Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He <asias@redhat.com> Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
virtio: out-of-bounds buffer write on invalid state load
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.
Fix it by making the value unsigned.
For consistency, change first_multi as well.
Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
Conflicts:
include/hw/virtio/virtio-net.h
Stefan Hajnoczi [Wed, 13 Feb 2013 08:25:34 +0000 (09:25 +0100)]
block/curl: only restrict protocols with libcurl>=7.19.4
The curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, ...) interface was
introduced in libcurl 7.19.4. Therefore we cannot protect against
CVE-2013-0249 when linking against an older libcurl.
Reported-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: Andreas Färber <andreas.faeber@web.de>
Message-id: 1360743934-8337-1-git-send-email-stefanha@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Stefan Hajnoczi [Fri, 8 Feb 2013 07:49:10 +0000 (08:49 +0100)]
block/curl: disable extra protocols to prevent CVE-2013-0249
There is a buffer overflow in libcurl POP3/SMTP/IMAP. The workaround is
simple: disable extra protocols so that they cannot be exploited. Full
details here:
http://curl.haxx.se/docs/adv_20130206.html
QEMU only cares about HTTP, HTTPS, FTP, FTPS, and TFTP. I have tested
that this fix prevents the exploit on my host with
libcurl-7.27.0-5.fc18.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Roger Pau Monne [Mon, 17 Nov 2014 15:00:52 +0000 (15:00 +0000)]
xen_disk: fix unmapping of persistent grants
This patch fixes two issues with persistent grants and the disk PV backend
(Qdisk):
- Keep track of memory regions where persistent grants have been mapped
since we need to unmap them as a whole. It is not possible to unmap a
single grant if it has been batch-mapped. A new check has also been added
to make sure persistent grants are only used if the whole mapped region
can be persistently mapped in the batch_maps case.
- Unmap persistent grants before switching to the closed state, so the
frontend can also free them.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Release-Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reported-by: George Dunlap <george.dunlap@eu.citrix.com> Cc: Kevin Wolf <kwolf@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Cc: George Dunlap <george.dunlap@eu.citrix.com>
Matthew Daley [Thu, 10 Oct 2013 14:15:47 +0000 (14:15 +0000)]
xen_disk: mark ioreq as mapped before unmapping in error case
Commit 4472beae modified the semantics of ioreq_{un,}map so that they are
idempotent if called when they're not needed (ie., twice in a row). However,
it neglected to handle the case where batch mapping is not being used (the
default), and one of the grants fails to map. In this case, ioreq_unmap will
be called to unwind and unmap any mappings already performed, but ioreq_unmap
simply returns due to the aforementioned change (the ioreq has not already
been marked as mapped).
The frontend user can therefore force xen_disk to leak grant mappings, a
per-domain limited resource.
Fix by marking the ioreq as mapped before calling ioreq_unmap in this
situation.
Signed-off-by: Matthew Daley <mattjd@gmail.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
In addition, at least all files created with the "guest-file-open" QMP
command, and all files created with shell output redirection (or
otherwise) by utilities invoked by the fsfreeze hook script are affected.
For now mask all file mode bits for "group" and "others" in
become_daemon().
Temporarily, for compatibility reasons, stick with the 0666 file-mode in
case of files newly created by the "guest-file-open" QMP call. Do so
without changing the umask temporarily.
Currently the qemu-nbd program will auto-detect the format of
any disk it is given. This behaviour is known to be insecure.
For example, if qemu-nbd initially exposes a 'raw' file to an
unprivileged app, and that app runs
then the next time the app is started, the qemu-nbd will now
detect it as a 'qcow2' file and expose /etc/shadow to the
unprivileged app.
The only way to avoid this is to explicitly tell qemu-nbd what
disk format to use on the command line, completely disabling
auto-detection. This patch adds a '-f' / '--format' arg for
this purpose, mirroring what is already available via qemu-img
and qemu commands.
qemu-nbd --format raw -p 9000 evil.img
will now always use raw, regardless of what format 'evil.img'
looks like it contains
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[Use errx, not err. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Support backend option "direct-io-safe". This is documented as
follows in the Xen backend specification:
* direct-io-safe
* Values: 0/1 (boolean)
* Default Value: 0
*
* The underlying storage is not affected by the direct IO memory
* lifetime bug. See:
* http://lists.xen.org/archives/html/xen-devel/2012-12/msg01154.html
*
* Therefore this option gives the backend permission to use
* O_DIRECT, notwithstanding that bug.
