_64. Otherwise fall through to the usual detection code. + if test -z "$cpu" && test "$(sysctl -n hw.optional.x86_64)" = "1"; then + cpu="x86_64" + fi + ;; +SunOS) + # `uname -m` returns i86pc even on an x86_64 box, so default based on isainfo + if test -z "$cpu" && test "$(isainfo -k)" = "amd64"; then + cpu="x86_64" + fi +esac + if test ! -z "$cpu" ; then # command line argument : @@ -349,19 +384,6 @@ if test -z "$ARCH"; then fi # OS specific -if check_define __linux__ ; then - targetos="Linux" -elif check_define _WIN32 ; then - targetos='MINGW32' -elif check_define __OpenBSD__ ; then - targetos='OpenBSD' -elif check_define __sun__ ; then - targetos='SunOS' -elif check_define __HAIKU__ ; then - targetos='Haiku' -else - targetos=`uname -s` -fi case $targetos in CYGWIN*) @@ -411,12 +433,6 @@ OpenBSD) Darwin) bsd="yes" darwin="yes" - # on Leopard most of the system is 32-bit, so we have to ask the kernel it if we can - # run 64-bit userspace code - if [ "$cpu" = "i386" ] ; then - is_x86_64=`sysctl -n hw.optional.x86_64` - [ "$is_x86_64" = "1" ] && cpu=x86_64 - fi if [ "$cpu" = "x86_64" ] ; then QEMU_CFLAGS="-arch x86_64 $QEMU_CFLAGS" LDFLAGS="-arch x86_64 $LDFLAGS" @@ -437,12 +453,6 @@ SunOS) smbd="${SMBD-/usr/sfw/sbin/smbd}" needs_libsunmath="no" solarisrev=`uname -r | cut -f2 -d.` - # have to select again, because `uname -m` returns i86pc - # even on an x86_64 box. - solariscpu=`isainfo -k` - if test "${solariscpu}" = "amd64" ; then - cpu="x86_64" - fi if [ "$cpu" = "i386" -o "$cpu" = "x86_64" ] ; then if test "$solarisrev" -le 9 ; then if test -f /opt/SUNWspro/prod/lib/libsunmath.so.1; then -- cgit v1.2.3 From 08e642c00e979b10e3fb293272dc3057ab9f220b Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 6 Aug 2012 18:44:45 +0000 Subject: ppc: Fix bug in handling of PAPR hypercall exits Currently for powerpc, kvm_arch_handle_exit() always returns 1, meaning that its caller - kvm_cpu_exec() - will always exit immediately afterwards to the loop in qemu_kvm_cpu_thread_fn(). There's no need to do this. Once we've handled the hypercall there's no reason we can't go straight around and KVM_RUN again, which is what ret = 0 will signal. The only exception might be for hypercalls which affect the state of cpu_can_run(), however the only one that might do this is H_CEDE and for kvm that is always handled in the kernel, not qemu. Furtherm setting ret = 0 means that when exit_requested is set from a hypercall, we will enter KVM_RUN once more with a signal which lets the the kernel do its internal logic to complete the hypercall with out actually executing any more guest code. This is important if our hypercall also triggered a reset, which previously would re-initialize everything without completing the hypercall. This caused the kernel to get confused because it thought the guest was still in the middle of a hypercall when it has actually been reset. This patch therefore changes to ret = 0, which is both a bugfix and a small optimization. Signed-off-by: David Gibson Signed-off-by: Alexander Graf (cherry picked from commit 78e8fde26c032931ca2ae13bfc7c59e38afd17ee) Signed-off-by: Michael Roth --- target-ppc/kvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c index c09cc39c7..29997af76 100644 --- a/target-ppc/kvm.c +++ b/target-ppc/kvm.c @@ -558,7 +558,7 @@ int kvm_arch_handle_exit(CPUPPCState *env, struct kvm_run *run) dprintf("handle PAPR hypercall\n"); run->papr_hcall.ret = spapr_hypercall(env, run->papr_hcall.nr, run->papr_hcall.args); - ret = 1; + ret = 0; break; #endif default: -- cgit v1.2.3 From 97ac3b1af57a4cdbf04ad55c308dff72bc9f1a61 Mon Sep 17 00:00:00 2001 From: Christian Borntraeger Date: Mon, 23 Jul 2012 21:37:04 +0000 Subject: s390: Fix error handling and condition code of service call Invalid sccb addresses will cause specification or addressing exception. Lets add those checks. Furthermore, the good case (cc=0) was incorrect for KVM, we did not set the CC at all. We now use return codes < 0 as program checks and return codes > 0 as condition code values. Signed-off-by: Christian Borntraeger Signed-off-by: Alexander Graf (cherry picked from commit 9abf567d95a4e840df868ca993219175fbef8c22) Signed-off-by: Michael Roth --- target-s390x/kvm.c | 5 +++-- target-s390x/op_helper.c | 27 ++++++++++++++++++--------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c index 90aad61eb..e4e6f15ea 100644 --- a/target-s390x/kvm.c +++ b/target-s390x/kvm.c @@ -238,9 +238,10 @@ static int kvm_sclp_service_call(CPUS390XState *env, struct kvm_run *run, code = env->regs[(ipbh0 & 0xf0) >> 4]; r = sclp_service_call(env, sccb, code); - if (r) { - setcc(env, 3); + if (r < 0) { + enter_pgmcheck(env, -r); } + setcc(env, r); return 0; } diff --git a/target-s390x/op_helper.c b/target-s390x/op_helper.c index 7b7247316..91dd8dc3f 100644 --- a/target-s390x/op_helper.c +++ b/target-s390x/op_helper.c @@ -19,6 +19,8 @@ */ #include "cpu.h" +#include "memory.h" +#include "cputlb.h" #include "dyngen-exec.h" #include "host-utils.h" #include "helper.h" @@ -2366,6 +2368,9 @@ static void ext_interrupt(CPUS390XState *env, int type, uint32_t param, cpu_inject_ext(env, type, param, param64); } +/* + * ret < 0 indicates program check, ret = 0,1,2,3 -> cc + */ int sclp_service_call(CPUS390XState *env, uint32_t sccb, uint64_t code) { int r = 0; @@ -2375,10 +2380,12 @@ int sclp_service_call(CPUS390XState *env, uint32_t sccb, uint64_t code) printf("sclp(0x%x, 0x%" PRIx64 ")\n", sccb, code); #endif + /* basic checks */ + if (!memory_region_is_ram(phys_page_find(sccb >> TARGET_PAGE_BITS)->mr)) { + return -PGM_ADDRESSING; + } if (sccb & ~0x7ffffff8ul) { - fprintf(stderr, "KVM: invalid sccb address 0x%x\n", sccb); - r = -1; - goto out; + return -PGM_SPECIFICATION; } switch(code) { @@ -2405,22 +2412,24 @@ int sclp_service_call(CPUS390XState *env, uint32_t sccb, uint64_t code) #ifdef DEBUG_HELPER printf("KVM: invalid sclp call 0x%x / 0x%" PRIx64 "x\n", sccb, code); #endif - r = -1; + r = 3; break; } -out: return r; } /* SCLP service call */ uint32_t HELPER(servc)(uint32_t r1, uint64_t r2) { - if (sclp_service_call(env, r1, r2)) { - return 3; - } + int r; - return 0; + r = sclp_service_call(env, r1, r2); + if (r < 0) { + program_interrupt(env, -r, 4); + return 0; + } + return r; } /* DIAG */ -- cgit v1.2.3 From 5a1800cf1cc7869d29e6bd299dddbab7a3acbb2b Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Tue, 14 Aug 2012 13:43:12 +0200 Subject: kvmvapic: Disable if there is insufficient memory We need at least 1M of RAM to map the option ROM. Otherwise, we will corrupt host memory or even crash: $ qemu-system-x86_64 -nodefaults --enable-kvm -vnc :0 -m 640k Segmentation fault (core dumped) Reported-and-tested-by: Markus Armbruster Signed-off-by: Jan Kiszka Signed-off-by: Marcelo Tosatti (cherry picked from commit a9605e0317c7a6d5e68f3a3b6708c8ef1096f4bc) Signed-off-by: Michael Roth --- hw/apic_common.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/apic_common.c b/hw/apic_common.c index 60b82596e..e4612bbc7 100644 --- a/hw/apic_common.c +++ b/hw/apic_common.c @@ -289,7 +289,9 @@ static int apic_init_common(SysBusDevice *dev) sysbus_init_mmio(dev, &s->io_memory); - if (!vapic && s->vapic_control & VAPIC_ENABLE_MASK) { + /* Note: We need at least 1M to map the VAPIC option ROM */ + if (!vapic && s->vapic_control & VAPIC_ENABLE_MASK && + ram_size >= 1024 * 1024) { vapic = sysbus_create_simple("kvmvapic", -1, NULL); } s->vapic = vapic; -- cgit v1.2.3 From 36ed337845a00240c370bbea782f953a8110d0c0 Mon Sep 17 00:00:00 2001 From: Anthony Liguori Date: Wed, 27 Jun 2012 07:37:54 -0500 Subject: qdev: fix use-after-free in the error path of qdev_init_nofail From Markus: Before: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty qemu-system-x86_64: Initialization of device ide-hd failed [Exit 1 ] After: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty Segmentation fault (core dumped) [Exit 139 (SIGSEGV)] This error always existed as qdev_init() frees the object. But QOM goes a bit further and purposefully sets the class pointer to NULL to help find use-after-free. It worked :-) Cc: Andreas Faerber Reported-by: Markus Armbruster Signed-off-by: Anthony Liguori (cherry picked from commit 7de3abe505e34398cef5bddf6c4d0bd9ee47007f) Signed-off-by: Michael Roth --- hw/qdev.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/qdev.c b/hw/qdev.c index af419b9c1..8e8ca3ff9 100644 --- a/hw/qdev.c +++ b/hw/qdev.c @@ -256,9 +256,10 @@ int qdev_simple_unplug_cb(DeviceState *dev) way is somewhat unclean, and best avoided. */ void qdev_init_nofail(DeviceState *dev) { + const char *typename = object_get_typename(OBJECT(dev)); + if (qdev_init(dev) < 0) { - error_report("Initialization of device %s failed", - object_get_typename(OBJECT(dev))); + error_report("Initialization of device %s failed", typename); exit(1); } } -- cgit v1.2.3 From 3b38972743856fbfcee88fc15eb0753977103313 Mon Sep 17 00:00:00 2001 From: Avi Kivity Date: Mon, 6 Aug 2012 15:49:03 +0300 Subject: virtio-blk: fix use-after-free while handling scsi commands The scsi passthrough handler falls through after completing a request into the failure path, resulting in a use after free. Reproducible by running a guest with aio=native on a block device. Reported-by: Stefan Priebe Signed-off-by: Avi Kivity Signed-off-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf (cherry picked from commit 730a9c53b4e52681fcfe31cf38854cbf91e132c7) Signed-off-by: Michael Roth --- hw/virtio-blk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c index fe0774617..f44d24420 100644 --- a/hw/virtio-blk.c +++ b/hw/virtio-blk.c @@ -253,6 +253,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) virtio_blk_req_complete(req, status); g_free(req); + return; #else abort(); #endif -- cgit v1.2.3 From 34b41ed15dd050097def7aebde9b39a12bd4cc43 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Thu, 24 May 2012 12:04:50 +0200 Subject: ehci: fix reset Check for the reset bit first when processing USBCMD register writes. Also break out of the switch, there is no need to check the other bits. Signed-off-by: Gerd Hoffmann (cherry picked from commit 7046530c36fa3a3f87692bdb54556f5d891a9c03) Signed-off-by: Michael Roth --- hw/usb/hcd-ehci.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index e759c996c..5855c5d91 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1064,6 +1064,12 @@ static void ehci_mem_writel(void *ptr, target_phys_addr_t addr, uint32_t val) /* Do any register specific pre-write processing here. */ switch(addr) { case USBCMD: + if (val & USBCMD_HCRESET) { + ehci_reset(s); + val = s->usbcmd; + break; + } + if ((val & USBCMD_RUNSTOP) && !(s->usbcmd & USBCMD_RUNSTOP)) { qemu_mod_timer(s->frame_timer, qemu_get_clock_ns(vm_clock)); SET_LAST_RUN_CLOCK(s); @@ -1077,10 +1083,6 @@ static void ehci_mem_writel(void *ptr, target_phys_addr_t addr, uint32_t val) ehci_set_usbsts(s, USBSTS_HALT); } - if (val & USBCMD_HCRESET) { - ehci_reset(s); - val = s->usbcmd; - } /* not supporting dynamic frame list size at the moment */ if ((val & USBCMD_FLS) && !(s->usbcmd & USBCMD_FLS)) { -- cgit v1.2.3 From b10daa61f9a600997b59b36b34c6e2341a6e7616 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 20 Jun 2012 13:14:08 +0200 Subject: ehci: don't flush cache on doorbell rings. Commit 4be23939ab0d7019c7e59a37485b416fbbf0f073 makes ehci instantly zap any unlinked queue heads when the guest rings the doorbell. While hacking up uas support this turned out to be a problem. The linux kernel can unlink and instantly relink the very same queue head, thereby killing any async packets in flight. That alone isn't an issue yet, the packet will canceled and resubmitted and everything is fine. We'll run into trouble though in case the async packet is completed already, so we can't cancel it any more. The transaction is simply lost then. usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f0c2 qtds 29dbce40,29dbc4e0,00000009 usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2 usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: alloc usb_packet_state_change bus 0, port 2, ep 1, packet 0x7f95fdec32e0, state undef -> setup usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: process usb_uas_command dev 2, tag 0x2, lun 0, lun64 00000000-00000000 scsi_req_parsed target 0 lun 0 tag 2 command 42 dir 2 length 16384 scsi_req_parsed_lba target 0 lun 0 tag 2 command 42 lba 5933312 scsi_req_alloc target 0 lun 0 tag 2 scsi_req_continue target 0 lun 0 tag 2 scsi_req_data target 0 lun 0 tag 2 len 16384 usb_uas_scsi_data dev 2, tag 0x2, bytes 16384 usb_uas_write_ready dev 2, tag 0x2 usb_packet_state_change bus 0, port 2, ep 1, packet 0x7f95fdec32e0, state setup -> complete usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: free usb_ehci_qh_ptrs q 0x7f95fdec3210 - QH @ 39c4f0c0: next 39c4f002 qtds 29dbce40,00000001,00000009 usb_ehci_qh_fields QH @ 39c4f0c0 - rl 4, mplen 512, eps 2, ep 2, dev 2 usb_ehci_queue_action q 0x7f95fe5152a0: free usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state async -> complete ^^^ async packets completes. usb_ehci_packet_action q 0x7f95fdec3210 p 0x7f95feba9130: wakeup usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f002 qtds 29dbc4e0,29dbc8a0,00000009 usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2 usb_ehci_queue_action q 0x7f95fdec3210: free usb_ehci_packet_action q 0x7f95fdec3210 p 0x7f95feba9130: free ^^^ endpoint #2 queue head removed from schedule, doorbell makes ehci zap the queue, the (completed) usb packet is freed too and gets lost. usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f0c2 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f0c2 qtds 00000000,00000001,39c50000 usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0 usb_ehci_queue_action q 0x7f9600dff570: alloc usb_ehci_qh_ptrs q 0x7f9600dff570 - QH @ 39c4f0c0: next 39c4f122 qtds 29dbce40,00000001,00000009 usb_ehci_qh_fields QH @ 39c4f0c0 - rl 4, mplen 512, eps 2, ep 2, dev 2 usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: alloc usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state undef -> setup usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: process usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state setup -> async usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: async ^^^ linux kernel relinked the queue head, ehci creates a new usb packet, but we should have delivered the completed one instead. usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f002 qtds 29dbc4e0,29dbc8a0,00000009 usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2 So instead of instantly zapping the queue we'll set a flag that the queue needs revalidation in case we'll see it again in the schedule. ehci then checks that the queue head fields addressing / describing the endpoint and the qtd pointer match the cached content before reusing it. Cc: Hans de Goede Signed-off-by: Gerd Hoffmann (cherry picked from commit 9bc3a3a216e2689bfcdd36c3e079333bbdbf3ba0) Conflicts: hw/usb/hcd-ehci.c Signed-off-by: Michael Roth --- hw/usb/hcd-ehci.c | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 5855c5d91..ce8b405b7 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -348,6 +348,7 @@ struct EHCIQueue { QTAILQ_ENTRY(EHCIQueue) next; uint32_t seen; uint64_t ts; + int revalidate; /* cached data from guest - needs to be flushed * when guest removes an entry (doorbell, handshake sequence) @@ -695,7 +696,18 @@ static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint32_t addr, return NULL; } -static void ehci_queues_rip_unused(EHCIState *ehci, int async, int flush) +static void ehci_queues_tag_unused_async(EHCIState *ehci) +{ + EHCIQueue *q; + + QTAILQ_FOREACH(q, &ehci->aqueues, next) { + if (!q->seen) { + q->revalidate = 1; + } + } +} + +static void ehci_queues_rip_unused(EHCIState *ehci, int async) { EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; EHCIQueue *q, *tmp; @@ -706,7 +718,7 @@ static void ehci_queues_rip_unused(EHCIState *ehci, int async, int flush) q->ts = ehci->last_run_ns; continue; } - if (!flush && ehci->last_run_ns < q->ts + 250000000) { + if (ehci->last_run_ns < q->ts + 250000000) { /* allow 0.25 sec idle */ continue; } @@ -1521,7 +1533,7 @@ static int ehci_state_waitlisthead(EHCIState *ehci, int async) ehci_set_usbsts(ehci, USBSTS_REC); } - ehci_queues_rip_unused(ehci, async, 0); + ehci_queues_rip_unused(ehci, async); /* Find the head of the list (4.9.1.1) */ for(i = 0; i < MAX_QH; i++) { @@ -1605,6 +1617,7 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async) { uint32_t entry; EHCIQueue *q; + EHCIqh qh; entry = ehci_get_fetch_addr(ehci, async); q = ehci_find_queue_by_qh(ehci, entry, async); @@ -1622,7 +1635,16 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async) } get_dwords(ehci, NLPTR_GET(q->qhaddr), - (uint32_t *) &q->qh, sizeof(EHCIqh) >> 2); + (uint32_t *) &qh, sizeof(EHCIqh) >> 2); + if (q->revalidate && (q->qh.epchar != qh.epchar || + q->qh.epcap != qh.epcap || + q->qh.current_qtd != qh.current_qtd)) { + ehci_free_queue(q, async); + q = ehci_alloc_queue(ehci, async); + q->seen++; + } + q->qh = qh; + q->revalidate = 0; ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &q->qh); if (q->async == EHCI_ASYNC_INFLIGHT) { @@ -2047,7 +2069,7 @@ static void ehci_advance_async_state(EHCIState *ehci) */ if (ehci->usbcmd & USBCMD_IAAD) { /* Remove all unseen qhs from the async qhs queue */ - ehci_queues_rip_unused(ehci, async, 1); + ehci_queues_tag_unused_async(ehci); DPRINTF("ASYNC: doorbell request acknowledged\n"); ehci->usbcmd &= ~USBCMD_IAAD; ehci_set_interrupt(ehci, USBSTS_IAA); @@ -2102,7 +2124,7 @@ static void ehci_advance_periodic_state(EHCIState *ehci) ehci_set_fetch_addr(ehci, async,entry); ehci_set_state(ehci, async, EST_FETCHENTRY); ehci_advance_state(ehci, async); - ehci_queues_rip_unused(ehci, async, 0); + ehci_queues_rip_unused(ehci, async); break; default: -- cgit v1.2.3 From f49853a4bd5113cdb847579b8fb171a06d68af10 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 15 Jun 2012 09:39:50 +0200 Subject: uhci: fix uhci_async_cancel_all We update the QTAILQ in the loop, thus we must use the SAFE version to make sure we don't touch the queue struct after freeing it. https://bugzilla.novell.com/show_bug.cgi?id=766310 Signed-off-by: Gerd Hoffmann (cherry picked from commit 77fa9aee38758a078870e25f0dcf642066b4d5cc) Signed-off-by: Michael Roth --- hw/usb/hcd-uhci.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c index 9e211a0bb..3803f526d 100644 --- a/hw/usb/hcd-uhci.c +++ b/hw/usb/hcd-uhci.c @@ -288,10 +288,10 @@ static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev) static void uhci_async_cancel_all(UHCIState *s) { - UHCIQueue *queue; + UHCIQueue *queue, *nq; UHCIAsync *curr, *n; - QTAILQ_FOREACH(queue, &s->queues, next) { + QTAILQ_FOREACH_SAFE(queue, &s->queues, next, nq) { QTAILQ_FOREACH_SAFE(curr, &queue->asyncs, next, n) { uhci_async_unlink(curr); uhci_async_cancel(curr); -- cgit v1.2.3 From a1a17b1d5a7fe618e42a94fc171712aeb31561ec Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 8 Jun 2012 12:58:46 +0200 Subject: usb: restore USBDevice->attached on vmload Signed-off-by: Gerd Hoffmann (cherry picked from commit 495d544798151206bafca65ec588c0388637eb40) Signed-off-by: Michael Roth --- hw/usb/bus.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index 2068640a5..77b2b99e5 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -27,10 +27,23 @@ static struct BusInfo usb_bus_info = { static int next_usb_bus = 0; static QTAILQ_HEAD(, USBBus) busses = QTAILQ_HEAD_INITIALIZER(busses); +static int usb_device_post_load(void *opaque, int version_id) +{ + USBDevice *dev = opaque; + + if (dev->state == USB_STATE_NOTATTACHED) { + dev->attached = 0; + } else { + dev->attached = 1; + } + return 0; +} + const VMStateDescription vmstate_usb_device = { .name = "USBDevice", .version_id = 1, .minimum_version_id = 1, + .post_load = usb_device_post_load, .fields = (VMStateField []) { VMSTATE_UINT8(addr, USBDevice), VMSTATE_INT32(state, USBDevice), -- cgit v1.2.3 From b00201d402e9927427a4494510c9d0a4b2f620c7 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Fri, 6 Jul 2012 12:09:32 +0200 Subject: usb-redir: Correctly handle the usb_redir_babble usbredir status Signed-off-by: Hans de Goede Signed-off-by: Gerd Hoffmann (cherry picked from commit adae502c0ae4572ef08f71cb5b5ed5a8e90299fe) Signed-off-by: Michael Roth --- hw/usb/redirect.