aboutsummaryrefslogtreecommitdiff
path: root/target-s390x
AgeCommit message (Collapse)AuthorFilesLines
2015-06-17target-s390x: PER: add Breaking-Event-Address registerAurelien Jarno4-11/+37
This patch adds support for PER Breaking-Event-Address register. Like real hardware, it save the current PSW address when the PSW address is changed by an instruction. We have to take care of optimizations QEMU does, a branch to the next instruction is still a branch. This register is copied to low core memory when a program exception happens. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: PER instruction-fetch nullification event supportAurelien Jarno1-0/+12
For the instruction-fetch nullification event, we just reuse the existing instruction-fetch code and trigger the exception immediately in that case. There is no need to save the CPU state in the TCG code as it has been saved by the previous instruction before calling the per_check_exception helper. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: PER store-using-real-address event supportAurelien Jarno1-0/+16
This PER event happens each time the STURA or STURG instructions are used. As they use helpers, we can just save the event in the PER code there, if enabled. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: PER storage-alteration event supportAurelien Jarno5-3/+100
For the PER storage-alteration event we can use the QEMU watchpoint infrastructure. When PER is enabled or PER control register changed we enable the corresponding watchpoints. When a watchpoint arises we can save the event. Unfortunately the current code does not provide the address space used to trigger the watchpoint. For now we assume it comes from the default ASC. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: PER instruction-fetch event supportAurelien Jarno3-0/+17
For the PER instruction-fetch, we can't use the QEMU breakpoint infrastructure as it triggers for a single address and not a full address range, and as it actually stop before the instruction and not before. We therefore call an helper with the just fetched instruction address, which check if the address is within the PER address range. If it is the case, an event is recorded and will be signaled through an exception. Note that we implement here the PER-3 behaviour, that is an invalid opcode is not considered as an instruction fetch. Without PER-3 this behavious is undefined. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: PER successful-branching event supportAurelien Jarno3-0/+51
For the PER successful-branching event support, we can't rely on any QEMU infrastucture. We therefore call an helper in all places where a branch can be taken. We have to pay attention to the branch to next case, as it's still a taken branch. We don't need to care about the cases using goto_tb, as we have disabled them in the previous patch. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: basic PER event handlingAurelien Jarno5-20/+71
This patch add basic support to generate PER exceptions. It adds two fields to the cpu structure to record for the PER address and PER code & ATMID values. When an exception is triggered and a PER event is pending, the two PER values are copied to the lowcore area. At the end of an instruction, an helper is checking for a possible pending PER event and triggers an exception in that case. For that to work with branches, we need to disable TB chaining when PER is activated. Fortunately it's already in the TB flags. Finally in case of a SERVICE CALL exception, we need to trigger the PER exception immediately after. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: add get_per_in_range functionAurelien Jarno1-0/+11
This function checks if an address is in between the PER starting address and the PER ending address, taking care of a possible address range loop. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: add get_per_atmid functionAurelien Jarno1-0/+12
This function returns the ATMID field that is stored in the per_perc_atmid lowcore entry. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: add PER related constantsAurelien Jarno1-0/+16
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: mvc_fast_memmove: access memory through softmmuAurelien Jarno1-57/+27
mvc_fast_memmove is bypassing the softmmu functions, getting the physical source and destination addresses using the mmu_translate function and accessing the corresponding physical memory. This prevents watchpoints to work correctly. Instead use the tlb_vaddr_to_host function to get the host addresses corresponding to the guest source and destination addresses through the softmmu code and fallback to the byte level code in case the corresponding address are not in the QEMU TLB or being examined through a watchpoint. As a bonus it works even for area crossing pages by splitting the are into chunks contained in a single page, bringing some performances improvements. We can therefore remove the 8-byte loads/stores method, as it is now quite unlikely to be used. At the same time change the name of the function to fast_memmove as it's not specific to mvc and use the same argument order as the C memmove function. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: mvc_fast_memset: access memory through softmmuAurelien Jarno1-41/+32
