Commit Graph

11492 Commits

Author SHA1 Message Date
Laszlo Ersek
7d9cb533f5 pci-assign: propagate errors from assigned_dev_register_regions()
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:20:00 -04:00
Laszlo Ersek
7a98593b34 pci-assign: propagate errors from assigned_dev_register_msix_mmio()
The return type is also changed from "int" to "void", because it was used
in a success vs. failure sense only (the caller didn't distinguish error
codes from each other, and even assigned_dev_register_msix_mmio() masked
mmap()'s errno values with a common -EFAULT).

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:20:00 -04:00
Laszlo Ersek
64135217a7 pci-assign: propagate errors from assigned_device_pci_cap_init()
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:20:00 -04:00
Laszlo Ersek
5b877045d3 pci-assign: propagate errors from get_real_device()
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
f3455d4704 pci-assign: assignment should fail if we can't read config space
assigned_initfn()
  get_real_device()
    read()

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
42ee4194f2 pci-assign: accept Error from pci_add_capability2()
Propagate any errors while adding PCI capabilities to
assigned_device_pci_cap_init(). We'll continue the propagation upwards
when assigned_device_pci_cap_init() becomes a leaf itself (when none of
its callees will report errors internally any longer when detecting and
returning them).

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
cd9aa33e2c pci: add Error-propagating pci_add_capability2()
... and rebase pci_add_capability() to it.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
665f119fba pci-assign: propagate Error from check_irqchip_in_kernel()
Rename check_irqchip_in_kernel() to verify_irqchip_in_kernel(), so that
the name reflects our expectation better. Rather than returning a bool,
make it do nothing or set an Error.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
bcdcf75d62 pci-assign: propagate errors from get_real_id()
get_real_id() has two thin wrappers (and no other callers),
get_real_vendor_id() and get_real_device_id(); it's easiest to convert
them in one fell swoop.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
4951013ff5 pci-assign: make assign_failed_examine() just format the cause
This allows us to report the entire error with one error_report() call,
easing future error propagation.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Laszlo Ersek
cf10a5b18f pci-assign: accept Error from monitor_handle_fd_param2()
Propagate any errors in monitor fd handling up to get_real_device(), and
report them there. We'll continue the propagation upwards when
get_real_device() becomes a leaf itself (when none of its callees will
report errors internally any longer when detecting and returning an
error).

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
eviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-05-08 14:19:59 -04:00
Peter Maydell
ff788b6fe6 trivial patches for 2014-05-07
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQEcBAABAgAGBQJTambbAAoJEL7lnXSkw9fbEOcH/REFxjH3t1qbPUeA1woMpwBJ
 74dxEUa0/PXhbjk99O3At03+wrB9g6b6pT7VDqCiq+/HzCYdJukfu86Jiig6Zvo4
 3a9ktjZIuV0Nh8mkyiWv9heSO378xADfZfm1AaVx/NS07W6O6o4W8vzkgDT0nI/e
 01bTdMmpV/AgaVEjPMvW3clB5fq0J3LuccSZV5+xUPGR0iiPZHNLGRqlPUS09aSc
 lNglFcRpkTclKIf5sPUUyrbShMkFGTBqs+8lPHKE7eYby86YCGsZTtPohY/6PqIa
 spAtsTEamvLByeILlQkkh5ESP/Im/3+zSHsfnXaAzMyfwAyGI9xzsrD0Hi7CQdg=
 =Bfks
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-05-07' into staging

trivial patches for 2014-05-07

# gpg: Signature made Wed 07 May 2014 18:01:15 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514  66A7 BEE5 9D74 A4C3 D7DB

