sdk/emulator/qemu.git
10 years agovirtio-net: fix guest-triggerable buffer overrun
Michael S. Tsirkin [Fri, 11 Apr 2014 12:18:08 +0000 (15:18 +0300)]
virtio-net: fix guest-triggerable buffer overrun

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Fri, 11 Apr 2014 13:07:24 +0000 (14:07 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.0.0-rc3

# gpg: Signature made Fri 11 Apr 2014 13:37:34 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block-commit: speed is an optional parameter
  iscsi: Remember to set ret for iscsi_open in error case
  bochs: Fix catalog size check
  bochs: Fix memory leak in bochs_open() error path

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-1' into staging
Peter Maydell [Fri, 11 Apr 2014 12:51:15 +0000 (13:51 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-1' into staging

sdl2 relative mouse mode fixes.

# gpg: Signature made Fri 11 Apr 2014 11:36:46 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-1:
  input: sdl2: Fix relative mode to match SDL1 behavior
  input: sdl2: Fix guest_cursor logic

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoblock-commit: speed is an optional parameter
Max Reitz [Thu, 10 Apr 2014 17:36:25 +0000 (19:36 +0200)]
block-commit: speed is an optional parameter

As speed is an optional parameter for the QMP block-commit command, it
should be set to 0 if not given (as it is undefined if has_speed is
false), that is, the speed should not be limited.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agoiscsi: Remember to set ret for iscsi_open in error case
Fam Zheng [Thu, 10 Apr 2014 01:33:55 +0000 (09:33 +0800)]
iscsi: Remember to set ret for iscsi_open in error case

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agobochs: Fix catalog size check
Kevin Wolf [Wed, 9 Apr 2014 10:10:34 +0000 (12:10 +0200)]
bochs: Fix catalog size check

The old check was off by a factor of 512 and didn't consider cases where
we don't get an exact division. This could lead to an out-of-bounds
array access in seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
10 years agobochs: Fix memory leak in bochs_open() error path
Kevin Wolf [Wed, 9 Apr 2014 09:19:04 +0000 (11:19 +0200)]
bochs: Fix memory leak in bochs_open() error path

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
10 years agoinput: sdl2: Fix relative mode to match SDL1 behavior
Cole Robinson [Tue, 1 Apr 2014 20:37:11 +0000 (16:37 -0400)]
input: sdl2: Fix relative mode to match SDL1 behavior

Right now relative mode accelerates too fast, and has the 'invisible wall'
problem. SDL2 added an explicit API to handle this use case, so let's use
it.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agoinput: sdl2: Fix guest_cursor logic
Cole Robinson [Tue, 1 Apr 2014 20:37:10 +0000 (16:37 -0400)]
input: sdl2: Fix guest_cursor logic

Unbreaks relative mouse mode with sdl2, just like was done with sdl.c
in c3aa84b6.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agoMerge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Thu, 10 Apr 2014 22:07:55 +0000 (23:07 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi: DSDT update

Two fixes here:
- Test fix to avoid warning with make check.
- Hex file update so people building QEMU
  without installing iasl get exactly the same ACPI
  as with.

Both should help avoid user confusion.

As it's very easy to check that the produced ACPI
binary didn't change, I think these are very low risk.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Thu 10 Apr 2014 17:09:43 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  acpi: update generated hex files
  tests/acpi: update expected DSDT files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoconfigure: use do_cc when checking for -fstack-protector support
Peter Maydell [Wed, 9 Apr 2014 11:04:47 +0000 (12:04 +0100)]
configure: use do_cc when checking for -fstack-protector support

MacOSX clang silently swallows unrecognized -f options when doing a link
with '-framework' also on the command line, so to detect support for
the various -fstack-protector options we must do a plain .c to .o compile,
not a complete compile-and-link.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397041487-28477-1-git-send-email-peter.maydell@linaro.org

10 years agoacpi: update generated hex files
Michael S. Tsirkin [Thu, 10 Apr 2014 16:03:18 +0000 (19:03 +0300)]
acpi: update generated hex files

commit f2ccc311df55ec026a8f8ea9df998f26314f22b2
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update hex files to match

Otherwise the fix is only effective if QEMU is built
with iasl.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
10 years agotests/acpi: update expected DSDT files
Michael S. Tsirkin [Wed, 9 Apr 2014 14:47:07 +0000 (17:47 +0300)]
tests/acpi: update expected DSDT files

commit f2ccc311df55ec026a8f8ea9df998f26314f22b2
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update test expected files to match

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: Igor Mammedov <imammedo@redhat.com>
10 years agoUpdate version for v2.0.0-rc2 release
Peter Maydell [Tue, 8 Apr 2014 17:52:06 +0000 (18:52 +0100)]
Update version for v2.0.0-rc2 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agohw/pci-host/prep: Don't reverse IO accesses on bigendian hosts
Peter Maydell [Tue, 8 Apr 2014 15:51:11 +0000 (16:51 +0100)]
hw/pci-host/prep: Don't reverse IO accesses on bigendian hosts

The raven_io_read() and raven_io_write() functions pass and
return values in little-endian format (since the IO op struct
is marked DEVICE_LITTLE_ENDIAN); however they were storing the
values in the buffer to pass to address_space_read/write()
in host-endian order, which meant that on big-endian hosts
the values were inadvertently reversed. Use the *_le_p()
accessors instead so that we are consistent regardless of
host endianness.

Strictly speaking the byte order of the buffer for
address_space_rw() is target byte order (which for PPC
will be BE) but it doesn't actually matter as long as we
are consistent about the marking on the IO op struct and
which stl_*_p().

