Commit 'virtio: validate config_len on load' restricted config_len
loaded from the wire to match the config_len that the device had.
Unfortunately, there are cases where this isn't true, the one
we found it on was the wce addition in virtio-blk.
Allow mismatched config-lengths:
*) If the version on the wire is shorter then fine
*) If the version on the wire is longer, load what we have space
for and skip the rest.
(This is mst@redhat.com's rework of what I originally posted)
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 2f5732e964)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
In function do_pci_register_device() in file hw/pci/pci.c, move the assignment
of pci_dev->devfn to the position before the call to
pci_device_iommu_address_space(pci_dev) which will use the value of
pci_dev->devfn.
Fixes: 9eda7d373e
pci: Introduce helper to retrieve a PCI device's DMA address space
Cc: qemu-stable@nongnu.org
Signed-off-by: Le Tan <tamlokveer@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit efc8188e93)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Replace qemu_allocate_irqs(foo, bar, 1)[0]
with qemu_allocate_irq(foo, bar, 0).
This avoids leaking the dereferenced qemu_irq *.
Cc: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[PC Changes:
* Applied change to instance in sh4/sh7750.c
]
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Kirill Batuzov <batuzovk@ispras.ru>
[AF: Fix IRQ index in sh4/sh7750.c]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit f3c7d0389f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
It does a g_free() on the pointer, so don't pass a local &foo reference.
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 127a4e1a51)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The device configuration is set at realize time and never changes. It
should not be migrated as it is done today. For the sake of compatibility,
let's just skip them at load time.
Signed-off-by: Alexander Graf <agraf@suse.de>
[ added missing casts to uint16_t *,
added From, SoB and commit message,
Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit e38e943a1f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
TCP connectivity fails when the guest has a different endianness.
The packets are silently dropped on the host by the tap backend
when they are read from user space because the endianness of the
virtio-net header is in the wrong order. These lines may appear
in the guest console:
[ 454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
[ 455.702554] skbuff: bad partial csum: csum=8704/4096 len=74
The issue that got first spotted with a ppc64le PowerKVM guest,
but it also exists for the less common case of a x86_64 guest run
by a big-endian ppc64 TCG hypervisor.
Signed-off-by: Cédric Le Goater <clg@fr.ibm.com>
[ Ported from PowerKVM,
Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 032a74a1c0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.
Signed-off-by: Hani Benhabiles <hani@linux.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c340a284f3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
vhost_verify_ring_mappings leaks mappings on error.
Fix this up.
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8617343faa)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This patch fixes a bug in scsi_block_new_request() that was introduced
by commit 137745c5c6. If the host cache
is used - i.e. if BDRV_O_NOCACHE is _not_ set - the 'break' statement
needs to be executed to 'fall back' to SG_IO.
Cc: qemu-stable@nongnu.org
Signed-off-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2fe5a9f73b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
We should not try to store the emw portion of the irb if extended
measurements are not applicable. In particular, we should not surprise
the guest by storing a larger irb if it did not enable extended
measurements.
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit f068d320de)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 91e7fcca47)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.
Not a big problem in practice as people don't use
such big queues, but it's inelegant.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9372514080)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
KVM only supports MSIX table size up to 256 vectors,
but some assigned devices support more vectors,
at the moment attempts to assign them fail with EINVAL.
Tweak the MSIX capability exposed to guest to limit table size
to a supported value.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Cc: qemu-stable@nongnu.org
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 639973a474)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Current guest kernels try allocating as many vectors as the quota is.
For example, in the case of virtio-net (which has just 3 vectors)
the guest requests 4 vectors (that is the quota in the test) and
the existing ibm,change-msi handler returns 4. But before it returns,
it calls msix_set_message() in a loop and corrupts memory behind
the end of msix_table.
This limits the number of vectors returned by ibm,change-msi to
the maximum supported by the actual device.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: qemu-stable@nongnu.org
[agraf: squash in bugfix from aik]
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit b26696b519)
*s/error_report/fprintf/ to reflect v1.7.x error reporting style
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Incoming migration with stellaris_enet is unsafe.
