Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Fix OOB access via malformed incoming_posn parameters
and check that requested memory is actually alloc'ed.
Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
[AF: Rebased, cleanups, avoid fd leak]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.
Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[AF: Tighten upper bound check for posn in close_guest_eventfds()]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field. Fix this and
check we received enough bytes before accessing the buffer pointer.
Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
[AF: Handle partial reads via FIFO]
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This patch fixes instructions counting when execution is stopped on
breakpoint (e.g. set from gdb). Without a patch extra instruction is translated
and icount is incremented by invalid value (which equals to number of
executed instructions + 1).
Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Add support for powerpc platforms. We use uname -m, which allows us to
detect ppc, ppc64 and ppc64le/el.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Unfortunately ioctl numbers are platform specific, so abstract them out
of the code so they can be overridden. As it happens x86 and s390 share
the same values, so nothing needs to change yet.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The current platform detection is a little bit messy. We look for lines
in /proc/cpuinfo starting with 'flags' OR 'vendor-id', and scan both
for values we know will only occur in one or the other. We also keep
scanning once we've found a value, which could be a feature, but isn't
in this case.
We'd also like to add another platform, powerpc, which will just make it
worse. So clean it up in preparation.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
In kvm_stat we have a dictionary of exit reasons for s390. Firstly these
are not s390 specific, they are the generic exit reasons. So rename the
dictionary to reflect that, and add it separately to filters[].
Secondly, the values are defined using hex, but in the kernel header
they are decimal. That means values above 9 in kvm_stat are incorrect.
While we're there, fix the whitespace to match the rest of the file.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
In kvm_stat we grovel through /sys to find out how many cpus are in the
system. However if a cpu is offline it will still be present in /sys,
and the perf_event_open() will fail.
Modify the logic to only return online cpus. We need to be careful on
systems which don't support cpu hotplug, the online file will not be
present at all.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
We need to count the ctrlq and eventq, and also cleanup before
returning. Besides, the format string should be unsigned.
The number could never be less than zero.
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Before, when a write protected iSCSI target is attached as scsi-disk
with BDRV_O_RDWR, we report it as writable, while in fact all writes
will fail.
One way to improve this is to report write protect flag as true to
guest, but a even better way is to refuse using a write protected LUN to
guest.
Target write protect flag is checked with a mode sense query.
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
When QEMU works in icount mode cpu_restore_state function performs two actions:
restoring the program counter and updating icount to the correct value.
kvmvapic's patch_instruction function is called by cpu_report_tpr_access
function which also invokes cpu_restore_state. It results to calling
cpu_restore_state twice - in cpu_report_tpr_access and in patch_instruction.
When icount is disabled second call is safe. But when icount is enabled,
cpu_restore_state modifies instructions counter twice, which leads to incorrect
behavior. This patch removes useless cpu_restore_state call from kvmvapic.
Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
commit abfd9ce3(migration: dump vmstate info as a json
file for static analysis) introduce a new command,
'-dump-vmstate', that takes a filename
as an argument. When executed, QEMU will dump the vmstate information
for the machine type it's invoked with to the file, and quit.
However, only one instance of the -dump-vmstate option is supported.
If more were given, the vmstate_dump_file variable would be overwritten.
This fix also helps silence a Coverity error.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The PCI MMIO might be disabled or the device in the reset state.
Make sure we do not dump these memory regions.
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This is a pc & q35 only machine opt.
VMWare apparently doesn't like running under QEMU due to our
incomplete emulation of it's special IO Port. This adds a
pc & q35 property to allow it to be turned off.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Don Slutz <dslutz@verizon.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
MSI-X works slightly different than INTx; the doorbell
registers are not necessarily used as MSI-X interrupts
are directed anyway. So the head pointer on the
reply queue needs to be updated as soon as a frame
is completed, and we can set the doorbell only
when in INTx mode.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Windows requires the frames to be unmapped, otherwise we run
into a race condition where the updated frame data is not
visible to the guest.
With that we can simplify the queue algorithm and use a bitmap
for tracking free frames.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Improve queue logging by displaying head and tail pointer
of the completion queue.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Some implementations use DCMD_CLUSTER_RESET_LD to simulate
a device reset.
Signed-off-by: Hannes Reinecke <hare@suse.de>
[Compare against id, not lun. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The windows driver is sending several init_firmware commands
when in MSI-X mode. It is, however, using only the first
queue. So disregard any additional init_firmware commands
until the HBA is reset.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The EFI firmware doesn't handle unit attentions properly,
so we need to clear the Power On/Reset unit attention upon
initial reset.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
To ease debugging we should be decoding
the register names.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The check for a valid command buffer size was inverted.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The 2108 chip supports MSI and MSI-X, so update the emulation
to support both chips.
Signed-off-by: Hannes Reinecke <hare@suse.de>
[Make VMStateDescription const. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Logical drives can only be addressed with the 'target_id' number;
LUN numbers cannot be selected.
Physical drives can be selected with both, target and LUN id.
So we should disallow LUN numbers not equal to 0 when in
RAID mode.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The trace events already contain the function name, so the actual
message doesn't need to contain any of these informations.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The MFI_DCMD_LD_LIST_QUERY function is using a different format than
MFI_DCMD_LD_LIST, so we need to implement it differently.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
scsi_cdb_length() does not return the length of the cdb, but
the transfersize encoded in the cdb. So rename it to scsi_cdb_xfer()
and also rename all other related functions to end with _xfer.