This bug was probably introduced due to confusion caused by
the two different versions of ldl_p() and friends:
 bswap.h defines versions meaning "host endianness access"
 cpu-all.h defines versions meaning "target endianness access"
As a target-independent source file prep.c gets the bswap.h
versions; the very similar looking code in ioport.c is
compiled per-target and gets the cpu-all.h versions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1396972271-22660-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
10 years agoMerge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
Peter Maydell [Tue, 8 Apr 2014 12:59:28 +0000 (13:59 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi bug fix

Here is a single last minute fix for 2.0

This changes the HID of the container used to claim
resources for CPU hotplug.
As a result, windows XP SP3 no longer brings up
an annoying "found new hardware" wizard on boot.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Tue 08 Apr 2014 13:23:30 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  dsdt: tweak ACPI ID for hotplug resource device

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agodsdt: tweak ACPI ID for hotplug resource device
Michael S. Tsirkin [Sun, 6 Apr 2014 09:47:37 +0000 (12:47 +0300)]
dsdt: tweak ACPI ID for hotplug resource device

ACPI0004 seems too new:
Windows XP complains about an unrecognized device.
This is a regression since 1.7.
Use PNP0A06 instead - Generic Container Device.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-By: Igor Mammedov <imammedo@redhat.com>
10 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-5' into staging
Peter Maydell [Tue, 8 Apr 2014 12:05:25 +0000 (13:05 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-5' into staging

gtk: Implement grab-on-click behavior in relative mode

# gpg: Signature made Tue 08 Apr 2014 12:58:49 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-5:
  gtk: Implement grab-on-click behavior in relative mode

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agogtk: Implement grab-on-click behavior in relative mode
Takashi Iwai [Tue, 8 Apr 2014 09:26:45 +0000 (11:26 +0200)]
gtk: Implement grab-on-click behavior in relative mode

This patch changes the behavior in the relative mode to be compatible
with other UIs, namely, grabbing the input at the first left click.
It improves the usability a lot; otherwise you have to press ctl-alt-G
or select from menu at each time you want to move the pointer.  Also,
the input grab is cleared when the current mode is switched to the
absolute mode.

The automatic reset of the implicit grabbing is needed since the
switching to the absolute mode happens always after the click even on
Gtk.  That is, we cannot check whether the absolute mode is already
available at the first click time even though it should have been
switched in X11 input driver side.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agoMerge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
Peter Maydell [Tue, 8 Apr 2014 09:58:31 +0000 (10:58 +0100)]
Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging

Patch queue for ppc - 2014-04-08

This is the final queue for 2.0! It fixes a lot of bugs people have
seen during testing:

  - Fix e500 SMP
  - Fix book3s_64 DEC
  - Fix VSX (new feature in 2.0) for LE hosts
  - Fix PR KVM on top of pHyp (SLOF update)

# gpg: Signature made Tue 08 Apr 2014 10:24:18 BST using RSA key ID 03FEDC60
# gpg: Can't check signature: public key not found

* remotes/agraf/tags/signed-ppc-for-upstream:
  PPC: Add l1 cache sizes for 970 and above systems
  ppce500_spin: Initialize struct properly
  PPC: Only enter MSR_POW when no interrupts pending
  PPC: Clean up DECR implementation
  target-ppc: Correct VSX Integer to FP Conversion
  target-ppc: Correct VSX FP to Integer Conversion
  target-ppc: Correct VSX FP to FP Conversions
  target-ppc: Correct VSX Scalar Compares
  target-ppc: Correct Simple VSR LE Host Inversions
  target-ppc: Correct LE Host Inversion of Lower VSRs
  target-ppc: Define Endian-Correct Accessors for VSR Field Access
  target-ppc: Bug: VSX Convert to Integer Should Truncate
  softfloat: Introduce float32_to_uint64_round_to_zero
  pseries: Update SLOF firmware image to qemu-slof-20140404
  PPC: E500: Set PIR default reset value rather than SPR value

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/mdroth/qga-pull-2014-4-7' into staging
Peter Maydell [Tue, 8 Apr 2014 09:41:30 +0000 (10:41 +0100)]
Merge remote-tracking branch 'remotes/mdroth/qga-pull-2014-4-7' into staging

* remotes/mdroth/qga-pull-2014-4-7:
  vss-win32: Fix build with mingw64-headers-3.1.0
  Makefile: add qga-vss-dll-obj-y to nested variables

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoPPC: Add l1 cache sizes for 970 and above systems
Alexander Graf [Mon, 7 Apr 2014 23:42:53 +0000 (01:42 +0200)]
PPC: Add l1 cache sizes for 970 and above systems

Book3s_64 guests expect the L1 cache size in device tree, so let's give
them proper values for all CPU types we support.

This fixes a "not compliant" warning with sles11 guests on -M pseries for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agoppce500_spin: Initialize struct properly
Alexander Graf [Mon, 7 Apr 2014 14:48:42 +0000 (16:48 +0200)]
ppce500_spin: Initialize struct properly

The spinning struct is in guest endianness, so we need to initialize
its variables in guest endianness too.

This fixes booting e500 guests with SMP on x86 for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agoPPC: Only enter MSR_POW when no interrupts pending
Alexander Graf [Sun, 6 Apr 2014 20:40:47 +0000 (22:40 +0200)]
PPC: Only enter MSR_POW when no interrupts pending

We were entering the power saving state even when interrupts (like an
external interrupt or a decrementer interrupt) were still in flight.

In case we find a pending interrupt, don't enter power saving state.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Tom Musta <tmusta@gmail.com>
10 years agoPPC: Clean up DECR implementation
Alexander Graf [Sat, 5 Apr 2014 23:32:06 +0000 (01:32 +0200)]
PPC: Clean up DECR implementation

There are 3 different variants of the decrementor for BookE and BookS.

The BookE variant sets TSR[DIS] to 1 when the DEC value becomes 1 or 0. TSR[DIS]
is then the indicator whether the decrementor interrupt line is asserted or not.

The old BookS variant treats DEC as an edge interrupt that gets triggered when
the DEC value's top bit turns 1 from 0.

The new BookS variant maintains the assertion bit inside DEC itself. Whenever
the DEC value becomes negative (top bit set) the DEC interrupt line is asserted.

