Commit Graph

35861 Commits

Author SHA1 Message Date
Denis V. Lunev
285030b0de iotests: replace fake parallels image with authentic one
The image was generated using http://openvz.org/Ploop utility and properly
filled with the same content as original one.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1412759610-2257-2-git-send-email-den@openvz.org
CC: Jeff Cody <jcody@redhat.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Chris Spiegel
ba2b22888c snapshot: Reset err to NULL to avoid double free
If an error occurs in bdrv_snapshot_delete_by_id_or_name(), "err" is
freed.  If "err" is not set to NULL before calling
bdrv_snapshot_delete_by_id_or_name() again, it will not be updated on
error, and will be freed again.

This can be triggered by starting a VM with at least two drives and then
attempting to delete a non-existent snapshot.

Broken in commit a89d89d.

Signed-off-by: Chris Spiegel <chris.spiegel@cypherpath.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1412613225-32676-1-git-send-email-chris.spiegel@cypherpath.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
54a7f8f38d ahci: Fix SDB FIS Construction
The SDB FIS creation was mangled;
We were writing the error byte to byte 0,
and omitting the SDB FIS magic byte.

Though the SDB packet layout states that:
byte 0: Must be 0xA1 to indicate SDB FIS.
byte 1: Port multiplier select & other flags
byte 2: status byte.
byte 3: error byte.

This patch adds an SDB FIS structure with
human-readable names, and ensures that we
are filling the structure appropriately.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-7-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
659142ecf7 ahci: Update byte count after DMA completion
Currently, DMA read/write operations neglect to update
the byte count after a successful transfer like ATAPI
DMA read or PIO read/write operations do.

We correct this oversight by adding another callback into
the IDEDMAOps structure. The commit callback is called
whenever we are cleaning up a scatter-gather list.
AHCI can register this callback in order to update post-
transfer information such as byte count updates.

We use this callback in AHCI to consolidate where we delete
the SGlist as generated from the PRDT, as well as update the
byte count after the transfer is complete.

The QEMUSGList structure has an init flag added to it in order
to make qemu_sglist_destroy a nop if it is called when
there is no sglist, which simplifies cleanup and error paths.

This patch fixes several AHCI problems, notably Non-NCQ modes
of operation for Windows 7 as well as Hibernate support for Windows 7.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-3-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
7b8bad1b6a ahci: Correct PIO/D2H FIS responses
Currently, the D2H FIS packets AHCI generates simply parrot back
the LBA that the guest sent to us in the cmd_fis. However, some
commands (like READ NATIVE MAX) modify the LBA registers as a
return value, through which the AHCI D2H FIS is the only response
mechanism. Thus, the D2H response should use the current register
values, not the initial ones.

This patch adjusts the LBA and drive select register responses for
PIO Setup and D2H FIS response packets.

Additionally, the PIO and D2H FIS responses copy too many bytes
from the command FIS that it is being generated from. Specifically,
byte 11 which is the Features(15:8) field for Register Host to
Device FIS packets, is instead reserved for the PIO Setup FIS and
should always be 0.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-2-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
dc9e716369 block/iscsi: check for oversized requests
Cancel oversized requests early. They would generate
an iSCSI protocol error anyway; after having transferred
possibly a lot of data over the wire.

Suggested-By: Max Reitz <mreitz@redhat.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
3dab155154 block/iscsi: use sector_limits_lun2qemu throughout iscsi_refresh_limits
As Max pointed out there is a hidden cast from int64_t to int for all
limits. So use the newly introduced sector_limits_lun2qemu for all
limits received from the target.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
6c5a42ac34 block: avoid creating oversized writes in multiwrite_merge
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
52f6fa1430 block/iscsi: set max_transfer_length
Copy the max_xfer_len from the BlockLimits VPD or use the
maximum value fitting in the CDB.

