When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer. Move that code to a separate function so we can call it
from other places too.
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.
The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register. The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.
Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.
Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.
Wei Liu [Tue, 12 Apr 2016 10:43:14 +0000 (11:43 +0100)]
xenfb: use the correct condition to avoid excessive looping
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <=
out_cons"), ">=" was used. In fact, a full ring is a legit state.
Correct the test to use ">".
xenfb.c: avoid expensive loops when prod <= out_cons
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.
Don Slutz [Mon, 30 Nov 2015 22:11:04 +0000 (17:11 -0500)]
exec: Stop using memory after free
memory_region_unref(mr) can free memory.
For example I got:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f43280d4700 (LWP 4462)]
0x00007f43323283c0 in phys_section_destroy (mr=0x7f43259468b0)
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
1023 if (mr->subpage) {
(gdb) bt
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
at /home/don/xen/tools/qemu-xen-dir/exec.c:1034
at /home/don/xen/tools/qemu-xen-dir/exec.c:2205
(gdb) p mr
$1 = (MemoryRegion *) 0x7f43259468b0
On Xen MSIs can be remapped into pirqs, which are a type of event
channels. It's mostly for the benefit of PCI passthrough devices, to
avoid the overhead of interacting with the emulated lapic.
However remapping interrupts and MSIs is also supported for emulated
devices, such as the e1000 and virtio-net.
When an interrupt or an MSI is remapped into a pirq, masking and
unmasking is done by masking and unmasking the event channel. The
masking bit on the PCI config space or MSI-X table should be ignored,
but it isn't at the moment.
As a consequence emulated devices which use MSI or MSI-X, such as
virtio-net, don't work properly (the guest doesn't receive any
notifications). The mechanism was working properly when xen_apic was
introduced, but I haven't narrowed down which commit in particular is
causing the regression.
Fix the issue by ignoring the masking bit for MSI and MSI-X which have
been remapped into pirqs.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Reported by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
Jason Wang [Mon, 30 Nov 2015 07:00:06 +0000 (15:00 +0800)]
pcnet: fix rx buffer overflow(CVE-2015-7512)
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.
Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Gerd Hoffmann [Mon, 14 Dec 2015 08:21:23 +0000 (09:21 +0100)]
ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org Reported-by: Qinghao Tang <luodalongde@gmail.com> Tested-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
While checking r/w access in 'memory_access_is_direct' routine
a glitch in the expression leads to segmentation fault while
performing dma read operation.
net: cadence_gem: check packet size in gem_recieve
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.
Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
When processing NCQ commands, AHCI device emulation prepares a
NCQ transfer object; To which an aio control block(aiocb) object
is assigned in 'execute_ncq_command'. In case, when the NCQ
command is invalid, the 'aiocb' object is not assigned, and NCQ
transfer object is left as 'used'. This leads to a use after
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
Reset NCQ transfer object to 'unused' to avoid it.
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
net: ne2000: fix bounds check in ioport operations
While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.
Reported-by: Ling Liu <liuling-it@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
P J P [Mon, 21 Dec 2015 09:43:13 +0000 (15:13 +0530)]
scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.
Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: P J P <ppandit@redhat.com>
P J P [Tue, 15 Dec 2015 06:57:54 +0000 (12:27 +0530)]
net: vmxnet3: avoid memory leakage in activate_device
Vmxnet3 device emulator does not check if the device is active
before activating it, also it did not free the transmit & receive
buffers while deactivating the device, thus resulting in memory
leakage on the host. This patch fixes both these issues to avoid
host memory leakage.
Reported-by: Qinghao Tang <luodalongde@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
While sending 'SetPixelFormat' messages to a VNC server,
the client could set the 'red-max', 'green-max' and 'blue-max'
values to be zero. This leads to a floating point exception in
write_png_palette while doing frame buffer updates.
Reported-by: Lian Yihan <lianyihan@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Laszlo Ersek [Tue, 19 Jan 2016 13:17:20 +0000 (14:17 +0100)]
e1000: eliminate infinite loops on out-of-bounds transfer start
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:
- the TDLEN and RDLEN registers store the total size of the descriptor
area,
- while the TDH and RDH registers store the offset (in whole tx / rx
descriptors) into the area where the transfer is supposed to start.
Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).
QEMU already contains logic to deal with bogus transfers submitted by the
guest:
- Normally, the transmit case wants to increase TDH from its initial value
to TDT. (TDT is allowed to be numerically smaller than the initial TDH
value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
that QEMU currently has here is a check against reaching the original
TDH value again -- a complete wraparound, which should never happen.
- In the receive case RDH is increased from its initial value until
"total_size" bytes have been received; preferably in a single step, or
in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
RX descriptors are skipped without receiving data, while RDH is
incremented just the same. QEMU tries to prevent an infinite loop
(processing only null RX descriptors) by detecting whether RDH assumes
its original value during the loop. (Again, wrapping from RDLEN to 0 is
normal.)
What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.
The condition that expresses this is:
xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.
This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.
Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Prasad Pandit <ppandit@redhat.com> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Roger Pau Monne [Fri, 13 Nov 2015 17:38:06 +0000 (17:38 +0000)]
xen: fix usage of xc_domain_create in domain builder
Due to the addition of HVMlite and the requirement to always provide a
valid xc_domain_configuration_t, xc_domain_create now always takes an arch
domain config, which can be NULL in order to mimic previous behaviour.
Add a small stub called xen_domain_create that encapsulates the correct
call to xc_domain_create depending on the libxc version detected.
When processing firmware configurations, an OOB r/w access occurs
if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
Add a check to validate 's->cur_entry' to avoid such access.
xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.
xen/blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
Gerd Hoffmann [Tue, 9 Jun 2015 19:08:47 +0000 (21:08 +0200)]
spice-display: fix segfault in qemu_spice_create_update
Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different. So use
separate variables for them.
P J P [Tue, 15 Sep 2015 11:16:59 +0000 (16:46 +0530)]
net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
P J P [Tue, 15 Sep 2015 11:10:49 +0000 (16:40 +0530)]
net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.
Signed-off-by: P J P <pjp@fedoraproject.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Gerd Hoffmann [Fri, 21 Aug 2015 18:59:27 +0000 (20:59 +0200)]
vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative. Result is (possibly
exploitable) memory corruption. Reason for that is it uses the stride
instead of bytes per scanline to apply limits.
For the server surface is is actually fine. vnc creates that itself,
there is never any padding and thus scanline length always equals stride.
For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way. So add and use a new variable
(guest_ll) for the guest scanline length. Also rename min_stride to
line_bytes to make more clear what it actually is. Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.
Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com> Reviewed-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.
Suggested-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 17:16:59 +0000 (18:16 +0100)]
rtl8139: drop tautologous if (ip) {...} statement
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 17:16:58 +0000 (18:16 +0100)]
rtl8139: avoid nested ifs in IP header parsing
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Kevin Wolf [Mon, 27 Jul 2015 03:42:53 +0000 (23:42 -0400)]
ide: Clear DRQ after handling all expected accesses (CVE-2015-5154)
This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Kevin Wolf [Mon, 27 Jul 2015 03:42:53 +0000 (23:42 -0400)]
ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Paolo Bonzini [Tue, 21 Jul 2015 06:59:39 +0000 (08:59 +0200)]
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Jan Beulich [Fri, 24 Jul 2015 09:38:28 +0000 (03:38 -0600)]
xen/HVM: atomically access pointers in bufioreq handling
The number of slots per page being 511 (i.e. not a power of two) means
that the (32-bit) read and write indexes going beyond 2^32 will likely
disturb operation. The hypervisor side gets I/O req server creation
extended so we can indicate that we're using suitable atomic accesses
where needed, allowing it to atomically canonicalize both pointers when
both have gone through at least one cycle.
The Xen side counterpart (which is not a functional prereq to this
change, albeit a build one) went in already (commit b7007bc6f9).
Since e02bc6de30c44fd668dc0d6e1cd1804f2eed3ed3, add_watch() is called
with G_IO_HUP. Even if spice-qemu-char ignores this flag, the
precondition must be changed.
The original commit fixes a bug when assigning a large number of
devices which require option roms to a guest. (One known
configuration that needs extra memory is having more than 4 emulated
NICs assigned. Three or fewer NICs seems to work without this
functionality.)
However, by unilaterally increasing maxmem, it introduces two
problems.
First, now libxl's calculation of the required maxmem during migration
is broken -- any guest which exercised this functionality will fail on
migration. (Guests which have the default number of devices are not
affected.)
Secondly, it makes it impossible for a higher-level toolstack or
administer to predict how much memory a VM will actually use, making
it much more difficult to effectively use all of the memory on a
machine.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Fri, 5 Jun 2015 12:04:55 +0000 (13:04 +0100)]
xen/pass-through: constify some static data
This is done indirectly by adjusting two typedefs and helps emphasizing
that the respective tables aren't supposed to be modified at runtime
(as they may be shared between devices).
Jan Beulich [Mon, 8 Jun 2015 13:11:51 +0000 (14:11 +0100)]
xen/pass-through: ROM BAR handling adjustments
Expecting the ROM BAR to be written with an all ones value when sizing
the region is wrong - the low bit has another meaning (enable/disable)
and bits 1..10 are reserved. The PCI spec also mandates writing all
ones to just the address portion of the register.
Use suitable constants also for initializing the ROM BAR register field
description.
The code introduced to address XSA-126 allows simplification of other
code in xen_pt_initfn(): All we need to do is update "cmd" suitably,
as it'll be written back to the host register near the end of the
function anyway.
Petr Matousek [Sun, 24 May 2015 08:53:44 +0000 (10:53 +0200)]
pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Matt Tait <matttait@google.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: unknown PCI config space fields should be read-only
... by default. Add a per-device "permissive" mode similar to pciback's
to allow restoring previous behavior (and hence break security again,
i.e. should be used only for trusted guests).
This is part of XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>)
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: add a few PCI config space field descriptions
Since the next patch will turn all not explicitly described fields
read-only by default, those fields that have guest writable bits need
to be given explicit descriptors.
