Commit Graph

58058 Commits

Author SHA1 Message Date
Daniel P. Berrange f887cf165d ui: place a hard cap on VNC server output buffer size
The previous patches fix problems with throttling of forced framebuffer updates
and audio data capture that would cause the QEMU output buffer size to grow
without bound. Those fixes are graceful in that once the client catches up with
reading data from the server, everything continues operating normally.

There is some data which the server sends to the client that is impractical to
throttle. Specifically there are various pseudo framebuffer update encodings to
inform the client of things like desktop resizes, pointer changes, audio
playback start/stop, LED state and so on. These generally only involve sending
a very small amount of data to the client, but a malicious guest might be able
to do things that trigger these changes at a very high rate. Throttling them is
not practical as missed or delayed events would cause broken behaviour for the
client.

This patch thus takes a more forceful approach of setting an absolute upper
bound on the amount of data we permit to be present in the output buffer at
any time. The previous patch set a threshold for throttling the output buffer
by allowing an amount of data equivalent to one complete framebuffer update and
one seconds worth of audio data. On top of this it allowed for one further
forced framebuffer update to be queued.

To be conservative, we thus take that throttling threshold and multiply it by
5 to form an absolute upper bound. If this bound is hit during vnc_write() we
forceably disconnect the client, refusing to queue further data. This limit is
high enough that it should never be hit unless a malicious client is trying to
exploit the sever, or the network is completely saturated preventing any sending
of data on the socket.

This completes the fix for CVE-2017-15124 started in the previous patches.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-12-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange ada8d2e436 ui: fix VNC client throttling when forced update is requested
The VNC server must throttle data sent to the client to prevent the 'output'
buffer size growing without bound, if the client stops reading data off the
socket (either maliciously or due to stalled/slow network connection).

The current throttling is very crude because it simply checks whether the
output buffer offset is zero. This check is disabled if the client has requested
a forced update, because we want to send these as soon as possible.

As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
They can first start something in the guest that triggers lots of framebuffer
updates eg play a youtube video. Then repeatedly send full framebuffer update
requests, but never read data back from the server. This can easily make QEMU's
VNC server send buffer consume 100MB of RAM per second, until the OOM killer
starts reaping processes (hopefully the rogue QEMU process, but it might pick
others...).

To address this we make the throttling more intelligent, so we can throttle
full updates. When we get a forced update request, we keep track of exactly how
much data we put on the output buffer. We will not process a subsequent forced
update request until this data has been fully sent on the wire. We always allow
one forced update request to be in flight, regardless of what data is queued
for incremental updates or audio data. The slight complication is that we do
not initially know how much data an update will send, as this is done in the
background by the VNC job thread. So we must track the fact that the job thread
has an update pending, and not process any further updates until this job is
has been completed & put data on the output buffer.

This unbounded memory growth affects all VNC server configurations supported by
QEMU, with no workaround possible. The mitigating factor is that it can only be
triggered by a client that has authenticated with the VNC server, and who is
able to trigger a large quantity of framebuffer updates or audio samples from
the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
their own QEMU process, but its possible other processes can get taken out as
collateral damage.

This is a more general variant of the similar unbounded memory usage flaw in
the websockets server, that was previously assigned CVE-2017-15268, and fixed
in 2.11 by:

  commit a7b20a8efa
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Oct 9 14:43:42 2017 +0100

    io: monitor encoutput buffer size from websocket GSource

This new general memory usage flaw has been assigned CVE-2017-15124, and is
partially fixed by this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-11-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange e2b72cb6e0 ui: fix VNC client throttling when audio capture is active
The VNC server must throttle data sent to the client to prevent the 'output'
buffer size growing without bound, if the client stops reading data off the
socket (either maliciously or due to stalled/slow network connection).

The current throttling is very crude because it simply checks whether the
output buffer offset is zero. This check must be disabled if audio capture is
enabled, because when streaming audio the output buffer offset will rarely be
zero due to queued audio data, and so this would starve framebuffer updates.

As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
They can first start something in the guest that triggers lots of framebuffer
updates eg play a youtube video. Then enable audio capture, and simply never
read data back from the server. This can easily make QEMU's VNC server send
buffer consume 100MB of RAM per second, until the OOM killer starts reaping
processes (hopefully the rogue QEMU process, but it might pick others...).