It's being reworked, but for now, simply block it
since noone is using it anyway.
Block outgoing migration for good measure.
CVE-2013-4532
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f913)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
As the macro verifies the value is positive, rename it
to make the function clearer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3476436a44)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce98142)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 52f91c3723)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5193be3be3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.
To fix validate after load.
Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.
For completeness, validate mode as well.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ead7a57df3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4537
s->arglen is taken from wire and used as idx
in ssi_sd_transfer().
Validate it before access.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a9c380db3b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit caa881abe0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a3713)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 73d963c0a7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d8d0a0bc7e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3f1c49e213)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ae2158ad6c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit cc45995294)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
if (n->max_queues > 1) {
if (n->max_queues != qemu_get_be16(f)) {
error_report("virtio-net: different max_queues ");
return -1;
}
n->curr_queues = qemu_get_be16(f);
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
}
Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit eea750a562)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4544
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-5-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit f12d048a52)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4544
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-4-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 3c99afc779)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4544
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-3-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 9878d173f5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
CVE-2013-4544
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-2-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 8c6c047899)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled. If no tables follow hpet, this could lead to a malformed
rsdt.
Fix it up.
To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.
Reported-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 9ac1c4c07e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Newer firmware implement a LD_LIST_QUERY command, and due to a driver
issue no drives might be detected if this command isn't supported.
So add emulation for this command, too.
Cc: qemu-stable@nongnu.org
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 34bb4d02e0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The SMART self test counter was incorrectly being reset to zero,
not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
* We would write off the beginning of a dynamically allocated buffer
* We forgot the SMART history
Fix this.
Signed-off-by: Benoit Canet <benoit@irqsave.net>
Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Kevin Wolf <kwolf@redhat.com>
[PMM: tweaked commit message as per suggestions from Markus]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 940973ae0b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The PADEN bit in the transmit control register enables padding of short
data packets out to the required minimum length. However a typo here
meant we were adjusting tx_fifo_len rather than tx_frame_len, so the
padding didn't actually happen. Fix this bug.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 7fd5f064d1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.
Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 5c10495ab1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.
This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).
Signed-off-by: Stefan Fritsch <sf@sfritsch.de>
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 0b1eaa8803)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Current buffer size fails the assersion check in like
hw/scsi/scsi-bus.c:1655: assert(req->sense_len <= sizeof(req->sense));
when backend (block/iscsi.c) returns more data then 96.
Exercise the core dump path by booting an Gentoo ISO with scsi-generic
device backed with iscsi (built with libiscsi 1.7.0):
x86_64-softmmu/qemu-system-x86_64 \
-drive file=iscsi://localhost:3260/iqn.foobar/0,if=none,id=drive-disk \
-device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 \
-device scsi-generic,drive=drive-disk,bus=scsi1.0,id=iscsi-disk \
-boot d \
-cdrom gentoo.iso
qemu-system-x86_64: hw/scsi/scsi-bus.c:1655: scsi_req_complete:
Assertion `req->sense_len <= sizeof(req->sense)' failed.
According to SPC-4, section 4.5.2.1, 252 is the limit of sense data. So
increase the value to fix it.
Also remove duplicated define for the macro.
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c5f52875b9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The handler for diag 500 did not check whether the requested function
was in the supported range, so illegal values could crash QEMU in the
worst case.
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
CC: qemu-stable@nongnu.org
(cherry picked from commit f2c55d1735)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The transfer length depends on field BYTCHK, which is encoded in byte
1, bits 1..2. However, the guard for for case BYTCHK=11b doesn't
work, and we get case 01b instead. Fix it.
Note that since emulated scsi-hd fails the command outright, it takes
SCSI passthrough of a device that actually implements VERIFY with
BYTCHK=11b to make the bug bite.
Screwed up in commit d12ad44. Spotted by Coverity.