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: mark reserved bits in PCI config space fields
The adjustments are solely to make the subsequent patches work right
(and hence make the patch set consistent), namely if permissive mode
(introduced by the last patch) gets used (as both reserved registers
and reserved fields must be similarly protected from guest access in
default mode, but the guest should be allowed access to them in
permissive mode).
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: mark all PCIe capability bits read-only
xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-
only to avoid unintended write-back (just a precaution, the field ought
to be read-only in hardware).
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: split out calculation of throughable mask in PCI config space handling
This is just to avoid having to adjust that calculation later in
multiple places.
Note that including ->ro_mask in get_throughable_mask()'s calculation
is only an apparent (i.e. benign) behavioral change: For r/o fields it
doesn't matter > whether they get passed through - either the same flag
is also set in emu_mask (then there's no change at all) or the field is
r/o in hardware (and hence a write won't change it anyway).
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/pt: consolidate PM capability emu_mask
There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing
PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local
emu_mask variable - we can have the same effect by setting the field
descriptor's emu_mask member suitably right away. Note that
xen_pt_pmcsr_reg_write() is being retained in order to allow later
patches to be less intrusive.
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/MSI: don't open-code pass-through of enable bit modifications
Without this the actual XSA-131 fix would cause the enable bit to not
get set anymore (due to the write back getting suppressed there based
on the OR of emu_mask, ro_mask, and res_mask).
Note that the fiddling with the enable bit shouldn't really be done by
qemu, but making this work right (via libxc and the hypervisor) will
require more extensive changes, which can be postponed until after the
security issue got addressed.
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/MSI-X: limit error messages
Limit error messages resulting from bad guest behavior to avoid allowing
the guest to cause the control domain's disk to fill.
The first message in pci_msix_write() can simply be deleted, as this
is indeed bad guest behavior, but such out of bounds writes don't
really need to be logged.
The second one is more problematic, as there guest behavior may only
appear to be wrong: For one, the old logic didn't take the mask-all bit
into account. And then this shouldn't depend on host device state (i.e.
the host may have masked the entry without the guest having done so).
Plus these writes shouldn't be dropped even when an entry is unmasked.
Instead, if they can't be made take effect right away, they should take
effect on the next unmasking or enabling operation - the specification
explicitly describes such caching behavior. Until we can validly drop
the message (implementing such caching/latching behavior), issue the
message just once per MSI-X table entry.
Note that the log message in pci_msix_read() similar to the one being
removed here is not an issue: "addr" being of unsigned type, and the
maximum size of the MSI-X table being 32k, entry_nr simply can't be
negative and hence the conditonal guarding issuing of the message will
never be true.
This is XSA-130.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen: don't allow guest to control MSI mask register
It's being used by the hypervisor. For now simply mimic a device not
capable of masking, and fully emulate any accesses a guest may issue
nevertheless as simple reads/writes without side effects.
This is XSA-129.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen: properly gate host writes of modified PCI CFG contents
The old logic didn't work as intended when an access spanned multiple
fields (for example a 32-bit access to the location of the MSI Message
Data field with the high 16 bits not being covered by any known field).
Remove it and derive which fields not to write to from the accessed
fields' emulation masks: When they're all ones, there's no point in
doing any host write.
This fixes a secondary issue at once: We obviously shouldn't make any
host write attempt when already the host read failed.
This is XSA-128.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Petr Matousek [Wed, 6 May 2015 07:48:59 +0000 (09:48 +0200)]
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
glib-compat: fix problems with not-quite glib 2.22
Commit 89b516d8b9444ece8ccabb322a9389587c7a7b83 ("glib: add
compatibility interface for g_get_monotonic_time()") aimed
at making qemu build with old glib versions. At least SLES11SP3,
however, contains a backport of g_get_monotonic_time() while
keeping the reported glib version at 2.22.
Let's work around this by a strategically placed #define.
Jan Beulich [Tue, 31 Mar 2015 13:58:04 +0000 (13:58 +0000)]
xen: limit guest control of PCI command register
Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses (by disabling memory and/or I/O decoding
and subsequently causing [CPU side] accesses to the respective address
ranges), which (depending on system configuration) may be fatal to the
host.
This is CVE-2015-2756 / XSA-126.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Kevin Wolf [Wed, 11 Feb 2015 16:19:57 +0000 (17:19 +0100)]
vpc: Fix size in fixed image creation
If total_sectors is rounded to match the geometry, total_size needs to
be changed as well. Otherwise we end up with an image whose geometry
describes a disk larger than the image file, which doesn't end well.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit c7dd631d482912fd615a9ef18a0e0691e7a84836) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Tue, 10 Feb 2015 10:17:53 +0000 (11:17 +0100)]
coroutine: Fix use after free with qemu_coroutine_yield()
Instead of using the same function for entering and exiting coroutines,
and hoping that it doesn't add any functionality that hurts with the
parameters used for exiting, we can just directly call into the real
task switch in qemu_coroutine_switch().
This fixes a use-after-free scenario where reentering a coroutine that
has yielded still accesses the old parent coroutine (which may have
meanwhile terminated) in the part of coroutine_swap() that follows
qemu_coroutine_switch().