The helper function sector_limits_lun2qemu is introduced to convert
and cap the limits from the VPD to the maximum power of two fitting
in an integer; integer is the range for nb_sectors throughout
the block layer.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
2647fab57d BlockLimits: introduce max_transfer_length
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
ac3a872664 util: introduce MIN_NON_ZERO
at least in block layer we have the case of limits being defined for a
BlockDriverState. However, in this context often zero (0) has the special
meanining of undefined which means no limit. If two of those limits are
combined and the minimum is needed the minimum function should only return
zero if both parameters are zero.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Aurelien Jarno
0a2923f848 tcg/mips: fix store softmmu slow path
Commit 9d8bf2d1 moved the softmmu slow path out of line and introduce a
regression at the same time by always calling tcg_out_tlb_load with
is_load=1. This makes impossible to run any significant code under
qemu-system-mips*.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2014-11-02 13:30:00 +01:00
Peter Maydell
ee29498e4f Merge remote-tracking branch 'remotes/sstabellini/xen-2014-10-30' into staging
* remotes/sstabellini/xen-2014-10-30:
  fix off-by-one error in pci_piix3_xen_ide_unplug
  xen-hvm.c: Add support for Xen access to vmport

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 20:28:09 +00:00
Peter Maydell
4239e2dc01 vmware-vga: add rectangle verification (CVE-2014-3689)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUUNNZAAoJEEy22O7T6HE4S3YP/jEHyGtodT6+Q2sTOFWX7y4q
 q4JP+xRONdLnY//7Xe8F2cZQffH0W5QS8DJxf4SaRVDVk2e2tvK2P9XiaMkekOEC
 zzfKxbvGozD4w2yrhVNAlQb4l1c09jcBuoa4T3JEXwdH28sq9TuOmGLNky7oEG2W
 nVEXcO14yMDHKCurbZuzvwxoc25XwY8Y2vTW558iLvGzFzXLMt3fIp2MIIcmQL1c
 lWQ2+6Ajeh2KzjpiWFym6fvMko3rM+IpdhYLNQE7PbbzsD9SynwWxnC3P6xSuSv9
 WFMz1RWcoDOylosnXmjQgZFgpgwl2jnfX4MWDclWO3z0ooGgchKnR4b1eWyefV6b
 oFsG8Pl2duESYRyojhnglXoTqQnT/lf0j+MoeVWkMSADSYgKoGYIVwNtdFM4LXY2
 0hlnuJl4uKbdCGmi1UWZ517h4sU1cdf4NuaQDLjkr2p4GREvGsUvww7ae++cxJtL
 xiqnheJOjrg6qM+P+N6x9Iqd3ChcsFF3xu5nKH/iO4nXgdsiL4sBqA0iUsVvujXV
 AQZyxBka81sXEdZBH1nOFuTj14TaStl8OCLWz2iOQj4fqAaMoibDeoSVUXnzo3CI
 HZ4fGnJ9j17qOJAv5VL8XnUOp8ZFGFpTFkVHhuZkqZyaMlP1t0ujpP/cUXrS1+Hm
 yabN/p6vO063JE23JN9W
 =Z1KH
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3689-20141029-1' into staging

vmware-vga: add rectangle verification (CVE-2014-3689)

# gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2014-3689-20141029-1:
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
  vmware-vga: add vmsvga_verify_rect
  vmware-vga: CVE-2014-3689: turn off hw accel

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 19:11:25 +00:00
Peter Maydell
fecd54ccd7 vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT3VvAAoJEEy22O7T6HE4P8YP/ietMLSUkbt0UYOaFs4cyb4P
 Eb/omvVgA2nxgpJErovNq3nNHeRsHzo479Vm04CaNBavVZgT+4YiYhcMN2SsepqT
 SnzZ4YiuQ9VMIma4CeAvizjXCutQ9BDQAu6RkVv50TqqMgfzaxE7tcxKQgocYxDd
 CJdBB81/9g2IybHYhwyQUeh6Lra2Wh7N1JfKUt9bfRnGqVTgKeshrdZkwArsjUEa
 MwvVt7u6beGGOCAdVJRJMUzi8WzX0bQRpS9SoFYoLvRwsf+HIJQh16aJ9tDnqJpu
 Vv7xTnkmIFi13NhbPReVhS7f4qgAcDO718/A2KbHcml7EF3E78/zwVFQfAd4yqXc
 YyySdh8k2zsQ+F0YfX2N7soDM9eRtFdWj/Df6z+VqPDn/X0t8HmVZk7GAxHVg7cG
 4UT44v1g0RBIN381PnckPhQCX/1s0U8wRQTstuKJO9x7WpI5rKIAS/WDdFJkwm9V
 LDqBYlk44VAwSgAt5gas5b7efrhUPAECAA8HaX1Xjs0WIb5vzB3le/WEjbWc7XFn
 sORIJCE5+jBi0G0NQ21KaO7RocE21cFOGCgwJuAGcgboSzXAJc1z5+4RozerUaMK
 jjkIEk826AcFR1kL3xjPAeJ4qo4pJO3OhcWqQrRGpCL88s9eFe3pp+2FlZDNj01R
 SjQN3h4g9js4nYFF2o7v
 =Y163
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20141028-1' into staging

vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)