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7ef8cf9a08)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The GIC_SET_LEVEL macro unfortunately overwrote the entire level
bitmask instead of just or'ing on the necessary bits, causing active
level PPIs on a core to clear PPIs on other cores.
Cc: qemu-stable@nongnu.org
Reported-by: Rob Herring <rob.herring@linaro.org>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Message-id: 1393031030-8692-1-git-send-email-christoffer.dall@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 6453fa998a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The ethernet device in the musicpal only has two tx queues,
but we modelled it with four CTDP registers, presumably a
cut and paste from the rx queue registers. Since the tx_queue[]
array is only 2 entries long this allowed a guest to overrun
this buffer. Remove the nonexistent registers.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1392737293-10073-1-git-send-email-peter.maydell@linaro.org
Acked-by: Jan Kiszka <jan.kiszka@web.de>
Cc: qemu-stable@nongnu.org
(cherry picked from commit cf143ad350)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The Exynos4210 combiner has IIC_NIRQ inputs and IIC_NGRP outputs;
use the correct constant in the loop initializing our output
sysbus IRQs so that we don't overrun the output_irq[] array.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1392659611-8439-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Andreas Färber <afaerber@suse.de>
Cc: qemu-stable@nongnu.org
(cherry picked from commit fce0a82608)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The integrator's timer read/write functions log an error for
bad addresses in guest accesses, but were falling through and
using an out of bounds array index rather than returning early.
Fix this.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1392647854-8067-4-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
(cherry picked from commit cba933b225)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fix incorrect use of sizeof() rather than ARRAY_SIZE() to guard
accesses into the mb_clock[] array, which was allowing a malicious
guest to overwrite the end of the array.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1392647854-8067-2-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
(cherry picked from commit ec1efab957)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commit 2b21fb5 (adlib: sort offsets in portio registration, 2013-08-14)
fixed the offsets in adlib_portio_list, but forgot the matching indices
in adlib_realizefn.
Reported at http://virtuallyfun.superglobalmegacorp.com/?p=3616 by
"neozeed".
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 7f0ba7bb43)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Instead of packing BiosLinkerLoaderEntry, an unused global variable called
QEMU_PACKED was created (detected by smatch static code analysis).
Including qemu-common.h gets the right definition and also includes some
standard include files which now can be removed here.
Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit c428c5a21c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
In some cases, an unplug can cause events to be dropped, which
leads to an assertion failure when preparing to notify the guest
kernel.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 49fb65c7f9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
There is still a small window that occurs when a cancel I/O affects
an asynchronous I/O operation that hasn't started. In other words,
when the residual data length equals the expected data length.
Today, the routine virtio_scsi_command_complete fails because the
VirtIOSCSIReq pointer (from the hba_private field in SCSIRequest)
was cleared earlier when virtio_scsi_complete_req was called by
the virtio_scsi_request_cancelled routine. As a result, the
virtio_scsi_command_complete routine needs to simply return when
it is processing a SCSIRequest block that was marked canceled.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e9c0f0f58a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Some emulated disk operations (MODE SELECT, UNMAP, WRITE SAME)
can trigger asynchronous I/Os. Provide the cancel_io callback
to ensure that AIOCBs are properly cleaned up.
Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
[Tweak commit message. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 33325a53f1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
SeaBIOS waits for LUN0 to respond to the TEST UNIT READY command
in order to decide whether it should part of the boot sequence.
If LUN0 does not respond to the command, boot is delayed by up
to 5 seconds. This currently happens when there is no LUN0 on
a target. Fix that by adding a trivial implementation of the
command.
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1cb27d9233)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
We were relying on msix_unset_vector_notifiers() to release all the
vectors when we disable MSI-X, but this only happens when MSI-X is
still enabled on the device. Perform further cleanup by releasing
any remaining vectors listed as in-use after this call. This caused
a leak of IRQ routes on hotplug depending on how the guest OS prepared
the device for removal.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 3e40ba0faf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
cgcc reported a duplicate initialisation. Mainstone includes a matrix
keyboard where two different positions map to 'space'.
QEMU uses the reversed mapping and does not map 'space' to two different
matrix positions.
