lock_user() can return NULL, which typically means the syscall
should fail with EFAULT. Add checks in various places where
Coverity spotted that we were missing them.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
A target_mmap() call in load_elf_binary() was missing the MAP_ANONYMOUS
flag. (Spotted by Coverity, because target_mmap() will try to use
-1 as the filedescriptor in this case.)
This has never been noticed because the code in question is for
handling ancient SVr4 iBCS2 binaries.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Native strace reports when the process being traced takes a signal:
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
Report something similar when QEMU is doing its internal strace of
the guest process and is about to deliver it a signal.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
* we fail these cases EINVAL rather than EFAULT
* we don't pass negative or overflowing values to the
lock_user() size calculation
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
The linux utimensat syscall differs in semantics from the
libc function because the syscall combines the features
of utimensat() and futimens(). Rather than trying to
split these apart in order to call the two libc functions
which then call the same underlying syscall, just always
directly make the host syscall. This fixes bugs in some
of the corner cases which should return errors from the
syscall but which we were incorrectly directing to futimens().
This doesn't reduce the set of hosts that our syscall
implementation will work on, because if the direct syscall
fails ENOSYS then the libc functions would also fail ENOSYS.
(The system call has been in the kernel since 2.6.22 anyway.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Implement the FS_IOC_GETFLAGS and FS_IOC_SETFLAGS ioctls, as used
by chattr.
Note that the type information encoded in these ioctl numbers
is at odds with the actual type the kernel accesses, as discussed
in http://thread.gmane.org/gmane.linux.file-systems/80164.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
The POSIX standard mandates that for a connected socket recvfrom()
must ignore the msg_name and msg_namelen fields. This is awkward
for QEMU because we will attempt to copy them from guest address
space. Handle this by not immediately returning a TARGET_EFAULT
if the copy failed, but instead passing a known-bad address
to the host kernel, which can then return EFAULT or ignore the
value appropriately.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
The sendmsg and recvmsg syscalls use a different errno to indicate
an overlarge iovec length from readv and writev. Handle this
special case in do_sendrcvmsg_locked() to avoid getting the
default errno returned by lock_iovec().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
In the kernel the length of an iovec is generally handled as
an unsigned long, not an integer; fix the parameter to
lock_iovec() accordingly.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Since bd6092e Replace qmp-commands.hx by docs/qmp-commands.txt
make install fails if building out of source-tree.
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1474362094-2293-1-git-send-email-riku.voipio@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Running cpuid instructions with a simple run like:
i386-linux-user/qemu-i386 tests/tcg/sha1-i386
Results in the following assert:
#0 0x00007ffff64246f5 in raise () from /lib64/libc.so.6
#1 0x00007ffff64262fa in abort () from /lib64/libc.so.6
#2 0x00007ffff7937ec5 in g_assertion_message () from /lib64/libglib-2.0.so.0
#3 0x00007ffff7937f5a in g_assertion_message_expr () from /lib64/libglib-2.0.so.0
#4 0x000055555561b54c in apicid_bitwidth_for_count (count=0) at /home/elmarco/src/qemu/include/hw/i386/topology.h:58
#5 0x000055555561b58a in apicid_smt_width (nr_cores=0, nr_threads=0) at /home/elmarco/src/qemu/include/hw/i386/topology.h:67
#6 0x000055555561b5c3 in apicid_core_offset (nr_cores=0, nr_threads=0) at /home/elmarco/src/qemu/include/hw/i386/topology.h:82
#7 0x000055555561b5e3 in apicid_pkg_offset (nr_cores=0, nr_threads=0) at /home/elmarco/src/qemu/include/hw/i386/topology.h:89
#8 0x000055555561dd86 in cpu_x86_cpuid (env=0x555557999550, index=4, count=3, eax=0x7fffffffcae8, ebx=0x7fffffffcaec, ecx=0x7fffffffcaf0, edx=0x7fffffffcaf4) at /home/elmarco/src/qemu/target-i386/cpu.c:2405
#9 0x0000555555638e8e in helper_cpuid (env=0x555557999550) at /home/elmarco/src/qemu/target-i386/misc_helper.c:106
#10 0x000055555599dc5e in static_code_gen_buffer ()
#11 0x00005555555952f8 in cpu_tb_exec (cpu=0x5555579912d0, itb=0x7ffff4371ab0) at /home/elmarco/src/qemu/cpu-exec.c:166
#12 0x0000555555595c8e in cpu_loop_exec_tb (cpu=0x5555579912d0, tb=0x7ffff4371ab0, last_tb=0x7fffffffd088, tb_exit=0x7fffffffd084, sc=0x7fffffffd0a0) at /home/elmarco/src/qemu/cpu-exec.c:517
#13 0x0000555555595e50 in cpu_exec (cpu=0x5555579912d0) at /home/elmarco/src/qemu/cpu-exec.c:612
#14 0x00005555555c065b in cpu_loop (env=0x555557999550) at /home/elmarco/src/qemu/linux-user/main.c:297
#15 0x00005555555c25b2 in main (argc=2, argv=0x7fffffffd848, envp=0x7fffffffd860) at /home/elmarco/src/qemu/linux-user/main.c:4803
The fields are set in qemu_init_vcpu() with softmmu, but it's a stub
with linux-user.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
commit 78d6a05d2f
("x86/lapic: Load LAPIC state at post_load")
has some debugging leftovers.
