Commit Graph

58104 Commits

Author SHA1 Message Date
Juan Quintela
741d4086c8 migration: Use proper types in json
We use int for everything (int64_t), and then we check that value is
between 0 and 255.  Change it to the valid types.

This change only happens for HMP.  QMP always use bytes and similar.

Signed-off-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2018-01-15 12:47:53 +01:00
Peter Maydell
fd06527b80 slirp updates
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEOjpdRkZg6GdhDKQnmWhJwc9WBHgFAlpbkRwACgkQmWhJwc9W
 BHjCVw/9FuebLWQl8BDnaRt31qlxTFegJazWRRQyQnqjBcwT3kAAPBDTDkvJRa+Y
 L6bwuOM6RRS8dHK7Kf9Af5jxPlFhgOiqtfrOBmD3nYaVSMZ/K/xSlZpt1b8CEqfi
 l9IqPfXwV1yTHRDdJ8RNOP3LOlpkzK/wvzVw83lDkaN7uKv+LCNQ/CAy3KlCNHRn
 nc3OHI4DhKsSH17NggZiXFifbwJ3OISV42uBbpPVF6yJLtaVZtCOA5xsUIaOR043
 INe8o8pTcPtZ2rnMtNa+VQMdxVJTtssd+QwEDktEvI8RSCrwvQhUuw5RL88TNUdd
 Rw03qlQbVh6J17a3fDFj1qDY5Eu63kF9DothoWhe/Kky4ROqZyQwdpHFDWZb0Jzb
 LDOftTFL5Oa00GiWtE2FLrM7C4omlCCeUAzhnLeTYVGTaK+hn/ugTvE4ySAQUSgj
 TONvitIPRigivaqCRsGa0F+RIpJxQORPkLFKSIYW7dMCMgFq2YiTcg6TsEnhYrIH
 8diE7pjexsTlFUEg5jelJPHAS6IdGg3l+UEq2twVnkeIfHAdkaDKlUS9z3J0iM+K
 5cMKBwok5rOti+3imJ3hoEhwn2bvN9lio+u7Y9YY3wRF2OQuFyK2zc89aAbHVmj0
 J90lF5VxwD64F7hexd6MwKLgvxdgILU7xsMAVPswVPdweztW+EI=
 =p5qP
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/thibault/tags/samuel-thibault' into staging

slirp updates

# gpg: Signature made Sun 14 Jan 2018 17:19:24 GMT
# gpg:                using RSA key 0x996849C1CF560478
# gpg: Good signature from "Samuel Thibault <samuel.thibault@aquilenet.fr>"
# gpg:                 aka "Samuel Thibault <sthibault@debian.org>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@gnu.org>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@inria.fr>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@labri.fr>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@ens-lyon.org>"
# gpg:                 aka "Samuel Thibault <samuel.thibault@u-bordeaux.fr>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 900C B024 B679 31D4 0F82  304B D017 8C76 7D06 9EE6
#      Subkey fingerprint: 3A3A 5D46 4660 E867 610C  A427 9968 49C1 CF56 0478

* remotes/thibault/tags/samuel-thibault:
  slirp: add in6_dhcp_multicast()
  slirp: removed unused code
  slirp: remove unnecessary struct declaration
  slirp: remove unused header
  slirp: avoid IN6_IS_ADDR_UNSPECIFIED(), rather use in6_zero()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-15 10:39:29 +00:00
Philippe Mathieu-Daudé
318116a6ff slirp: add in6_dhcp_multicast()
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 18:16:13 +01:00
Philippe Mathieu-Daudé
676e268003 slirp: removed unused code
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 18:16:13 +01:00
Philippe Mathieu-Daudé
c416d7f917 slirp: remove unnecessary struct declaration
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 18:16:13 +01:00
Philippe Mathieu-Daudé
847b2557db slirp: remove unused header
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 18:16:13 +01:00
Philippe Mathieu-Daudé
1120fae0cf slirp: avoid IN6_IS_ADDR_UNSPECIFIED(), rather use in6_zero()
Host: Mac OS 10.12.5
Compiler: Apple LLVM version 8.1.0 (clang-802.0.42)

  slirp/ip6_icmp.c:80:38: warning: taking address of packed member 'ip_src' of class or
        structure 'ip6' may result in an unaligned pointer value
        [-Waddress-of-packed-member]
              IN6_IS_ADDR_UNSPECIFIED(&ip->ip_src)) {
                                       ^~~~~~~~~~
  /usr/include/netinet6/in6.h:238:42: note: expanded from macro 'IN6_IS_ADDR_UNSPECIFIED'
          ((*(const __uint32_t *)(const void *)(&(a)->s6_addr[0]) == 0) && \
                                                  ^