Some other keys are either missing or might be mapped wrongly (cf. Linux
kernel code). Don't fix these until someone can test them with real
hardware, but add TODO comments.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 7dbc1158bc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
make hpet_find inline so we don't need
to build hpet.c to check if hpet is enabled.
Fixes link error with CONFIG_HPET off.
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 142e0950cf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Make the 32bit pci hole start at end of ram, so all possible address
space is covered.
We used to try and make addresses aligned so they are easier to cover
with MTRRs, but since they are cosmetic on KVM, this is probably not
worth worrying about.
Of course the firmware can use less than that. Leaving space unused is
no problem, mapping pci bars outside the hole causes problems though.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ddaaefb4dd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
With a help of negative memory region priority PCI address space
is mapped underneath RAM regions effectively catching every access
to addresses not mapped by any other region.
It simplifies PCI address space mapping into system address space.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
(cherry picked from commit 83d08f2673)
*prereq for ddaaefb backport
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fix position buffer updates to use the correct stream offset.
Without this patch both IN (record) and OUT (playback) streams
will update the IN buffer positions. The linux kernel notices
and complains:
hda-intel: Invalid position buffer, using LPIB read method instead.
The bug may also lead to glitches when recording and playing
at the same time:
https://bugzilla.redhat.com/show_bug.cgi?id=947785
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d58ce68a45)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
VERIFY emulation was completely botched (and remained botched through
all the refactorings). The command must be emulated both in check-medium
mode (BYTCHK=00, which we implement by doing nothing) and in check-bytes
mode (which we do not implement yet). Unlike WRITE AND VERIFY (which we
treat simply as WRITE with FUA bit set), VERIFY cannot be handled like
READ. In fact the device is _receiving_ data for VERIFY, not _sending_
it like READ.
Cc: qemu-stable@nongnu.org
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d97e773081)
Conflicts:
hw/scsi/scsi-disk.c
*fixed up WRITE_SAME_* conflicts due to 84f94a9a not being in 1.7.0
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The amount of bytes to transfer depends on the BYTCHK field.
If any data is transferred, it is sent to the device.
Cc: qemu-stable@nongnu.org
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d12ad44cc4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This fixes a crash in hot-unplug of virtio-pci devices behind a PCIe
switch. The crash happens because the ioeventfd is still set whent the
child is destroyed (destruction happens in postorder). Then the proxy
tries to unset to ioeventfd, but the virtqueue structure that holds the
EventNotifier has been trashed in the meanwhile. kvm_set_ioeventfd_pio
does not expect failure and aborts.
The fix is simply to move parts of uninitialization to a new
device_unplugged callback, which is called before the child is destroyed.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 06a1307379)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7bb6edb0e3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit baa61b9870)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e3c9d76acc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3786cff5eb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0e86c13fe2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 40dfc16f5f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Right now we have these pairs:
- virtio_bus_plug_device/virtio_bus_destroy_device. The first
takes a VirtIODevice, the second takes a VirtioBusState
- device_plugged/device_unplug callbacks in the VirtioBusClass
(here it's just the naming that is inconsistent)
- virtio_bus_destroy_device is not called by anyone (and since
it calls qdev_free, it would be called by the proxies---but
then the callback is useless since the proxies can do whatever
they want before calling virtio_bus_destroy_device)
And there is a k->init but no k->exit, hence virtio_device_exit is
overwritten by subclasses (except virtio-9p). This cleans it up by:
- renaming the device_unplug callback to device_unplugged
- renaming virtio_bus_plug_device to virtio_bus_device_plugged,
matching the callback name
- renaming virtio_bus_destroy_device to virtio_bus_device_unplugged,
removing the qdev_free, making it take a VirtIODevice and calling it
from virtio_device_exit
- adding a k->exit callback
virtio_device_exit is still overwritten, the next patches will fix that.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5e96f5d2f8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The vdev field is complicated to synchronize. Just access the
BusState's list of children.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a3fc66d9fd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The vdev field is complicated to synchronize. Just access the
BusState's list of children.
