This patch fixes a bug in scsi_block_new_request() that was introduced
by commit 137745c5c6. If the host cache
is used - i.e. if BDRV_O_NOCACHE is _not_ set - the 'break' statement
needs to be executed to 'fall back' to SG_IO.
Cc: qemu-stable@nongnu.org
Signed-off-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2fe5a9f73b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 91e7fcca47)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce98142)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Newer firmware implement a LD_LIST_QUERY command, and due to a driver
issue no drives might be detected if this command isn't supported.
So add emulation for this command, too.
Cc: qemu-stable@nongnu.org
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 34bb4d02e0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Current buffer size fails the assersion check in like
hw/scsi/scsi-bus.c:1655: assert(req->sense_len <= sizeof(req->sense));
when backend (block/iscsi.c) returns more data then 96.
Exercise the core dump path by booting an Gentoo ISO with scsi-generic
device backed with iscsi (built with libiscsi 1.7.0):
x86_64-softmmu/qemu-system-x86_64 \
-drive file=iscsi://localhost:3260/iqn.foobar/0,if=none,id=drive-disk \
-device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 \
-device scsi-generic,drive=drive-disk,bus=scsi1.0,id=iscsi-disk \
-boot d \
-cdrom gentoo.iso
qemu-system-x86_64: hw/scsi/scsi-bus.c:1655: scsi_req_complete:
Assertion `req->sense_len <= sizeof(req->sense)' failed.
According to SPC-4, section 4.5.2.1, 252 is the limit of sense data. So
increase the value to fix it.
Also remove duplicated define for the macro.
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c5f52875b9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The transfer length depends on field BYTCHK, which is encoded in byte
1, bits 1..2. However, the guard for for case BYTCHK=11b doesn't
work, and we get case 01b instead. Fix it.
Note that since emulated scsi-hd fails the command outright, it takes
SCSI passthrough of a device that actually implements VERIFY with
BYTCHK=11b to make the bug bite.
Screwed up in commit d12ad44. Spotted by Coverity.
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7ef8cf9a08)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
In some cases, an unplug can cause events to be dropped, which
leads to an assertion failure when preparing to notify the guest
kernel.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 49fb65c7f9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
There is still a small window that occurs when a cancel I/O affects
an asynchronous I/O operation that hasn't started. In other words,
when the residual data length equals the expected data length.
Today, the routine virtio_scsi_command_complete fails because the
VirtIOSCSIReq pointer (from the hba_private field in SCSIRequest)
was cleared earlier when virtio_scsi_complete_req was called by
the virtio_scsi_request_cancelled routine. As a result, the
virtio_scsi_command_complete routine needs to simply return when
it is processing a SCSIRequest block that was marked canceled.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e9c0f0f58a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Some emulated disk operations (MODE SELECT, UNMAP, WRITE SAME)
can trigger asynchronous I/Os. Provide the cancel_io callback
to ensure that AIOCBs are properly cleaned up.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
[Tweak commit message. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 33325a53f1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
SeaBIOS waits for LUN0 to respond to the TEST UNIT READY command
in order to decide whether it should part of the boot sequence.
If LUN0 does not respond to the command, boot is delayed by up
to 5 seconds. This currently happens when there is no LUN0 on
a target. Fix that by adding a trivial implementation of the
command.
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1cb27d9233)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
VERIFY emulation was completely botched (and remained botched through
all the refactorings). The command must be emulated both in check-medium
mode (BYTCHK=00, which we implement by doing nothing) and in check-bytes
mode (which we do not implement yet). Unlike WRITE AND VERIFY (which we
treat simply as WRITE with FUA bit set), VERIFY cannot be handled like
READ. In fact the device is _receiving_ data for VERIFY, not _sending_
it like READ.
Cc: qemu-stable@nongnu.org
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d97e773081)
Conflicts:
hw/scsi/scsi-disk.c
*fixed up WRITE_SAME_* conflicts due to 84f94a9a not being in 1.7.0
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The amount of bytes to transfer depends on the BYTCHK field.
If any data is transferred, it is sent to the device.
Cc: qemu-stable@nongnu.org
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d12ad44cc4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e3c9d76acc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
In order to get devices appear in output of
"./qemu-system-ppc64 -device ?",
they must be assigned to one of DEVICE_CATEGORY_XXXX.
This puts VIO devices classes to corresponding categories.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>
The qdev_free() function name is misleading since all the function does
is unlink the device from its parent. The device is not necessarily
freed.
The device will be freed when its QObject refcount reaches zero. It is
usual for the parent (bus) to hold the final reference but there are
cases where something else holds a reference so "free" is a misleading
name.