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 80687b4dd6f43b3fef61fef8fbcb358457350562) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Igor Mammedov [Fri, 19 Dec 2014 11:46:57 +0000 (11:46 +0000)]
pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled
ACPI parser in XP considers PNP0A06 devices of CPU and
memory hotplug as duplicates. Adding unique _UID
to CPU hotplug device fixes BSOD.
Cc: qemu-stable@nongnu.org Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6d4e4cb9985e24557abcf3932a0e7f8f6ab3c1d2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
xen-hvm: increase maxmem before calling xc_domain_populate_physmap
Increase maxmem before calling xc_domain_populate_physmap_exact to
avoid the risk of running out of guest memory. This way we can also
avoid complex memory calculations in libxl at domain construction
time.
This patch fixes an abort() when assigning more than 4 NICs to a VM.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Don Slutz <dslutz@verizon.com>
(cherry picked from commit c1d322e6048796296555dd36fdd102d7fa2f50bf) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jun Li [Wed, 5 Nov 2014 07:03:03 +0000 (15:03 +0800)]
qdev: Avoid type assertion in qdev_build_hotpluggable_device_list()
Currently when *obj is not a TYPE_DEVICE, QEMU will abort. This patch
fixes it. When *obj is not a TYPE_DEVICE, just do not add it to hotpluggable
device list.
This patch also fixes the following issue:
1. boot QEMU using cli:
$ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
-device virtio-scsi-pci,id=scsi0
2. device_del scsi0 via hmp using tab key(first input device_del, then press
"Tab" key).
(qemu) device_del
After step 2, QEMU will abort.
(qemu) device_del hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
Object 0x5555563a2460 is not an instance of type device
Signed-off-by: Jun Li <junmuzi@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 09d560177101d2ef1e333754a25cfa49b70583b3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Wed, 10 Dec 2014 15:56:46 +0000 (16:56 +0100)]
kvm/apic: fix 2.2->2.1 migration
The wait_for_sipi field is set back to 1 after an INIT, so it was not
effective to reset it in kvm_apic_realize. Introduce a reset callback
and reset wait_for_sipi there.
Reported-by: Igor Mammedov <imammedo@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 575a6f4082c45778b93032ef1e7fbea4467b3a2a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Leon Alrae [Mon, 26 Jan 2015 16:49:42 +0000 (16:49 +0000)]
target-mips: fix broken snapshotting
Recently added CP0.BadInstr and CP0.BadInstrP registers ended up in cpu_load()
under different offset than in cpu_save(). These and all registers between were
incorrectly restored.
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
(cherry picked from commit b40a1530f294b5fa4479dc3ca9bf46c269d08d87) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Anton D. Kachalov (1):
[intel] Add 8086:1557 card (Intel 82599 10G ethernet mezz)
Christian Hesse (1):
[build] Merge util/geniso and util/genliso
Curtis Larsen (3):
[efi] Use EFI_CONSOLE_CONTROL_PROTOCOL to set text mode if available
[efi] Report errors from attempting to disconnect existing drivers
[efi] Try various possible SNP receive filters
Dale Hamel (1):
[smbios] Expose board serial number as ${board-serial}
Florian Schmaus (1):
[build] Set GITVERSION only if there is a git repository
Hannes Reinecke (3):
[ethernet] Provide eth_random_addr() to generate random Ethernet addresses
[igbvf] Assign random MAC address if none is set
[igbvf] Allow changing of MAC address
Jan Kiszka (1):
[intel] Add I217-LM PCI ID
Marin Hannache (4):
[nfs] Fix an invalid free() when loading a symlink
[nfs] Fix an invalid free() when loading a regular (non-symlink) file
[nfs] Rewrite NFS URI handling
[readline] Add CTRL-W shortcut to remove a word
Michael Brown (144):
[profile] Allow interrupts to be excluded from profiling results
[intel] Exclude time spent in hypervisor from profiling
[build] Fix version.o dependency upon git index
[tcp] Defer sending ACKs until all received packets have been processed
[lkrnprefix] Function as a bzImage kernel
[build] Avoid errors when build directory is mounted via NFS
[undi] Apply quota only to number of complete received packets
[lkrnprefix] Make real-mode setup code relocatable
[intel] Increase receive ring fill level
[syslog] Strip invalid characters from hostname
[test] Add self-tests for strdup()
[libc] Prevent strndup() from reading beyond the end of the string
[efi] Allow for optional protocols
[efi] Make EFI_DEVICE_PATH_TO_TEXT_PROTOCOL optional
[efi] Make EFI_HII_DATABASE_PROTOCOL optional
[efi] Do not try to fetch loaded image device path protocol
[ipv6] Fix definition of IN6_IS_ADDR_LINKLOCAL()
[dhcpv6] Do not set sin6_scope_id on the unspecified client socket address
[ipv6] Do not set sin6_scope_id on source address
[ipv6] Include network device when transcribing multicast addresses
[ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()
[librm] Allow for the PIC interrupt vector offset to be changed
[ifmgmt] Do not sleep CPU while configuring network devices
[scsi] Improve sense code parsing
[iscsi] Read IPv4 settings only from the relevant network device
[iscsi] Include IP address origin in iBFT
[debug] Allow debug message colours to be customised via DBGCOL=...
