This function is only needed when Q35 is in use. Moving it to
the same file that uses it lets you disable the entire USB
subsystem in x86_64-softmmu.mak; of course doing that will
cause -usb to break horribly, but one thing at a time.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1545064358-4601-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This patch introduces a new system bus generic EHCI controller.
For the system bus EHCI controller, we've already had "xlnx",
"exynos4210", "tegra2", "ppc4xx" and "fusbh200", they are specific and
only suitable for their own platforms, platforms such as an Arm server,
may need a generic system bus EHCI controller, this patch creates it,
and the kernel driver ehci_platform.c works well on it.
Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
Message-id: 1546077657-22637-1-git-send-email-hongbo.zhang@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
In usb_device_post_load, certain values of dev->setup_len or
dev->setup_index can cause -EINVAL to be returned. One example is when
setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf).
This can happen through legitimate guest activity and will cause all
subsequent attempts to migrate the guest to fail in vmstate_load_state.
The values of these variables can be set by USB packets originating in
the guest. There are two ways in which they can be set: in
do_token_setup and in do_parameter in hw/usb/core.c.
It is easy to craft a USB packet in a guest that causes do_token_setup
to set setup_len to a value larger than 4096. When this has been done
once, all subsequent attempts to migrate the VM will fail in
usb_device_post_load until the VM is next power-cycled or a
smaller-sized USB packet is sent to the device.
Sample code for achieving this in a VM started with "-device usb-tablet"
running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
int main() {
char buf[4097];
int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK);
buf[0] = 0x1;
write(fd, buf, 4097);
return 0;
}
When this code is run in the VM, qemu will output:
usb_generic_handle_packet: ctrl buffer too small (4097 > 4096)
A subsequent attempt to migrate the VM will fail and output the
following on the destination host:
qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr'
qemu-kvm: load of migration failed: Invalid argument
The idea behind checking the values of setup_len and setup_index before
they are used is correct, but doing it in usb_device_post_load feels
arbitrary, and will cause unnecessary migration failures. Indeed, none
of the commit messages for c60174e8, 9f8e9895 and 719ffe1f justify why
post_load is the right place to do these checks. They correctly point
out that the important thing to protect is the usb_packet_copy.
Instead, the right place to do the checks is in do_token_setup and
do_parameter. Indeed, there are already some checks here. We can examine
each of the disjuncts currently tested in usb_device_post_load to see
whether any need adding to do_token_setup or do_parameter to improve
safety there:
* dev->setup_index < 0
- This test is not needed because setup_index is explicitly set to
0 in do_token_setup and do_parameter.
* dev->setup_len < 0
- In both do_token_setup and do_parameter, the value of setup_len
is computed by (s->setup_buf[7] << 8) | s->setup_buf[6]. Since
s->setup_buf is a byte array and setup_len is an int32_t, it's
impossible for this arithmetic to set setup_len's top bit, so it can
never be negative.
* dev->setup_index > dev->setup_len
- Since setup_index is 0, this is equivalent to the previous test,
so is redundant.
* dev->setup_len > sizeof(dev->data_buf)
- This condition is already explicitly checked in both
do_token_setup and do_parameter.
Hence there is no need to bolster the existing checks in do_token_setup
or do_parameter, and we can safely remove these checks from
usb_device_post_load without reducing safety but allowing migrations to
proceed regardless of what USB packets have been generated by the guest.
Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
Message-Id: <20190107175117.23769-1-jonathan.davies@nutanix.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
In previous commit:
commit 7dea29e4af
Author: Li Qiang <liq3ea@gmail.com>
Date: Fri Oct 19 03:50:36 2018 -0700
hw: ccid-card-emulated: cleanup resource when realize in error path
The emulated_realize method was changed so that it jumps to a cleanup
label to de-initialize state upon error. This change failed to ensure
the success path exited the method before this point though. So the
mutexes are always destroyed even in normal operation. The result is
as crashtastic as expected:
$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0
qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
Aborted (core dumped)
Fixes: 7dea29e4af
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181221134115.27973-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
qemu_extra_params_fw[] has external linkage, but is used
only in fw_cfg_bootsplash(), it makes sense to make it
locally.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <1542777026-2788-4-git-send-email-liq3ea@gmail.com>
[PMD: Removed qemu_extra_params_fw declaration in vl.c]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
fw_cfg_reboot() gets option parameter "reboot-timeout" with
qemu_opt_get(), then converts it to an integer by hand. It neglects to
check that conversion for errors, and fails to reject negative values.