Reported-by: John Arbuckle <programmingkidx@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-01-14 18:16:13 +01:00
Peter Maydell
c7947342d7 sdl2: bugfixes.
spice: cleanups.
 input: mem leak fix.
 gtk: deprecate 2.x support.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJaWMu3AAoJEEy22O7T6HE4fkQP/1IKT3nfaMrRjQFwNFF/lcX/
 qUCfAojVmq+5at+Im/x29gq0xVI3J3/xaq53iyjUMJhS0rF382fY0ZMJwHj6LbVA
 jB2JiPa6JbyO5GC8bNCs5yYB8qtT0c9iP+6EcR+HJIuDj+eMt1tstLzv58waGM5/
 v1ZOEd4S4uMj6/dY/l9HZ5/CGkX8tlT4++zM3+kYvTEvkVRCIlGIEJA/R/mQmM+d
 M6tKqN2Yxc0QxypnuzXtLRPoEx9BlOMuNVR7IGdDbcc8z7yD47wq7XW7lxdqrDVo
 YLMlEZPxeBow78K5qq1MK32QeHtQqdXcu1RZCHGszu/I3Opad1UAS3JduHEQb2vO
 yD2KW3zGD8pB9TDEV9RTF10jtRRxakoB+UXeNnDX0vuylbNGcPTwBvrCCnwk+Ahj
 6raKwZnheqJW/zmr71UoDrpfAUKnmt4Y4Zvs06nuNqAXwIEGdIiX+7mz1pE+rK3u
 IUXOLAPE+HdDjcssbr3iuXove0pTpM6QXKY8exGKgByTmzK6/kfvA7DgS4g1wvgv
 HPLToS4mC2kg0ItphLdketSt+6K5qNXGChQxRjczzpLtiwpngd502VOaQui9gpXl
 nXkU+DTHY8bQDGgA+BJ8T6IB3qvCuWzFfRXrqHZR+eMHbQK+7dR21L++P6sCMFXM
 DzHlatBVfRs341k3GuS/
 =JUSN
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20180112-pull-request' into staging

sdl2: bugfixes.
spice: cleanups.
input: mem leak fix.
gtk: deprecate 2.x support.

# gpg: Signature made Fri 12 Jan 2018 14:52:39 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/ui-20180112-pull-request:
  sdl2: Ignore UI hotkeys after a focus change when GUI modifier is held
  sdl2 uses surface relative coordinates
  sdl2: Do not hide the cursor on auxilliary windows
  spice: remove unused timer list
  spice: remove only written event_mask field
  spice: remove unused watch list
  spice: remove QXLWorker interface field
  ui: deprecate use of GTK 2.x in favour of 3.x series
  input: fix memory leak

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-12 16:41:24 +00:00
Peter Maydell
7398166ddf vnc: limit memory usage (CVE-2017-15124)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJaWLCyAAoJEEy22O7T6HE4Ml4P/jPi2kCJ6pZCzOSkPqxQv5HU
 ScUIVidH4pvLQnyhGUNTYxkd7RwlG9M4LKoy6U0JTs6rh3/Jb91H/yX7EtXi7JkP
 vxuKO3UehDjnlRyS+g4VE/+VBJB4V4XTRqK7BNWFqpxLd+DsZ6scUOwGykF4mFzQ
 YV8a08IL8DZ3XtPjX5W1g0I7iGPgijZVFHGtteG5r+SWG877ACzduaYBGHoXL0vM
 HFOfbGmXVZrRFBCom/iQLLR4fsPm3ynMMk9bPqz+Tw/z7CnObdjkrMgaPV7soZzH
 +SK5O+aT5jyrFk8FufDr3AuI3nz7A5maOjT4Jin9089VomnV0O1sxjDwGC7D/OH/
 tBZR8qWrRQ6mSRJQo+fZvCkXBYZvOFdjow1xDQahymQkvtQWWkwVH5Fpzz474VQP
 tIpoZFa5KlPWsz91/tgBo43Znjn+cccw0BzGRSWsM6dqP/C+gKO3+W3cOT8W8Skj
 lN88F3uHQhR2QZ0s4ZWSaVr7qMTI4OFkryRM4GXqwKL685/lRV8da6A+K9xuvXro
 jCcsu1vc24ZCnVIJ5BFQP2Gp7Xd8iD0RYe2wQF47mY0XBR7d1CwiqHKsEVZXj+EH
 A7hvvuEjJYM7R/sl5Yhw9yQWDeH0HTiKZPms9p84vGh2fxABEVPsPVqSApw5yfNz
 oT7Mk9nPanfsnDiOQ1R0
 =Bf/5
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/vnc-20180112-pull-request' into staging