[build] Expose build timestamp, build name, and product names
[efi] Allow device paths to be easily included in debug messages
[efi] Provide a meaningful EFI SNP device name
[efi] Restructure EFI driver model
[build] Fix erroneous object name in version object
[build] Add yet another potential location for isolinux.bin
[efi] Allow network devices to be created on top of arbitrary SNP devices
[autoboot] Allow autoboot device to be identified by link-layer address
[efi] Identify autoboot device by MAC address when chainloading
[efi] Attempt to start only drivers claiming support for a device
[efi] Rewrite SNP NIC driver
[efi] Include SNP NIC driver within the all-drivers target
[crypto] Add support for iPAddress subject alternative names
[crypto] Fix debug message
[netdevice] Reset network device index when last device is unregistered
[efi] Update EDK2 headers
[efi] Install our own disk I/O protocol and claim exclusive use of it
[efi] Allow for interception of boot services calls by loaded image
[efi] Print well-known GUIDs by name in debug messages
[efi] Include EFI_CONSOLE_CONTROL_PROTOCOL header
[ioapi] Fail ioremap() when attempting to map a zero bus address
[intel] Check for ioremap() failures
[realtek] Check for ioremap() failures
[vmxnet3] Check for ioremap() failures
[skel] Check for ioremap() failures
[myson] Check for ioremap() failures
[natsemi] Check for ioremap() failures
[i386] Add functions to read and write model-specific registers
[x86_64] Add functions to read and write model-specific registers
[efi] Show more diagnostic information when building with DEBUG=efi_wrap
[ioapi] Centralise notion of PAGE_SIZE
[lotest] Discard packets arriving on the incorrect network device
[xen] Import selected public headers
[xen] Add basic support for PV-HVM domains
[xen] Add support for Xen netfront virtual NICs
[efi] Default to releasing network devices for use via SNP
[efi] Unload started images only on failure
[efi] Fill in loaded image's DeviceHandle if firmware fails to do so
[efi] Fix incorrect debug message level when device has no device path
[efi] Report exact failure when unable to open the device path
[netdevice] Avoid registering duplicate network devices
[efi] Ignore failures when attempting to install SNP HII protocol
[efi] Expand the range of well-known EFI GUIDs in debug messages
[efi] Provide efi_handle_name() for debugging
[efi] Add ability to dump all openers of a given protocol on a handle
[efi] Use efi_handle_name() instead of efi_handle_devpath_text()
[efi] Use efi_handle_name() instead of efi_devpath_text() where applicable
[efi] Allow compiler to perform type checks on EFI_HANDLE
[efi] Avoid unnecessarily passing pointers to EFI_HANDLEs
[efi] Dump existing openers when we are unable to open a protocol
[efi] Dump handle information around connect/disconnect attempts
[efi] Improve debugging of the debugging facilities
[efi] Add excessive sanity checks into efi_debug functions
[efi] Also try original ComponentName protocol for retrieving driver names
[efi] Print raw device path when we have no DevicePathToTextProtocol
[efi] Add ability to dump SNP device mode information
[efi] Reset multicast filter list when setting SNP receive filters
[efi] Provide centralised definitions of commonly-used GUIDs
[efi] Open device path protocol only at point of use
[efi] Move abstract device path and handle functions to efi_utils.c
[efi] Generalise snpnet_pci_info() to efi_locate_device()
[bios] Support displaying and hiding cursor
[efi] Support displaying and hiding cursor
[readline] Ensure cursor is visible when prompting for input
[xen] Accept alternative Xen platform PCI device ID 5853:0002
[xen] Use version 1 grant tables by default
[xen] Cope with unexpected initial backend states
[smc9000] Avoid using CONFIG as a preprocessor macro
[build] Allow for named configurations at build time
[intel] Display PBS value when applying ICH errata workaround
[intel] Display before and after values for both PBS and PBA
[intel] Apply PBS/PBA errata workaround only to ICH8 PCI device IDs
[efi] Add definitions of GUIDs observed during Windows boot
[efi] Dump details of any calls to our dummy block and disk I/O protocols
[romprefix] Do not preserve unused register %di
[build] Remove obsolete references to .zrom build targets
[build] Allow ISA ROMs to be built
[build] Avoid deleting config header files if build is interrupted
[prefix] Halt system without burning CPU if we cannot access the payload
[prefix] Report both %esi and %ecx when opening payload fails
[util] Use PCI length field to obtain length of individual images
[mromprefix] Use PCI length field to obtain length of individual images
[mromprefix] Allow for .mrom images larger than 128kB
[efi] Show details of intercepted LoadImage() calls
[efi] Make our virtual file system case insensitive
[efi] Wrap any images loaded by our wrapped image
[efi] Use the SNP protocol instance to match the SNP chainloading device
[efi] Avoid returning uninitialised data from PCI configuration space reads