* remotes/mjt/tags/trivial-patches-2014-05-07: (21 commits)
  libcacard: remove unnecessary EOL from debug prints
  docs/memory.txt: Fix document on MMIO operations
  readline: Sort completions before printing them.
  readline: use g_strndup instead of open-coding it
  qmp: report path ambiguity error
  libcacard: replace pstrcpy() with memcpy()
  glib: move g_poll() replacement into glib-compat.h
  do not call g_thread_init() for glib >= 2.31
  hw/9pfs: Add include file for exported symbol
  xen: remove unused global, xen_xcg
  hw: Add missing 'static' attributes
  qemu-timer: Add missing 'static' attribute
  ui: Add missing 'static' attribute
  monitor: Add missing 'static' attribute
  hw/s390x: Add missing 'static' attribute
  hw/mips: Add missing 'static' and 'const' attributes
  hw/9pfs: Add missing 'static' attributes
  arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()
  tests/tcg: Fix compilation of test_path
  qga: Fix typo (plural) in comment
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 18:38:39 +01:00
Peter Maydell
5894145a26 Merge remote-tracking branch 'remotes/sstabellini/xen-140507-2' into staging
* remotes/sstabellini/xen-140507-2:
  xen_disk: add discard support
  pass an inclusive address range to xc_domain_pin_memory_cacheattr
  xen: factor out common functions
  xen: move Xen HVM files under hw/i386/xen
  xen: move Xen PV machine files to hw/xenpv
  qemu-xen: free all the pirqs for msi/msix when driver unload
  exec: Limit translation limiting in address_space_translate to xen

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 18:12:14 +01:00
Stefan Weil
69b15212d7 hw/9pfs: Add include file for exported symbol
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07 21:00:43 +04:00
Jim Meyering
770e39f743 xen: remove unused global, xen_xcg
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jim Meyering <meyering@redhat.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07 21:00:43 +04:00
Stefan Weil
6a0a70b0f5 hw: Add missing 'static' attributes
This fixes warnings from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07 21:00:43 +04:00
Stefan Weil
bfaaad0281 hw/s390x: Add missing 'static' attribute
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07 21:00:43 +04:00
Stefan Weil
f73cdbc6ac hw/mips: Add missing 'static' and 'const' attributes
This fixes a warning from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>
2014-05-07 21:00:43 +04:00
Stefan Weil
f5a014d236 hw/9pfs: Add missing 'static' attributes
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07 21:00:43 +04:00
Olaf Hering
f31352041b xen_disk: add discard support
Implement discard support for xen_disk. It makes use of the existing
discard code in qemu.

The discard support is enabled unconditionally. The tool stack may
provide a property "discard-enable" in the backend node to optionally
disable discard support.  This is helpful in case the backing file was
intentionally created non-sparse to avoid fragmentation.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07 16:18:04 +00:00
Peter Maydell
b18a990c3d pc,net,MAINTAINERS,build updates
MAINTAINERS updated with link to the security process documentation
 apic version modified to make more guests happy
 On top of that, bugfixes all over the place
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJTalwhAAoJECgfDbjSjVRpyqcIAKniYsCcKiUjIpTjo4hSHkNN
 zBfMlnqyFNMB8e6rQ7yqt8WCp/fzzsiqjYF07Ycmcmfnbfh907C90Ei37CWQpObv
 GlY41Qx4qUJxYbrqXJCcmOoR+UmAhrIzlr4TLs4DuasLglXGaPla0PcQgzYCNxsk
 m6f2FvyazAkr4FpT+y67YceHM6xlBoPOI2wLPcSPXWN775xZdfA/w/oFcTRdKlny
 V9Eo2WTKtQXrz5rPg9U+jLJhKn1e67DHt2CoQqvQtMg2BUSX7YmLdzF3N5I4eiwt
 DYPf4YO/LIJnkKpKVWFLrYWwccXDacSvqIDQOuCU0nydlHnXviGRcUIWh15x0a8=
 =vbBe
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc,net,MAINTAINERS,build updates

MAINTAINERS updated with link to the security process documentation
apic version modified to make more guests happy
On top of that, bugfixes all over the place

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Wed 07 May 2014 17:15:29 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  configure: make source tree build more robust
  MAINTAINERS: addresses for responsible disclosure
  pm_smbus: correctly report unclaimed cycles
  smbus: return -1 if nothing found at the given address
  smbus: allow returning an error from reads
  apic: use emulated lapic version 0x14 on pc machines >= 2.1
  pc: add compat_props placeholder for 2.0 machine type
  i8259: don't abort when trying to use level sensitive irqs
  acpi: fix tables for no-hpet configuration
  acpi-build: properly decrement objects' reference counters
  acpi/pcihp.c: Rewrite acpi_pcihp_get_bsel using object_property_get_int