To address this we make the throttling more intelligent, so we can throttle
when audio capture is active too. To determine how to throttle incremental
updates or audio data, we calculate a size threshold. Normally the threshold is
the approximate number of bytes associated with a single complete framebuffer
update. ie width * height * bytes per pixel. We'll send incremental updates
until we hit this threshold, at which point we'll stop sending updates until
data has been written to the wire, causing the output buffer offset to fall
back below the threshold.

If audio capture is enabled, we increase the size of the threshold to also
allow for upto 1 seconds worth of audio data samples. ie nchannels * bytes
per sample * frequency. This allows the output buffer to have a mixture of
incremental framebuffer updates and audio data queued, but once the threshold
is exceeded, audio data will be dropped and incremental updates will be
throttled.

This unbounded memory growth affects all VNC server configurations supported by
QEMU, with no workaround possible. The mitigating factor is that it can only be
triggered by a client that has authenticated with the VNC server, and who is
able to trigger a large quantity of framebuffer updates or audio samples from
the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
their own QEMU process, but its possible other processes can get taken out as
collateral damage.

This is a more general variant of the similar unbounded memory usage flaw in
the websockets server, that was previously assigned CVE-2017-15268, and fixed
in 2.11 by:

  commit a7b20a8efa
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Oct 9 14:43:42 2017 +0100

    io: monitor encoutput buffer size from websocket GSource

This new general memory usage flaw has been assigned CVE-2017-15124, and is
partially fixed by this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-10-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange 0bad834228 ui: refactor code for determining if an update should be sent to the client
The logic for determining if it is possible to send an update to the client
will become more complicated shortly, so pull it out into a separate method
for easier extension later.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-9-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange 728a7ac954 ui: correctly reset framebuffer update state after processing dirty regions
According to the RFB protocol, a client sends one or more framebuffer update
requests to the server. The server can reply with a single framebuffer update
response, that covers all previously received requests. Once the client has
read this update from the server, it may send further framebuffer update
requests to monitor future changes. The client is free to delay sending the
framebuffer update request if it needs to throttle the amount of data it is
reading from the server.

The QEMU VNC server, however, has never correctly handled the framebuffer
update requests. Once QEMU has received an update request, it will continue to
send client updates forever, even if the client hasn't asked for further
updates. This prevents the client from throttling back data it gets from the
server. This change fixes the flawed logic such that after a set of updates are
sent out, QEMU waits for a further update request before sending more data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-8-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange fef1bbadfb ui: introduce enum to track VNC client framebuffer update request state
Currently the VNC servers tracks whether a client has requested an incremental
or forced update with two boolean flags. There are only really 3 distinct
states to track, so create an enum to more accurately reflect permitted states.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-7-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange 8f61f1c5a6 ui: track how much decoded data we consumed when doing SASL encoding
When we encode data for writing with SASL, we encode the entire pending output
buffer. The subsequent write, however, may not be able to send the full encoded
data in one go though, particularly with a slow network. So we delay setting the
output buffer offset back to zero until all the SASL encoded data is sent.

Between encoding the data and completing sending of the SASL encoded data,
however, more data might have been placed on the pending output buffer. So it
is not valid to set offset back to zero. Instead we must keep track of how much
data we consumed during encoding and subtract only that amount.

With the current bug we would be throwing away some pending data without having
sent it at all. By sheer luck this did not previously cause any serious problem
because appending data to the send buffer is always an atomic action, so we
only ever throw away complete RFB protocol messages. In the case of frame buffer
updates we'd catch up fairly quickly, so no obvious problem was visible.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-6-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange 3541b08475 ui: avoid pointless VNC updates if framebuffer isn't dirty
The vnc_update_client() method checks the 'has_dirty' flag to see if there are
dirty regions that are pending to send to the client. Regardless of this flag,
if a forced update is requested, updates must be sent. For unknown reasons
though, the code also tries to sent updates if audio capture is enabled. This
makes no sense as audio capture state does not impact framebuffer contents, so
this check is removed.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-5-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange b939eb89b6 ui: remove redundant indentation in vnc_client_update
Now that previous dead / unreachable code has been removed, we can simplify
the indentation in the vnc_client_update method.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-4-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange c53df96161 ui: remove unreachable code in vnc_update_client
A previous commit:

  commit 5a8be0f73d
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Wed Jul 13 12:21:20 2016 +0200

    vnc: make sure we finish disconnect

Added a check for vs->disconnecting at the very start of the
vnc_update_client method. This means that the very next "if"
statement check for !vs->disconnecting always evaluates true,
and is thus redundant. This in turn means the vs->disconnecting
check at the very end of the method never evaluates true, and
is thus unreachable code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Daniel P. Berrange 6af998db05 ui: remove 'sync' parameter from vnc_update_client
There is only one caller of vnc_update_client and that always passes false
for the 'sync' parameter.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Marc-André Lureau 090fdc83b0 vnc: fix debug spelling
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171220140618.12701-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Peter Maydell 997eba28a3 target-arm queue:
* add aarch64_be linux-user target
  * Virt: ACPI: fix qemu assert due to re-assigned table data address
  * imx_fec: various bug fixes and cleanups
  * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
  * hw/sd/pxa2xx_mmci: add read/write() trace events
  * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
  * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
  * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
  * hw/intc/arm_gic: reserved register addresses are RAZ/WI
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJaV2iVAAoJEDwlJe0UNgzeLmEQAJ3A9m42/ZI6z3zSjnu27q13
 8UvLlXimJuABK9cav5EvqXz6j+LwqBs7psJ6tvNXV3L2A+lBPYPHsTqnS7T0BSts
 36r1IepRA1Gw8nIdKDpK4ZwNQ2EkkipairtWq7OV4Q3Ouh5TRuVX2Sm8iKdz0tm5
 cd6LAQjynPfe4oeZXgJU6TlulSaWxSrUhhc0VGsv6Q9L5tZR4C1lFYP8Ijv3xPfh
 5pKWccTJktywahrFrdr0mWOWnRgkZ3Fm63r0JeyoHeT7olLLp91zk/d+C7+QYoEn
 vkJwvPrhYru349Inq8T7X7jg3aWdh28Ivajm11EQ9l+uFjwdbR/jbVUHCQn3QXzE
 +SN1Kmk3U8IiAPoc9hjTjHnYG6OSKEBgJautgmxQZjWaMm7RvwVPvJTULyZTQi27
 0NxHl9Uh2dlc8Msj6DfGfd0XOdf1crqtAGERKfJBsyrN0whiugH9Hn+AEnjf17zt
 M6lJbkwF8P8oG0DmnbZcxvh9QIHv0eaAW5ksR5wwnPIHsvSLQv/wgiwRdTjNh/JM
 KNH/F4+H2O7bbK2Dh/Y20RGiip0XhpelRFfoN507Uh4YgE+NEmV1CnN1gbk/P+y6
 f1PJ5Dt+H3m3dSyzyUsie4foO5BVTxhPE6dQKz2nsTWjNJRbIRLJx82A5GSF2Cip
 ZDCn6DGcMXtbAoseeu9l
 =imOw
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180111' into staging

target-arm queue:
 * add aarch64_be linux-user target
 * Virt: ACPI: fix qemu assert due to re-assigned table data address
 * imx_fec: various bug fixes and cleanups
 * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
 * hw/sd/pxa2xx_mmci: add read/write() trace events
 * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
 * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
 * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
 * hw/intc/arm_gic: reserved register addresses are RAZ/WI