vnc: limit memory usage (CVE-2017-15124)

# gpg: Signature made Fri 12 Jan 2018 12:57:22 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vnc-20180112-pull-request:
  ui: mix misleading comments & return types of VNC I/O helper methods
  ui: add trace events related to VNC client throttling
  ui: place a hard cap on VNC server output buffer size
  ui: fix VNC client throttling when forced update is requested
  ui: fix VNC client throttling when audio capture is active
  ui: refactor code for determining if an update should be sent to the client
  ui: correctly reset framebuffer update state after processing dirty regions
  ui: introduce enum to track VNC client framebuffer update request state
  ui: track how much decoded data we consumed when doing SASL encoding
  ui: avoid pointless VNC updates if framebuffer isn't dirty
  ui: remove redundant indentation in vnc_client_update
  ui: remove unreachable code in vnc_update_client
  ui: remove 'sync' parameter from vnc_update_client
  vnc: fix debug spelling

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-12 16:01:30 +00:00
Jindrich Makovicka
849bbe6035 sdl2: Ignore UI hotkeys after a focus change when GUI modifier is held
When SDL2 windows change focus while a key is held, the window that
receives the focus also receives a new KeyDown event, without an
autorepeat flag. This means that if a WM places the qemu console
over the main window after Ctrl-Alt-2, the console closes immediately
after opening. Then, the main window receives the KeyDown event again
and the whole process repeats.

This patch makes the SDL2 UI ignore the KeyDown events on a window that
just received the focus, if the GUI modifier was held. The ignore flag
is reset on a first KeyUp event. This effectively works around the issue
above.

Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Message-Id: <20171117112258.5888-4-makovick@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 15:51:18 +01:00
Jindrich Makovicka
d9f0626280 sdl2 uses surface relative coordinates
This patch fixes mouse positioning with -device usb-tablet and fullscreen
or resized window.

Fixes: 46522a8223
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Message-Id: <20171117112258.5888-3-makovick@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 15:51:05 +01:00
Jindrich Makovicka
2821671629 sdl2: Do not hide the cursor on auxilliary windows
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Message-Id: <20171117112258.5888-2-makovick@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 15:50:43 +01:00
Peter Maydell
a3380cf658 target/xtensa: Remove duplicate typedef of DisasContext
Some older versions of gcc complain if a typedef is defined twice:

target/xtensa/translate.c:81: error: redefinition of typedef 'DisasContext'
target/xtensa/cpu.h:339: note: previous declaration of 'DisasContext' was here

Remove the now-redundant typedef from the definition of the struct in
translate.c.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1515762528-22818-1-git-send-email-peter.maydell@linaro.org
2018-01-12 14:36:41 +00:00
Frediano Ziglio
abda476681 spice: remove unused timer list
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Message-id: 20171122135625.16625-4-fziglio@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:35:58 +01:00
Frediano Ziglio
58a5d33aa8 spice: remove only written event_mask field
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Message-id: 20171122135625.16625-3-fziglio@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:35:58 +01:00
Frediano Ziglio
44e8f22986 spice: remove unused watch list
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Message-id: 20171122135625.16625-2-fziglio@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:35:58 +01:00
Frediano Ziglio
9fedfa4909 spice: remove QXLWorker interface field
This fields points to an old interface that is no more
used in the current code.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Message-id: 20171122135625.16625-1-fziglio@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:35:58 +01:00
Daniel P. Berrange
b7715af2b3 ui: deprecate use of GTK 2.x in favour of 3.x series
The GTK 3.0 release was made in Feb, 2011:

  https://blog.gtk.org/2011/02/10/gtk-3-0-released/

That will soon be 7 years ago, which is enough time to consider
the 3.x series widely supported.