Call object_unparent(obj) directly instead of having a qdev wrapper
function.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
This includes some pretty big changes:
- pci master abort support by Marcel
- pci IRQ API rework by Marcel
- acpi generation support by myself
Everything has gone through several revisions, latest versions have been on
list for a while without any more comments, tested by several
people.
Please pull for 1.7.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAABAgAGBQJSXNO8AAoJECgfDbjSjVRp7VAH/0B73mCOiyVACGx7fazK3SGK
X8TxZWVtG5A77ISqKyrtjLAhK9DCQjEzQTbMNhXHM3Ar6crwo7nJZnQvH2Gh1X2p
34BOQSVc4rtXz5pwDIr48dBLrxeslwXub79chUs+IK1/4RSn3h3nuS3k6JVkmLJN
rcHMj4ljJmi4Hd9vOpmS1jo/a61usi36hhU7CMgcrsXzStZycBBzCozOB3VW8p1X
/iwyf91YjmNPkn9gA3/aViGjszu8jE91dkA0C+ljwvcGbs2yEl3LCWEJfsMvoh5P
2M+k0XXbHwq/P9PFMa/2/lWOo4EO4Oxa+G/6QvovJrteYnktr+E9DqjU8pCT7yI=
=CVfs
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'mst/tags/for_anthony' into staging
pci, pc, acpi fixes, enhancements
This includes some pretty big changes:
- pci master abort support by Marcel
- pci IRQ API rework by Marcel
- acpi generation support by myself
Everything has gone through several revisions, latest versions have been on
list for a while without any more comments, tested by several
people.
Please pull for 1.7.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Tue 15 Oct 2013 07:33:48 AM CEST using RSA key ID D28D5469
# gpg: Can't check signature: public key not found
* mst/tags/for_anthony: (39 commits)
ssdt-proc: update generated file
ssdt: fix PBLK length
i386: ACPI table generation code from seabios
pc: use new api to add builtin tables
acpi: add interface to access user-installed tables
hpet: add API to find it
pvpanic: add API to access io port
ich9: APIs for pc guest info
piix: APIs for pc guest info
acpi/piix: add macros for acpi property names
i386: define pc guest info
loader: allow adding ROMs in done callbacks
i386: add bios linker/loader
loader: use file path size from fw_cfg.h
acpi: ssdt pcihp: updat generated file
acpi: pre-compiled ASL files
acpi: add rules to compile ASL source
i386: add ACPI table files from seabios
q35: expose mmcfg size as a property
q35: use macro for MCFG property name
...
Message-id: 1381818560-18367-1-git-send-email-mst@redhat.com
Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
pci_set_irq and the other pci irq wrappers use
PCI_INTERRUPT_PIN config register to compute device
INTx pin to assert/deassert.
An irq is allocated using pci_allocate_irq wrapper
only if is needed by non pci devices.
Removed irq related fields from state if not used anymore.
Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He <asias@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Currently, treat it exactly as a 53C895A.
53C895A is a 53C810 with more capabilities, so this should work.
However, this lets us test different code paths on Linux, which
don't use lastest features if it detect a 810, or on some OSes
which only support 810 and not 895A (like very old Windows NT
versions).
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
LSI emulation has been tested with Linux on PPC platform.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
53C895A datasheet says that this register is read/write, and that the value
returned on read access is dependant of DMA FIFO state. However, nothing is
said for written value.
53C810A datasheet gives more insight about this register:
"This was a general purpose read/write register in previous SYM53C8XX
family chips. Although it is still a read/write register, Symbios reserves
the right to use these bits for future 53C8XX family enhancements."
This prevents going to the default case, which prints an error message.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This prevents some (invalid) error messages on console.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The existing driver just dropped unsupported requests. This adds error
responses to those unhandled requests.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This implements capabilities exchange between vscsi host and client. As
at the moment no capability is supported, put zero flags everywhere and
return.
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Nikunj A. Dadhania <nikunj@linux.vnet.ibm.com>
Use deposit32() rather than handcoded shifts/masks to update the
scratch registers. This is cleaner and incidentally avoids a clang
sanitizer complaint ("runtime error: left shift of 255 by 24 places
cannot be represented in type 'int'").
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Use sextract32() for doing sign-extension rather than rolling
our own implementation.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
scsi_bus_legacy_add_drive() creates either a scsi-disk or a
scsi-generic device. It sets property "serial" to argument serial
unless null. Crashes with scsi-generic, because it doesn't have such
the property.