# gpg: Signature made Thu 11 Jan 2018 13:37:25 GMT
# gpg:                using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20180111: (26 commits)
  hw/intc/arm_gic: reserved register addresses are RAZ/WI
  hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
  target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
  linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
  hw/sd/pxa2xx_mmci: add read/write() trace events
  hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
  imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
  imx_fec: Fix a typo in imx_enet_receive()
  imx_fec: Use correct length for packet size
  imx_fec: Add support for multiple Tx DMA rings
  imx_fec: Emulate SHIFT16 in ENETx_RACC
  imx_fec: Use MIN instead of explicit ternary operator
  imx_fec: Use ENET_FTRL to determine truncation length
  imx_fec: Move Tx frame buffer away from the stack
  imx_fec: Change queue flushing heuristics
  imx_fec: Refactor imx_eth_enable_rx()
  imx_fec: Do not link to netdev
  Virt: ACPI: fix qemu assert due to re-assigned table data address
  target/arm: Fix stlxp for aarch64_be
  linux-user: Activate armeb handler registration
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 14:34:41 +00:00
Peter Maydell 0cf0985201 hw/intc/arm_gic: reserved register addresses are RAZ/WI
The GICv2 specification says that reserved register addresses
must RAZ/WI; now that we implement external abort handling
for Arm CPUs this means we must return MEMTX_OK rather than
MEMTX_ERROR, to avoid generating a spurious guest data abort.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-3-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
2018-01-11 13:25:40 +00:00
Peter Maydell f1945632b4 hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
The GICv3 specification says that reserved register addresses
should RAZ/WI. This means we need to return MEMTX_OK, not MEMTX_ERROR,
because now that we support generating external aborts the
latter will cause an abort on new board models.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-2-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
2018-01-11 13:25:40 +00:00
Peter Maydell 2eea841c11 target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
Refactor disas_thumb2_insn() so that it generates the code for raising
an UNDEF exception for invalid insns, rather than returning a flag
which the caller must check to see if it needs to generate the UNDEF
code. This brings the function in to line with the behaviour of
disas_thumb_insn() and disas_arm_insn().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1513080506-17703-1-git-send-email-peter.maydell@linaro.org
2018-01-11 13:25:40 +00:00
Peter Maydell 579648554a linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
Our copy of the nwfpe code for emulating of the old FPA11 floating
point unit doesn't check the coprocessor number in the instruction
when it emulates it.  This means that we might treat some
instructions which should really UNDEF as being FPA11 instructions by
accident.

The kernel's copy of the nwfpe code doesn't make this error; I suspect
the bug was noticed and fixed as part of the process of mainlining
the nwfpe code more than a decade ago.

Add a check that the coprocessor number (which is always in bits
[11:8] of the instruction) is either 1 or 2, which is where the
FPA11 lives.

Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:39 +00:00
Philippe Mathieu-Daudé 487b406af1 hw/sd/pxa2xx_mmci: add read/write() trace events
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180104000156.30932-1-f4bug@amsat.org
[PMM: add missing include]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:39 +00:00
Philippe Mathieu-Daudé 2ba63e4af6 hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180103224208.30291-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov 831858ad9d imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
Some i.MX SoCs (e.g. i.MX7) have FEC registers going as far as offset
0x614, so to avoid getting aborts when accessing those on QEMU, extend
the register file to cover FSL_IMX25_FEC_SIZE(16K) of address space
instead of just 1K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov 894d74cc4f imx_fec: Fix a typo in imx_enet_receive()
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov 52cfd5846b imx_fec: Use correct length for packet size
Use 'frame_size' instead of 'len' when calling qemu_send_packet(),
failing to do so results in malformed packets send in case when that
packed is fragmented into multiple DMA transactions.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov f93f961c40 imx_fec: Add support for multiple Tx DMA rings
More recent version of the IP block support more than one Tx DMA ring,
so add the code implementing that feature.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov ebdd8cddb9 imx_fec: Emulate SHIFT16 in ENETx_RACC
Needed to support latest Linux kernel driver which relies on that
functionality.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov 4c5e7a6cda imx_fec: Use MIN instead of explicit ternary operator
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:36 +00:00
Andrey Smirnov ff9a7feeab imx_fec: Use ENET_FTRL to determine truncation length
Frame truncation length, TRUNC_FL, is determined by the contents of
ENET_FTRL register, so convert the code to use it instead of a
hardcoded constant.

To avoid the case where TRUNC_FL is greater that ENET_MAX_FRAME_SIZE,
increase the value of the latter to its theoretical maximum of 16K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:36 +00:00
Andrey Smirnov 7bac20dc51 imx_fec: Move Tx frame buffer away from the stack
Make Tx frame assembly buffer to be a paort of IMXFECState structure
to avoid a concern about having large data buffer on the stack.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:35 +00:00
Andrey Smirnov b2b012afdd imx_fec: Change queue flushing heuristics
In current implementation, packet queue flushing logic seem to suffer
from a deadlock like scenario if a packet is received by the interface
before before Rx ring is initialized by Guest's driver. Consider the
following sequence of events:

	1. A QEMU instance is started against a TAP device on Linux
	   host, running Linux guest, e. g., something to the effect
	   of:

	   qemu-system-arm \
	      -net nic,model=imx.fec,netdev=lan0 \
	      netdev tap,id=lan0,ifname=tap0,script=no,downscript=no \
	      ... rest of the arguments ...

