aboutsummaryrefslogtreecommitdiff
path: root/exec.c
AgeCommit message (Collapse)AuthorFilesLines
2015-06-19exec: clamp accesses against the MemoryRegionSectionPaolo Bonzini1-1/+1
Because the clamping was done against the MemoryRegion, address_space_rw was effectively broken if a write spanned multiple sections that are not linear in underlying memory (with the memory not being under an IOMMU). This is visible with the MIPS rc4030 IOMMU, which is implemented as a series of alias memory regions that point to the actual RAM. Tested-by: Hervé Poussineau <hpoussin@reactos.org> Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-19exec: do not clamp accesses to MMIO regionsPaolo Bonzini1-2/+6
It is common for MMIO registers to overlap, for example a 4 byte register at 0xcf8 (totally random choice... :)) and a 1 byte register at 0xcf9. If these registers are implemented via separate MemoryRegions, it is wrong to clamp the accesses as the value written would be truncated. Hence for these regions the effects of commit 23820db (exec: Respect as_translate_internal length clamp, 2015-03-16, previously applied as commit c3c1bb99) must be skipped. Tested-by: Hervé Poussineau <hpoussin@reactos.org> Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-12qemu_ram_foreach_block: pass up error value, and down the ramblock nameDr. David Alan Gilbert1-2/+8
check the return value of the function it calls and error if it's non-0 Fixup qemu_rdma_init_one_block that is the only current caller, and rdma_add_block the only function it calls using it. Pass the name of the ramblock to the function; helps in debugging. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Amit Shah <amit.shah@redhat.com> Reviewed-by: Michael R. Hines <mrhines@us.ibm.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-06-12migration: Use normal VMStateDescriptions for SubsectionsJuan Quintela1-7/+4
We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanism that do the same, we can just generalize it. For subsections we just change: - Add a needed function to VMStateDescription - Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription) - Adjust the whole tree, moving the needed function to the corresponding VMStateDescription Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-06-05memory: replace cpu_physical_memory_reset_dirty() with test-and-clearStefan Hajnoczi1-6/+17
The cpu_physical_memory_reset_dirty() function is sometimes used together with cpu_physical_memory_get_dirty(). This is not atomic since two separate accesses to the dirty memory bitmap are made. Turn cpu_physical_memory_reset_dirty() and cpu_physical_memory_clear_dirty_range_type() into the atomic cpu_physical_memory_test_and_clear_dirty(). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <1417519399-3166-6-git-send-email-stefanha@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05exec: only check relevant bitmaps for cleanlinessPaolo Bonzini1-9/+13
Most of the time, not all bitmaps have to be marked as dirty; do not do anything if the interesting ones are already dirty. Previously, any clean bitmap would have cause all the bitmaps to be marked dirty. In fact, unless running TCG most of the time bitmap operations need not be done at all, because memory_region_is_logging returns zero. In this case, skip the call to cpu_physical_memory_range_includes_clean altogether as well. With this patch, cpu_physical_memory_set_dirty_range is called unconditionally, so there need not be anymore a separate call to xen_modified_memory. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05exec: pass client mask to cpu_physical_memory_set_dirty_rangePaolo Bonzini1-9/+11
This cuts in half the cost of bitmap operations (which will become more expensive when made atomic) during migration on non-VRAM regions. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05translate-all: remove unnecessary argument to tb_invalidate_phys_rangePaolo Bonzini1-1/+1
The is_cpu_write_access argument is always 0, remove it. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05exec: use memory_region_get_dirty_log_mask to optimize dirty trackingPaolo Bonzini1-40/+19
The memory API can now return the exact set of bitmaps that have to be tracked. Use it instead of the in_migration variable. In the next patches, we will also use it to set only DIRTY_MEMORY_VGA or DIRTY_MEMORY_MIGRATION if necessary. This can make a difference for dataplane, especially after the dirty bitmap is changed to use more expensive atomic operations. Of some interest is the change to stl_phys_notdirty. When migration was introduced, stl_phys_notdirty was changed to effectively behave as stl_phys during migration. In fact, if one looks at the function as it was in the beginning (commit 8df1cd0, physical memory access functions, 2005-01-28), at the time the dirty bitmap was the equivalent of DIRTY_MEMORY_CODE nowadays; hence, the function simply should not touch the dirty code bits. This patch changes it to do the intended thing. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05ram_addr: tweaks to xen_modified_memoryPaolo Bonzini1-1/+2
