Paolo Bonzini [Thu, 1 Oct 2015 08:59:50 +0000 (10:59 +0200)]
memory: allow destroying a non-empty MemoryRegion
This is legal; the MemoryRegion will simply unreference all the
existing subregions and possibly bring them down with it as well.
However, it requires a bit of care to avoid an infinite loop.
Finalizing a memory region cannot trigger an address space update,
but memory_region_del_subregion errs on the side of caution and
might trigger a spurious update: avoid that by resetting mr->enabled
first.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
1443689999-12182-2-git-send-email-armbru@redhat.com>
(cherry picked from commit
2e2b8eb70fdb7dfbec39f3a19b20f9a73f2f813e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Thu, 8 Oct 2015 16:11:39 +0000 (18:11 +0200)]
update-linux-headers: Rename SW_MAX to SW_MAX_
The next commit will compile hw/input/virtio-input.c and
hw/input/virtio-input-hid.c even when CONFIG_LINUX is off. These
files include both "include/standard-headers/linux/input.h" and
<windows.h> then. Doesn't work, because both define SW_MAX. We don't
actually use it. Patch input.h to define SW_MAX_ instead.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <
1444320700-26260-2-git-send-email-armbru@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit
ac98fa849e834f48e5a64cf4b22218ba4047e142)
Conflicts:
scripts/update-linux-headers.sh
* remove dependency on
eddb4de3
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Wed, 16 Sep 2015 15:38:44 +0000 (17:38 +0200)]
trace: remove malloc tracing
The malloc vtable is not supported anymore in glib, because it broke
when constructors called g_malloc. Remove tracing of g_malloc,
g_realloc and g_free calls.
Note that, for systemtap users, glib also provides tracepoints
glib.mem_alloc, glib.mem_free, glib.mem_realloc, glib.slice_alloc
and glib.slice_free.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id:
1442417924-25831-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
98cf48f60aa4999f5b2808569a193a401a390e6a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jason Wang [Fri, 25 Sep 2015 05:21:30 +0000 (13:21 +0800)]
virtio-net: correctly drop truncated packets
When packet is truncated during receiving, we drop the packets but
neither discard the descriptor nor add and signal used
descriptor. This will lead several issues:
- sg mappings are leaked
- rx will be stalled if a lots of packets were truncated
In order to be consistent with vhost, fix by discarding the descriptor
in this case.
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
0cf33fb6b49a19de32859e2cdc6021334f448fb3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jason Wang [Fri, 25 Sep 2015 05:21:29 +0000 (13:21 +0800)]
virtio: introduce virtqueue_discard()
This patch introduces virtqueue_discard() to discard a descriptor and
unmap the sgs. This will be used by the patch that will discard
descriptor when packet is truncated.
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
29b9f5efd78ae0f9cc02dd169b6e80d2c404bade)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jason Wang [Fri, 25 Sep 2015 05:21:28 +0000 (13:21 +0800)]
virtio: introduce virtqueue_unmap_sg()
Factor out sg unmapping logic. This will be reused by the patch that
can discard descriptor.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Andrew James <andrew.james@hpe.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
ce317461573bac12b10d67699b4ddf1f97cf066c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Gerd Hoffmann [Fri, 16 Oct 2015 11:33:07 +0000 (13:33 +0200)]
virtio-input: ignore events until the guest driver is ready
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit
d9460a7557672af9c4d9d4f153200d1075ed5a78)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Dr. David Alan Gilbert [Tue, 13 Oct 2015 11:21:27 +0000 (12:21 +0100)]
Migration: Generate the completed event only when we complete
The current migration-completed event is generated a bit too early,
which means that an eager libvirt that's ready to go as soon
as it sees the event ends up racing with the actual end of migration.
This corresponds to RH bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1271145
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
xSigned-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit
ed1f3e0090069dcb9458aa9e450df12bf8eba0b0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Tony Krowiak [Mon, 12 Oct 2015 15:36:21 +0000 (11:36 -0400)]
util/qemu-config: fix missing machine command line options
Commit
0a7cf217 ("util/qemu-config: fix regression of
qmp_query_command_line_options") aimed to restore parsing of global
machine options, but missed two: "aes-key-wrap" and
"dea-key-wrap" (which were present in the initial version of that
patch). Let's add them to the machine_opts again.
Fixes:
0a7cf217 ("util/qemu-config: fix regression of
qmp_query_command_line_options")
CC: Marcel Apfelbaum <marcel@redhat.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-Id: <
1444664181-28023-1-git-send-email-akrowiak@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit
5bcfa0c543b42a560673cafd3b5225900ef617e1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Christian Borntraeger [Wed, 7 Oct 2015 08:29:42 +0000 (10:29 +0200)]
s390x/kvm: Fix vector validity bit in device machine checks
Device hotplugs trigger a crw machine check. All machine checks
have validity bits for certain register types. With vector support
we also have to claim that vector registers are valid.
This is a band-aid suitable for stable. Long term we should
create the full mcic value dynamically depending on the active
features in the kernel interrupt handler.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit
2ab75df38e34fe9bc271b5115ab52114e6e63a89)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Crosthwaite [Fri, 16 Oct 2015 10:14:53 +0000 (11:14 +0100)]
misc: zynq_slcr: Fix MMIO writes
The /4 for offset calculation in MMIO writes was happening twice giving
wrong write offsets. Fix.
While touching the code, change the if-else to be a short returning if
and convert the debug message to a GUEST_ERROR, which is more accurate
for this condition.
Cc: qemu-stable@nongnu.org
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit
c209b0537203c58a051e5d837320335cea23e494)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Thu, 1 Oct 2015 08:59:59 +0000 (10:59 +0200)]
Revert "qdev: Use qdev_get_device_class() for -device <type>,help"
This reverts commit
31bed5509dfcbdfc293154ce81086a4dbd7a80b6.
The reverted commit changed qdev_device_help() to reject abstract
devices and devices that have cannot_instantiate_with_device_add_yet
set, to fix crash bugs like -device x86_64-cpu,help.
Rejecting abstract devices makes sense: they're purely internal, and
the implementation of the help feature can't cope with them.
Rejecting non-pluggable devices makes less sense: even though you
can't use them with -device, the help may still be useful elsewhere,
for instance with -global. This is a regression: -device FOO,help
used to help even for FOO that aren't pluggable.
The previous two commits fixed the crash bug at a lower layer, so
reverting this one is now safe. Fixes the -device FOO,help
regression, except for the broken devices marked
cannot_even_create_with_object_new_yet. For those, the error message
is improved.
Example of a device where the regression is fixed:
$ qemu-system-x86_64 -device PIIX4_PM,help
PIIX4_PM.command_serr_enable=bool (on/off)
PIIX4_PM.multifunction=bool (on/off)
PIIX4_PM.rombar=uint32
PIIX4_PM.romfile=str
PIIX4_PM.addr=int32 (Slot and optional function number, example: 06.0 or 06)
PIIX4_PM.memory-hotplug-support=bool
PIIX4_PM.acpi-pci-hotplug-with-bridge-support=bool
PIIX4_PM.s4_val=uint8
PIIX4_PM.disable_s4=uint8
PIIX4_PM.disable_s3=uint8
PIIX4_PM.smb_io_base=uint32
Example of a device where it isn't fixed:
$ qemu-system-x86_64 -device host-x86_64-cpu,help
Can't list properties of device 'host-x86_64-cpu'
Both failed with "Parameter 'driver' expects pluggable device type"
before.