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 51c27b405..1fd903acc 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -1031,6 +1031,8 @@ static int usbredir_handle_status(USBRedirDevice *dev, case usb_redir_inval: WARNING("got invalid param error from usb-host?\n"); return USB_RET_NAK; + case usb_redir_babble: + return USB_RET_BABBLE; case usb_redir_ioerror: case usb_redir_timeout: default: -- cgit v1.2.3 From dbeb6c22d7a6d17f14fec38725bca63218ab7f22 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Fri, 6 Jul 2012 12:09:33 +0200 Subject: usb-ehci: Fix an assert whenever isoc transfers are used hcd-ehci.c is missing an usb_packet_init() call for the ipacket UsbPacket it uses for isoc transfers, triggering an assert (taking the entire vm down) in usb_packet_setup as soon as any isoc transfers are done by a high speed USB device. Signed-off-by: Hans de Goede Signed-off-by: Gerd Hoffmann (cherry picked from commit 7341ea075c09258b98a1d0efc60efd402cbfc9b4) Signed-off-by: Michael Roth --- hw/usb/hcd-ehci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index ce8b405b7..41c9d8435 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -2324,6 +2324,7 @@ static int usb_ehci_initfn(PCIDevice *dev) s->frame_timer = qemu_new_timer_ns(vm_clock, ehci_frame_timer, s); QTAILQ_INIT(&s->aqueues); QTAILQ_INIT(&s->pqueues); + usb_packet_init(&s->ipacket); qemu_register_reset(ehci_reset, s); -- cgit v1.2.3 From 8a869baa08b3b3fd7a122957983f3d7754728112 Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Wed, 15 Aug 2012 13:45:42 -0500 Subject: qlist: add qlist_size() Signed-off-by: Michael Roth Reviewed-by: Eric Blake Signed-off-by: Michael Roth Signed-off-by: Anthony Liguori (cherry picked from commit a86a4c2f7b7f0b72816ea1c219d8140699b6665b) Signed-off-by: Michael Roth --- qlist.c | 13 +++++++++++++ qlist.h | 1 + 2 files changed, 14 insertions(+) diff --git a/qlist.c b/qlist.c index 88498b157..b48ec5b91 100644 --- a/qlist.c +++ b/qlist.c @@ -124,6 +124,19 @@ int qlist_empty(const QList *qlist) return QTAILQ_EMPTY(&qlist->head); } +static void qlist_size_iter(QObject *obj, void *opaque) +{ + size_t *count = opaque; + (*count)++; +} + +size_t qlist_size(const QList *qlist) +{ + size_t count = 0; + qlist_iter(qlist, qlist_size_iter, &count); + return count; +} + /** * qobject_to_qlist(): Convert a QObject into a QList */ diff --git a/qlist.h b/qlist.h index d426bd4a4..ae776f99c 100644 --- a/qlist.h +++ b/qlist.h @@ -49,6 +49,7 @@ void qlist_iter(const QList *qlist, QObject *qlist_pop(QList *qlist); QObject *qlist_peek(QList *qlist); int qlist_empty(const QList *qlist); +size_t qlist_size(const QList *qlist); QList *qobject_to_qlist(const QObject *obj); static inline const QListEntry *qlist_first(const QList *qlist) -- cgit v1.2.3 From 9c7e3b98aac6c43c3cf4d261696f58b13f84afe7 Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Wed, 15 Aug 2012 13:45:43 -0500 Subject: json-parser: don't replicate tokens at each level of recursion Currently, when parsing a stream of tokens we make a copy of the token list at the beginning of each level of recursion so that we do not modify the original list in cases where we need to fall back to an earlier state. In the worst case, we will only read 1 or 2 tokens off the list before recursing again, which means an upper bound of roughly N^2 token allocations. For a "reasonably" sized QMP request (in this a QMP representation of cirrus_vga's device state, generated via QIDL, being passed in via qom-set), this caused my 16GB's of memory to be exhausted before any noticeable progress was made by the parser. This patch works around the issue by using single copy of the token list in the form of an indexable array so that we can save/restore state by manipulating indices. A subsequent commit adds a "large_dict" test case which exhibits the same behavior as above. With this patch applied the test case successfully completes in under a second. Tested with valgrind, make check, and QMP. Reviewed-by: Eric Blake Signed-off-by: Michael Roth Signed-off-by: Anthony Liguori (cherry picked from commit 65c0f1e9558c7c762cdb333406243fff1d687117) Signed-off-by: Michael Roth --- json-parser.c | 230 ++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 142 insertions(+), 88 deletions(-) diff --git a/json-parser.c b/json-parser.c index 849e2156d..457291b16 100644 --- a/json-parser.c +++ b/json-parser.c @@ -27,6 +27,11 @@ typedef struct JSONParserContext { Error *err; + struct { + QObject **buf; + size_t pos; + size_t count; + } tokens; } JSONParserContext; #define BUG_ON(cond) assert(!(cond)) @@ -40,7 +45,7 @@ typedef struct JSONParserContext * 4) deal with premature EOI */ -static QObject *parse_value(JSONParserContext *ctxt, QList **tokens, va_list *ap); +static QObject *parse_value(JSONParserContext *ctxt, va_list *ap); /** * Token manipulators @@ -270,27 +275,111 @@ out: return NULL; } +static QObject *parser_context_pop_token(JSONParserContext *ctxt) +{ + QObject *token; + g_assert(ctxt->tokens.pos < ctxt->tokens.count); + token = ctxt->tokens.buf[ctxt->tokens.pos]; + ctxt->tokens.pos++; + return token; +} + +/* Note: parser_context_{peek|pop}_token do not increment the + * token object's refcount. In both cases the references will continue + * to be tracked and cleaned up in parser_context_free(), so do not + * attempt to free the token object. + */ +static QObject *parser_context_peek_token(JSONParserContext *ctxt) +{ + QObject *token; + g_assert(ctxt->tokens.pos < ctxt->tokens.count); + token = ctxt->tokens.buf[ctxt->tokens.pos]; + return token; +} + +static JSONParserContext parser_context_save(JSONParserContext *ctxt) +{ + JSONParserContext saved_ctxt = {0}; + saved_ctxt.tokens.pos = ctxt->tokens.pos; + saved_ctxt.tokens.count = ctxt->tokens.count; + saved_ctxt.tokens.buf = ctxt->tokens.buf; + return saved_ctxt; +} + +static void parser_context_restore(JSONParserContext *ctxt, + JSONParserContext saved_ctxt) +{ + ctxt->tokens.pos = saved_ctxt.tokens.pos; + ctxt->tokens.count = saved_ctxt.tokens.count; + ctxt->tokens.buf = saved_ctxt.tokens.buf; +} + +static void tokens_append_from_iter(QObject *obj, void *opaque) +{ + JSONParserContext *ctxt = opaque; + g_assert(ctxt->tokens.pos < ctxt->tokens.count); + ctxt->tokens.buf[ctxt->tokens.pos++] = obj; + qobject_incref(obj); +} + +static JSONParserContext *parser_context_new(QList *tokens) +{ + JSONParserContext *ctxt; + size_t count; + + if (!tokens) { + return NULL; + } + + count = qlist_size(tokens); + if (count == 0) { + return NULL; + } + + ctxt = g_malloc0(sizeof(JSONParserContext)); + ctxt->tokens.pos = 0; + ctxt->tokens.count = count; + ctxt->tokens.buf = g_malloc(count * sizeof(QObject *)); + qlist_iter(tokens, tokens_append_from_iter, ctxt); + ctxt->tokens.pos = 0; + + return ctxt; +} + +/* to support error propagation, ctxt->err must be freed separately */ +static void parser_context_free(JSONParserContext *ctxt) +{ + int i; + if (ctxt) { + for (i = 0; i < ctxt->tokens.count; i++) { + qobject_decref(ctxt->tokens.buf[i]); + } + g_free(ctxt->tokens.buf); + g_free(ctxt); + } +} + /** * Parsing rules */ -static int parse_pair(JSONParserContext *ctxt, QDict *dict, QList **tokens, va_list *ap) +static int parse_pair(JSONParserContext *ctxt, QDict *dict, va_list *ap) { QObject *key = NULL, *token = NULL, *value, *peek; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); - peek = qlist_peek(working); + peek = parser_context_peek_token(ctxt); if (peek == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; } - key = parse_value(ctxt, &working, ap); + key = parse_value(ctxt, ap); if (!key || qobject_type(key) != QTYPE_QSTRING) { parse_error(ctxt, peek, "key is not a string in object"); goto out; } - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; @@ -301,7 +390,7 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict, QList **tokens, va_l goto out; } - value = parse_value(ctxt, &working, ap); + value = parse_value(ctxt, ap); if (value == NULL) { parse_error(ctxt, token, "Missing value in dict"); goto out; @@ -309,28 +398,24 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict, QList **tokens, va_l qdict_put_obj(dict, qstring_get_str(qobject_to_qstring(key)), value); - qobject_decref(token); qobject_decref(key); - QDECREF(*tokens); - *tokens = working; return 0; out: - qobject_decref(token); + parser_context_restore(ctxt, saved_ctxt); qobject_decref(key); - QDECREF(working); return -1; } -static QObject *parse_object(JSONParserContext *ctxt, QList **tokens, va_list *ap) +static QObject *parse_object(JSONParserContext *ctxt, va_list *ap) { QDict *dict = NULL; QObject *token, *peek; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { goto out; } @@ -338,23 +423,22 @@ static QObject *parse_object(JSONParserContext *ctxt, QList **tokens, va_list *a if (!token_is_operator(token, '{')) { goto out; } - qobject_decref(token); token = NULL; dict = qdict_new(); - peek = qlist_peek(working); + peek = parser_context_peek_token(ctxt); if (peek == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; } if (!token_is_operator(peek, '}')) { - if (parse_pair(ctxt, dict, &working, ap) == -1) { + if (parse_pair(ctxt, dict, ap) == -1) { goto out; } - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; @@ -365,59 +449,52 @@ static QObject *parse_object(JSONParserContext *ctxt, QList **tokens, va_list *a parse_error(ctxt, token, "expected separator in dict"); goto out; } - qobject_decref(token); token = NULL; - if (parse_pair(ctxt, dict, &working, ap) == -1) { + if (parse_pair(ctxt, dict, ap) == -1) { goto out; } - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; } } - qobject_decref(token); token = NULL; } else { - token = qlist_pop(working); - qobject_decref(token); + token = parser_context_pop_token(ctxt); token = NULL; } - QDECREF(*tokens); - *tokens = working; - return QOBJECT(dict); out: - qobject_decref(token); - QDECREF(working); + parser_context_restore(ctxt, saved_ctxt); QDECREF(dict); return NULL; } -static QObject *parse_array(JSONParserContext *ctxt, QList **tokens, va_list *ap) +static QObject *parse_array(JSONParserContext *ctxt, va_list *ap) { QList *list = NULL; QObject *token, *peek; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { goto out; } if (!token_is_operator(token, '[')) { + token = NULL; goto out; } - qobject_decref(token); token = NULL; list = qlist_new(); - peek = qlist_peek(working); + peek = parser_context_peek_token(ctxt); if (peek == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; @@ -426,7 +503,7 @@ static QObject *parse_array(JSONParserContext *ctxt, QList **tokens, va_list *ap if (!token_is_operator(peek, ']')) { QObject *obj; - obj = parse_value(ctxt, &working, ap); + obj = parse_value(ctxt, ap); if (obj == NULL) { parse_error(ctxt, token, "expecting value"); goto out; @@ -434,7 +511,7 @@ static QObject *parse_array(JSONParserContext *ctxt, QList **tokens, va_list *ap qlist_append_obj(list, obj); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; @@ -446,10 +523,9 @@ static QObject *parse_array(JSONParserContext *ctxt, QList **tokens, va_list *ap goto out; } - qobject_decref(token); token = NULL; - obj = parse_value(ctxt, &working, ap); + obj = parse_value(ctxt, ap); if (obj == NULL) { parse_error(ctxt, token, "expecting value"); goto out; @@ -457,39 +533,33 @@ static QObject *parse_array(JSONParserContext *ctxt, QList **tokens, va_list *ap qlist_append_obj(list, obj); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { parse_error(ctxt, NULL, "premature EOI"); goto out; } } - qobject_decref(token); token = NULL; } else { - token = qlist_pop(working); - qobject_decref(token); + token = parser_context_pop_token(ctxt); token = NULL; } - QDECREF(*tokens); - *tokens = working; - return QOBJECT(list); out: - qobject_decref(token); - QDECREF(working); + parser_context_restore(ctxt, saved_ctxt); QDECREF(list); return NULL; } -static QObject *parse_keyword(JSONParserContext *ctxt, QList **tokens) +static QObject *parse_keyword(JSONParserContext *ctxt) { QObject *token, *ret; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { goto out; } @@ -507,29 +577,24 @@ static QObject *parse_keyword(JSONParserContext *ctxt, QList **tokens) goto out; } - qobject_decref(token); - QDECREF(*tokens); - *tokens = working; - return ret; out: - qobject_decref(token); - QDECREF(working); + parser_context_restore(ctxt, saved_ctxt); return NULL; } -static QObject *parse_escape(JSONParserContext *ctxt, QList **tokens, va_list *ap) +static QObject *parse_escape(JSONParserContext *ctxt, va_list *ap) { QObject *token = NULL, *obj; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); if (ap == NULL) { goto out; } - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { goto out; } @@ -553,25 +618,20 @@ static QObject *parse_escape(JSONParserContext *ctxt, QList **tokens, va_list *a goto out; } - qobject_decref(token); - QDECREF(*tokens); - *tokens = working; - return obj; out: - qobject_decref(token); - QDECREF(working); + parser_context_restore(ctxt, saved_ctxt); return NULL; } -static QObject *parse_literal(JSONParserContext *ctxt, QList **tokens) +static QObject *parse_literal(JSONParserContext *ctxt) { QObject *token, *obj; - QList *working = qlist_copy(*tokens); + JSONParserContext saved_ctxt = parser_context_save(ctxt); - token = qlist_pop(working); + token = parser_context_pop_token(ctxt); if (token == NULL) { goto out; } @@ -591,35 +651,30 @@ static QObject *parse_literal(JSONParserContext *ctxt, QList **tokens) goto out; } - qobject_decref(token); - QDECREF(*tokens); - *tokens = working; - return obj; out: - qobject_decref(token); - QDECREF(working); + parser_context_restore(ctxt, saved_ctxt); return NULL; } -static QObject *parse_value(JSONParserContext *ctxt, QList **tokens, va_list *ap) +static QObject *parse_value(JSONParserContext *ctxt, va_list *ap) { QObject *obj; - obj = parse_object(ctxt, tokens, ap); + obj = parse_object(ctxt, ap); if (obj == NULL) { - obj = parse_array(ctxt, tokens, ap); + obj = parse_array(ctxt, ap); } if (obj == NULL) { - obj = parse_escape(ctxt, tokens, ap); + obj = parse_escape(ctxt, ap); } if (obj == NULL) { - obj = parse_keyword(ctxt, tokens); + obj = parse_keyword(ctxt); } if (obj == NULL) { - obj = parse_literal(ctxt, tokens); + obj = parse_literal(ctxt); } return obj; @@ -632,19 +687,18 @@ QObject *json_parser_parse(QList *tokens, va_list *ap) QObject *json_parser_parse_err(QList *tokens, va_list *ap, Error **errp) { - JSONParserContext ctxt = {}; - QList *working; + JSONParserContext *ctxt = parser_context_new(tokens); QObject *result; - if (!tokens) { + if (!ctxt) { return NULL; } - working = qlist_copy(tokens); - result = parse_value(&ctxt, &working, ap); - QDECREF(working); + result = parse_value(ctxt, ap); + + error_propagate(errp, ctxt->err); - error_propagate(errp, ctxt.err); + parser_context_free(ctxt); return result; } -- cgit v1.2.3 From b83883e2dbbbeb4b4f5c2fc83c5eec8e2d5a6c5d Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Wed, 15 Aug 2012 13:45:44 -0500 Subject: check-qjson: add test for large JSON objects Signed-off-by: Michael Roth Signed-off-by: Anthony Liguori (cherry picked from commit 7109edfeb69c1d3c2164175837784dfcd210fed0) Signed-off-by: Michael Roth --- tests/check-qjson.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/tests/check-qjson.c b/tests/check-qjson.c index 526e25ef6..3b896f5f9 100644 --- a/tests/check-qjson.c +++ b/tests/check-qjson.c @@ -466,6 +466,58 @@ static void simple_dict(void) } } +/* + * this generates json of the form: + * a(0,m) = [0, 1, ..., m-1] + * a(n,m) = { + * 'key0': a(0,m), + * 'key1': a(1,m), + * ... + * 'key(n-1)': a(n-1,m) + * } + */ +static void gen_test_json(GString *gstr, int nest_level_max, + int elem_count) +{ + int i; + + g_assert(gstr); + if (nest_level_max == 0) { + g_string_append(gstr, "["); + for (i = 0; i < elem_count; i++) { + g_string_append_printf(gstr, "%d", i); + if (i < elem_count - 1) { + g_string_append_printf(gstr, ", "); + } + } + g_string_append(gstr, "]"); + return; + } + + g_string_append(gstr, "{"); + for (i = 0; i < nest_level_max; i++) { + g_string_append_printf(gstr, "'key%d': ", i); + gen_test_json(gstr, i, elem_count); + if (i < nest_level_max - 1) { + g_string_append(gstr, ","); + } + } + g_string_append(gstr, "}"); +} + +static void large_dict(void) +{ + GString *gstr = g_string_new(""); + QObject *obj; + + gen_test_json(gstr, 10, 100); + obj = qobject_from_json(gstr->str); + g_assert(obj != NULL); + + qobject_decref(obj); + g_string_free(gstr, true); +} + static void simple_list(void) { int i; @@ -706,6 +758,7 @@ int main(int argc, char **argv) g_test_add_func("/literals/keyword", keyword_literal); g_test_add_func("/dicts/simple_dict", simple_dict); + g_test_add_func("/dicts/large_dict", large_dict); g_test_add_func("/lists/simple_list", simple_list); g_test_add_func("/whitespace/simple_whitespace", simple_whitespace); -- cgit v1.2.3 From 55e64b6dddfd71953f4eb7ad6d0bcfc8d92500e5 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Thu, 5 Jul 2012 19:35:57 +0200 Subject: slirp: Enforce host-side user of smb share Windows 7 (and possibly other versions) cannot connect to the samba share if the exported host directory is not world-readable. This can be resolved by forcing the username used for access checks to the one under which QEMU and smbd are running. Signed-off-by: Jan Kiszka (cherry picked from commit 1cb1c5d10bb9e180bd3f7be2c10b212ed86a97b4) Signed-off-by: Michael Roth --- net/slirp.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/net/slirp.c b/net/slirp.c index 96f5032c4..c73610e48 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -26,6 +26,7 @@ #include "config-host.h" #ifndef _WIN32 +#include #include #endif #include "net.h" @@ -487,8 +488,15 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, static int instance; char smb_conf[128]; char smb_cmdline[128]; + struct passwd *passwd; FILE *f; + passwd = getpwuid(geteuid()); + if (!passwd) { + error_report("failed to retrieve user name"); + return -1; + } + snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", (long)getpid(), instance++); if (mkdir(s->smb_dir, 0700) < 0) { @@ -517,14 +525,16 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, "[qemu]\n" "path=%s\n" "read only=no\n" - "guest ok=yes\n", + "guest ok=yes\n" + "force user=%s\n", s->smb_dir, s->smb_dir, s->smb_dir, s->smb_dir, s->smb_dir, s->smb_dir, - exported_dir + exported_dir, + passwd->pw_name ); fclose(f); -- cgit v1.2.3 From 1a933e48016db893c799775a897b2af88a879683 Mon Sep 17 00:00:00 2001 From: Dunrong Huang Date: Fri, 6 Jul 2012 14:04:43 +0800 Subject: slirp: Ensure smbd and shared directory exist when enable smb Users may pass the following parameters to qemu: $ qemu-kvm -net nic -net user,smb= ... $ qemu-kvm -net nic -net user,smb ... $ qemu-kvm -net nic -net user,smb=bad_directory ... In these cases, qemu started successfully while samba server failed to start. Users will confuse since samba server failed silently without any indication of what it did wrong. To avoid it, we check whether the shared directory exist and if users have permission to access this directory when QEMU's "built-in" SMB server is enabled. Signed-off-by: Dunrong Huang Signed-off-by: Jan Kiszka (cherry picked from commit 927d811b282ffdf5386bd63f435c1507634ba49a) Signed-off-by: Michael Roth --- net/slirp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/slirp.c b/net/slirp.c index c73610e48..d3fcbf4a0 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -497,6 +497,18 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, return -1; } + if (access(CONFIG_SMBD_COMMAND, F_OK)) { + error_report("could not find '%s', please install it", + CONFIG_SMBD_COMMAND); + return -1; + } + + if (access(exported_dir, R_OK | X_OK)) { + error_report("no such directory '%s', or you do not have permission " + "to access it, please check it", exported_dir); + return -1; + } + snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", (long)getpid(), instance++); if (mkdir(s->smb_dir, 0700) < 0) { -- cgit v1.2.3 From 44a42fd2b69b1bc9cdb54d0cbfcdfd6b3bbf0c31 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Fri, 6 Jul 2012 08:40:48 +0200 Subject: slirp: Improve error reporting of inaccessible smb directories Instead of guessing, print the error code returned by access. Signed-off-by: Jan Kiszka (cherry picked from commit 22a61f365df83d5d7884cceb1c462295977cb2db) Signed-off-by: Michael Roth --- net/slirp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/slirp.c b/net/slirp.c index d3fcbf4a0..49f55bcef 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -504,8 +504,8 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, } if (access(exported_dir, R_OK | X_OK)) { - error_report("no such directory '%s', or you do not have permission " - "to access it, please check it", exported_dir); + error_report("error accessing shared directory '%s': %s", + exported_dir, strerror(errno)); return -1; } -- cgit v1.2.3 From c337db8cc9f4725c0654134de42b97f7847186a4 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Mon, 9 Jul 2012 16:42:30 +0200 Subject: apic: Resolve potential endless loop around apic_update_irq Commit d96e173769 refactored the reinjection of pending PIC interrupts. However, it missed the potential loop of apic_update_irq -> apic_deliver_pic_intr -> apic_local_deliver -> apic_set_irq -> apic_update_irq that /could/ occur if LINT0 is injected as APIC_DM_FIXED and that vector is currently blocked via TPR. Resolve this by reinjecting only where it matters: inside apic_get_interrupt. This function may clear a vector while a PIC-originated reason still exists. Signed-off-by: Jan Kiszka Signed-off-by: Avi Kivity (cherry picked from commit 3db3659bf60094657e1465cc809acb09551816ee) Signed-off-by: Michael Roth --- hw/apic.