So far we implemented mostly the old BookS variant. Let's do them all properly.

This fixes booting pseries ppc64 guest images in TCG mode for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct VSX Integer to FP Conversion
Tom Musta [Mon, 31 Mar 2014 21:04:03 +0000 (16:04 -0500)]
target-ppc: Correct VSX Integer to FP Conversion

This patch corrects the VSX integer to floating point conversion instructions
by using the endian correct accessors.  The auxiliary "j" index used by the
existing macros is now obsolete and is removed.  The JOFFSET preprocessor
macro is also obsolete and removed.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct VSX FP to Integer Conversion
Tom Musta [Mon, 31 Mar 2014 21:04:02 +0000 (16:04 -0500)]
target-ppc: Correct VSX FP to Integer Conversion

This patch corrects the VSX floating point to integer conversion
instructions by using the endian correct accessors.  The auxiliary
"j" index used by the existing macros is now obsolete and is removed.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct VSX FP to FP Conversions
Tom Musta [Mon, 31 Mar 2014 21:04:01 +0000 (16:04 -0500)]
target-ppc: Correct VSX FP to FP Conversions

This change corrects the VSX double precision to single precision and
single precision to double precisions conversion routines.  The endian
correct accessors are now used.  The auxiliary "j" index is no longer
necessary and is eliminated.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct VSX Scalar Compares
Tom Musta [Mon, 31 Mar 2014 21:04:00 +0000 (16:04 -0500)]
target-ppc: Correct VSX Scalar Compares

This change fixes the VSX scalar compare instructions.  The existing usage of "x.f64[0]"
is changed to "x.VsrD(0)".

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct Simple VSR LE Host Inversions
Tom Musta [Mon, 31 Mar 2014 21:03:59 +0000 (16:03 -0500)]
target-ppc: Correct Simple VSR LE Host Inversions

A common pattern in the VSX helper code macros is the use of "x.fld[i]" where
"x" is a VSR and "fld" is an argument to a macro ("f64" or "f32" is passed).
This is not always correct on LE hosts.

This change addresses all instances of this pattern to be "x.fld" where "fld" is:

  - "VsrD(0)" for scalar instructions accessing 64-bit numbers
  - "VsrD(i)" for vector instructions accessing 64-bit numbers
  - "VsrW(i)" for vector instructions accessing 32-bit numbers

Note that there are no instances of this pattern where a scalar instruction
accesses a 32-bit number.

Note also that it would be correct to use "VsrD(i)" for scalar instructions since
the loop index is only ever "0".  I have choosen to use "VsrD(0)" instead ... it
seems a little clearer.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Correct LE Host Inversion of Lower VSRs
Tom Musta [Mon, 31 Mar 2014 21:03:58 +0000 (16:03 -0500)]
target-ppc: Correct LE Host Inversion of Lower VSRs

This change properly orders the doublewords of the VSRs 0-31.  Because these
registers are constructed from separate doublewords, they must be inverted
on Little Endian hosts.  The inversion is performed both when the VSR is read
and when it is written.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Define Endian-Correct Accessors for VSR Field Access
Tom Musta [Mon, 31 Mar 2014 21:03:57 +0000 (16:03 -0500)]
target-ppc: Define Endian-Correct Accessors for VSR Field Access

This change defines accessors for VSR doubleword and word fields that
are correct from a host Endian perspective.  This allows code to
use the Power ISA indexing numbers in code.

For example, the xscvdpsxws instruction has a target VSR that looks
like this:

  0           32       64                    127
  +-----------+--------+-----------+-----------+
  | undefined | SW     | undefined | undefined |
  +-----------+--------+-----------+-----------+

VSX helper code will use VsrW(1) to access this field.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agotarget-ppc: Bug: VSX Convert to Integer Should Truncate
Tom Musta [Mon, 31 Mar 2014 21:03:56 +0000 (16:03 -0500)]
target-ppc: Bug: VSX Convert to Integer Should Truncate

The various VSX Convert to Integer instructions should truncate the
floating point number to an integer value, which is equivalent to
a round-to-zero rounding mode.  The existing VSX floating point to
integer conversion helpers are erroneously using the rounding mode set
int the PowerPC Floating Point Status and Control Register (FPSCR).
This change corrects this defect by using the appropriate
float*_to_*_round_to_zero() routines fro the softfloat library.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agosoftfloat: Introduce float32_to_uint64_round_to_zero
Tom Musta [Mon, 31 Mar 2014 21:03:55 +0000 (16:03 -0500)]
softfloat: Introduce float32_to_uint64_round_to_zero

This change adds the float32_to_uint64_round_to_zero function to the softfloat
library.  This function fills out the complement of float32 to INT round-to-zero
conversion rountines, where INT is {int32_t, uint32_t, int64_t, uint64_t}.

This contribution can be licensed under either the softfloat-2a or -2b
license.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agopseries: Update SLOF firmware image to qemu-slof-20140404
Alexey Kardashevskiy [Fri, 4 Apr 2014 00:57:35 +0000 (11:57 +1100)]
pseries: Update SLOF firmware image to qemu-slof-20140404

The change log is:
  > Isolate sc 1 detection logic
  > build: auto-detect ppc64 architecture
  > cas: increase hcall buffer size to accomodate 256 cpus
  > usb: change device tree naming
  > usb-core: adjust port numbers in set_address
  > virtio-scsi: correct srplun comment
  > Fix kernel loading
  > Workaround to make grub2 assign server ip from dhcp ack packet only
  > ELF: Enter LE binary in LE mode
  > ELF loading should fail for virt != phys

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>
10 years agoPPC: E500: Set PIR default reset value rather than SPR value
Alexander Graf [Thu, 3 Apr 2014 18:45:27 +0000 (20:45 +0200)]
PPC: E500: Set PIR default reset value rather than SPR value

We now reset SPRs to their reset values on CPU reset. So if we want
to have an SPR persistently changed, we need to change its default
reset value rather than the value itself manually.