Positive values above the limit get reported and replaced by the limit.
This patch checks for conversion errors properly, and reject all values
outside 0...0xffff.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <1542777026-2788-3-git-send-email-liq3ea@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
fw_cfg_bootsplash() gets option parameter "splash-time"
with qemu_opt_get(), then converts it to an integer by hand.
It neglects to check that conversion for errors. This is
needlessly complicated and error-prone. But as "splash-time
not specified" is not the same as "splash-time=T" for any T,
we need use qemu_opt_get() to check if splash time exists.
This patch also make the qemu exit when finding or loading
splash file failed.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <1542777026-2788-2-git-send-email-liq3ea@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
read_splashfile() reports "failed to read splash file" without
further details. Get the details from g_file_get_contents(), and
include them in the error message. Also remove unnecessary 'res'
variable.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <1541052148-28752-1-git-send-email-liq3ea@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
The dmg file has many tables which describe: "start from sector XXX to
sector XXX, the compression method is XXX and where the compressed data
resides on".
Each sector in the expanded file should be covered by a table. The table
will describe the offset of compressed data (or raw depends on the type)
in the dmg.
For example:
[-----------The expanded file------------]
[---bzip table ---]/* zeros */[---zlib---]
^
| if we want to read this sector.
we will find bzip table which contains this sector, and get the
compressed data offset, read it from dmg, uncompress it, finally write to
expanded file.
If we skip zero chunk (table), some sector cannot find the table which
will cause search_chunk() return s->n_chunks, dmg_read_chunk() return -1
and finally causing dmg_co_preadv() return EIO.
See:
[-----------The expanded file------------]
[---bzip table ---]/* zeros */[---zlib---]
^
| if we want to read this sector.
Oops, we cannot find the table contains it...
In the original implementation, we don't have zero table. When we try to
read sector inside the zero chunk. We will get EIO, and skip reading.
After this patch, we treat zero chunk the same as ignore chunk, it will
directly write zero and avoid some sector may not find the table.
After this patch:
[-----------The expanded file------------]
[---bzip table ---][--zeros--][---zlib---]
Signed-off-by: yuchenlin <npes87184@gmail.com>
Reviewed-by: Julio Faracco <jcfaracco@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20190103114700.9686-4-npes87184@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
There is a possible hang in original binary search implementation. That is
if chunk1 = 4, chunk2 = 5, chunk3 = 4, and we go else case.
The chunk1 will be still 4, and so on.
Signed-off-by: yuchenlin <npes87184@gmail.com>
Message-id: 20190103114700.9686-2-npes87184@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This is a trivial patch to fix a wrong value for block terminator.
The old value was 0x7fffffff which is wrong. It was not affecting the
code because QEMU dmg block is not handling block terminator right now.
Neverthless, it should be fixed.
Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
Reviewed-by: yuchenlin <yuchenlin@synology.com>
Message-id: 20181228145055.18039-1-jcfaracco@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJcLj4bAAoJENSXKoln91plJ3MH/RauD4z1smuHP2LBRqtUgFEv
+pZxNtmHQGcpJ6QexYzldcGR4gPgiBW6AYO3qVFSduwNWO7UjOPBAl/fKvlz5pWL
BJw9odsrOXjG/6cXcy3QWkYxizC/0/HzPjWa3/sSa3Dkygib9jB80wzR3ZpFreLo
XQsbcwso4aaoB0X1M4tfHsY6xUcxmzB+V73xFh2ptHrMTGoCZJbo12Np0rdwEa9v
WMV9wn1ptB3R0QJNxA2X+vbnJsXujG15DZC7Wj1HUmz9LcLG5doTCGXLXOxD0zhy
6HKB/bVTvbDdDti17JvbmtdVhzgoLMtnQFly0e77px3XRMonQHMpsQGCIvWyd+g=
=y41H
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-december-2018-v3' into staging
MIPS queue for December 2018 - v3
# gpg: Signature made Thu 03 Jan 2019 16:53:47 GMT
# gpg: using RSA key D4972A8967F75A65
# gpg: Good signature from "Aleksandar Markovic <amarkovic@wavecomp.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8526 FBF1 5DA3 811F 4A01 DD75 D497 2A89 67F7 5A65
* remotes/amarkovic/tags/mips-queue-december-2018-v3: (44 commits)
tests/tcg: mips: Test R5900 three-operand MADDU1
tests/tcg: mips: Test R5900 three-operand MADDU
tests/tcg: mips: Test R5900 three-operand MADD1
tests/tcg: mips: Test R5900 three-operand MADD
disas: nanoMIPS: Add a note on documentation
disas: nanoMIPS: Reorder declarations and definitions of gpr decoders
disas: nanoMIPS: Comment the decoder of 'gpr1' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr1' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr2.reg2' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr2.reg2' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr2.reg1' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr2.reg1' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr4.zero' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr4.zero' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr4' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr4' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr3.src.store' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr3.src.store' gpr encoding type
disas: nanoMIPS: Comment the decoder of 'gpr3' gpr encoding type
disas: nanoMIPS: Rename the decoder of 'gpr3' gpr encoding type
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Test R5900 three-operand MADDU1.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Test R5900 three-operand MADDU.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Test R5900 three-operand MADD1.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Test R5900 three-operand MADD.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Add "nanoMIPS32 Instruction Set Technical Reference Manual" as
a reference.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Reorder declarations and definitions of gpr decoders by number of
input bits of corresponding encoding type.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr1' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr1' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr2.reg2' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr2.reg2' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr2.reg1' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr2.reg1' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr4.zero' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr4.zero' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr4' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr4' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr3.src.store' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr3.src.store' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Comment the decoder of 'gpr3' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename the decoder of 'gpr3' gpr encoding type in nanoMIPS
disassembler.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Fix order of extraction function invocations so that extraction
goes from MSB side to LSB side of the given instruction coding
content. This is desireable because of consistency and easier
visual spotting of errors.
After this patch, all such invocations should be in the desired
order.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename more functions that have names that are hard to understand.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename NMD::extract_ft_20_19_18_17_16(uint64 instruction) to
NMD::extract_ft_25_24_23_22_21(uint64 instruction).
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename NMD::extract_fs_15_14_13_12_11(uint64 instruction) to
NMD::extract_fs_20_19_18_17_16(uint64 instruction).
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename NMD::extract_fd_10_9_8_7_6(uint64 instruction) to
NMD::extract_fd_15_14_13_12_11(uint64 instruction).
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Rename some functions that have names that are hard to understand.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Fix order of extraction function invocations so that extraction
goes from MSB side to LSB side of the given instruction coding
content. This is desireable because of consistency and easier
visual spotting of errors.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Fix wrong function name. The convention in these files is that names of
extraction functions should reflect bit patterns they are extracting.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Some functions were not used at all. Compiler doesn't complain
since they are class memebers. Remove them - no future usage is
planned.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Fix several mistakes in preambles of nanomips disassembler source
files.
Reviewed-by: Aleksandar Rikalo <arikalo@wavecomp.com>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Use POSIX types and format strings.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
The three-operand MADD and MADDU are specific to R5900 cores.
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
The three-operand MADD and MADDU are specific to Sony R5900 core,
and Toshiba TX19/TX39/TX79 cores as well.
The "32-Bit TX System RISC TX39 Family Architecture manual"
is available at https://wiki.qemu.org/File:DSAE0022432.pdf
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Philippe Mathieu-Daudé<f4bug@amsat.org>
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Tested-by: Fredrik Noring <noring@nocrew.org>
Add translation handler for S32ALNI MXU instruction.
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Signed-off-by: Aleksandar Markovic <amarkovic@wavecomp.com>