Only usb_msd_initfn_storage() passes non-null serial. Reproducer:
$ qemu-system-x86_64 -nodefaults -display none -S -usb \
-drive if=none,file=/dev/sg1,id=usb-drv0 \
-device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123
qemu-system-x86_64: -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123: Property '.serial' not found
Aborted (core dumped)
Fix by handling exactly like "removable": set the property only when
it exists.
Cc: qemu-stable@nongnu.org
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
It's the abstract base of virtio-scsi-device and vhost-scsi.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
At the moment the guest kernel issues two types of task management
requests to the hypervisor - task about and lun reset. This adds
handling for these tasks. As spapr-vscsi starts calling scsi_req_cancel(),
free_request callback was implemented.
As virtio-vscsi, spapr-vscsi does not handle CLEAR_ACA either as CDB
control byte does not seem to be used at all so NACA bit is not
set to the guest so the guest has no good reason to call CLEAR_ACA task.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
[Fix choice of UCSOLCNT vs. SCSOLCNT. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
To be passed to object_initialize().
Since commit 39355c3826 the argument is
void*, so drop some superfluous (BusState *) casts or direct parent
field usages.
Signed-off-by: Andreas Färber <afaerber@suse.de>
To be passed to qbus_create_inplace().
Use DEVICE() casts instead of direct parent field access.
Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
'dprintf' is the name of a POSIX standard function so we should not be
stealing it for our debug macro. Rename to 'DPRINTF' (in line with
a number of other source files.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Acked-by: Richard Henderson <rth@twiddle.net>
Acked-by: Kevin Wolf <kwolf@redhat.com>
Message-id: 1375100199-13934-5-git-send-email-peter.maydell@linaro.org
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
The category will be used to sort the devices displayed in
the command line help.
Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
The driver calculates SOLNT bit from UCSOLNT and SCSOLNT bits from
the request. The iu pointer has a type of srp_iu* which points to a union,
so cmd and rsp overlap. As the vscsi_send_rsp function calls
memset(iu, 0, sizeof(rsp)), it clears first 36 bytes of both cmd and rsp
so cmd.sol_not is always zero at the moment of calculating rsp.sol_not.
This fixes the bug.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-id: 1375073319-17488-1-git-send-email-aik@ozlabs.ru
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This patch adds the necessary support for saving the state of the PAPR VIO
virtual SCSI device. This also saves and restores active SCSI requests.
[aik: implemented vscsi_req save/restore]
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-id: 1374175984-8930-8-git-send-email-aliguori@us.ibm.com
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
The patch reimplements handling of indirect requests in order to
simplify upcoming live migration support.
- all pointers (except SCSIRequest*) were replaces with integer
indexes and offsets;
- DMA'ed srp_direct_buf kept untouched (ie. BE format);
- vscsi_fetch_desc() is added, now it is the only place where
descriptors are fetched and byteswapped;
- vscsi_req struct fields converted to migration-friendly types;
- many dprintf()'s fixed.
This also removed an unused field 'lun' from the spapr_vscsi device
which is assigned, but never used. So, remove it.
[David Gibson: removed unused 'lun']
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-id: 1374175984-8930-7-git-send-email-aliguori@us.ibm.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Let scsi_bus_legacy_add_drive() and scsi_bus_legacy_handle_cmdline()
return an Error**. Prepare qdev initfns for QOM realize error model.
Signed-off-by: Andreas Färber <afaerber@suse.de>
Only apply legacy command line handling when the device has not been
hot-plugged. Propagate failure of legacy command line handling.
Cc: qemu-stable@nongnu.org
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Introduce type constant and avoid DO_UPCAST().
Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
[AF: Renamed parent field]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Replace direct uses of PCIESPState::dev with QOM casts and rename it to
parent_obj.
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Define and use standard QOM cast macro. Remove usages of DO_UPCAST()
and direct -> style upcasting.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Replace direct uses of MegasasState::dev with QOM casts and rename it to
parent_obj.
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Define and use standard QOM cast macro. Remove usages of DO_UPCAST()
and direct -> style upcasting.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Replace direct uses of LSIState::dev with QOM casts and rename it to
parent_obj.
Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Define and use standard QOM cast macro. Remove usages of DO_UPCAST()
and direct -> style upcasting.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
The name field in a VMStateDescription is part of the migration state
versioning, so changing it will break migration. It's therefore a
bad idea to use a QOM typename macro to initialize it, because in
general we're free to rename QOM types as part of code refactoring
and cleanup. For the handful of devices that were doing this by
mistake, replace the QOM typenames with the corresponding literal
strings.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
[AF: Use TYPE_PVSCSI for TypeInfo instead]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Ulrich Obergfell