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <
1443689999-12182-11-git-send-email-armbru@redhat.com>
(cherry picked from commit
33fe96833015cf15f4c0aa5bf8d34f60526e0732)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Thu, 1 Oct 2015 08:59:58 +0000 (10:59 +0200)]
qdev: Protect device-list-properties against broken devices
Several devices don't survive object_unref(object_new(T)): they crash
or hang during cleanup, or they leave dangling pointers behind.
This breaks at least device-list-properties, because
qmp_device_list_properties() needs to create a device to find its
properties. Broken in commit f4eb32b "qmp: show QOM properties in
device-list-properties", v2.1. Example reproducer:
$ qemu-system-aarch64 -nodefaults -display none -machine none -S -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2}, "package": ""}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "pxa2xx-pcmcia" } }
qemu-system-aarch64: /home/armbru/work/qemu/memory.c:1307: memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.
Aborted (core dumped)
[Exit 134 (SIGABRT)]
Unfortunately, I can't fix the problems in these devices right now.
Instead, add DeviceClass member cannot_destroy_with_object_finalize_yet
to mark them:
* Hang during cleanup (didn't debug, so I can't say why):
"realview_pci", "versatile_pci".
* Dangling pointer in cpus: most CPUs, plus "allwinner-a10", "digic",
"fsl,imx25", "fsl,imx31", "xlnx,zynqmp", because they create such
CPUs
* Assert kvm_enabled(): "host-x86_64-cpu", host-i386-cpu",
"host-powerpc64-cpu", "host-embedded-powerpc-cpu",
"host-powerpc-cpu" (the powerpc ones can't currently reach the
assertion, because the CPUs are only registered when KVM is enabled,
but the assertion is arguably in the wrong place all the same)
Make qmp_device_list_properties() fail cleanly when the device is so
marked. This improves device-list-properties from "crashes, hangs or
leaves dangling pointers behind" to "fails". Not a complete fix, just
a better-than-nothing work-around. In the above reproducer,
device-list-properties now fails with "Can't list properties of device
'pxa2xx-pcmcia'".
This also protects -device FOO,help, which uses the same machinery
since commit ef52358 "qdev-monitor: include QOM properties in -device
FOO, help output", v2.2. Example reproducer:
$ qemu-system-aarch64 -machine none -device pxa2xx-pcmcia,help
Before:
qemu-system-aarch64: .../memory.c:1307: memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.
After:
Can't list properties of device 'pxa2xx-pcmcia'
Cc: "Andreas Färber" <afaerber@suse.de>
Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>
Cc: Alexander Graf <agraf@suse.de>
Cc: Anthony Green <green@moxielogic.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Jia Liu <proljc@gmail.com>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: Michael Walle <michael@walle.cc>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: qemu-ppc@nongnu.org
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <
1443689999-12182-10-git-send-email-armbru@redhat.com>
(cherry picked from commit
4c315c27661502a0813b129e41c0bf640c34a8d6)
Conflicts:
hw/arm/fsl-imx25.c
hw/arm/fsl-imx31.c
target-tilegx/cpu.c
tests/device-introspect-test.c
* removed hunks pertaining to devices/tests not in 2.4
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Thu, 1 Oct 2015 08:59:57 +0000 (10:59 +0200)]
qmp: Fix device-list-properties not to crash for abstract device
Broken in commit f4eb32b "qmp: show QOM properties in
device-list-properties", v2.1.
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-Id: <
1443689999-12182-9-git-send-email-armbru@redhat.com>
(cherry picked from commit
edb1523d90415cb79f60f83b4028ef3820d15612)
Conflicts:
tests/device-introspect-test.c
* removed hunk specific to QAPI introspection (not in 2.4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fam Zheng [Wed, 1 Jul 2015 02:26:27 +0000 (10:26 +0800)]
vmxnet3: Drop net_vmxnet3_info.can_receive
Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
semantics around .can_receive for sockets to now require the device to
flush queued pkts when transitioning to a .can_receive=true state. But
it's OK to drop incoming packets when the link is not active.
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
2734a20b8161831ba68c9166014e00522599d1e2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jason Wang [Fri, 11 Sep 2015 08:01:56 +0000 (16:01 +0800)]
virtio-net: unbreak self announcement and guest offloads after migration
After commit
019a3edbb25f1571e876f8af1ce4c55412939e5d ("virtio: make
features 64bit wide"). Device's guest_features was actually set after
vdc->load(). This breaks the assumption that device specific load()
function can check guest_features. For virtio-net, self announcement
and guest offloads won't work after migration.
Fixing this by defer them to virtio_net_load() where guest_features
were guaranteed to be set. Other virtio devices looks fine.
Fixes:
019a3edbb25f1571e876f8af1ce4c55412939e5d
("virtio: make features 64bit wide")
Cc: qemu-stable@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit
1f8828ef573c83365b4a87a776daf8bcef1caa21)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cornelia Huck [Mon, 17 Aug 2015 09:48:29 +0000 (11:48 +0200)]
virtio: avoid leading underscores for helpers
Commit
ef546f1275f6563e8934dd5e338d29d9f9909ca6 ("virtio: add
feature checking helpers") introduced a helper __virtio_has_feature.
We don't want to use reserved identifiers, though, so let's
rename __virtio_has_feature to virtio_has_feature and virtio_has_feature
to virtio_vdev_has_feature.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
95129d6fc9ead97155627a4ca0cfd37282883658)
* prereq for 1f8828e
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Aurelien Jarno [Sun, 13 Sep 2015 21:03:45 +0000 (23:03 +0200)]
target-ppc: fix xscmpodp and xscmpudp decoding
The xscmpodp and xscmpudp instructions only have the AX, BX bits in
there encoding, the lowest bit (usually TX) is marked as an invalid
bit. We therefore can't decode them with GEN_XX2FORM, which decodes
the two lowest bit.
Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
the lowest bit as invalid.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit
8f60f8e2e574f341709128ff7637e685fd640254)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Aurelien Jarno [Sun, 13 Sep 2015 21:03:44 +0000 (23:03 +0200)]
target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor
For vector instructions, the helpers get pointers to the vector register
in arguments. Some operands might point to the same register, including
the operand holding the result.
When emulating instructions which access the vector elements in a
non-linear way, we need to store the result in an temporary variable.