Drop them.
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
This avoids a double hand-full of magic numbers in the
xsave and xrstor helper functions.
Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
The only remaining function of qmp-commands.hx is to let us generate
qmp-commands.txt from it. Replace qmp-commands.hx by qmp-commands.txt.
We intend to move the documentation into the QAPI schema and generate
qapi-commands.txt from it, but not right now.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-19-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Replace the old manual dispatch and validation code by the generic one
provided by qapi common code.
Note that it is now possible to call the following commands that used to
be disabled by compile-time conditionals:
- dump-skeys
- query-spice
- rtc-reset-reinjection
- query-gic-capabilities
Their fallback functions return an appropriate "feature disabled" error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-16-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Check that invalid args on commands without arguments returns an error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-15-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
The generated marshal functions do not visit arguments from commands
that take no arguments. Thus they fail to catch invalid
members. Visit the arguments, if provided, to throw an error in case of
invalid members.
Currently, qmp_check_client_args() checks for invalid arguments and
correctly catches this case. When switching to qmp_dispatch() we want to
keep that behaviour. The commands using 'O' may have arbitrary
arguments, and must have 'gen': false in the qapi schema to skip the
generated checks.
Old/new diff:
void qmp_marshal_stop(QDict *args, QObject **ret, Error **errp)
{
Error *err = NULL;
+ Visitor *v = NULL;
- (void)args;
+ if (args) {
+ v = qmp_input_visitor_new(QOBJECT(args), true);
+ visit_start_struct(v, NULL, NULL, 0, &err);
+ if (err) {
+ goto out;
+ }
+
+ if (!err) {
+ visit_check_struct(v, &err);
+ }
+ visit_end_struct(v, NULL);
+ if (err) {
+ goto out;
+ }
+ }
qmp_stop(&err);
+
+out:
error_propagate(errp, err);
+ visit_free(v);
+ if (args) {
+ v = qapi_dealloc_visitor_new();
+ visit_start_struct(v, NULL, NULL, 0, NULL);
+
+ visit_end_struct(v, NULL);
+ visit_free(v);
+ }
}
The new code closely resembles code for a command with arguments.
Differences:
- the visit of the argument and its cleanup struct don't visit any
members (because there are none).
- the visit of the argument struct and its cleanup are conditional.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-14-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Now that the register function is always generated, we can
remove the so-called "middle" mode from the generator script.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-13-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
This is no longer necessary now that we aren't using middle mode
anymore.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20160912091913.15831-12-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
One step towards getting rid of the static qmp_cmds table.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20160912091913.15831-11-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Stop using the so-called 'middle' mode. Instead, use qmp_find_command()
from generated qapi commands registry. Update and fix the documentation
too.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-10-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Make it possible to call marshallers manually, without going through
qmp_dispatch(). (this is currently only possible in middle-mode, but
it's also useful in general)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-9-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
We currently define QMP commands in two places: the QAPI schema and
qmp-commands.hx. The latter is preprocessed, the former is not. We
use the preprocessor to suppress configuration-specific commands. For
instance, query-spice is only available #ifdef CONFIG_SPICE.
QMP command dispatch and query-commands use the qmp-commands.hx
definition, and thus obey the #ifdeffery there. Good, because it lets
QMP clients probe for available features more easily.
query-qmp-schema uses the QAPI schema, and thus lists the
configuration-specific commands even when they're unavailable. Not so
good.
We're about to flip command dispatch and query-commands to the
non-middle-mode command registry, which uses the QAPI schema, so we
can ditch qmp-commands.hx. To avoid regressing query-commands,
arrange for commands that are suppressed with the preprocessor now to
be unregistered with that registry. This will keep them unavailable
and out of query-commands when we flip command dispatch and
query-commands to that registry, exactly as before.
This is a hack. The proper solution is to support
configuration-specific commands in the QAPI schema. Mark it FIXME.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20160912091913.15831-8-marcandre.lureau@redhat.com>
Since a few commands are using 'gen': false, they are not registered
automatically by the generator. Register manually instead.
This is in preparation for removal of qapi 'middle' mode generation.
