From f8b3e48b2d269551cd40f94770dc20da2f402325 Mon Sep 17 00:00:00 2001
From: James Hogan <james.hogan@imgtec.com>
Date: Fri, 24 Apr 2015 11:26:52 +0100
Subject: [PATCH 1/8] mips/kvm: Fix Big endian 32-bit register access
Fix access to 32-bit registers on big endian targets. The pointer passed
to the kernel must be for the actual 32-bit value, not a temporary
64-bit value, otherwise on big endian systems the kernel will only
interpret the upper half.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: kvm@vger.kernel.org
Cc: qemu-stable@nongnu.org
Message-Id: <1429871214-23514-2-git-send-email-james.hogan@imgtec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target-mips/kvm.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/target-mips/kvm.c b/target-mips/kvm.c
index bd64a70bcd..85256f3104 100644
--- a/target-mips/kvm.c
+++ b/target-mips/kvm.c
@@ -235,10 +235,9 @@ int kvm_mips_set_ipi_interrupt(MIPSCPU *cpu, int irq, int level)
static inline int kvm_mips_put_one_reg(CPUState *cs, uint64_t reg_id,
int32_t *addr)
{
- uint64_t val64 = *addr;
struct kvm_one_reg cp0reg = {
.id = reg_id,
- .addr = (uintptr_t)&val64
+ .addr = (uintptr_t)addr
};
return kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &cp0reg);
@@ -270,18 +269,12 @@ static inline int kvm_mips_put_one_reg64(CPUState *cs, uint64_t reg_id,
static inline int kvm_mips_get_one_reg(CPUState *cs, uint64_t reg_id,
int32_t *addr)
{
- int ret;
- uint64_t val64 = 0;
struct kvm_one_reg cp0reg = {
.id = reg_id,
- .addr = (uintptr_t)&val64
+ .addr = (uintptr_t)addr
};
- ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &cp0reg);
- if (ret >= 0) {
- *addr = val64;
- }
- return ret;
+ return kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &cp0reg);
}
static inline int kvm_mips_get_one_ulreg(CPUState *cs, uint64 reg_id,
From 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6 Mon Sep 17 00:00:00 2001
From: James Hogan <james.hogan@imgtec.com>
Date: Fri, 24 Apr 2015 11:26:53 +0100
Subject: [PATCH 2/8] mips/kvm: Sign extend registers written to KVM
In case we're running on a 64-bit host, be sure to sign extend the
general purpose registers and hi/lo/pc before writing them to KVM, so as
to take advantage of MIPS32/MIPS64 compatibility.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: kvm@vger.kernel.org
Cc: qemu-stable@nongnu.org
Message-Id: <1429871214-23514-3-git-send-email-james.hogan@imgtec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target-mips/kvm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/target-mips/kvm.c b/target-mips/kvm.c
index 85256f3104..d287d42883 100644
--- a/target-mips/kvm.c
+++ b/target-mips/kvm.c
@@ -628,12 +628,12 @@ int kvm_arch_put_registers(CPUState *cs, int level)
/* Set the registers based on QEMU's view of things */
for (i = 0; i < 32; i++) {
- regs.gpr[i] = env->active_tc.gpr[i];
+ regs.gpr[i] = (int64_t)(target_long)env->active_tc.gpr[i];
}
- regs.hi = env->active_tc.HI[0];
- regs.lo = env->active_tc.LO[0];
- regs.pc = env->active_tc.PC;
+ regs.hi = (int64_t)(target_long)env->active_tc.HI[0];
+ regs.lo = (int64_t)(target_long)env->active_tc.LO[0];
+ regs.pc = (int64_t)(target_long)env->active_tc.PC;
ret = kvm_vcpu_ioctl(cs, KVM_SET_REGS, ®s);
From 586d2142a9f1aa5a1dceb0941e7b3f0953974a8b Mon Sep 17 00:00:00 2001
From: Gonglei <arei.gonglei@huawei.com>
Date: Fri, 10 Jul 2015 08:51:28 +0800
Subject: [PATCH 3/8] ppc/spapr_drc: fix memory leak
fix CID 1311373.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <1436489490-236-3-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/ppc/spapr_drc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index ef985381cb..ee874326ee 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -422,6 +422,7 @@ static void realize(DeviceState *d, Error **errp)
error_free(err);
object_unref(OBJECT(drc));
}
+ g_free(child_name);
DPRINTFN("drc realize complete");
}
From 5348c62cab309b68ecd13a33c9f21e8d6071af72 Mon Sep 17 00:00:00 2001
From: Gonglei <arei.gonglei@huawei.com>
Date: Fri, 10 Jul 2015 08:51:29 +0800
Subject: [PATCH 4/8] arm/xlnx-zynqmp: fix memory leak
fix CID 1311372.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <1436489490-236-4-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/arm/xlnx-zynqmp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 5e7207846e..62ef4ceb32 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -144,6 +144,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
} else {
s->boot_cpu_ptr = &s->apu_cpu[i];
}
+ g_free(name);
object_property_set_int(OBJECT(&s->apu_cpu[i]), GIC_BASE_ADDR,
"reset-cbar", &err);
@@ -181,6 +182,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
} else {
s->boot_cpu_ptr = &s->rpu_cpu[i];
}
+ g_free(name);
object_property_set_bool(OBJECT(&s->rpu_cpu[i]), true, "reset-hivecs",
&err);
From 24b41d66c8ad8f77839fca777b92e365dad0cf5c Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Fri, 10 Jul 2015 20:08:52 +0100
Subject: [PATCH 5/8] RDMA: Fix error exits
The error checks I added used 'break' after the error, but I'm
in a switch inside the while loop, so they need to be 'goto out'.
