Commit Graph

17299 Commits

Author SHA1 Message Date
Luiz Capitulino
54d50be688 qapi: Check for negative enum values
We don't currently check for negative enum values in qmp_output_type_enum(),
this will very likely generate a segfault when triggered.

However, it _seems_ that no code in tree can trigger this today.

Acked-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2011-11-17 15:15:03 -02:00
Anthony Liguori
3f5bd4e1b8 Update version to 1.0-rc2
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-14 11:26:32 -06:00
Alon Levy
3827cdb1c3 pc_piix: set qxl revision to 2 for pc-0.14
The default is still 3, and I didn't change older machine types.

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-14 11:26:32 -06:00
Peter Maydell
e1556ad5b8 hw/omap_gpio: Fix infinite recursion when doing 8/16 bit reads
Fix a long-standing bug which meant that any attempt to do an
8 or 16 bit read from the OMAP GPIO module would cause qemu to
crash due to an infinite recursion.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-14 11:26:32 -06:00
Andrzej Zaborowski
371572dff4 Revert bugfix e7852674d5 until tested or until after the release.
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 18:17:59 +01:00
Juha Riihimäki
a3efecb847 hw/onenand: reject read-only drives
Signed-off-by: Juha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 03:22:30 +01:00
Juha Riihimäki
3fc3abf7ec hw/nand: reject read-only drives
also gracefully fail on nand_device_init() for unsupported block
size instead of aborting.

Signed-off-by: Juha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 03:19:18 +01:00
Jean-Christophe DUBOIS
b2887c43ee hw/arm_sysctl: Fix RESETCTL for realview-pb-a8 and -pbx-a9
Depending on the considered baseboard the bit used to
reset the platform is different.

Here is the list of considered Realview/Versatile platforms:

Realview/Versatile AB for ARM926EJ-S: BOARD_ID = 0x100 = BOARD_ID_PB9
http://infocenter.arm.com/help/topic/com.arm.doc.dui0225d/CACCIFGI.html

RealView Emulation Baseboard: BOARD_ID = 0x140 = BOARD_ID_EB
No reset register

RealView PB for Cortex-A8: BOARD_ID = 0x178 = BOARD_ID_PBA8
http://infocenter.arm.com/help/topic/com.arm.doc.dui0417d/BBACIGAD.html

RealView PB for Cortex-A9: BOARD_ID = 0x182 = BOARD_ID_PBX
http://infocenter.arm.com/help/topic/com.arm.doc.dui0440b/CACCHBFB.html

Motherboard Express =C2=B5ATX: BOARD_ID = 0x190 = BOARD_ID_VEXPRESS
No reset register

Signed-off-by: Jean-Christophe DUBOIS <jcd@tribudubois.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 03:09:20 +01:00
Peter Maydell
7c64d297f9 hw/pxa2xx.c: Fix handling of RW bits in PMCR
Fix an error in commit afd4a6522 which meant that writing a zero
to the RW bits in the PMCR wouldn't actually clear them. (Error
spotted by Andrzej Zaborowski.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 02:26:20 +01:00
Peter Maydell
e7852674d5 hw/usb-net.c: Fix precedence bug when checking rndis_state
"!X == 2" is always false (spotted by Coverity), so the checks
for whether rndis is in the correct state would never fire.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-11-14 02:19:24 +01:00
Avi Kivity
88365e47dd memory: fix 'info mtree' segfaults
'info mtree' accesses invalid memory in two cases, both due to incorrect
(and unsafe) usage of QTAILQ_FOREACH_SAFE().