Invoke xen_modified_memory from cpu_physical_memory_set_dirty_range_nocode; it is akin to DIRTY_MEMORY_MIGRATION, so set it together with that bitmap. The remaining call from invalidate_and_set_dirty's "else" branch will go away soon. Second, fix the second argument to the function in the cpu_physical_memory_set_dirty_lebitmap call site. That function is only used by KVM, but it is better to be clean anyway. Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05exec: optimize phys_page_set_levelPaolo Bonzini1-14/+10
phys_page_set_level is writing zeroes to a struct that has just been filled in by phys_map_node_alloc. Instead, tell phys_map_node_alloc whether to fill in the page "as a leaf" or "as a non-leaf". memcpy is faster than struct assignment, which copies each bitfield individually. A compiler bug (https://gcc.gnu.org/PR66391), and small memcpys like this one are special-cased anyway, and optimized to a register move, so just use the memcpy. This cuts the cost of phys_page_set_level from 25% to 5% when booting qboot. Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-30exec: move rcu_read_lock/unlock to address_space_translate callersPaolo Bonzini1-4/+29
Once address_space_translate will be called outside the BQL, the returned MemoryRegion might disappear as soon as the RCU read-side critical section ends. Avoid this by moving the critical section to the callers. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1426684909-95030-3-git-send-email-pbonzini@redhat.com>
2015-04-30Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell1-30/+51
- miscellaneous cleanups for TCG (Emilio) and NBD (Bogdan) - next part in the thread-safe address_space_* saga: atomic access to the bounce buffer and the map_clients list, from Fam - optional support for linking with tcmalloc, also from Fam - reapplying Peter Crosthwaite's "Respect as_translate_internal length clamp" after fixing the SPARC fallout. - build system fix from Wei Liu - small acpi-build and ioport cleanup by myself # gpg: Signature made Wed Apr 29 09:34:00 2015 BST using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: (22 commits) nbd/trivial: fix type cast for ioctl translate-all: use bitmap helpers for PageDesc's bitmap target-i386: disable LINT0 after reset Makefile.target: prepend $libs_softmmu to $LIBS milkymist: do not modify libs-softmmu configure: Add support for tcmalloc exec: Respect as_translate_internal length clamp ioport: reserve the whole range of an I/O port in the AddressSpace ioport: loosen assertions on emulation of 16-bit ports ioport: remove wrong comment ide: there is only one data port gus: clean up MemoryRegionPortio sb16: remove useless mixer_write_indexw sun4m: fix slavio sysctrl and led register sizes acpi-build: remove dependency from ram_addr.h memory: add memory_region_ram_resize dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel exec: Notify cpu_register_map_client caller if the bounce buffer is available exec: Protect map_client_list with mutex linux-user, bsd-user: Remove two calls to cpu_exec_init_all ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-04-27exec: Respect as_translate_internal length clampPeter Crosthwaite1-4/+2
address_space_translate_internal will clamp the *plen length argument based on the size of the memory region being queried. The iommu walker logic in addresss_space_translate was ignoring this by discarding the post fn call value of *plen. Fix by just always using *plen as the length argument throughout the fn, removing the len local variable. This fixes a bootloader bug when a single elf section spans multiple QEMU memory regions. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-27dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancelFam Zheng1-13/+21
If DMA's owning thread cancels the IO while the bounce buffer's owning thread is notifying the "cpu client list", a use-after-free happens: continue_after_map_failure dma_aio_cancel ------------------------------------------------------------------ aio_bh_new qemu_bh_delete qemu_bh_schedule (use after free) Also, the old code doesn't run the bh in the right AioContext. Fix both problems by passing a QEMUBH to cpu_register_map_client. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1426496617-10702-6-git-send-email-famz@redhat.com> [Remove unnecessary forward declaration. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-27exec: Notify cpu_register_map_client caller if the bounce buffer is availableFam Zheng1-7/+16