# gpg: Signature made Tue 28 Oct 2014 10:52:31 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20141028-1:
  vnc: return directly if no vnc client connected
  vnc: sanitize bits_per_pixel from the client

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 18:21:25 +00:00
Peter Maydell
f33f43bd86 Fixes for libcacard (usb smartcard emulation), xhci and uhci.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT3J4AAoJEEy22O7T6HE4CXoQAKII8pelQ7DuP6OgrkFzQ1h5
 W17Nx/0mwsw7OatTNgV9uwdFp9zojZBIw15XPJSG2tbaf5Cc+f8rTU9x4W78xDzm
 Q2jgD0UXQm/cQVseUbCc3aDiP0g4N73E4PhkaYbTEk2/wctDkxV0ILNhJBWVtx/A
 q4qAB+9jVhgYY61JSwSxHSneSe8hu3Gos7y40J/lqwEvd3yzY0G/uXF1myw5NNf9
 KFFjSOloLtoO/FaYg4VRY3e7QpMj2YlyytbDaG4+SMOzfZ6+P8thMbG3tWBDTSz0
 ggghS85cL7BBH8bCvatvVhL8YPqrt8k8eP4UkdaTL3ZnHjlW2/RFbHw6oao+//ev
 QOmXuAkuwH2HUAo1PUgmKmC3cHGuCiOYlNvsTQ87LBTLLCt822ugD1wZUgCleXpd
 1U6q9wxFeW65mKRrkC3JFCp2ljFgb4oxN6e4k0C1Naz4QKQjBKZTJWoTxzt6U56s
 ZnivZETvtP9TV1q8j09Hx/r8+sIG8UqFK84EMMQ8dglYdsTZB8TgzUebyUy6RiYE
 2ahNi35UDn2oW+NE3Eof4p8SO1Cxas/p9ylfJZZJ0EaMJkr5AJ0KBgW4i7Lz/WPQ
 Jy/DlmIyiipz0C/LL+tl8m4l/CtdhhZqeI4G/doJ6BxYZ0qH+pPyxC7BpK1ySUzs
 kMm7LrIkhVoTQ7pwpsN7
 =uT+E
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20141028-1' into staging

Fixes for libcacard (usb smartcard emulation), xhci and uhci.

# gpg: Signature made Tue 28 Oct 2014 10:39:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20141028-1:
  uhci: remove useless DEBUG
  xhci: add property to turn on/off streams support
  libcacard: don't free sign buffer while sign op is pending
  libcacard: Lock NSS cert db when selecting an applet on an emulated card
  libcacard: introduce new vcard_emul_logout

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 17:04:29 +00:00
Peter Maydell
3c1d9a15be gtk: fix two warnings with gtk 3.14+
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT28wAAoJEEy22O7T6HE4deIQAKq6eHQCWqhlVoceRdyNKngV
 8x+daiocmv8SJ0BP/fXaJYO1PPHbk/xrkao9JGRMwQp4e3k0HN6qLDw2/I3CrlBp
 O9zKOHDl2LO7+RmEnSjDq071guG1WN9BLxW9sJwI1yYUHK5EnUhP0O97L4G1zfEW
 iI4NCjx0UKhiGGxukWRv0CmSpP64MAvazv2fQwCYM/SlB6vkshEfbGgAL+phQrb5
 VZFh+p7R3zKNmNX4i/GzO49rJ+7ak8eqWbjEnGorD12OH7A/7tHW94w7CrdGBkw/
 uXKkRI7mZ0KY5PY35T4pox3/5wcYIeqfLxW62TJVwLpmeWsnz40nnGsKsq77xzKl
 yFbEABxgPTi8CQflwcrlDf6aXG5v0EpS6bCLJjqmNv/aWbC5igB1Qp6kP8wPWuhS
 Dguo7PDRjxwX6BKabTjKEvVP94VimekghLXXqJk/IwWIr4Nuqa08tOierTKGubli
 q0j/IDE400qgrRcyeIs5zeFIFfo8WBZLIpqrDchjlaCjTn28n5y0ZoE1w0fnDZa4
 VwRfYhBR6c3S6Lst/WRRfFrqAXq5mqASAlOFF4tBIP8cLuhJh/zNfi7KRoVl1tOi
 6a/qOZDCP8rVO8oZlGhrAtHkY0VWZW3wgmeKebVi8xTuYvSrEXoYYLTAcU97qr16
 x8G/kU66xzcU9F7HAgKK
 =HpFW
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20141028-1' into staging

gtk: fix two warnings with gtk 3.14+

# gpg: Signature made Tue 28 Oct 2014 10:25:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20141028-1:
  gtk: avoid gd_widget_reparent with gtk 3.14+
  gtk: drop gtk_widget_set_double_buffered call