Reported-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Avi Kivity <avi@redhat.com>
2011-11-13 12:00:55 +02:00
Anthony Liguori
74d33d5ce4 Merge remote-tracking branch 'kwolf/block-stable' into staging 2011-11-11 17:26:37 -06:00
Max Filippov
0abe905d29 vl.c: prohibit simultaneous use of -icount with kvm or xen
With -icount, The vm_clock is updated with help from TCG (it counts
instructions at 2^ICOUNT ns/instructions). With KVM, the instruction
count is not available so KVM cannot provide this help.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
ee71c98434 hw/arm_timer.c: Fix bounds check for Integrator timer accesses
There are only three counter/timers on the integrator board:
correct the bounds check to avoid an array overrun. (Spotted
by Coverity, see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
afd4a65225 hw/pxa2xx.c: Fix handling of R/WC bits in PMCR
Fix a bug in handling the write-one-to-clear bits in the PMCR
which meant that we would always clear the bit even if the
value written was a zero. Spotted by Coverity (see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
b78c2b3aad hw/pl061: Remove pointless comparison of array to null
Remove a pointless comparison of an array to null. (There is
no need to check whether s->out[i] is non-null as qemu_set_irq
will do that for us.) Spotted by Coverity (see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
35914dc724 hw/tc58128.c: Remove unnecessary check for g_malloc failure
Remove a check for g_malloc failing: this never happens.
Also use g_malloc rather than g_malloc0 as we immediately
memset the entire region and so zero-initialising it is pointless.
Spotted by Coverity (see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
7dd47667b9 linux-user/elfload.c: Don't memset(NULL..) if malloc() failed
If a malloc() in copy_elf_strings() failed we would call memset()
before the "did malloc fail?" check. Fix this by moving to the
glib alloc/free routines for this memory so we can use g_try_malloc0
rather than having a separate memset(). Spotted by Coverity (see
bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:53 -06:00
Peter Maydell
096685fc2a hw/omap_intc.c: Avoid crash on access to nonexistent banked registers
Avoid a crash due to null pointer dereference if a guest attempts
to access banked registers for a nonexistent bank. Spotted by
Coverity (see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:52 -06:00
Markus Armbruster
1bbd1592c8 os-posix: Plug fd leak in qemu_create_pidfile()
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:52 -06:00
Markus Armbruster
095ed5be7b posix-aio-compat: Plug memory leak on paio_init() error path
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:52 -06:00
Markus Armbruster
9d94747262 qemu-sockets: Plug fd leak on unix_connect_opts() error path
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:52 -06:00
Markus Armbruster
f2d3476eba ui: Plug memory leaks on parse_keyboard_layout() error path
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:51 -06:00
Markus Armbruster
a4e2604852 qemu-char: Plug memory leak on qemu_chr_open_pty() error path
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:51 -06:00
Juan Quintela
1299c63168 migration: fix detached migration with fd
Migration with fd uses s->mon to pass the fd.  But we only assign the
s->mon for !detached migration.  Fix it.  Once there add a comment
indicating that s->mon has two uses.

Bug reported by:  Wen Congyang <wency@cn.fujitsu.com>

Signed-off-by: Juan Quintela <quintela@redhat.com>
CC:  Wen Congyang <wency@cn.fujitsu.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:51 -06:00
Pavel Borzenkov
f2338fb48a configure: Do not use 'sed -i'
'sed -i' is not defined in POSIX. It doesn't work on Mac OS X the way
it's used in configure (without suffix argument). This patch implements
Peter Maydell's idea of xattr.h detection.

Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 12:49:51 -06:00
Andreas Färber
d423675c94 vl.c: Fail gracefully if no machine is found
machine defaults to find_default_machine(),
then gets overridden via -M and machine_parse().

If no -M is specified and find_default_machine() returns NULL
(when no machine compiled in), exit with an error.

Avoids a segfault when setting machine->max_cpus.

Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-11 08:27:06 -06:00
Kevin Wolf
ca716364f0 block: Make cache=unsafe flush to the OS
cache=unsafe completely ignored bdrv_flush, because flushing the host disk
costs a lot of performance. However, this means that qcow2 images (and
potentially any other format) can lose data even after the guest has issued a
flush if the qemu process crashes/is killed. In case of a host crash, data loss
is certainly expected with cache=unsafe, but if just the qemu process dies this
is a bit too unsafe.

Now that we have two separate flush functions, we can choose to flush
everythign to the OS, but don't enforce that it's physically written to the
disk.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:59 +01:00
Kevin Wolf
eb489bb1ec block: Introduce bdrv_co_flush_to_os
qcow2 has a writeback metadata cache, so flushing a qcow2 image actually
consists of writing back that cache to the protocol and only then flushes the
protocol in order to get everything stable on disk.

This introduces a separate bdrv_co_flush_to_os to reflect the split.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:59 +01:00
Kevin Wolf
c68b89acd6 block: Rename bdrv_co_flush to bdrv_co_flush_to_disk
There are two different types of flush that you can do: Flushing one level up
to the OS (i.e. writing data to the host page cache) or flushing it all the way
down to the disk. The existing functions flush to the disk, reflect this in the
function name.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:59 +01:00
Peter Maydell
980bda8ba2 hw/pc.c: Fix use-while-uninitialized of fd_type[]
Fix a use-while-uninitialized of the fd_type[] array (introduced
in commit 34d4260e1, noticed by Coverity). This is more theoretical
than practical, since it's quite hard to get here with floppy==NULL
(the qdev_try_create() of the isa-fdc device has to fail).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:59 +01:00
Charles Arnold
78439f6af1 block: Fix vpc initialization of the Dynamic Disk Header
The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.

Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.

Signed-off-by: Charles Arnold <carnold@suse.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
802ddc375a qemu-nbd: open the block device after starting the client thread
This is cleaner, because we do not need to close the block device when
there is an error opening /dev/nbdX.  It was done this way only to
print errors before daemonizing.

At the same time, use atexit to ensure that the block device is closed
whenever we exit.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
f1ef5555c2 qemu-nbd: fix socket creation race
Now that the client and server are in the same process, there is
no need to race on the creation of the socket.  We can open the
listening socket before starting the client thread.

This avoids that "qemu-nbd -v -c" prints this once before connecting
successfully to the socket:

    connect(unix:/var/lock/qemu-nbd-nbd0): No such file or directory

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
c1f8fdc362 qemu-nbd: print error messages from the daemon through a pipe
In order to get nice error messages, keep the qemu-nbd process running
until before issuing NBD_DO_IT and connected to the daemon with a pipe.
This lets the qemu-nbd process relay error messages from the daemon and
exit with a nonzero status if appropriate.

Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
a517e88baa qemu-nbd: move client to a thread
This avoids that qemu-nbd uses both forking and threads, which do
not behave well together.

qemu-nbd is already Unix only, and there is no qemu_thread_join,
so for now use pthreads.

Since the parent and child no longer have separate file descriptors,
we can open the NBD device before daemonizing, instead of checking
with access(2) and restricting the open to the client only.

Reported-by: Pierre Riteau <pierre.riteau@irisa.fr>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
b32f6c28d5 qemu-nbd: rename socket variable
It will be moved to a global variable by the next patch, and it
would conflict with the socket function.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
bb345110f0 qemu-nbd: trap SIGTERM
The client process right now uses SIGTERM to interrupt the server side.
This does not affect the exit status of "qemu-nbd -v -c" because the
server is a child process.  This will change when both sides will be
in the same process, and anyway cleaning up things nicely upon SIGTERM
is good practice.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
74624688b3 nbd: treat EPIPE from NBD_DO_IT as success
This can be seen with "qemu-nbd -v -c", which returns 1 instead of 0
when you disconnect with "qemu-nbd -d".

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:58 +01:00
Paolo Bonzini
4480de19d9 scsi-disk: implement eject requests
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:57 +01:00
Paolo Bonzini
2df0a3a308 atapi: implement eject requests
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:57 +01:00
Paolo Bonzini
025ccaa7f9 block: add eject request callback
Recent versions of udev always keep the tray locked so that the kernel
can observe "eject request" events (aka tray button presses) even on
discs that aren't mounted.  Add support for these events in the ATAPI
and SCSI cd drive device models.

To let management cope with the behavior of udev, an event should also
be added for "tray opened/closed".  This way, after issuing an "eject"
command, management can poll until the guests actually reacts to the
command.  They can then issue the "change" command after the tray has been
opened, or try with "eject -f" after a (configurable?) timeout.  However,
with this patch and the corresponding support in the device models,
at least it is possible to do a manual two-step eject+change sequence.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-11-11 14:02:57 +01:00
Kevin Wolf
7704df98b0 vvfat: Fix read-write mode
vvfat used to directly call into the qcow2 block driver instead of using the
block.c wrappers. With the coroutine conversion, this stopped working.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2011-11-11 14:02:57 +01:00
Peter Maydell
0e3b800e71 hw/lan9118.c: Add missing 'break' to fix buffer overrun
Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
Markus Armbruster
04c5b17a74 x86/cpuid: Fix crash on -cpu ""
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
Markus Armbruster
99e1dec06f x86/cpuid: Plug memory leak in cpudef_setfield()
To reproduce the leak, put two name options into the same [cpudef]
section of target-x86_64.conf.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
Markus Armbruster
d3c481b357 x86/cpuid: Convert remaining strdup() to g_strdup()
Fixes missing error checking.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
Markus Armbruster
302d9d6fd8 ui/vnc: Convert sasl.mechlist to g_malloc() & friends
Fixes protocol_client_auth_sasl_mechname() not to crash when malloc()
fails.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
Markus Armbruster
542379f426 qdev: Fix crash on -device '?=x'
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 12:29:50 +00:00
陳韋任
235e510cfd configure: Show --cpu option on the help list
Signed-off-by: Chen Wen-Ren (陳韋任) <chenwj@iis.sinica.edu.tw>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
2011-11-10 09:41:40 +00:00