Do this for SPR_BOOKE_PIR, fixing e500v2 SMP boot.

Reported-by: Frederic Konrad <fred.konrad@greensocs.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Tested-by: KONRAD Frederic <fred.konrad@greensocs.com>
10 years agovss-win32: Fix build with mingw64-headers-3.1.0
Tomoki Sekiyama [Wed, 26 Mar 2014 18:28:51 +0000 (14:28 -0400)]
vss-win32: Fix build with mingw64-headers-3.1.0

In mingw64-headers-3.1.0, definition of _com_issue_error() is added, which
conflicts with definition in install.cpp. This adds version checking for
mingw headers to disable the definition when the headers>=3.1 is used.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
10 years agoMakefile: add qga-vss-dll-obj-y to nested variables
Tomoki Sekiyama [Wed, 26 Mar 2014 18:28:45 +0000 (14:28 -0400)]
Makefile: add qga-vss-dll-obj-y to nested variables

The build rule for qga/vss-win32/qga-vss.dll is broken by commit
ba1183da9a10b94611cad88c44a5c6df005f9b55, because it misses
qga-vss-dll-obj-y in the list of nested variables.
This fixes build of qga-vss.dll by adding qga-vss-dll-obj-y to the list.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
10 years agoMerge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-2.0' into staging
Peter Maydell [Mon, 7 Apr 2014 16:57:23 +0000 (17:57 +0100)]
Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-2.0' into staging

QOM/QTest infrastructure fixes

* Relicensing of FWPathProvider interface
* Clean up all targets' qtests

# gpg: Signature made Mon 07 Apr 2014 17:56:13 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-2.0:
  tests: Update check-clean rule
  fw-path-provider: Change GPL version to 2+

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agotests: Update check-clean rule
Andreas Färber [Mon, 7 Apr 2014 16:33:22 +0000 (18:33 +0200)]
tests: Update check-clean rule

Only i386, x86_64, sparc and sparc64 qtests were cleaned up.
Make this more generic to not miss any newly tested targets.

Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>
10 years agoMakefile: remove bashism
Michael Tokarev [Sat, 5 Apr 2014 14:25:46 +0000 (18:25 +0400)]
Makefile: remove bashism

When installing modules (when --enable-modules is specified for
./configure), Makefile uses the following construct to replace all
slashes with dashes in module name:

 ${s//\//-}

This is a bash-specific substitution mechanism.  POSIX does not
have it, and some operating systems (for example Debian) does not
implement this construct in default shell (for example dash).

Use more traditional way to perform the substitution: use `tr' tool.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 1396707946-21351-1-git-send-email-mjt@msgid.tls.msk.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agochar/serial: Fix emptyness handling
Don Slutz [Tue, 18 Mar 2014 16:29:34 +0000 (12:29 -0400)]
char/serial: Fix emptyness handling

The commit 88c1ee73d3231c74ff90bcfc084a7589670ec244
char/serial: Fix emptyness check

Still causes extra NULL byte(s) to be sent.

So if the fifo is empty, do not send an extra NULL byte.

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Don Slutz <dslutz@verizon.com>
Message-id: 1395160174-16006-1-git-send-email-dslutz@verizon.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agofw-path-provider: Change GPL version to 2+
Alexey Kardashevskiy [Wed, 26 Mar 2014 14:13:02 +0000 (01:13 +1100)]
fw-path-provider: Change GPL version to 2+

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
10 years agoMerge remote-tracking branch 'remotes/spice/tags/pull-spice-6' into staging
Peter Maydell [Mon, 7 Apr 2014 11:48:34 +0000 (12:48 +0100)]
Merge remote-tracking branch 'remotes/spice/tags/pull-spice-6' into staging

spice: monitors_config: check pointer before dereferencing

# gpg: Signature made Mon 07 Apr 2014 11:19:19 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/spice/tags/pull-spice-6:
  spice: monitors_config: check pointer before dereferencing

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-4' into staging
Peter Maydell [Mon, 7 Apr 2014 11:27:10 +0000 (12:27 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-4' into staging

gtk: pointer fixes from Takashi Iwai.

# gpg: Signature made Mon 07 Apr 2014 09:51:52 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-4:
  ui: Update MAINTAINERS entry.
  gtk: Remember the last grabbed pointer position
  gtk: Fix the relative pointer tracking mode
  gtk: Use gtk generic event signal instead of motion-notify-event

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agospice: monitors_config: check pointer before dereferencing
Gerd Hoffmann [Mon, 7 Apr 2014 10:15:44 +0000 (12:15 +0200)]
spice: monitors_config: check pointer before dereferencing

Reported-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agoui: Update MAINTAINERS entry.
Gerd Hoffmann [Mon, 7 Apr 2014 08:42:03 +0000 (10:42 +0200)]
ui: Update MAINTAINERS entry.

With Amazon eating Anthonys time status "Maintained" certainly isn't
true any more.  Update entry accordingly.

Also add myself, so scripts/get_maintainer.pl will Cc: me, to reduce
the chance ui patches fall through the cracks on our pretty loaded
qemu-devel mailing list.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agogtk: Remember the last grabbed pointer position
Takashi Iwai [Fri, 4 Apr 2014 10:41:23 +0000 (12:41 +0200)]
gtk: Remember the last grabbed pointer position

It's pretty annoying that the pointer reappears at a random place once
after grabbing and ungrabbing the input.  Better to restore to the
original position where the pointer was grabbed.

Reference: https://bugzilla.novell.com/show_bug.cgi?id=849587
Tested-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agogtk: Fix the relative pointer tracking mode
Takashi Iwai [Fri, 4 Apr 2014 10:41:22 +0000 (12:41 +0200)]
gtk: Fix the relative pointer tracking mode

The relative pointer tracking mode was still buggy even after the
previous fix of the motion-notify-event since the events are filtered
out when the pointer moves outside the drawing window due to the
boundary check for the absolute mode.