Thus we deprecate the GTK 2.x support, which will allow us to
delete it in the last release of 2018. By this time, GTK 3.x
will be almost 8 years old.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20171212113440.16483-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:30:34 +01:00
linzhecheng
fca4774a96 input: fix memory leak
If kbd_queue is not empty and queue_count >= queue_limit,
we should free evt.

Change-Id: Ieeacf90d5e7e370a40452ec79031912d8b864d83
Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20171225023730.5512-1-linzhecheng@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 14:20:39 +01:00
Daniel P. Berrange
30b80fd526 ui: mix misleading comments & return types of VNC I/O helper methods
While the QIOChannel APIs for reading/writing data return ssize_t, with negative
value indicating an error, the VNC code passes this return value through the
vnc_client_io_error() method. This detects the error condition, disconnects the
client and returns 0 to indicate error. Thus all the VNC helper methods should
return size_t (unsigned), and misleading comments which refer to the possibility
of negative return values need fixing.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-14-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
6aa22a2918 ui: add trace events related to VNC client throttling
The VNC client throttling is quite subtle so will benefit from having trace
points available for live debugging.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-13-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
f887cf165d ui: place a hard cap on VNC server output buffer size
The previous patches fix problems with throttling of forced framebuffer updates
and audio data capture that would cause the QEMU output buffer size to grow
without bound. Those fixes are graceful in that once the client catches up with
reading data from the server, everything continues operating normally.

There is some data which the server sends to the client that is impractical to
throttle. Specifically there are various pseudo framebuffer update encodings to
inform the client of things like desktop resizes, pointer changes, audio
playback start/stop, LED state and so on. These generally only involve sending
a very small amount of data to the client, but a malicious guest might be able
to do things that trigger these changes at a very high rate. Throttling them is
not practical as missed or delayed events would cause broken behaviour for the
client.

This patch thus takes a more forceful approach of setting an absolute upper
bound on the amount of data we permit to be present in the output buffer at
any time. The previous patch set a threshold for throttling the output buffer
by allowing an amount of data equivalent to one complete framebuffer update and
one seconds worth of audio data. On top of this it allowed for one further
forced framebuffer update to be queued.

To be conservative, we thus take that throttling threshold and multiply it by
5 to form an absolute upper bound. If this bound is hit during vnc_write() we
forceably disconnect the client, refusing to queue further data. This limit is
high enough that it should never be hit unless a malicious client is trying to
exploit the sever, or the network is completely saturated preventing any sending
of data on the socket.

This completes the fix for CVE-2017-15124 started in the previous patches.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-12-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
ada8d2e436 ui: fix VNC client throttling when forced update is requested
The VNC server must throttle data sent to the client to prevent the 'output'
buffer size growing without bound, if the client stops reading data off the
socket (either maliciously or due to stalled/slow network connection).

The current throttling is very crude because it simply checks whether the
output buffer offset is zero. This check is disabled if the client has requested
a forced update, because we want to send these as soon as possible.

As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
They can first start something in the guest that triggers lots of framebuffer
updates eg play a youtube video. Then repeatedly send full framebuffer update
requests, but never read data back from the server. This can easily make QEMU's
VNC server send buffer consume 100MB of RAM per second, until the OOM killer
starts reaping processes (hopefully the rogue QEMU process, but it might pick
others...).

To address this we make the throttling more intelligent, so we can throttle
full updates. When we get a forced update request, we keep track of exactly how
much data we put on the output buffer. We will not process a subsequent forced
update request until this data has been fully sent on the wire. We always allow
one forced update request to be in flight, regardless of what data is queued
for incremental updates or audio data. The slight complication is that we do
not initially know how much data an update will send, as this is done in the
background by the VNC job thread. So we must track the fact that the job thread
has an update pending, and not process any further updates until this job is
has been completed & put data on the output buffer.