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/apic.c b/hw/apic.c index 4eeaf8801..ec8f9ba65 100644 --- a/hw/apic.c +++ b/hw/apic.c @@ -371,9 +371,6 @@ static void apic_update_irq(APICCommonState *s) } if (apic_irq_pending(s) > 0) { cpu_interrupt(s->cpu_env, CPU_INTERRUPT_HARD); - } else if (apic_accept_pic_intr(&s->busdev.qdev) && - pic_get_output(isa_pic)) { - apic_deliver_pic_intr(&s->busdev.qdev, 1); } } @@ -568,7 +565,14 @@ int apic_get_interrupt(DeviceState *d) reset_bit(s->irr, intno); set_bit(s->isr, intno); apic_sync_vapic(s, SYNC_TO_VAPIC); + + /* re-inject if there is still a pending PIC interrupt */ + if (apic_accept_pic_intr(&s->busdev.qdev) && pic_get_output(isa_pic)) { + apic_deliver_pic_intr(&s->busdev.qdev, 1); + } + apic_update_irq(s); + return intno; } -- cgit v1.2.3 From 2a93a8940093560686fdcda24776ff265d6bcba7 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Mon, 9 Jul 2012 16:42:31 +0200 Subject: apic: Reevaluate pending interrupts on LVT_LINT0 changes When the guest modifies the LVT_LINT0 register, we need to check if some pending PIC interrupt can now be delivered. Signed-off-by: Jan Kiszka Signed-off-by: Avi Kivity (cherry picked from commit a94820ddc36f8c452b37f9dcb323f55ffdbc75f9) Signed-off-by: Michael Roth --- hw/apic.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/hw/apic.c b/hw/apic.c index ec8f9ba65..e96402d4f 100644 --- a/hw/apic.c +++ b/hw/apic.c @@ -540,6 +540,15 @@ static void apic_deliver(DeviceState *d, uint8_t dest, uint8_t dest_mode, apic_bus_deliver(deliver_bitmask, delivery_mode, vector_num, trigger_mode); } +static bool apic_check_pic(APICCommonState *s) +{ + if (!apic_accept_pic_intr(&s->busdev.qdev) || !pic_get_output(isa_pic)) { + return false; + } + apic_deliver_pic_intr(&s->busdev.qdev, 1); + return true; +} + int apic_get_interrupt(DeviceState *d) { APICCommonState *s = DO_UPCAST(APICCommonState, busdev.qdev, d); @@ -567,9 +576,7 @@ int apic_get_interrupt(DeviceState *d) apic_sync_vapic(s, SYNC_TO_VAPIC); /* re-inject if there is still a pending PIC interrupt */ - if (apic_accept_pic_intr(&s->busdev.qdev) && pic_get_output(isa_pic)) { - apic_deliver_pic_intr(&s->busdev.qdev, 1); - } + apic_check_pic(s); apic_update_irq(s); @@ -812,8 +819,11 @@ static void apic_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val) { int n = index - 0x32; s->lvt[n] = val; - if (n == APIC_LVT_TIMER) + if (n == APIC_LVT_TIMER) { apic_timer_update(s, qemu_get_clock_ns(vm_clock)); + } else if (n == APIC_LVT_LINT0 && apic_check_pic(s)) { + apic_update_irq(s); + } } break; case 0x38: -- cgit v1.2.3 From a47343957489b9fafdb438351e8fa9d58d7fd30b Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Mon, 9 Jul 2012 16:42:32 +0200 Subject: apic: Defer interrupt updates to VCPU thread KVM performs TPR raising asynchronously to QEMU, specifically outside QEMU's global lock. When an interrupt is injected into the APIC and TPR is checked to decide if this can be delivered, a stale TPR value may be used, causing spurious interrupts in the end. Fix this by deferring apic_update_irq to the context of the target VCPU. We introduce a new interrupt flag for this, CPU_INTERRUPT_POLL. When it is set, the VCPU calls apic_poll_irq before checking for further pending interrupts. To avoid special-casing KVM, we also implement this logic for TCG mode. Signed-off-by: Jan Kiszka Signed-off-by: Avi Kivity (cherry picked from commit 5d62c43a17edaa7f6a88821c9086e6c8e0e5327d) Signed-off-by: Michael Roth --- cpu-exec.c | 6 ++++++ hw/apic.c | 5 ++++- hw/apic.h | 1 + hw/apic_internal.h | 1 - target-i386/cpu.h | 4 +++- target-i386/kvm.c | 4 ++++ 6 files changed, 18 insertions(+), 3 deletions(-) diff --git a/cpu-exec.c b/cpu-exec.c index 0344cd5c5..6db32cd39 100644 --- a/cpu-exec.c +++ b/cpu-exec.c @@ -285,6 +285,12 @@ int cpu_exec(CPUArchState *env) } #endif #if defined(TARGET_I386) +#if !defined(CONFIG_USER_ONLY) + if (interrupt_request & CPU_INTERRUPT_POLL) { + env->interrupt_request &= ~CPU_INTERRUPT_POLL; + apic_poll_irq(env->apic_state); + } +#endif if (interrupt_request & CPU_INTERRUPT_INIT) { svm_check_intercept(env, SVM_EXIT_INIT); do_cpu_init(env); diff --git a/hw/apic.c b/hw/apic.c index e96402d4f..b2c637368 100644 --- a/hw/apic.c +++ b/hw/apic.c @@ -16,6 +16,7 @@ * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, see */ +#include "qemu-thread.h" #include "apic_internal.h" #include "apic.h" #include "ioapic.h" @@ -369,7 +370,9 @@ static void apic_update_irq(APICCommonState *s) if (!(s->spurious_vec & APIC_SV_ENABLE)) { return; } - if (apic_irq_pending(s) > 0) { + if (!qemu_cpu_is_self(s->cpu_env)) { + cpu_interrupt(s->cpu_env, CPU_INTERRUPT_POLL); + } else if (apic_irq_pending(s) > 0) { cpu_interrupt(s->cpu_env, CPU_INTERRUPT_HARD); } } diff --git a/hw/apic.h b/hw/apic.h index 62179cebe..a89542b23 100644 --- a/hw/apic.h +++ b/hw/apic.h @@ -20,6 +20,7 @@ void apic_init_reset(DeviceState *s); void apic_sipi(DeviceState *s); void apic_handle_tpr_access_report(DeviceState *d, target_ulong ip, TPRAccess access); +void apic_poll_irq(DeviceState *d); /* pc.c */ int cpu_is_bsp(CPUX86State *env); diff --git a/hw/apic_internal.h b/hw/apic_internal.h index 60a6a8bda..4d8ff490c 100644 --- a/hw/apic_internal.h +++ b/hw/apic_internal.h @@ -141,7 +141,6 @@ void apic_report_irq_delivered(int delivered); bool apic_next_timer(APICCommonState *s, int64_t current_time); void apic_enable_tpr_access_reporting(DeviceState *d, bool enable); void apic_enable_vapic(DeviceState *d, target_phys_addr_t paddr); -void apic_poll_irq(DeviceState *d); void vapic_report_tpr_access(DeviceState *dev, void *cpu, target_ulong ip, TPRAccess access); diff --git a/target-i386/cpu.h b/target-i386/cpu.h index 2460f6348..8ff3f304c 100644 --- a/target-i386/cpu.h +++ b/target-i386/cpu.h @@ -477,6 +477,7 @@ for syscall instruction */ /* i386-specific interrupt pending bits. */ +#define CPU_INTERRUPT_POLL CPU_INTERRUPT_TGT_EXT_1 #define CPU_INTERRUPT_SMI CPU_INTERRUPT_TGT_EXT_2 #define CPU_INTERRUPT_NMI CPU_INTERRUPT_TGT_EXT_3 #define CPU_INTERRUPT_MCE CPU_INTERRUPT_TGT_EXT_4 @@ -1029,7 +1030,8 @@ static inline void cpu_clone_regs(CPUX86State *env, target_ulong newsp) static inline bool cpu_has_work(CPUX86State *env) { - return ((env->interrupt_request & CPU_INTERRUPT_HARD) && + return ((env->interrupt_request & (CPU_INTERRUPT_HARD | + CPU_INTERRUPT_POLL)) && (env->eflags & IF_MASK)) || (env->interrupt_request & (CPU_INTERRUPT_NMI | CPU_INTERRUPT_INIT | diff --git a/target-i386/kvm.c b/target-i386/kvm.c index e74a9e464..d8bbe4ff6 100644 --- a/target-i386/kvm.c +++ b/target-i386/kvm.c @@ -1725,6 +1725,10 @@ int kvm_arch_process_async_events(CPUX86State *env) return 0; } + if (env->interrupt_request & CPU_INTERRUPT_POLL) { + env->interrupt_request &= ~CPU_INTERRUPT_POLL; + apic_poll_irq(env->apic_state); + } if (((env->interrupt_request & CPU_INTERRUPT_HARD) && (env->eflags & IF_MASK)) || (env->interrupt_request & CPU_INTERRUPT_NMI)) { -- cgit v1.2.3 From c094d3d8181f3193e402b49361327040c5725d79 Mon Sep 17 00:00:00 2001 From: Jason Baron Date: Fri, 3 Aug 2012 15:57:10 -0400 Subject: ahci: Fix sglist memleak in ahci_dma_rw_buf() I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus, I've added a call to qemu_sglist_destroy() to fix this memory leak. In addition, I've adeed a call in qemu_sglist_destroy() to 0 all of the sglist fields, in case there is some other codepath that tries to free the sglist. Signed-off-by: Jason Baron Signed-off-by: Kevin Wolf (cherry picked from commit ea8d82a1ed72634f089ed1bccccd9c84cc1ab855) Signed-off-by: Michael Roth --- dma-helpers.c | 1 + hw/ide/ahci.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/dma-helpers.c b/dma-helpers.c index 7971a89c1..7e7e415cf 100644 --- a/dma-helpers.c +++ b/dma-helpers.c @@ -33,6 +33,7 @@ void qemu_sglist_add(QEMUSGList *qsg, dma_addr_t base, dma_addr_t len) void qemu_sglist_destroy(QEMUSGList *qsg) { g_free(qsg->sg); + memset(qsg, 0, sizeof(*qsg)); } typedef struct { diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index 2d7d03d77..1669a75a8 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -1041,6 +1041,9 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write) dma_buf_write(p, l, &s->sg); } + /* free sglist that was created in ahci_populate_sglist() */ + qemu_sglist_destroy(&s->sg); + /* update number of transferred bytes */ ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l); s->io_buffer_index += l; -- cgit v1.2.3 From 5ae1c7ca0a8e648219f7cea1f58bf57cf8d2cea2 Mon Sep 17 00:00:00 2001 From: Jason Baron Date: Fri, 3 Aug 2012 15:57:06 -0400 Subject: ahci: Fix ahci cdrom read corruptions for reads > 128k MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While testing q35, which has its cdrom attached to the ahci controller, I found that the Fedora 17 install would panic on boot. The panic occurs while squashfs is trying to read from the cdrom. The errors are: [ 8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt [ 8.625180] SQUASHFS error: squashfs_read_data failed to read block 0x20be48a I was also able to produce corrupt data reads using an installed piix based qemu machine, using 'dd'. I found that the corruptions were only occuring when then read size was greater than 128k. For example, the following command results in corrupted reads: dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct The > 128k size reads exercise a different code path than 128k and below. In ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus, ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k. However, ahci_dma_rw_buf() restart the read from offset 0, instead of at 128k. Thus, resulting in a corrupted read. To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep track of the offset. I've also modified ahci_populate_sglist() to take a new 3rd offset argument, so that the sglist is property initialized. I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots and installs on q35 with the cdrom ahci controller. Signed-off-by: Jason Baron Tested-by: Andreas Färber Signed-off-by: Kevin Wolf (cherry picked from commit 61f52e06f0a21bab782f98ef3ea789aa6d0aa046) Conflicts: hw/ide/ahci.c Signed-off-by: Michael Roth --- hw/ide/ahci.c | 41 ++++++++++++++++++++++++++++++++++------- hw/ide/internal.h | 1 + 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index 1669a75a8..267198e52 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -634,7 +634,7 @@ static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis) } } -static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist) +static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset) { AHCICmdHdr *cmd = ad->cur_cmd; uint32_t opts = le32_to_cpu(cmd->opts); @@ -645,6 +645,10 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist) uint8_t *prdt; int i; int r = 0; + int sum = 0; + int off_idx = -1; + int off_pos = -1; + int tbl_entry_size; if (!sglist_alloc_hint) { DPRINTF(ad->port_no, "no sg list given by guest: 0x%08x\n", opts); @@ -666,9 +670,30 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist) /* Get entries in the PRDT, init a qemu sglist accordingly */ if (sglist_alloc_hint > 0) { AHCI_SG *tbl = (AHCI_SG *)prdt; - - qemu_sglist_init(sglist, sglist_alloc_hint); + sum = 0; for (i = 0; i < sglist_alloc_hint; i++) { + /* flags_size is zero-based */ + tbl_entry_size = (le32_to_cpu(tbl[i].flags_size) + 1); + if (offset <= (sum + tbl_entry_size)) { + off_idx = i; + off_pos = offset - sum; + break; + } + sum += tbl_entry_size; + } + if ((off_idx == -1) || (off_pos < 0) || (off_pos > tbl_entry_size)) { + DPRINTF(ad->port_no, "%s: Incorrect offset! " + "off_idx: %d, off_pos: %d\n", + __func__, off_idx, off_pos); + r = -1; + goto out; + } + + qemu_sglist_init(sglist, (sglist_alloc_hint - off_idx)); + qemu_sglist_add(sglist, le64_to_cpu(tbl[off_idx].addr + off_pos), + le32_to_cpu(tbl[off_idx].flags_size) + 1 - off_pos); + + for (i = off_idx + 1; i < sglist_alloc_hint; i++) { /* flags_size is zero-based */ qemu_sglist_add(sglist, le64_to_cpu(tbl[i].addr), le32_to_cpu(tbl[i].flags_size) + 1); @@ -741,7 +766,7 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis, ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2, s->dev[port].port.ifs[0].nb_sectors - 1); - ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist); + ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0); ncq_tfs->tag = tag; switch(ncq_fis->command) { @@ -964,7 +989,7 @@ static int ahci_start_transfer(IDEDMA *dma) goto out; } - if (!ahci_populate_sglist(ad, &s->sg)) { + if (!ahci_populate_sglist(ad, &s->sg, 0)) { has_sglist = 1; } @@ -1009,6 +1034,7 @@ static void ahci_start_dma(IDEDMA *dma, IDEState *s, DPRINTF(ad->port_no, "\n"); ad->dma_cb = dma_cb; ad->dma_status |= BM_STATUS_DMAING; + s->io_buffer_offset = 0; dma_cb(s, 0); } @@ -1017,7 +1043,7 @@ static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write) AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma); IDEState *s = &ad->port.ifs[0]; - ahci_populate_sglist(ad, &s->sg); + ahci_populate_sglist(ad, &s->sg, 0); s->io_buffer_size = s->sg.size; DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size); @@ -1031,7 +1057,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write) uint8_t *p = s->io_buffer + s->io_buffer_index; int l = s->io_buffer_size - s->io_buffer_index; - if (ahci_populate_sglist(ad, &s->sg)) { + if (ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset)) { return 0; } @@ -1047,6 +1073,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write) /* update number of transferred bytes */ ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l); s->io_buffer_index += l; + s->io_buffer_offset += l; DPRINTF(ad->port_no, "len=%#x\n", l); diff --git a/hw/ide/internal.h b/hw/ide/internal.h index f8a027d0e..ecd8d9480 100644 --- a/hw/ide/internal.h +++ b/hw/ide/internal.h @@ -389,6 +389,7 @@ struct IDEState { struct iovec iov; QEMUIOVector qiov; /* ATA DMA state */ + int io_buffer_offset; int io_buffer_size; QEMUSGList sg; /* PIO transfer handling */ -- cgit v1.2.3 From 393d4c921464c2a791b6662b8b664feba9104cce Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Tue, 14 Aug 2012 10:24:03 +0200 Subject: kvm: i8254: Cache kernel clock offset in KVMPITState To prepare the final fix for clock calibration issues with the in-kernel PIT, we want to cache the offset between vmclock and the clock used by the in-kernel PIT. So far, we only need to update it when the VM state changes between running and stopped because we only read the in-kernel PIT state while the VM is running. Signed-off-by: Jan Kiszka Signed-off-by: Marcelo Tosatti (cherry picked from commit 205df4d1a87cbb14a50655fb2c0a987467fb29d6) Signed-off-by: Michael Roth --- hw/kvm/i8254.c | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/hw/kvm/i8254.c b/hw/kvm/i8254.c index c5d3711a0..c235d80a5 100644 --- a/hw/kvm/i8254.c +++ b/hw/kvm/i8254.c @@ -35,7 +35,8 @@ typedef struct KVMPITState { PITCommonState pit; LostTickPolicy lost_tick_policy; - bool state_valid; + bool vm_stopped; + int64_t kernel_clock_offset; } KVMPITState; static int64_t abs64(int64_t v) @@ -43,19 +44,11 @@ static int64_t abs64(int64_t v) return v < 0 ? -v : v; } -static void kvm_pit_get(PITCommonState *pit) +static void kvm_pit_update_clock_offset(KVMPITState *s) { - KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit); - struct kvm_pit_state2 kpit; - struct kvm_pit_channel_state *kchan; - struct PITChannelState *sc; int64_t offset, clock_offset; struct timespec ts; - int i, ret; - - if (s->state_valid) { - return; - } + int i; /* * Measure the delta between CLOCK_MONOTONIC, the base used for @@ -72,6 +65,21 @@ static void kvm_pit_get(PITCommonState *pit) clock_offset = offset; } } + s->kernel_clock_offset = clock_offset; +} + +static void kvm_pit_get(PITCommonState *pit) +{ + KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit); + struct kvm_pit_state2 kpit; + struct kvm_pit_channel_state *kchan; + struct PITChannelState *sc; + int i, ret; + + /* No need to re-read the state if VM is stopped. */ + if (s->vm_stopped) { + return; + } if (kvm_has_pit_state2()) { ret = kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, &kpit); @@ -106,7 +114,7 @@ static void kvm_pit_get(PITCommonState *pit) sc->mode = kchan->mode; sc->bcd = kchan->bcd; sc->gate = kchan->gate; - sc->count_load_time = kchan->count_load_time + clock_offset; + sc->count_load_time = kchan->count_load_time + s->kernel_clock_offset; } sc = &pit->channels[0]; @@ -211,10 +219,12 @@ static void kvm_pit_vm_state_change(void *opaque, int running, KVMPITState *s = opaque; if (running) { - s->state_valid = false; + kvm_pit_update_clock_offset(s); + s->vm_stopped = false; } else { + kvm_pit_update_clock_offset(s); kvm_pit_get(&s->pit); - s->state_valid = true; + s->vm_stopped = true; } } -- cgit v1.2.3 From ffc7565c81b010683c3cab8efe9accd0eb90aa0d Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Tue, 14 Aug 2012 10:24:47 +0200 Subject: kvm: i8254: Finish time conversion fix 0cdd3d1444 fixed reading back the counter load time from the kernel while assuming the kernel would always update its load time on writing the state. That is only true for channel 1, and so pit_get_channel_info returned wrong output pin states for high counter values. Fix this by applying the offset also on kvm_pit_put. Now we also need to update the offset when we write the state while the VM is stopped as it keeps on changing in that state. Signed-off-by: Jan Kiszka Signed-off-by: Marcelo Tosatti (cherry picked from commit 050a46065de8e3d4ee5a04f5598d666f63d34800) Signed-off-by: Michael Roth --- hw/kvm/i8254.