Cc: qemu-stable@nongnu.org
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f24a684073)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The vdev field is complicated to synchronize. Just access the
BusState's list of children.
Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 06d3dff072)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Similar to the PCI bug that prompted these patches, virtio-ccw will
segfault after the reworking of hotplug/hot-unplug. Prepare for
this by moving virtio_ccw_stop_ioeventfd to before the freeing
of the proxy device.
A better place for this could be the device_unplugged callback
for the virtio-ccw bus. However, we do not yet have a callback
that works: this patch avoids the problem while leaving the tree
bisectable.
Cc: qemu-stable@nongnu.org
Reported-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Suggested-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0b81c1ef5c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
The default granularity for the FIT timer on 440 is on every 0x1000th
transition of TB from 0 to 1. Translated that means 48828 times a second.
Since interrupts are quite expensive for 440 and we don't really care
about the accuracy of the FIT to that significance, let's force FIT and
WDT to at best millisecond granularity.
This basically restores behavior as it was in QEMU 1.6, where timers
could only deal with millisecond granularities at all.
This patch greatly improves performance with the 440 target and restores
roughly the same performance level that QEMU 1.6 had for me.
Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1385416015-22775-3-git-send-email-agraf@suse.de
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
Today we fire FIT and WDT timer events every time the respective bit
position in TB flips from 0 -> 1.
However, there is no need to do this if the end result would be that
we're changing a TSR bit that is set to 1 to 1 again. No guest visible
change would have occured.
So whenever we see that the TSR bit to our timer is already set, don't
even bother to update the timer that would potentially fire it off.
However, we do need to make sure that we update our timer that notifies
us of the TB flip when the respective TSR bit gets unset. In that case
we do care about the flip and need to notify the guest again. So add
a callback into our timer handlers when TSR bits get unset.
This improves performance for me when the guest is busy processing things.
Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1385416015-22775-2-git-send-email-agraf@suse.de
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
glib < 2.22 does not have g_array_get_element_size,
limit it's use (to check all elements are 1 byte
in size) to newer glib.
This fixes build on RHEL 5.3.
Reported-by: Richard Henderson <rth@redhat.com>
Reported-by: Erik Rull <erik.rull@rdsoftware.de>
Tested-by: Richard Henderson <rth@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20131125220039.GA16386@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
This has a fix for a crasher bug with pci bridges,
boot failure fix for s390 on 32 bit hosts,
and fixes build for hosts with old glib.
There's also a fix for --iasl configure flag - it can be used
to work around broken iasl on some systems either
by using a non-standard iasl or by disabling it.
I've also reverted a e1000/rtl mac programming change
that seems slightly wrong and too risky for 1.8.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAABAgAGBQJSkzcXAAoJECgfDbjSjVRprVkIAJI0t8gfgichVVthsXPjCEI+
WlibVjN+BDt0S/y8sb5H43JAJS9JN6myi9rSNc2t2bdEynVJEDpGL9BZG/9RMjZ3
ekhyQsDVu8jzAseiFicBTtHt31RSjSyGsTAFks28FaB2p3DxYT6DY2enJ4CrtLR0
CCqMmvBWJY/hLjdiuYyuAKNrTSKkmdlddUWJyI5lWXJQbP6dx3cjF6OrUnCngBFG
TJ6Oh9lWC2IWf86P+73JtwpkTkm41shyMBz4MTAY0AvriKBzn27qTrP9BwL5rfaM
Tsaoc9Y81+4bd5EiDo3NpA2pAyCF9H+oeR1Zblce6p60wOKKfGvwT65KOH7fc1M=
=bdsX
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'mst/tags/for_anthony' into staging
pc very last minute fixes for 1.7
This has a fix for a crasher bug with pci bridges,
boot failure fix for s390 on 32 bit hosts,
and fixes build for hosts with old glib.
There's also a fix for --iasl configure flag - it can be used
to work around broken iasl on some systems either
by using a non-standard iasl or by disabling it.
