Ian Jackson [Wed, 26 Nov 2008 14:14:06 +0000 (14:14 +0000)]
vnc and xenfb integer overflow and division by zero vuln fixes
row_stride_div0.patch: a malicious frontend can send row_stride==0 and force
qemu-dm to perform division by 0
vnc_resize_doublecheck.patch: there is an unchecked multiplication when
calculating framebuffer size. Cs 17630 sanitizes framebuffer dimensions
passed by the frontend, so most probably no integer overflow can happen, but
there should be a check for overflow close to the actual computation (to
make code review easier and to cope with other codepaths in the future).
(Patches submitted by Rafal Wojtczuk <rafal@invisiblethingslab.com>
against xen-3.2 ioemu; adapted for xen-unstable by Ian Jackson and also
edited to actually compile and to be correct.)
Contributed-by: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Modified-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cherry picked from xen-unstable a83c1174b942d0f0f0e05927eb5b69fe8489b7ab
PLUS
vnc integer overflow check fix overzealous zero checking
In a83c1174b942d0f0f0e05927eb5b69fe8489b7ab, we arranged to avoid
integer overflow and calls to realloc(nonzero,0). However
vs->depth==0 is legitimate on entry to vnc_dpy_resize_shared.
We need to move the check for vs->depth until after vnc_colourdepth.
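The two checks the commit message describes (reject row_stride == 0 before it is used as a divisor, and check the width * depth * height multiplication for overflow right where it is computed, so that a zero-sized or wrapped allocation never reaches realloc) look like the following in isolation. This is an added example written for this page, not the ioemu or qemu-dm code the commits patch; the struct name, the limits FB_MAX_WIDTH / FB_MAX_HEIGHT / FB_MAX_BYTES and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Limits chosen for this example; the page does not state the real ones. */
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u
#define FB_MAX_BYTES   (64u * 1024u * 1024u)

/* Framebuffer geometry as supplied by the (untrusted) frontend. */
struct fb_geometry {
    uint32_t width;
    uint32_t height;
    uint32_t depth;       /* bits per pixel: 8, 16, 24 or 32 */
    uint32_t row_stride;  /* bytes per row, as declared by the frontend */
};

/* Overflow-checked multiply. Returns false (and leaves *out alone) on overflow. */
static bool mul_overflow_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Validate the geometry and compute the byte size of the framebuffer.
 * Returns 1 and stores the size on success, 0 on any rejection. */
int fb_validate_geometry(const struct fb_geometry *g, size_t *bytes)
{
    size_t bpp, row_bytes, total;

    if (g->width == 0 || g->height == 0 ||
        g->width > FB_MAX_WIDTH || g->height > FB_MAX_HEIGHT)
        return 0;
    /* depth == 0 would give bpp == 0 and a zero-sized buffer: reject it. */
    if (g->depth != 8 && g->depth != 16 && g->depth != 24 && g->depth != 32)
        return 0;
    bpp = g->depth / 8;

    /* row_stride is used as a divisor later (rows = size / row_stride). */
    if (g->row_stride == 0)
        return 0;

    if (!mul_overflow_size(g->width, bpp, &row_bytes))
        return 0;
    /* A stride shorter than one row would make a row copy overrun. */
    if (g->row_stride < row_bytes)
        return 0;
    /* The overflow check sits next to the computation it protects. */
    if (!mul_overflow_size(g->row_stride, g->height, &total))
        return 0;
    if (total > FB_MAX_BYTES)
        return 0;

    *bytes = total;
    return 1;
}

/* Rows that fit in a buffer of `size` bytes. Guards the divisor anyway, so a
 * caller that skipped validation cannot fault here. */
size_t fb_rows_in_buffer(size_t size, uint32_t row_stride)
{
    return row_stride ? size / row_stride : 0;
}

/* Convenience wrapper: the validated size, or 0 if the geometry is rejected. */
size_t fb_size_or_zero(uint32_t w, uint32_t h, uint32_t depth, uint32_t stride)
{
    struct fb_geometry g = { w, h, depth, stride };
    size_t n = 0;
    return fb_validate_geometry(&g, &n) ? n : 0;
}
```

The point of keeping the overflow test beside the multiplication, rather than relying on an earlier sanitisation pass, is exactly the one the commit message makes: a reviewer can see the check without tracing every caller, and a future code path that reaches the computation by another route is still covered.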
Ian Jackson [Wed, 3 Sep 2008 10:26:06 +0000 (11:26 +0100)]
support PCI Express Capability Structure version 1
Support PCI Express Capability Structure version 1. The format of
PCI Express Capability Structure is different between version 1 and
version 2. Current code supports only version 2. This might cause
conflict with other capability structures if a device implements
version 1.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
although this was probably a mistake; it should have been committed
separately. In any case we cherry pick that half of the change now.
Ian Jackson [Tue, 9 Sep 2008 13:02:03 +0000 (14:02 +0100)]
Fix map cache low/high/low bug
This small patch fixes an issue leading to a crash (segfault, although
with earlier changesets I was seeing sigbus - not sure what changed)
in qemu-dm when the following conditions occur:
1. A valid mapping for a bucket on a low address exists
2. Immediately after accessing memory mapped in this bucket, an access
occurs to a high (beyond assigned ram) address beyond the 1GB limit
for 32bit map cache wrapping around to the previous bucket's entry
number.
3. The next call to map cache again accesses the low address.
In this scenario, the guest mem for the low bucket has been unmapped
by the remap_bucket caused by 2., but because the valid_mapping
bit-test fails, map_cache returns before last_address_index has been
updated. The subsequent call to map_cache therefore never remaps the
low, valid bucket and instead returns a vaddr pointing to memory that
has failed to get mapped.
Ian Jackson [Fri, 5 Sep 2008 09:32:49 +0000 (10:32 +0100)]
fix offset of MSI-X memory mapped table.
This patch fixes offset of MSI-X memory mapped table.
Current code does not set dev->msix->table_off variable.
The offset of MSI-X memory mapped table is treated as 0.
The wrong region is unmapped from guest physical memory space.
As a result, guest device driver can't access memory mapped resource.
The patch fixes this issue. My MegaRAID SAS assigned to a guest domain
starts working with the patch.
Ian Jackson [Fri, 15 Aug 2008 10:38:06 +0000 (11:38 +0100)]
Try to fix USB HID and make the HID reports readable.
Decode HID report Items in the comments.
Invert mouse wheel direction as per Alexander Graf's report and as we already do in the tablet.
Clamp the Relative values to -127:127 as we claimed in the HID descriptors.
Ian Jackson [Fri, 1 Aug 2008 16:15:24 +0000 (17:15 +0100)]
Fix medium change device lookup.
Previously, medium change notifications would be handled with respect
to the wrong emulated disk drive. This would make many configurations
(particularly ones with CDs and many hard disks) break. (A medium
change notification occurs at the start for every removable device.)
Thanks to Haicheng Li at Intel for the report,
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1314
Keir Fraser [Fri, 1 Aug 2008 09:06:13 +0000 (10:06 +0100)]
passthrough: fix flag for expansion rom base address register.
pt_bar_reg_parse() is called for expansion rom base address register.
Currently it returns PT_BAR_FLAG_MEM if bit 0 is 0. It returns
PT_BAR_FLAG_IO if bit 0 is 1.
But bit 0 in expansion rom base address register is enable bit. If bit
0 is 1 for some reason, it returns PT_BAR_FLAG_IO. Expansion rom is
mapped to memory space. It should return PT_BAR_FLAG_MEM.
After applying this patch, it returns PT_BAR_FLAG_MEM regardless
of bit 0, when it is called for expansion rom base address register.
Keir Fraser [Fri, 1 Aug 2008 09:05:36 +0000 (10:05 +0100)]
passthrough: fix corrupting register value in pt_pci_write_config().
I forgot to shift the value read from the real device. If the emulated
register offset is not aligned to 4 bytes, the write emulation will not be
handled well because the register value read from the real device is corrupted.
The patch fixes this issue.
Keir Fraser [Fri, 1 Aug 2008 09:04:39 +0000 (10:04 +0100)]
passthru: fix libpci error handling.
libpci returns ALL F when an error occurs. Currently, if libpci returns ALL
F, emulation stops. But it is possible that the field of the real register
which is read by guest software is ALL F.
After applying this patch, if libpci returns ALL F, ioemu will log
warning message and continue the emulation.
Keir Fraser [Fri, 1 Aug 2008 09:01:05 +0000 (10:01 +0100)]
passthrough: fix writing handlers for base address registers.
- The current implementation cannot work correctly when base address
registers are accessed via 1-byte and 2-byte write accesses. This
patch enables them.
- Currently guest software can set an address which is not aligned
to the resource size and page size. The patch does not allow guest
software to set an unaligned address.
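The three passthrough fixes above (the expansion ROM BAR whose bit 0 is an enable bit rather than an I/O-space flag, the sub-dword write that has to be shifted into the dword read from the real device, and the BAR address that must be aligned to the resource and page size) can be shown together on a small model of the config-space write path. This is an added example for this page, not the ioemu pt_pci_write_config()/pt_bar_reg_parse() code; the function names carry an _example suffix or a pt_ prefix chosen here, and the 4 KiB page size, the flag enum values and the handling of the read-only low type bits are assumptions.

```c
#include <stdint.h>

/* Standard PCI configuration-space offsets (type 0 header). */
#define PCI_BASE_ADDRESS_0         0x10u
#define PCI_BASE_ADDRESS_5         0x24u
#define PCI_ROM_ADDRESS            0x30u
#define PCI_BASE_ADDRESS_SPACE_IO  0x01u  /* bit 0 of a regular BAR: 1 = I/O space   */
#define PCI_ROM_ADDRESS_ENABLE     0x01u  /* bit 0 of the ROM BAR: decode enable, NOT I/O */
#define PAGE_SIZE_4K               0x1000u /* assumed page size for this example */

enum pt_bar_flag { PT_BAR_FLAG_UNUSED = 0, PT_BAR_FLAG_MEM = 1, PT_BAR_FLAG_IO = 2 };

/* Classify a BAR from its offset and the value read from the real device.
 * The expansion ROM BAR is always memory-mapped: its bit 0 is the enable bit,
 * so it must never be interpreted as the I/O-space indicator. */
enum pt_bar_flag pt_bar_reg_parse_example(uint32_t reg_off, uint32_t value)
{
    if (reg_off == PCI_ROM_ADDRESS)
        return PT_BAR_FLAG_MEM;
    if (reg_off >= PCI_BASE_ADDRESS_0 && reg_off <= PCI_BASE_ADDRESS_5 &&
        (reg_off & 3u) == 0)
        return (value & PCI_BASE_ADDRESS_SPACE_IO) ? PT_BAR_FLAG_IO : PT_BAR_FLAG_MEM;
    return PT_BAR_FLAG_UNUSED;
}

/* Merge a 1-, 2- or 4-byte guest write at config offset reg_off into the
 * aligned dword read from the real device. The written value has to be
 * shifted to its byte position inside the dword; writing it unshifted would
 * corrupt the neighbouring bytes of the register. */
uint32_t pt_merge_dword_write(uint32_t dev_dword, uint32_t reg_off,
                              uint32_t value, unsigned len)
{
    unsigned shift = (reg_off & 3u) * 8u;
    uint32_t mask = (len >= 4) ? 0xffffffffu : ((1u << (len * 8u)) - 1u);
    return (dev_dword & ~(mask << shift)) | ((value & mask) << shift);
}

/* Align a guest-programmed BAR value to the resource size (a non-zero power
 * of two) and, for memory BARs, to the page size, so the guest cannot place a
 * resource where the host cannot map it. The low type bits are read-only and
 * are taken from the device's own BAR value, not from the guest. */
uint32_t pt_bar_align_address(uint32_t guest_val, uint32_t size,
                              uint32_t dev_low_bits, enum pt_bar_flag flag)
{
    uint32_t align = size;
    uint32_t type_mask = (flag == PT_BAR_FLAG_IO) ? 0x3u : 0xfu;
    if (flag == PT_BAR_FLAG_MEM && align < PAGE_SIZE_4K)
        align = PAGE_SIZE_4K;
    return (guest_val & ~(align - 1u)) | (dev_low_bits & type_mask);
}
```

A 2-byte write of 0x1122 at offset 0x12 lands in bits 31:16 of the dword at 0x10, leaving bits 15:0 from the device untouched; the same write merged without the shift would have overwritten the low half instead.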
Ian Jackson [Wed, 30 Jul 2008 15:46:30 +0000 (16:46 +0100)]
fix SDL mouse events processing
This fixes SDL mouse events processing:
- GetRelativeMouseState() always returns the last position, so when the
polling loop gets several mouse events in one go, we would send
useless 'no move' events, let's avoid that.
- So as to make sure we don't miss any mouse click / double click, we
should not use GetRelativeMouseState() to get the button state, but
rather keep records of the button state ourselves (I've requested SDL
developers to provide it directly in the event in SDL 1.3).
- bev->state doesn't contain the button state but whether the event is a press
or a release. Use bev->button instead.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Ian Jackson [Wed, 30 Jul 2008 11:06:29 +0000 (12:06 +0100)]
Use fd signal trick to break us out of select; do not sigwait
* The sigwait approach to detecting aio does not work because some
versions of glibc forget to block signals on the private aio thread.
This means that blocking SIGUSR2 is ineffective; the signals can be
lost and the program can block in sigwait (!)
* Use of SIGUSR2 to interrupt select() does not work because signals
which arrive just before entry to select() do not interrupt it.
So instead we use the time-honoured self-pipe trick: in the signal
handler we write to a pipe, which we select on when we want to wait
for the signal, and which we read from (to empty out) just before
actually doing the `top half' processing which deals with the condition
to which the signal relates.
Following discussion on xen-devel and elsewhere, we have concluded
that the real problem here was that the S3 resume flag was in the ROM
memory region rather than the EBDA. This has been fixed in
xen-unstable 18120.
We can therefore keep the whole of the ROM/BIOS area readonly.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
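The self-pipe trick described in the commit message above, as an added stand-alone example (not the ioemu code): the handler records the signal as a byte in a non-blocking pipe, the wait selects on the read end, and the "top half" drains the pipe before handling the condition. Because the byte is already readable by the time select() is entered, a signal that arrives just before the call is not lost, which is the failure mode the message describes for interrupting select() with a bare signal. The function names, the use of SIGUSR2 and the 1 KiB drain buffer are choices made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* wake_fd[1] is written by the handler, wake_fd[0] is selected on. */
static int wake_fd[2] = { -1, -1 };

/* Signal handler: only async-signal-safe calls, errno preserved. The write
 * end is non-blocking, so a full pipe simply drops the byte; one pending
 * byte is enough to wake the loop. */
static void wake_handler(int signo)
{
    int saved = errno;
    char c = (char)signo;
    (void)write(wake_fd[1], &c, 1);
    errno = saved;
}

/* Make fd non-blocking without clearing its other status flags. */
static int set_nonblock_keep_flags(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Create the pipe and install the handler for signo. Returns 0 on success. */
int selfpipe_init(int signo)
{
    struct sigaction sa;
    if (pipe(wake_fd) < 0)
        return -1;
    if (set_nonblock_keep_flags(wake_fd[0]) < 0 ||
        set_nonblock_keep_flags(wake_fd[1]) < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = wake_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, NULL);
}

/* Wait up to timeout_ms for a signal to have been recorded in the pipe.
 * Returns 1 if one is pending, 0 on timeout, -1 on error. */
int selfpipe_wait(int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int r;
    FD_ZERO(&rfds);
    FD_SET(wake_fd[0], &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    do {
        r = select(wake_fd[0] + 1, &rfds, NULL, NULL, &tv);
    } while (r < 0 && errno == EINTR);
    return r < 0 ? -1 : (r > 0 ? 1 : 0);
}

/* Empty the pipe immediately before running the top-half processing, so the
 * next wait does not wake spuriously. Returns the number of bytes drained. */
int selfpipe_drain(void)
{
    char buf[1024];
    int total = 0;
    ssize_t n;
    while ((n = read(wake_fd[0], buf, sizeof buf)) > 0)
        total += (int)n;
    return total;
}
```

Draining before, not after, the top half matters: a signal that arrives while the condition is being processed leaves a fresh byte in the pipe, so the next selfpipe_wait() returns immediately and the new event is not missed.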
Ian Jackson [Tue, 22 Jul 2008 15:28:06 +0000 (16:28 +0100)]
Nicer fix for spurious messages from configure when GCC3 is missing.
This reverts b5123e05cce4be4c6c8c822fad0f0df4c053da06 and replaces it
with a nice simple change, namely to change test ... -a ... with
test ... && test ... . That provides shortcut evaluation.
Thanks to Andre Przywara who provided this one-line change as an
update to the previous commit.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 22 Jul 2008 15:23:47 +0000 (16:23 +0100)]
Pass --disable-gfx-check to allow VNC-only builds.
Qemu upstream inexplicably falls over during configuration if you will
be forced to use VNC for graphics, as if that were somehow an
unreasonable thing to do. So hit that check on the head.
Thanks to Christoph Egger for the report.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 22 Jul 2008 14:49:52 +0000 (15:49 +0100)]
Fix HVM direct kernel booting.
This was broken during the merge with qemu upstream.
Fixes:
* Properly update kernel loading address so that qemu actually
loads the kernel where we want it.
* Use 0x200000 not 0x20000 as the updated kernel loading address.
* Use stl_phys(real_addr+0x214,) rather than stl_p(header+0x214,),
as the header has already been copied into target memory so we
need to update it there.
Ian Jackson [Tue, 22 Jul 2008 10:52:24 +0000 (11:52 +0100)]
pci passthrough changes ported across from xen-unstable by Yuji Shimada
The patch contains the following patches which have been applied to Xen
Unstable Changeset 17959-18076.
pci_config_passthrough_with_msi_msix.patch
[Xen-devel] [PATCH] Support more Capability Structures (including
MSI/MSI-X) and Device Specific Registers for pt device.
Yuji Shimada <shimada-yxb@necst.nec.co.jp>
Fri, 04 Jul 2008 15:26:52 +0900
fix_pt_iomap.patch
Re: [Xen-devel] [PATCH] Support more Capability Structures
(including MSI/MSI-X) and Device Specific Registers for pt device.
NISHIGUCHI Naoki <nisiguti@jp.fujitsu.com>
Tue, 08 Jul 2008 14:14:55 +0900
Ian Jackson [Fri, 18 Jul 2008 13:28:52 +0000 (14:28 +0100)]
Do not disturb old fd flags (eg O_APPEND) when setting nonblock.
socket_set_nonblock should not unconditionally call
fcntl(,F_SETFL,O_NONBLOCK) because that would clear other flags which
might be intentionally set on the fd.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
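The bug and the fix described in this commit message, shown side by side as an added example (not the socket_set_nonblock code from ioemu): the first setter passes only O_NONBLOCK to F_SETFL and so wipes O_APPEND from the descriptor, the second reads the current flags with F_GETFL and ORs O_NONBLOCK in. The helper append_survives() opens a scratch file with O_APPEND, applies one of the two setters and reports whether the flag is still there; the scratch path and the function names are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <unistd.h>

/* The broken pattern: F_SETFL replaces the whole status-flag set, so every
 * other flag (O_APPEND, O_ASYNC, ...) that was set on fd is dropped. */
int set_nonblock_clobbering(int fd)
{
    return fcntl(fd, F_SETFL, O_NONBLOCK);
}

/* The fix: fetch the current flags and add O_NONBLOCK to them. */
int set_nonblock_preserving(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    if (flags & O_NONBLOCK)
        return 0;                       /* already non-blocking: nothing to do */
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* 1 if fd has O_APPEND set, 0 if not, -1 on error. */
int fd_has_append(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    return flags < 0 ? -1 : !!(flags & O_APPEND);
}

/* Open `path` with O_APPEND, apply the clobbering (clobber != 0) or the
 * preserving setter, and report whether O_APPEND survived: 1 yes, 0 lost,
 * -1 on error. The scratch file is removed again. */
int append_survives(const char *path, int clobber)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    int rc, kept;
    if (fd < 0)
        return -1;
    rc = clobber ? set_nonblock_clobbering(fd) : set_nonblock_preserving(fd);
    kept = rc < 0 ? -1 : fd_has_append(fd);
    close(fd);
    unlink(path);
    return kept;
}
```

On a log file opened O_APPEND the clobbering variant silently turns every later write into an overwrite at the current offset, which is the kind of unintended side effect the commit message warns about.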
Ian Jackson [Fri, 18 Jul 2008 13:24:17 +0000 (14:24 +0100)]
Always use nonblocking mode for qemu_chr_open_fd.
The rest of qemu assumes that IO operations on a CharDriverState do
not block. Currently there are a couple of cases where such a driver
was set up but the calls to set nonblocking mode were missing:
* qemu_chr_open_pty
* qemu_chr_open_pipe
* qemu_chr_open_stdio
This is fixed by adding two calls to socket_set_nonblock to
qemu_chr_open_fd.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 18 Jul 2008 13:33:07 +0000 (14:33 +0100)]
ide: enable single word DMA
Windows XP doesn't enable DMA by default on dvd-rom devices emulated by QEMU.
Furthermore if I try to manually enable DMA using Device Manager, the
DMA mode chosen by Windows is inexplicably one of the few modes
unsupported by QEMU: single word mode 2.
Since on virtual hardware single word DMA is not really slower than
multi word DMA, it makes sense for QEMU to support single word dma as
well.
This patch does exactly this. We also make sure that mdma is
deactivated when sdma is active and vice versa.
This has various compatibility problems, including breaking
restoration of old images. It is also likely that we will want to
increase this amount in the future.
Ian Jackson [Wed, 9 Jul 2008 11:32:09 +0000 (12:32 +0100)]
Store pty name in xenstore for the benefit of the tools.
This is a rather intrusive patch, because we need a mechanism to get
the ptsname out of the guts of the qemu startup code. This is a
first cut of such a thing which might eventually go upstream.
The main new interface is chr_getname, a new CharDriverState method.
If implemented it returns "<type> <name>" where currently "<type>" is
"pty" for ptys. If not implemented the function pointer may be null.
We import store_dev_info from xen-unstable (17987:9b35ae586cb8) and
eviscerate it appropriately.
Ian Jackson [Wed, 9 Jul 2008 10:38:33 +0000 (11:38 +0100)]
Do not rebuild every time ./xen-setup is run.
This involves saving config-host.h while we rerun config and
regenerate it, putting the saved version back, and then installing
the new version only if it has changed.