[efi] Make EFI_PCI_ROOT_BRIDGE_IO_PROTOCOL optional
[efi] Allow for non-PCI snpnet devices
[build] Clean up all binary directories on "make [very]clean"
[efi] Add efifatbin utility
[efi] Provide dummy device path in efi_image_probe()
[dhcp] Check for matching chaddr in received DHCP packets
[dhcp] Remove obsolete dhcp_chaddr() function
[build] Use -malign-double to build 32-bit UEFI binaries
[efi] Centralise definitions of more protocol GUIDs
[efi] Add definitions of GUIDs observed when chainloading from Intel driver
[efi] Free transmit ring entry before calling netdev_tx_complete()
[efi] Generalise snpnet_dev_info() to efi_device_info()
[efi] Update to current EDK2 headers
[efi] Add NII / UNDI driver
[efi] Check for presence of UNDI in NII protocol
[efi] Include NII driver within "snp" and "snponly" build targets
[ping] Report timed-out pings via the callback function
[ping] Allow termination after a specified number of packets
[ping] Allow "ping" command output to be inhibited
[intel] Use autoloaded MAC address instead of EEPROM MAC address
[crypto] Fix parsing of OCSP responder ID key hash
[vmxnet3] Add profiling code to exclude time spent in the hypervisor
[netdevice] Fix erroneous use of free(iobuf) instead of free_iob(iobuf)
[libc] Add ASSERTED macro to test if any assertion has triggered
[list] Add sanity checks after list-adding functions
[malloc] Tidy up debug output
[malloc] Sanity check parameters to alloc_memblock() and free_memblock()
[malloc] Check integrity of free list
[malloc] Report caller address as soon as memory corruption is detected
Peter Lemenkov (1):
[build] Check if git index actually exists
Robin Smidsrød (2):
[build] Add named configuration for VirtualBox
[build] Avoid using embedded script in VirtualBox named configuration
Sven Ulland (1):
[lacp] Set "aggregatable" flag in response LACPDU
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c246cee4eedb17ae3932d699e009a8b63240235f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Fri, 19 Dec 2014 11:53:14 +0000 (12:53 +0100)]
exec: change default exception_index value for migration to -1
In QEMU 2.2 the exception_index value was added to the migration stream
through a subsection. The default was set to 0, which is wrong and
should have been -1.
However, 2.2 does not have commit e511b4d (cpu-exec: reset exception_index
correctly, 2014-11-26), hence in 2.2 the exception_index is never used
and is set to -1 on the next call to cpu_exec. So we can change the
migration stream to make the default -1. The effects are:
- 2.2.1 -> 2.2.0: cpu->exception_index set incorrectly to 0 if it
were -1 on the source; then reset to -1 in cpu_exec. This is TCG
only; KVM does not use exception_index.
- 2.2.0 -> 2.2.1: cpu->exception_index set incorrectly to -1 if it
were 0 on the source; but it would be reset to -1 in cpu_exec anyway.
This is TCG only; KVM does not use exception_index.
- 2.2.1 -> 2.1: two bugs fixed: 1) can migrate backwards if
cpu->exception_index is set to -1; 2) should not migrate backwards
(but 2.2.0 allows it) if cpu->exception_index is set to 0
- 2.2.0 -> 2.3.0: 2.2.0 will send the subsection unnecessarily if
exception_index is -1, but that is not a problem. 2.3.0 will set
cpu->exception_index to -1 if it is 0 on the source, but this would
be anyway a problem for 2.2.0 -> 2.2.x migration (due to lack of
commit e511b4d in 2.2.x) so we can ignore it
- 2.2.1 -> 2.3.0: everything works.
In addition, play it safe and never send the subsection unless TCG
is in use. KVM does not use exception_index (PPC KVM stores values
in it for use in the subsequent call to ppc_cpu_do_interrupt, but
does not need it as soon as kvm_handle_debug returns). Xen and
qtest do not run any code for the CPU at all.
Reported-by: Igor Mammedov <imammedo@redhat.com> Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com> Tested-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1418989994-17244-3-git-send-email-pbonzini@redhat.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit adee64249ee37e822d578e65a765750e7f2081f6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fam Zheng [Mon, 19 Jan 2015 09:51:43 +0000 (17:51 +0800)]
qtest: Fix deadloop by running main loop AIO context's timers
qemu_clock_run_timers() only takes care of main_loop_tlg, we shouldn't
forget aio timer list groups.
Currently, the qemu_clock_deadline_ns_all (a few lines above) counts all
the timergroups of this clock type, including aio tlg, but we don't fire
them, so they are never cleared, which makes a dead loop.
For example, this function hangs when trying to drive throttled block
request queue with qtest clock_step.
Signed-off-by: Fam Zheng <famz@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1421661103-29153-1-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit efef88b3d9ad4325172ed288032807fa88d683cc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Wu [Tue, 23 Dec 2014 15:30:41 +0000 (16:30 +0100)]
block/iscsi: fix uninitialized variable
'ret' was never initialized in the success path.
