Commit Graph

11431 Commits

Author SHA1 Message Date
Michael S. Tsirkin
a890a2f913 virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
98f93ddd84 virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael Roth
73d963c0a7 openpic: avoid buffer overrun on incoming migration
CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
a9c380db3b ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
9f8e9895c5 usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
3476436a44 vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Michael S. Tsirkin
3c3ce98142 virtio-scsi: fix buffer overrun on invalid state load
CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
52f91c3723 zaurus: fix buffer overrun on invalid state load
CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
5193be3be3 tsc210x: fix buffer overrun on invalid state load
CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
ead7a57df3 ssd0323: fix buffer overun on invalid state load
CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
caa881abe0 pxa2xx: avoid buffer overrun on incoming migration
CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
36cf2a3713 virtio: validate num_sg when mapping
CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael Roth
4b53c2c72c virtio: avoid buffer overrun on incoming migration
CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
d8d0a0bc7e pl022: fix buffer overun on invalid state load
CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
5f691ff91d hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
3f1c49e213 hpet: fix buffer overrun on invalid state load
CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
ae2158ad6c ahci: fix buffer overrun on invalid state load
CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
cc45995294 virtio: out-of-bounds buffer write on invalid state load
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
eea750a562 virtio-net: out-of-bounds buffer write on invalid state load
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Peter Maydell
fdaad4715a target-arm queue:
* implement XScale cache lockdown cp15 ops
  * fix v7M CPUID base register
  * implement WFE and YIELD as yields for A64
  * fix A64 "BLR LR"
  * support Cortex-A57 in virt machine model
  * a few other minor AArch64 bugfixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABCAAGBQJTYl1JAAoJEDwlJe0UNgzeAZUP/1OP9OWKdNcBmfyc+rrpCzOn
 49m6FSYOw2jtUf1YYItr38tDIq0rFCLB3DYPUD7hWtll8tFUyE4TD3XsTr0nJ7Jq
 io12W8Gfuua6K57xmLMaLyrP8hu0gHtnZFEgi9vVz+ASXtqw6SUpFuOr7TFjfP2U
 qZfELHoWFCek7OnqaR+wn5qKRr+zqEAYr7FlnR2dT3GKT72JEuDGQUZlk2m5oOBb
 mChrc+SvQBJUXTk+HPNrXdA8i+FOmIfmNXN1lHaGatBjLQoGULb2TEBZU4Zvyg1z
 74vermgX9EaqZ7lFI4+gQT4+4wclnX4xP2K/+2b2iBZziLUFhc7Odp0jHw1gh5lY
 /zADi3+FuB7JJEQztjwD0Q30vZSqIu2PH6wvH3Axnl9va3tYHHGtj267X3MN+KIy
 KJqQS+0KG/UNzOCkY3bgjXIsmDhWJAZAa0HhL5eze7kznH17iGkej0GT1xVHWf54
 9GZydWgtaXaLk/ob9Js/3gLcQ7yEFZBtaVsRHBavrurSeTCV4MS00Xcn+YhTSpRS
 h6i37hDWpH8GyeqjVmbUaHY+Zxgy01QGXgvP5KwX6g+ulhYGIO+taqTJ+6EWoCSS
 aTNHsCwYQy1pMm3YtjQd1UC8WQJAKpfDFT8imxjXnU5QGSnqlgYDVSgUlyg4iSY2
 s0KRAvT26KV0HJ4FqaZ0
 =F2C9
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140501' into staging

target-arm queue:
 * implement XScale cache lockdown cp15 ops
 * fix v7M CPUID base register
 * implement WFE and YIELD as yields for A64
 * fix A64 "BLR LR"
 * support Cortex-A57 in virt machine model
 * a few other minor AArch64 bugfixes