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 14:45:53 +00:00
James Harper
d4f9e806c2 fix off-by-one error in pci_piix3_xen_ide_unplug
Fix off-by-one error when unplugging disks, which would otherwise leave the last ATA disk plugged, with obvious consequences. Also rewrite loop to be more readable.

Signed-off-by: James Harper <james.harper@ejbdigital.com.au>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-10-30 14:16:39 +00:00
Don Slutz
37f9e258b6 xen-hvm.c: Add support for Xen access to vmport
This adds synchronisation of the 6 vcpu registers (only 32bits of
them) that vmport.c needs between Xen and QEMU.

This is to avoid a 2nd and 3rd exchange between QEMU and Xen to
fetch and put these 6 vcpu registers used by the code in vmport.c
and vmmouse.c

The registers are passed in the new shared page provided by
HVM_PARAM_VMPORT_REGS_PFN.

Add new array to XenIOState that allows selection of current_cpu by
vcpu id.

Now pass XenIOState to handle_ioreq().

Add new routines regs_to_cpu(), regs_from_cpu(), and
handle_vmport_ioreq().

Signed-off-by: Don Slutz <dslutz@verizon.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-10-30 14:16:38 +00:00
Peter Maydell
08118672d0 virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJUTmDNAAoJEL/70l94x66DPb0IAKKhf8IRfQZPEQgOWD2YeANd
 vwAZ4JcqAl2/dbeOTrs5TXOWdoNVXUFDmeHh4zsgUB7poxsOqZ/M7N844UGR5duC
 f4fKYXAkjyqocKH7dbpf/S+YuJtU40qowI02HQeEmGpZaJUjmfMAFwrguqerdMaB
 pGA79948XeoAjP8jNgf1EqCqLi31GBEfiU2q05xLKxd+M0xSFIM7IM2hGZfFv7Hq
 bbE2CGuCyj4NST/GH2C/22QBz9MyqFaL2prtDqoMugAHTKE7vO/rpFti9oTDRCXa
 x8U/JcBf/puBNI+Kq+cdxTJicwIuqrcBkNmjP9sLv/nJ37QwEG06VDCd4Xj9mEs=
 =zXqD
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.

# gpg: Signature made Mon 27 Oct 2014 15:12:13 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (28 commits)
  aio / timers: De-document -clock
  hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
  virtio-scsi: sense in virtio_scsi_command_complete
  target-i386: add Intel AVX-512 support
  get_maintainer.pl: restrict cases where it falls back to --git
  get_maintainer.pl: move git loop under "if ($email) {"
  qtest: fix qtest log fd should be initialized before qtest chardev
  MAINTAINERS: avoid M entries that point to mailing lists
  MAINTAINERS: add some tests directories
  MAINTAINERS: Add more TCG files
  MAINTAINERS: add myself for X86
  MAINTAINERS: add Samuel Thibault as usb-serial.c and baum.c maintainer
  MAINTAINERS: grab more files from Anthony's pile
  target-i386: warns users when CPU threads>1 for non-Intel CPUs
  sysbus: Use TYPE_DEVICE GPIO functionality
  qdev: gpio: Define qdev_pass_gpios()
  qdev: gpio: Remove qdev_init_gpio_out x1 restriction
  qdev: gpio: delete NamedGPIOList::out
  irq: Remove qemu_irq_intercept_out
  qtest/irq: Rework IRQ interception
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 13:35:12 +00:00
Paolo Bonzini
cbd5ac6991 virtio: link the rng backend through an alias property
The virtio-rng backend is currently linked twice, once in the proxy
device (e.g. virtio-rng-pci) and once in virtio-rng-device.  This causes
a double unref of the backend when the parent device is unplugged.