The caller's workflow is like if (!address_space_map()) { ... cpu_register_map_client(); } If bounce buffer became available after address_space_map() but before cpu_register_map_client(), the caller could miss it and has to wait for the next bounce buffer notify, which may never happen in the worse case. Just notify the list in cpu_register_map_client(). Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <1426496617-10702-5-git-send-email-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-27exec: Protect map_client_list with mutexFam Zheng1-9/+13
So that accesses from multiple threads are safe. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <1426496617-10702-4-git-send-email-famz@redhat.com> [Remove #if from cpu_exec_init_all. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-27exec: Atomic access to bounce bufferFam Zheng1-1/+3
There could be a race condition when two processes call address_space_map concurrently and both want to use the bounce buffer. Add an in_use flag in BounceBuffer to sync it. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <1426496617-10702-2-git-send-email-famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-26exec.c: Capture the memory attributes for a watchpoint hitPeter Maydell1-15/+31
Capture the memory attributes for the transaction which triggered a watchpoint; this allows CPU specific code to implement features like ARM's "user-mode only WPs also hit for LDRT/STRT accesses made from privileged code". This change also correctly passes through the memory attributes to the underlying device when a watchpoint access doesn't hit. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2015-04-26exec.c: Add new address_space_ld*/st* functionsPeter Maydell1-50/+247
Add new address_space_ld*/st* functions which allow transaction attributes and error reporting for basic load and stores. These are named to be in line with the address_space_read/write/rw buffer operations. The existing ld/st*_phys functions are now wrappers around the new functions. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2015-04-26exec.c: Make address_space_rw take transaction attributesPeter Maydell1-23/+28
Make address_space_rw take transaction attributes, rather than always using the 'unspecified' attributes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2015-04-26exec.c: Convert subpage memory ops to _with_attrsPeter Maydell1-12/+21
Convert the subpage memory ops to _with_attrs; this will allow us to pass the attributes through to the underlying access functions. (Nothing uses the attributes yet.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2015-04-26memory: Replace io_mem_read/write with memory_region_dispatch_read/writePeter Maydell1-16/+31
Rather than retaining io_mem_read/write as simple wrappers around the memory_region_dispatch_read/write functions, make the latter public and change all the callers to use them, since we need to touch all the callsites anyway to add MemTxAttrs and MemTxResult support. Delete io_mem_read and io_mem_write entirely. (All the callers currently pass MEMTXATTRS_UNSPECIFIED and convert the return value back to bool or ignore it.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2015-04-01Revert "exec: Respect as_tranlsate_internal length clamp"Paolo Bonzini1-2/+4
This reverts commit c3c1bb99d1c11978d9ce94d1bdcf0705378c1459. It causes problems with boards that declare memory regions shorter than the registers they contain. Reported-by: Zoltan Balaton <balaton@eik.bme.hu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-26exec: avoid possible overwriting of mmaped area in qemu_ram_remapPaolo Bonzini1-1/+0
It is not necessary to munmap an area before remapping it with MAP_FIXED; if the memory region specified by addr and len overlaps pages of any existing mapping, then the overlapped part of the existing mapping will be discarded. On the other hand, if QEMU does munmap the pages, there is a small probability that another mmap sneaks in and catches the just-freed portion of the address space. In effect, munmap followed by mmap(MAP_FIXED) is a use-after-free error, and Coverity flags it as such. Fix it. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-18exec: Respect as_tranlsate_internal length clampPeter Crosthwaite1-4/+2