*
* That is, if this option is enabled, use of O_DIRECT is safe,
* in circumstances where we would normally have avoided it as a
* workaround for that bug. This option is not relevant for all
* backends, and even not necessarily supported for those for
* which it is relevant. A backend which knows that it is not
* affected by the bug can ignore this option.
*
* This option doesn't require a backend to use O_DIRECT, so it
* should not be used to try to control the caching behaviour.
Also, BDRV_O_NATIVE_AIO is ignored if BDRV_O_NOCACHE, so clarify the
default flags passed to the qemu block layer.
The original proposal for a "cache" backend option has been dropped
because it was believed too wide, especially considering that at the
moment the backend doesn't have a way to tell the toolstack that it is
capable of supporting it.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Igor Mammedov [Thu, 25 Apr 2013 14:05:25 +0000 (16:05 +0200)]
acpi_piix4: Add infrastructure to send CPU hot-plug GPE to guest
* introduce processor status bitmask visible to guest at 0xaf00 addr,
where ACPI asl code expects it
* set bit corresponding to APIC ID in processor status bitmask on
receiving CPU hot-plug notification
* trigger CPU hot-plug SCI, to notify guest about CPU hot-plug event
Signed-off-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from QEMU commit b8622725cf0196f672f272922b0941dc8ba1c408)
The function piix4_cpu_hotplug_req() has been modified to take an integer
instead of a CPU object.
There was a cpu_added_notifier in the original commit, this haven't
been back-ported, as it can't be used.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Wrapper to avoid open-coded loops and to make CPUState iteration
independent of CPUArchState.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from QEMU commit d6b9e0d60cc511eca210834428bb74508cff3d33) Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Igor Mammedov [Tue, 23 Apr 2013 08:29:41 +0000 (10:29 +0200)]
cpu: Introduce get_arch_id() method and override it for X86CPU
get_arch_id() adds possibility for generic code to get a guest-visible
CPU ID without accessing CPUArchState.
If derived classes don't override it, it will return cpu_index.
Override it on target-i386 in X86CPU to return the APIC ID.
Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: liguang <lig.fnst@cn.fujitsu.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from QEMU commit 997395d3888fcde6ce41535a8208d7aa919d824b) Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
xen: start PCI hole at 0xe0000000 (same as pc_init1 and qemu-xen-traditional)
We are currently setting the PCI hole to start at HVM_BELOW_4G_RAM_END,
that is 0xf0000000.
Start the PCI hole at 0xe0000000 instead, that is the same value used by
pc_init1 and qemu-xen-traditional.
The current xen backend driver implementation uses int64_t variables
to store the size of the corresponding backend disk/file. It also uses
an int64_t variable to store the block size of that image. When writing
the number of sectors (file_size/block_size) to xenstore, however, it
passes these values as 32 bit signed integers. This will cause an
overflow for any disk of 1 TiB or more.
This patch changes the xen backend driver to use a 64 bit integer write
xenstore function.
Introduce 64 bit integer write interface to xenstore
The current implementation of xen_backend only provides 32 bit integer
functions to write to xenstore. This patch adds two functions that
allow writing 64 bit integers (one generic function and another for
the backend only).
This patch also fixes the size of the char arrays used to represent
these integers as strings (originally 32 bytes, however no more than
12 bytes are needed for 32 bit integers and no more than 21 bytes are
needed for 64 bit integers).
Alex Bligh [Fri, 5 Apr 2013 15:45:15 +0000 (15:45 +0000)]
Xen PV backend: Disable use of O_DIRECT by default as it results in crashes.
Due to what is almost certainly a kernel bug, writes with O_DIRECT may
continue to reference the page after the write has been marked as
completed, particularly in the case of TCP retransmit. In other
scenarios, this "merely" risks data corruption on the write, but with
Xen pages from domU are only transiently mapped into dom0's memory,
resulting in kernel panics when they are subsequently accessed.
This brings PV devices in line with emulated devices. Removing
O_DIRECT is safe as barrier operations are now correctly passed
through.