This unbounded memory growth affects all VNC server configurations supported by
QEMU, with no workaround possible. The mitigating factor is that it can only be
triggered by a client that has authenticated with the VNC server, and who is
able to trigger a large quantity of framebuffer updates or audio samples from
the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
their own QEMU process, but its possible other processes can get taken out as
collateral damage.

This is a more general variant of the similar unbounded memory usage flaw in
the websockets server, that was previously assigned CVE-2017-15268, and fixed
in 2.11 by:

  commit a7b20a8efa
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Oct 9 14:43:42 2017 +0100

    io: monitor encoutput buffer size from websocket GSource

This new general memory usage flaw has been assigned CVE-2017-15124, and is
partially fixed by this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-11-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
e2b72cb6e0 ui: fix VNC client throttling when audio capture is active
The VNC server must throttle data sent to the client to prevent the 'output'
buffer size growing without bound, if the client stops reading data off the
socket (either maliciously or due to stalled/slow network connection).

The current throttling is very crude because it simply checks whether the
output buffer offset is zero. This check must be disabled if audio capture is
enabled, because when streaming audio the output buffer offset will rarely be
zero due to queued audio data, and so this would starve framebuffer updates.

As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
They can first start something in the guest that triggers lots of framebuffer
updates eg play a youtube video. Then enable audio capture, and simply never
read data back from the server. This can easily make QEMU's VNC server send
buffer consume 100MB of RAM per second, until the OOM killer starts reaping
processes (hopefully the rogue QEMU process, but it might pick others...).

To address this we make the throttling more intelligent, so we can throttle
when audio capture is active too. To determine how to throttle incremental
updates or audio data, we calculate a size threshold. Normally the threshold is
the approximate number of bytes associated with a single complete framebuffer
update. ie width * height * bytes per pixel. We'll send incremental updates
until we hit this threshold, at which point we'll stop sending updates until
data has been written to the wire, causing the output buffer offset to fall
back below the threshold.

If audio capture is enabled, we increase the size of the threshold to also
allow for upto 1 seconds worth of audio data samples. ie nchannels * bytes
per sample * frequency. This allows the output buffer to have a mixture of
incremental framebuffer updates and audio data queued, but once the threshold
is exceeded, audio data will be dropped and incremental updates will be
throttled.

This unbounded memory growth affects all VNC server configurations supported by
QEMU, with no workaround possible. The mitigating factor is that it can only be
triggered by a client that has authenticated with the VNC server, and who is
able to trigger a large quantity of framebuffer updates or audio samples from
the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
their own QEMU process, but its possible other processes can get taken out as
collateral damage.

This is a more general variant of the similar unbounded memory usage flaw in
the websockets server, that was previously assigned CVE-2017-15268, and fixed
in 2.11 by:

  commit a7b20a8efa
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Oct 9 14:43:42 2017 +0100

    io: monitor encoutput buffer size from websocket GSource

This new general memory usage flaw has been assigned CVE-2017-15124, and is
partially fixed by this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-10-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
0bad834228 ui: refactor code for determining if an update should be sent to the client
The logic for determining if it is possible to send an update to the client
will become more complicated shortly, so pull it out into a separate method
for easier extension later.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-9-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
728a7ac954 ui: correctly reset framebuffer update state after processing dirty regions
According to the RFB protocol, a client sends one or more framebuffer update
requests to the server. The server can reply with a single framebuffer update
response, that covers all previously received requests. Once the client has
read this update from the server, it may send further framebuffer update
requests to monitor future changes. The client is free to delay sending the
framebuffer update request if it needs to throttle the amount of data it is
reading from the server.

The QEMU VNC server, however, has never correctly handled the framebuffer
update requests. Once QEMU has received an update request, it will continue to
send client updates forever, even if the client hasn't asked for further
updates. This prevents the client from throttling back data it gets from the
server. This change fixes the flawed logic such that after a set of updates are
sent out, QEMU waits for a further update request before sending more data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-8-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
fef1bbadfb ui: introduce enum to track VNC client framebuffer update request state
Currently the VNC servers tracks whether a client has requested an incremental
or forced update with two boolean flags. There are only really 3 distinct
states to track, so create an enum to more accurately reflect permitted states.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-7-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
8f61f1c5a6 ui: track how much decoded data we consumed when doing SASL encoding
When we encode data for writing with SASL, we encode the entire pending output
buffer. The subsequent write, however, may not be able to send the full encoded
data in one go though, particularly with a slow network. So we delay setting the
output buffer offset back to zero until all the SASL encoded data is sent.