This fixes openssl when emulating a POWER8 CPU.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit
65cf1f65be0fc4883edbd66feeab3ddaceb11c00)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
James Hogan [Mon, 14 Sep 2015 10:34:54 +0000 (11:34 +0100)]
tcg/mips: Fix clobbering of qemu_ld inputs
The MIPS TCG backend implements qemu_ld with 64-bit targets using the v0
register (base) as a temporary to load the upper half of the QEMU TLB
comparator (see line 5 below), however this happens before the input
address is used (line 8 to mask off the low bits for the TLB
comparison, and line 12 to add the host-guest offset). If the input
address (addrl) also happens to have been placed in v0 (as in the second
column below), it gets clobbered before it is used.
addrl in t2 addrl in v0
1 srl a0,t2,0x7 srl a0,v0,0x7
2 andi a0,a0,0x1fe0 andi a0,a0,0x1fe0
3 addu a0,a0,s0 addu a0,a0,s0
4 lw at,9136(a0) lw at,9136(a0) set TCG_TMP0 (at)
5 lw v0,9140(a0) lw v0,9140(a0) set base (v0)
6 li t9,-4093 li t9,-4093
7 lw a0,9160(a0) lw a0,9160(a0) set addend (a0)
8 and t9,t9,t2 and t9,t9,v0 use addrl
9 bne at,t9,0x836d8c8 bne at,t9,0x836d838 use TCG_TMP0
10 nop nop
11 bne v0,t8,0x836d8c8 bne v0,a1,0x836d838 use base
12 addu v0,a0,t2 addu v0,a0,v0 use addrl, addend
13 lw t0,0(v0) lw t0,0(v0)
Fix by using TCG_TMP0 (at) as the temporary instead of v0 (base),
pushing the load on line 5 forward into the delay slot of the low
comparison (line 10). The early load of the addend on line 7 also needs
pushing even further for 64-bit targets, or it will clobber a0 before
we're done with it. The output for 32-bit targets is unaffected.
srl a0,v0,0x7
andi a0,a0,0x1fe0
addu a0,a0,s0
lw at,9136(a0)
-lw v0,9140(a0) load high comparator
li t9,-4093
-lw a0,9160(a0) load addend
and t9,t9,v0
bne at,t9,0x836d838
- nop
+ lw at,9140(a0) load high comparator
+lw a0,9160(a0) load addend
-bne v0,a1,0x836d838
+bne at,a1,0x836d838
addu v0,a0,v0
lw t0,0(v0)
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit
5eb4f645eba8a79ea643b228c74a79183d436c97)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Tue, 25 Aug 2015 18:00:46 +0000 (20:00 +0200)]
qom: Fix invalid error check in property_get_str()
When a function returns a null pointer on error and only on error, you
can do
if (!foo(foos, errp)) {
... handle error ...
}
instead of the more cumbersome
Error *err = NULL;
if (!foo(foos, &err)) {
error_propagate(errp, err);
... handle error ...
}
A StringProperty's getter, however, may return null on success! We
then fail to call visit_type_str().
Screwed up in 6a146eb, v1.1.
Fails tests/qom-test in my current, heavily hacked QAPI branch. No
reproducer for master known (but I didn't look hard).
Cc: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit
e1c8237df5395f6a453f18109bd9dd33fb2a397c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Markus Armbruster [Tue, 25 Aug 2015 18:00:45 +0000 (20:00 +0200)]
qom: Do not reuse errp after a possible error
The argument for an Error **errp parameter must point to a null
pointer. If it doesn't, and an error happens, error_set() fails its
assertion.
Instead of
foo(foos, errp);
bar(bars, errp);
you need to do something like
Error *err = NULL;
foo(foos, &err);
if (err) {
error_propagate(errp, err);
goto out;
}
bar(bars, errp);
out:
Screwed up in commit 0e55884 (v1.3.0): property_get_bool().
Screwed up in commit 1f21772 (v2.1.0): object_property_get_enum() and
object_property_get_uint16List().
Screwed up in commit a8e3fbe (v2.4.0): property_get_enum(),
property_set_enum().
Found by inspection, no actual crashes observed.
Fix them up.
Cc: Anthony Liguori <anthony@codemonkey.ws>
Cc: Hu Tao <hutao@cn.fujitsu.com>
Cc: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit
4715d42efe8632b0f9d2594a80e917de45e4ef88)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
John Snow [Thu, 17 Sep 2015 18:17:04 +0000 (14:17 -0400)]
ide: unify io_buffer_offset increments
IDEState's io_buffer_offset was originally added to keep track of offsets
in AHCI rather exclusively, but it was added to IDEState instead of an
AHCI-specific structure.
AHCI fakes all PIO transfers using DMA and a scatter-gather list. When
the core or atapi layers invoke HBA-specific mechanisms for transfers,
they do not always know that it is being backed by DMA or a sglist, so
this offset is not always updated by the HBA code everywhere.
If we modify it in dma_buf_commit, however, any HBA that needs to use
this offset to manage operating on only part of a sglist will have
access to it.
This will fix ATAPI PIO transfers performed through the AHCI HBA,
which were previously not modifying this value appropriately.
This will fix ATAPI PIO transfers larger than one sector.
Reported-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Message-id:
1440546331-29087-2-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
(cherry picked from commit
aaeda4a3c9e4d1d25c65ce8ca98e2de06daf1eec)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Stefan Weil [Thu, 30 Jul 2015 21:08:12 +0000 (23:08 +0200)]
slirp: Fix non blocking connect for w32
Signed-off-by: Stefan Weil <sw@weilnetz.de>
(cherry picked from commit
a246a01631f90230374c2b8ffce608232e2aa654)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Wen Congyang [Wed, 16 Sep 2015 08:35:46 +0000 (16:35 +0800)]
nbd: release exp->blk after all clients are closed
If the socket fd is shutdown, there may be some data which is received before
shutdown. We will read the data and do read/write in nbd_trip(). But the exp's
blk is NULL, and it will cause qemu crashed.
Reported-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Signed-off-by: Wen Congyang <wency@cn.fujitsu.com>
Message-Id: <
55F929E2.1020501@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
d6268348493f32ecc096caa637620757472a1196)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Michael Roth [Tue, 15 Sep 2015 21:34:59 +0000 (16:34 -0500)]
spapr_pci: fix device tree props for MSI/MSI-X
PAPR requires ibm,req#msi and ibm,req#msi-x to be present in the
device node to define the number of msi/msi-x interrupts the device
supports, respectively.
Currently we have ibm,req#msi-x hardcoded to a non-sensical constant
that happens to be 2, and are missing ibm,req#msi entirely. The result
of that is that msi-x capable devices get limited to 2 msi-x
interrupts (which can impact performance), and msi-only devices likely
wouldn't work at all. Additionally, if devices expect a minimum that
exceeds 2, the guest driver may fail to load entirely.
SLOF still owns the generation of these properties at boot-time
(although other device properties have since been offloaded to QEMU),
but for hotplugged devices we rely on the values generated by QEMU
and thus hit the limitations above.
Fix this by generating these properties in QEMU as expected by guests.
In the future it may make sense to modify SLOF to pass through these
values directly as we do with other props since we're duplicating SLOF
code.
Cc: qemu-ppc@nongnu.org
Cc: qemu-stable@nongnu.org
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit
a8ad731a001d41582c9cec4015f73ab3bc11a28d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alberto Garcia [Thu, 10 Sep 2015 15:19:32 +0000 (18:19 +0300)]
gtk: use setlocale() for LC_MESSAGES only
The QEMU code is not internationalized and assumes that it runs under
the C locale, but if we use the GTK+ UI we'll end up importing the
locale settings from the environment. This can break things, such as
the JSON generator and iotest 120 in locales that use a decimal comma.
We do however have translations for a few simple strings for the GTK+
menu items, so in order to run QEMU using the C locale, and yet have a
translated UI let's use setlocale() for LC_MESSAGES only.
Cc: qemu-stable@nongnu.org
Signed-off-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit
2cb5d2a47c655331bcf0ab16bab8fe4701182c58)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
John Snow [Thu, 17 Sep 2015 18:17:05 +0000 (14:17 -0400)]
ide: fix ATAPI command permissions
We're a little too lenient with what we'll let an ATAPI drive handle.