# gpg: Signature made Thu 01 May 2014 15:42:17 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20140501:
  hw/arm/virt: Add support for Cortex-A57
  hw/arm/virt: Put GIC register banks on 64K boundaries
  hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
  target-arm: Correct a comment refering to EL0
  target-arm: A64: Fix a typo when declaring TLBI ops
  target-arm: A64: Handle blr lr
  target-arm: Make vbar_write 64bit friendly on 32bit hosts
  target-arm: implement WFE/YIELD as a yield for AArch64
  armv7m_nvic: fix CPUID Base Register
  target-arm: Implement XScale cache lockdown operations as NOPs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-02 11:32:00 +01:00
Peter Maydell
c090c10dc4 Add helpers for enabling kvm capabilities and convert the existing
s390x and ppc users to use them.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJTYP89AAoJEN7Pa5PG8C+vUfMQAKK+UnRTpwWXfZNk1XqdV5Mh
 enVYA0tAICNLAXDeZy3mWjj5Es2xgNxvAQ1QHAXzaVZqRB6KXwYgko2uadWedHon
 lZWvuWQfYWiKVQug7AU0+/mlZvSgBJEs4gw6l9Z5Ik0q/7y/8jXjlEqZ9WaaQ+Kg
 D3JRRqghalmDSmVlhFjNkRSxBO3CjZkeyVs4rCZH97blLaioMkrz/u02wvt15sX5
 RX+25bvq9wgjT1NAuYYKfEBtikE7fb8AR1Et3GMEWDYqrgPfMDJft3/L0gMDvDQk
 qO1BWwXy76PEgxl56fDURZhDfRFsWDLv8j3NaZ+Gu8EkLvOgNNlFHKuEshIIqRII
 XC48jAiXJlSPo/Nk4DSsN32phLCSAcniwGov0X8R2Q5PxKGL2RNaOGpx/veBj34p
 4TVOqEYaC6flYOTSPikFpaEe4C5E6CzFzkaaYJ8yKDaOG0kqkYkxMlbwG+cIUwjK
 fr5AgwjZS4FpgrsNU1p2/b8rqYB9QYu6PMb8mGOF1zCjvbN4tQwInJO8uri8i78Y
 +mPZ9nNCcjEmxjwaGIy9PYqZFgkPSe40t7793osP9NJTCp9RHaQTZ2AWNjontsO9
 8Pjnqq6WCtcigZKjqSI3Oak61rcCxRqOd2LcLNaWSvvonokl3QtH6yXwxK6ekVfM
 Eqy1m+/HnpEtZ4ZWVelI
 =4kuj
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck/tags/kvm_cap_helpers' into staging

Add helpers for enabling kvm capabilities and convert the existing
s390x and ppc users to use them.

# gpg: Signature made Wed 30 Apr 2014 14:48:45 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/kvm_cap_helpers:
  ppc: use kvm_vcpu_enable_cap()
  s390x: use kvm_vcpu_enable_cap()
  kvm: add kvm_{vm,vcpu}_enable_cap

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 17:32:25 +01:00
Peter Maydell
87f6ede9bb vga: add secondary stdvga variant
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTXhtQAAoJEEy22O7T6HE46UAQAJF1fXDHXSUDDU5XoW6vwmfN
 L6Eb85CxIv2iUrY4uX4VceBl2pLYW4hd2ElcihN7Hdk7/j4XeiytTKndYwOym9V6
 roowKf3urYk6vHxGCEQX1ME2VFt2FfpqmqUePdXjeFc4zdVxHHH7zD67doOTU2tx
 xOyhP/H8NvxUWyFhlFgTNiHMP4c9nG4lDEzvYubxVGWBWr1C5qNGqvc3o6wnT3bc
 Tr6JyANLIrxX4VIZFxif/ncnP3VAZeQLWpnsnj48liql0j7B1UdvXSllR9jKbSn8
 r3O9EHSgLpZGnqBx9OesjXO1CEVfpix3VkSax0ylbrWv2IgX5hzLwitd7g68Y2j2
 eVSfYLmWkD9taRkze2wtTwF3mAgPGDbRrg3GW5edeRLuFzzPTEHNl9Xx4AsaUWdk
 ioB1AuYKsWgFBd0IBT6aT21/2Eh3c6d8d8ziU4cZSh1IJ5JllzhuF07k0bH4KM82
 1Kl2fN5De8x3QS5fZPCOTHiJSyHZvAQZr5KTqi/bASYI1jY0dnoKa0+Eq4w67LJY
 yGhomZmIUI9s5dy5KuARmQpuXQwXsE8J77+8fNLNIsCb1kZbUG2ONE0VBTTooWuE
 eDy+pp0FfjV064UbtnFNIzTVkgaWfYUlM6G4Mae9GZaakn8w/J0Bnl+SbIkRnuPJ
 1N/W/OeJ2m0h3qegYShb
 =iuHp
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-2' into staging

vga: add secondary stdvga variant

# gpg: Signature made Mon 28 Apr 2014 10:11:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-2:
  add secondary-vga to display-vga test
  add display-vga test
  vga: add secondary stdvga variant
  vga: allow non-global vmstate