mvc_fast_memset is bypassing the softmmu functions, getting the physical address using the mmu_translate function and accessing the corresponding physical memory. This prevents watchpoints to work correctly. Instead use the tlb_vaddr_to_host function to get the host address corresponding to the guest address through the softmmu code and fallback to the byte level code in case the corresponding address is not in the QEMU TLB or being examined through a watchpoint. As a bonus it works even for area crossing pages by splitting the are into chunks contained in a single page, bringing some performances improvements. At the same time change the name of the function to fast_memset as it's not specific to mvc and use the same argument order as the C memset function. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: function to adjust the length wrt page boundaryAurelien Jarno1-0/+11
This patch adds a function to adjust the length of a transfer so that it doesn't cross a page boundary in softmmu mode. It does nothing in user mode. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: wire up I/O instructions in TCG modeAlexander Graf4-14/+179
The code handling the I/O instructions for KVM decodes the instruction itself. In TCG mode also pass the full instruction word to the helpers. Signed-off-by: Alexander Graf <agraf@suse.de> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: wire up DIAG REIPL in TCG modeAurelien Jarno1-0/+6
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: wire up DIAG IPL in TCG modeAurelien Jarno4-13/+20
DIAG IPL is already implemented for KVM, but not wired from TCG. For that change the format of the instruction so that we can get R1 and R3 numbers in addition to the function code. The diag function can change plenty of things, including CC, so we should enter with a static CC. Also it doesn't set the value of general register 2 to 0 as in the current code. We also need to exit the CPU loop after a reset, which means a new PSW. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: fix s390_cpu_initial_resetAurelien Jarno1-0/+1
The s390_cpu_initial_reset function zeroes a big part of the CPU state structure, including CPU_COMMON, and thus the QEMU TLB structure. As they should not be initialized with zeroes only, we need to call the tlb_flush to initialize it correctly. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: initialize I/O interrupt queueAurelien Jarno1-0/+8
env->io_index[] should be set to -1 during CPU reset to mark the I/O interrupt queue as empty. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: correctly initialize ext interrupt queueAurelien Jarno1-1/+2
env->ext_index should be initialized to -1 to mark the external interrupt queue as emtpy. This should not be done in s390_cpu_initfn as all the interrupt fields are later reset to 0 by the memset in s390_cpu_initial_reset or s390_cpu_full_reset. Move the initialization there. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17target-s390x: fix setcc in TCG modeAurelien Jarno1-0/+1
In TCG mode we should store the CC value in env->cc_op. However do it inconditionnaly because: - the tcg_enabled function is not inlined - it's probably faster to always store the value, especially given it is likely in the same cache line than env->psw.mask. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17virtio-ccw: disable ioevent bit when ioeventfds are not enabledAurelien Jarno1-5/+1
This remove the corresponding error messages in TCG mode, and allow to simplify the s390_assign_subch_ioeventfd() function. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17s390/ioinst: fix endianness in ioinst_schib_validAlexander Graf1-3/+3
The ioinst_schib_valid gets a SCHIB in guest endianness, we should byteswap the fields we access. Signed-off-by: Alexander Graf <agraf@suse.de> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-17s390/ioinst: fix IO_INT_WORD_ISC macroAurelien Jarno1-1/+1
The I/O-Interruption Subclass field corresponds to bits 2 to 5 (BE notation) of the Interruption-Identification Word. The value should be shift by 27 instead of 24. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-15Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150615' into ↵Peter Maydell3-0/+48
staging s390x/kvm/watchdog 1. Implement a diag288 based watchdog 2. Fix virtio-ccw BIOS for gcc >= 4.9 # gpg: Signature made Mon Jun 15 12:36:25 2015 BST using RSA key ID B5A61C7C # gpg: Good signature from "Christian Borntraeger (IBM) <borntraeger@de.ibm.com>" * remotes/borntraeger/tags/s390x-20150615: s390/bios: build with -fdelete-null-pointer-checks watchdog: Add new Virtual Watchdog action INJECT-NMI nmi: Implement inject_nmi() for non-monitor context use s390x/watchdog: diag288 migration support s390x/kvm: diag288 instruction interception and handling s390x/watchdog: introduce diag288 watchdog device watchdog: change option wording to allow for more watchdogs Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-06-12migration: Use normal VMStateDescriptions for SubsectionsJuan Quintela1-17/+13