Clamp down on the IDE command execution table to remove CD_OK permissions
from commands that are not and have never been ATAPI commands.
For ATAPI command validity, please see:
- ATA4 Section 6.5 ("PACKET Command feature set")
- ATA8/ACS Section 4.3 ("The PACKET feature set")
- ACS3 Section 4.3 ("The PACKET feature set")
ACS3 has a historical command validity table in Table B.4
("Historical Command Assignments") that can be referenced to find when
a command was introduced, deprecated, obsoleted, etc.
The only reference for ATAPI command validity is by checking that
version's PACKET feature set section.
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
therefore are assumed to have never been ATAPI commands.
Mandatory commands, as listed in ATA8-ACS3, are:
- DEVICE RESET
- EXECUTE DEVICE DIAGNOSTIC
- IDENTIFY DEVICE
- IDENTIFY PACKET DEVICE
- NOP
- PACKET
- READ SECTOR(S)
- SET FEATURES
Optional commands as listed in ATA8-ACS3, are:
- FLUSH CACHE
- READ LOG DMA EXT
- READ LOG EXT
- WRITE LOG DMA EXT
- WRITE LOG EXT
All other commands are illegal to send to an ATAPI device and should
be rejected by the device.
CD_OK removal justifications:
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
This patch fixes a divide by zero fault that can be caused by sending
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
attempt to use zeroed CHS values to perform sector arithmetic.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id:
1441816082-21031-1-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
(cherry picked from commit
d9033e1d3aa666c5071580617a57bd853c5d794a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Max Reitz [Mon, 14 Sep 2015 14:39:47 +0000 (16:39 +0200)]
qcow2: Make size_to_clusters() return uint64_t
Sadly, some images may have more clusters than what can be represented
using a plain int. We should be prepared for that case (in
qcow2_check_refcounts() we actually were trying to catch that case, but
since size_to_clusters() truncated the returned value, that check never
did anything useful).
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
b6d36def6d9e9fd187327182d0abafc9b7085d8f)
Conflicts:
block/qcow2-cluster.c
block/qcow2.h
* removed context dependency on
ff99129a
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Richard Henderson [Mon, 14 Sep 2015 13:39:47 +0000 (14:39 +0100)]
target-arm: Share all common TCG temporaries
This is a bug fix for aarch64. At present, we have branches using
the 32-bit (translate.c) versions of cpu_[NZCV]F, but we set the flags
using the 64-bit (translate-a64.c) versions of cpu_[NZCV]F. From
the view of the TCG code generator, these are unrelated variables.
The bug is hard to see because we currently only read these variables
from branches, and upon reaching a branch TCG will first spill live
variables and then reload the arguments of the branch. Since the
32-bit versions were never live until reaching the branch, we'd re-read
the data that had just been spilled from the 64-bit versions.
There is currently no such problem with the cpu_exclusive_* variables,
but there's no point in tempting fate.
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-id:
1441909103-24666-2-git-send-email-rth@twiddle.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit
78bcaa3e37afbd0c5316634f917c13487384b6ca)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Pierre Morel [Mon, 7 Sep 2015 11:33:56 +0000 (13:33 +0200)]
virtio dataplane: adapt dataplane for virtio Version 1
Let dataplane allocate different region for the desc/avail/used
ring regions.
Take VIRTIO_RING_F_EVENT_IDX into account to increase the used/avail
rings accordingly.
[Fix 32-bit builds by changing 16lx format specifier to HWADDR_PRIx.
--Stefan]
Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Tested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-id:
1441625636-23773-1-git-send-email-pmorel@linux.vnet.ibm.com
(changed __virtio16 into uint16_t,
map descriptor table and available ring read-only)
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
a9718ef0005d6910097788936dc40c0204713729)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Aníbal Limón [Thu, 3 Sep 2015 20:48:33 +0000 (15:48 -0500)]
cpus.c: qemu_mutex_lock_iothread fix race condition at cpu thread init
When QEMU starts the RCU thread executes qemu_mutex_lock_thread
causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
This isn't occur frequently but in glibc the thread id can exist and
this not guarantee that the thread is on active/running state. If is
inserted a sleep(1) after newthread assignment [1] the issue appears.
So not make assumption that thread exist if first_cpu->thread is set
then change the validation of cpu to created that is set into cpu
threads (kvm, tcg, dummy).
[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=
d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
Cc: qemu-stable@nongnu.org
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Message-Id: <
1441313313-3040-1-git-send-email-anibal.limon@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
46036b2462c7ff56c0af6466ea6b9248197a38a8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Vladislav Yasevich [Tue, 1 Sep 2015 15:26:46 +0000 (11:26 -0400)]
rtl8139: Do not consume the packet during overflow in standard mode.
When operation in standard mode, we currently return the size
of packet during buffer overflow. This consumes the overflow
packet. Return 0 instead so we can re-process the overflow packet
when we have room.
This fixes issues with lost/dropped fragments of large messages.
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id:
1441121206-6997-3-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
26c4e7ca72d970d120f0f51244bc8d37458512a0)
*removed dependency on
b76f21a7
*removed context dependency on
4cbea598
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Vladislav Yasevich [Tue, 1 Sep 2015 15:26:45 +0000 (11:26 -0400)]
rtl8139: Fix receive buffer overflow check
rtl8139_do_receive() tries to check for the overflow condition
by making sure that packet_size + 8 does not exceed the
available buffer space. The issue here is that RxBuffAddr,
used to calculate available buffer space, is aligned to a
a 4 byte boundry after every update. So it is possible that
every packet ends up being slightly padded when written
to the receive buffer. This padding is not taken into
account when checking for overflow and we may end up missing
the overflow condition can causing buffer overwrite.
This patch takes alignment into consideration when
checking for overflow condition.
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id:
1441121206-6997-2-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
fabdcd3392f16fc666b1d04fc1bbe5f1dbbf10a4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cornelia Huck [Fri, 24 Jul 2015 10:08:37 +0000 (12:08 +0200)]
s390x/css: start with cleared cstat/dstat
When executing the start function, we should start with a clear state
regarding subchannel and device status; it is easy to forget updating one
of them after the ccw has been processed.
Note that we don't need to care about resetting the various control
fields: They are cleared by tsch(), and if they were still pending,
we wouldn't be able to execute the start function in the first
place.
Also note that we don't want to clear cstat/dstat if a suspended
subchannel is resumed.
This fixes a bug where we would continue to present channel-program
check in cstat even though later ccw requests for the subchannel
finished without error (i.e. cstat should be 0).
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
(cherry picked from commit
6b7741c2bedeae2e8c54fffce81723ca0a0c25c0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alexander Graf [Fri, 28 Aug 2015 11:10:17 +0000 (13:10 +0200)]
PPC: E500: Update u-boot to commit
79c884d7e4
The current U-Boot binary in QEMU has a bug where it fails to support
dynamic CCSR addressing. Without this support, u-boot can not boot the
ppce500 machine anymore. This has been fixed upstream in u-boot commit
e834975b.
Update the u-boot blob we carry in QEMU to the latest u-boot upstream,
so that we can successfully run u-boot with the ppce500 machine again.
CC: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
Tested-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit
d4574435a6530bbd96ae130eddfe5b676f91367a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Michael S. Tsirkin [Thu, 27 Aug 2015 09:06:23 +0000 (12:06 +0300)]
scripts/dump-guest-memory.py: fix after RAMBlock change
commit
9b8424d5735278ca382f11adc7c63072b632ab83
"exec: split length -> used_length/max_length"
changed field names in struct RAMBlock
It turns out that scripts/dump-guest-memory.py was
poking at this field, update it accordingly.