We can then add a new scsi_cdb_length() which actually does return the
length of the cdb. With that DEBUG_SCSI can now display the correct
CDB buffer.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Expand %.mo-objs in -y nested objects, so that we can write combined
object -cflags rules like what will be done in the coming patch.
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* remotes/sstabellini/xen-2014-10-30:
fix off-by-one error in pci_piix3_xen_ide_unplug
xen-hvm.c: Add support for Xen access to vmport
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Fix off-by-one error when unplugging disks, which would otherwise leave the last ATA disk plugged, with obvious consequences. Also rewrite loop to be more readable.
Signed-off-by: James Harper <james.harper@ejbdigital.com.au>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
This adds synchronisation of the 6 vcpu registers (only 32bits of
them) that vmport.c needs between Xen and QEMU.
This is to avoid a 2nd and 3rd exchange between QEMU and Xen to
fetch and put these 6 vcpu registers used by the code in vmport.c
and vmmouse.c
The registers are passed in the new shared page provided by
HVM_PARAM_VMPORT_REGS_PFN.
Add new array to XenIOState that allows selection of current_cpu by
vcpu id.
Now pass XenIOState to handle_ioreq().
Add new routines regs_to_cpu(), regs_from_cpu(), and
handle_vmport_ioreq().
Signed-off-by: Don Slutz <dslutz@verizon.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
MAINTAINERS updates, and AVX512 support.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAABAgAGBQJUTmDNAAoJEL/70l94x66DPb0IAKKhf8IRfQZPEQgOWD2YeANd
vwAZ4JcqAl2/dbeOTrs5TXOWdoNVXUFDmeHh4zsgUB7poxsOqZ/M7N844UGR5duC
f4fKYXAkjyqocKH7dbpf/S+YuJtU40qowI02HQeEmGpZaJUjmfMAFwrguqerdMaB
pGA79948XeoAjP8jNgf1EqCqLi31GBEfiU2q05xLKxd+M0xSFIM7IM2hGZfFv7Hq
bbE2CGuCyj4NST/GH2C/22QBz9MyqFaL2prtDqoMugAHTKE7vO/rpFti9oTDRCXa
x8U/JcBf/puBNI+Kq+cdxTJicwIuqrcBkNmjP9sLv/nJ37QwEG06VDCd4Xj9mEs=
=zXqD
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.
# gpg: Signature made Mon 27 Oct 2014 15:12:13 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream: (28 commits)
aio / timers: De-document -clock
hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
virtio-scsi: sense in virtio_scsi_command_complete
target-i386: add Intel AVX-512 support
get_maintainer.pl: restrict cases where it falls back to --git
get_maintainer.pl: move git loop under "if ($email) {"
qtest: fix qtest log fd should be initialized before qtest chardev
MAINTAINERS: avoid M entries that point to mailing lists
MAINTAINERS: add some tests directories
MAINTAINERS: Add more TCG files
MAINTAINERS: add myself for X86
MAINTAINERS: add Samuel Thibault as usb-serial.c and baum.c maintainer
MAINTAINERS: grab more files from Anthony's pile
target-i386: warns users when CPU threads>1 for non-Intel CPUs
sysbus: Use TYPE_DEVICE GPIO functionality
qdev: gpio: Define qdev_pass_gpios()
qdev: gpio: Remove qdev_init_gpio_out x1 restriction
qdev: gpio: delete NamedGPIOList::out
irq: Remove qemu_irq_intercept_out
qtest/irq: Rework IRQ interception
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The virtio-rng backend is currently linked twice, once in the proxy
device (e.g. virtio-rng-pci) and once in virtio-rng-device. This causes
a double unref of the backend when the parent device is unplugged.
To fix this, make the proxy device use an alias, similar to what is
already being done for the iothread link.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Message-id: 1414577839-18695-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
graphic_hw_update and vnc_refresh_server_surface aren't
need to do when no vnc client connected. It can reduce
lock contention, because vnc_refresh will hold global big
lock two millisecond every three seconds.
Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.
To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.
This is CVE-2014-7815.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
[ kraxel: apply codestyle fix ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
commit 50dcc0f8 (uhci: tracing support) had removed
DPRINTF, the DEBUG marco is useless now, remove it.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
streams support in usb-redir and usb-host works only with recent enough
versions of the support libraries (libusbredir and libusbx). Failure
mode is rather unelegant: Any stream usb transfers will throw stall
errors. Turning off support for streams in the xhci host controller
will work better as the guest can figure beforehand that streams are
not going to work.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
commit 57f97834ef cleaned up
the cac_applet_pki_process_apdu function to have a single
exit point. Unfortunately, that commit introduced a bug
where the sign buffer can get free'd and nullified while
it's still being used.
This commit corrects the bug by introducing a boolean to
track whether or not the sign buffer should be freed in
the function exit path.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Alon Levy <alon@pobox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
When a process in a guest uses an emulated smartcard, libcacard running
on the host passes the PIN from the guest to the PK11_Authenticate NSS
function. The first time PK11_Authenticate is called the passed in PIN
is used to unlock the certificate database. Subsequent calls to
PK11_Authenticate will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.
Of course, the guest may have many applications using the one emulated
smart card all driven from the same host QEMU process. That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
successfully unlock the virtual smartcard.
This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Andreas Färber