Signed-off-by: Peter Wu <peter@lekensteyn.nl> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit debfb917a4f9c0784772c86f110f2bcd22e5a14f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Cc: <qemu-stable@nongnu.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b41112c46b93f781669c0eb89e51d3a87af6bb49) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 158ef8cbb7e0fe8bb430310924b8bebe5f186e6e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alex Williamson [Wed, 4 Feb 2015 18:45:32 +0000 (11:45 -0700)]
vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion
Commit d8d95814609e added explicit object_unparent() calls for
dynamically allocated MemoryRegions. The VFIOMSIXInfo structure also
contains such a MemoryRegion, covering the mmap'd region of a PCI BAR
above the MSI-X table. This structure is freed as part of the class
exit function and therefore also needs an explicit object_unparent().
Failing to do this results in random segfaults due to fields within
the structure, often the class pointer, being reclaimed and corrupted
by the time object_finalize_child_property() is called for the object.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org # 2.2
(cherry picked from commit 3a4dbe6aa934370a92372528c1255ee1504965ee) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Thu, 5 Feb 2015 13:37:23 +0000 (13:37 +0000)]
target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT
The LDT/STT (load/store unprivileged) instruction decode was using
the wrong MMU index value. This meant that instead of these insns
being "always access as if user-mode regardless of current privilege"
they were "always access as if kernel-mode regardless of current
privilege". This went unnoticed because AArch64 Linux doesn't use
these instructions.
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Greg Bellows <greg.bellows@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
I'm not counting this as a security issue because I'm assuming
nobody treats TCG guests as a security boundary (certainly I
would not recommend doing so...)
Dinar Valeev [Wed, 21 Jan 2015 22:48:41 +0000 (23:48 +0100)]
hw/input/hid.c Fix capslock hid code
When ever USB keyboard is used, e.g. '-usbdevice keyboard' pressing
caps lock key send 0x32 hid code, which is treated as backslash.
Instead it should be 0x39 code. This affects sending uppercase keys,
as they typed whith caps lock active.
While on x86 this can be workarounded by using ps/2 protocol. On
Power it is crusial as we don't have anything else than USB.
This is fixes guest automation tasts over vnc.
Signed-off-by: Dinar Valeev <dvaleev@suse.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ee4de5840ccc1072459ec68062bfb63c888a94d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Tue, 20 Jan 2015 16:23:48 +0000 (17:23 +0100)]
sb16: fix interrupt acknowledgement
SoundBlaster 16 emulation is very broken and consumes a lot of CPU, but a
small fix was suggested offlist and it is enough to fix some games. I
got Epic Pinball to work with the "SoundBlaster Clone" option.
The processing of the interrupt register is wrong due to two missing
"not"s. This causes the interrupt flag to remain set even after the
Acknowledge ports have been read (0x0e and 0x0f).
The line was introduced by commit 85571bc (audio merge (malc), 2004-11-07),
but the code might have been broken before because I did not look closely
at the huge patches from 10 years ago.
Reported-by: Joshua Bair <j_bair@bellsouth.net> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 9939375c282a0f97afa69dc6799d3c77aaf7d544) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cornelia Huck [Fri, 12 Dec 2014 09:01:46 +0000 (10:01 +0100)]
virtio: fix feature bit checks
Several places check against the feature bit number instead of against
the feature bit. Fix them.
Cc: qemu-stable@nongnu.org Reported-by: Thomas Huth <thuth@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 91d5c57a2e98845c02cda026f3f6a88cb5e14225) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Wed, 10 Dec 2014 09:17:36 +0000 (10:17 +0100)]
vt82c686: avoid out-of-bounds read
superio_ioport_readb can read the 256th element of the array.
Coverity reports an out-of-bounds write in superio_ioport_writeb,
but it does not show the corresponding out-of-bounds read
because it cannot prove that it can happen. Fix the root
cause of the problem (zhanghailang's patch instead fixes
the logic in superio_ioport_writeb).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: zhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Cc: qemu-stable@nongnu.org
(cherry picked from commit 9feb8adeaa850d15b930c30f22c1ed2f2f695172) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Mon, 12 Jan 2015 10:47:30 +0000 (11:47 +0100)]
scsi: fix cancellation when I/O was completed but DMA was not.
Commit d577646 (scsi: Introduce scsi_req_cancel_complete, 2014-09-25)
was supposed to have no semantic change, but it missed a case. When
r->aiocb has already been NULLed, but DMA was not complete and the
SCSI layer was waiting for scsi_req_continue, after the patch the
SCSI layer will not call the .cancel callback of SCSIBusInfo.
Fixes: d5776465ee9a55815792efa34d79de240f4ffd99 Cc: qemu-stable@nongnu.org Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 488eef2f1d16c97cf7f9ebf644ecafa1ea1e9acc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Mon, 22 Dec 2014 17:47:00 +0000 (17:47 +0000)]
linux-user: Fix broken m68k signal handling on 64 bit hosts
The m68k signal frame setup code which writes the signal return
trampoline code to the stack was assuming that a 'long' was 32 bits;
on 64 bit systems this meant we would end up writing the 32 bit
(2 insn) trampoline sequence to retaddr+4,retaddr+6 instead of
the intended retaddr+0,retaddr+2, resulting in a guest crash when
it tried to execute the invalid zero-bytes at retaddr+0.
Fix by using uint32_t instead; also use uint16_t rather than short
for consistency. This fixes bug LP:1404690.