See:
http://lists.xen.org/archives/html/xen-devel/2012-12/msg01154.html
for more details.
Alex Bligh [Fri, 5 Apr 2013 15:45:10 +0000 (15:45 +0000)]
Xen PV backend: Move call to bdrv_new from blk_init to blk_connect
This commit delays the point at which bdrv_new (and hence blk_open
on the underlying device) is called from blk_init to blk_connect.
This ensures that in an inbound live migrate, the block device is
not opened until it has been closed at the other end. This is in
preparation for supporting devices with open/close consistency
without using O_DIRECT. This commit does NOT itself change O_DIRECT
semantics.
xen-mapcache: pass the right size argument to test_bits
Compute the correct size for test_bits().
qemu_get_ram_ptr() and qemu_safe_ram_ptr() will call xen_map_cache()
with size is 0 if the requested address is in the RAM. Then
xen_map_cache() will pass the size 0 to test_bits() for checking if the
corresponding pfn was mapped in cache. But test_bits() will always
return 1 when size is 0 without any bit testing. Actually, for this
case, test_bits should check one bit. So this patch introduced a
__test_bit_size which is greater than 0 and a multiple of XC_PAGE_SIZE,
then test_bits can work correctly with __test_bit_size
>> XC_PAGE_SHIFT as its size.
Alex Bligh [Mon, 11 Mar 2013 14:02:49 +0000 (14:02 +0000)]
xen: Disable use of O_DIRECT by default as it results in crashes.
Due to what is almost certainly a kernel bug, writes with O_DIRECT may
continue to reference the page after the write has been marked as
completed, particularly in the case of TCP retransmit. In other
scenarios, this "merely" risks data corruption on the write, but with
Xen pages from domU are only transiently mapped into dom0's memory,
resulting in kernel panics when they are subsequently accessed.
This brings PV devices in line with emulated devices. Removing
O_DIRECT is safe as barrier operations are now correctly passed
through.
See:
http://lists.xen.org/archives/html/xen-devel/2012-12/msg01154.html
for more details.
Signed-off-by: Alex Bligh <alex@alex.org.uk> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
The pointer arithmetic there is safe, but ugly. Coverity grouses
about it. However, the actual comparison is off by one: <= end
instead of < end. Fix by rewriting the check in a cleaner way.
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit bc5f92e5db6f303e73387278e32f8669f0abf0e5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Roger Pau Monne [Mon, 14 Jan 2013 18:26:53 +0000 (18:26 +0000)]
xen_disk: fix memory leak
On ioreq_release the full ioreq was memset to 0, loosing all the data
and memory allocations inside the QEMUIOVector, which leads to a
memory leak. Create a new function to specifically reset ioreq.
Reported-by: Maik Wessler <maik.wessler@yahoo.com> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit 282c6a2f292705f823554447ca0b7731b6f81a97)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Thu, 17 Jan 2013 20:04:16 +0000 (20:04 +0000)]
tcg/target-arm: Add missing parens to assertions
Silence a (legitimate) complaint about missing parentheses:
tcg/arm/tcg-target.c: In function ‘tcg_out_qemu_ld’:
tcg/arm/tcg-target.c:1148:5: error: suggest parentheses around
comparison in operand of ‘&’ [-Werror=parentheses]
tcg/arm/tcg-target.c: In function ‘tcg_out_qemu_st’:
tcg/arm/tcg-target.c:1357:5: error: suggest parentheses around
comparison in operand of ‘&’ [-Werror=parentheses]
which meant that we would mistakenly always assert if running
a QEMU built with debug enabled on ARM.
Signed-off-by: Peter Maydell <peter.maydelL@linaro.org> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 5256a7208a7c2af19baf8f99bd4f06632f9f9ba9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Wed, 16 Jan 2013 20:20:00 +0000 (21:20 +0100)]
win32-aio: Fix memory leak
The buffer is allocated for both reads and writes, and obviously it
should be freed even if an error occurs.
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e8bccad5ac6095b5af7946cd72d9aacb57f7c0a3)
Conflicts:
block/win32-aio.c
*addressed conflict due to buggy g_free() still in use instead of
qemu_vfree() as it is upstream (via commit 7479acdb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Wed, 16 Jan 2013 20:19:59 +0000 (21:19 +0100)]
win32-aio: Fix vectored reads
Copying data in the right direction really helps a lot!