We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanism that do the same, we can just generalize it. For subsections we just change: - Add a needed function to VMStateDescription - Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription) - Adjust the whole tree, moving the needed function to the corresponding VMStateDescription Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-06-11s390x/kvm: diag288 instruction interception and handlingXu Wang3-0/+48
Intercept the diag288 requests from kvm guests, and hand the requested command to the diag288 watchdog device for further handling. Signed-off-by: Xu Wang <gesaint@linux.vnet.ibm.com> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2015-06-09Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150609' into ↵Peter Maydell2-3/+5
staging s390x/virtio-ccw: migration and virtio for 2.4 1. Migration fixups 2. virtio 9pfs # gpg: Signature made Tue Jun 9 09:00:05 2015 BST using RSA key ID B5A61C7C # gpg: Good signature from "Christian Borntraeger (IBM) <borntraeger@de.ibm.com>" * remotes/borntraeger/tags/s390x-20150609: s390x/migration: add comment about floating point migration s390x/kvm: always ignore empty vcpu interrupt state virtio-ccw/migration: Migrate config vector for virtio devices virtio-ccw: add support for 9pfs Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-06-09s390x/migration: add comment about floating point migrationChristian Borntraeger1-0/+1
commit 46c804def4bd ("s390x: move fpu regs into a subsection of the vmstate") moved the fprs into a subsection and bumped the version number. This will allow to not transfer fprs in the future if necessary. Add a comment to mark the return true as intentional. CC: Juan Quintela <quintela@redhat.com> CC: David Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Message-Id: <1433758884-2997-1-git-send-email-borntraeger@de.ibm.com> Reviewed-by: Juan Quintela <quintela@redhat.com>
2015-06-05target-s390x: Only access allocated storage keysAlexander Graf1-1/+1
We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that we only access that many. Unfortunately the code can overrun this array by one, potentially overwriting unrelated memory. Fix it by limiting storage keys to their scope. Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
2015-06-05target-s390x: fix MVC instruction when areas overlapAurelien Jarno1-3/+4
The MVC instruction and the memmove C funtion do not have the same semantic when memory areas overlap: MVC: When the operands overlap, the result is obtained as if the operands were processed one byte at a time and each result byte were stored immediately after fetching the necessary operand byte. memmove: Copying takes place as though the bytes in src are first copied into a temporary array that does not overlap src or dest, and the bytes are then copied from the temporary array to dest. The behaviour is therefore the same when the destination is at a lower address than the source, but not in the other case. This is actually a trick for propagating a value to an area. While the current code detects that and call memset in that case, it only does for 1-byte value. This trick can and is used for propagating two or more bytes to an area. In the softmmu case, the call to mvc_fast_memmove is correct as the above tests verify that source and destination are each within a page, and both in a different page. The part doing the move 8 bytes by 8 bytes is wrong and we need to check that if the source and destination overlap, they do with a distance of minimum 8 bytes before copying 8 bytes at a time. In the user code, we should check check that the destination is at a lower address than source or than the end of the source is at a lower address than the destination before calling memmove. In the opposite case we fallback to the same code as the softmmu one. Note that l represents (length - 1). Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: use softmmu functions for mvcp/mvcsAurelien Jarno1-33/+20
mvcp and mvcs helper get access to the physical memory by a call to mmu_translate for the virtual to real conversion and then using ldb_phys and stb_phys to physically access the data. In practice this is quite slow because it bypasses the QEMU softmmu TLB and because stb_phys calls try to invalidate the corresponding memory for each access. Instead use cpu_ldb_{primary,secondary} for the loads and cpu_stb_{primary,secondary} for the stores. Ideally this should be further optimized by a call to memcpy, but that already improves the boot time of a guest by a factor 1.8. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: support non current ASC in s390_cpu_handle_mmu_faultAurelien Jarno1-1/+1
s390_cpu_handle_mmu_fault currently looks at the current ASC mode defined in PSW mask instead of the MMU index. This prevent emulating easily instructions using a specific ASC mode. Fix that by using the MMU index converted back to ASC using the just added cpu_mmu_idx_to_asc function. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: add a cpu_mmu_idx_to_asc functionAurelien Jarno1-3/+22