This patch fixes the issue by moving the unnecessary boundary check
into the if block of absolute mode, and keep the coordinate in the
relative mode even if it's outside the drawing area.  But this makes
the coordinate (last_x, last_y) possibly pointing to (-1,-1),
introduce a new flag to indicate the last coordinate has been
updated.

Reference: https://bugzilla.novell.com/show_bug.cgi?id=849587
Tested-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agogtk: Use gtk generic event signal instead of motion-notify-event
Takashi Iwai [Fri, 4 Apr 2014 10:41:21 +0000 (12:41 +0200)]
gtk: Use gtk generic event signal instead of motion-notify-event

The GDK motion-notify-event isn't generated when the pointer goes out
of the target window even if the pointer is grabbed, which essentially
means to lose the pointer tracking in gtk-ui.

Meanwhile the generic "event" signal is sent when the pointer is
grabbed, so we can use this and pick the motion notify events manually
there instead.

Reference: https://bugzilla.novell.com/show_bug.cgi?id=849587
Tested-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 years agotarget-i386: reorder fields in cpu/msr_hyperv_hypercall subsection
Paolo Bonzini [Wed, 2 Apr 2014 15:33:02 +0000 (17:33 +0200)]
target-i386: reorder fields in cpu/msr_hyperv_hypercall subsection

The subsection already exists in one well-known enterprise Linux
distribution, but for some strange reason the fields were swapped
when forward-porting the patch to upstream.

Limit headaches for said enterprise Linux distributor when the
time will come to rebase their version of QEMU.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1396452782-21473-1-git-send-email-pbonzini@redhat.com
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Fri, 4 Apr 2014 23:18:19 +0000 (00:18 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.0.0

# gpg: Signature made Fri 04 Apr 2014 20:25:08 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  dataplane: replace iothread object_add() with embedded instance
  iothread: make IOThread struct definition public
  dma-helpers: Initialize DMAAIOCB in_cancel flag
  block: Check bdrv_getlength() return value in bdrv_append_temp_snapshot()
  block: Fix snapshot=on for protocol parsed from filename
  qemu-iotests: Remove CR line endings in reference output
  block: Don't parse 'filename' option
  qcow2: Put cache reference in error case
  qcow2: Flush metadata during read-only reopen
  iscsi: Don't set error if already set in iscsi_do_inquiry

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agodataplane: replace iothread object_add() with embedded instance
Stefan Hajnoczi [Thu, 20 Mar 2014 14:06:32 +0000 (15:06 +0100)]
dataplane: replace iothread object_add() with embedded instance

Before IOThread was its own object, each virtio-blk device would create
its own internal thread.  We need to preserve this behavior for
backwards compatibility when users do not specify -device
virtio-blk-pci,iothread=<id>.

This patch changes how the internal IOThread object is created.
Previously we used the monitor object_add() function, which is really a
layering violation.  The problem is that this needs to assign a name but
we don't have a name for this internal object.

Generating names for internal objects is a pain but even worse is that
they may collide with user-defined names.

Paolo Bonzini <pbonzini@redhat.com> suggested that the internal IOThread
object should not be named.  This way the conflict cannot happen and we
no longer need object_add().

One gotcha is that internal IOThread objects will not be listed by the
query-iothreads command since they are not named.  This is okay though
because query-iothreads is new and the internal IOThread is just for
backwards compatibility.  New users should explicitly define IOThread
objects.

Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agoiothread: make IOThread struct definition public
Stefan Hajnoczi [Thu, 20 Mar 2014 14:06:31 +0000 (15:06 +0100)]
iothread: make IOThread struct definition public

Make the IOThread struct definition public so objects can be embedded in
parent structs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agodma-helpers: Initialize DMAAIOCB in_cancel flag
Peter Maydell [Fri, 28 Mar 2014 14:22:49 +0000 (14:22 +0000)]
dma-helpers: Initialize DMAAIOCB in_cancel flag

Initialize the dbs->in_cancel flag in dma_bdrv_io(), since qemu_aio_get()
does not return zero-initialized memory. Spotted by the clang sanitizer
(which complained when the value loaded in dma_complete() was not valid
for a bool type); this might have resulted in leaking the AIO block.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agoblock: Check bdrv_getlength() return value in bdrv_append_temp_snapshot()
Kevin Wolf [Fri, 4 Apr 2014 15:07:19 +0000 (17:07 +0200)]
block: Check bdrv_getlength() return value in bdrv_append_temp_snapshot()

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
10 years agoblock: Fix snapshot=on for protocol parsed from filename
Kevin Wolf [Thu, 3 Apr 2014 10:09:34 +0000 (12:09 +0200)]
block: Fix snapshot=on for protocol parsed from filename

Since commit 9fd3171a, BDRV_O_SNAPSHOT uses an option QDict to specify
the originally requested image as the backing file of the newly created
temporary snapshot. This means that the filename is stored in
"file.filename", which is an option that is not parsed for protocol
names. Therefore things like -drive file=nbd:localhost:10809 were
broken because it looked for a local file with the literal name
'nbd:localhost:10809'.

This patch changes the way BDRV_O_SNAPSHOT works once again. We now open
the originally requested image as normal, and then do a similar
operation as for live snapshots to put the temporary snapshot on top.
This way, both driver specific options and parsed filenames work.

As a nice side effect, this results in code movement to factor
bdrv_append_temp_snapshot() out. This is a good preparation for moving
its call to drive_init() and friends eventually.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
10 years agocpu-exec: Unlock tb_lock if we longjmp out of code generation
Peter Maydell [Fri, 4 Apr 2014 16:42:56 +0000 (17:42 +0100)]
cpu-exec: Unlock tb_lock if we longjmp out of code generation

If the guest attempts to execute from unreadable memory, this will
cause us to longjmp back to the main loop from inside the
target frontend decoder. For linux-user mode, this means we will
still hold the tb_ctx.tb_lock, and will deadlock when we try to
start executing code again. Unlock the lock in the return-from-longjmp
code path to avoid this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Andrei Warkentin <andrey.warkentin@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
10 years agopage_check_range: don't bail out early after unprotecting page
Andrei Warkentin [Fri, 4 Apr 2014 16:42:55 +0000 (17:42 +0100)]
page_check_range: don't bail out early after unprotecting page

When checking a page range, if we found that a page was
made read-only by QEMU because it contained translated code,
we were incorrectly returning immediately after unprotecting
that page, rather than continuing to check the entire range,
so we might fail to unprotect pages later in the range, or
might incorrectly return a "success" result even if later
pages were not writable.