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit bcbbd234d42f1111e42b91376db61922d42e7e9e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Wed, 16 Jan 2013 18:25:51 +0000 (19:25 +0100)]
aio: Fix return value of aio_poll()
aio_poll() must return true if any work is still pending, even if it
didn't make progress, so that bdrv_drain_all() doesn't stop waiting too
early. The possibility of stopping early occasionally lead to a failed
assertion in bdrv_drain_all(), when some in-flight request was missed
and the function didn't really drain all requests.
In order to make that change, the return value as specified in the
function comment must change for blocking = false; fortunately, the
return value of blocking = false callers is only used in test cases, so
this change shouldn't cause any trouble.
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2ea9b58f0bc62445b7ace2381b4c4db7d5597e19)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Roger Pau Monne [Mon, 14 Jan 2013 18:28:19 +0000 (18:28 +0000)]
xen_disk: add persistent grant support to xen_disk backend
This protocol extension reuses the same set of grant pages for all
transactions between the front/back drivers, avoiding expensive tlb
flushes, grant table lock contention and switches between userspace
and kernel space. The full description of the protocol can be found in
the public blkif.h header.
Roger Pau Monne [Mon, 14 Jan 2013 18:26:53 +0000 (18:26 +0000)]
xen_disk: fix memory leak
On ioreq_release the full ioreq was memset to 0, loosing all the data
and memory allocations inside the QEMUIOVector, which leads to a
memory leak. Create a new function to specifically reset ioreq.
Paolo Bonzini [Thu, 10 Jan 2013 14:28:35 +0000 (15:28 +0100)]
raw-posix: fix bdrv_aio_ioctl
When the raw-posix aio=thread code was moved from posix-aio-compat.c
to block/raw-posix.c, there was an unintended change to the ioctl code.
The code used to return the ioctl command, which posix_aio_read()
would later morph into a zero. This hack is not necessary anymore,
and in fact breaks scsi-generic (which expects a zero return code).
Remove it.
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b608c8dc02c78ee95455a0989bdf1b41c768b2ef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alex Williamson [Tue, 8 Jan 2013 21:10:03 +0000 (14:10 -0700)]
vfio-pci: Loosen sanity checks to allow future features
VFIO_PCI_NUM_REGIONS and VFIO_PCI_NUM_IRQS should never have been
used in this manner as it locks a specific kernel implementation.
Future features may introduce new regions or interrupt entries
(VGA may add legacy ranges, AER might add an IRQ for error
signalling). Fix this before it gets us into trouble.
Alex Williamson [Mon, 7 Jan 2013 04:30:31 +0000 (21:30 -0700)]
pci-assign: Enable MSIX on device to match guest
When a guest enables MSIX on a device we evaluate the MSIX vector
table, typically find no unmasked vectors and don't switch the device
to MSIX mode. This generally works fine and the device will be
switched once the guest enables and therefore unmasks a vector.
Unfortunately some drivers enable MSIX, then use interfaces to send
commands between VF & PF or PF & firmware that act based on the host
state of the device. These therefore may break when MSIX is managed
lazily. This change re-enables the previous test used to enable MSIX
(see qemu-kvm a6b402c9), which basically guesses whether a vector
will be used based on the data field of the vector table.
Cc: qemu-stable@nongnu.org Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit feb9a2ab4b0260d8d680a7ffd25063dafc7ec628)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alex Williamson [Tue, 8 Jan 2013 21:09:03 +0000 (14:09 -0700)]
vfio-pci: Make host MSI-X enable track guest
Guests typically enable MSI-X with all of the vectors in the MSI-X
vector table masked. Only when the vector is enabled does the vector
get unmasked, resulting in a vector_use callback. These two points,
enable and unmask, correspond to pci_enable_msix() and request_irq()
for Linux guests. Some drivers rely on VF/PF or PF/fw communication
channels that expect the physical state of the device to match the
guest visible state of the device. They don't appreciate lazily
enabling MSI-X on the physical device.
To solve this, enable MSI-X with a single vector when the MSI-X
capability is enabled and immediate disable the vector. This leaves
the physical device in exactly the same state between host and guest.