To fix this, make the proxy device use an alias, similar to what is
already being done for the iothread link.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Message-id: 1414577839-18695-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 12:59:27 +00:00
Gerd Hoffmann
bd9ccd8517 vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:30 +01:00
Gerd Hoffmann
61b41b4c20 vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:26 +01:00
ChenLiang
9d6b207047 vnc: return directly if no vnc client connected
graphic_hw_update and vnc_refresh_server_surface aren't
need to do when no vnc client connected. It can reduce
lock contention, because vnc_refresh will hold global big
lock two millisecond every three seconds.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:51:04 +01:00
Petr Matousek
e6908bfe8e vnc: sanitize bits_per_pixel from the client
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>

[ kraxel: apply codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:51:04 +01:00
Gonglei
a65e4ef90f uhci: remove useless DEBUG
commit 50dcc0f8 (uhci: tracing support) had removed
DPRINTF, the DEBUG marco is useless now, remove it.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Gerd Hoffmann
2aa6bfcb66 xhci: add property to turn on/off streams support
streams support in usb-redir and usb-host works only with recent enough
versions of the support libraries (libusbredir and libusbx).  Failure
mode is rather unelegant:  Any stream usb transfers will throw stall
errors.  Turning off support for streams in the xhci host controller
will work better as the guest can figure beforehand that streams are
not going to work.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
81b49e8f89 libcacard: don't free sign buffer while sign op is pending
commit 57f97834ef cleaned up
the cac_applet_pki_process_apdu function to have a single
exit point. Unfortunately, that commit introduced a bug
where the sign buffer can get free'd and nullified while
it's still being used.

This commit corrects the bug by introducing a boolean to
track whether or not the sign buffer should be freed in
the function exit path.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Alon Levy <alon@pobox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
1223bc4cee libcacard: Lock NSS cert db when selecting an applet on an emulated card
When a process in a guest uses an emulated smartcard, libcacard running
on the host passes the PIN from the guest to the PK11_Authenticate NSS
function. The first time PK11_Authenticate is called the passed in PIN
is used to unlock the certificate database. Subsequent calls to
PK11_Authenticate will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.

Of course, the guest may have many applications using the one emulated
smart card all driven from the same host QEMU process.  That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
successfully unlock the virtual smartcard.

This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
f032cfab61 libcacard: introduce new vcard_emul_logout
vcard_emul_reset currently only logs NSS out, but there is a TODO
for potentially sending insertion/removal events when powering down
or powering up.

For clarity, this commit moves the current guts of vcard_emul_reset to
a new vcard_emul_logout function which will never send insertion/removal
events. The vcard_emul_reset function now just calls vcard_emul_logout,
but also retains its TODO for watching power state transitions and sending
insertion/removal events.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Gerd Hoffmann
316cb068bd gtk: avoid gd_widget_reparent with gtk 3.14+
gtk_widget_reparent is depricated in gtk 3.14, stop using it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:25:14 +01:00
Gerd Hoffmann
987fec54e1 gtk: drop gtk_widget_set_double_buffered call
Dunno why it is here.  Removing it seems to have no ill side effects.
It is depricated in 3.14+.  In some cases it has no effect since 3.10
according to the docs:

https://developer.gnome.org/gtk3/stable/GtkWidget.html#gtk-widget-set-double-buffered

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:25:14 +01:00
Gerd Hoffmann
1735fe1edb vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:08 +01:00
Gerd Hoffmann
07258900fd vmware-vga: add vmsvga_verify_rect
Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:04 +01:00
Gerd Hoffmann
83afa38eb2 vmware-vga: CVE-2014-3689: turn off hw accel
Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:39:58 +01:00
Markus Armbruster
e218052f92 aio / timers: De-document -clock
Commit 6d32717 "aio / timers: Remove alarm timers" has issues:

1. It silently ignores -clock for backward compatibility.
Incompatible change: -clock help no longer terminates the program.
Tolerable.

2. Failed to update option documentation.  In particular, -help still
advises users to try -clock help for available timers.  Drop all
documentation on -clock.

3. The 'query-alarm-clock' example in docs/writing-commands.txt no
longer works, and needs to be redone.  Can't do that right now, so I
just stick in a FIXME.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:11:45 +01:00
Bin Wu
024d9adc79 hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
The local variable "type" in virtio_scsi_handle_ctl represents the tmf
command type from the guest and it has the same meaning as the
req->req.tmf.type. However, before the invoking of virtio_scsi_parse_req
the req->req.tmf.type doesn't has the correct value(just initialized to
zero). Therefore, we need to use the "type" variable to judge the case.