Use constants to define the MMU indexes, and add a function to do the reverse conversion of cpu_mmu_index. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement high-word facilityAurelien Jarno2-0/+98
Besides RISBHG and RISBLG, all high-word instructions are not implemented. Fix that. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement load-and-trap facilityAurelien Jarno2-9/+81
At the same time move the trap code from op_ct into gen_trap and use it for all new functions. The value needs to be stored back to register before the exception, but also before the brcond (as we don't use temp locals). That's why we can't use wout helper. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement miscellaneous-instruction-extensions facilityAurelien Jarno2-0/+4
RISBGN is the same as RISBG, but without setting the condition code. CLT and CLGT are the same as CLRT and CLGRT, but using memory for the second operand. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement LPDFR and LNDFR instructionsAurelien Jarno1-0/+2
This complete the floating point support sign handling facility. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement TRANSLATE EXTENDED instructionAurelien Jarno4-0/+51
It is part of the basic zArchitecture instructions. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement TRANSLATE AND TEST instructionAurelien Jarno4-0/+37
It is part of the basic zArchitecture instructions. Allow it to be call from EXECUTE. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement LOAD FP INTEGER instructionsAurelien Jarno4-0/+63
This is needed to pass the gcc.c-torture/execute/ieee/20010114-2.c test in the gcc testsuite. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: move SET DFP ROUNDING MODE to the correct facilityAurelien Jarno1-1/+1
It belongs to the DFP rounding facility. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: move STORE CLOCK FAST to the correct facilityAurelien Jarno1-1/+1
STORE CLOCK FAST should be in the SCF facility. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: change CHRL and CGHRL format to RIL-bAurelien Jarno1-2/+2
Change to match the PoP. In practice both format RIL-a and RIL-b have the same fields. They differ on the way we decode the fields, and it's done correctly in QEMU. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: fix CLGIT instructionAurelien Jarno1-1/+1
The COMPARE LOGICAL IMMEDIATE AND TRAP instruction should compare the numbers as unsigned, as its name implies. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: fix exception for invalid operation codeAurelien Jarno1-1/+1
When an operation code is not recognized (ie invalid instruction) an operation exception should be generated instead of a specification exception. The latter is for valid opcode, with invalid operands or modifiers. This give a very basic GDB support in the guest, as it uses the invalid opcode 0x0001 to generate a trap. Reviewed-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: implement LAY and LAEY instructionsAurelien Jarno2-0/+38
This complete the general-instructions-extension facility, enable it. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> [agraf: remove facility bit] Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: move a few instructions to the correct facilityAurelien Jarno1-4/+4
LY is part of the long-displacement facility. RISBHG and RISBLG are part of the high-word facility. STCMH is part of the z/Architecture. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: detect tininess before rounding for FP operationsAurelien Jarno1-0/+8
The s390x floating point unit detects tininess before rounding, so set the softfloat fp_status up appropriately. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: silence NaNs for LOAD LENGTHENED and LOAD ROUNDEDAurelien Jarno1-6/+6
LOAD LENGTHENED and LOAD ROUNDED are considered as FP operations and thus need to convert input sNaN into corresponding qNaN. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-06-05target-s390x: fix MMU index computationAurelien Jarno1-4/+11
The cpu_mmu_index function wrongly looks at PSW P bit to determine the MMU index, while this bit actually only control the use of priviledge instructions. The addressing mode is detected by looking at the PSW ASC bits instead. This used to work more or less correctly up to kernel 3.6 as the kernel was running in primary space and userland in secondary space. Since kernel 3.7 the default is to run the kernel in home space and userland in primary space. While the current QEMU code seems to work it open some security issues, like accessing the lowcore memory in R/W mode from a userspace process once it has been accessed by the kernel (it is then cached by the QEMU TLB). At the same time change the MMU_USER_IDX value so that it matches the value used in recent kernels. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Alexander Graf <agraf@suse.de>