Traditional PCI config space access is achieved by writing a 32 bit
value to io port 0xcf8 to identify the bus, device, function and config
register. Port 0xcfc then contains the register in question. But if you
write the appropriate pair of magic values to 0xcf9, the machine will
reboot. Spectacular! And not standardised in any way (certainly not part
of the PCI spec), so different chipsets may have different requirements.
Booo.
In the PIIX3 spec, IO port 0xcf9 is specified as the Reset Control
Register. Bit 1 (System Reset, SRST) would normally differentiate between
soft reset and hard reset, but we ignore the difference beyond allowing
the guest to read it back.
RHBZ reference: 890459
This patch introduces the following overlap between the preexistent
"pci-conf-idx" region and the "piix3-reset-control" region just being
added. Partial output from "info mtree":
    I/O
    0000000000000000-000000000000ffff (prio 0, RW): io
      0000000000000cf8-0000000000000cfb (prio 0, RW): pci-conf-idx
      0000000000000cf9-0000000000000cf9 (prio 1, RW): piix3-reset-control
I sanity-checked the patch by booting a RHEL-6.3 guest and found no
problems. I summoned gdb and set a breakpoint on rcr_write() in order to
gather a bit more confidence. Relevant frames of the stack:
    kvm_handle_io (port=3321, data=0x7f3f5f3de000, direction=1, size=1,
                   count=1) [kvm-all.c:1422]
    cpu_outb (addr=3321, val=6 '\006') [ioport.c:289]
    ioport_write (index=0, address=3321, data=6) [ioport.c:83]
    ioport_writeb_thunk (opaque=0x7f3f622c4680, addr=3321, data=6)
        [ioport.c:212]
    memory_region_iorange_write (iorange=0x7f3f622c4680, offset=0,
                                 width=1, data=6) [memory.c:439]
    access_with_adjusted_size (addr=0, value=0x7f3f531fbac0,
                               size=1, access_size_min=1,
                               access_size_max=4,
                               access=0x7f3f5f6e0f90
                               <memory_region_write_accessor>,
                               opaque=0x7f3f6227b668)
        [memory.c:364]
    memory_region_write_accessor (opaque=0x7f3f6227b668, addr=0,
                                  value=0x7f3f531fbac0, size=1,
                                  shift=0, mask=255)
        [memory.c:334]
    rcr_write (opaque=0x7f3f6227afb0, addr=0, val=6, len=1)
        [hw/piix_pci.c:498]
The dispatch happens in ioport_write(); "index=0" means byte-wide access:
    static void ioport_write(int index, uint32_t address, uint32_t data)
    {
        static IOPortWriteFunc * const default_func[3] = {
            default_ioport_writeb,
            default_ioport_writew,
            default_ioport_writel
        };
        IOPortWriteFunc *func = ioport_write_table[index][address];
        if (!func)
            func = default_func[index];
        func(ioport_opaque[address], address, data);
    }
The "ioport_write_table" and "ioport_opaque" arrays describe the flattened
IO port space. The first array is less interesting (it selects a thunk
function). The "ioport_opaque" array is interesting because it decides how
writing to the port is implemented ultimately.
4-byte wide access to 0xcf8 (pci-conf-idx):
    (gdb) print ioport_write_table[2][0xcf8]
    $1 = (IOPortWriteFunc *) 0x7f3f5f6d99ba <ioport_writel_thunk>
    (gdb) print \
        ((struct MemoryRegionIORange*)ioport_opaque[0xcf8])->mr->ops.write
    $2 = (void (*)(void *, hwaddr, uint64_t, unsigned int))
        0x7f3f5f5575cb <pci_host_config_write>
1-byte wide access to 0xcf9 (piix3-reset-control):
    (gdb) print ioport_write_table[0][0xcf9]
    $3 = (IOPortWriteFunc *) 0x7f3f5f6d98d0 <ioport_writeb_thunk>
    (gdb) print \
        ((struct MemoryRegionIORange*)ioport_opaque[0xcf9])->mr->ops.write
    $4 = (void (*)(void *, hwaddr, uint64_t, unsigned int))
        0x7f3f5f6b42f1 <rcr_write>
The higher priority of "piix3-reset-control" ensures that the 0xcf9
entries in ioport_write_table / ioport_opaque will always belong to it,
independently of its relative registration order versus "pci-conf-idx".
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
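
The overlap resolution described in the commit message above, as an added example that is not part of the commit or of QEMU's code. It is a simplified model of flattening overlapping I/O port regions by priority; the Region struct, flatten() and owner_with_order() are hypothetical names, and the tie-breaking rule is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (not QEMU's memory API): a region claims a port range
 * at a priority, and flattening gives each port to the strongest claim. */
typedef struct {
    const char *name;
    uint16_t first, last;
    int prio;
} Region;

#define NPORTS 0x10000
static const Region *flat[NPORTS];

/* Rebuild the per-port owner table. In this model a tie goes to whichever
 * region was registered first, so only a strictly higher priority gives a
 * result that does not depend on registration order. */
static void flatten(const Region *regs, size_t n)
{
    memset(flat, 0, sizeof(flat));
    for (size_t i = 0; i < n; i++) {
        for (uint32_t p = regs[i].first; p <= regs[i].last; p++) {
            if (!flat[p] || regs[i].prio > flat[p]->prio) {
                flat[p] = &regs[i];
            }
        }
    }
}

/* Ranges and priorities as shown in the "info mtree" output above. */
static const Region conf_idx  = { "pci-conf-idx", 0xcf8, 0xcfb, 0 };
static const Region reset_ctl = { "piix3-reset-control", 0xcf9, 0xcf9, 1 };

/* Owner of `port` when the reset register is registered first or second. */
static const char *owner_with_order(int reset_first, uint16_t port)
{
    static Region regs[2];
    regs[0] = reset_first ? reset_ctl : conf_idx;
    regs[1] = reset_first ? conf_idx : reset_ctl;
    flatten(regs, 2);
    return flat[port] ? flat[port]->name : "unassigned";
}

int main(void)
{
    for (int order = 0; order < 2; order++) {
        for (uint16_t port = 0xcf8; port <= 0xcfb; port++) {
            printf("order=%d port=0x%x -> %s\n", order, port,
                   owner_with_order(order, port));
        }
    }
    return 0;
}
```
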
Fills out support for the pci assignment API. Added:
PCIINTxRoute ich9_route_intx_pin_to_irq(void *opaque, int pirq_pin)
Add calls to pci_bus_fire_intx_routing_notifier() when routing changes
are made.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This patch makes rx commands consistent with specification.
Signed-off-by: Amos Kong <akong@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
In virtio-net guest driver, currently we write MAC address to
pci config space byte by byte, this means that we have an
intermediate step where mac is wrong. This patch introduced
a new control command to set MAC address, it's atomic.
VIRTIO_NET_F_CTRL_MAC_ADDR is a new feature bit for compatibility.
"mac" field will be set to read-only when VIRTIO_NET_F_CTRL_MAC_ADDR
is acked.
Signed-off-by: Amos Kong <akong@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Virtio-net code makes assumption about virtqueue descriptor layout
(e.g. sg[0] is the header, sg[1] is the data buffer).
This patch makes code not rely on the layout of descriptors.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Amos Kong <akong@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Once guest overrides virtio net primary mac,
it retains the value set until qemu exit.
This is inconsistent with standard nic behaviour.
To fix, revert the mac to the original value on reset.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This addresses two issues with config generation
1. rule generating timestamp has side effect.
Thus cleanup on error does not work.
2. rule for handling timestamp is too generic.
It can create any missing .h file.
As a result when .h file is removed, build
might try to create it using this rule which
results in build errors.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Add code comment to clarify the reason we set ICS with ICR:
the reason was previously undocumented and git
log confused rather than clarified the comments.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* qemu-kvm/uq/master:
target-i386: kvm: prevent buffer overflow if -cpu foo, [x]level is too big
vmxcap: bit 9 of VMX_PROCBASED_CTLS2 is 'virtual interrupt delivery'
Conflicts:
target-i386/kvm.c
Trivial merge resolution due to lack of context.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
# By Markus Armbruster
# Via Michael Roth
* mdroth/qga-pull-1-28-13:
qemu-ga: Plug leaks on qmp_guest_network_get_interfaces() error paths
qemu-ga: Plug memory leak in guest_fsfreeze_cleanup()
set_bit on indicators doesn't go well on 32 bit targets:
note: expected 'long unsigned int *' but argument is of type 'uint64_t *'
Switch to bit shifts instead.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
[agraf: use 1ULL instead]
Signed-off-by: Alexander Graf <agraf@suse.de>
Changed error codes in the channel subsystem / virtio-ccw code
(-EOPNOTSUPP -> -ENOSYS, -ERESTART -> -EINPROGRESS).
This should hopefully fix building on mingw32.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Map the I/O interruption code before calling into css.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
libvirt specifies nodefaults and creates an sclp console with special
parameters. Let qemu follow nodefaults and don't create an sclp
console if nodefaults is specified.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Add a new machine type, s390-ccw-virtio, making use of the
virtio-ccw transport to present virtio devices as channel
devices.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
s390_virtio_bus_find_mem() may return a NULL VirtIOS390Device.
If called with, e.g., args[0] == 0, this leads to a segfault.
Fix this by adding error handling as done for other hypercalls.
Present since baf0b55a9e (Implement virtio reset).
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
This moves all files only used by s390 system emulation to hw/s390x.
Signed-off-by: Alexander Graf <agraf@suse.de>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
virtio-s390 devices are not being reset when their bus is. To fix
this, add a reset method that forwards to virtio_reset. This is
only needed because of the "strange" modeling of virtio devices;
the ->vdev link is being handled manually rather than through qdev.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Add a new virtio transport that uses channel commands to perform
virtio operations.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Some of the machine initialization for s390-virtio will be reused
by virtio-ccw.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Trigger the code for our virtual css in case of instruction
intercepts for I/O instructions.
Handle the tsch exit for the subchannel-related part of tsch.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Provide a mechanism for qemu to provide fully virtual subchannels to
the guest.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Provide handlers for (most) channel I/O instructions.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
I/O interrupts are queued per isc. Only crw pending machine checks
are supported.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Add s390_cpu_physical_memory_{map,unmap} with special handling
for the lowcore.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Create a lowcore mapping helper that includes a check for sufficient
length.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
The current s390 machine uses the virtio console as default console,
but this doesn't mean that we always want to keep it that way for new
machines.
This patch introduces a way for a machine type to specify that it wants
the default console to be an SCLP console, which is a lot closer to what
real hardware does.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Stack corruption may occur if too big 'level' or 'xlevel' values are passed
on command line with KVM enabled, due to limited size of cpuid_data
in kvm_arch_init_vcpu().
Reproduces with:
    qemu -enable-kvm -cpu qemu64,level=4294967295
or
    qemu -enable-kvm -cpu qemu64,xlevel=4294967295
Check if there is space in cpuid_data before passing it to cpu_x86_cpuid()
or abort() if there is not space.
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
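
The capacity check described in the commit message above, as an added example that is not the commit's code or QEMU's. CpuidData, query_leaf(), fill_leaves(), build_cpuid() and the MAX_ENTRIES value are hypothetical stand-ins, and the sketch returns -1 where the commit message describes abort(), so the rejected case can be observed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 100  /* constructed capacity for this sketch */

typedef struct { uint32_t function, eax, ebx, ecx, edx; } CpuidEntry;

typedef struct {
    uint32_t nent;
    CpuidEntry entries[MAX_ENTRIES];
} CpuidData;

/* Hypothetical stand-in for the per-leaf CPUID query. */
static void query_leaf(uint32_t fn, CpuidEntry *e)
{
    e->function = fn;
    e->eax = e->ebx = e->ecx = e->edx = 0;
}

/* Append leaves first..last. The capacity test runs before every write, and
 * the loop ends on i == last so that last == UINT32_MAX cannot wrap. */
static int fill_leaves(CpuidData *d, uint32_t first, uint32_t last)
{
    for (uint32_t i = first; ; i++) {
        if (d->nent >= MAX_ENTRIES) {
            return -1;  /* the commit message describes abort() here */
        }
        query_leaf(i, &d->entries[d->nent++]);
        if (i == last) {
            return 0;
        }
    }
}

/* level and xlevel come from the command line, so both are untrusted. */
static int build_cpuid(CpuidData *d, uint32_t level, uint32_t xlevel)
{
    d->nent = 0;
    if (fill_leaves(d, 0, level) < 0) {
        return -1;
    }
    if (xlevel >= 0x80000000u && fill_leaves(d, 0x80000000u, xlevel) < 0) {
        return -1;
    }
    return (int)d->nent;
}

int main(void)
{
    static CpuidData d;
    printf("level=4: %d\n", build_cpuid(&d, 4, 0x8000000au));
    printf("level=4294967295: %d\n", build_cpuid(&d, 4294967295u, 0x8000000au));
    return 0;
}
```
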
* afaerber/qom-cpu: (37 commits)
kvm: Pass CPUState to kvm_on_sigbus_vcpu()
cpu: Unconditionalize CPUState fields
target-m68k: Use type_register() instead of type_register_static()
target-unicore32: Use type_register() instead of type_register_static()
target-openrisc: Use type_register() instead of type_register_static()
target-unicore32: Catch attempt to instantiate abstract type in cpu_init()
target-openrisc: Catch attempt to instantiate abstract type in cpu_init()
target-m68k: Catch attempt to instantiate abstract type in cpu_init()
target-arm: Catch attempt to instantiate abstract type in cpu_init()
target-alpha: Catch attempt to instantiate abstract type in cpu_init()
qom: Introduce object_class_is_abstract()
target-unicore32: Detect attempt to instantiate non-CPU type in cpu_init()
target-openrisc: Detect attempt to instantiate non-CPU type in cpu_init()
target-m68k: Detect attempt to instantiate non-CPU type in cpu_init()
target-alpha: Detect attempt to instantiate non-CPU type in cpu_init()
target-arm: Detect attempt to instantiate non-CPU type in cpu_init()
cpu: Add model resolution support to CPUClass
target-i386: Remove setting tsc-frequency from x86_def_t
target-i386: Set custom features/properties without intermediate x86_def_t
target-i386: Remove vendor_override field from CPUX86State
...
Conflicts:
tests/Makefile
Resolved simple conflict caused by lack of context in Makefile
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
# By Paolo Bonzini (14) and others
# Via Kevin Wolf
* kwolf/for-anthony: (24 commits)
ide: Add fall through annotations
block: Create proper size file for disk mirror
ahci: Add migration support
ahci: Change data types in preparation for migration
ahci: Remove unused AHCIDevice fields
hbitmap: add assertion on hbitmap_iter_init
mirror: do nothing on zero-sized disk
block/vdi: Check for bad signature
block/vdi: Improved return values from vdi_open
block/vdi: Improve debug output for signature
block: Use error code EMEDIUMTYPE for wrong format in some block drivers
block: Add special error code for wrong format
mirror: support arbitrarily-sized iterations
mirror: support more than one in-flight AIO operation
mirror: add buf-size argument to drive-mirror
mirror: switch mirror_iteration to AIO
mirror: allow customizing the granularity
block: allow customizing the granularity of the dirty bitmap
block: return count of dirty sectors, not chunks
mirror: perform COW if the cluster size is bigger than the granularity
...
# By Lei Li (3) and others
# Via Luiz Capitulino
* luiz/queue/qmp:
QAPI: Introduce memchar-read QMP command
QAPI: Introduce memchar-write QMP command
qemu-char: Add new char backend CirMemCharDriver
docs: document virtio-balloon stats
balloon: re-enable balloon stats
balloon: drop old stats code & API
block: Monitor command commit neglects to report some errors
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Neglects to free errors allocated by qmp_guest_fsfreeze_thaw().
Spotted by Coverity.
While there, drop the test whether return value is negative (it's
never true), and improve logging.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Since commit 20d695a925 (kvm: Pass
CPUState to kvm_arch_*) CPUArchState is no longer needed.
Allows to change qemu_kvm_eat_signals() argument as well.
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Gleb Natapov <gleb@redhat.com>
Commits fc8c5b8c41 (Makefile.user: Define
CONFIG_USER_ONLY for libuser/) and
dd83b06ae6 (qom: Introduce CPU class)
specifically prepared the qom/cpu.c file to be compiled differently for
softmmu and *-user. This broke as part of build system refactorings
while CPU patches were in flight, adding conditional fields
kvm_fd (8737c51c04) and
kvm_vcpu_dirty (20d695a925) for softmmu.
linux-user and bsd-user would therefore get a CPUState type with
instance_size ~8 bytes longer than expected.
Fix this by unconditionally having the fields in CPUState.
In practice, target-specific CPU types' instance_size would compensate
this, and upstream qom/cpu.c does not yet touch any affected field.
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
According to its documentation, type_register_static()'s TypeInfo
argument should exist for the lifetime of the type.
Therefore use type_register() when registering the list of CPU subtypes.
No functional change with the current implementation.
Cf. 918fd0839e for arm.
Signed-off-by: Andreas Färber <afaerber@suse.de>
According to its documentation, type_register_static()'s TypeInfo
argument should exist for the lifetime of the type.
Therefore use type_register() when registering the list of CPU subtypes.
No functional change with the current implementation.
Cf. 918fd0839e for arm.
Signed-off-by: Andreas Färber <afaerber@suse.de>
According to its documentation, type_register_static()'s TypeInfo
argument should exist for the lifetime of the type.
Therefore use type_register() when registering the list of CPU subtypes.
No functional change with the current implementation.
Cf. 918fd0839e for arm.
Signed-off-by: Andreas Färber <afaerber@suse.de>
This fixes -cpu arm-cpu asserting.
Cc: qemu-stable@nongnu.org
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>
This lets a caller check if an ObjectClass as returned by, e.g.,
object_class_by_name() is instantiatable.
Signed-off-by: Andreas Färber <afaerber@suse.de>
Cc: Anthony Liguori <anthony@codemonkey.ws>
Consolidate model checking into a new uc32_cpu_class_by_name().
If the name matches an existing type, also check whether that type is
actually (a sub-type of) TYPE_UNICORE32_CPU.
This fixes, e.g., -cpu puv3_dma asserting.
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
SysBusDeviceClass' initfn merely calls SysBusDeviceClass::init, so we
can already hook up our own realizefn overwriting this behavior.
A symmetric unrealizefn is not necessary, knowing that the child's
unrealizefn is still no-op, too. Avoids ripping it out again when
recursive realization at DeviceState-level is implemented.
Signed-off-by: Andreas Färber <andreas.faerber@web.de>