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 17:16:03 +01:00
Wei Liu
ad3f7e31bf xen: move Xen HVM files under hw/i386/xen
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07 16:14:56 +00:00
Paolo Bonzini
c8097612ce pm_smbus: correctly report unclaimed cycles
Without this patch, i2cdetect will report all addresses as present.
With it, only 0x50..0x57 are present.

Before:

         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
    00:          03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
    10: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
    20: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
    30: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
    40: 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
    50: 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
    60: 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
    70: 70 71 72 73 74 75 76 77

After:

         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
    00:          -- -- -- -- -- -- -- -- -- -- -- -- --
    10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    50: 50 51 52 53 54 55 56 57 -- -- -- -- -- -- -- --
    60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    70: -- -- -- -- -- -- -- --

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 19:14:51 +03:00
Wei Liu
d5fdb85e3d xen: move Xen PV machine files to hw/xenpv
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07 16:14:50 +00:00
Paolo Bonzini
046a184414 smbus: return -1 if nothing found at the given address
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 19:14:46 +03:00
Zhenzhong Duan
c976437c7d qemu-xen: free all the pirqs for msi/msix when driver unload
Pirqs are not freed when driver unload, then new pirqs are allocated when
driver reload. This could exhaust pirqs if do it in a loop.

This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in
msi/msix control reg.

There is also other way of fixing it such as reuse pirqs between driver reload,
but this way is better.
Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2

Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07 16:14:41 +00:00
Paolo Bonzini
285364e968 smbus: allow returning an error from reads
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 19:14:41 +03:00
Gabriel L. Somlo
aa93200b88 apic: use emulated lapic version 0x14 on pc machines >= 2.1
Add "version" property to local apic, and have it default to
0x14 for pc machines starting at 2.1. For compatibility with
previous releases, pc machines up to 2.0 will have their local
apic version set to 0x11.

Signed-off-by: Gabriel L. Somlo <somlo@cmu.edu>
Acked-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 18:36:37 +03:00
Gabriel L. Somlo
9df11c9f08 pc: add compat_props placeholder for 2.0 machine type
Add the "boilerplate" necessary for subsequent patches to
simply drop in compat_props for pc machines 2.0 and older.

This patch contains no functional changes.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Acked-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 18:36:37 +03:00
Hervé Poussineau
8cbad670ce i8259: don't abort when trying to use level sensitive irqs
This is a guest-triggerable error, as seen when using Xenix 2.3.4.
Replace hw_error by LOG_UNIMPL, so that guests can continue.
With this patch, I can install and use Xenix 2.3.4a without any problem.
I can also start installation of Xenix 2.3.4q, but it fails due to not
finding an hard disk.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 18:36:37 +03:00
Peter Maydell
8d1dc5d188 Some improvements for s390.
Two patches deal with address translation, one fixes a problem in the
 channel subsystem code.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJTae7qAAoJEN7Pa5PG8C+vLYAQALKbTtK5unCFbkVI0kJ1vCiP
 iwYfIh2+3sN8J5OEsqkH0U02x3s/X61i1rFR8lRfTib0KC28dGZWRcFJD/l0TBrv
 ELTBv3I3hssw0vHjPHLdI2/Ov4rmLlGWzLk5IbZXMoKT2SzFvlsYK804jrxchIjU
 G36sia4iZRxc0D8q8fKqXTVl9r1F7n2pLdBpW+AeMnUXnqzQfsKmT+Oyiju8U3wY
 9lRaFnRJmRCR03H4BQMdYYqnnoRW+4k/jrVKtjvRPu2VWYdqnN/0lZInJE91gRO0
 SyUczV13/jGSArcNJFUqsrEqCn+6wpXWZZS8pvp0zluShoZBJdkeVNdNSsE/Izgq
 RibN3D//o92pDL+N1X8Pf8tDkONuogyaBcfQusGUCCTN4o26RHFbRItilyezuVKr
 044Y7v15ZSEMUflUWWLc0QoZSH5PlHP6hwG34ty0eOOyzmqVAybv6i4YuDGQuhmr
 OFu2ewqZR9Dxa4SHF1suWhuKSkdKYryXBOuxaoq0qC7/UbvsK5280A1jXockopzd
 qhI3idbfnmmE60UsUOIFw6InBYh0iSNYMELMc53eBzluprAkfa8pAeYF9a36FRcK
 /DaAatACBc2xp+e5fbLttNqJmLdVUKpnumXwAeKBX96ZHVIak3rG+R+uv0ys9fis
 DVn2hSYFTnS9xTLzp0MY
 =wjNY
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140507' into staging