Cc: qemu-stable@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <
1440666378-3152-1-git-send-email-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
0c71d41e2aa3c7356500ae624166f3bb8c201aee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Gonglei [Wed, 26 Aug 2015 01:52:51 +0000 (09:52 +0800)]
vhost-scsi: fix wrong vhost-scsi firmware path
vhost-scsi bootindex does't work because Qemu passes
wrong fireware path to seabios.
before:
/pci@i0cf8/scsi@7channel@0/vhost-scsi@0,0
after applying the patch:
/pci@i0cf8/scsi@7/channel@0/vhost-scsi@0,0
Reported-by: Subo <subo7@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <
1440553971-11108-1-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
f42bf6a262ab5923a1a3bc8f731b830396937c47)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Mark Cave-Ayland [Sun, 23 Aug 2015 10:50:55 +0000 (11:50 +0100)]
mac_dbdma: always clear FLUSH bit once DBDMA channel flush is complete
The code to flush the DBDMA channel was effectively duplicated in
dbdma_control_write(), except for the fact that the copy executed outside of a
RUN bit transition was broken by not clearing the FLUSH bit once the flush was
complete.
Newer PPC Linux kernels would timeout waiting for the FLUSH bit to clear again
after submitting a FLUSH command. Fix this by always clearing the FLUSH bit
once the channel flush is complete and removing the repeated code.
Reported-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit
1cde732d88af34849343dc1f0e68072eab0841b9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Max Reitz [Thu, 20 Aug 2015 23:00:38 +0000 (16:00 -0700)]
qemu-img: Fix crash in amend invocation
Example:
$ ./qemu-img create -f qcow2 /tmp/t.qcow2 64M
$ ./qemu-img amend -f qcow2 -o backing_file=/tmp/t.qcow2, -o help \
/tmp/t.qcow2
This should not crash. This actually is tested by iotest 082, but not
caught due to the segmentation fault being silent (which is something
that needs to be fixed, too).
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
e814dffcc9810ed77fe99081be9751b620a894c4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Lieven [Thu, 20 Aug 2015 10:46:47 +0000 (12:46 +0200)]
block/nfs: fix calculation of allocated file size
st.st_blocks is always counted in 512 byte units. Do not
use st.st_blksize as multiplicator which may be larger.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id:
1440067607-14547-1-git-send-email-pl@kamp.de
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit
055c6f912c8d3cd9a901972ae432c47e5872f71a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Crosthwaite [Tue, 18 Aug 2015 03:28:18 +0000 (20:28 -0700)]
exec-all: Translate TCI return addresses backwards too
This subtraction of return addresses applies directly to TCI as well as
host-TCG. This fixes Linux boots for at least Microblaze, CRIS, ARM and
SH4 when using TCI.
[sw: Removed indentation for preprocessor statement]
[sw: The patch also fixes Linux boot for x86_64]
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
(cherry picked from commit
a17d448274575efbfcc1c04ec2641a0afeb74e17)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Lieven [Fri, 14 Aug 2015 11:33:36 +0000 (13:33 +0200)]
block/iscsi: validate block size returned from target
It has been reported that at least tgtd returns a block size of 0
for LUN 0. To avoid running into divide by zero later on and protect
against other problematic block sizes validate the block size right
at connection time.
Cc: qemu-stable@nongnu.org
Reported-by: Andrey Korolyov <andrey@xdel.ru>
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <
1439552016-8557-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
6d1f252d8c1ba73bf6ed9af28731a9c9c3d473a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Mon, 7 Sep 2015 09:39:27 +0000 (10:39 +0100)]
target-arm/arm-semi.c: Fix broken SYS_WRITE0 via gdb
A spurious trailing "\n" in the gdb syscall format string used
for SYS_WRITE0 meant that gdb would reject the remote syscall,
with the effect that the output from the guest was silently dropped.
Remove the newline so that gdb accepts the packet.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit
857b55adb77004d9ec9202078b7f1f3a1a076112)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Thu, 13 Aug 2015 08:41:50 +0000 (10:41 +0200)]
mirror: Fix coroutine reentrance
This fixes a regression introduced by commit
dcfb3beb ("mirror: Do zero
write on target if sectors not allocated"), which was reported to cause
aborts with the message "Co-routine re-entered recursively".
The cause for this bug is the following code in mirror_iteration_done():
if (s->common.busy) {
qemu_coroutine_enter(s->common.co, NULL);
}
This has always been ugly because - unlike most places that reenter - it
doesn't have a specific yield that it pairs with, but is more
uncontrolled. What we really mean here is "reenter the coroutine if
it's in one of the four explicit yields in mirror.c".
This used to be equivalent with s->common.busy because neither
mirror_run() nor mirror_iteration() call any function that could yield.
However since commit
dcfb3beb this doesn't hold true any more:
bdrv_get_block_status_above() can yield.
So what happens is that bdrv_get_block_status_above() wants to take a
lock that is already held, so it adds itself to the queue of waiting
coroutines and yields. Instead of being woken up by the unlock function,
however, it gets woken up by mirror_iteration_done(), which is obviously
wrong.
In most cases the code actually happens to cope fairly well with such
cases, but in this specific case, the unlock must already have scheduled
the coroutine for wakeup when mirror_iteration_done() reentered it. And
then the coroutine happened to process the scheduled restarts and tried
to reenter itself recursively.
This patch fixes the problem by pairing the reenter in
mirror_iteration_done() with specific yields instead of abusing
s->common.busy.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id:
1439455310-11263-1-git-send-email-kwolf@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit
e424aff5f307227b1c2512bbb8ece891bb895cef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fam Zheng [Wed, 29 Jul 2015 08:45:11 +0000 (16:45 +0800)]
scsi-disk: Fix assertion failure on WRITE SAME
The last portion of an unaligned WRITE SAME command could fail the
assertion in bdrv_aligned_pwritev:
assert(!qiov || bytes == qiov->size);
Because we updated data->iov.iov_len right above this if block, but
data->qiov still has the old size.
Reinitialize the qiov to make them equal and keep block layer happy.
Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <
1438159512-3871-2-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
a56537a12757a8cdee24ad8c83e5af7a9833ea70)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Michael Roth [Tue, 22 Sep 2015 21:53:17 +0000 (16:53 -0500)]
Update version for 2.4.0.1 release
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
P J P [Tue, 15 Sep 2015 11:16:59 +0000 (16:46 +0530)]
net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
737d2b3c41d59eb8f94ab7eb419b957938f24943)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
P J P [Tue, 15 Sep 2015 11:10:49 +0000 (16:40 +0530)]
net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit
9bbdbc66e5765068dce76e9269dce4547afd8ad4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
P J P [Fri, 4 Sep 2015 16:21:06 +0000 (17:21 +0100)]
e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id:
1441383666-6590-1-git-send-email-stefanha@redhat.com
(cherry picked from commit
b947ac2bf26479e710489739c465c8af336599e7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Gerd Hoffmann [Mon, 17 Aug 2015 17:56:53 +0000 (19:56 +0200)]
vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative. Result is (possibly
exploitable) memory corruption. Reason for that is it uses the stride
instead of bytes per scanline to apply limits.