	2. Once QEMU starts, but before guest reaches the point where
	   FEC deriver is done initializing the HW, Guest, via TAP
	   interface, receives a number of multicast MDNS packets from
	   Host (not necessarily true for every OS, but it happens at
	   least on Fedora 25)

	3. Recieving a packet in such a state results in
	   imx_eth_can_receive() returning '0', which in turn causes
	   tap_send() to disable corresponding event (tap.c:203)

	4. Once Guest's driver reaches the point where it is ready to
	   recieve packets it prepares Rx ring descriptors and writes
	   ENET_RDAR_RDAR to ENET_RDAR register to indicate to HW that
	   more descriptors are ready. And at this points emulation
	   layer does this:

	   	 s->regs[index] = ENET_RDAR_RDAR;
                 imx_eth_enable_rx(s);

	   which, combined with:

	   	  if (!s->regs[ENET_RDAR]) {
		     qemu_flush_queued_packets(qemu_get_queue(s->nic));
		  }

	   results in Rx queue never being flushed and corresponding
	   I/O event beign disabled.

To prevent the problem, change the code to always flush packet queue
when ENET_RDAR transitions 0 -> ENET_RDAR_RDAR.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:35 +00:00
Andrey Smirnov a6383e99ff imx_fec: Refactor imx_eth_enable_rx()
Refactor imx_eth_enable_rx() to have more meaningfull variable name
than 'tmp' and to reduce number of logical negations done.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:35 +00:00
Andrey Smirnov 1fdde6537e imx_fec: Do not link to netdev
Binding to a particular netdev doesn't seem to belong to this layer
and should probably be done as a part of board or SoC specific code.

Convert all of the users of this IP block to use
qdev_set_nic_properties() instead.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:34 +00:00
Zhaoshenglong 4d027afeb3 Virt: ACPI: fix qemu assert due to re-assigned table data address
acpi_data_push uses g_array_set_size to resize the memory size. If there
is no enough contiguous memory, the address will be changed. If we use
the old value, it will assert.
qemu-kvm: hw/acpi/bios-linker-loader.c:214: bios_linker_loader_add_checksum:
Assertion `start_offset < file->blob->len' failed.`

This issue only happens in building SRAT table now but here we unify the
pattern for other tables as well to avoid possible issues in the future.

Signed-off-by: Zhaoshenglong <zhaoshenglong@huawei.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:34 +00:00
Michael Weiser 0785557f88 target/arm: Fix stlxp for aarch64_be
ldxp loads two consecutive doublewords from memory regardless of CPU
endianness. On store, stlxp currently assumes to work with a 128bit
value and consequently switches order in big-endian mode. With this
change it packs the doublewords in reverse order in anticipation of the
128bit big-endian store operation interposing them so they end up in
memory in the right order. This makes it work for both MTTCG and !MTTCG.
It effectively implements the ARM ARM STLXP operation pseudo-code:

data = if BigEndian() then el1:el2 else el2:el1;

With this change an aarch64_be Linux 4.14.4 kernel succeeds to boot up
in system emulation mode.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:33 +00:00
Michael Weiser bfe69cc867 linux-user: Activate armeb handler registration
armeb is missing from the target list in qemu-binfmt-conf.sh. Add it so
the handler for those binaries gets registered by the script.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-8-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:33 +00:00
Michael Weiser 2ced93eee0 linux-user: Separate binfmt arm CPU families
Give big-endian arm and aarch64 CPUs their own family in
qemu-binfmt-conf.sh to make sure we register qemu-user for binaries of
the opposite endianness on arm and aarch64. Apart from the family
assignments of the magic values, qemu_get_family() needs to be able to
distinguish the two and recognise aarch64{,_be} as well.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-7-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:33 +00:00
Michael Weiser f772f212b3 linux-user: Add aarch64_be magic numbers to qemu-binfmt-conf.sh
As we now have a linux-user aarch64_be target, we can add it to the list
of supported targets in qemu-binfmt-conf.sh