Note that qmp_init_marshal() function isn't run yet, so the commands
aren't actually registered, until module_call_init(MODULE_INIT_QAPI) is
added in a later patch.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20160912091913.15831-6-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
handle_qmp_command() will switch to use qmp_dispatch(). It won't have a
pointer to the marshaller function anymore, but only the name of the
command to invoke. Simplify invalid_qmp_mode() so it can just be called
with the command name.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20160912091913.15831-5-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Even though device_add is not fully qapi'fied, we may add it to the json
schema with 'gen': false, so registration and documentation can be
generated.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20160912091913.15831-4-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
qapi'fy the 'qmp_capabilities' command, makes the command visible in
query-qmp-schema.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20160912091913.15831-3-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
There are better chances to find what went wrong at build time than a
later assert in qmp_query_version
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160912091913.15831-2-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
It is very useful to know about TLS cert verification
status when debugging, so add a trace point for it.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Currently pbkdf is only supported with SHA1 and SHA256. Expand
this to support all algorithms known to QEMU.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
cryptsetup recently increased the default pbkdf2 time to 2 seconds
to partially mitigate improvements in hardware performance wrt
brute-forcing the pbkdf algorithm. This updates QEMU defaults to
match.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
When calculating iterations for pbkdf of the key slot
data, we had a /= 2, which was copied from identical
code in cryptsetup. It was always unclear & undocumented
why cryptsetup had this division and it was recently
removed there, too.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Currently when timing the pbkdf algorithm a fixed key
size of 32 bytes is used. This results in inaccurate
timings for certain hashes depending on their digest
size. For example when using sha1 with aes-256, this
causes us to measure time for the master key digest
doing 2 sha1 operations per iteration, instead of 1.
Instead we should pass in the desired key size to the
timing routine that matches the key size that will be
used for real later.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The 'out' buffer will hold a key derived from master
password, so it is best practice to clear this buffer
when no longer required.
At this time, the code isn't worrying about locking
buffers into RAM to prevent swapping sensitive data
to disk.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
As protection against bruteforcing passphrases, the PBKDF
algorithm is tuned by counting the number of iterations
needed to produce 1 second of running time. If the machine
that the image will be used on is much faster than the
machine where the image is created, it can be desirable
to raise the number of iterations. This change adds a new
'iter-time' property that allows the user to choose the
iteration wallclock time.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
The qcrypto_pbkdf_count_iters method uses a 64 bit int
but then checks its value against INT32_MAX before
returning it. This bounds check is premature, because
the calling code may well scale the iteration count
by some value. It is thus better to return a 64-bit
integer and let the caller do range checking.
For consistency the qcrypto_pbkdf method is also changed
to accept a 64bit int, though this is somewhat academic
since nettle is limited to taking an 'int' while gcrypt
is limited to taking a 'long int'.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- a fix for a regression introduced in 2.7
- basic functional testing for virtio-9p
- some code cleanups for 9pfs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlffsoEACgkQAvw66wEB28Lw8wCgojmICLgnE5foLIdW9dW5nodK
8B0AnAxj0jIYdc2WN5DrFcTrcaSea5KN
=Rhkz
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
This pull request contains:
- a fix for a regression introduced in 2.7
- basic functional testing for virtio-9p
- some code cleanups for 9pfs
# gpg: Signature made Mon 19 Sep 2016 10:40:17 BST
# gpg: using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Greg Kurz <groug@free.fr>"
# gpg: aka "Greg Kurz <gkurz@fr.ibm.com>"
# gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg: aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg: aka "Gregory Kurz (Cimai Technology) <gkurz@cimai.com>"
# gpg: aka "Gregory Kurz (Meiosys Technology) <gkurz@meiosys.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2
* remotes/gkurz/tags/for-upstream:
9pfs: fix potential segfault during walk
tests: virtio-9p: add basic configuration test
tests: virtio-9p: introduce start/stop functions
9pfs: introduce v9fs_path_sprintf() helper
9pfs: drop useless v9fs_string_null() function
9pfs: drop duplicate line in proxy backend
9pfs: drop unused fmt strings in the proxy backend
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
If the call to fid_to_qid() returns an error, we will call v9fs_path_free()
on uninitialized paths.
It is a regression introduced by the following commit:
56f101ecce 9pfs: handle walk of ".." in the root directory
Let's fix this by initializing dpath and path before calling fid_to_qid().
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
[groug: updated the changelog to indicate this is regression and to provide
the offending commit SHA1]
Signed-off-by: Greg Kurz <groug@kaod.org>
Fixup some typos and whitespace damage introduced by the CPU model
patches for s390.
Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
We have everything needed for virtio-ccw revision 2 wired up now.
Bump the maximum supported revision reported on a device basis to
the guest so they can make use of it.
Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
This patch adds the response to the READ_STATUS CCW command.
Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>