I've also reverted a e1000/rtl mac programming change
that seems slightly wrong and too risky for 1.8.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Mon 25 Nov 2013 03:40:07 AM PST using RSA key ID D28D5469
# gpg: Can't check signature: public key not found
# By Michael S. Tsirkin (5) and Bandan Das (1)
# Via Michael S. Tsirkin
* mst/tags/for_anthony:
configure: make --iasl option actually work
Revert "e1000/rtl8139: update HMP NIC when every bit is written"
acpi-build: fix build on glib < 2.14
acpi-build: fix build on glib < 2.22
pci: unregister vmstate_pcibus on unplug
s390x: fix flat file load on 32 bit systems
Message-id: 1385379990-32093-1-git-send-email-mst@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
were getting forgotten or that did not have a clear maintainer responsible
for making a pull request.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJSjjebAAoJEBvWZb6bTYbySaYP/RgDcAK/+VTEwM9kLa3OlWA+
kp0RNu+8fV9I5ocWDOlh19svZ/KS81D2o3TA4Fv3PBe3d4Mcjqcw1qxk+2Vh+Plt
omN5ysM0jnTxsAgvszS/WaHGzS1Xpge9zazpynCoDYYPTC3JVoD96zYTut62frnk
4i3t5wZwW64Al7f8l4UkWMnneEJW66pHDDI7QgHXhb3YkGX6RYGqTA6hFp+AKV75
IppGVpO46LbzQnGENa7myhnoQrOu1jDlHjhogIuLRwCLZqdqMI+JiPuMACrFb+34
QfcF8lHj9T+RmZj9X1Boq7ZfdveNBmXasDaV+L97uUVBcHHr8t6hniHVXDa07QFL
pGhLz58W/S0PD8UJ5MfKLHqMROiZ7OUCF6uu77sKG4Xnli842lnxJHqy0NYiJ7OL
JA/bYOMb2p+xFLmDJylRdkyDowAk/WZiMRI6QG8oE+nm3Bl4ERH4zlYhAz7nH2KA
K3wsZzV4hZ7IUYrq2H2zDXUCMLUJgA1T+pLSusLeQxGuTcfRLxacFzZSjzlFhlBr
5/qJvzce5AMz/jTbv0ygq2jacKP8aq/dOgUOjaenzinC/G7aaW2m7dEyt+eMYUjj
EiqM1rX2w0ATS1iR2nQdxMNvFBBqLe8VPEuajg3wal+f7Js0ZegsBjrTKUULsPwq
kIuZaZviKLGYnK1zrnYR
=c4Hz
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'bonzini/tags/for-anthony' into staging
Here are a bunch of 1.7-tagged patches that I was afraid
were getting forgotten or that did not have a clear maintainer responsible
for making a pull request.
# gpg: Signature made Thu 21 Nov 2013 08:40:59 AM PST using RSA key ID 9B4D86F2
# gpg: Can't check signature: public key not found
# By Peter Maydell (3) and others
# Via Paolo Bonzini
* bonzini/tags/for-anthony:
qga: Fix compiler warnings (missing format attribute, wrong format strings)
mips jazz: do not raise data bus exception when accessing invalid addresses
target-i386: yield to another VCPU on PAUSE
rng-egd: offset the point when repeatedly read from the buffer
rng-egd: remove redundant free
target-i386: Fix build by providing stub kvm_arch_get_supported_cpuid()
vfio-pci: Fix multifunction=on
atomic.h: Fix build with clang
pc: get rid of builtin pvpanic for "-M pc-1.5"
configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0
sun4m: Add FCode ROM for TCX framebuffer
Message-id: 1385052578-32352-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
It is currently possible to specify things like:
-device e1000,netdev=foo,vlan=1
With this usage, whichever argument was specified last (vlan or netdev)
overwrites what was previousely set and results in a non-working
configuration. Even worse, when used with multiqueue devices,
it causes a segmentation fault on exit in qemu_free_net_client.
That patch treates the above command line options as invalid and
generates an error at start-up.