In particular, this could cause segfaults in a case where
signals are delivered back to back on a target architecture
which uses trampoline code in the stack frame (as AArch64
currently does). The second signal causes a segfault because
the frame cannot be written to (it was protected because
we translated and executed the restorer trampoline, and the
unprotect logic did not unprotect the whole range).

Signed-off-by: Andrei Warkentin <andrey.warkentin@gmail.com
[PMM: expanded commit message a bit]
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agohw/arm/vexpress, hw/arm/highbank: Don't insist that CPU has reset-cbar property
Peter Maydell [Fri, 4 Apr 2014 16:42:34 +0000 (17:42 +0100)]
hw/arm/vexpress, hw/arm/highbank: Don't insist that CPU has reset-cbar property

For the machine models which can have a Cortex-A15 CPU (vexpress-a15 and
midway), silently continue if the CPU object has no reset-cbar property
rather than failing. This allows these boards to be used under KVM with
the "-cpu host" option, since the 'host' CPU object has no reset-cbar
property.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Rob Herring <rob.herring@linaro.org>
10 years agohw/arm/highbank: Don't segfault on unknown CPU names
Peter Maydell [Fri, 4 Apr 2014 16:42:33 +0000 (17:42 +0100)]
hw/arm/highbank: Don't segfault on unknown CPU names

If the user passes an unknown CPU name via the '-cpu' option, exit
with an error message rather than segfaulting.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Rob Herring <rob.herring@linaro.org>
10 years agoqemu-iotests: Remove CR line endings in reference output
Kevin Wolf [Thu, 3 Apr 2014 10:48:38 +0000 (12:48 +0200)]
qemu-iotests: Remove CR line endings in reference output

qemu doesn't print these CRs any more. The test still didn't fail
because the output comparison ignores line endings, but the change turns
up each time when you want to update the output.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
10 years agoblock: Don't parse 'filename' option
Kevin Wolf [Thu, 3 Apr 2014 10:45:51 +0000 (12:45 +0200)]
block: Don't parse 'filename' option

When using the QDict option 'filename', it is supposed to be interpreted
literally. The code did correctly avoid guessing the protocol from any
string before the first colon, but it still called bdrv_parse_filename()
which would, for example, incorrectly remove a 'file:' prefix in the
raw-posix driver.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
10 years agoqcow2: Put cache reference in error case
Kevin Wolf [Sat, 8 Feb 2014 16:44:59 +0000 (17:44 +0100)]
qcow2: Put cache reference in error case

When qcow2_get_cluster_offset() sees a zero cluster in a version 2
image, it (rightfully) returns an error. But in doing so it shouldn't
leak an L2 table cache reference.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
10 years agoqcow2: Flush metadata during read-only reopen
Kevin Wolf [Thu, 3 Apr 2014 11:47:50 +0000 (13:47 +0200)]
qcow2: Flush metadata during read-only reopen

If lazy refcounts are enabled for a backing file, committing to this
backing file may leave it in a dirty state even if the commit succeeds.
The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush
refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare()
doesn't take care to flush metadata.

In order to fix this, this patch also fixes qcow2_mark_clean(), which
contains another ineffective bdrv_flush() call beause lazy refcounts are
disabled only afterwards. All existing callers of qcow2_mark_clean()
either don't modify refcounts or already flush manually, so that this
fixes only a latent, but not yet actually triggerable bug.

Another instance of the same problem is live snapshots. Again, a real
corruption is prevented by an explicit flush for non-read-only images in
external_snapshot_prepare(), but images using lazy refcounts stay dirty.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoiscsi: Don't set error if already set in iscsi_do_inquiry
Fam Zheng [Fri, 4 Apr 2014 11:53:29 +0000 (19:53 +0800)]
iscsi: Don't set error if already set in iscsi_do_inquiry

This eliminates the possible assertion failure in error_setg().

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
10 years agoUpdate version for v2.0.0-rc1 release
Peter Maydell [Thu, 3 Apr 2014 14:51:01 +0000 (15:51 +0100)]
Update version for v2.0.0-rc1 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/riku/for-2.0' into staging
Peter Maydell [Thu, 3 Apr 2014 13:31:20 +0000 (14:31 +0100)]
Merge remote-tracking branch 'remotes/riku/for-2.0' into staging

* remotes/riku/for-2.0:
  linux-user: pass correct host flags to accept4()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agobswap: Fix build on FreeBSD 10.0
Andreas Färber [Wed, 2 Apr 2014 14:06:38 +0000 (16:06 +0200)]
bswap: Fix build on FreeBSD 10.0

FreeBSD 10.0-RELEASE has bswap16() etc. macros defined in sys/endian.h,
which leads to a conflict with our static inline definitions.

Force using the system version of the macros.

Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Tested-by: Ed Maste <emaste@freebsd.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoPPC: openpic_kvm: Filter memory events properly
Alexander Graf [Wed, 2 Apr 2014 09:41:58 +0000 (11:41 +0200)]
PPC: openpic_kvm: Filter memory events properly

Commit 6f1834a2b exposed a bug in openpic_kvm where we don't filter
for memory events that only happen to the region we want to know
events about.

Add proper filtering, fixing the e500plat target with KVM.

Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1396431718-14908-1-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/bonzini/scsi-next' into staging
Peter Maydell [Thu, 3 Apr 2014 11:24:35 +0000 (12:24 +0100)]
Merge remote-tracking branch 'remotes/bonzini/scsi-next' into staging

* remotes/bonzini/scsi-next:
  iscsi: always query max WRITE SAME length
  iscsi: ignore flushes on scsi-generic devices
  iscsi: recognize "invalid field" ASCQ from WRITE SAME command
  scsi-bus: remove bogus assertion

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMAINTAINERS: Update Peter Crosthwaite's email
Peter Crosthwaite [Thu, 3 Apr 2014 06:31:11 +0000 (23:31 -0700)]
MAINTAINERS: Update Peter Crosthwaite's email

Change over to my proper Xilinx email. s/petalogix.com/xilinx.com.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: cdff0c388c70df06217c467dcfb89267b7911feb.1396506607.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoiscsi: always query max WRITE SAME length
Paolo Bonzini [Wed, 2 Apr 2014 13:30:29 +0000 (15:30 +0200)]
iscsi: always query max WRITE SAME length

Max WRITE SAME length is also used when the UNMAP bit is zero, so it
should be queried even if LBPWS=0.  Same for the optimal transfer
length.

However, the write_zeroes_alignment only matters for UNMAP=1 so we
still restrict it to LBPWS=1.

Reviewed-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 years agoiscsi: ignore flushes on scsi-generic devices
Paolo Bonzini [Wed, 2 Apr 2014 13:04:41 +0000 (15:04 +0200)]
iscsi: ignore flushes on scsi-generic devices

Non-block SCSI devices do not support flushing, but we may still send
them requests via bdrv_flush_all.  Just ignore them.

Reviewed-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 years agoiscsi: recognize "invalid field" ASCQ from WRITE SAME command
Paolo Bonzini [Wed, 2 Apr 2014 10:12:50 +0000 (12:12 +0200)]
iscsi: recognize "invalid field" ASCQ from WRITE SAME command

Some targets may return "invalid field" as the ASCQ from WRITE SAME
if they support the command only without the UNMAP field.  Recognize
that, and return ENOTSUP just like for "invalid operation code".

Reviewed-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 years agoscsi-bus: remove bogus assertion
Paolo Bonzini [Wed, 2 Apr 2014 11:24:23 +0000 (13:24 +0200)]
scsi-bus: remove bogus assertion

This assertion is invalid, because get_sg_list can return an
empty sg-list even for commands that transfer no data (such
as SYNCHRONIZE CACHE).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 years agoMerge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging
Peter Maydell [Tue, 1 Apr 2014 19:45:42 +0000 (20:45 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

Tracing pull request

# gpg: Signature made Tue 01 Apr 2014 19:08:48 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/tracing-pull-request:
  trace: add workaround for SystemTap PR13296

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agotrace: add workaround for SystemTap PR13296
Frank Ch. Eigler [Tue, 25 Mar 2014 12:08:30 +0000 (13:08 +0100)]
trace: add workaround for SystemTap PR13296

SystemTap sdt.h sometimes results in compiled probes without sufficient
information to extract arguments.  This can be solved in a slightly
hacky way by encouraging the compiler to place arguments into registers.

This patch fixes the apic_reset_irq_delivered() trace event on Fedora 20
with gcc-4.8.2-7.fc20 and systemtap-sdt-devel-2.4-2.fc20 on x86_64.

Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoMerge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Peter Maydell [Tue, 1 Apr 2014 17:23:28 +0000 (18:23 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

Block pull request

# gpg: Signature made Tue 01 Apr 2014 18:11:16 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request: (51 commits)
  qcow2: link all L2 meta updates in preallocate()
  parallels: Sanity check for s->tracks (CVE-2014-0142)
  parallels: Fix catalog size integer overflow (CVE-2014-0143)
  qcow2: Limit snapshot table size
  qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
  qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
  qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
  qcow2: Fix copy_sectors() with VM state
  block: Limit request size (CVE-2014-0143)
  block: vdi bounds check qemu-io tests
  dmg: prevent chunk buffer overflow (CVE-2014-0145)
  dmg: use uint64_t consistently for sectors and lengths
  dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
  dmg: use appropriate types when reading chunks
  dmg: drop broken bdrv_pread() loop
  dmg: prevent out-of-bounds array access on terminator
  dmg: coding style and indentation cleanup
  qcow2: Fix new L1 table size check (CVE-2014-0143)
  qcow2: Protect against some integer overflows in bdrv_check
  qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-input-7' into staging
Peter Maydell [Tue, 1 Apr 2014 15:58:04 +0000 (16:58 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-7' into staging

input bugfixes for 2.0

# gpg: Signature made Tue 01 Apr 2014 10:16:43 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-input-7:
  input: add sanity check
  input: mouse_set should check input device type.
  input: fix input_event_key_number trace event

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 years agoqcow2: link all L2 meta updates in preallocate()
Stefan Hajnoczi [Tue, 1 Apr 2014 09:12:57 +0000 (11:12 +0200)]
qcow2: link all L2 meta updates in preallocate()

preallocate() only links the first QCowL2Meta's data clusters into the
L2 table and ignores any chained QCowL2Metas in the linked list.

Chains of QCowL2Meta structs are built up when contiguous clusters span
L2 tables.  Each QCowL2Meta describes one L2 table update.  This is a
rare case in preallocate() but can happen.

This patch fixes preallocate() by iterating over the whole list of
QCowL2Metas.  Compare with the qcow2_co_writev() function's
implementation, which is similar but also also handles request
dependencies.  preallocate() only performs one allocation at a time so
there can be no dependencies.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoparallels: Sanity check for s->tracks (CVE-2014-0142)
Kevin Wolf [Wed, 26 Mar 2014 12:06:09 +0000 (13:06 +0100)]
parallels: Sanity check for s->tracks (CVE-2014-0142)

This avoids a possible division by zero.