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 16:02:45 +01:00
Peter Maydell
f42c5c8ec8 hw/arm/virt: Add support for Cortex-A57
Support the Cortex-A57 in the virt machine model.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-4-git-send-email-peter.maydell@linaro.org
2014-05-01 15:25:52 +01:00
Peter Maydell
3078e848fa hw/arm/virt: Put GIC register banks on 64K boundaries
For an AArch64 CPU which supports 64K pages, having the GIC
register banks at 4K offsets is potentially awkward. Move
them out to being at 64K offsets. (This is harmless for
AArch32 CPUs and for AArch64 CPUs with 4K pages, so it is simpler
to use the same offsets everywhere than to try to use 64K offsets
only for AArch64 host CPUs.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-3-git-send-email-peter.maydell@linaro.org
2014-05-01 15:25:52 +01:00
Peter Maydell
6420474384 hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
Rather than having the virt machine model create an a15mpcore_priv
device regardless of the actual CPU type in order to instantiate the GIC,
move to having the machine model create the GIC directly. This
corresponds to a system which uses a standalone GIC (eg the GIC-400)
rather than the one built in to the CPU core.

The primary motivation for this is to support the Cortex-A57,
which for a KVM configuration will use a GICv2, which is not
built into the CPU.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-2-git-send-email-peter.maydell@linaro.org
2014-05-01 15:24:46 +01:00
Rabin Vincent
e3da9921eb armv7m_nvic: fix CPUID Base Register
cp15.c0_cpuid is never initialized for ARMv7-M; take the value directly
from cpu->midr instead.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Message-id: 1398036308-32166-1-git-send-email-rabin@rab.in
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:44 +01:00
Cornelia Huck
48add816cf ppc: use kvm_vcpu_enable_cap()
Convert existing users of KVM_ENABLE_CAP to new helper.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-04-30 14:39:58 +02:00
Gerd Hoffmann
4843877e5d hda-audio: fix non-mixer codecs
They don't advertise mixer support, but still allow the guest change
mixer settings.  Add a check to avoid it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-29 10:46:29 +02:00
Peter Maydell
93156cef1c trivial patches for 2014-04-28
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQEcBAABAgAGBQJTXd9hAAoJEL7lnXSkw9fb9XUIAKRVB/RAIuaQExVDOxq1C6ml
 o9gpFbCm1rE/fDB3fxUdppMxeOy4nLaX+H/RspYCtzEF8QBWA+OXiB5sH19I2Yd5
 1eiseNXimTMIWIJNwqgXCEabxOE2ae/9kQWry7pI3F7u2cA8EZZlgUIDzO5ogREj
 bi+Fy6KDlrMCLUBxtmoAkOnDPbTdnkVxu3Uv/oBFcrNCgklpGitIM+dMcayCUJ2q
 Mp2M/jRrGsCVB+cTpEbzqPoC/l2Xv6VYAvnjQWvJM9RpitzghufVAJ9IJa1xJM83
 2F05MEIr6h+ymLB7qh8x2lrJHN14O3t50uFaXL//om9JPlPei9lHQhfpVrg0UmQ=
 =2Bsm
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-04-28' into staging

trivial patches for 2014-04-28

# gpg: Signature made Mon 28 Apr 2014 05:56:01 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514  66A7 BEE5 9D74 A4C3 D7DB