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-6-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:32 +00:00
Michael Weiser 722dd7be8c configure: Add aarch64_be-linux-user target
Add target aarch64_be-linux-user. This allows a qemu-aarch64_be binary
to be built that will run big-endian aarch64 binaries.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-5-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:32 +00:00
Michael Weiser 50f22fa60d linux-user: Fix endianess of aarch64 signal trampoline
Since for aarch64 the signal trampoline is synthesized directly into the
signal frame we need to make sure the instructions end up little-endian.
Otherwise the wrong endianness will cause a SIGILL upon return from the
signal handler on big-endian targets.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20171220212308.12614-4-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:31 +00:00
Michael Weiser cb3aa5fea1 linux-user: Add separate aarch64_be uname
Make big-endian aarch64 systems identify as aarch64_be as expected by
big-endian userland and toolchains.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-3-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:31 +00:00
Michael Weiser dfdcf34031 linux-user: Add support for big-endian aarch64
Enable big-endian mode for data accesses on aarch64 for big-endian linux
user mode. Activate it for all exception levels as documented by ARM:
Set the SCTLR EE bit for ELs 1 through 3. Additionally set bit E0E in
EL1 to enable it in EL0 as well.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20171220212308.12614-2-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:31 +00:00
Peter Maydell e890966d60 ppc patch queue 2018-01-11
This pull request supersedes ppc-for-2.12-20180108 and several before
 it.  The earlier pull request included a patch which exposed a bug in
 the ARM TCG backend.  I've pulled that out and will repost once the
 ARM bug is fixed (a patch has been posted by Richard Henderson).
 
 Higlights from this series:
   * SLOF update
   * Several new devices for embedded platforms
   * Fix to correctly set compatiblity mode for hotplugged CPUs
   * dtc compile fix for older MacOS versions
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAlpW7uMACgkQbDjKyiDZ
 s5JBRQ//Ybt5KgnY0WVEJDVjeIuNBJUD6brVSIYr39tQPe1XdLgeVESxY8NFHy/A
 +vEuTXeneJw6ShkfQFoyvMKpMi/vUmdCW9I7JL0VSFL1DlnpQqonH2EXUWRR4ox9
 DF54+Q/KUFyUS3ENN5FSLDSYKhHZ2lgS5ViNuk5rmOlsrfEsjwqi5hCyMN7DXDv+
 XY/kv2WWLHtXx6W8ci42jYeTDXnLTA2qLh2pCywakJa3vJkmxkBedotBOBA4A2lo
 ThhwwPqBN1Ui0mR5faVXRAnzOYv2bduv4srdtiYmaWESDx6iDmBcVIedbI/ls7ux
 xikU5ix/GGfX74Bg/mrxGC4+i6mc0lifyGMKyyRle3lD1KrMUuI8ceGuxpzNENgQ
 uwpAnnLx6wwLk2BSsBGz7nXIwI5ZKVJf0u/zVjKkIh4BDn/nDTkPqM8aKweG+XbY
 1ahJp0mlmvBbPLWdiK+bmJR453tlvSLp+Xk/YmIw0g+9tORS6ET2StH5InrM04/J
 in2aQ1Tf7cOu5F+emg11UY33l2MZ6hgKcqMbRi2wGDtSTBVe2VUkXRKz6oKsTvXk
 Yx12+DweC1oK3Gmw/qv/xs/QnrMp7Au50jYHvpLEY7MuHSG2CdmP8hiCYP6HGi0W
 ZhF3khXlZ/Dw7Rkq6W3TGUyTRXhDoI73SB716SbScSgSluEzovs=
 =W8lr
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.12-20180111' into staging

ppc patch queue 2018-01-11

This pull request supersedes ppc-for-2.12-20180108 and several before
it.  The earlier pull request included a patch which exposed a bug in
the ARM TCG backend.  I've pulled that out and will repost once the
ARM bug is fixed (a patch has been posted by Richard Henderson).