Furthermore, the brief gap where we enable vector 0, it fires into
userspace, not KVM, so the guest doesn't get spurious interrupts.
Ideally we could call VFIO_DEVICE_SET_IRQS with the right parameters
to enable MSI-X with zero vectors, but this will currently return an
error as the Linux MSI-X interfaces do not allow it.
Max Filippov [Wed, 19 Dec 2012 20:04:09 +0000 (00:04 +0400)]
target-xtensa: fix search_pc for the last TB opcode
Zero out tcg_ctx.gen_opc_instr_start for instructions representing the
last guest opcode in the TB.
Cc: qemu-stable@nongnu.org Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 36f25d2537c40c6c47f4abee5d31a24863d1adf7)
*modified to use older global version of gen_opc_instr_start
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Tue, 20 Nov 2012 11:48:19 +0000 (12:48 +0100)]
buffered_file: do not send more than s->bytes_xfer bytes per tick
Sending more was possible if the buffer was large.
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit bde54c08b4854aceee3dee25121a2b835cb81166)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Wed, 12 Dec 2012 11:54:43 +0000 (12:54 +0100)]
migration: fix migration_bitmap leak
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 244eaa7514a944b36273eb8428f32da8e9124fcf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Discard packets longer than 16384 when !SBP to match the hardware behavior.
Signed-off-by: Michael Contreras <michael@inetric.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2c0331f4f7d241995452b99afaf0aab00493334a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Uri Lublin [Wed, 12 Dec 2012 16:30:47 +0000 (18:30 +0200)]
qxl+vnc: register a vm state change handler for dummy spice_server
When qxl + vnc are used, a dummy spice_server is initialized.
The spice_server has to be told when the VM runstate changes,
which is what this patch does.
Without it, from qxl_send_events(), the following error message is shown:
qxl_send_events: spice-server bug: guest stopped, ignoring
Cc: qemu-stable@nongnu.org Signed-off-by: Uri Lublin <uril@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 938b8a36b65e44c44ca29245437f8d7ac0f826e8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
With MMU option xtensa architecture has two TLBs: ITLB and DTLB. ITLB is
only used for code access, DTLB is only for data. However TLB entries in
both TLBs have attribute field controlling write and exec access. These
bits need to be properly masked off depending on TLB type before being
used as tlb_set_page prot argument. Otherwise the following happens:
(1) ITLB entry for some PFN gets invalidated
(2) DTLB entry for the same PFN gets updated, attributes allow code
execution
(3) code at the page with that PFN is executed (possible due to step 2),
entry for the TB is written into the jump cache
(4) QEMU TLB entry for the PFN gets replaced with an entry for some
other PFN
(5) code in the TB from step 3 is executed (possible due to jump cache)
and it accesses data, for which there's no DTLB entry, causing DTLB
miss exception
(6) re-translation of the TB from step 5 is attempted, but there's no
QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB
miss exception at the TB start address
(7) ITLB miss exception is handled by the guest, but execution is
resumed from the beginning of the faulting TB (the point where ITLB
miss occured), not from the point where DTLB miss occured, which is
wrong.
With that fix the above scenario causes ITLB miss exception (that used
to be step 7) at step 3, right at the beginning of the TB.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 659f807c0a700317a7a0fae7a6e6ebfe68bfbbc4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Gerd Hoffmann [Fri, 14 Dec 2012 07:54:24 +0000 (07:54 +0000)]
pixman: fix vnc tight png/jpeg support
This patch adds an x argument to qemu_pixman_linebuf_fill so it can
also be used to convert a partial scanline. Then fix tight + png/jpeg
encoding by passing in the x+y offset, so the data is read from the
correct screen location instead of the upper left corner.
Cc: 1087974@bugs.launchpad.net Cc: qemu-stable@nongnu.org Reported-by: Tim Hardeneck <thardeck@suse.de> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit bc210eb163b162ff2e94e5c8f4307715731257f8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin O'Connor (6):
floppy: Minor - reduce handle_0e code size when CONFIG_FLOPPY is disabled.
vga: Minor comment spelling fix.
Don't recursively evaluate CFLAGS variables.
Don't use gcc's -combine option.