Cc: qemu-stable@nongnu.org
Signed-off-by: Bin Wu <wu.wubin@huawei.com>
[Actually make it compile, "type" must be uint32_t in order to pass
 it to virtio_tswap32s. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:11:45 +01:00
Ting Wang
b7890c40e5 virtio-scsi: sense in virtio_scsi_command_complete
If req->resp.cmd.status is not GOOD, the address of sense for
qemu_iovec_from_buf should be modified from &req->resp to sense.

Cc: qemu-stable@nongnu.org
Signed-off-by: Ting Wang <kathy.wangting@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:10:53 +01:00
Jan Kiszka
3e9418e160 Revert "main-loop.c: Handle SIGINT, SIGHUP and SIGTERM synchronously"
This reverts commit 15124e1420. It breaks
debuggability of qemu and is no longer needed as the problem has
now been addressed in a different way.

Instead we provide a comment about why these signals must be
handled asynchronously.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
[PMM: added comment]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-27 15:05:09 +00:00
Jan Kiszka
817ef04db2 Make qemu_shutdown_requested signal-safe
qemu_shutdown_requested may be interrupted by qemu_system_killed. If the
latter sets shutdown_requested after qemu_shutdown_requested has read it
but before it was cleared, the shutdown event is lost. Fix this by using
atomic_xchg.

This provides a different fix for the problem which commit 15124e142
attempts to deal with. That commit breaks use of ^C to drop into gdb,
and so this approach is better (and 15124e142 can be reverted).

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
[PMM: commit message tweak]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-27 14:09:27 +00:00
Chao Peng
9aecd6f8ae target-i386: add Intel AVX-512 support
Add AVX512 feature bits, register definition and corresponding
xsave/vmstate support.

Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 18:03:14 +02:00
Peter Maydell
ff0d48768b MAINTAINERS: add myself under 'general project admin' section
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Acked-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1413405052-4527-1-git-send-email-peter.maydell@linaro.org
2014-10-24 14:30:18 +01:00
Leon Alrae
6f64091786 MAINTAINERS: add myself as MIPS guest cores co-maintainer
Add myself to the maintainer list for MIPS guest cores and update the status
from "Odd Fixes" to "Maintained".

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 1413459487-13658-1-git-send-email-leon.alrae@imgtec.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 14:28:18 +01:00
Leon Alrae
74dda9876b target-mips: add ULL suffix in bitswap to avoid compiler warning
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Message-id: 1413982829-27225-1-git-send-email-leon.alrae@imgtec.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 14:07:51 +01:00
Peter Maydell
71b7f54fdf target-arm queue:
* remove pointless 'info pcmcia' and a lot of now-dead code
  * register ARM cpu reset handlers even if not using -kernel
  * update to libvixl 1.6
  * various minor code cleanups
  * support PSCI under TCG ('virt' machine can now be shut down,
    SMP configurations work)
  * correct the sense of the AArch64 DCZID DZP bit
  * report a valid L1Ip field in CTR_EL0 for CPU type "any"
  * correctly UNDEF writes to FPINST/FPINST2 from EL0
  * more preparatory code refactoring for EL2/EL3 support
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJUSjmYAAoJEDwlJe0UNgzebJgQAJnPbPNhwT/S4xbE+RVpJDPY
 tkmFOwMijao7w1+teg2HmG5QwGDe/Fyzr15Abp5Kx7DxhdN2qflWCgZYnmxaQfJe
 e2MRpvmyji8nrHEhBqvdEj/qA0j0BuO//QaDU2JDeyM0CZ3un6kzHArLNMiV5nSj
 DXhl9/Zn6zuvUOEi605zFc5mVchMzen6Mvc4bHNUWgE/eGH1/o/UyUjQRhaCyAwI
 owDbKohKFWQ9wpsUQVGeH3inTFNDMcFNggDnuw9F+GowUXK7usQhulHoix8Wfhi9
 ku47kp1w7XrF0sp05dCjh9pK9F0iv0gbdh5Wg31yaw7pCEWwLiPWHblu2BoGc37P
 pEqI/H21eImGfnLT04EPO0w1KD5B3OapSqI8Tsq9l3hd2yXtHm8KVk2eEGfUJpuN
 pAePNEwhYX2oqHugrH1zkZXEsSw7VsY57WOCkmwwLdKf6xdbqJwdWEehxLUdkiSx
 KcYYkO8g6voDUBUvhpDrlmSceUgzFqCE7wrcwhOiQQ5oY8jDd5DE5Gtg1I/T7yXc
 5wXeNh6nSj/MYtL4sYBiEEOVI/aaDiK6xqUxeT38VhI5amCj2EARfLEb2qqo25aC
 mmB6WujUFQmu3Eu95lK5Iced3ZjbjcJ8UaSu3NwSTiAATqf8ezTSdSktLDNmpPpj
 jsgOKj9aDOBP9aWNaGlp
 =uBin
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20141024' into staging