address_space_translate_internal will clamp the *plen length argument based on the size of the memory region being queried. The iommu walker logic in addresss_space_translate was ignoring this by discarding the post fn call value of *plen. Fix by just always using *plen as the length argument throughout the fn, removing the len local variable. This fixes a bootloader bug when a single elf section spans multiple QEMU memory regions. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-12Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell1-3/+5
misc fixes and cleanups A bunch of fixes all over the place, some of the bugs fixed are actually regressions. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Wed Mar 11 17:48:30 2015 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: (25 commits) virtio-scsi: remove empty wrapper for cmd virtio-scsi: clean out duplicate cdb field virtio-scsi: fix cdb/sense size uapi/virtio_scsi: allow overriding CDB/SENSE size virtio-scsi: drop duplicate CDB/SENSE SIZE exec: don't include hw/boards for linux-user acpi: specify format for build_append_namestring MAINTAINERS: drop aliguori@amazon.com tpm: Move memory subregion function into realize function virtio-pci: Convert to realize() pci: Convert pci_nic_init() to Error to avoid qdev_init() machine: query mem-merge machine property machine: query dump-guest-core machine property hw/boards: make it safe to include for linux-user machine: query phandle-start machine property machine: query kvm-shadow-mem machine property kvm: add machine state to kvm_arch_init machine: query kernel-irqchip property machine: allowed/required kernel-irqchip support machine: replace qemu opts with iommu property ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-11exec: don't include hw/boards for linux-userMichael S. Tsirkin1-0/+2
As noted by Andreas, hw/boards.h shouldn't be used outside softmmu code. Include it conditionally, and drop the (now unnecessary) ifdef guards in hw/boards.h Reported-by: Andreas Färber <afaerber@suse.de> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de>
2015-03-11machine: query mem-merge machine propertyMarcel Apfelbaum1-1/+1
Running qemu-bin ... -machine pc,mem-merge=on leads to crash: x86_64-softmmu/qemu-system-x86_64 -machine pc,dump-guest-core=on qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed. Aborted (core dumped) This happens because the commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties. Fix this by querying machine properties through designated wrappers. Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-11machine: query dump-guest-core machine propertyMarcel Apfelbaum1-2/+2
Running qemu-bin ... -machine pc,dump-guest-core=on leads to crash: x86_64-softmmu/qemu-system-x86_64 -machine pc,dump-guest-core=on qemu-system-x86_64: qemu/util/qemu-option.c:387: qemu_opt_get_bool_helper: Assertion `opt->desc && opt->desc->type == QEMU_OPT_BOOL' failed. Aborted (core dumped) This happens because the commit e79d5a6 ("machine: remove qemu_machine_opts global list") removed the global option descriptions and moved them to MachineState's QOM properties. Fix this by querying machine properties through designated wrappers. Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-10Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell1-0/+1
- scsi: improvements to error reporting and conversion to realize, Coverity/sparse fix for iscsi driver - RCU fallout: fix -daemonize and s390x system emulation - KVM: kvm_stat improvements and new man page - x86: SYSRET fix for VxWorks # gpg: Signature made Tue Mar 10 10:18:45 2015 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: x86: fix SS selector in SYSRET scsi: Convert remaining PCI HBAs to realize() scsi: Improve error reporting for invalid drive property hw: Propagate errors through qdev_prop_set_drive() scsi: Clean up duplicated error in legacy if=scsi code cpus: initialize cpu->memory_dispatch rcu: handle forks safely qemu-thread: do not use PTHREAD_MUTEX_ERRORCHECK kvm_stat: add kvm_stat.1 man page kvm_stat: add column headers to text UI iscsi: Fix check for username Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-10cpus: initialize cpu->memory_dispatchPaolo Bonzini1-0/+1
This fixes a NULL pointer dereference in s390x-softmmu. On pretty much all other architectures, creating an MMIO region calls cpu_reload_memory_map. On s390, however, there are no MMIO regions and everything is done via hypercalls. Fixes: 9d82b5a792236db31a75b9db5c93af69ac07c7c5 Reported-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-10Remove superfluous '\n' around error_report()Gonglei1-1/+1
Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-26exec: round up size on MR resizeMichael S. Tsirkin1-0/+2