Between encoding the data and completing sending of the SASL encoded data,
however, more data might have been placed on the pending output buffer. So it
is not valid to set offset back to zero. Instead we must keep track of how much
data we consumed during encoding and subtract only that amount.

With the current bug we would be throwing away some pending data without having
sent it at all. By sheer luck this did not previously cause any serious problem
because appending data to the send buffer is always an atomic action, so we
only ever throw away complete RFB protocol messages. In the case of frame buffer
updates we'd catch up fairly quickly, so no obvious problem was visible.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-6-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
3541b08475 ui: avoid pointless VNC updates if framebuffer isn't dirty
The vnc_update_client() method checks the 'has_dirty' flag to see if there are
dirty regions that are pending to send to the client. Regardless of this flag,
if a forced update is requested, updates must be sent. For unknown reasons
though, the code also tries to sent updates if audio capture is enabled. This
makes no sense as audio capture state does not impact framebuffer contents, so
this check is removed.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-5-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
b939eb89b6 ui: remove redundant indentation in vnc_client_update
Now that previous dead / unreachable code has been removed, we can simplify
the indentation in the vnc_client_update method.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-4-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:54 +01:00
Daniel P. Berrange
c53df96161 ui: remove unreachable code in vnc_update_client
A previous commit:

  commit 5a8be0f73d
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Wed Jul 13 12:21:20 2016 +0200

    vnc: make sure we finish disconnect

Added a check for vs->disconnecting at the very start of the
vnc_update_client method. This means that the very next "if"
statement check for !vs->disconnecting always evaluates true,
and is thus redundant. This in turn means the vs->disconnecting
check at the very end of the method never evaluates true, and
is thus unreachable code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Daniel P. Berrange
6af998db05 ui: remove 'sync' parameter from vnc_update_client
There is only one caller of vnc_update_client and that always passes false
for the 'sync' parameter.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171218191228.31018-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Marc-André Lureau
090fdc83b0 vnc: fix debug spelling
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20171220140618.12701-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-12 13:48:53 +01:00
Peter Maydell
36b5e43af8 pc, pci, virtio: features, fixes, cleanups
A bunch of fixes, cleanus and new features all over the place.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJaV8NpAAoJECgfDbjSjVRpve8IAMuT4Na9gn0SGZnzarF5Bn4H
 D7oIOHCVkJPFZXD4Eqv39JFJJbDKPszSSHuoYt8zqXd4N6ZOBiV39cVhUCV1f/7H
 /gzfTGr+s1NzxKKhdjh4jNM0RgUQR5j11Dz3G4wbTtx2LA2kYm/zWsnqNJwYo4tX
 SbwmU7RHa/5O3aJQ1LQgWJ7uPwuIuc84gWciKKRiYa3f7WNu+5j1dLhKtop5Boww
 AlK63tLfLyQczo1k+PUak1j5kD2v6dNZX1wRS6QZkA1Bj0GnHlE5bBycu8l4B88F
 mBYCLVBY4bOhweKSzxM2a90Q3uz+HffMl04M4drPnaEqltbsYDrSwiC8RJqMIjo=
 =Jkdo
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc, pci, virtio: features, fixes, cleanups