Spotted by coverity; entries 1311368 and 1311369
Fixes: afcddefd
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1436555332-19076-1-git-send-email-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
migration/rdma.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/migration/rdma.c b/migration/rdma.c
index f106b2a818..74876fd7ab 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -2997,7 +2997,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
(unsigned int)comp->block_idx,
rdma->local_ram_blocks.nb_blocks);
ret = -EIO;
- break;
+ goto out;
}
block = &(rdma->local_ram_blocks.block[comp->block_idx]);
@@ -3092,7 +3092,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
(unsigned int)reg->current_index,
rdma->local_ram_blocks.nb_blocks);
ret = -ENOENT;
- break;
+ goto out;
}
block = &(rdma->local_ram_blocks.block[reg->current_index]);
if (block->is_ram_block) {
@@ -3102,7 +3102,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
block->block_name, block->offset,
reg->key.current_addr);
ret = -ERANGE;
- break;
+ goto out;
}
host_addr = (block->local_host_addr +
(reg->key.current_addr - block->offset));
@@ -3118,7 +3118,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque)
" chunk: %" PRIx64,
block->block_name, reg->key.chunk);
ret = -ERANGE;
- break;
+ goto out;
}
}
chunk_start = ram_chunk_start(block, chunk);
From c6742b14fe7352059cd4954a356a8105757af31b Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 14 Jul 2015 13:45:34 +0200
Subject: [PATCH 6/8] memory: fix refcount leak in memory_region_present
memory_region_present() leaks a reference to a MemoryRegion in the
case "mr == container". While fixing it, avoid reference counting
altogether for memory_region_present(), by using RCU only.
The return value could in principle be already invalid immediately
after memory_region_present returns, but presumably the caller knows
that and it's using memory_region_present to probe for devices that
are unpluggable, or something like that. The RCU critical section
is needed anyway, because it protects as->current_map.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
memory.c | 44 ++++++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/memory.c b/memory.c
index 5a0cc66982..0acebb1f22 100644
--- a/memory.c
+++ b/memory.c
@@ -1887,23 +1887,16 @@ static FlatRange *flatview_lookup(FlatView *view, AddrRange addr)
sizeof(FlatRange), cmp_flatrange_addr);
}
-bool memory_region_present(MemoryRegion *container, hwaddr addr)
-{
- MemoryRegion *mr = memory_region_find(container, addr, 1).mr;
- if (!mr || (mr == container)) {
- return false;
- }
- memory_region_unref(mr);
- return true;
-}
-
bool memory_region_is_mapped(MemoryRegion *mr)
{
return mr->container ? true : false;
}
-MemoryRegionSection memory_region_find(MemoryRegion *mr,
- hwaddr addr, uint64_t size)
+/* Same as memory_region_find, but it does not add a reference to the
+ * returned region. It must be called from an RCU critical section.