Block size must fundamentally be a multiple of target page size. Aligning automatically removes need to worry about the alignment from callers. Note: the only caller of qemu_ram_resize (acpi) already happens to have size padded to a power of 2, but we would like to drop the padding in ACPI core, and don't want to expose target page size knowledge to ACPI. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Paolo Bonzini <ponzini@redhat.com>
2015-02-16Convert ram_list to RCUMike Day1-30/+72
Allow "unlocked" reads of the ram_list by using an RCU-enabled QLIST. The ramlist mutex is kept. call_rcu callbacks are run with the iothread lock taken, but that may change in the future. Writers still take the ramlist mutex, but they no longer need to assume that the iothread lock is taken. Readers of the list, instead, no longer require either the iothread or ramlist mutex, but they need to use rcu_read_lock() and rcu_read_unlock(). One place in arch_init.c was downgrading from write side to read side like this: qemu_mutex_lock_iothread() qemu_mutex_lock_ramlist() ... qemu_mutex_unlock_iothread() ... qemu_mutex_unlock_ramlist() and the equivalent idiom is: qemu_mutex_lock_ramlist() rcu_read_lock() ... qemu_mutex_unlock_ramlist() ... rcu_read_unlock() Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Mike Day <ncmike@ncultra.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16exec: convert ram_list to QLISTMike Day1-22/+30
QLIST has RCU-friendly primitives, so switch to it. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Mike Day <ncmike@ncultra.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16cosmetic changes preparing for the following patchesMike Day1-29/+57
Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Mike Day <ncmike@ncultra.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16exec: protect mru_block with RCUPaolo Bonzini1-15/+37
Hence, freeing a RAMBlock has to be switched to call_rcu. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16exec: RCUify AddressSpaceDispatchPaolo Bonzini1-8/+26
Note that even after this patch, most callers of address_space_* functions must still be under the big QEMU lock, otherwise the memory region returned by address_space_translate can disappear as soon as address_space_translate returns. This will be fixed in the next part of this series. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16exec: make iotlb RCU-friendlyPaolo Bonzini1-5/+8
After the previous patch, TLBs will be flushed on every change to the memory mapping. This patch augments that with synchronization of the MemoryRegionSections referred to in the iotlb array. With this change, it is guaranteed that iotlb_to_region will access the correct memory map, even once the TLB will be accessed outside the BQL. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-16exec: introduce cpu_reload_memory_mapPaolo Bonzini1-1/+1
This for now is a simple TLB flush. This can change later for two reasons: 1) an AddressSpaceDispatch will be cached in the CPUState object 2) it will not be possible to do tlb_flush once the TCG-generated code runs outside the BQL. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-10memory: unregister AddressSpace MemoryListener within BQLPaolo Bonzini1-1/+5
address_space_destroy_dispatch is called from an RCU callback and hence outside the iothread mutex (BQL). However, after address_space_destroy no new accesses can hit the destroyed AddressSpace so it is not necessary to observe changes to the memory map. Move the memory_listener_unregister call earlier, to make it thread-safe again. Reported-by: Alex Williamson <alex.williamson@redhat.com> Fixes: 374f2981d1f10bc4307f250f24b2a7ddb9b14be0 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2015-01-26exec: fix madvise of NULL pointerPaolo Bonzini1-6/+7
Coverity flags this as "dereference after null check". Not quite a dereference, since it will just EFAULT, but still nice to fix. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-20exec.c: Drop TARGET_HAS_ICE define and checksPeter Maydell1-16/+0
The TARGET_HAS_ICE #define is intended to indicate whether a target-* guest CPU implementation supports the breakpoint handling. However, all our guest CPUs have that support (the only two which do not define TARGET_HAS_ICE are unicore32 and openrisc, and in both those cases the bp support is present and the lack of the #define is just a bug). So remove the #define entirely: all new guest CPU support should include breakpoint handling as part of the basic implementation. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Message-id: 1420484960-32365-1-git-send-email-peter.maydell@linaro.org