Add compile checking phase to build.
acpi: Use prt_slot() macro to describe irq pins of first PCI device.
Laszlo Ersek (1):
maininit(): print machine UUID under seabios version message
Alex Williamson [Mon, 10 Dec 2012 18:30:03 +0000 (11:30 -0700)]
vfio-pci: Don't use kvm_irqchip_in_kernel
kvm_irqchip_in_kernel() has an architecture specific meaning, so
we shouldn't be using it to determine whether to enabled KVM INTx
bypass. kvm_irqfds_enabled() seems most appropriate. Also use this
to protect our other call to kvm_check_extension() as that explodes
when KVM isn't enabled.
Petar Jovanovic [Tue, 4 Dec 2012 23:29:10 +0000 (00:29 +0100)]
target-mips: Fix incorrect shift for SHILO and SHILOV
helper_shilo has not been shifting an accumulator value correctly for negative
values in 'shift' field. Minor optimization for shift=0 case.
This change also adds tests that will trigger issue and check for regressions.
Signed-off-by: Petar Jovanovic <petarj@mips.com> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Eric Johnson <ericj@mips.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 19e6c50d2d843220efbdd3b2db21d83c122c364a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Petar Jovanovic [Mon, 26 Nov 2012 15:13:21 +0000 (16:13 +0100)]
target-mips: Fix incorrect code and test for INSV
Content of register rs should be shifted for pos before applying a mask.
This change contains both fix for the instruction and to the existing test.
Signed-off-by: Petar Jovanovic <petarj@mips.com> Reviewed-by: Eric Johnson <ericj@mips.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 34f5606ee101f82a247d09d05644ad2a63c8e342)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
David Gibson [Tue, 4 Dec 2012 00:38:39 +0000 (11:38 +1100)]
migration: Fix madvise breakage if host and guest have different page sizes
madvise(DONTNEED) will throw away the contents of the whole page at the
given address, even if the given length is less than the page size. One
can argue about whether that's the correct behaviour, but that's what it's
done for a long time in Linux at least.
That means that the madvise() in ram_load(), on a setup where
TARGET_PAGE_SIZE is smaller than the host page size, can throw away data
in guest pages adjacent to the one it's actually processing right now,
leading to guest memory corruption on an incoming migration.
This patch therefore, disables the madvise() if the host page size is
larger than TARGET_PAGE_SIZE. This means we don't get the benefits of that
madvise() in this case, but a more complete fix is more difficult to
accomplish. This at least fixes the guest memory corruption.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 45e6cee42b98d10e2e14885ab656541a9ffd5187)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
David Gibson [Tue, 4 Dec 2012 00:38:38 +0000 (11:38 +1100)]
Fix off-by-1 error in RAM migration code
The code for migrating (or savevm-ing) memory pages starts off by creating
a dirty bitmap and filling it with 1s. Except, actually, because bit
addresses are 0-based it fills every bit except bit 0 with 1s and puts an
extra 1 beyond the end of the bitmap, potentially corrupting unrelated
memory. Oops. This patch fixes it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7ec81e56edc2b2007ce0ae3982aa5c18af9546ab)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Brad Smith [Fri, 28 Dec 2012 06:38:11 +0000 (01:38 -0500)]
Disable semaphores fallback code for OpenBSD
Disable the semaphores fallback code for OpenBSD as modern OpenBSD
releases now have sem_timedwait().
Signed-off-by: Brad Smith <brad@comstyle.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 927fa909d5d5cf8c07673cd16a6d3bdc81250bc0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Brad Smith [Fri, 28 Dec 2012 06:00:26 +0000 (01:00 -0500)]
Fix semaphores fallback code
As reported in bug 1087114 the semaphores fallback code is broken which
results in QEMU crashing and making QEMU unusable.
This patch is from Paolo.
This needs to be back ported to the 1.3 stable tree as well.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Brad Smith <brad@comstyle.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit a795ef8dcb8cbadffc996c41ff38927a97645234)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Replace a lot of formulaic multiplications (containing casts, no less)
with calls to a pair of functions. This encapsulates in a single
place the operations which require care relating to integer overflow.
e1000: Discard packets that are too long if !SBP and !LPE
The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.