+ */
+static MemoryRegionSection memory_region_find_rcu(MemoryRegion *mr,
+ hwaddr addr, uint64_t size)
{
MemoryRegionSection ret = { .mr = NULL };
MemoryRegion *root;
@@ -1924,11 +1917,10 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr,
}
range = addrrange_make(int128_make64(addr), int128_make64(size));
- rcu_read_lock();
view = atomic_rcu_read(&as->current_map);
fr = flatview_lookup(view, range);
if (!fr) {
- goto out;
+ return ret;
}
while (fr > view->ranges && addrrange_intersects(fr[-1].addr, range)) {
@@ -1944,12 +1936,32 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr,
ret.size = range.size;
ret.offset_within_address_space = int128_get64(range.start);
ret.readonly = fr->readonly;
- memory_region_ref(ret.mr);
-out:
+ return ret;
+}
+
+MemoryRegionSection memory_region_find(MemoryRegion *mr,
+ hwaddr addr, uint64_t size)
+{
+ MemoryRegionSection ret;
+ rcu_read_lock();
+ ret = memory_region_find_rcu(mr, addr, size);
+ if (ret.mr) {
+ memory_region_ref(ret.mr);
+ }
rcu_read_unlock();
return ret;
}
+bool memory_region_present(MemoryRegion *container, hwaddr addr)
+{
+ MemoryRegion *mr;
+
+ rcu_read_lock();
+ mr = memory_region_find_rcu(container, addr, 1).mr;
+ rcu_read_unlock();
+ return mr && mr != container;
+}
+
void address_space_sync_dirty_bitmap(AddressSpace *as)
{
FlatView *view;
From becaeb726ae7da4212a788773ebdfe87b4833f5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Date: Fri, 10 Jul 2015 19:18:00 +0200
Subject: [PATCH 7/8] crypto: fix build with nettle >= 3.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In nettle 3, cbc_encrypt() accepts 'nettle_cipher_func' instead of
'nettle_crypt_func' and these two differ in 'const' qualifier of the
first argument. The build fails with:
In file included from crypto/cipher.c:71:0:
./crypto/cipher-nettle.c: In function ‘qcrypto_cipher_encrypt’:
./crypto/cipher-nettle.c:154:38: error: passing argument 2 of
‘nettle_cbc_encrypt’ from incompatible pointer type
cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt,
^
In file included from ./crypto/cipher-nettle.c:24:0,
from crypto/cipher.c:71:
/usr/include/nettle/cbc.h:48:1: note: expected
‘void (*)(const void *, size_t, uint8_t *, const uint8_t *)
but argument is of type
‘void (*)( void *, size_t, uint8_t *, const uint8_t *)
To allow both versions, we switch to the new definition and #if typedef
it for old versions.
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Message-Id: <1436548682-9315-2-git-send-email-rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
configure | 4 +++-
crypto/cipher-nettle.c | 16 ++++++++++------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/configure b/configure
index 33b945530e..cc0338ddbd 100755
--- a/configure
+++ b/configure
@@ -2183,6 +2183,7 @@ if test "$gnutls_nettle" != "no"; then
if $pkg_config --exists "nettle"; then
nettle_cflags=`$pkg_config --cflags nettle`
nettle_libs=`$pkg_config --libs nettle`
+ nettle_version=`$pkg_config --modversion nettle`
libs_softmmu="$nettle_libs $libs_softmmu"
libs_tools="$nettle_libs $libs_tools"
QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
@@ -4490,7 +4491,7 @@ echo "GTK support $gtk"
echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS gcrypt $gnutls_gcrypt"
-echo "GNUTLS nettle $gnutls_nettle"
+echo "GNUTLS nettle $gnutls_nettle ${gnutls_nettle+($nettle_version)}"
echo "VTE support $vte"
echo "curses support $curses"
echo "curl support $curl"
@@ -4858,6 +4859,7 @@ if test "$gnutls_gcrypt" = "yes" ; then
fi
if test "$gnutls_nettle" = "yes" ; then
echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak
+ echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
fi
if test "$vte" = "yes" ; then
echo "CONFIG_VTE=y" >> $config_host_mak
diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c
index e5a14bc139..e61aaa29f0 100644
--- a/crypto/cipher-nettle.c
+++ b/crypto/cipher-nettle.c
@@ -23,12 +23,16 @@
#include <nettle/des.h>
#include <nettle/cbc.h>
+#if CONFIG_NETTLE_VERSION_MAJOR < 3