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/hw/kvm/i8254.c b/hw/kvm/i8254.c index c235d80a5..53d13e312 100644 --- a/hw/kvm/i8254.c +++ b/hw/kvm/i8254.c @@ -122,17 +122,23 @@ static void kvm_pit_get(PITCommonState *pit) pit_get_next_transition_time(sc, sc->count_load_time); } -static void kvm_pit_put(PITCommonState *s) +static void kvm_pit_put(PITCommonState *pit) { + KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit); struct kvm_pit_state2 kpit; struct kvm_pit_channel_state *kchan; struct PITChannelState *sc; int i, ret; - kpit.flags = s->channels[0].irq_disabled ? KVM_PIT_FLAGS_HPET_LEGACY : 0; + /* The offset keeps changing as long as the VM is stopped. */ + if (s->vm_stopped) { + kvm_pit_update_clock_offset(s); + } + + kpit.flags = pit->channels[0].irq_disabled ? KVM_PIT_FLAGS_HPET_LEGACY : 0; for (i = 0; i < 3; i++) { kchan = &kpit.channels[i]; - sc = &s->channels[i]; + sc = &pit->channels[i]; kchan->count = sc->count; kchan->latched_count = sc->latched_count; kchan->count_latched = sc->count_latched; @@ -145,7 +151,7 @@ static void kvm_pit_put(PITCommonState *s) kchan->mode = sc->mode; kchan->bcd = sc->bcd; kchan->gate = sc->gate; - kchan->count_load_time = sc->count_load_time; + kchan->count_load_time = sc->count_load_time - s->kernel_clock_offset; } ret = kvm_vm_ioctl(kvm_state, -- cgit v1.2.3 From cfeb9958c8f4f99f08222a47fe42ea73acb41ecc Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Wed, 15 Aug 2012 13:12:20 +0200 Subject: pc: Fix RTC CMOS info on RAM for ram_size < 1MiB pc_cmos_init() always claims 640KiB base memory, and ram_size - 1MiB extended memory. The latter can underflow to "lots of extended memory". Fix both, and clean up some. Note: SeaBIOS currently requires 1MiB of RAM, and doesn't check whether it got enough. Signed-off-by: Markus Armbruster Signed-off-by: Blue Swirl (cherry picked from commit e89001f72edde37fb36fa7c964daa1bbeb2eca26) Signed-off-by: Michael Roth --- hw/pc.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/hw/pc.c b/hw/pc.c index e81a06c16..6c4b07bbe 100644 --- a/hw/pc.c +++ b/hw/pc.c @@ -344,32 +344,37 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size, /* various important CMOS locations needed by PC/Bochs bios */ /* memory size */ - val = 640; /* base memory in K */ + /* base memory (first MiB) */ + val = MIN(ram_size / 1024, 640); rtc_set_memory(s, 0x15, val); rtc_set_memory(s, 0x16, val >> 8); - - val = (ram_size / 1024) - 1024; + /* extended memory (next 64MiB) */ + if (ram_size > 1024 * 1024) { + val = (ram_size - 1024 * 1024) / 1024; + } else { + val = 0; + } if (val > 65535) val = 65535; rtc_set_memory(s, 0x17, val); rtc_set_memory(s, 0x18, val >> 8); rtc_set_memory(s, 0x30, val); rtc_set_memory(s, 0x31, val >> 8); - - if (above_4g_mem_size) { - rtc_set_memory(s, 0x5b, (unsigned int)above_4g_mem_size >> 16); - rtc_set_memory(s, 0x5c, (unsigned int)above_4g_mem_size >> 24); - rtc_set_memory(s, 0x5d, (uint64_t)above_4g_mem_size >> 32); - } - - if (ram_size > (16 * 1024 * 1024)) - val = (ram_size / 65536) - ((16 * 1024 * 1024) / 65536); - else + /* memory between 16MiB and 4GiB */ + if (ram_size > 16 * 1024 * 1024) { + val = (ram_size - 16 * 1024 * 1024) / 65536; + } else { val = 0; + } if (val > 65535) val = 65535; rtc_set_memory(s, 0x34, val); rtc_set_memory(s, 0x35, val >> 8); + /* memory above 4GiB */ + val = above_4g_mem_size / 65536; + rtc_set_memory(s, 0x5b, val); + rtc_set_memory(s, 0x5c, val >> 8); + rtc_set_memory(s, 0x5d, val >> 16); /* set the number of CPU */ rtc_set_memory(s, 0x5f, smp_cpus - 1); -- cgit v1.2.3 From fd21cc14f57247339be0ebf3e0845e431aa5aedc Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Wed, 15 Aug 2012 13:12:19 +0200 Subject: vl: Round argument of -m up to multiple of 8KiB Partial pages make little sense and don't work. Ensure the RAM size is a multiple of any possible target's page size. Fixes $ qemu-system-x86_64 -nodefaults -S -vnc :0 -m 0.8 qemu-system-x86_64: /work/armbru/qemu/exec.c:2255: register_subpage: Assertion `existing->mr->subpage || existing->mr == &io_mem_unassigned' failed. Signed-off-by: Markus Armbruster Signed-off-by: Blue Swirl (cherry picked from commit ff961015529437f4b83fca0a92069aebcf533c9c) Signed-off-by: Michael Roth --- vl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/vl.c b/vl.c index 23ab3a34d..1dd4c6b31 100644 --- a/vl.c +++ b/vl.c @@ -2659,6 +2659,7 @@ int main(int argc, char **argv, char **envp) break; case QEMU_OPTION_m: { int64_t value; + uint64_t sz; char *end; value = strtosz(optarg, &end); @@ -2666,12 +2667,12 @@ int main(int argc, char **argv, char **envp) fprintf(stderr, "qemu: invalid ram size: %s\n", optarg); exit(1); } - - if (value != (uint64_t)(ram_addr_t)value) { + sz = QEMU_ALIGN_UP((uint64_t)value, 8192); + ram_size = sz; + if (ram_size != sz) { fprintf(stderr, "qemu: ram size too large\n"); exit(1); } - ram_size = value; break; } case QEMU_OPTION_mempath: -- cgit v1.2.3 From 07ab4fc1ef2e628209ecab97475ea45071b19ec8 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 16 Aug 2012 10:34:10 +0200 Subject: vmdk: Fix header structure Commit bb45ded9 swapped gd_offset and rgd_offset. This is wrong. Signed-off-by: Kevin Wolf (cherry picked from commit 7a736bfa4e0a58087054cad68a1d4b3804bbb708) Signed-off-by: Michael Roth --- block/vmdk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/vmdk.c b/block/vmdk.c index 18e9b4caf..28541fe6f 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -57,8 +57,8 @@ typedef struct { int64_t desc_offset; int64_t desc_size; int32_t num_gtes_per_gte; - int64_t gd_offset; int64_t rgd_offset; + int64_t gd_offset; int64_t grain_offset; char filler[1]; char check_bytes[4]; -- cgit v1.2.3 From d438650fa512f944ca4af1a08ab132712c50b684 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 16 Aug 2012 10:39:33 +0200 Subject: vmdk: Read footer for streamOptimized images The footer takes precedence over the header when it exists. It contains the real grain directory offset that is missing in the header. Without this patch, streamOptimized images with a footer cannot be read. Signed-off-by: Kevin Wolf Reviewed-by: Stefan Hajnoczi Reviewed-by: Jeff Cody (cherry picked from commit 65bd155c7356d448ffee7f89149c4d473076b0ba) Signed-off-by: Michael Roth --- block/vmdk.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/block/vmdk.c b/block/vmdk.c index 28541fe6f..a55f75652 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -35,6 +35,7 @@ #define VMDK4_FLAG_RGD (1 << 1) #define VMDK4_FLAG_COMPRESS (1 << 16) #define VMDK4_FLAG_MARKER (1 << 17) +#define VMDK4_GD_AT_END 0xffffffffffffffffULL typedef struct { uint32_t version; @@ -115,6 +116,13 @@ typedef struct VmdkGrainMarker { uint8_t data[0]; } VmdkGrainMarker; +enum { + MARKER_END_OF_STREAM = 0, + MARKER_GRAIN_TABLE = 1, + MARKER_GRAIN_DIRECTORY = 2, + MARKER_FOOTER = 3, +}; + static int vmdk_probe(const uint8_t *buf, int buf_size, const char *filename) { uint32_t magic; @@ -451,6 +459,54 @@ static int vmdk_open_vmdk4(BlockDriverState *bs, if (header.capacity == 0 && header.desc_offset) { return vmdk_open_desc_file(bs, flags, header.desc_offset << 9); } + + if (le64_to_cpu(header.gd_offset) == VMDK4_GD_AT_END) { + /* + * The footer takes precedence over the header, so read it in. The + * footer starts at offset -1024 from the end: One sector for the + * footer, and another one for the end-of-stream marker. + */ + struct { + struct { + uint64_t val; + uint32_t size; + uint32_t type; + uint8_t pad[512 - 16]; + } QEMU_PACKED footer_marker; + + uint32_t magic; + VMDK4Header header; + uint8_t pad[512 - 4 - sizeof(VMDK4Header)]; + + struct { + uint64_t val; + uint32_t size; + uint32_t type; + uint8_t pad[512 - 16]; + } QEMU_PACKED eos_marker; + } QEMU_PACKED footer; + + ret = bdrv_pread(file, + bs->file->total_sectors * 512 - 1536, + &footer, sizeof(footer)); + if (ret < 0) { + return ret; + } + + /* Some sanity checks for the footer */ + if (be32_to_cpu(footer.magic) != VMDK4_MAGIC || + le32_to_cpu(footer.footer_marker.size) != 0 || + le32_to_cpu(footer.footer_marker.type) != MARKER_FOOTER || + le64_to_cpu(footer.eos_marker.val) != 0 || + le32_to_cpu(footer.eos_marker.size) != 0 || + le32_to_cpu(footer.eos_marker.type) != MARKER_END_OF_STREAM) + { + return -EINVAL; + } + + header = footer.header; + } + l1_entry_sectors = le32_to_cpu(header.num_gtes_per_gte) * le64_to_cpu(header.granularity); if (l1_entry_sectors == 0) { -- cgit v1.2.3 From f946f010f5f7d6b13bf6acabffebe093b1c9949c Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Thu, 16 Aug 2012 10:56:35 +0200 Subject: Documentation: Warn against qemu-img on active image People have repeatedly expected that you can do things like snapshotting an image with qemu-img while a qemu instance is running. Maybe we need to consider locking the files while they are in use, but having a warning in the qemu-img manpage is doable for 1.2 and can't hurt anyway. Signed-off-by: Kevin Wolf (cherry picked from commit 48467328c6dccc9c7be6628ed0ef0810f83be2a9) Signed-off-by: Michael Roth --- qemu-img.texi | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/qemu-img.texi b/qemu-img.texi index 9cee2eaa6..482c21b39 100644 --- a/qemu-img.texi +++ b/qemu-img.texi @@ -4,6 +4,16 @@ usage: qemu-img command [command options] @c man end @end example +@c man begin DESCRIPTION +qemu-img allows you to create, convert and modify images offline. It can handle +all image formats supported by QEMU. + +@b{Warning:} Never use qemu-img to modify images in use by a running virtual +machine or any other process; this may destroy the image. Also, be aware that +querying an image that is being modified by another process may encounter +inconsistent state. +@c man end + @c man begin OPTIONS The following commands are supported: -- cgit v1.2.3 From a410be59b5f2727f254152020e0f59cf2c1c5b15 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Sat, 18 Aug 2012 23:37:31 +0200 Subject: iscsi: move iscsi_schedule_bh and iscsi_readv_writev_bh_cb Put these functions at the beginning, to avoid forward references in the next patches. Signed-off-by: Paolo Bonzini (cherry picked from commit 27cbd828c617944c0f9603763fdf4fa87e7ad923) Signed-off-by: Michael Roth --- block/iscsi.c | 56 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/block/iscsi.c b/block/iscsi.c index 22888a084..4d345c610 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -65,6 +65,34 @@ struct IscsiTask { int complete; }; +static void +iscsi_readv_writev_bh_cb(void *p) +{ + IscsiAIOCB *acb = p; + + qemu_bh_delete(acb->bh); + + if (acb->canceled == 0) { + acb->common.cb(acb->common.opaque, acb->status); + } + + qemu_aio_release(acb); +} + +static int +iscsi_schedule_bh(QEMUBHFunc *cb, IscsiAIOCB *acb) +{ + acb->bh = qemu_bh_new(cb, acb); + if (!acb->bh) { + error_report("oom: could not create iscsi bh"); + return -EIO; + } + + qemu_bh_schedule(acb->bh); + return 0; +} + + static void iscsi_abort_task_cb(struct iscsi_context *iscsi, int status, void *command_data, void *private_data) @@ -152,34 +180,6 @@ iscsi_process_write(void *arg) } -static int -iscsi_schedule_bh(QEMUBHFunc *cb, IscsiAIOCB *acb) -{ - acb->bh = qemu_bh_new(cb, acb); - if (!acb->bh) { - error_report("oom: could not create iscsi bh"); - return -EIO; - } - - qemu_bh_schedule(acb->bh); - return 0; -} - -static void -iscsi_readv_writev_bh_cb(void *p) -{ - IscsiAIOCB *acb = p; - - qemu_bh_delete(acb->bh); - - if (acb->canceled == 0) { - acb->common.cb(acb->common.opaque, acb->status); - } - - qemu_aio_release(acb); -} - - static void iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status, void *command_data, void *opaque) -- cgit v1.2.3 From b90d717b6469ac15fa1837a884097bbc5499124c Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Sat, 18 Aug 2012 23:38:03 +0200 Subject: iscsi: simplify iscsi_schedule_bh It is always used with the same callback, remove the argument. And its return value is never used, assume allocation succeeds. Signed-off-by: Paolo Bonzini (cherry picked from commit cfb3f5064af2d2e29c976e292c9472dfe9d61e31) Conflicts: block/iscsi.c Signed-off-by: Michael Roth --- block/iscsi.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/block/iscsi.c b/block/iscsi.c index 4d345c610..4584d54eb 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -66,7 +66,7 @@ struct IscsiTask { }; static void -iscsi_readv_writev_bh_cb(void *p) +iscsi_bh_cb(void *p) { IscsiAIOCB *acb = p; @@ -79,17 +79,11 @@ iscsi_readv_writev_bh_cb(void *p) qemu_aio_release(acb); } -static int -iscsi_schedule_bh(QEMUBHFunc *cb, IscsiAIOCB *acb) +static void +iscsi_schedule_bh(IscsiAIOCB *acb) { - acb->bh = qemu_bh_new(cb, acb); - if (!acb->bh) { - error_report("oom: could not create iscsi bh"); - return -EIO; - } - + acb->bh = qemu_bh_new(iscsi_bh_cb, acb); qemu_bh_schedule(acb->bh); - return 0; } @@ -204,7 +198,7 @@ iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status, acb->status = -EIO; } - iscsi_schedule_bh(iscsi_readv_writev_bh_cb, acb); + iscsi_schedule_bh(acb); scsi_free_scsi_task(acb->task); acb->task = NULL; } @@ -306,7 +300,7 @@ iscsi_aio_read16_cb(struct iscsi_context *iscsi, int status, acb->status = -EIO; } - iscsi_schedule_bh(iscsi_readv_writev_bh_cb, acb); + iscsi_schedule_bh(acb); scsi_free_scsi_task(acb->task); acb->task = NULL; } @@ -422,7 +416,7 @@ iscsi_synccache10_cb(struct iscsi_context *iscsi, int status, acb->status = -EIO; } - iscsi_schedule_bh(iscsi_readv_writev_bh_cb, acb); + iscsi_schedule_bh(acb); scsi_free_scsi_task(acb->task); acb->task = NULL; } @@ -476,7 +470,7 @@ iscsi_unmap_cb(struct iscsi_context *iscsi, int status, acb->status = -EIO; } - iscsi_schedule_bh(iscsi_readv_writev_bh_cb, acb); + iscsi_schedule_bh(acb); scsi_free_scsi_task(acb->task); acb->task = NULL; } -- cgit v1.2.3 From 799c27e1243769a52fb3edc7e5b42f9f50c9fba6 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Sat, 18 Aug 2012 23:35:49 +0200 Subject: iscsi: fix races between task completion and abort This patch fixes two main issues with block/iscsi.c: 1) iscsi_task_mgmt_abort_task_async calls iscsi_scsi_task_cancel which was also directly called in iscsi_aio_cancel 2) a race between task completion and task abortion could happen cause the scsi_free_scsi_task were done before iscsi_schedule_bh has finished. To fix this, all the freeing of IscsiTasks and releasing of the AIOCBs is centralized in iscsi_bh_cb, independent of whether the SCSI command has completed or was cancelled. 3) iscsi_aio_cancel was not synchronously waiting for the end of the command. Signed-off-by: Paolo Bonzini (cherry picked from commit 1bd075f29ea6d11853475c7c42734595720c3ac6) Conflicts: block/iscsi.c Signed-off-by: Michael Roth --- block/iscsi.c | 52 ++++++++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/block/iscsi.c b/block/iscsi.c index 4584d54eb..c3d8db8b4 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -76,12 +76,20 @@ iscsi_bh_cb(void *p) acb->common.cb(acb->common.opaque, acb->status); } + if (acb->task != NULL) { + scsi_free_scsi_task(acb->task); + acb->task = NULL; + } + qemu_aio_release(acb); } static void iscsi_schedule_bh(IscsiAIOCB *acb) { + if (acb->bh) { + return; + } acb->bh = qemu_bh_new(iscsi_bh_cb, acb); qemu_bh_schedule(acb->bh); } @@ -91,6 +99,10 @@ static void iscsi_abort_task_cb(struct iscsi_context *iscsi, int status, void *command_data, void *private_data) { + IscsiAIOCB *acb = private_data; + + acb->status = -ECANCELED; + iscsi_schedule_bh(acb); } static void @@ -99,15 +111,19 @@ iscsi_aio_cancel(BlockDriverAIOCB *blockacb) IscsiAIOCB *acb = (IscsiAIOCB *)blockacb; IscsiLun *iscsilun = acb->iscsilun; - acb->common.cb(acb->common.opaque, -ECANCELED); + if (acb->status != -EINPROGRESS) { + return; + } + acb->canceled = 1; /* send a task mgmt call to the target to cancel the task on the target */ iscsi_task_mgmt_abort_task_async(iscsilun->iscsi, acb->task, - iscsi_abort_task_cb, NULL); + iscsi_abort_task_cb, acb); - /* then also cancel the task locally in libiscsi */ - iscsi_scsi_task_cancel(iscsilun->iscsi, acb->task); + while (acb->status == -EINPROGRESS) { + qemu_aio_wait(); + } } static AIOPool iscsi_aio_pool = { @@ -185,9 +201,6 @@ iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status, g_free(acb->buf); if (acb->canceled != 0) { - qemu_aio_release(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; return; } @@ -199,8 +212,6 @@ iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status, } iscsi_schedule_bh(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; } static int64_t sector_qemu2lun(int64_t sector, IscsiLun *iscsilun) @@ -229,6 +240,8 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num, acb->qiov = qiov; acb->canceled = 0; + acb->bh = NULL; + acb->status = -EINPROGRESS; /* XXX we should pass the iovec to write16 to avoid the extra copy */ /* this will allow us to get rid of 'buf' completely */ @@ -287,9 +300,6 @@ iscsi_aio_read16_cb(struct iscsi_context *iscsi, int status, trace_iscsi_aio_read16_cb(iscsi, status, acb, acb->canceled); if (acb->canceled != 0) { - qemu_aio_release(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; return; } @@ -301,8 +311,6 @@ iscsi_aio_read16_cb(struct iscsi_context *iscsi, int status, } iscsi_schedule_bh(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; } static BlockDriverAIOCB * @@ -328,6 +336,8 @@ iscsi_aio_readv(BlockDriverState *bs, int64_t sector_num, acb->qiov = qiov; acb->canceled = 0; + acb->bh = NULL; + acb->status = -EINPROGRESS; acb->read_size = qemu_read_size; acb->buf = NULL; @@ -403,9 +413,6 @@ iscsi_synccache10_cb(struct iscsi_context *iscsi, int status, IscsiAIOCB *acb = opaque; if (acb->canceled != 0) { - qemu_aio_release(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; return; } @@ -417,8 +424,6 @@ iscsi_synccache10_cb(struct iscsi_context *iscsi, int status, } iscsi_schedule_bh(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; } static BlockDriverAIOCB * @@ -433,6 +438,8 @@ iscsi_aio_flush(BlockDriverState *bs, acb->iscsilun = iscsilun; acb->canceled = 0; + acb->bh = NULL; + acb->status = -EINPROGRESS; acb->task = iscsi_synchronizecache10_task(iscsi, iscsilun->lun, 0, 0, 0, 0, @@ -457,9 +464,6 @@ iscsi_unmap_cb(struct iscsi_context *iscsi, int status, IscsiAIOCB *acb = opaque; if (acb->canceled != 0) { - qemu_aio_release(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; return; } @@ -471,8 +475,6 @@ iscsi_unmap_cb(struct iscsi_context *iscsi, int status, } iscsi_schedule_bh(acb); - scsi_free_scsi_task(acb->task); - acb->task = NULL; } static BlockDriverAIOCB * @@ -489,6 +491,8 @@ iscsi_aio_discard(BlockDriverState *bs, acb->iscsilun = iscsilun; acb->canceled = 0; + acb->bh = NULL; + acb->status = -EINPROGRESS; list[0].lba = sector_qemu2lun(sector_num, iscsilun); list[0].num = nb_sectors * BDRV_SECTOR_SIZE / iscsilun->block_size; -- cgit v1.2.3 From b598cb2214cbc197a7d8a677644a7ef3ea17c2c1 Mon Sep 17 00:00:00 2001 From: Alexey Kardashevskiy Date: Wed, 18 Jul 2012 22:52:04 +1000 Subject: eventfd: making it thread safe QEMU uses IO handlers to run select() in the main loop. The handlers list is managed by qemu_set_fd_handler() helper which works fine when called from the main thread as it is called when select() is not waiting. However IO handlers list can be changed in the thread other than the main one doing os_host_main_loop_wait(), for example, as a result of a hypercall which changes PCI config space (VFIO on POWER is the case) and enables/disabled MSI/MSIX which closes/creates eventfd handles. As the main loop should be waiting on the newly created eventfds, it has to be restarted. The patch adds the qemu_notify_event() call to interrupt select() to make main_loop() restart select() with the updated IO handlers list. Signed-off-by: Alexey Kardashevskiy Reviewed-by: Paolo Bonzini Signed-off-by: Anthony Liguori (cherry picked from commit 55ce75faf253d4369670f60409c608e665e8dde9) Signed-off-by: Michael Roth --- iohandler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/iohandler.c b/iohandler.c index 3c74de612..dea43552d 100644 --- a/iohandler.c +++ b/iohandler.c @@ -77,6 +77,7 @@ int qemu_set_fd_handler2(int fd, ioh->fd_write = fd_write; ioh->opaque = opaque; ioh->deleted = 0; + qemu_notify_event(); } return 0; } -- cgit v1.2.3 From 886c62a3ff5aefca7b595a830ef2def5fedb636d Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Fri, 17 Aug 2012 12:56:44 +0200 Subject: i82378: Remove bogus MMIO coalescing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This MMIO area is an entry gate to legacy PC ISA devices, addressed via PIO over there. Quite a few of the PIO ports have side effects on access like starting/stopping timers that must be executed properly ordered /wrt the CPU. So we have to remove the coalescing mark. Acked-by: Hervé Poussineau Acked-by: Andreas Färber Signed-off-by: Jan Kiszka Signed-off-by: Anthony Liguori (cherry picked from commit 0ec64507a5e6366e6d8070a82c866b935f687ed9) Signed-off-by: Michael Roth --- hw/i82378.c | 1 - 1 file changed, 1 deletion(-) diff --git a/hw/i82378.c b/hw/i82378.c index 9b11d907e..2123c142a 100644 --- a/hw/i82378.c +++ b/hw/i82378.c @@ -225,7 +225,6 @@ static int pci_i82378_init(PCIDevice *dev) pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->io); memory_region_init_io(&s->mem, &i82378_mem_ops, s, "i82378-mem", 0x01000000); - memory_region_set_coalescing(&s->mem); pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mem); /* Make I/O address read only */ -- cgit v1.2.3 From c7e6d6b1158910460b395232faeb053593da2a96 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 22 Aug 2012 10:17:04 +0000 Subject: Fix invalidate if memory requested was not bucket aligned When memory is mapped in qemu_map_cache with lock != 0 a reverse mapping is created pointing to the virtual address of location requested. The cached mapped entry is saved in last_address_vaddr with the memory location of the base virtual address (without bucket offset). However when this entry is invalidated the virtual address saved in the reverse mapping is used. This cause that the mapping is freed but the last_address_vaddr is not reset. Signed-off-by: Frediano Ziglio Signed-off-by: Stefano Stabellini (cherry picked from commit 27b7652ef515bb4c694f79d657d2052c72b19536) Signed-off-by: Michael Roth --- xen-mapcache.