Signed-off-by: Michael Contreras <michael@inetric.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Anthony Liguori [Fri, 30 Nov 2012 16:24:24 +0000 (10:24 -0600)]
Merge remote-tracking branch 'kwolf/for-anthony' into staging
* kwolf/for-anthony:
coroutine-sigaltstack.c: Use stack_t, not struct sigaltstack
stream: fix ratelimit_set_speed
atapi: make change media detection for guests easier
Documentation: Update image format information
Documentation: Update block cache mode information
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Anthony Liguori [Fri, 30 Nov 2012 16:20:21 +0000 (10:20 -0600)]
Merge remote-tracking branch 'kraxel/usb.73' into staging
* kraxel/usb.73:
ehci-sysbus: Attach DMA context.
usb: fail usbdevice_create() when there is no USB bus
usb: tag usb host adapters as not hotpluggable.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Most important change is that seabios sets the busmaster bit
in the pci config space for the lsi and esp scsi host adapters.
Since commit 1c380f9460522f32c8dd2577b2a53d518ec91c6d qemu
is strict here and disallows any dma access when the bit is
clear.
Paolo Bonzini [Thu, 29 Nov 2012 17:11:50 +0000 (18:11 +0100)]
multiboot: fix e801 memory map
The e801 memory sizes in the multiboot structures hard-code the available
low memory to 640. However, the value should not include the size of the
EBDA. Fill the value in the option ROM, getting the size of low memory
from the BIOS.
Cc: Alexander Graf <agraf@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Reported-by: Paul Moore <pmoore@redhat.com> Tested-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Peter Maydell [Sat, 10 Nov 2012 21:47:52 +0000 (21:47 +0000)]
coroutine-sigaltstack.c: Use stack_t, not struct sigaltstack
Use the POSIX-specified stack_t type as the argument to sigaltstack()
rather than the legacy struct sigaltstack. This allows us to compile
on MacOSX with --with-coroutine=sigaltstack.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Wed, 21 Nov 2012 13:21:47 +0000 (14:21 +0100)]
Documentation: Update image format information
Document new and yet undocumented options and image formats. The
qemu-img man page contains information only for raw and qcow2 now and
references the HTML documentation for a more detailed description of
other formats.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Kevin Wolf [Wed, 21 Nov 2012 11:26:56 +0000 (12:26 +0100)]
Documentation: Update block cache mode information
Somehow we forgot to update this when cache=writeback became the
default. While changing the information on the default, also make the
description of all caches modes a bit more accurate.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Commit 0d8d7690850eb0cf2b2b60933cf47669a6b6f18f introduced
a regression in virtio-net performance because it looks
into the ring aggressively while we really only care
about a single packet worth of buffers.
Reported as bugzilla 1066055 in launchpad.
To fix, add parameters limiting lookahead, and
use in virtqueue_avail_bytes.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reported-by: Edivaldo de Araujo Pereira <edivaldoapereira@yahoo.com.br> Tested-by: Edivaldo de Araujo Pereira <edivaldoapereira@yahoo.com.br> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Anthony Liguori [Thu, 29 Nov 2012 13:46:23 +0000 (07:46 -0600)]
qdev: relax bus type check in qdev_device_add() (v2)
We are currently checking for an exact type match. Use QOM dynamic_cast to
check for a compatible type instead.
Cc: Konrad Frederic <fred.konrad@greensocs.com> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
v1 -> v2:
- also add cast to qbus_find_recursive (Peter)
- simplify by doing object_dynamic_cast instead of messing with classes
Bruce Rogers [Tue, 27 Nov 2012 20:11:25 +0000 (13:11 -0700)]
qapi: fix qapi_dealloc_type_size parameter type
The second parameter to qapi_dealloc_type_size should be a uint64_t *,
not a size_t *. This was causing our 32 bit x86 build to fail, since
warnings are treated as errors.
Signed-off-by: Bruce Rogers <brogers@suse.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Reviewed-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
This was left as NULL on the initial merge due to debate on the mailing list on
how to handle DMA contexts for sysbus devices. Patch 9e11908f12f92e31ea94dc2a4c962c836cba9f2a was later merged to fix OHCI. This is the,
equivalent fix for sysbus EHCI.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
projects / qemu-upstream-4.3-testing.git / log