+typedef nettle_crypt_func nettle_cipher_func;
+#endif
+
typedef struct QCryptoCipherNettle QCryptoCipherNettle;
struct QCryptoCipherNettle {
void *ctx_encrypt;
void *ctx_decrypt;
- nettle_crypt_func *alg_encrypt;
- nettle_crypt_func *alg_decrypt;
+ nettle_cipher_func *alg_encrypt;
+ nettle_cipher_func *alg_decrypt;
uint8_t *iv;
size_t niv;
};
@@ -83,8 +87,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
des_set_key(ctx->ctx_encrypt, rfbkey);
g_free(rfbkey);
- ctx->alg_encrypt = (nettle_crypt_func *)des_encrypt;
- ctx->alg_decrypt = (nettle_crypt_func *)des_decrypt;
+ ctx->alg_encrypt = (nettle_cipher_func *)des_encrypt;
+ ctx->alg_decrypt = (nettle_cipher_func *)des_decrypt;
ctx->niv = DES_BLOCK_SIZE;
break;
@@ -98,8 +102,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
aes_set_encrypt_key(ctx->ctx_encrypt, nkey, key);
aes_set_decrypt_key(ctx->ctx_decrypt, nkey, key);
- ctx->alg_encrypt = (nettle_crypt_func *)aes_encrypt;
- ctx->alg_decrypt = (nettle_crypt_func *)aes_decrypt;
+ ctx->alg_encrypt = (nettle_cipher_func *)aes_encrypt;
+ ctx->alg_decrypt = (nettle_cipher_func *)aes_decrypt;
ctx->niv = AES_BLOCK_SIZE;
break;
From d3462e378f40ba6838b6c42584c30769ca633e6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Date: Fri, 10 Jul 2015 19:18:01 +0200
Subject: [PATCH 8/8] crypto: avoid undefined behavior in nettle calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling a function pointer that was cast from an incompatible function
results in undefined behavior. 'void *' isn't compatible with 'struct
XXX *', so we can't cast to nettle_cipher_func, but have to provide a
wrapper. (Conversion from 'void *' to 'struct XXX *' might require
computation, which won't be done if we drop argument's true type, and
pointers can have different sizes so passing arguments on stack would
bug.)
Having two different prototypes based on nettle version doesn't make
this solution any nicer.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Message-Id: <1437062641-12684-3-git-send-email-rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
crypto/cipher-nettle.c | 43 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c
index e61aaa29f0..a55a8e8bc5 100644
--- a/crypto/cipher-nettle.c
+++ b/crypto/cipher-nettle.c
@@ -25,8 +25,43 @@
#if CONFIG_NETTLE_VERSION_MAJOR < 3
typedef nettle_crypt_func nettle_cipher_func;
+
+typedef void * cipher_ctx_t;
+typedef unsigned cipher_length_t;
+#else
+typedef const void * cipher_ctx_t;
+typedef size_t cipher_length_t;
#endif
+static nettle_cipher_func aes_encrypt_wrapper;
+static nettle_cipher_func aes_decrypt_wrapper;
+static nettle_cipher_func des_encrypt_wrapper;
+static nettle_cipher_func des_decrypt_wrapper;
+
+static void aes_encrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ aes_encrypt(ctx, length, dst, src);
+}
+
+static void aes_decrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ aes_encrypt(ctx, length, dst, src);
+}
+
+static void des_encrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ des_encrypt(ctx, length, dst, src);
+}
+
+static void des_decrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ des_decrypt(ctx, length, dst, src);
+}
+
typedef struct QCryptoCipherNettle QCryptoCipherNettle;
struct QCryptoCipherNettle {
void *ctx_encrypt;
@@ -87,8 +122,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
des_set_key(ctx->ctx_encrypt, rfbkey);
g_free(rfbkey);
- ctx->alg_encrypt = (nettle_cipher_func *)des_encrypt;
- ctx->alg_decrypt = (nettle_cipher_func *)des_decrypt;
+ ctx->alg_encrypt = des_encrypt_wrapper;
+ ctx->alg_decrypt = des_decrypt_wrapper;
ctx->niv = DES_BLOCK_SIZE;
break;
@@ -102,8 +137,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
aes_set_encrypt_key(ctx->ctx_encrypt, nkey, key);
aes_set_decrypt_key(ctx->ctx_decrypt, nkey, key);
- ctx->alg_encrypt = (nettle_cipher_func *)aes_encrypt;
- ctx->alg_decrypt = (nettle_cipher_func *)aes_decrypt;
+ ctx->alg_encrypt = aes_encrypt_wrapper;
+ ctx->alg_decrypt = aes_decrypt_wrapper;
ctx->niv = AES_BLOCK_SIZE;
break;