Convert s->tracks to unsigned as well because it feels better than
surviving just because the results of calculations with s->tracks are
converted to unsigned anyway.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoparallels: Fix catalog size integer overflow (CVE-2014-0143)
Kevin Wolf [Wed, 26 Mar 2014 12:06:08 +0000 (13:06 +0100)]
parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianess conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using an hexeditor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Limit snapshot table size
Kevin Wolf [Wed, 26 Mar 2014 12:06:07 +0000 (13:06 +0100)]
qcow2: Limit snapshot table size

Even with a limit of 64k snapshots, each snapshot could have a filename
and an ID with up to 64k, which would still lead to pretty large
allocations, which could potentially lead to qemu aborting. Limit the
total size of the snapshot table to an average of 1k per entry when
the limit of 64k snapshots is fully used. This should be plenty for any
reasonable user.

This also fixes potential integer overflows of s->snapshot_size.

Suggested-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
Kevin Wolf [Wed, 26 Mar 2014 12:06:06 +0000 (13:06 +0100)]
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
Kevin Wolf [Wed, 26 Mar 2014 12:06:05 +0000 (13:06 +0100)]
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)

For the L1 table to loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
Kevin Wolf [Wed, 26 Mar 2014 12:06:04 +0000 (13:06 +0100)]
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)

The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occuring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Fix copy_sectors() with VM state
Kevin Wolf [Wed, 26 Mar 2014 12:06:03 +0000 (13:06 +0100)]
qcow2: Fix copy_sectors() with VM state

bs->total_sectors is not the highest possible sector number that could
be involved in a copy on write operation: VM state is after the end of
the virtual disk. This resulted in wrong values for the number of
sectors to be copied (n).

The code that checks for the end of the image isn't required any more
because the code hasn't been calling the block layer's bdrv_read() for a
long time; instead, it directly calls qcow2_readv(), which doesn't error
out on VM state sector numbers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoblock: Limit request size (CVE-2014-0143)
Kevin Wolf [Wed, 26 Mar 2014 12:06:02 +0000 (13:06 +0100)]
block: Limit request size (CVE-2014-0143)

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoblock: vdi bounds check qemu-io tests
Jeff Cody [Fri, 28 Mar 2014 15:42:25 +0000 (11:42 -0400)]
block: vdi bounds check qemu-io tests

This test checks for proper bounds checking of some VDI input
headers.  The following is checked:

1. Max image size (1024TB) with the appropriate Blocks In Image
   value (0x3fffffff) is detected as valid.

2. Image size exceeding max (1024TB) is seen as invalid

3. Valid image size but with Blocks In Image value that is too
   small fails

4. Blocks In Image size exceeding max (0x3fffffff) is seen as invalid

5. 64MB image, with 64 Blocks In Image, and 1MB Block Size is seen
   as valid

6. Block Size < 1MB not supported

7. Block Size > 1MB not supported

[Max Reitz <mreitz@redhat.com> pointed out that "1MB + 1" in the test
case is wrong.  Change to "1MB + 64KB" to match the 0x110000 value.
--Stefan]

Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: prevent chunk buffer overflow (CVE-2014-0145)
Stefan Hajnoczi [Wed, 26 Mar 2014 12:06:00 +0000 (13:06 +0100)]
dmg: prevent chunk buffer overflow (CVE-2014-0145)

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

  switch (s->types[chunk]) {
  case 1: /* copy */
      ret = bdrv_pread(bs->file, s->offsets[chunk],
                       s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: use uint64_t consistently for sectors and lengths
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:59 +0000 (13:05 +0100)]
dmg: use uint64_t consistently for sectors and lengths

The DMG metadata is stored as uint64_t, so use the same type for
sector_num.  int was a particularly poor choice since it is only 32-bit
and would truncate large values.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: sanitize chunk length and sectorcount (CVE-2014-0145)
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:58 +0000 (13:05 +0100)]
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)

Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument.  Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: use appropriate types when reading chunks
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:57 +0000 (13:05 +0100)]
dmg: use appropriate types when reading chunks

Use the right types instead of signed int:

  size_t new_size;

  This is a byte count for g_realloc() that is calculated from uint32_t
  and size_t values.

  uint32_t chunk_count;

  Use the same type as s->n_chunks, which is used together with
  chunk_count.

This patch is a cleanup and does not fix bugs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: drop broken bdrv_pread() loop
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:56 +0000 (13:05 +0100)]
dmg: drop broken bdrv_pread() loop

It is not necessary to check errno for EINTR and the block layer does
not produce short reads.  Therefore we can drop the loop that attempts
to read a compressed chunk.

The loop is buggy because it incorrectly adds the transferred bytes
twice:

  do {
      ret = bdrv_pread(...);
      i += ret;
  } while (ret >= 0 && ret + i < s->lengths[chunk]);

Luckily we can drop the loop completely and perform a single
bdrv_pread().

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: prevent out-of-bounds array access on terminator
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:55 +0000 (13:05 +0100)]
dmg: prevent out-of-bounds array access on terminator

When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.

If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses.  Don't do
that.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agodmg: coding style and indentation cleanup
Stefan Hajnoczi [Wed, 26 Mar 2014 12:05:54 +0000 (13:05 +0100)]
dmg: coding style and indentation cleanup

Clean up the mix of tabs and spaces, as well as the coding style
violations in block/dmg.c.  There are no semantic changes since this
patch simply reformats the code.

This patch is necessary before we can make meaningful changes to this
file, due to the inconsistent formatting and confusing indentation.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Fix new L1 table size check (CVE-2014-0143)
Kevin Wolf [Wed, 26 Mar 2014 12:05:53 +0000 (13:05 +0100)]
qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Protect against some integer overflows in bdrv_check
Kevin Wolf [Wed, 26 Mar 2014 12:05:52 +0000 (13:05 +0100)]
qcow2: Protect against some integer overflows in bdrv_check

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
10 years agoqcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
Kevin Wolf [Wed, 26 Mar 2014 12:05:51 +0000 (13:05 +0100)]
qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref

In order to avoid integer overflows.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>