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/xen-mapcache.c b/xen-mapcache.c index 59ba085b6..9cd6db3d7 100644 --- a/xen-mapcache.c +++ b/xen-mapcache.c @@ -320,10 +320,6 @@ void xen_invalidate_map_cache_entry(uint8_t *buffer) target_phys_addr_t size; int found = 0; - if (mapcache->last_address_vaddr == buffer) { - mapcache->last_address_index = -1; - } - QTAILQ_FOREACH(reventry, &mapcache->locked_entries, next) { if (reventry->vaddr_req == buffer) { paddr_index = reventry->paddr_index; @@ -342,6 +338,11 @@ void xen_invalidate_map_cache_entry(uint8_t *buffer) QTAILQ_REMOVE(&mapcache->locked_entries, reventry, next); g_free(reventry); + if (mapcache->last_address_index == paddr_index) { + mapcache->last_address_index = -1; + mapcache->last_address_vaddr = NULL; + } + entry = &mapcache->entry[paddr_index % mapcache->nr_buckets]; while (entry && (entry->paddr_index != paddr_index || entry->size != size)) { pentry = entry; -- cgit v1.2.3 From 07548727b3ef25c63ed5a3f068f46059963490c6 Mon Sep 17 00:00:00 2001 From: Dongxiao Xu Date: Wed, 22 Aug 2012 10:17:43 +0000 Subject: xen-all.c: fix multiply issue for int and uint types If the two multiply operands are int and uint types separately, the int type will be transformed to uint firstly, which is not the intent in our code piece. The fix is to add (int64_t) transform for the uint type before the multiply. Signed-off-by: Dongxiao Xu Signed-off-by: Stefano Stabellini (cherry picked from commit 14d40183725361e6350166099556c7661063921b) Signed-off-by: Michael Roth --- xen-all.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/xen-all.c b/xen-all.c index b5220cc6a..c1e8c342c 100644 --- a/xen-all.c +++ b/xen-all.c @@ -710,7 +710,8 @@ static void cpu_ioreq_pio(ioreq_t *req) for (i = 0; i < req->count; i++) { tmp = do_inp(req->addr, req->size); - cpu_physical_memory_write(req->data + (sign * i * req->size), + cpu_physical_memory_write( + req->data + (sign * i * (int64_t)req->size), (uint8_t *) &tmp, req->size); } } @@ -721,7 +722,8 @@ static void cpu_ioreq_pio(ioreq_t *req) for (i = 0; i < req->count; i++) { uint32_t tmp = 0; - cpu_physical_memory_read(req->data + (sign * i * req->size), + cpu_physical_memory_read( + req->data + (sign * i * (int64_t)req->size), (uint8_t*) &tmp, req->size); do_outp(req->addr, req->size, tmp); } @@ -738,12 +740,14 @@ static void cpu_ioreq_move(ioreq_t *req) if (!req->data_is_ptr) { if (req->dir == IOREQ_READ) { for (i = 0; i < req->count; i++) { - cpu_physical_memory_read(req->addr + (sign * i * req->size), + cpu_physical_memory_read( + req->addr + (sign * i * (int64_t)req->size), (uint8_t *) &req->data, req->size); } } else if (req->dir == IOREQ_WRITE) { for (i = 0; i < req->count; i++) { - cpu_physical_memory_write(req->addr + (sign * i * req->size), + cpu_physical_memory_write( + req->addr + (sign * i * (int64_t)req->size), (uint8_t *) &req->data, req->size); } } @@ -752,16 +756,20 @@ static void cpu_ioreq_move(ioreq_t *req) if (req->dir == IOREQ_READ) { for (i = 0; i < req->count; i++) { - cpu_physical_memory_read(req->addr + (sign * i * req->size), + cpu_physical_memory_read( + req->addr + (sign * i * (int64_t)req->size), (uint8_t*) &tmp, req->size); - cpu_physical_memory_write(req->data + (sign * i * req->size), + cpu_physical_memory_write( + req->data + (sign * i * (int64_t)req->size), (uint8_t*) &tmp, req->size); } } else if (req->dir == IOREQ_WRITE) { for (i = 0; i < req->count; i++) { - cpu_physical_memory_read(req->data + (sign * i * req->size), + cpu_physical_memory_read( + req->data + (sign * i * (int64_t)req->size), (uint8_t*) &tmp, req->size); - cpu_physical_memory_write(req->addr + (sign * i * req->size), + cpu_physical_memory_write( + req->addr + (sign * i * (int64_t)req->size), (uint8_t*) &tmp, req->size); } } -- cgit v1.2.3 From 1bc633246105b629b72728b007fd9d414c6038e8 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:52 +0200 Subject: qemu-ga: don't leak a file descriptor upon failed lockf Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori (cherry picked from commit 4144f122b477164cf466ca69be24cf4ef5c218d3) Signed-off-by: Michael Roth --- qemu-ga.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/qemu-ga.c b/qemu-ga.c index 8199da789..e7f9edbc7 100644 --- a/qemu-ga.c +++ b/qemu-ga.c @@ -248,6 +248,9 @@ static bool ga_open_pidfile(const char *pidfile) pidfd = open(pidfile, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); if (pidfd == -1 || lockf(pidfd, F_TLOCK, 0)) { g_critical("Cannot lock pid file, %s", strerror(errno)); + if (pidfd != -1) { + close(pidfd); + } return false; } -- cgit v1.2.3 From df60f451b3eb94305e63f0bb12c9c361a721bc81 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:53 +0200 Subject: linux-user: do_msgrcv: don't leak host_mb upon TARGET_EFAULT failure Also, use g_malloc to avoid NULL-deref upon OOM. Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori (cherry picked from commit 0d07fe47d4986271a21ed4ff5237275ff55dd93f) Signed-off-by: Michael Roth --- linux-user/syscall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 20d2a7487..9bf0b28b8 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2794,7 +2794,7 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp, if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0)) return -TARGET_EFAULT; - host_mb = malloc(msgsz+sizeof(long)); + host_mb = g_malloc(msgsz+sizeof(long)); ret = get_errno(msgrcv(msqid, host_mb, msgsz, tswapal(msgtyp), msgflg)); if (ret > 0) { @@ -2809,11 +2809,11 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp, } target_mb->mtype = tswapal(host_mb->mtype); - free(host_mb); end: if (target_mb) unlock_user_struct(target_mb, msgp, 1); + g_free(host_mb); return ret; } -- cgit v1.2.3 From b68e45c68667dce43341c94c69126852496ddbaf Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:54 +0200 Subject: sheepdog: don't leak socket file descriptor upon connection failure Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori (cherry picked from commit a7e47d4bfcbf256fae06891a8599950ff8e1b61b) Signed-off-by: Michael Roth --- block/sheepdog.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block/sheepdog.c b/block/sheepdog.c index f46ca8fb6..36ff9d748 100644 --- a/block/sheepdog.c +++ b/block/sheepdog.c @@ -489,6 +489,7 @@ static int connect_to_sdog(const char *addr, const char *port) if (errno == EINTR) { goto reconnect; } + close(fd); break; } -- cgit v1.2.3 From cc5caf7df4ed5833183121e08c6b6131722137d5 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:55 +0200 Subject: arm-semi: don't leak 1KB user string lock buffer upon TARGET_SYS_OPEN Always call unlock_user before returning. Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori (cherry picked from commit 396bef4b3846bf4e80a2bee38e9a2d8554d0f251) Signed-off-by: Michael Roth --- arm-semi.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/arm-semi.c b/arm-semi.c index 88ca9bb1b..5d2a2d227 100644 --- a/arm-semi.c +++ b/arm-semi.c @@ -194,18 +194,19 @@ uint32_t do_arm_semihosting(CPUARMState *env) if (!(s = lock_user_string(ARG(0)))) /* FIXME - should this error code be -TARGET_EFAULT ? */ return (uint32_t)-1; - if (ARG(1) >= 12) + if (ARG(1) >= 12) { + unlock_user(s, ARG(0), 0); return (uint32_t)-1; + } if (strcmp(s, ":tt") == 0) { - if (ARG(1) < 4) - return STDIN_FILENO; - else - return STDOUT_FILENO; + int result_fileno = ARG(1) < 4 ? STDIN_FILENO : STDOUT_FILENO; + unlock_user(s, ARG(0), 0); + return result_fileno; } if (use_gdb_syscalls()) { gdb_do_syscall(arm_semi_cb, "open,%s,%x,1a4", ARG(0), (int)ARG(2)+1, gdb_open_modeflags[ARG(1)]); - return env->regs[0]; + ret = env->regs[0]; } else { ret = set_swi_errno(ts, open(s, open_modeflags[ARG(1)], 0644)); } -- cgit v1.2.3 From c068d37020f8c0d10beaf4671c41b05b923d7896 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 22 Aug 2012 13:55:56 +0200 Subject: softmmu-semi: fix lock_user* functions not to deref NULL upon OOM Return NULL upon malloc failure. Signed-off-by: Jim Meyering Signed-off-by: Anthony Liguori (cherry picked from commit 15d9e3bc6af8a56af8c61911aab8453a54795db1) Signed-off-by: Michael Roth --- softmmu-semi.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/softmmu-semi.h b/softmmu-semi.h index 648cb959d..bcb979a5b 100644 --- a/softmmu-semi.h +++ b/softmmu-semi.h @@ -40,7 +40,7 @@ static void *softmmu_lock_user(CPUArchState *env, uint32_t addr, uint32_t len, uint8_t *p; /* TODO: Make this something that isn't fixed size. */ p = malloc(len); - if (copy) + if (p && copy) cpu_memory_rw_debug(env, addr, p, len, 0); return p; } @@ -52,6 +52,9 @@ static char *softmmu_lock_user_string(CPUArchState *env, uint32_t addr) uint8_t c; /* TODO: Make this something that isn't fixed size. */ s = p = malloc(1024); + if (!s) { + return NULL; + } do { cpu_memory_rw_debug(env, addr, &c, 1, 0); addr++; -- cgit v1.2.3 From 50d0184cb7be68a521a19073c92c5ffc6adb728f Mon Sep 17 00:00:00 2001 From: Anthony Liguori Date: Thu, 23 Aug 2012 08:03:21 -0500 Subject: monitor: move json init from OPEN event to init At some point in the past, the OPEN event was changed to be issued from a bottom half. This creates a small window whereas a data callback registered in init may be invoked before the OPEN event has been issued. This is reproducible with: echo "{'execute': 'qmp_capabilities'}" | qemu-system-x86_64 -M none -qmp stdio We can fix this for the monitor by moving the parser initialization to init. The remaining state that is set in OPEN appears harmless. Reported-by: Daniel Berrange Signed-off-by: Anthony Liguori (cherry picked from commit 58617a795c8067b2f9800cffce60f38707d3aa31) Conflicts: monitor.c Signed-off-by: Michael Roth --- monitor.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/monitor.c b/monitor.c index 12a6fe25a..ab65a9aab 100644 --- a/monitor.c +++ b/monitor.c @@ -4501,13 +4501,13 @@ static void monitor_control_event(void *opaque, int event) switch (event) { case CHR_EVENT_OPENED: mon->mc->command_mode = 0; - json_message_parser_init(&mon->mc->parser, handle_qmp_command); data = get_qmp_greeting(); monitor_json_emitter(mon, data); qobject_decref(data); break; case CHR_EVENT_CLOSED: json_message_parser_destroy(&mon->mc->parser); + json_message_parser_init(&mon->mc->parser, handle_qmp_command); break; } } @@ -4610,6 +4610,8 @@ void monitor_init(CharDriverState *chr, int flags) monitor_event, mon); } + json_message_parser_init(&mon->mc->parser, handle_qmp_command); + QLIST_INSERT_HEAD(&mon_list, mon, entry); if (!default_mon || (flags & MONITOR_IS_DEFAULT)) default_mon = mon; -- cgit v1.2.3 From 5ea33884f642ab74a321527d7a91001d1562d671 Mon Sep 17 00:00:00 2001 From: Meador Inge Date: Tue, 21 Aug 2012 12:31:37 -0500 Subject: target-mips: Enable access to required RDHWR hardware registers While running in the usermode emulator all of the required* MIPS32r2 RDHWR hardware registers should be accessible (the Linux kernel enables access to these same registers). Note that these registers are still enabled when the MIPS ISA is not release 2. This is OK since the Linux kernel emulates access to them when they are not available in hardware. * There is also the ULR register which is only recommended for full release 2 compliance. Incidentally, accessing this register in the current implementation works fine without flipping its access bit. Signed-off-by: Meador Inge Signed-off-by: Aurelien Jarno (cherry picked from commit 94159135cb59684853dcd45ff70d6dbc54a29209) Signed-off-by: Michael Roth --- target-mips/translate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/target-mips/translate.c b/target-mips/translate.c index 0c563eedf..7dd21f4f7 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -12767,8 +12767,9 @@ void cpu_state_reset(CPUMIPSState *env) #if defined(CONFIG_USER_ONLY) env->hflags = MIPS_HFLAG_UM; - /* Enable access to the SYNCI_Step register. */ - env->CP0_HWREna |= (1 << 1); + /* Enable access to the CPUNum, SYNCI_Step, CC, and CCRes RDHWR + hardware registers. */ + env->CP0_HWREna |= 0x0000000F; if (env->CP0_Config1 & (1 << CP0C1_FP)) { env->hflags |= MIPS_HFLAG_FPU; } -- cgit v1.2.3 From cdcf2aa41c816482b53e2d3909557c7c3f909845 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Sun, 4 Mar 2012 08:21:39 +0100 Subject: target-mips: Fix some helper functions (VR54xx multiplication) Commits b5dc7732e1cc2fb549e48b7b5d664f2c79628e2e and be24bb4f3007c3e07cbf1934f7e781493d876ab7 optimized the code and removed the correct setting of t0. Fix this. gcc-4.7 detected this bug because parameter arg1 was unused but set in set_HIT0_LO and set_HI_LOT0. Cc: Aurelien Jarno Signed-off-by: Stefan Weil Signed-off-by: Aurelien Jarno (cherry picked from commit 6fc97fafce05eee76479ca6d289241772d21b370) Signed-off-by: Michael Roth --- target-mips/op_helper.c | 75 +++++++++++++++++++------------------------------ 1 file changed, 29 insertions(+), 46 deletions(-) diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c index 66037acec..e5bc93e22 100644 --- a/target-mips/op_helper.c +++ b/target-mips/op_helper.c @@ -192,115 +192,98 @@ static inline uint64_t get_HILO (void) return ((uint64_t)(env->active_tc.HI[0]) << 32) | (uint32_t)env->active_tc.LO[0]; } -static inline void set_HIT0_LO (target_ulong arg1, uint64_t HILO) +static inline target_ulong set_HIT0_LO(uint64_t HILO) { + target_ulong tmp; env->active_tc.LO[0] = (int32_t)(HILO & 0xFFFFFFFF); - arg1 = env->active_tc.HI[0] = (int32_t)(HILO >> 32); + tmp = env->active_tc.HI[0] = (int32_t)(HILO >> 32); + return tmp; } -static inline void set_HI_LOT0 (target_ulong arg1, uint64_t HILO) +static inline target_ulong set_HI_LOT0(uint64_t HILO) { - arg1 = env->active_tc.LO[0] = (int32_t)(HILO & 0xFFFFFFFF); + target_ulong tmp = env->active_tc.LO[0] = (int32_t)(HILO & 0xFFFFFFFF); env->active_tc.HI[0] = (int32_t)(HILO >> 32); + return tmp; } /* Multiplication variants of the vr54xx. */ target_ulong helper_muls (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, 0 - ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HI_LOT0(0 - ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); } target_ulong helper_mulsu (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, 0 - ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HI_LOT0(0 - (uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2); } target_ulong helper_macc (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, ((int64_t)get_HILO()) + ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HI_LOT0((int64_t)get_HILO() + (int64_t)(int32_t)arg1 * + (int64_t)(int32_t)arg2); } target_ulong helper_macchi (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, ((int64_t)get_HILO()) + ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HIT0_LO((int64_t)get_HILO() + (int64_t)(int32_t)arg1 * + (int64_t)(int32_t)arg2); } target_ulong helper_maccu (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, ((uint64_t)get_HILO()) + ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HI_LOT0((uint64_t)get_HILO() + (uint64_t)(uint32_t)arg1 * + (uint64_t)(uint32_t)arg2); } target_ulong helper_macchiu (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, ((uint64_t)get_HILO()) + ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HIT0_LO((uint64_t)get_HILO() + (uint64_t)(uint32_t)arg1 * + (uint64_t)(uint32_t)arg2); } target_ulong helper_msac (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, ((int64_t)get_HILO()) - ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HI_LOT0((int64_t)get_HILO() - (int64_t)(int32_t)arg1 * + (int64_t)(int32_t)arg2); } target_ulong helper_msachi (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, ((int64_t)get_HILO()) - ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HIT0_LO((int64_t)get_HILO() - (int64_t)(int32_t)arg1 * + (int64_t)(int32_t)arg2); } target_ulong helper_msacu (target_ulong arg1, target_ulong arg2) { - set_HI_LOT0(arg1, ((uint64_t)get_HILO()) - ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HI_LOT0((uint64_t)get_HILO() - (uint64_t)(uint32_t)arg1 * + (uint64_t)(uint32_t)arg2); } target_ulong helper_msachiu (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, ((uint64_t)get_HILO()) - ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HIT0_LO((uint64_t)get_HILO() - (uint64_t)(uint32_t)arg1 * + (uint64_t)(uint32_t)arg2); } target_ulong helper_mulhi (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, (int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2); - - return arg1; + return set_HIT0_LO((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2); } target_ulong helper_mulhiu (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, (uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2); - - return arg1; + return set_HIT0_LO((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2); } target_ulong helper_mulshi (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, 0 - ((int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2)); - - return arg1; + return set_HIT0_LO(0 - (int64_t)(int32_t)arg1 * (int64_t)(int32_t)arg2); } target_ulong helper_mulshiu (target_ulong arg1, target_ulong arg2) { - set_HIT0_LO(arg1, 0 - ((uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2)); - - return arg1; + return set_HIT0_LO(0 - (uint64_t)(uint32_t)arg1 * (uint64_t)(uint32_t)arg2); } #ifdef TARGET_MIPS64 -- cgit v1.2.3 From 5330a894ed44e18ba8eb038fbc1060eac34ad8bc Mon Sep 17 00:00:00 2001 From: Anthony Liguori Date: Thu, 23 Aug 2012 13:49:02 -0500 Subject: monitor: don't try to initialize json parser when monitor is HMP Reported-by: Michael Roth Signed-off-by: Anthony Liguori (cherry picked from commit 26efaca377e004b79ff50a6e936d029a0c095b8b) Signed-off-by: Michael Roth --- monitor.