* remotes/mjt/tags/trivial-patches-2014-04-28:
  slirp/smb: Move ncalrpc directory to tmp
  po: add proper Language: tags to .po files
  po/Makefile: fix $SRC_PATH reference
  init_paths: fix minor memory leak
  virtfs-proxy-helper: fix call to accept
  net/net.c: remove unnecessary semicolon
  Add QEMU logo (SVG file)
  vl: avoid closing stdout with 'writeconfig'
  xilinx: Fix typo in comment (Marvel -> Marvell)
  vl: Eliminate a superfluous local variable
  vl: Remove useless 'continue'
  gitignore: cleanups #2
  tests/.gitignore: Ignore test-rfifolock
  move test-* from .gitignore to tests/.gitignore
  configure: Improve help behavior
  vl: convert -m to QemuOpts
  qemu-option: introduce qemu_find_opts_singleton
  misc: Use cpu_physical_memory_read and cpu_physical_memory_write

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-28 13:43:17 +01:00
Peter Maydell
13de54eedd Merge remote-tracking branch 'remotes/qmp-unstable/queue/qmp' into staging
* remotes/qmp-unstable/queue/qmp:
  monitor: fix qmp_getfd() fd leak in error case
  HMP: support specifying dump format for dump-guest-memory
  HMP: fix doc of dump-guest-memory
  qmp: object-add: Validate class before creating object
  monitor: Add device_add and device_del completion.
  monitor: Add command_completion callback to mon_cmd_t.
  monitor: Fix drive_del id argument type completion.
  error: Remove some unused headers
  qerror.h: Replace QERR_NOT_SUPPORTED with QERR_UNSUPPORTED
  qerror.h: Remove QERR defines that are only used once
  qerror.h: Remove unused error classes
  error: Print error_report() to stderr if using qmp
  monitor: Remove unused monitor_print_filename
  error: Privatize error_print_loc
  vnc: Remove default_mon usage
  slirp: Remove default_mon usage

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-28 12:56:34 +01:00
Peter Maydell
d09a18d44d Net patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJTWmwjAAoJEJykq7OBq3PI32kH+gMZlANje8MPlPn0rjuQC3Eb
 9dt5Oz7dbRbEbRJQHvadbKSvV0beeIdSBxVe8vD3IOyPwGQQg0LqwTnUfXadwNYD
 SGYwOXMNgKe/+o9NRAcZonRxNLoU9J+cSCfLnqXUPdhLzlPF1uuaglBBjlcrhOOE
 YQfDIEe3UcPLpehl6ALrgtiF6+ZrjDnvFnL0KZcMKomQlCnMHvBuzVJ26lQ0m+38
 JxYYc99q6qGvBleH/tHMT7jRWPdEud5rEINKAFnb/OB82YL44fbVTboDFmGVW5WI
 keWiWbs2BwpxXjOwyf7ZunmSMLWIdSVLiSja+WE0YUMiNh+DFxdO7I9YVNlYK4Q=
 =0oRs
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

Net patches

# gpg: Signature made Fri 25 Apr 2014 15:07:31 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  net: Don't use error_is_set() to suppress additional errors
  net: Make qmp_query_rx_filter() with name argument more obvious
  net: xilinx_axienet.c: Add phy soft reset bit clearing
  net/net.c: Remove unnecessary semicolon
  pcnet: remove duplicate assignment
  tap: Avoid extra iterations while closing file fd

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-28 11:29:03 +01:00
Gerd Hoffmann
63e3e24db2 vga: add secondary stdvga variant
Add a standard vga variant which doesn't occupy any legacy
resources and thus can easily be used as secondary (or legacy-free)
graphics adapter.  Programming must be done using the MMIO bar.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-28 11:03:32 +02:00
Gerd Hoffmann
e2bbfc8ee2 vga: allow non-global vmstate
Need a way to opt-out from vga.vram being global vmstate, for
secondary vga cards.  Add a bool parameter to vga_common_init
to support this.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-28 10:21:55 +02:00
Stefan Weil
24c12b7923 xilinx: Fix typo in comment (Marvel -> Marvell)
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-28 08:55:31 +04:00
Stefan Weil
eb6282f230 misc: Use cpu_physical_memory_read and cpu_physical_memory_write
These functions don't need type casts (as does cpu_physical_memory_rw)
and also make the code better readable.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-27 13:04:18 +04:00
Cole Robinson
f231b88db1 qerror.h: Remove QERR defines that are only used once
Just hardcode them in the callers

Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2014-04-25 09:19:59 -04:00
Nathan Rossi
f663faac3e net: xilinx_axienet.c: Add phy soft reset bit clearing
Clear the BMCR Reset when writing to registers.

Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com>
[ PC:
 * Trivial style fixes to commit message
]
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-25 13:40:10 +02:00
Prasad Joshi
16cf0b2b34 pcnet: remove duplicate assignment
Signed-off-by: Prasad Joshi <prasadjoshi.linux@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-25 13:40:03 +02:00
Peter Maydell
7931b05987 Block patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTV4+1AAoJEH8JsnLIjy/Wx+wP+gJfhqxu8VJghro3YD1idhre
 iGBlKRWkkNqQmKNRV7coN2qb9rAEtHOPTkdlbYFSCd+mg/1vhZVS79wLa4jpwCMJ
 sfP4pmeJRj4XT2/3aFGuI3cLPMpZHD+lXMsldt+0f/tcmcF5LUHas+ss6grk52fb
 /u4WKPxl+BRc1zXRFXYTBVZyX2x2RaS0gUL0HTzXd9cXY76eXDyONKXsGUREgHE3
 O+paV6b4m8Hfnvahce5lM1Gz6wXUXk7JM9ZiQdZXqTe0Cnz9bjfhuMNTPlNlzWio
 TAnjBBEM2yLgwT9oPt6liMviPeb1NdY0m+SIhu+yrSqnxUto5AfMt3JawV8njP42
 TemQv4uGHUu60rSFb7MaPXkzzR3XoTMEAy2U2jXLeXgAfAfqdUhE3gcHwSDU6ctv
 Oxh7eWVoWzxJ92cUe88XMCv+KlQFZteF3WHYQZmPCRXJ8fb21W/ZQXtui0+sJArq
 /qjpOiOHk3F+geId3OLWcwHDLUV6GUfR2bLvS8ayQdRIVq2orltJqICnoAiRq4cM
 IwWxrZRlhPaLhnryeGeNS7AkmK0JopIBYTa+3CL7yUBFP8ziPDiQC6qS82dIsXGF
 5emPJux1Wg7qcZ56J21LydnsXjpzAOw9HxQzOBRWpgh8Ougd5NyxVer3UsZx9NAH
 2Dpu2uTqXJsLJq0KAPLZ
 =iitJ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches

# gpg: Signature made Wed 23 Apr 2014 11:02:29 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block/cloop: use PRIu32 format specifier for uint32_t
  vmdk: Fix "%x" to PRIx32 in format strings for cid
  qemu-img: Improve error messages
  qemu-iotests: Check common namespace for id and node-name
  block: Catch duplicate IDs in bdrv_new()
  qemu-img: Avoid duplicate block device IDs
  block: Add errp to bdrv_new()
  convert fprintf() calls to error_setg() in block/qed.c:bdrv_qed_create()
  block: Remove -errno return value from bdrv_assign_node_name
  curl: Replaced old error handling with error reporting API.
  block: Handle error of bdrv_getlength in bdrv_create_dirty_bitmap
  vmdk: Fix %d and %lld to PRI* in format strings
  block: Check bdrv_getlength() return value in bdrv_make_zero()
  block: Catch integer overflow in bdrv_rw_co()
  block: Limit size to INT_MAX in bdrv_check_byte_request()
  block: Fix nb_sectors check in bdrv_check_byte_request()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-25 12:22:37 +01:00
Peter Maydell
0e96643c98 usb: mtp filesharing
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTV3m1AAoJEEy22O7T6HE49N4P+QFtqY3HOWbxguzALuRMAnhB
 yZyujJOdC4N5W41kHrC7cG3rK5gLeQ24BcYVJOimreDtD1QRFyz5yC6Rb/FTT9+M
 4ldEO0WwD4bfewej4ax3ptopMGmpin/RgTslYyhq3QKAHICGcjtb9l5CV/ozHuyR
 ZgB7LaZBk49a5RL7QYd9EwcIH3X+5GtnPnDI1qG8IK6/ivvOGYVmPo9fdE5hm0YL
 Y2YO2nnIwgHCPiqlY1YGPwhiwhqiCWlQoumRvidSKDNgWCu2uraAERajgrcmUYBc
 oB8JHW+KTZJ/4JyO2okFVSpq+sSsSCnFlTvIDK6zSdvA4CPuNiFKhoqSkW/2Ioc5
 GZJ5/DLOor1kzcPbEDiBvosiNtUCWNyI1/UnzFnyc5XJyrfZ0INhR6w1++3N62nT
 w6InjD+BgdpXP+BHtWqnypEwKGXCfXeC8CUD5iUwYyj5mbg+FrTVXCGePk8x8UXP
 zn12MkM8Awh+Dm/EoVnmGKdt+rbT1qUu3cB+DSyuFNfFUT7FrwVvfmwOYv1FfJ2h
 I34jHw6r+GvV4awAdzNibT24/vQw+82iOPOzzo8RZpL65OEne/v+mrsyXl5GDiGG
 rW4TwO+2R717PpD5cmji/DO1BtkgmjjP/nkzHbnvPPq4S46PpinzDEICQ3WputeB
 oP8VESG0/3os3cIeCoB2
 =KDFB
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-5' into staging