Some improvements for s390.

Two patches deal with address translation, one fixes a problem in the
channel subsystem code.

# gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/s390x-20140507:
  s390x/css: Don't save orb in subchannel.
  s390x/helper: Added format control bit to MMU translation
  s390x/helper: Fixed real-to-absolute address translation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 16:06:38 +01:00
Peter Maydell
c9541f67df migration/next for 20140505
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJTZ/QsAAoJEPSH7xhYctcjJ4wP/31lNMpPLxdRpxpUoTPK39L0
 zEoBTUH5dzG2FG34p8/znNH0Lbmc3GALqP9UzyM0sL3QU0EDwqAP0idLJ/8zHrYN
 ZNJnNH6wexlpEypAsyQiayAFYAq6bc3hYtnEurN56dQgPVgb6jCicuOAt26JafLg
 xuGIuencgaEFZaIb8iobxloqDX9raoq0+JfnoV8r02+ES+PG+HHfZsAlbDiWpj/Z
 o06WBq9Xvf8X/zvuGHb9PCLGK36+kxPJ2G2531TJGZ6BjjewDExF2xlQH+PQ8pQB
 d2OKCP0In66JfyLu6JBz21APrks7DJxsuenvoqPhxhtlIcBSm+grZElNLbccDMLQ
 3fteWOCcri5WSwKNAkZ138D5SzIArZFBlqD9qW0GQsiaj3tCxfy162JAmzRPa94i
 R5OJCTDclwjCH6JvRsOs8NrQyYcXHcEl2rfeymfr68YOH5XBMeRPhcR91tVr03ow
 ZVgvwC/TJHntKnW+qtGIOa9Wfq4KghjddD37ayPAqKM/GQ0TV2sAPEr2htDaBZ0l
 5O/YGsAZPKax72OnMR2ObqoIMokympeanQLxG3Q8VKQSU2c+aU3rGVQrG1juiVYw
 NiC/nzarFzFWU8UYToXIu2QBDTde2vuRLX/myzL7L4OLavOcv8EXZBp60DP/bktE
 Pd+jdeLMh9kWu1tFrE8F
 =VoYL
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' into staging