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monitor.c b/monitor.c index ab65a9aab..a7af002ed 100644 --- a/monitor.c +++ b/monitor.c @@ -4605,13 +4605,13 @@ void monitor_init(CharDriverState *chr, int flags) qemu_chr_add_handlers(chr, monitor_can_read, monitor_control_read, monitor_control_event, mon); qemu_chr_fe_set_echo(chr, true); + + json_message_parser_init(&mon->mc->parser, handle_qmp_command); } else { qemu_chr_add_handlers(chr, monitor_can_read, monitor_read, monitor_event, mon); } - json_message_parser_init(&mon->mc->parser, handle_qmp_command); - QLIST_INSERT_HEAD(&mon_list, mon, entry); if (!default_mon || (flags & MONITOR_IS_DEFAULT)) default_mon = mon; -- cgit v1.2.3 From 1d34dff02fad135a64266e670f01ac3c6a408fa1 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 22 Aug 2012 23:09:46 +0200 Subject: qom: object_delete should unparent the object first object_deinit is only called when the reference count goes to zero, and yet tries to do an object_unparent. Now, object_unparent either does nothing or it will decrease the reference count. Because we know the reference count is zero, the object_unparent call in object_deinit is useless. Instead, we need to disconnect the object from its parent just before we remove the last reference apart from the parent's. This happens in object_delete. Once we do this, all calls to object_unparent peppered through QEMU can go away. Signed-off-by: Paolo Bonzini Signed-off-by: Anthony Liguori (cherry picked from commit da5a44e8b0b727681fc33e8d94832d1cae48a788) Signed-off-by: Michael Roth --- hw/acpi_piix4.c | 1 - hw/qdev.c | 2 -- hw/xen_platform.c | 3 --- qom/object.c | 5 ++--- 4 files changed, 2 insertions(+), 9 deletions(-) diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c index 0345490ee..585da4e3e 100644 --- a/hw/acpi_piix4.c +++ b/hw/acpi_piix4.c @@ -299,7 +299,6 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots) if (pc->no_hotplug) { slot_free = false; } else { - object_unparent(OBJECT(dev)); qdev_free(qdev); } } diff --git a/hw/qdev.c b/hw/qdev.c index 8e8ca3ff9..37c72c559 100644 --- a/hw/qdev.c +++ b/hw/qdev.c @@ -150,7 +150,6 @@ int qdev_init(DeviceState *dev) rc = dc->init(dev); if (rc < 0) { - object_unparent(OBJECT(dev)); qdev_free(dev); return rc; } @@ -241,7 +240,6 @@ void qbus_reset_all_fn(void *opaque) int qdev_simple_unplug_cb(DeviceState *dev) { /* just zap it */ - object_unparent(OBJECT(dev)); qdev_free(dev); return 0; } diff --git a/hw/xen_platform.c b/hw/xen_platform.c index 0214f370b..84221df1c 100644 --- a/hw/xen_platform.c +++ b/hw/xen_platform.c @@ -87,9 +87,6 @@ static void unplug_nic(PCIBus *b, PCIDevice *d) { if (pci_get_word(d->config + PCI_CLASS_DEVICE) == PCI_CLASS_NETWORK_ETHERNET) { - /* Until qdev_free includes a call to object_unparent, we call it here - */ - object_unparent(&d->qdev.parent_obj); qdev_free(&d->qdev); } } diff --git a/qom/object.c b/qom/object.c index 6f839ad8c..58dd8862e 100644 --- a/qom/object.c +++ b/qom/object.c @@ -347,8 +347,6 @@ static void object_deinit(Object *obj, TypeImpl *type) if (type_has_parent(type)) { object_deinit(obj, type_get_parent(type)); } - - object_unparent(obj); } void object_finalize(void *data) @@ -385,8 +383,9 @@ Object *object_new(const char *typename) void object_delete(Object *obj) { + object_unparent(obj); + g_assert(obj->ref == 1); object_unref(obj); - g_assert(obj->ref == 0); g_free(obj); } -- cgit v1.2.3 From 63f7166a80a204e8d6d1732315b5c924d46f31d3 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 22 Aug 2012 23:09:47 +0200 Subject: ivshmem: fix memory_region_del_eventfd assertion failure We do not register ioeventfds unless the IVSHMEM_IOEVENTFD feature is set. The same feature must be checked before releasing the eventfds. Regression introduced by commit 563027c (ivshmem: use EventNotifier and memory API, 2012-07-05). Reported-by: Cam Macdonnell Tested-by: Cam Macdonnell Signed-off-by: Paolo Bonzini Signed-off-by: Anthony Liguori (cherry picked from commit 98609cd8fcf755c0ba7049d751353b8b2e243b65) Signed-off-by: Michael Roth --- hw/ivshmem.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/ivshmem.c b/hw/ivshmem.c index d48e5f990..36005618b 100644 --- a/hw/ivshmem.c +++ b/hw/ivshmem.c @@ -351,6 +351,10 @@ static void close_guest_eventfds(IVShmemState *s, int posn) { int i, guest_curr_max; + if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) { + return; + } + guest_curr_max = s->peers[posn].nb_eventfds; for (i = 0; i < guest_curr_max; i++) { -- cgit v1.2.3 From 0214b6b4deb87d70bfc5fb00ba62f85fcf06f8ab Mon Sep 17 00:00:00 2001 From: Matthew Ogilvie Date: Thu, 23 Aug 2012 00:24:39 -0600 Subject: target-i386/translate.c: mov to/from crN/drN: ignore mod bits > This instruction is always treated as a register-to-register (MOD = 11) > instruction, regardless of the encoding of the MOD field in the MODR/M > byte. Also, Microport UNIX System V/386 v 2.1 (ca 1987) runs fine on real Intel 386 and 486 CPU's (at least), but does not run in qemu without this patch. Signed-off-by: Matthew Ogilvie Signed-off-by: malc (cherry picked from commit 5c73b757e3aa80dc84352b2ede0d8bdea5419f6d) Conflicts: target-i386/translate.c Signed-off-by: Michael Roth --- target-i386/translate.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/target-i386/translate.c b/target-i386/translate.c index c1ede1a75..c792e7ace 100644 --- a/target-i386/translate.c +++ b/target-i386/translate.c @@ -7409,8 +7409,11 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start) gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } else { modrm = ldub_code(s->pc++); - if ((modrm & 0xc0) != 0xc0) - goto illegal_op; + /* Ignore the mod bits (assume (modrm&0xc0)==0xc0). + * AMD documentation (24594.pdf) and testing of + * intel 386 and 486 processors all show that the mod bits + * are assumed to be 1's, regardless of actual values. + */ rm = (modrm & 7) | REX_B(s); reg = ((modrm >> 3) & 7) | rex_r; if (CODE64(s)) @@ -7451,8 +7454,11 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start) gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base); } else { modrm = ldub_code(s->pc++); - if ((modrm & 0xc0) != 0xc0) - goto illegal_op; + /* Ignore the mod bits (assume (modrm&0xc0)==0xc0). + * AMD documentation (24594.pdf) and testing of + * intel 386 and 486 processors all show that the mod bits + * are assumed to be 1's, regardless of actual values. + */ rm = (modrm & 7) | REX_B(s); reg = ((modrm >> 3) & 7) | rex_r; if (CODE64(s)) -- cgit v1.2.3 From 0ba3d50242573c3c821f275e6061655b7e6d4ae1 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Sun, 26 Aug 2012 14:40:02 +0100 Subject: tcg/arm: Fix broken CONFIG_TCG_PASS_AREG0 code The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was broken in that it did not respect the ABI requirement that 64 bit values were passed in even-odd register pairs. The simplest way to fix this is to implement some new utility functions for marshalling function arguments into the correct registers and stack, so that the code which sets up the address and data arguments does not need to care whether there has been a preceding env argument. Signed-off-by: Peter Maydell Signed-off-by: Blue Swirl (cherry picked from commit 9716ef3b1b48ebbb4b6515fb4685a5db96ce41d9) Signed-off-by: Michael Roth --- tcg/arm/tcg-target.c | 237 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 144 insertions(+), 93 deletions(-) diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c index 4d59a6385..cf0ca3d0b 100644 --- a/tcg/arm/tcg-target.c +++ b/tcg/arm/tcg-target.c @@ -176,6 +176,13 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) so don't use these. */ tcg_regset_reset_reg(ct->u.regs, TCG_REG_R0); tcg_regset_reset_reg(ct->u.regs, TCG_REG_R1); +#if defined(CONFIG_TCG_PASS_AREG0) && (TARGET_LONG_BITS == 64) + /* If we're passing env to the helper as r0 and need a regpair + * for the address then r2 will be overwritten as we're setting + * up the args to the helper. + */ + tcg_regset_reset_reg(ct->u.regs, TCG_REG_R2); +#endif #endif break; case 'L': @@ -197,6 +204,12 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) use these. */ tcg_regset_reset_reg(ct->u.regs, TCG_REG_R0); tcg_regset_reset_reg(ct->u.regs, TCG_REG_R1); +#if defined(CONFIG_SOFTMMU) && \ + defined(CONFIG_TCG_PASS_AREG0) && (TARGET_LONG_BITS == 64) + /* Avoid clashes with registers being used for helper args */ + tcg_regset_reset_reg(ct->u.regs, TCG_REG_R2); + tcg_regset_reset_reg(ct->u.regs, TCG_REG_R3); +#endif break; /* qemu_st64 data_reg2 */ case 'S': @@ -210,6 +223,10 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) #ifdef CONFIG_SOFTMMU /* r2 is still needed to load data_reg, so don't use it. */ tcg_regset_reset_reg(ct->u.regs, TCG_REG_R2); +#if defined(CONFIG_TCG_PASS_AREG0) && (TARGET_LONG_BITS == 64) + /* Avoid clashes with registers being used for helper args */ + tcg_regset_reset_reg(ct->u.regs, TCG_REG_R3); +#endif #endif break; @@ -388,6 +405,14 @@ static inline void tcg_out_dat_reg(TCGContext *s, (rn << 16) | (rd << 12) | shift | rm); } +static inline void tcg_out_mov_reg(TCGContext *s, int cond, int rd, int rm) +{ + /* Simple reg-reg move, optimising out the 'do nothing' case */ + if (rd != rm) { + tcg_out_dat_reg(s, cond, ARITH_MOV, rd, 0, rm, SHIFT_IMM_LSL(0)); + } +} + static inline void tcg_out_dat_reg2(TCGContext *s, int cond, int opc0, int opc1, int rd0, int rd1, int rn0, int rn1, int rm0, int rm1, int shift) @@ -966,6 +991,90 @@ static void *qemu_st_helpers[4] = { __stq_mmu, }; #endif + +/* Helper routines for marshalling helper function arguments into + * the correct registers and stack. + * argreg is where we want to put this argument, arg is the argument itself. + * Return value is the updated argreg ready for the next call. + * Note that argreg 0..3 is real registers, 4+ on stack. + * When we reach the first stacked argument, we allocate space for it + * and the following stacked arguments using "str r8, [sp, #-0x10]!". + * Following arguments are filled in with "str r8, [sp, #0xNN]". + * For more than 4 stacked arguments we'd need to know how much + * space to allocate when we pushed the first stacked argument. + * We don't need this, so don't implement it (and will assert if you try it.) + * + * We provide routines for arguments which are: immediate, 32 bit + * value in register, 16 and 8 bit values in register (which must be zero + * extended before use) and 64 bit value in a lo:hi register pair. + */ +#define DEFINE_TCG_OUT_ARG(NAME, ARGPARAM) \ + static TCGReg NAME(TCGContext *s, TCGReg argreg, ARGPARAM) \ + { \ + if (argreg < 4) { \ + TCG_OUT_ARG_GET_ARG(argreg); \ + } else if (argreg == 4) { \ + TCG_OUT_ARG_GET_ARG(TCG_REG_R8); \ + tcg_out32(s, (COND_AL << 28) | 0x052d8010); \ + } else { \ + assert(argreg < 8); \ + TCG_OUT_ARG_GET_ARG(TCG_REG_R8); \ + tcg_out32(s, (COND_AL << 28) | 0x058d8000 | (argreg - 4) * 4); \ + } \ + return argreg + 1; \ + } + +#define TCG_OUT_ARG_GET_ARG(A) tcg_out_dat_imm(s, COND_AL, ARITH_MOV, A, 0, arg) +DEFINE_TCG_OUT_ARG(tcg_out_arg_imm32, uint32_t arg) +#undef TCG_OUT_ARG_GET_ARG +#define TCG_OUT_ARG_GET_ARG(A) tcg_out_ext8u(s, COND_AL, A, arg) +DEFINE_TCG_OUT_ARG(tcg_out_arg_reg8, TCGReg arg) +#undef TCG_OUT_ARG_GET_ARG +#define TCG_OUT_ARG_GET_ARG(A) tcg_out_ext16u(s, COND_AL, A, arg) +DEFINE_TCG_OUT_ARG(tcg_out_arg_reg16, TCGReg arg) +#undef TCG_OUT_ARG_GET_ARG + +/* We don't use the macro for this one to avoid an unnecessary reg-reg + * move when storing to the stack. + */ +static TCGReg tcg_out_arg_reg32(TCGContext *s, TCGReg argreg, TCGReg arg) +{ + if (argreg < 4) { + tcg_out_mov_reg(s, COND_AL, argreg, arg); + } else if (argreg == 4) { + /* str arg, [sp, #-0x10]! */ + tcg_out32(s, (COND_AL << 28) | 0x052d0010 | (arg << 12)); + } else { + assert(argreg < 8); + /* str arg, [sp, #0xNN] */ + tcg_out32(s, (COND_AL << 28) | 0x058d0000 | + (arg << 12) | (argreg - 4) * 4); + } + return argreg + 1; +} + +static inline TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg, + TCGReg arglo, TCGReg arghi) +{ + /* 64 bit arguments must go in even/odd register pairs + * and in 8-aligned stack slots. + */ + if (argreg & 1) { + argreg++; + } + argreg = tcg_out_arg_reg32(s, argreg, arglo); + argreg = tcg_out_arg_reg32(s, argreg, arghi); + return argreg; +} + +static inline void tcg_out_arg_stacktidy(TCGContext *s, TCGReg argreg) +{ + /* Output any necessary post-call cleanup of the stack */ + if (argreg > 4) { + tcg_out_dat_imm(s, COND_AL, ARITH_ADD, TCG_REG_R13, TCG_REG_R13, 0x10); + } +} + #endif #define TLB_SHIFT (CPU_TLB_ENTRY_BITS + CPU_TLB_BITS) @@ -975,6 +1084,7 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) int addr_reg, data_reg, data_reg2, bswap; #ifdef CONFIG_SOFTMMU int mem_index, s_bits; + TCGReg argreg; # if TARGET_LONG_BITS == 64 int addr_reg2; # endif @@ -1088,31 +1198,22 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) tcg_out_b_noaddr(s, COND_EQ); /* TODO: move this code to where the constants pool will be */ - if (addr_reg != TCG_REG_R0) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R0, 0, addr_reg, SHIFT_IMM_LSL(0)); - } -# if TARGET_LONG_BITS == 32 - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R1, 0, mem_index); -# else - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R1, 0, addr_reg2, SHIFT_IMM_LSL(0)); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R2, 0, mem_index); -# endif + /* Note that this code relies on the constraints we set in arm_op_defs[] + * to ensure that later arguments are not passed to us in registers we + * trash by moving the earlier arguments into them. + */ + argreg = TCG_REG_R0; #ifdef CONFIG_TCG_PASS_AREG0 - /* XXX/FIXME: suboptimal and incorrect for 64 bit */ - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[2], 0, - tcg_target_call_iarg_regs[1], SHIFT_IMM_LSL(0)); - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[1], 0, - tcg_target_call_iarg_regs[0], SHIFT_IMM_LSL(0)); - - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[0], 0, TCG_AREG0, - SHIFT_IMM_LSL(0)); + argreg = tcg_out_arg_reg32(s, argreg, TCG_AREG0); #endif +#if TARGET_LONG_BITS == 64 + argreg = tcg_out_arg_reg64(s, argreg, addr_reg, addr_reg2); +#else + argreg = tcg_out_arg_reg32(s, argreg, addr_reg); +#endif + argreg = tcg_out_arg_imm32(s, argreg, mem_index); tcg_out_call(s, (tcg_target_long) qemu_ld_helpers[s_bits]); + tcg_out_arg_stacktidy(s, argreg); switch (opc) { case 0 | 4: @@ -1211,6 +1312,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc) int addr_reg, data_reg, data_reg2, bswap; #ifdef CONFIG_SOFTMMU int mem_index, s_bits; + TCGReg argreg; # if TARGET_LONG_BITS == 64 int addr_reg2; # endif @@ -1314,89 +1416,38 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc) tcg_out_b_noaddr(s, COND_EQ); /* TODO: move this code to where the constants pool will be */ - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R0, 0, addr_reg, SHIFT_IMM_LSL(0)); -# if TARGET_LONG_BITS == 32 - switch (opc) { - case 0: - tcg_out_ext8u(s, COND_AL, TCG_REG_R1, data_reg); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R2, 0, mem_index); - break; - case 1: - tcg_out_ext16u(s, COND_AL, TCG_REG_R1, data_reg); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R2, 0, mem_index); - break; - case 2: - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R1, 0, data_reg, SHIFT_IMM_LSL(0)); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R2, 0, mem_index); - break; - case 3: - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R8, 0, mem_index); - tcg_out32(s, (COND_AL << 28) | 0x052d8010); /* str r8, [sp, #-0x10]! */ - if (data_reg != TCG_REG_R2) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R2, 0, data_reg, SHIFT_IMM_LSL(0)); - } - if (data_reg2 != TCG_REG_R3) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R3, 0, data_reg2, SHIFT_IMM_LSL(0)); - } - break; - } -# else - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R1, 0, addr_reg2, SHIFT_IMM_LSL(0)); + /* Note that this code relies on the constraints we set in arm_op_defs[] + * to ensure that later arguments are not passed to us in registers we + * trash by moving the earlier arguments into them. + */ + argreg = TCG_REG_R0; +#ifdef CONFIG_TCG_PASS_AREG0 + argreg = tcg_out_arg_reg32(s, argreg, TCG_AREG0); +#endif +#if TARGET_LONG_BITS == 64 + argreg = tcg_out_arg_reg64(s, argreg, addr_reg, addr_reg2); +#else + argreg = tcg_out_arg_reg32(s, argreg, addr_reg); +#endif + switch (opc) { case 0: - tcg_out_ext8u(s, COND_AL, TCG_REG_R2, data_reg); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R3, 0, mem_index); + argreg = tcg_out_arg_reg8(s, argreg, data_reg); break; case 1: - tcg_out_ext16u(s, COND_AL, TCG_REG_R2, data_reg); - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R3, 0, mem_index); + argreg = tcg_out_arg_reg16(s, argreg, data_reg); break; case 2: - if (data_reg != TCG_REG_R2) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R2, 0, data_reg, SHIFT_IMM_LSL(0)); - } - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R3, 0, mem_index); + argreg = tcg_out_arg_reg32(s, argreg, data_reg); break; case 3: - tcg_out_dat_imm(s, COND_AL, ARITH_MOV, TCG_REG_R8, 0, mem_index); - tcg_out32(s, (COND_AL << 28) | 0x052d8010); /* str r8, [sp, #-0x10]! */ - if (data_reg != TCG_REG_R2) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R2, 0, data_reg, SHIFT_IMM_LSL(0)); - } - if (data_reg2 != TCG_REG_R3) { - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - TCG_REG_R3, 0, data_reg2, SHIFT_IMM_LSL(0)); - } + argreg = tcg_out_arg_reg64(s, argreg, data_reg, data_reg2); break; } -# endif - -#ifdef CONFIG_TCG_PASS_AREG0 - /* XXX/FIXME: suboptimal and incorrect for 64 bit */ - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[3], 0, - tcg_target_call_iarg_regs[2], SHIFT_IMM_LSL(0)); - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[2], 0, - tcg_target_call_iarg_regs[1], SHIFT_IMM_LSL(0)); - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[1], 0, - tcg_target_call_iarg_regs[0], SHIFT_IMM_LSL(0)); - tcg_out_dat_reg(s, COND_AL, ARITH_MOV, - tcg_target_call_iarg_regs[0], 0, TCG_AREG0, - SHIFT_IMM_LSL(0)); -#endif + argreg = tcg_out_arg_imm32(s, argreg, mem_index); tcg_out_call(s, (tcg_target_long) qemu_st_helpers[s_bits]); - if (opc == 3) - tcg_out_dat_imm(s, COND_AL, ARITH_ADD, TCG_REG_R13, TCG_REG_R13, 0x10); + tcg_out_arg_stacktidy(s, argreg); reloc_pc24(label_ptr, (tcg_target_long)s->code_ptr); #else /* !CONFIG_SOFTMMU */ -- cgit v1.2.3 From ec16f35e4e448a11741263c08bf4e76533c435c8 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sat, 25 Aug 2012 23:59:58 +0200 Subject: tcg/ia64: fix prologue/epilogue Prologue and epilogue code has been broken in cea5f9a28. Signed-off-by: Aurelien Jarno (cherry picked from commit 18d445b443a5fa06a7c2819a170623b970afb3fb) Signed-off-by: Michael Roth --- tcg/ia64/tcg-target.