A bunch of fixes, cleanus and new features all over the place.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Thu 11 Jan 2018 20:04:57 GMT
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (23 commits)
  smbus: do not immediately complete commands
  dump-guest-memory.py: fix "You can't do that without a process to debug"
  virtio-pci: Don't force Subsystem Vendor ID = Vendor ID
  intel_iommu: fix error param in string
  intel_iommu: remove X86_IOMMU_PCI_DEVFN_MAX
  vhost-user: document memory accesses
  vhost-user: fix indentation in protocol specification
  hw/pci-host/xilinx: QOM'ify the AXI-PCIe host bridge
  hw/pci-host/piix: QOM'ify the IGD Passthrough host bridge
  tests/pxe-test: Add some extra tests
  tests/pxe-test: Test net booting over IPv6 in some cases
  tests/pxe-test: Use table of testcases rather than open-coding
  tests/pxe-test: Remove unnecessary special case test functions
  virtio_error: don't invoke status callbacks
  pci: Eliminate pci_find_primary_bus()
  pci: Eliminate redundant PCIDevice::bus pointer
  pci: Add pci_dev_bus_num() helper
  pci: Move bridge data structures from pci_bus.h to pci_bridge.h
  pci: Rename root bus initialization functions for clarity
  tests: add test to check VirtQueue object
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-12 09:52:58 +00:00
Michael S. Tsirkin
acc95bc850 Merge remote-tracking branch 'origin/master' into HEAD
Resolve conflicts around apb.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2018-01-11 22:03:50 +02:00
Peter Maydell
997eba28a3 target-arm queue:
* add aarch64_be linux-user target
  * Virt: ACPI: fix qemu assert due to re-assigned table data address
  * imx_fec: various bug fixes and cleanups
  * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
  * hw/sd/pxa2xx_mmci: add read/write() trace events
  * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
  * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
  * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
  * hw/intc/arm_gic: reserved register addresses are RAZ/WI
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJaV2iVAAoJEDwlJe0UNgzeLmEQAJ3A9m42/ZI6z3zSjnu27q13
 8UvLlXimJuABK9cav5EvqXz6j+LwqBs7psJ6tvNXV3L2A+lBPYPHsTqnS7T0BSts
 36r1IepRA1Gw8nIdKDpK4ZwNQ2EkkipairtWq7OV4Q3Ouh5TRuVX2Sm8iKdz0tm5
 cd6LAQjynPfe4oeZXgJU6TlulSaWxSrUhhc0VGsv6Q9L5tZR4C1lFYP8Ijv3xPfh
 5pKWccTJktywahrFrdr0mWOWnRgkZ3Fm63r0JeyoHeT7olLLp91zk/d+C7+QYoEn
 vkJwvPrhYru349Inq8T7X7jg3aWdh28Ivajm11EQ9l+uFjwdbR/jbVUHCQn3QXzE
 +SN1Kmk3U8IiAPoc9hjTjHnYG6OSKEBgJautgmxQZjWaMm7RvwVPvJTULyZTQi27
 0NxHl9Uh2dlc8Msj6DfGfd0XOdf1crqtAGERKfJBsyrN0whiugH9Hn+AEnjf17zt
 M6lJbkwF8P8oG0DmnbZcxvh9QIHv0eaAW5ksR5wwnPIHsvSLQv/wgiwRdTjNh/JM
 KNH/F4+H2O7bbK2Dh/Y20RGiip0XhpelRFfoN507Uh4YgE+NEmV1CnN1gbk/P+y6
 f1PJ5Dt+H3m3dSyzyUsie4foO5BVTxhPE6dQKz2nsTWjNJRbIRLJx82A5GSF2Cip
 ZDCn6DGcMXtbAoseeu9l
 =imOw
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20180111' into staging

target-arm queue:
 * add aarch64_be linux-user target
 * Virt: ACPI: fix qemu assert due to re-assigned table data address
 * imx_fec: various bug fixes and cleanups
 * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
 * hw/sd/pxa2xx_mmci: add read/write() trace events
 * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
 * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
 * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
 * hw/intc/arm_gic: reserved register addresses are RAZ/WI