For the server surface is is actually fine. vnc creates that itself,
there is never any padding and thus scanline length always equals stride.
For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way. So add and use a new variable
(guest_ll) for the guest scanline length. Also rename min_stride to
line_bytes to make more clear what it actually is. Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.
Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
Reviewed-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit
eb8934b0418b3b1d125edddc4fc334a54334a49b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Tue, 11 Aug 2015 14:30:34 +0000 (15:30 +0100)]
Update version for v2.4.0 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Wed, 5 Aug 2015 16:02:58 +0000 (17:02 +0100)]
Update version for v2.4.0-rc4 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Wed, 5 Aug 2015 15:02:00 +0000 (16:02 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio fix for 2.4
Fixes migration in virtio 1 mode.
We still have a known bug with memory hotplug, it doesn't
look like we can fix that in time for 2.4.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Wed 05 Aug 2015 15:57:39 BST using RSA key ID
D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
* remotes/mst/tags/for_upstream:
virtio: fix 1.0 virtqueue migration
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Sascha Silbe [Tue, 4 Aug 2015 14:48:25 +0000 (16:48 +0200)]
block: don't register quorum driver if SHA256 support is unavailable
Commit
488981a4 [block: convert quorum blockdrv to use crypto APIs]
broke qemu-iotest 041 on hosts with GnuTLS < 2.10.0. It converted a
compile-time check to a run-time check at device open time. The result
is that we now advertise a feature (the quorum block driver) that will
never work (on those hosts). There's no way (short of parsing
human-readable error messages) for qemu-iotests or any other API
consumer to recognise that the quorum block driver isn't _actually_
available and shouldn't be used or tested.
Move the run-time check to bdrv_quorum_init() to avoid registering the
quorum block driver if we know it cannot work. This way API consumers
can recognise it's unavailable.
Fixes:
488981a4af396551a3178d032cc2b41d9553ada2
Signed-off-by: Sascha Silbe <silbe@linux.vnet.ibm.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id:
1438699705-21761-1-git-send-email-silbe@linux.vnet.ibm.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jason Wang [Wed, 5 Aug 2015 09:50:07 +0000 (17:50 +0800)]
virtio: fix 1.0 virtqueue migration
1.0 does not requires physically-contiguous pages layout for a
virtqueue. So we could not infer avail and used from desc. This means
we need to migrate vring.avail and vring.used when host support virtio
1.0. This fixes malfunction of virtio 1.0 device after migration.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Peter Maydell [Tue, 4 Aug 2015 15:51:24 +0000 (16:51 +0100)]
Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging
X86 queue, 2015-08-04
# gpg: Signature made Tue 04 Aug 2015 16:49:42 BST using RSA key ID
984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6
* remotes/ehabkost/tags/x86-pull-request:
target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Radim Krčmář [Tue, 4 Aug 2015 14:17:21 +0000 (16:17 +0200)]
target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3
Previous patch changed xlevel and missed the compatibility code.
Fixes:
3046bb5debc8 ("target-i386: emulate CPUID level of real hardware")
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Peter Maydell [Tue, 4 Aug 2015 11:57:06 +0000 (12:57 +0100)]
Merge remote-tracking branch 'remotes/lalrae/tags/mips-
20150804' into staging
MIPS patches 2015-08-04
Changes:
* fix semihosting for microMIPS R6
* fix an abort when booting mips64 kernel with --enable-tcg-debug
# gpg: Signature made Tue 04 Aug 2015 12:32:17 BST using RSA key ID
0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4 4FC0 5211 8E3C 0B29 DA6B
* remotes/lalrae/tags/mips-
20150804:
target-mips: Copy restrictions from ext/ins to dext/dins
target-mips: fix semihosting for microMIPS R6
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Richard Henderson [Mon, 3 Aug 2015 19:35:53 +0000 (12:35 -0700)]
target-mips: Copy restrictions from ext/ins to dext/dins
The checks in dins is required to avoid triggering an assertion
in tcg_gen_deposit_tl. The check in dext is just for completeness.
Fold the other D cases in via fallthru.
In this case the errant dins appears to be data, not code, as
translation failed to stop after a break insn.
Signed-off-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Leon Alrae [Mon, 3 Aug 2015 12:01:19 +0000 (13:01 +0100)]
target-mips: fix semihosting for microMIPS R6
In semihosting mode the SDBBP 1 instructions should trigger UHI syscall,
but in QEMU this does not happen for recently added microMIPS R6.
Consequently bare metal microMIPS R6 programs supporting UHI will not run.
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Maydell [Mon, 3 Aug 2015 17:52:55 +0000 (18:52 +0100)]
Merge remote-tracking branch 'remotes/sstabellini/tags/cve-2015-5166-tag' into staging
cve-2015-5166
# gpg: Signature made Mon 03 Aug 2015 15:27:44 BST using RSA key ID
70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
* remotes/sstabellini/tags/cve-2015-5166-tag:
Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 3 Aug 2015 16:33:35 +0000 (17:33 +0100)]
Merge remote-tracking branch 'remotes/sstabellini/tags/xen-migration-2.4-tag' into staging
xen-migration-2.4
# gpg: Signature made Mon 03 Aug 2015 17:18:36 BST using RSA key ID
70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
* remotes/sstabellini/tags/xen-migration-2.4-tag:
migration: Fix regression for xenfv and pc,accel=xen machine.
migration: Fix global state with Xen.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Anthony PERARD [Mon, 3 Aug 2015 14:29:21 +0000 (15:29 +0100)]
migration: Fix regression for xenfv and pc,accel=xen machine.
This fix migration from the same QEMU version and from previous QEMU
version.
>From the global state section, we don't need runstate with Xen. Right now,
the way the Xen toolstack knows when QEMU is ready is when QEMU reach
"running" runstate.
The configuration section and the section footers are not going to be
present in previous version of QEMU with xenfv machine, so we skip them.
The Xen toolstack libxenlight does not specify a particular version of the
'pc' machine, so migration from older version of QEMU used by Xen to newer
one would break due to missing "configuration" section and section footers.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Anthony PERARD [Mon, 3 Aug 2015 14:29:19 +0000 (15:29 +0100)]
migration: Fix global state with Xen.
When doing migration via the QMP command xen_save_devices_state, the
current runstate is not store into the global state section. Also the
current runstate is not the one we want on the receiver side.
During migration, the Xen toolstack paused QEMU before save the devices
state. Also, the toolstack expect QEMU to autostart when the migration is
finished.
So this patch store "running" as it's current runstate.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Andreas Färber [Fri, 24 Jul 2015 14:47:37 +0000 (16:47 +0200)]
configure: Drop vnc-ws feature from help text
Commit 8e9b0d2 (ui: convert VNC websockets to use crypto APIs) dropped
the --enable-vnc-ws option but forgot to update the help text. Fix this.