migration/next for 20140505

# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20140505: (36 commits)
  migration: expose xbzrle cache miss rate
  migration: expose the bitmap_sync_count to the end
  migration: Add counts of updating the dirty bitmap
  XBZRLE: Fix one XBZRLE corruption issues
  migration: remove duplicate code
  Coverity: Fix failure path for qemu_accept in migration
  Init the XBZRLE.lock in ram_mig_init
  Provide init function for ram migration
  Count used RAMBlock pages for migration_dirty_pages
  Make qemu_peek_buffer loop until it gets it's data
  Disallow outward migration while awaiting incoming migration
  virtio: validate config_len on load
  virtio-net: out-of-bounds buffer write on load
  openpic: avoid buffer overrun on incoming migration
  ssi-sd: fix buffer overrun on invalid state load
  savevm: Ignore minimum_version_id_old if there is no load_state_old
  usb: sanity check setup_index+setup_len in post_load
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
  virtio-scsi: fix buffer overrun on invalid state load
  zaurus: fix buffer overrun on invalid state load
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 14:51:21 +01:00
Peter Maydell
7f8fea8b3d QOM/QTest infrastructure fixes and device conversions
* -device / device_add assertion fix
 * QEMUMachine conversion to MachineClass
 * Device error handling improvements
 * QTest cleanups and test cases for some more PCI devices
 * PortIO memory leak fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTZ9+EAAoJEPou0S0+fgE/wAsP/RymQyMGXbvkzy89UQ+V/y8B
 YWGd+mfdNpic8ofCFP792uVNFhR9IfIEg+ZK4qJ8iI68B4MWXbJtvaAQZm+LrWJJ
 fFMUsI7Cl4mDPpCq5cXVgA1Df7YwarPG5rnq20A2XGFUANaO6pROxNt72K940sW8
 q1O7tMPZ1T//EBAKFYj6UhAbHa+C6vwYQmosaRoZ4uj8NZdP3uCZLKqhAE44QZcc
 nAQwWHsev3Qv0Tvx3DYbOjXZugXiUryKd8yX+PaKyQuHEdCaLjK/eGjMYbhUkqol
 4i44tbjnjUYPnAxZtIrYtDFDepyVaVvsLyP3K+0zHKkWhOl+nlqa+ERnycz2Q1de
 w+FXuftMOf+S/HO1kjv8JBUh4vcgLT77qrE/h1D5thXcTe4jz8WTEB/irUfZl7oa
 dGbSiAPaggrKIf/nBJVDnHaqIdCgMQ/WgNaSsRfKazP1OM04B0F7KKEVPTU9Zo6y
 rDYOKtsL3va+uD8ntf7kBCBjfhmJ2L+IZvI27xc0FISKgg9XXTwX8NhdfvM0/GIC
 F4guEGmralNAIjhBVUy+ajq6E2ku/i04CEfFyofgUVQ2kTcDMwhqSdG2WBjEQs2e
 NsteCfAu7B8EJ3lQa6F856k+/u1FiIRHDR6+Qi/qW2yAjdn3USMm7KWTtQaEQn8Y
 ZE2gvvnMmiWkzTSlmRUz
 =UrRJ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging

QOM/QTest infrastructure fixes and device conversions

* -device / device_add assertion fix
* QEMUMachine conversion to MachineClass
* Device error handling improvements
* QTest cleanups and test cases for some more PCI devices
* PortIO memory leak fixes

# gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter:
  PortioList: Store PortioList in device state
  tests: Add EHCI qtest
  tests: Add ioh3420 qtest
  tests: Add intel-hda qtests
  tests: Add es1370 qtest
  tests: Add ac97 qtest
  qtest: Be paranoid about accept() addrlen argument
  qtest: Add error reporting to socket_accept()
  qtest: Assure that init_socket()'s listen() does not fail
  MAINTAINERS: Document QOM
  arm: Clean up fragile use of error_is_set() in realize() methods
  qom: Clean up fragile use of error_is_set() in set() methods
  hw: Consistently name Error ** objects errp, and not err
  hw: Consistently name Error * objects err, and not errp
  machine: Remove QEMUMachine indirection from MachineClass
  machine: Replace QEMUMachine by MachineClass in accelerator configuration
  vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs
  machine: Copy QEMUMachine's fields to MachineClass
  machine: Remove obsoleted field from QEMUMachine
  qdev: Fix crash by validating the object type

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 13:47:26 +01:00
Michael S. Tsirkin
9ac1c4c07e acpi: fix tables for no-hpet configuration
acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled.  If no tables follow hpet, this could lead to a malformed
rsdt.

Fix it up.

To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.

Reported-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
2014-05-07 12:13:42 +03:00
Kirill Batuzov
097a97a665 acpi-build: properly decrement objects' reference counters
Object returned by object_property_get_qobject needs its reference counter to
be decremented when it is not needed by caller anymore.

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 12:13:42 +03:00
Kirill Batuzov
7c38ecd097 acpi/pcihp.c: Rewrite acpi_pcihp_get_bsel using object_property_get_int
acpi_pcihp_get_bsel implements functionality of object_property_get_int for
specific property named ACPI_PCIHP_PROP_BSEL, but fails to decrement object's
reference counter properly. Rewriting it using generic object_property_get_int
serves two purposes: reducing code duplication and fixing memory leak.