target-arm queue:
 * remove pointless 'info pcmcia' and a lot of now-dead code
 * register ARM cpu reset handlers even if not using -kernel
 * update to libvixl 1.6
 * various minor code cleanups
 * support PSCI under TCG ('virt' machine can now be shut down,
   SMP configurations work)
 * correct the sense of the AArch64 DCZID DZP bit
 * report a valid L1Ip field in CTR_EL0 for CPU type "any"
 * correctly UNDEF writes to FPINST/FPINST2 from EL0
 * more preparatory code refactoring for EL2/EL3 support

# gpg: Signature made Fri 24 Oct 2014 12:35:52 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20141024: (23 commits)
  target-arm: A32: Emulate the SMC instruction
  target-arm: make arm_current_el() return EL3
  target-arm: rename arm_current_pl to arm_current_el
  target-arm: reject switching to monitor mode
  target-arm: add arm_is_secure() function
  target-arm: increase arrays of registers R13 & R14
  target-arm: correctly UNDEF writes to FPINST/FPINST2 from EL0
  target-arm: Report a valid L1Ip field in CTR_EL0 for CPU type "any"
  target-arm: Correct sense of the DCZID DZP bit
  arm/virt: enable PSCI emulation support for system emulation
  target-arm: add emulation of PSCI calls for system emulation
  target-arm: Add support for A32 and T32 HVC and SMC insns
  target-arm: Handle SMC/HVC undef-if-no-ELx in pre_* helpers
  target-arm: add missing PSCI constants needed for PSCI emulation
  target-arm: do not set do_interrupt handlers for ARM and AArch64 user modes
  target-arm: add powered off cpu state
  omap_gpmc.c: Remove duplicate assignment
  disas/libvixl/a64/instructions-a64.h: Remove unused constants
  arm_gic: remove unused parameter.
  disas/libvixl: Update to libvixl 1.6
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:40:29 +01:00
Fabian Aggeler
dbe9d16367 target-arm: A32: Emulate the SMC instruction
Implements SMC instruction in AArch32 using the A32 syndrome. When executing
SMC instruction from monitor CPU mode SCR.NS bit is reset.

Signed-off-by: Sergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: Greg Bellows <greg.bellows@linaro.org>
Message-id: 1413910544-20150-7-git-send-email-greg.bellows@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:19:15 +01:00
Fabian Aggeler
592125f83a target-arm: make arm_current_el() return EL3
Make arm_current_el() return EL3 for secure PL1 and monitor mode.
Increase MMU modes since mmu_index is directly inferred from arm_
current_el(). Change assertion in arm_el_is_aa64() to allow EL3.

Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1413910544-20150-6-git-send-email-greg.bellows@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:19:14 +01:00
Greg Bellows
dcbff19bd0 target-arm: rename arm_current_pl to arm_current_el
Renamed the arm_current_pl CPU function to more accurately represent that it
returns the ARMv8 EL rather than ARMv7 PL.

Signed-off-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1413910544-20150-5-git-send-email-greg.bellows@linaro.org
[PMM: fixed a minor merge resolution error in a couple of hunks]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:19:14 +01:00
Sergey Fedorov
027fc52704 target-arm: reject switching to monitor mode
Reject switching to monitor mode from non-secure state.

Signed-off-by: Sergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1413910544-20150-4-git-send-email-greg.bellows@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:19:14 +01:00
Fabian Aggeler
19e0fefa6f target-arm: add arm_is_secure() function
arm_is_secure() function allows to determine CPU security state
if the CPU implements Security Extensions/EL3.
arm_is_secure_below_el3() returns true if CPU is in secure state
below EL3.

Signed-off-by: Sergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: Fabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1413910544-20150-3-git-send-email-greg.bellows@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 12:19:14 +01:00