usb: mtp filesharing

# gpg: Signature made Wed 23 Apr 2014 09:28:37 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-5:
  usb: mtp filesharing
  usb: add CompatibleID support to msos

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-24 16:16:57 +01:00
Gerd Hoffmann
840a178c94 usb: mtp filesharing
Implementation of a USB Media Transfer Device device for easy
filesharing.  Read-only.  No access control inside qemu, it will
happily export any file it is able to open to the guest, i.e.
standard unix access rights for the qemu process apply.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-23 10:28:14 +02:00
Gerd Hoffmann
409951f552 usb: add CompatibleID support to msos
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-22 12:40:57 +02:00
Kevin Wolf
98522f63f4 block: Add errp to bdrv_new()
This patch adds an errp parameter to bdrv_new() and updates all its
callers. The next patches will make use of this in order to check for
duplicate IDs. Most of the callers know that their ID is fine, so they
can simply assert that there is no error.

Behaviour doesn't change with this patch yet as bdrv_new() doesn't
actually assign errors to errp.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2014-04-22 12:00:20 +02:00
Stefan Weil
b36dc67b95 Fix grammar in comment
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-18 10:33:36 +04:00
Peter Maydell
ee25595f01 hw/ide/ahci.c: Avoid shift left into sign bit
Add U suffix to avoid shifting left into the sign bit, which
is undefined behaviour.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-18 10:33:36 +04:00
Peter Crosthwaite
5538937368 net: cadence_gem: Make phy respond to broadcast
Phys must respond to address 0 by specification. Implement.

Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 6f4d53b04ddbfb19895bfb61a595e69f1c08859a.1396594056.git.peter.crosthwaite@xilinx.com
Reviewed-by: Beniamino Galvani <b.galvani@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17 21:34:07 +01:00
Peter Crosthwaite
6954a1cd97 misc: zynq_slcr: Make DB_PRINTs always compile
Change the DB_PRINT macro over to a regular if() rather than
conditional compilation to give constant compile testing of formats.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 942477847353c5cff5f45a228cc88c633dc012f3.1396503037.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17 21:34:07 +01:00
Peter Crosthwaite
15e3611e1c misc: zynq_slcr: Convert SBD::init to object init
To bring it up to date with styling guidelines.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 2e837af80a18216c21e73241032e048f39d78b99.1396503037.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17 21:34:07 +01:00
Peter Crosthwaite
db302f8f93 misc: zynq-slcr: Rewrite
Near total rewrite of this device model. It is stylistically
obsolete, has numerous coverity fails and is not up to date with latest
Xilinx documentation. Fix.

The registers are flattened into a single array. This greatly simplifies
the MMIO accessor functions.

We take the oppurtunity to update the register Macro definitions to
match the latest TRM. Xilinx has de-documented some regs hence there are
some straight deletions. We only do this however in the case or a stock
read-as-written reset-zero register. Non-zero resets are always
preserved. New register definitions are added as needed.

This all comes with a VMSD version break as the union layout from before
was a bit strange and we are better off without it.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 3aa016167b352ed224666909217137285fd3351d.1396503037.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17 21:34:06 +01:00
Beniamino Galvani
6619bc5c55 allwinner-emac: update irq status after writes to interrupt registers
The irq line status must be updated after writes to the INT_CTL and
INT_STA registers.

Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 1395771730-16882-8-git-send-email-b.galvani@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17 21:34:06 +01:00