Higlights from this series:
  * SLOF update
  * Several new devices for embedded platforms
  * Fix to correctly set compatiblity mode for hotplugged CPUs
  * dtc compile fix for older MacOS versions

# gpg: Signature made Thu 11 Jan 2018 04:58:11 GMT
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.12-20180111:
  spapr: Correct compatibility mode setting for hotplugged CPUs
  hw/ppc: Remove the deprecated spapr-pci-vfio-host-bridge device
  Update dtc to fix compilation problem on Mac OS 10.6
  target/ppc: more use of the PPC_*() macros
  ppc/pnv: change powernv_ prefix to pnv_ for overall naming consistency
  hw/ide: Emulate SiI3112 SATA controller
  spapr_pci: use warn_report()
  ppc4xx_i2c: Implement basic I2C functions
  sm501: Add some more unimplemented registers
  sm501: Add panel hardware cursor registers also to read function
  pseries: Update SLOF firmware image to qemu-slof-20171214

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:24:17 +00:00
Peter Maydell 612061b277 nbd patches for 2018-01-10
- Vladimir Sementsov-Ogievskiy: nbd: rename nbd_option and nbd_opt_reply
 - Vladimir Sementsov-Ogievskiy: nbd/server: add additional assert to nbd_export_put
 -----BEGIN PGP SIGNATURE-----
 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
 
 iQEcBAABCAAGBQJaVpl9AAoJEKeha0olJ0Nqd1cIAKQrlgqQbyayEHHSHU93/kpX
 6+PLv4kNeV6EwLzYmY91XO7RLzobeHkHmH1b5PnTqqQFFQLEZ6UPYz8HljkSzgmN
 33WKAWqSECQ4U0zGD5RXRcqntiVjsQCzlO1bzi/eWGBh9X411mTF7y/R+KzOmrdm
 dv9Spo1VZ48KxmoTklDEDgbpABu4GcwrDbVcQbDxYIZ6PdU4TIL57JFsAkASJvPZ
 qWrGMH7ij+ropSHFkqP2bzixsDiBcStFC9eATHf6+/wYmm4N0TRJrykJpKGiCJ23
 oeQdeoZ78jTk3moxFixbNap14BNM76OMVU1Alsr5Y7zGMPgiv3Gpy83XLg050lw=
 =w/o2
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-01-10' into staging

nbd patches for 2018-01-10

- Vladimir Sementsov-Ogievskiy: nbd: rename nbd_option and nbd_opt_reply
- Vladimir Sementsov-Ogievskiy: nbd/server: add additional assert to nbd_export_put

# gpg: Signature made Wed 10 Jan 2018 22:53:49 GMT
# gpg:                using RSA key 0xA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>"
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
# gpg:                 aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2018-01-10:
  nbd: rename nbd_option and nbd_opt_reply
  nbd/server: add additional assert to nbd_export_put

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 11:52:40 +00:00
Peter Maydell 7642f96e60 qemu-sparc update
-----BEGIN PGP SIGNATURE-----
 
 iQFSBAABCAA8FiEEzGIauY6CIA2RXMnEW8LFb64PMh8FAlpVPkYeHG1hcmsuY2F2
 ZS1heWxhbmRAaWxhbmRlLmNvLnVrAAoJEFvCxW+uDzIf27MIAIxw7dIYn9ez/uNv
 7iQpTp+aJjEnPhsjcshfzHfPej7d1h6ot6midy75hKb3NfyOG3RN23N5mzK4Mzjf
 ybHtXhTjYJl5gndaM0jCdaU5EYDq3BU6kkXS3WJy2hNayfFkRpeLWBR7pdxAGrP3
 bp1r064tl3sA8ALYVWFyldgf3o2AuJSxjDFRgbRRIbX1KRLnMwB2gM7ix4FCykcK
 YVIG113J4BAkTuD9vfBRz2f/Gs+zdqjprFVGccyej70qvhjnW7bgL78uYvHMzbST
 CuLULx9v3es8/s7fd1GSxZj45YTkivUPzFI4n2I0qWApTcJVBoGqj5f8EvwD/y67
 A4eiFAQ=
 =EPl3
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-signed' into staging

qemu-sparc update

# gpg: Signature made Tue 09 Jan 2018 22:12:22 GMT
# gpg:                using RSA key 0x5BC2C56FAE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C  C9C4 5BC2 C56F AE0F 321F