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c index e02dacc84..b3c7db0f9 100644 --- a/tcg/ia64/tcg-target.c +++ b/tcg/ia64/tcg-target.c @@ -107,7 +107,7 @@ enum { }; static const int tcg_target_reg_alloc_order[] = { - TCG_REG_R34, + TCG_REG_R33, TCG_REG_R35, TCG_REG_R36, TCG_REG_R37, @@ -2314,13 +2314,13 @@ static void tcg_target_qemu_prologue(TCGContext *s) s->code_ptr += 16; /* skip GP */ /* prologue */ - tcg_out_bundle(s, mII, + tcg_out_bundle(s, miI, tcg_opc_m34(TCG_REG_P0, OPC_ALLOC_M34, - TCG_REG_R33, 32, 24, 0), + TCG_REG_R34, 32, 24, 0), + tcg_opc_a4 (TCG_REG_P0, OPC_ADDS_A4, + TCG_AREG0, 0, TCG_REG_R32), tcg_opc_i21(TCG_REG_P0, OPC_MOV_I21, - TCG_REG_B6, TCG_REG_R33, 0), - tcg_opc_i22(TCG_REG_P0, OPC_MOV_I22, - TCG_REG_R32, TCG_REG_B0)); + TCG_REG_B6, TCG_REG_R33, 0)); /* ??? If GUEST_BASE < 0x200000, we could load the register via an ADDL in the M slot of the next bundle. */ @@ -2334,10 +2334,10 @@ static void tcg_target_qemu_prologue(TCGContext *s) } tcg_out_bundle(s, miB, - tcg_opc_a4 (TCG_REG_P0, OPC_ADDS_A4, - TCG_AREG0, 0, TCG_REG_R32), tcg_opc_a4 (TCG_REG_P0, OPC_ADDS_A4, TCG_REG_R12, -frame_size, TCG_REG_R12), + tcg_opc_i22(TCG_REG_P0, OPC_MOV_I22, + TCG_REG_R32, TCG_REG_B0), tcg_opc_b4 (TCG_REG_P0, OPC_BR_SPTK_MANY_B4, TCG_REG_B6)); /* epilogue */ @@ -2351,7 +2351,7 @@ static void tcg_target_qemu_prologue(TCGContext *s) tcg_out_bundle(s, miB, tcg_opc_m48(TCG_REG_P0, OPC_NOP_M48, 0), tcg_opc_i26(TCG_REG_P0, OPC_MOV_I_I26, - TCG_REG_PFS, TCG_REG_R33), + TCG_REG_PFS, TCG_REG_R34), tcg_opc_b4 (TCG_REG_P0, OPC_BR_RET_SPTK_MANY_B4, TCG_REG_B0)); } @@ -2403,7 +2403,7 @@ static void tcg_target_init(TCGContext *s) tcg_regset_set_reg(s->reserved_regs, TCG_REG_R12); /* stack pointer */ tcg_regset_set_reg(s->reserved_regs, TCG_REG_R13); /* thread pointer */ tcg_regset_set_reg(s->reserved_regs, TCG_REG_R32); /* return address */ - tcg_regset_set_reg(s->reserved_regs, TCG_REG_R33); /* PFS */ + tcg_regset_set_reg(s->reserved_regs, TCG_REG_R34); /* PFS */ /* The following 3 are not in use, are call-saved, but *not* saved by the prologue. Therefore we cannot use them without modifying -- cgit v1.2.3 From 50462f2ca8098aff7d947772446b6060e2f59f79 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 26 Aug 2012 00:45:27 +0200 Subject: tcg/ia64: fix and optimize ld/st slow path Store slow path has been broken in e141ab52d: - the arguments are shifted before the last one (mem_index) is written. - the shift is done for both slow and fast paths. Fix that. Also optimize a bit by bundling the move together. This still can be optimized, but it's better to wait for a decision to be taken on the arguments order. Signed-off-by: Aurelien Jarno (cherry picked from commit d03c98d80ffb7c561d9e6874580f52fe7ecc8c6c) Signed-off-by: Michael Roth --- tcg/ia64/tcg-target.c | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c index b3c7db0f9..dc588dbea 100644 --- a/tcg/ia64/tcg-target.c +++ b/tcg/ia64/tcg-target.c @@ -1532,12 +1532,13 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) } #ifdef CONFIG_TCG_PASS_AREG0 /* XXX/FIXME: suboptimal */ - tcg_out_mov(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[2], - tcg_target_call_iarg_regs[1]); - tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1], - tcg_target_call_iarg_regs[0]); - tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], - TCG_AREG0); + tcg_out_bundle(s, mII, + tcg_opc_a5 (TCG_REG_P7, OPC_ADDL_A5, TCG_REG_R58, + mem_index, TCG_REG_R0), + tcg_opc_a4 (TCG_REG_P7, OPC_ADDS_A4, + TCG_REG_R57, 0, TCG_REG_R56), + tcg_opc_a4 (TCG_REG_P7, OPC_ADDS_A4, + TCG_REG_R56, 0, TCG_AREG0)); #endif if (!bswap || s_bits == 0) { tcg_out_bundle(s, miB, @@ -1659,15 +1660,21 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc) #ifdef CONFIG_TCG_PASS_AREG0 /* XXX/FIXME: suboptimal */ - tcg_out_mov(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], - tcg_target_call_iarg_regs[2]); - tcg_out_mov(s, TCG_TYPE_I64, tcg_target_call_iarg_regs[2], - tcg_target_call_iarg_regs[1]); - tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1], - tcg_target_call_iarg_regs[0]); - tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], - TCG_AREG0); -#endif + tcg_out_bundle(s, mII, + tcg_opc_a5 (TCG_REG_P7, OPC_ADDL_A5, TCG_REG_R59, + mem_index, TCG_REG_R0), + tcg_opc_a4 (TCG_REG_P7, OPC_ADDS_A4, + TCG_REG_R58, 0, TCG_REG_R57), + tcg_opc_a4 (TCG_REG_P7, OPC_ADDS_A4, + TCG_REG_R57, 0, TCG_REG_R56)); + tcg_out_bundle(s, miB, + tcg_opc_m4 (TCG_REG_P6, opc_st_m4[opc], + data_reg, TCG_REG_R3), + tcg_opc_a4 (TCG_REG_P7, OPC_ADDS_A4, + TCG_REG_R56, 0, TCG_AREG0), + tcg_opc_b5 (TCG_REG_P7, OPC_BR_CALL_SPTK_MANY_B5, + TCG_REG_B0, TCG_REG_B6)); +#else tcg_out_bundle(s, miB, tcg_opc_m4 (TCG_REG_P6, opc_st_m4[opc], data_reg, TCG_REG_R3), @@ -1675,6 +1682,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc) mem_index, TCG_REG_R0), tcg_opc_b5 (TCG_REG_P7, OPC_BR_CALL_SPTK_MANY_B5, TCG_REG_B0, TCG_REG_B6)); +#endif } #else /* !CONFIG_SOFTMMU */ -- cgit v1.2.3 From 9a32fb28244272f4e57145646a5f4b67edb6e111 Mon Sep 17 00:00:00 2001 From: Richard Sandiford Date: Mon, 27 Aug 2012 09:50:38 +0100 Subject: Fix operands of RECIP2.S and RECIP2.PS Read the second input operand of RECIP2.S and RECIP2.PS from FT rather than FD. RECIP2.D is already correct. Signed-off-by: Richard Sandiford Signed-off-by: Aurelien Jarno (cherry picked from commit d22d7289877ecd3ef86570f6f6d0574da40711dc) Signed-off-by: Michael Roth --- target-mips/translate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target-mips/translate.c b/target-mips/translate.c index 7dd21f4f7..79018f0f4 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -6805,7 +6805,7 @@ static void gen_farith (DisasContext *ctx, enum fopcode op1, TCGv_i32 fp1 = tcg_temp_new_i32(); gen_load_fpr32(fp0, fs); - gen_load_fpr32(fp1, fd); + gen_load_fpr32(fp1, ft); gen_helper_float_recip2_s(fp0, fp0, fp1); tcg_temp_free_i32(fp1); gen_store_fpr32(fp0, fd); @@ -7543,7 +7543,7 @@ static void gen_farith (DisasContext *ctx, enum fopcode op1, TCGv_i64 fp1 = tcg_temp_new_i64(); gen_load_fpr64(ctx, fp0, fs); - gen_load_fpr64(ctx, fp1, fd); + gen_load_fpr64(ctx, fp1, ft); gen_helper_float_recip2_ps(fp0, fp0, fp1); tcg_temp_free_i64(fp1); gen_store_fpr64(ctx, fp0, fd); -- cgit v1.2.3 From bc4321e754e8fadac0d8173c73719700a8c98d4a Mon Sep 17 00:00:00 2001 From: Richard Sandiford Date: Mon, 27 Aug 2012 09:53:29 +0100 Subject: Fix order of CVT.PS.S operands The FS input to CVT.PS.S is the high half and FT is the low half. tcg_gen_concat_i32_i64 takes the low half first, so the operands were in the wrong order. Signed-off-by: Richard Sandiford Signed-off-by: Aurelien Jarno (cherry picked from commit 13d24f49720a3e7b35a21222ef182c8513f139db) Signed-off-by: Michael Roth --- target-mips/translate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-mips/translate.c b/target-mips/translate.c index 79018f0f4..7687566e8 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -6900,7 +6900,7 @@ static void gen_farith (DisasContext *ctx, enum fopcode op1, gen_load_fpr32(fp32_0, fs); gen_load_fpr32(fp32_1, ft); - tcg_gen_concat_i32_i64(fp64, fp32_0, fp32_1); + tcg_gen_concat_i32_i64(fp64, fp32_1, fp32_0); tcg_temp_free_i32(fp32_1); tcg_temp_free_i32(fp32_0); gen_store_fpr64(ctx, fp64, fd); -- cgit v1.2.3 From 2f0f684cce95a9e0ef709cc2614fd1512cf0bb85 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Fri, 30 Mar 2012 13:16:36 -0400 Subject: target-mips: Streamline indexed cp1 memory addressing. We've already eliminated both base and index being zero. Signed-off-by: Aurelien Jarno (cherry picked from commit 05168674505153a641c7bfddb691d2eda11d13d1) Signed-off-by: Michael Roth --- target-mips/translate.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/target-mips/translate.c b/target-mips/translate.c index 7687566e8..cb6077d80 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -7742,8 +7742,7 @@ static void gen_flt3_ldst (DisasContext *ctx, uint32_t opc, } else if (index == 0) { gen_load_gpr(t0, base); } else { - gen_load_gpr(t0, index); - gen_op_addr_add(ctx, t0, cpu_gpr[base], t0); + gen_op_addr_add(ctx, t0, cpu_gpr[base], cpu_gpr[index]); } /* Don't do NOP if destination is zero: we must perform the actual memory access. */ -- cgit v1.2.3 From 8d45ae83523ae29fc05c6a3f7af3d863e3af18e7 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Fri, 30 Mar 2012 13:16:37 -0400 Subject: mips-linux-user: Always support rdhwr. The kernel will emulate this instruction if it's not supported natively. This insn is used for TLS, among other things, and so is required by modern glibc. Signed-off-by: Richard Henderson Cc: Riku Voipio Signed-off-by: Aurelien Jarno (cherry picked from commit b3167288367f79754b74ad933146e37938ebff13) Signed-off-by: Michael Roth --- target-mips/translate.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target-mips/translate.c b/target-mips/translate.c index cb6077d80..1f1d43488 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -8111,7 +8111,11 @@ gen_rdhwr (CPUMIPSState *env, DisasContext *ctx, int rt, int rd) { TCGv t0; +#if !defined(CONFIG_USER_ONLY) + /* The Linux kernel will emulate rdhwr if it's not supported natively. + Therefore only check the ISA in system mode. */ check_insn(env, ctx, ISA_MIPS32R2); +#endif t0 = tcg_temp_new(); switch (rd) { -- cgit v1.2.3 From 57708c532fb37163c445e7e4827e182cce2bbf60 Mon Sep 17 00:00:00 2001 From: Eric Johnson Date: Sat, 17 Sep 2011 17:05:32 -0700 Subject: target-mips: add privilege level check to several Cop0 instructions The MIPS Architecture Verification Programs (AVPs) check privileged instructions for the required privilege level. These changes are needed to pass the AVP suite. Signed-off-by: Eric Johnson Signed-off-by: Aurelien Jarno (cherry picked from commit 2e15497c5b8d0d172dece0cf56e2d2e977a6b679) Signed-off-by: Michael Roth --- target-mips/translate.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/target-mips/translate.c b/target-mips/translate.c index 1f1d43488..5adf0ceed 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -5933,6 +5933,7 @@ static void gen_cp0 (CPUMIPSState *env, DisasContext *ctx, uint32_t opc, int rt, { const char *opn = "ldst"; + check_cp0_enabled(ctx); switch (opc) { case OPC_MFC0: if (rt == 0) { @@ -10121,6 +10122,7 @@ static void gen_pool32axf (CPUMIPSState *env, DisasContext *ctx, int rt, int rs, #ifndef CONFIG_USER_ONLY case MFC0: case MFC0 + 32: + check_cp0_enabled(ctx); if (rt == 0) { /* Treat as NOP. */ break; @@ -10129,6 +10131,7 @@ static void gen_pool32axf (CPUMIPSState *env, DisasContext *ctx, int rt, int rs, break; case MTC0: case MTC0 + 32: + check_cp0_enabled(ctx); { TCGv t0 = tcg_temp_new(); @@ -10225,10 +10228,12 @@ static void gen_pool32axf (CPUMIPSState *env, DisasContext *ctx, int rt, int rs, case 0x05: switch (minor) { case RDPGPR: + check_cp0_enabled(ctx); check_insn(env, ctx, ISA_MIPS32R2); gen_load_srsgpr(rt, rs); break; case WRPGPR: + check_cp0_enabled(ctx); check_insn(env, ctx, ISA_MIPS32R2); gen_store_srsgpr(rt, rs); break; @@ -10269,6 +10274,7 @@ static void gen_pool32axf (CPUMIPSState *env, DisasContext *ctx, int rt, int rs, case 0x1d: switch (minor) { case DI: + check_cp0_enabled(ctx); { TCGv t0 = tcg_temp_new(); @@ -10281,6 +10287,7 @@ static void gen_pool32axf (CPUMIPSState *env, DisasContext *ctx, int rt, int rs, } break; case EI: + check_cp0_enabled(ctx); { TCGv t0 = tcg_temp_new(); @@ -10761,6 +10768,7 @@ static void decode_micromips32_opc (CPUMIPSState *env, DisasContext *ctx, minor = (ctx->opcode >> 12) & 0xf; switch (minor) { case CACHE: + check_cp0_enabled(ctx); /* Treat as no-op. */ break; case LWC2: @@ -12211,6 +12219,7 @@ static void decode_opc (CPUMIPSState *env, DisasContext *ctx, int *is_branch) gen_st_cond(ctx, op, rt, rs, imm); break; case OPC_CACHE: + check_cp0_enabled(ctx); check_insn(env, ctx, ISA_MIPS3 | ISA_MIPS32); /* Treat as NOP. */ break; -- cgit v1.2.3 From 849c8651553ecbbb29993880b8709b0ab8e27ab1 Mon Sep 17 00:00:00 2001 From: Eric Johnson Date: Sat, 17 Sep 2011 17:28:16 -0700 Subject: target-mips: allow microMIPS SWP and SDP to have RD equal to BASE The microMIPS SWP and SDP instructions do not modify GPRs. So their behavior is well defined when RD equals BASE. The MIPS Architecture Verification Programs (AVPs) check that they work as expected. This is required for AVPs to pass. Signed-off-by: Eric Johnson Signed-off-by: Aurelien Jarno (cherry picked from commit 36c6711bbe79642b0102416a9dd4243505e874a6) Signed-off-by: Michael Roth --- target-mips/translate.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/target-mips/translate.c b/target-mips/translate.c index 5adf0ceed..5ed58f65e 100644 --- a/target-mips/translate.c +++ b/target-mips/translate.c @@ -10031,7 +10031,7 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd, const char *opn = "ldst_pair"; TCGv t0, t1; - if (ctx->hflags & MIPS_HFLAG_BMASK || rd == 31 || rd == base) { + if (ctx->hflags & MIPS_HFLAG_BMASK || rd == 31) { generate_exception(ctx, EXCP_RI); return; } @@ -10043,6 +10043,10 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd, switch (opc) { case LWP: + if (rd == base) { + generate_exception(ctx, EXCP_RI); + return; + } save_cpu_state(ctx, 0); op_ld_lw(t1, t0, ctx); gen_store_gpr(t1, rd); @@ -10064,6 +10068,10 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd, break; #ifdef TARGET_MIPS64 case LDP: + if (rd == base) { + generate_exception(ctx, EXCP_RI); + return; + } save_cpu_state(ctx, 0); op_ld_ld(t1, t0, ctx); gen_store_gpr(t1, rd); -- cgit v1.2.3 From 256c89943262c4a10f4a1604d73918d37adad24e Mon Sep 17 00:00:00 2001 From: "munkyu.im" Date: Tue, 28 Aug 2012 16:42:06 +0900 Subject: audio/winwave: previous audio buffer should be flushed Winwave audio backend has problem with pausing and restart audio out. Unlike other backends, Winwave pausing API does not flush audio buffer. As a result, the previous audio data are played in front of user expected sound when user restart audio. So changes it to waveOutReset() Signed-off-by: Munkyu Im Signed-off-by: malc (cherry picked from commit 13ef70f64e9e4d7583fbd9918d8ea76194023d37) Signed-off-by: Michael Roth --- audio/winwaveaudio.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/audio/winwaveaudio.c b/audio/winwaveaudio.c index 87e749327..d4281e7d9 100644 --- a/audio/winwaveaudio.c +++ b/audio/winwaveaudio.c @@ -349,21 +349,15 @@ static int winwave_ctl_out (HWVoiceOut *hw, int cmd, ...) else { hw->poll_mode = 0; } - if (wave->paused) { - mr = waveOutRestart (wave->hwo); - if (mr != MMSYSERR_NOERROR) { - winwave_logerr (mr, "waveOutRestart"); - } - wave->paused = 0; - } + wave->paused = 0; } return 0; case VOICE_DISABLE: if (!wave->paused) { - mr = waveOutPause (wave->hwo); + mr = waveOutReset (wave->hwo); if (mr != MMSYSERR_NOERROR) { - winwave_logerr (mr, "waveOutPause"); + winwave_logerr (mr, "waveOutReset"); } else { wave->paused = 1; -- cgit v1.2.3 From 69c67eca97298c37b084ddd6c961625079682579 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Mon, 27 Aug 2012 22:13:27 +0200 Subject: tcg/mips: fix broken CONFIG_TCG_PASS_AREG0 code The CONFIG_TCG_PASS_AREG0 code for calling ld/st helpers was broken in that it did not respect the ABI requirement that 64 bit values were passed in even-odd register pairs. The simplest way to fix this is to implement some new utility functions for marshalling function arguments into the correct registers and stack, so that the code which sets up the address and data arguments does not need to care whether there has been a preceding env argument. Based on commit 9716ef3b for ARM by Peter Maydell. Signed-off-by: Aurelien Jarno Reviewed-by: Peter Maydell (cherry picked from commit 18fec301cd2a38f72a5eeba2656a0c5b4fa69fb7) Signed-off-by: Michael Roth --- tcg/mips/tcg-target.c | 158 +++++++++++++++++++++++++++++++------------------- 1 file changed, 99 insertions(+), 59 deletions(-) diff --git a/tcg/mips/tcg-target.c b/tcg/mips/tcg-target.c index 393ba07f2..1006e2800 100644 --- a/tcg/mips/tcg-target.c +++ b/tcg/mips/tcg-target.c @@ -217,6 +217,9 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) tcg_regset_set(ct->u.regs, 0xffffffff); #if defined(CONFIG_SOFTMMU) tcg_regset_reset_reg(ct->u.regs, TCG_REG_A0); +# if defined(CONFIG_TCG_PASS_AREG0) && (TARGET_LONG_BITS == 64) + tcg_regset_reset_reg(ct->u.regs, TCG_REG_A2); +# endif #endif break; case 'S': /* qemu_st constraint */ @@ -224,10 +227,14 @@ static int target_parse_constraint(TCGArgConstraint *ct, const char **pct_str) tcg_regset_set(ct->u.regs, 0xffffffff); tcg_regset_reset_reg(ct->u.regs, TCG_REG_A0); #if defined(CONFIG_SOFTMMU) -# if TARGET_LONG_BITS == 64 +# if (defined(CONFIG_TCG_PASS_AREG0) && TARGET_LONG_BITS == 32) || \ + (!defined(CONFIG_TCG_PASS_AREG0) && TARGET_LONG_BITS == 64) tcg_regset_reset_reg(ct->u.regs, TCG_REG_A1); # endif tcg_regset_reset_reg(ct->u.regs, TCG_REG_A2); +# if defined(CONFIG_TCG_PASS_AREG0) && TARGET_LONG_BITS == 64 + tcg_regset_reset_reg(ct->u.regs, TCG_REG_A3); +# endif #endif break; case 'I': @@ -382,7 +389,10 @@ static inline void tcg_out_nop(TCGContext *s) static inline void tcg_out_mov(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg) { - tcg_out_opc_reg(s, OPC_ADDU, ret, arg, TCG_REG_ZERO); + /* Simple reg-reg move, optimising out the 'do nothing' case */ + if (ret != arg) { + tcg_out_opc_reg(s, OPC_ADDU, ret, arg, TCG_REG_ZERO); + } } static inline void tcg_out_movi(TCGContext *s, TCGType type, @@ -503,6 +513,67 @@ static inline void tcg_out_addi(TCGContext *s, int reg, tcg_target_long val) } } +/* Helper routines for marshalling helper function arguments into + * the correct registers and stack. + * arg_num is where we want to put this argument, and is updated to be ready + * for the next call. arg is the argument itself. Note that arg_num 0..3 is + * real registers, 4+ on stack. + * + * We provide routines for arguments which are: immediate, 32 bit + * value in register, 16 and 8 bit values in register (which must be zero + * extended before use) and 64 bit value in a lo:hi register pair. + */ +#define DEFINE_TCG_OUT_CALL_IARG(NAME, ARGPARAM) \ + static inline void NAME(TCGContext *s, int *arg_num, ARGPARAM) \ + { \ + if (*arg_num < 4) { \ + DEFINE_TCG_OUT_CALL_IARG_GET_ARG(tcg_target_call_iarg_regs[*arg_num]); \ + } else { \ + DEFINE_TCG_OUT_CALL_IARG_GET_ARG(TCG_REG_AT); \ + tcg_out_st(s, TCG_TYPE_I32, TCG_REG_AT, TCG_REG_SP, 4 * (*arg_num)); \ + } \ + (*arg_num)++; \ +} +#define DEFINE_TCG_OUT_CALL_IARG_GET_ARG(A) \ + tcg_out_opc_imm(s, OPC_ANDI, A, arg, 0xff); +DEFINE_TCG_OUT_CALL_IARG(tcg_out_call_iarg_reg8, TCGReg arg) +#undef DEFINE_TCG_OUT_CALL_IARG_GET_ARG +#define DEFINE_TCG_OUT_CALL_IARG_GET_ARG(A) \ + tcg_out_opc_imm(s, OPC_ANDI, A, arg, 0xffff); +DEFINE_TCG_OUT_CALL_IARG(tcg_out_call_iarg_reg16, TCGReg arg) +#undef DEFINE_TCG_OUT_CALL_IARG_GET_ARG +#define DEFINE_TCG_OUT_CALL_IARG_GET_ARG(A) \ + tcg_out_movi(s, TCG_TYPE_I32, A, arg); +DEFINE_TCG_OUT_CALL_IARG(tcg_out_call_iarg_imm32, uint32_t arg) +#undef DEFINE_TCG_OUT_CALL_IARG_GET_ARG + +/* We don't use the macro for this one to avoid an unnecessary reg-reg + move when storing to the stack. */ +static inline void tcg_out_call_iarg_reg32(TCGContext *s, int *arg_num, + TCGReg arg) +{ + if (*arg_num < 4) { + tcg_out_mov(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[*arg_num], arg); + } else { + tcg_out_st(s, TCG_TYPE_I32, arg, TCG_REG_SP, 4 * (*arg_num)); + } + (*arg_num)++; +} + +static inline void tcg_out_call_iarg_reg64(TCGContext *s, int *arg_num, + TCGReg arg_low, TCGReg arg_high) +{ + (*arg_num) = (*arg_num + 1) & ~1; + +#if defined(TCG_TARGET_WORDS_BIGENDIAN) + tcg_out_call_iarg_reg32(s, arg_num, arg_high); + tcg_out_call_iarg_reg32(s, arg_num, arg_low); +#else + tcg_out_call_iarg_reg32(s, arg_num, arg_low); + tcg_out_call_iarg_reg32(s, arg_num, arg_high); +#endif +} + static void tcg_out_brcond(TCGContext *s, TCGCond cond, int arg1, int arg2, int label_index) { @@ -792,18 +863,18 @@ static void *qemu_st_helpers[4] = { static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc) { - int addr_regl, addr_reg1, addr_meml; + int addr_regl, addr_meml; int data_regl, data_regh, data_reg1, data_reg2; int mem_index, s_bits; #if defined(CONFIG_SOFTMMU) void *label1_ptr, *label2_ptr; - int sp_args; + int arg_num; #endif #if TARGET_LONG_BITS == 64 # if defined(CONFIG_SOFTMMU) uint8_t *label3_ptr; # endif - int addr_regh, addr_reg2, addr_memh; + int addr_regh, addr_memh; #endif data_regl = *args++; if (opc == 3) @@ -831,18 +902,13 @@ static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, } #if TARGET_LONG_BITS == 64 # if defined(TCG_TARGET_WORDS_BIGENDIAN) - addr_reg1 = addr_regh; - addr_reg2 = addr_regl; addr_memh = 0; addr_meml = 4; # else - addr_reg1 = addr_regl; - addr_reg2 = addr_regh; addr_memh = 4; addr_meml = 0; # endif #else - addr_reg1 = addr_regl; addr_meml = 0; #endif @@ -875,22 +941,17 @@ static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, # endif /* slow path */ - sp_args = TCG_REG_A0; - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, addr_reg1); + arg_num = 0; +# ifdef CONFIG_TCG_PASS_AREG0 + tcg_out_call_iarg_reg32(s, &arg_num, TCG_AREG0); +# endif # if TARGET_LONG_BITS == 64 - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, addr_reg2); + tcg_out_call_iarg_reg64(s, &arg_num, addr_regl, addr_regh); +# else + tcg_out_call_iarg_reg32(s, &arg_num, addr_regl); # endif - tcg_out_movi(s, TCG_TYPE_I32, sp_args++, mem_index); + tcg_out_call_iarg_imm32(s, &arg_num, mem_index); tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_T9, (tcg_target_long)qemu_ld_helpers[s_bits]); -#ifdef CONFIG_TCG_PASS_AREG0 - /* XXX/FIXME: suboptimal and incorrect for 64 on 32 bit */ - tcg_out_mov(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[2], - tcg_target_call_iarg_regs[1]); - tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1], - tcg_target_call_iarg_regs[0]); - tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], - TCG_AREG0); -#endif tcg_out_opc_reg(s, OPC_JALR, TCG_REG_RA, TCG_REG_T9, 0); tcg_out_nop(s); @@ -991,18 +1052,18 @@ static void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc) { - int addr_regl, addr_reg1, addr_meml; + int addr_regl, addr_meml; int data_regl, data_regh, data_reg1, data_reg2; int mem_index, s_bits; #if defined(CONFIG_SOFTMMU) uint8_t *label1_ptr, *label2_ptr; - int sp_args; + int arg_num; #endif #if TARGET_LONG_BITS == 64 # if defined(CONFIG_SOFTMMU) uint8_t *label3_ptr; # endif - int addr_regh, addr_reg2, addr_memh; + int addr_regh, addr_memh; #endif data_regl = *args++; @@ -1024,18 +1085,13 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, #if TARGET_LONG_BITS == 64 addr_regh = *args++; # if defined(TCG_TARGET_WORDS_BIGENDIAN) - addr_reg1 = addr_regh; - addr_reg2 = addr_regl; addr_memh = 0; addr_meml = 4; # else - addr_reg1 = addr_regl; - addr_reg2 = addr_regh; addr_memh = 4; addr_meml = 0; # endif #else - addr_reg1 = addr_regl; addr_meml = 0; #endif mem_index = *args; @@ -1070,49 +1126,33 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, # endif /* slow path */ - sp_args = TCG_REG_A0; - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, addr_reg1); + arg_num = 0; +# ifdef CONFIG_TCG_PASS_AREG0 + tcg_out_call_iarg_reg32(s, &arg_num, TCG_AREG0); +# endif # if TARGET_LONG_BITS == 64 - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, addr_reg2); + tcg_out_call_iarg_reg64(s, &arg_num, addr_regl, addr_regh); +# else + tcg_out_call_iarg_reg32(s, &arg_num, addr_regl); # endif switch(opc) { case 0: - tcg_out_opc_imm(s, OPC_ANDI, sp_args++, data_reg1, 0xff); + tcg_out_call_iarg_reg8(s, &arg_num, data_regl); break; case 1: - tcg_out_opc_imm(s, OPC_ANDI, sp_args++, data_reg1, 0xffff); + tcg_out_call_iarg_reg16(s, &arg_num, data_regl); break; case 2: - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, data_reg1); + tcg_out_call_iarg_reg32(s, &arg_num, data_regl); break; case 3: - sp_args = (sp_args + 1) & ~1; - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, data_reg1); - tcg_out_mov(s, TCG_TYPE_I32, sp_args++, data_reg2); + tcg_out_call_iarg_reg64(s, &arg_num, data_regl, data_regh); break; default: tcg_abort(); } - if (sp_args > TCG_REG_A3) { - /* Push mem_index on the stack */ - tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_AT, mem_index); - tcg_out_st(s, TCG_TYPE_I32, TCG_REG_AT, TCG_REG_SP, 16); - } else { - tcg_out_movi(s, TCG_TYPE_I32, sp_args, mem_index); - } - + tcg_out_call_iarg_imm32(s, &arg_num, mem_index); tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_T9, (tcg_target_long)qemu_st_helpers[s_bits]); -#ifdef CONFIG_TCG_PASS_AREG0 - /* XXX/FIXME: suboptimal and incorrect for 64 on 32 bit */ - tcg_out_mov(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], - tcg_target_call_iarg_regs[2]); - tcg_out_mov(s, TCG_TYPE_I64, tcg_target_call_iarg_regs[2], - tcg_target_call_iarg_regs[1]); - tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1], - tcg_target_call_iarg_regs[0]); - tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], - TCG_AREG0); -#endif tcg_out_opc_reg(s, OPC_JALR, TCG_REG_RA, TCG_REG_T9, 0); tcg_out_nop(s); -- cgit v1.2.3 From 450ead742ae119b9862c3385b9a27060c4364483 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Wed, 29 Aug 2012 08:52:37 +0100 Subject: hw/arm_gic.c: Define .class_size in arm_gic_info TypeInfo Add the missing .class_size definition to the arm_gic_info TypeInfo. This fixes the memory corruption and possible segfault that otherwise results when the class struct is allocated at too small a size and the class init function writes off the end of it. Reported-by: Adam Lackorzynski Signed-off-by: Peter Maydell Signed-off-by: Anthony Liguori (cherry picked from commit 998a74bcda7f3297813732ddc2f28ffe5a12e37a) - ARMGICClass isn't in 1.1, set class size to SysBusDeviceClass instead Signed-off-by: Michael Roth --- hw/arm_gic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/arm_gic.c b/hw/arm_gic.c index 72298b4b4..ab3b87b14 100644 --- a/hw/arm_gic.c +++ b/hw/arm_gic.c @@ -955,6 +955,7 @@ static TypeInfo arm_gic_info = { .parent = TYPE_SYS_BUS_DEVICE, .instance_size = sizeof(gic_state), .class_init = arm_gic_class_init, + .class_size = sizeof(SysBusDeviceClass), }; static void arm_gic_register_types(void) -- cgit v1.2.3 From 57fa9fb4efa5aa3382045db2a1970279d49e63f5 Mon Sep 17 00:00:00 2001 From: Cam Macdonell Date: Mon, 27 Aug 2012 12:12:19 -0600 Subject: ivshmem: remove redundant ioeventfd configuration setup_ioeventfds() is unnecessary and actually causes a segfault when used ioeventfd=on is used on the command-line. Since ioeventfds are handled within the memory API, it can be removed. Signed-off-by: Cam Macdonell Signed-off-by: Anthony Liguori (cherry picked from commit 7e7de876ae9bdb1b994dee148c6dc009ce94c48e) Conflicts: hw/ivshmem.c Signed-off-by: Michael Roth --- hw/ivshmem.c | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/hw/ivshmem.c b/hw/ivshmem.c index 36005618b..e20c688bd 100644 --- a/hw/ivshmem.c +++ b/hw/ivshmem.c @@ -367,22 +367,6 @@ static void close_guest_eventfds(IVShmemState *s, int posn) s->peers[posn].nb_eventfds = 0; } -static void setup_ioeventfds(IVShmemState *s) { - - int i, j; - - for (i = 0; i <= s->max_peer; i++) { - for (j = 0; j < s->peers[i].nb_eventfds; j++) { - memory_region_add_eventfd(&s->ivshmem_mmio, - DOORBELL, - 4, - true, - (i << 16) | j, - s->peers[i].eventfds[j]); - } - } -} - /* this function increase the dynamic storage need to store data about other * guests */ static void increase_dynamic_storage(IVShmemState *s, int new_min_size) { @@ -689,10 +673,6 @@ static int pci_ivshmem_init(PCIDevice *dev) memory_region_init_io(&s->ivshmem_mmio, &ivshmem_mmio_ops, s, "ivshmem-mmio", IVSHMEM_REG_BAR_SIZE); - if (ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) { - setup_ioeventfds(s); - } - /* region for registers*/ pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ivshmem_mmio); -- cgit v1.2.3 From 25c0807e3ca1026b245243e156e764cf989be6bf Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Sun, 26 Aug 2012 10:12:47 +0200 Subject: memory: Fix copy&paste mistake in memory_region_iorange_write The last argument of find_portio is "write", so this must be true here. Signed-off-by: Jan Kiszka Signed-off-by: Anthony Liguori (cherry picked from commit 7e2a62d82a3f1397acd67685c3008046eba8344b) Signed-off-by: Michael Roth --- memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memory.c b/memory.c index aab4a3132..f039464c5 100644 --- a/memory.c +++ b/memory.c @@ -426,7 +426,7 @@ static void memory_region_iorange_write(IORange *iorange, if (mrp) { mrp->write(mr->opaque, offset, data); } else if (width == 2) { - mrp = find_portio(mr, offset - mrio->offset, 1, false); + mrp = find_portio(mr, offset - mrio->offset, 1, true); assert(mrp); mrp->write(mr->opaque, offset, data & 0xff); mrp->write(mr->opaque, offset + 1, data >> 8); -- cgit v1.2.3 From cccb5446a6d1083b51d851ef5a4f1acff9173127 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Fri, 24 Aug 2012 07:03:03 +0200 Subject: qemu-ga: Fix null pointer passed to unlink in failure branch Clang reports this warning: Null pointer passed as an argument to a 'nonnull' parameter Reviewed-by: Luiz Capitulino Signed-off-by: Stefan Weil Signed-off-by: Anthony Liguori (cherry picked from commit 4bdb1a3059d7d3a931de0748a2eec39a0ab41b4e) Signed-off-by: Michael Roth --- qemu-ga.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/qemu-ga.c b/qemu-ga.c index e7f9edbc7..1b00c2f44 100644 --- a/qemu-ga.c +++ b/qemu-ga.c @@ -439,7 +439,9 @@ static void become_daemon(const char *pidfile) return; fail: - unlink(pidfile); + if (pidfile) { + unlink(pidfile); + } g_critical("failed to daemonize"); exit(EXIT_FAILURE); #endif -- cgit v1.2.3 From 28846ad3b556458674f03323cac3144dcc3cd5e2 Mon Sep 17 00:00:00 2001 From: Stefano Stabellini Date: Tue, 29 May 2012 03:35:24 +0000 Subject: qemu_rearm_alarm_timer: do not call rearm if the next deadline is INT64_MAX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit qemu_rearm_alarm_timer partially duplicates the code in qemu_next_alarm_deadline to figure out if it needs to rearm the timer. If it calls qemu_next_alarm_deadline, it always rearms the timer even if the next deadline is INT64_MAX. This patch simplifies the behavior of qemu_rearm_alarm_timer and removes the duplicated code, always calling qemu_next_alarm_deadline and only rearming the timer if the deadline is less than INT64_MAX. Signed-off-by: Stefano Stabellini Reviewed-by: Stefan Weil Tested-by: Andreas Färber Signed-off-by: Blue Swirl (cherry picked from commit 8227421e0476d9caf2a9a089465bb40c23834e33) Signed-off-by: Michael Roth --- qemu-timer.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/qemu-timer.c b/qemu-timer.c index de9897788..d37a97839 100644 --- a/qemu-timer.c +++ b/qemu-timer.c @@ -112,14 +112,10 @@ static int64_t qemu_next_alarm_deadline(void) static void qemu_rearm_alarm_timer(struct qemu_alarm_timer *t) { - int64_t nearest_delta_ns; - if (!rt_clock->active_timers && - !vm_clock->active_timers && - !host_clock->active_timers) { - return; + int64_t nearest_delta_ns = qemu_next_alarm_deadline(); + if (nearest_delta_ns < INT64_MAX) { + t->rearm(t, nearest_delta_ns); } - nearest_delta_ns = qemu_next_alarm_deadline(); - t->rearm(t, nearest_delta_ns); } /* TODO: MIN_TIMER_REARM_NS should be optimized */ -- cgit v1.2.3 From 219a7482ab5866c64fc5a815381737ef8cf77f63 Mon Sep 17 00:00:00 2001 From: Gleb Natapov Date: Tue, 7 Aug 2012 15:52:03 +0300 Subject: reset PMBA and PMREGMISC PIIX4 registers. The bug causes Windows + OVMF hang after reboot since OVMF checks PMREGMISC to see if IO space is enabled and skip configuration if it is. Reviewed-by: Laszlo Ersek Signed-off-by: Gleb Natapov Signed-off-by: Anthony Liguori (cherry picked from commit 4d09d37c6aa9a02b44b1fdb6268820fab92499bd) Signed-off-by: Michael Roth --- hw/acpi_piix4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c index 585da4e3e..7bc4e0dba 100644 --- a/hw/acpi_piix4.c +++ b/hw/acpi_piix4.c @@ -345,6 +345,9 @@ static void piix4_reset(void *opaque) pci_conf[0x5a] = 0; pci_conf[0x5b] = 0; + pci_conf[0x40] = 0x01; /* PM io base read only bit */ + pci_conf[0x80] = 0; + if (s->kvm_enabled) { /* Mark SMM as already inited (until KVM supports SMM). */ pci_conf[0x5B] = 0x02; @@ -384,8 +387,6 @@ static int piix4_pm_initfn(PCIDevice *dev) pci_conf[0x09] = 0x00; pci_conf[0x3d] = 0x01; // interrupt pin 1 - pci_conf[0x40] = 0x01; /* PM io base read only bit */ - /* APM */ apm_init(&s->apm, apm_ctrl_changed, s); -- cgit v1.2.3 From ce4fc986e576536b0998a7f8e963c0932adda6d0 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Wed, 29 Aug 2012 19:40:56 +0300 Subject: msix: make [un]use vectors on reset/load optional The facility to use/unuse vectors dynamically is helpful for virtio but little else: everyone just seems to use vectors in their init function. Avoid clearing msix vector use info on reset and load. For virtio, clear it explicitly. This should fix regressions reported with ivshmem - though I didn't test this, I verified that virtio keeps working like it did. Tested-by: Cam Macdonell Signed-off-by: Michael S. Tsirkin Signed-off-by: Anthony Liguori (cherry picked from commit 3cac001e5ae3c0ceb33e0a1978a48cb5e2482ab2) Conflicts: hw/msix.c hw/virtio-pci.c Signed-off-by: Michael Roth --- hw/msix.c | 13 +++++++++++-- hw/virtio-pci.c | 2 ++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/hw/msix.c b/hw/msix.c index 3835eaaf2..35f244e78 100644 --- a/hw/msix.c +++ b/hw/msix.c @@ -282,6 +282,15 @@ static void msix_free_irq_entries(PCIDevice *dev) } } +static void msix_clear_all_vectors(PCIDevice *dev) +{ + int vector; + + for (vector = 0; vector < dev->msix_entries_nr; ++vector) { + msix_clr_pending(dev, vector); + } +} + /* Clean up resources for the device. */ int msix_uninit(PCIDevice *dev, MemoryRegion *bar) { @@ -322,7 +331,7 @@ void msix_load(PCIDevice *dev, QEMUFile *f) return; } - msix_free_irq_entries(dev); + msix_clear_all_vectors(dev); qemu_get_buffer(f, dev->msix_table_page, n * PCI_MSIX_ENTRY_SIZE); qemu_get_buffer(f, dev->msix_table_page + MSIX_PAGE_PENDING, (n + 7) / 8); msix_update_function_masked(dev); @@ -372,7 +381,7 @@ void msix_reset(PCIDevice *dev) { if (!(dev->cap_present & QEMU_PCI_CAP_MSIX)) return; - msix_free_irq_entries(dev); + msix_clear_all_vectors(dev); dev->config[dev->msix_cap + MSIX_CONTROL_OFFSET] &= ~dev->wmask[dev->msix_cap + MSIX_CONTROL_OFFSET]; memset(dev->msix_table_page, 0, MSIX_PAGE_SIZE); diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c index 79b86f1aa..2bfdc4097 100644 --- a/hw/virtio-pci.c +++ b/hw/virtio-pci.c @@ -130,6 +130,7 @@ static int virtio_pci_load_config(void * opaque, QEMUFile *f) if (ret) { return ret; } + msix_unuse_all_vectors(&proxy->pci_dev); msix_load(&proxy->pci_dev, f); if (msix_present(&proxy->pci_dev)) { qemu_get_be16s(f, &proxy->vdev->config_vector); @@ -278,6 +279,7 @@ void virtio_pci_reset(DeviceState *d) virtio_pci_stop_ioeventfd(proxy); virtio_reset(proxy->vdev); msix_reset(&proxy->pci_dev); + msix_unuse_all_vectors(&proxy->pci_dev); proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG; } -- cgit v1.2.3 From a8cd6f7ddfb9a8514170d79665669be8538d2f96 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Tue, 28 Aug 2012 11:50:26 +0200 Subject: ehci: Fix NULL ptr deref when unplugging an USB dev with an iso stream active Signed-off-by: Hans de Goede (cherry picked from commit 7ce86aa1aafaa65e7d3e572873bdf37bdb896f49) Conflicts: hw/usb/hcd-ehci.c Signed-off-by: Michael Roth --- hw/usb/hcd-ehci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 41c9d8435..a511b4e83 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1465,7 +1465,7 @@ static int ehci_process_itd(EHCIState *ehci, dev = ehci_find_device(ehci, devaddr); ep = usb_ep_get(dev, pid, endp); - if (ep->type == USB_ENDPOINT_XFER_ISOC) { + if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { usb_packet_setup(&ehci->ipacket, pid, ep); usb_packet_map(&ehci->ipacket, &ehci->isgl); ret = usb_handle_packet(dev, &ehci->ipacket); -- cgit v1.2.3 From c7580c103434c8b96c5a2cd54aaa9a092bb638a7 Mon Sep 17 00:00:00 2001 From: Max Filippov Date: Tue, 17 Jul 2012 23:45:23 +0400 Subject: target-xtensa: fix big-endian BBS/BBC implementation Quote from ISA, 2.1: For most Xtensa instructions, bit numbering is irrelevant; only the BBC and BBS instructions assign bit numbers to values on which the processor operates. The BBC/BBS instructions use big-endian bit ordering (0 is the most-significant bit) on a big-endian processor configuration. Signed-off-by: Max Filippov Signed-off-by: Blue Swirl (cherry picked from commit 7ff7563fc1c3c57914aafec1753219604346fe18) Signed-off-by: Michael Roth --- target-xtensa/translate.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/target-xtensa/translate.c b/target-xtensa/translate.c index a542a319d..94c51ae91 100644 --- a/target-xtensa/translate.c +++ b/target-xtensa/translate.c @@ -2362,10 +2362,18 @@ static void disas_xtensa_insn(DisasContext *dc) case 5: /*BBC*/ /*BBS*/ gen_window_check2(dc, RRI8_S, RRI8_T); { - TCGv_i32 bit = tcg_const_i32(1); +#ifdef TARGET_WORDS_BIGENDIAN + TCGv_i32 bit = tcg_const_i32(0x80000000); +#else + TCGv_i32 bit = tcg_const_i32(0x00000001); +#endif TCGv_i32 tmp = tcg_temp_new_i32(); tcg_gen_andi_i32(tmp, cpu_R[RRI8_T], 0x1f); +#ifdef TARGET_WORDS_BIGENDIAN + tcg_gen_shr_i32(bit, bit, tmp); +#else tcg_gen_shl_i32(bit, bit, tmp); +#endif tcg_gen_and_i32(tmp, cpu_R[RRI8_S], bit); gen_brcondi(dc, eq_ne, tmp, 0, 4 + RRI8_IMM8_SE); tcg_temp_free(tmp); @@ -2379,7 +2387,11 @@ static void disas_xtensa_insn(DisasContext *dc) { TCGv_i32 tmp = tcg_temp_new_i32(); tcg_gen_andi_i32(tmp, cpu_R[RRI8_S], - 1 << (((RRI8_R & 1) << 4) | RRI8_T)); +#ifdef TARGET_WORDS_BIGENDIAN + 0x80000000 >> (((RRI8_R & 1) << 4) | RRI8_T)); +#else + 0x00000001 << (((RRI8_R & 1) << 4) | RRI8_T)); +#endif gen_brcondi(dc, eq_ne, tmp, 0, 4 + RRI8_IMM8_SE); tcg_temp_free(tmp); } -- cgit v1.2.3 From 5a16dd9bc80bc1c519c500392122c179a2942b37 Mon Sep 17 00:00:00 2001 From: Max Filippov Date: Wed, 22 Aug 2012 22:03:35 +0400 Subject: target-xtensa: return ENOSYS for unimplemented simcalls This prevents guest from proceeding with uninitialised garbage returned from unimplemented simcalls. Signed-off-by: Max Filippov Signed-off-by: Blue Swirl (cherry picked from commit e7eee62a90c671d22d50964b7de05e3f4fd96f5f) Signed-off-by: Michael Roth --- xtensa-semi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xtensa-semi.c b/xtensa-semi.c index b7c8c3456..44b7dc3a1 100644 --- a/xtensa-semi.c +++ b/xtensa-semi.c @@ -219,6 +219,8 @@ void HELPER(simcall)(CPUXtensaState *env) default: qemu_log("%s(%d): not implemented\n", __func__, regs[2]); + regs[2] = -1; + regs[3] = ENOSYS; break; } } -- cgit v1.2.3 From f965d237b567389661bccb1701a6c94e964d7818 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 3 Sep 2012 17:34:32 +0200 Subject: qemu-timer: properly arm alarm timer for timers set by device initialization QEMU will hang when fed the following command-line qemu-system-mips -kernel vmlinux-2.6.32-5-4kc-malta -append "console=ttyS0" -nographic -net none The -net none is important otherwise it seems some events are generated causing the things to work. When it doesn't work, the guest hangs when measuring the CPU frequency, after the following line: [ 0.000000] NR_IRQS:256 Pressing a key on the serial port unblocks it, hinting that the problem is due to the recent elimination of the 1 second timeout in the main loop. The problem is that because init_timer_alarm sets the timer's pending flag to true, the alarm timer is never armed until after the first time through the main loop. Thus the bug started when QEMU started testing the pending flag in qemu_mod_timer (commit 1828be3, more alarm timer cleanup, 2010-03-10). But actually, it isn't true at all that a timer is pending when the alarm timer is created, and the real bug has been latent forever: the fix is to remove the bogus setting of pending flag. Reported-by: Aurelien Jarno Signed-off-by: Paolo Bonzini Reviewed-by: Jan Kiszka Tested-by: Aurelien Jarno Tested-by: Michael Tokarev Signed-off-by: Aurelien Jarno (cherry picked from commit de188751da8db3c77a681bf903035a0e5218c463) Signed-off-by: Michael Roth --- qemu-timer.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/qemu-timer.c b/qemu-timer.c index d37a97839..91e4c1455 100644 --- a/qemu-timer.c +++ b/qemu-timer.c @@ -759,11 +759,8 @@ int init_timer_alarm(void) goto fail; } - /* first event is at time 0 */ atexit(quit_timers); - t->pending = true; alarm_timer = t; - return 0; fail: -- cgit v1.2.3 From 113f4cd9e96f55df159573282110848b898e6b50 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Tue, 4 Sep 2012 13:26:11 -0500 Subject: console: bounds check whenever changing the cursor due to an escape code This is XSA-17 / CVE-2012-3515 Signed-off-by: Ian Campbell Signed-off-by: Anthony Liguori --- console.c | 57 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/console.c b/console.c index 6a463f591..393e62351 100644 --- a/console.c +++ b/console.c @@ -847,6 +847,26 @@ static void console_clear_xy(TextConsole *s, int x, int y) update_xy(s, x, y); } +/* set cursor, checking bounds */ +static void set_cursor(TextConsole *s, int x, int y) +{ + if (x < 0) { + x = 0; + } + if (y < 0) { + y = 0; + } + if (y >= s->height) { + y = s->height - 1; + } + if (x >= s->width) { + x = s->width - 1; + } + + s->x = x; + s->y = y; +} + static void console_putchar(TextConsole *s, int ch) { TextCell *c; @@ -918,7 +938,8 @@ static void console_putchar(TextConsole *s, int ch) s->esc_params[s->nb_esc_params] * 10 + ch - '0'; } } else { - s->nb_esc_params++; + if (s->nb_esc_params < MAX_ESC_PARAMS) + s->nb_esc_params++; if (ch == ';') break; #ifdef DEBUG_CONSOLE @@ -932,59 +953,37 @@ static void console_putchar(TextConsole *s, int ch) if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y -= s->esc_params[0]; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->x, s->y - s->esc_params[0]); break; case 'B': /* move cursor down */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y += s->esc_params[0]; - if (s->y >= s->height) { - s->y = s->height - 1; - } + set_cursor(s, s->x, s->y + s->esc_params[0]); break; case 'C': /* move cursor right */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x += s->esc_params[0]; - if (s->x >= s->width) { - s->x = s->width - 1; - } + set_cursor(s, s->x + s->esc_params[0], s->y); break; case 'D': /* move cursor left */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x -= s->esc_params[0]; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->x - s->esc_params[0], s->y); break; case 'G': /* move cursor to column */ - s->x = s->esc_params[0] - 1; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->esc_params[0] - 1, s->y); break; case 'f': case 'H': /* move cursor to row, column */ - s->x = s->esc_params[1] - 1; - if (s->x < 0) { - s->x = 0; - } - s->y = s->esc_params[0] - 1; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1); break; case 'J': switch (s->esc_params[0]) { -- cgit v1.2.3 From 4ce5bc2dd1914a706725186c6563e8f92eedfc84 Mon Sep 17 00:00:00 2001 From: Michael Roth Date: Tue, 21 Aug 2012 11:49:43 -0500 Subject: update VERSION for 1.1.2 Signed-off-by: Michael Roth --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 524cb5524..45a1b3f44 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.1 +1.1.2 -- cgit v1.2.3