2015-01-10Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell1-29/+107
pc: resizeable ROM blocks This makes ROM blocks resizeable. This infrastructure is required for other functionality we have queued. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Thu 08 Jan 2015 11:19:24 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: acpi-build: make ROMs RAM blocks resizeable memory: API to allocate resizeable RAM MR arch_init: support resizing on incoming migration exec: qemu_ram_alloc_resizeable, qemu_ram_resize exec: split length -> used_length/max_length exec: cpu_physical_memory_set/clear_dirty_range memory: add memory_region_set_size Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-01-08exec: qemu_ram_alloc_resizeable, qemu_ram_resizeMichael S. Tsirkin1-4/+78
Add API to allocate "resizeable" RAM. This looks just like regular RAM generally, but has a special property that only a portion of it (used_length) is actually used, and migrated. This used_length size can change across reboots. Follow up patches will change used_length for such blocks at migration, making it easier to extend devices using such RAM (notably ACPI, but in the future thinkably other ROMs) without breaking migration compatibility or wasting ROM (guest) memory. Device is notified on resize, so it can adjust if necessary. qemu_ram_alloc_resizeable allocates this memory, qemu_ram_resize resizes it. Note: nothing prevents making all RAM resizeable in this way. However, reviewers felt that only enabling this selectively will make some class of errors easier to detect. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-08exec: split length -> used_length/max_lengthMichael S. Tsirkin1-24/+28
This patch allows us to distinguish between two length values for each block: max_length - length of memory block that was allocated used_length - length of block used by QEMU/guest Currently, we set used_length - max_length, unconditionally. Follow-up patches allow used_length <= max_length. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-08exec: cpu_physical_memory_set/clear_dirty_rangeMichael S. Tsirkin1-1/+1
Make cpu_physical_memory_set/clear_dirty_range behave symmetrically. To clear range for a given client type only, add cpu_physical_memory_clear_dirty_range_type. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2014-12-22exec: allows 8-byte accesses in subpage_opsPaolo Bonzini1-2/+11
Otherwise fw_cfg accesses are split into 4-byte ones before they reach the fw_cfg ops / handlers. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1419250305-31062-6-git-send-email-pbonzini@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-20exec: change default exception_index value for migration to -1Paolo Bonzini1-2/+2
In QEMU 2.2 the exception_index value was added to the migration stream through a subsection. The default was set to 0, which is wrong and should have been -1. However, 2.2 does not have commit e511b4d (cpu-exec: reset exception_index correctly, 2014-11-26), hence in 2.2 the exception_index is never used and is set to -1 on the next call to cpu_exec. So we can change the migration stream to make the default -1. The effects are: - 2.2.1 -> 2.2.0: cpu->exception_index set incorrectly to 0 if it were -1 on the source; then reset to -1 in cpu_exec. This is TCG only; KVM does not use exception_index. - 2.2.0 -> 2.2.1: cpu->exception_index set incorrectly to -1 if it were 0 on the source; but it would be reset to -1 in cpu_exec anyway. This is TCG only; KVM does not use exception_index. - 2.2.1 -> 2.1: two bugs fixed: 1) can migrate backwards if cpu->exception_index is set to -1; 2) should not migrate backwards (but 2.2.0 allows it) if cpu->exception_index is set to 0 - 2.2.0 -> 2.3.0: 2.2.0 will send the subsection unnecessarily if exception_index is -1, but that is not a problem. 2.3.0 will set cpu->exception_index to -1 if it is 0 on the source, but this would be anyway a problem for 2.2.0 -> 2.2.x migration (due to lack of commit e511b4d in 2.2.x) so we can ignore it - 2.2.1 -> 2.3.0: everything works. In addition, play it safe and never send the subsection unless TCG is in use. KVM does not use exception_index (PPC KVM stores values in it for use in the subsequent call to ppc_cpu_do_interrupt, but does not need it as soon as kvm_handle_debug returns). Xen and qtest do not run any code for the CPU at all. Reported-by: Igor Mammedov <imammedo@redhat.com> Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com> Tested-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1418989994-17244-3-git-send-email-pbonzini@redhat.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>