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
MIPS Jazz chipset doesn't seem to raise data bus exceptions on invalid accesses.
However, there is no easy way to prevent them. Creating a big memory region
for the whole address space doesn't prevent memory core to directly call
unassigned_mem_read/write which in turn call cpu->do_unassigned_access,
which (for MIPS CPU) raise an data bus exception.
This fixes a MIPS Jazz regression introduced in c658b94f6e.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
When an assigned device is initialized it copies the device config
space into the emulated config space. Unfortunately multifunction is
setup prior to the device initfn and gets clobbered. We need to
restore it just like pci-assign does.
Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This causes two slight backwards-incompatibilities between "-M pc-1.5"
and 1.5's "-M pc":
(1) a fw_cfg file is removed with this patch. This is only a problem
if migration stops the virtual machine exactly during fw_cfg enumeration.
(2) after migration, a VM created without an explicit "-device pvpanic"
will stop reporting panics to management.
The first problem only occurs if migration is done at a very, very
early point (and I'm not sure it can happen in practice for reasonable-size
VMs, since it will likely take more time to send the RAM to destination,
than it will take for BIOS to scan fw_cfg).
The second problem only occurs if the guest panics _and_ has a guest
driver _and_ management knows to look at the crash event, so it is
mostly theoretical at this point in time.
Thus keep the code simple, and pretend it was never broken.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Upstream OpenBIOS now implements SBus probing in order to determine the
contents of a physical bus slot, which is required to allow OpenBIOS to
identify the framebuffer without help from the fw_cfg interface.
SBus probing works by detecting the presence of an FCode program
(effectively tokenised Forth) at the base address of each slot, and if
present executes it so that it creates its own device node in the
OpenBIOS device tree.
The FCode ROM is generated as part of the OpenBIOS build and should
generally be updated at the same time.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Blue Swirl <blauwirbel@gmail.com>
CC: Bob Breuer <breuerr@mc.net>
CC: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
When an assigned device is initialized it copies the device config
space into the emulated config space. Unfortunately multifunction is
setup prior to the device initfn and gets clobbered. We need to
restore it just like pci-assign does.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Bandan Das <bsd@redhat.com>
Message-id: 20131112185059.7262.33780.stgit@bling.home
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
MIPS Jazz chipset doesn't seem to raise data bus exceptions on invalid accesses.
However, there is no easy way to prevent them. Creating a big memory region
for the whole address space doesn't prevent memory core to directly call
unassigned_mem_read/write which in turn call cpu->do_unassigned_access,
which (for MIPS CPU) raise an data bus exception.
This fixes a MIPS Jazz regression introduced in c658b94f6e.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Message-id: 1383603977-7003-1-git-send-email-hpoussin@reactos.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
If period is assigned to 0, limit timer will expire immediately.
It causes a qemu warning:
"main-loop: WARNING: I/O thread spun for 1000 iterations"
This limit is meaningless. This patch forbids to assign 0 to period.
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Amos Kong <akong@redhat.com>
Message-id: 1385031203-23790-1-git-send-email-akong@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
pc-bios/s390-zipl.rom is a flat image so it's expected that
loading it as elf will fail.
It should fall back on loading a flat file, but doesn't
on 32 bit systems, instead it fails printing:
qemu: hardware error: could not load bootloader 's390-zipl.rom'
The result is boot failure.
The reason is that a 64 bit unsigned interger which is set
to -1 on error is compared to -1UL which on a 32 bit system
with gcc is a 32 bit unsigned interger.
Since both are unsigned, no sign extension takes place and
comparison evaluates to non-equal.
There's no reason to do clever tricks: all functions
we call actually return int so just use int.
And then we can use == -1 everywhere, consistently.
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20131121133426.GA30827@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
g_array_get_element_size was only added in glib 2.14.
Fortunately we don't use it for any arrays where
element size is > 1, so just add an assert.
Reported-by: Richard Henderson <rth@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1385036128-8753-2-git-send-email-mst@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
espes