Cc: Daniel P. Berrange <berrange@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id:
1437749257-3313-1-git-send-email-afaerber@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefano Stabellini [Mon, 3 Aug 2015 13:56:57 +0000 (13:56 +0000)]
Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Peter Maydell [Mon, 3 Aug 2015 12:09:10 +0000 (13:09 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request' into staging
Pull request
# gpg: Signature made Mon Aug 3 13:08:25 2015 BST using RSA key ID
81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"
* remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request:
rtl8139: check TCP Data Offset field (CVE-2015-5165)
rtl8139: skip offload on short TCP header (CVE-2015-5165)
rtl8139: check IP Total Length field (CVE-2015-5165)
rtl8139: check IP Header Length field (CVE-2015-5165)
rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:39:29 +0000 (17:39 +0100)]
rtl8139: check TCP Data Offset field (CVE-2015-5165)
The TCP Data Offset field contains the length of the header. Make sure
it is valid and does not exceed the IP data length.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:36:15 +0000 (17:36 +0100)]
rtl8139: skip offload on short TCP header (CVE-2015-5165)
TCP Large Segment Offload accesses the TCP header in the packet. If the
packet is too short we must not attempt to access header fields:
tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:34:40 +0000 (17:34 +0100)]
rtl8139: check IP Total Length field (CVE-2015-5165)
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:32:32 +0000 (17:32 +0100)]
rtl8139: check IP Header Length field (CVE-2015-5165)
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 13:30:37 +0000 (14:30 +0100)]
rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
Transmit offload features access Ethernet and IP headers the packet. If
the packet is too short we must not attempt to access header fields:
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
...
eth_payload_data = saved_buffer + ETH_HLEN;
...
ip = (ip_header*)eth_payload_data;
if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:17:28 +0000 (17:17 +0100)]
rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 16:13:32 +0000 (17:13 +0100)]
rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Peter Maydell [Mon, 3 Aug 2015 10:44:07 +0000 (11:44 +0100)]
Merge remote-tracking branch 'remotes/aurel/tags/pull-tcg-mips-s390-
20150803' into staging
TCG MIPS and S390 fixes for 2.4.
# gpg: Signature made Mon Aug 3 09:09:59 2015 BST using RSA key ID
1DDD8C9B
# gpg: Good signature from "Aurelien Jarno <aurelien@aurel32.net>"
# gpg: aka "Aurelien Jarno <aurelien@jarno.fr>"
# gpg: aka "Aurelien Jarno <aurel32@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7746 2642 A9EF 94FD 0F77 196D BA9C 7806 1DDD 8C9B
* remotes/aurel/tags/pull-tcg-mips-s390-
20150803:
tcg/mips: fix add2
tcg/s390x: Mask TCGMemOp appropriately for indexing
tcg/mips: Mask TCGMemOp appropriately for indexing
tcg/mips: fix TLB loading for BE host with 32-bit guests
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 3 Aug 2015 09:44:23 +0000 (10:44 +0100)]
Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging
# gpg: Signature made Fri Jul 31 23:24:06 2015 BST using RSA key ID
AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E
* remotes/jnsnow/tags/ide-pull-request:
ahci: fix ICC mask definition
macio: re-add TRIM support
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Aurelien Jarno [Fri, 31 Jul 2015 14:38:25 +0000 (16:38 +0200)]
tcg/mips: fix add2
The add2 code in the tcg_out_addsub2 function doesn't take into account
the case where rl == al == bl. In that case we can't compute the carry
after the addition. As it corresponds to a multiplication by 2, the
carry bit is the bit 31.
While this is a corner case, this prevents x86-64 guests to boot on a
MIPS host.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Thu, 30 Jul 2015 20:13:26 +0000 (22:13 +0200)]
tcg/s390x: Mask TCGMemOp appropriately for indexing
Commit
2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
but two cases were forgotten in the TCG S390 backend.
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Thu, 30 Jul 2015 20:11:51 +0000 (22:11 +0200)]
tcg/mips: Mask TCGMemOp appropriately for indexing
Commit
2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
but two cases were forgotten in the TCG MIPS backend.
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Thu, 30 Jul 2015 21:39:34 +0000 (23:39 +0200)]
tcg/mips: fix TLB loading for BE host with 32-bit guests
For 32-bit guest, we load a 32-bit address from the TLB, so there is no
need to compensate for the low or high part. This fixes 32-bit guests on
big-endian hosts.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
John Snow [Tue, 21 Jul 2015 18:02:01 +0000 (14:02 -0400)]
ahci: fix ICC mask definition
There are likely others that could be updated, but we'll
go with a light touch for 2.4 for now.
Without the Unsigned specifier, this shifts bits into the
signed bit, which makes clang unhappy and could cause
unwanted behavior.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id:
1437501721-24495-1-git-send-email-jsnow@redhat.com
Aurelien Jarno [Wed, 29 Jul 2015 19:27:48 +0000 (21:27 +0200)]
macio: re-add TRIM support
Commit
bd4214fc dropped TRIM support by mistake. Given it is still
advertised to the host when using a drive with discard=on, this cause
the IDE bus to hang when the host issues a TRIM command.
This patch fixes that by re-adding the TRIM code, ported to the new
new DMA implementation.
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: John Snow <jsnow@redhat.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id:
1438198068-32428-1-git-send-email-aurelien@aurel32.net
Signed-off-by: John Snow <jsnow@redhat.com>
Richard Henderson [Wed, 29 Jul 2015 18:40:52 +0000 (11:40 -0700)]
bsd-user: Fix operand to cpu_x86_exec
Signed-off-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id:
1438195252-21968-1-git-send-email-rth@twiddle.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Wed, 29 Jul 2015 17:50:11 +0000 (18:50 +0100)]
Update version for v2.4.0-rc3 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Wed, 29 Jul 2015 16:08:38 +0000 (17:08 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request
These fixes make dataplane work again after the notify_me optimization was
added. They also solve QEMUBH memory leaks and fix a bug in dataplane's
cleanup code.
# gpg: Signature made Wed Jul 29 14:50:26 2015 BST using RSA key ID
81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"
* remotes/stefanha/tags/block-pull-request:
AioContext: force event loop iteration using BH
AioContext: avoid leaking BHs on cleanup
virtio-blk-dataplane: delete bottom half before the AioContext is freed
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Tue, 28 Jul 2015 16:34:09 +0000 (18:34 +0200)]
AioContext: force event loop iteration using BH
The notify_me optimization introduced in commit
eabc97797310
("AioContext: fix broken ctx->dispatching optimization") skips
event_notifier_set() calls when the event loop thread is not blocked in
ppoll(2).
This optimization causes a deadlock if two aio_context_acquire() calls
race. notify_me = 0 during the race so the winning thread can enter
ppoll(2) unaware that the other thread is waiting its turn to acquire
the AioContext.
This patch forces ppoll(2) to return by scheduling a BH instead of
calling aio_notify().
The following deadlock with virtio-blk dataplane is fixed:
qemu ... -object iothread,id=iothread0 \
-drive if=none,id=drive0,file=test.img,... \
-device virtio-blk-pci,iothread=iothread0,drive=drive0
This command-line results in a hang early on without this patch.
Thanks to Paolo Bonzini <pbonzini@redhat.com> for investigating this bug
with me.
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id:
1438101249-25166-4-git-send-email-pbonzini@redhat.com
Message-Id: <
1438014819-18125-3-git-send-email-stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Tue, 28 Jul 2015 16:34:08 +0000 (18:34 +0200)]
AioContext: avoid leaking BHs on cleanup
BHs are freed during aio_bh_poll(). This leads to memory leaks if there
is no aio_bh_poll() between qemu_bh_delete() and aio_ctx_finalize().