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-07 12:13:42 +03:00
Cornelia Huck
56bf1a8e90 s390x/css: Don't save orb in subchannel.
Current css code saves the operation request block (orb) in the
subchannel structure for later consumption by the start function
handler. This might make sense for asynchronous execution of the
start function (which qemu doesn't support), but not in our case;
it would even be wrong since orb contains a reference to a local
variable in the base ssch handler.

Let's just pass the orb through the start function call chain for
ssch; for rsch, we can pass NULL as the backend function does not
use any information passed via the orb there.

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-05-07 10:17:35 +02:00
Peter Maydell
951916d02c ohci live migration.
mtp bugfixes.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTZ3FAAAoJEEy22O7T6HE4Ht8P/jHSJNxwobe9ZliI82kJQ5of
 YeRkTGkr58cnqDbcfsJp1RFFvJiYg7DTz57sDq9xB9SJMfwtnP99VV2dI+k/556q
 jONi2cwiIDzI3Tub8Hkt0B4VLt1lAygzP/8Nqb7A5Nu1+6GVVwJa3UX0KJ4m+SXY
 RYs42ECNQZddaAvO1+AFe/pUSLLbasB9Fd/MR3tuW0dRV9EBE4859tMijnFNov+0
 4DswAcgjQqmgET9cF8xyyt0TKml3aAGGQLkbEJZ11tf1oeuBpcBbLrPrK4KvIB6a
 paVzxP6OSE7B4IZio7DjOjnfUuJ9LK7F7l19DwP/8d7irJ4w0HrzdwnD9I3o3CwW
 gsJZyoBUxCr6reCzPnMpP99pobVf/G/gSRV8bRiOyqqJcD/pRwejxMS30Yg3Lzlp
 ckl/XLlQJ9JPDn86v1CTBdDv337S71X5t5PDlLzZ0na1FJM1zl5GDgrfaNAdXDrY
 ghDH8Hl4dzq5RRxMDUtFpNwYNpNtBcLeDqafTAe50LnASbNuYTfaatKfDy82LQvd
 SJIWR+zYkE32bz1m8CQb3Wkq9hGrej8hGVISJu6IcPgZJEtOHd/v+nCPcgbGi79a
 87Bu3ylGAQXdQibQOeiLSJh//GwbpOBhBkQPaLkM6OH2pLRNbHzASo97hA7Q7+6d
 gDMDrk67EqH07Tr8tkCv
 =8BxQ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-6' into staging

ohci live migration.
mtp bugfixes.

# gpg: Signature made Mon 05 May 2014 12:08:48 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-6:
  usb: mtp: reply INCOMPLETE_TRANSFER on read errors
  usb: mtp: fix possible buffer overflow
  usb: mtp: drop data-out hexdump
  usb: mtp: avoid empty description string
  usb: mtp: fix error path memory leak
  usb: mtp: fix serial (must be exact 32 chars)
  usb: mtp: fix version (is decimal not bcd)
  usb: mtp: fix usb_mtp_add_u64
  usb: mtp: replace debug printfs with trace points
  usb-ohci: Add vmstate descriptor

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-06 13:06:32 +01:00
Michael S. Tsirkin
a890a2f913 virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
98f93ddd84 virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael Roth
73d963c0a7 openpic: avoid buffer overrun on incoming migration
CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
a9c380db3b ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
9f8e9895c5 usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
3476436a44 vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
3c3ce98142 virtio-scsi: fix buffer overrun on invalid state load
CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
52f91c3723 zaurus: fix buffer overrun on invalid state load
CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
5193be3be3 tsc210x: fix buffer overrun on invalid state load
CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
ead7a57df3 ssd0323: fix buffer overun on invalid state load
CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
caa881abe0 pxa2xx: avoid buffer overrun on incoming migration
CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
36cf2a3713 virtio: validate num_sg when mapping
CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00