# gpg: Signature made Thu 11 Jan 2018 13:37:25 GMT
# gpg:                using RSA key 0x3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20180111: (26 commits)
  hw/intc/arm_gic: reserved register addresses are RAZ/WI
  hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
  target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
  linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
  hw/sd/pxa2xx_mmci: add read/write() trace events
  hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
  imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
  imx_fec: Fix a typo in imx_enet_receive()
  imx_fec: Use correct length for packet size
  imx_fec: Add support for multiple Tx DMA rings
  imx_fec: Emulate SHIFT16 in ENETx_RACC
  imx_fec: Use MIN instead of explicit ternary operator
  imx_fec: Use ENET_FTRL to determine truncation length
  imx_fec: Move Tx frame buffer away from the stack
  imx_fec: Change queue flushing heuristics
  imx_fec: Refactor imx_eth_enable_rx()
  imx_fec: Do not link to netdev
  Virt: ACPI: fix qemu assert due to re-assigned table data address
  target/arm: Fix stlxp for aarch64_be
  linux-user: Activate armeb handler registration
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 14:34:41 +00:00
Peter Maydell
0cf0985201 hw/intc/arm_gic: reserved register addresses are RAZ/WI
The GICv2 specification says that reserved register addresses
must RAZ/WI; now that we implement external abort handling
for Arm CPUs this means we must return MEMTX_OK rather than
MEMTX_ERROR, to avoid generating a spurious guest data abort.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-3-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
2018-01-11 13:25:40 +00:00
Peter Maydell
f1945632b4 hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
The GICv3 specification says that reserved register addresses
should RAZ/WI. This means we need to return MEMTX_OK, not MEMTX_ERROR,
because now that we support generating external aborts the
latter will cause an abort on new board models.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-2-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
2018-01-11 13:25:40 +00:00
Peter Maydell
2eea841c11 target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
Refactor disas_thumb2_insn() so that it generates the code for raising
an UNDEF exception for invalid insns, rather than returning a flag
which the caller must check to see if it needs to generate the UNDEF
code. This brings the function in to line with the behaviour of
disas_thumb_insn() and disas_arm_insn().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1513080506-17703-1-git-send-email-peter.maydell@linaro.org
2018-01-11 13:25:40 +00:00
Peter Maydell
579648554a linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
Our copy of the nwfpe code for emulating of the old FPA11 floating
point unit doesn't check the coprocessor number in the instruction
when it emulates it.  This means that we might treat some
instructions which should really UNDEF as being FPA11 instructions by
accident.

The kernel's copy of the nwfpe code doesn't make this error; I suspect
the bug was noticed and fixed as part of the process of mainlining
the nwfpe code more than a decade ago.

Add a check that the coprocessor number (which is always in bits
[11:8] of the instruction) is either 1 or 2, which is where the
FPA11 lives.

Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:39 +00:00
Philippe Mathieu-Daudé
487b406af1 hw/sd/pxa2xx_mmci: add read/write() trace events
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180104000156.30932-1-f4bug@amsat.org
[PMM: add missing include]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:39 +00:00
Philippe Mathieu-Daudé
2ba63e4af6 hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180103224208.30291-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov
831858ad9d imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
Some i.MX SoCs (e.g. i.MX7) have FEC registers going as far as offset
0x614, so to avoid getting aborts when accessing those on QEMU, extend
the register file to cover FSL_IMX25_FEC_SIZE(16K) of address space
instead of just 1K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov
894d74cc4f imx_fec: Fix a typo in imx_enet_receive()
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:38 +00:00
Andrey Smirnov
52cfd5846b imx_fec: Use correct length for packet size
Use 'frame_size' instead of 'len' when calling qemu_send_packet(),
failing to do so results in malformed packets send in case when that
packed is fragmented into multiple DMA transactions.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov
f93f961c40 imx_fec: Add support for multiple Tx DMA rings
More recent version of the IP block support more than one Tx DMA ring,
so add the code implementing that feature.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov
ebdd8cddb9 imx_fec: Emulate SHIFT16 in ENETx_RACC
Needed to support latest Linux kernel driver which relies on that
functionality.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:37 +00:00
Andrey Smirnov
4c5e7a6cda imx_fec: Use MIN instead of explicit ternary operator
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:36 +00:00
Andrey Smirnov
ff9a7feeab imx_fec: Use ENET_FTRL to determine truncation length
Frame truncation length, TRUNC_FL, is determined by the contents of
ENET_FTRL register, so convert the code to use it instead of a
hardcoded constant.

To avoid the case where TRUNC_FL is greater that ENET_MAX_FRAME_SIZE,
increase the value of the latter to its theoretical maximum of 16K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:36 +00:00
Andrey Smirnov
7bac20dc51 imx_fec: Move Tx frame buffer away from the stack
Make Tx frame assembly buffer to be a paort of IMXFECState structure
to avoid a concern about having large data buffer on the stack.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-01-11 13:25:35 +00:00