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id:
1438101249-25166-3-git-send-email-pbonzini@redhat.com
Message-Id: <
1438014819-18125-2-git-send-email-stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Paolo Bonzini [Tue, 28 Jul 2015 16:34:07 +0000 (18:34 +0200)]
virtio-blk-dataplane: delete bottom half before the AioContext is freed
Other uses of aio_bh_new are safe as long as all scheduled bottom
halves are run before an iothread is destroyed, which bdrv_drain will
ensure:
- archipelago_finish_aiocb: BH deletes itself
- inject_error: BH deletes itself
- blkverify_aio_bh: BH deletes itself
- abort_aio_request: BH deletes itself
- curl_aio_readv: BH deletes itself
- gluster_finish_aiocb: BH deletes itself
- bdrv_aio_rw_vector: BH deletes itself
- bdrv_co_maybe_schedule_bh: BH deletes itself
- iscsi_schedule_bh, iscsi_co_generic_cb: BH deletes itself
- laio_attach_aio_context: deleted in laio_detach_aio_context,
called through bdrv_detach_aio_context before deleting the iothread
- nfs_co_generic_cb: BH deletes itself
- null_aio_common: BH deletes itself
- qed_aio_complete: BH deletes itself
- rbd_finish_aiocb: BH deletes itself
- dma_blk_cb: BH deletes itself
- virtio_blk_dma_restart_cb: BH deletes itself
- qemu_bh_new: main loop AioContext is never destroyed
- test-aio.c: bh_delete_cb deletes itself, otherwise deleted in
the same function that calls aio_bh_new
Reported-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id:
1438101249-25166-2-git-send-email-pbonzini@redhat.com
Message-Id: <
1438086628-13000-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Peter Maydell [Tue, 28 Jul 2015 18:02:04 +0000 (19:02 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging
Pull request
These two .can_receive() are now reviewed. The net subsystem queue for 2.4 is now empty.
# gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID
81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"
* remotes/stefanha/tags/net-pull-request:
xen: Drop net_rx_ok
hw/net: handle flow control in mcf_fec driver receiver
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 28 Jul 2015 16:09:56 +0000 (17:09 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio fixes for 2.4
Mostly virtio 1 spec compliance fixes.
We are unlikely to make it perfectly compliant in
the first release, but it seems worth it to try.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID
D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
* remotes/mst/tags/for_upstream:
virtio: minor cleanup
acpi: fix pvpanic device is not shown in ui
virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
virtio-blk: fail get_features when both scsi and 1.0 were set
virtio: get_features() can fail
virtio-pci: fix memory MR cleanup for modern
virtio: set any_layout in virtio core
virtio-9p: fix any_layout
virtio-serial: fix ANY_LAYOUT
virtio: hide legacy features from modern guests
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 28 Jul 2015 14:25:24 +0000 (15:25 +0100)]
Merge remote-tracking branch 'remotes/lalrae/tags/mips-
20150728' into staging
MIPS patches 2015-07-28
Changes:
* net/dp8393x fixes
* Vectored Interrupts bug fix
* fix for a bug in machine.c which was provoking a warning on FreeBSD
# gpg: Signature made Tue Jul 28 10:47:19 2015 BST using RSA key ID
0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4 4FC0 5211 8E3C 0B29 DA6B
* remotes/lalrae/tags/mips-
20150728:
net/dp8393x: do not use memory_region_init_rom_device with NULL
net/dp8393x: remove check of runt packets
net/dp8393x: disable user creation
target-mips: fix offset calculation for Interrupts
target-mips: fix passing incompatible pointer type in machine.c
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 28 Jul 2015 13:19:16 +0000 (14:19 +0100)]
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
* crypto fixes
* megasas SIGSEGV fix
* memory refcount change to fix virtio hot-unplug
# gpg: Signature made Tue Jul 28 08:29:07 2015 BST using RSA key ID
78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream:
memory: do not add a reference to the owner of aliased regions
megasas: Add write function to handle write access to PCI BAR 3
crypto: extend unit tests to cover decryption too
crypto: fix built-in AES decrypt function
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 28 Jul 2015 12:22:57 +0000 (13:22 +0100)]
Merge remote-tracking branch 'remotes/cody/tags/jtc-for-upstream-pull-request' into staging
# gpg: Signature made Tue Jul 28 05:22:29 2015 BST using RSA key ID
C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg: aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg: aka "Jeffrey Cody <codyprime@gmail.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98 D624 BDBE 7B27 C0DE 3057
* remotes/cody/tags/jtc-for-upstream-pull-request:
block/ssh: Avoid segfault if inet_connect doesn't set errno.
sheepdog: serialize requests to overwrapping area
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Fam Zheng [Tue, 28 Jul 2015 09:52:56 +0000 (17:52 +0800)]
xen: Drop net_rx_ok
Let net_rx_packet() (which checks the same conditions) drops the packet
if the device is not ready. Drop net_xen_info.can_receive and update the
return value for the buffer full case.
We rely on the qemu_flush_queued_packets() in net_event() to wake up
the peer when the buffer becomes available again.
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id:
1438077176-378-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Peter Maydell [Tue, 28 Jul 2015 10:28:44 +0000 (11:28 +0100)]
Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2015-07-27' into staging
trivial patches for 2015-07-27
# gpg: Signature made Mon Jul 27 20:50:14 2015 BST using RSA key ID
A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
* remotes/mjt/tags/pull-trivial-patches-2015-07-27:
gdbstub: Set current CPU on interruptions
qapi: add missing @
Fix Cortex-A9 global timer
gitignore: Ignore shader generated files
vmstate: remove unused declaration
make: Clean build messages
qemu-common.h: Document cutils.c string functions
device_tree: Fix a typo
hw/acpi/ich9: clean up stale comment about KVM not supporting SMM
hw/acpi/ich9: clear smi_en on reset
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Greg Ungerer [Tue, 28 Jul 2015 01:02:54 +0000 (11:02 +1000)]
hw/net: handle flow control in mcf_fec driver receiver
The network mcf_fec driver emulated receive side method is not dealing
with network queue flow control properly.
Modify the receive side to check if we have enough space in the
descriptors to store the current packet. If not we process none of it
and return 0. When the guest frees up some buffers through its descriptors
we signal the qemu net layer to send more packets.
[Fixed coding style: 4-space indent and curly braces on if statement.
--Stefan]
Signed-off-by: Greg Ungerer <gerg@uclinux.org>
Message-id:
1438045374-10358-1-git-send-email-gerg@uclinux.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Hervé Poussineau [Sun, 26 Jul 2015 20:32:55 +0000 (22:32 +0200)]
net/dp8393x: do not use memory_region_init_rom_device with NULL
Replace memory_region_init_rom_device() with memory_region_init_ram() and
memory_region_set_readonly().
This fixes a guest-triggerable QEMU crash when guest tries to write to PROM.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
[leon.alrae@imgtec.com: shorten subject length]
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Hervé Poussineau [Fri, 24 Jul 2015 18:42:23 +0000 (20:42 +0200)]
net/dp8393x: remove check of runt packets
Ethernet requires that messages are at least 64 bytes on the wire. This
limitation does not exist on emulation (no wire message), so remove the
check. Netcard is now able to receive small network packets.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Hervé Poussineau [Fri, 24 Jul 2015 18:42:21 +0000 (20:42 +0200)]
net/dp8393x: disable user creation
Netcard needs an address space to write data to, which can't be specified
on command line.
This fixes a crash when user starts QEMU with "-device dp8393x"
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>