* remotes/mcayland/tags/qemu-sparc-signed: (25 commits)
  sun4u_iommu: add trace event for IOMMU translations
  sun4u_iommu: convert from IOMMU_DPRINTF to trace-events
  sun4u_iommu: update to reflect IOMMU is no longer part of the APB device
  sun4u: split IOMMU device out from apb.c to sun4u_iommu.c
  apb: QOMify IOMMU
  sun4m: remove include/hw/sparc/sun4m.h and all references to it
  sun4m: move IOMMU declarations from sun4m.h to sun4m_iommu.h
  sun4m: move sun4m_iommu.c from hw/dma to hw/sparc
  sun4u: switch from EBUS_DPRINTF() macro to trace-events
  sparc64: introduce trace-events for hw/sparc64
  apb: replace OBIO interrupt numbers in pci_pbmA_map_irq() with constants
  ebus: wire up OBIO interrupts to APB pbm via qdev GPIOs
  apb: remove busA property from PBMPCIBridge state
  apb: split pci_pbm_map_irq() into separate functions for bus A and bus B
  apb: remove pci_apb_init() and instantiate APB device using qdev
  apb: move the two secondary PCI bridges objects into APBState
  apb: use gpios to wire up the apb device to the SPARC CPU IRQs
  apb: return APBState from pci_apb_init() rather than PCIBus
  apb: APB QOMify tidy-up
  sun4u: move initialisation of all ISABus devices into ebus_realize()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 09:54:15 +00:00
Vladimir Sementsov-Ogievskiy 420a4e9559 nbd: rename nbd_option and nbd_opt_reply
Rename nbd_option and nbd_opt_reply to NBDOption and NBDOptionReply
to correspond to Qemu coding style and other structures here.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20171122101958.17065-5-vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2018-01-10 12:11:23 -06:00
David Gibson 51f84465dd spapr: Correct compatibility mode setting for hotplugged CPUs
Currently the pseries machine sets the compatibility mode for the
guest's cpus in two places: 1) at machine reset and 2) after CAS
negotiation.

This means that if we set or negotiate a compatiblity mode, then
hotplug a cpu, the hotplugged cpu doesn't get the right mode set and
will incorrectly have the full native features.

To correct this, we set the compatibility mode on a cpu when it is
brought online with the 'start-cpu' RTAS call.  Given that we no
longer need to set the compatibility mode on all CPUs at machine
reset, so we change that to only set the mode for the boot cpu.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Tested-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
2018-01-10 12:53:00 +11:00
Thomas Huth a716766889 hw/ppc: Remove the deprecated spapr-pci-vfio-host-bridge device
It's a deprecated dummy device since QEMU v2.6.0. That should have
been enough time to allow the users to update their scripts in case
they still use it, so let's remove this legacy code now.

Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:53:00 +11:00
John Arbuckle 307f3d0156 Update dtc to fix compilation problem on Mac OS 10.6
Currently QEMU does not build on Mac OS 10.6
because of a missing patch in the dtc
subproject. Updating dtc to make the patch
available fixes this problem.

Signed-off-by: John Arbuckle <programmingkidx@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:53:00 +11:00
Cédric Le Goater a6a444a87a target/ppc: more use of the PPC_*() macros
Also introduce utilities to manipulate bitmasks (originaly from OPAL)
which be will be used in the model of the XIVE interrupt controller.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:53:00 +11:00
Cédric Le Goater b168a138a8 ppc/pnv: change powernv_ prefix to pnv_ for overall naming consistency
The 'pnv' prefix is now used for all and the routines populating the
device tree start with 'pnv_dt'. The handler of the PnvXScomInterface
is also renamed to 'dt_xscom' which should reflect that it is
populating the device tree under the 'xscom@' node of the chip.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:53:00 +11:00
BALATON Zoltan a9dd6604a6 hw/ide: Emulate SiI3112 SATA controller
This is a common generic PCI SATA controller that is also used in PCs
but more importantly guests running on the Sam460ex board prefer this
card and have a driver for it (unlike for other SATA controllers
already emulated).

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Acked-by: John Snow <jsnow@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:53:00 +11:00
Greg Kurz 2b3db9dd34 spapr_pci: use warn_report()
These two are definitely warnings. Let's use the appropriate API.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-01-10 12:52:59 +11:00