Reported-by: Michel Boaventura Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit 1669add752d9f29283f8ebf6a863d7b1e2d0f146) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Mon, 22 Dec 2014 07:55:19 +0000 (08:55 +0100)]
pckbd: set bits 2-3-6-7 of the output port by default
OSes typically write 0xdd/0xdf to turn the A20 line off and on. This
has bits 2-3-6-7 on, so that the output port subsection is migrated.
Change the reset value and migration default to include those four
bits, thus avoiding that the subsection is migrated.
This strictly speaking changes guest ABI, but the long time during which
we have not migrated the value means that the guests really do not care
much; so the change is for all machine types.
Reported-by: Igor Mammedov <imammedo@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d13c0404092eb46e548754a47a808da1bb8d4fd0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Mon, 22 Dec 2014 07:51:57 +0000 (08:51 +0100)]
serial: refine serial_thr_ipending_needed
If the THR interrupt is disabled, there is no need to migrate thr_ipending
because LSR.THRE will be sampled again when the interrupt is enabled.
(This is the behavior that is not documented in the datasheet, but
relied on by Windows!)
Note that in this case IIR will never be 0x2 so, if thr_ipending were
to be one, QEMU would produce the subsection.
Reported-by: Igor Mammedov <imammedo@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit bfa7362889d05d6951493d1c298289b39cf9bf86) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Fri, 12 Dec 2014 09:17:08 +0000 (10:17 +0100)]
serial: reset thri_pending on IER writes with THRI=0
This is responsible for failure of migration from 2.2 to 2.1, because
thr_ipending is always one in practice.
serial.c is setting thr_ipending unconditionally. However, thr_ipending
is not used at all if THRI=0, and it will be overwritten again the next
time THRE or THRI changes. For that reason, we can set thr_ipending to
zero every time THRI is reset.
There is disagreement on whether LSR.THRE should be resampled when IER.THRI
goes from 1 to 1. This patch does not touch the code, leaving that for
QEMU 2.3+.
This has no semantic change and is enough to fix migration in the common
case where the interrupt is not pending or is reported in IIR. It does not
change the migration format, so 2.2.0 -> 2.1 will remain broken but we
can fix 2.2.1 -> 2.1 without breaking 2.2.1 <-> 2.2.0.
The case that remains broken (the one in which the subsection is strictly
necessary) is when THRE=1, the THRI interrupt has *not* been acknowledged
yet, and a higher-priority interrupt comes. In this case, you need the
subsection to tell the source that the lower-priority THRI interrupt is
pending. The subsection's breakage of migration, in this case, prevents
continuing the VM on the destination with an invalid state.
Cc: qemu-stable@nongnu.org Reported-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4e02b0fcf5c97579d0d3261c80c65abcf92870fe) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
vl.c: fix regression when reading machine type from config file
After 'Machine as QOM' series the machine type input triggers
the creation of the machine class.
If the machine type is set in the configuration file, the machine
class is not updated accordingly and remains the default.
Fixed that by querying the machine options after the configuration
file is loaded.
Cc: qemu-stable@nongnu.org Reported-by: William Dauchy <william@gandi.net> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 364c3e6b8dd7912e01d19122d791b8c8f6df4f6c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
David Gibson [Mon, 8 Dec 2014 02:48:02 +0000 (13:48 +1100)]
PPC: Fix crash on spapr_tce_table_finalize()
spapr_tce_table_finalize() can SEGV if the object was not previously
realized. In particular this can be triggered by running
qemu-system-ppc -device spapr-tce-table,?
The basic problem is that we have mismatched initialization versus
finalization: spapr_tce_table_finalize() is attempting to undo things that
are done in spapr_tce_table_realize(), not an instance_init function.
Therefore, replace spapr_tce_table_finalize() with
spapr_tce_table_unrealize().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Cc: qemu-stable@nongnu.org Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 5f9490de566c5b092a6cfedc3c7a37a9c9dee917) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Tue, 4 Nov 2014 13:35:28 +0000 (14:35 +0100)]
atomic: fix position of volatile qualifier
What needs to be volatile is not the pointer, but the pointed-to
value!
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2cbcfb281afa041a41f6e4c4da0f5c9314084604) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Because of wrong return value of .save_live_pending() in
migration/block.c, migration finishes before the whole disk is
transferred. Such situation occurs when the migration process is fast
enough, for example when source and dest are on the same host.
If in the bulk phase we return something < max_size, we will skip
transferring the tail of the device. Currently we have "set pending to
BLOCK_SIZE if it is zero" for bulk phase, but there no guarantee, that
it will be < max_size.
True approach is to return, for example, max_size+1 when we are in the
bulk phase.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@parallels.com>
Message-id: 1419933856-4018-2-git-send-email-vsementsov@parallels.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 04636dc410b163c2243e66c3813dd4900a50a4ed) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Max Filippov [Sun, 14 Dec 2014 05:23:52 +0000 (08:23 +0300)]
target-xtensa: test cross-page opcode
Alter cross-page TB test to also test cross-page opcode.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit 85d36377e4ff8b98119420099d445369bfd6b7bb) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
projects / qemu-upstream-4.6-testing.git / log