Commit Graph

32461 Commits

Author SHA1 Message Date
Michael S. Tsirkin
36cf2a3713 virtio: validate num_sg when mapping
CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael Roth
4b53c2c72c virtio: avoid buffer overrun on incoming migration
CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
d2ef4b61fe vmstate: fix buffer overflow in target-arm/machine.c
CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to valide the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
d8d0a0bc7e pl022: fix buffer overun on invalid state load
CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
5f691ff91d hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
3f1c49e213 hpet: fix buffer overrun on invalid state load
CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
ae2158ad6c ahci: fix buffer overrun on invalid state load
CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
cc45995294 virtio: out-of-bounds buffer write on invalid state load
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Michael S. Tsirkin
eea750a562 virtio-net: out-of-bounds buffer write on invalid state load
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Michael S. Tsirkin
71f7fe48e1 virtio-net: fix buffer overflow on invalid state load
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Michael S. Tsirkin
4082f0889b vmstate: add VMSTATE_VALIDATE
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Michael S. Tsirkin
5bf81c8d63 vmstate: add VMS_MUST_EXIST
Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Michael S. Tsirkin
35fc1f7189 vmstate: reduce code duplication
move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 14:15:10 +02:00
Peter Maydell
fdaad4715a target-arm queue:
* implement XScale cache lockdown cp15 ops
  * fix v7M CPUID base register
  * implement WFE and YIELD as yields for A64
  * fix A64 "BLR LR"
  * support Cortex-A57 in virt machine model
  * a few other minor AArch64 bugfixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABCAAGBQJTYl1JAAoJEDwlJe0UNgzeAZUP/1OP9OWKdNcBmfyc+rrpCzOn
 49m6FSYOw2jtUf1YYItr38tDIq0rFCLB3DYPUD7hWtll8tFUyE4TD3XsTr0nJ7Jq
 io12W8Gfuua6K57xmLMaLyrP8hu0gHtnZFEgi9vVz+ASXtqw6SUpFuOr7TFjfP2U
 qZfELHoWFCek7OnqaR+wn5qKRr+zqEAYr7FlnR2dT3GKT72JEuDGQUZlk2m5oOBb
 mChrc+SvQBJUXTk+HPNrXdA8i+FOmIfmNXN1lHaGatBjLQoGULb2TEBZU4Zvyg1z
 74vermgX9EaqZ7lFI4+gQT4+4wclnX4xP2K/+2b2iBZziLUFhc7Odp0jHw1gh5lY
 /zADi3+FuB7JJEQztjwD0Q30vZSqIu2PH6wvH3Axnl9va3tYHHGtj267X3MN+KIy
 KJqQS+0KG/UNzOCkY3bgjXIsmDhWJAZAa0HhL5eze7kznH17iGkej0GT1xVHWf54
 9GZydWgtaXaLk/ob9Js/3gLcQ7yEFZBtaVsRHBavrurSeTCV4MS00Xcn+YhTSpRS
 h6i37hDWpH8GyeqjVmbUaHY+Zxgy01QGXgvP5KwX6g+ulhYGIO+taqTJ+6EWoCSS
 aTNHsCwYQy1pMm3YtjQd1UC8WQJAKpfDFT8imxjXnU5QGSnqlgYDVSgUlyg4iSY2
 s0KRAvT26KV0HJ4FqaZ0
 =F2C9
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140501' into staging

target-arm queue:
 * implement XScale cache lockdown cp15 ops
 * fix v7M CPUID base register
 * implement WFE and YIELD as yields for A64
 * fix A64 "BLR LR"
 * support Cortex-A57 in virt machine model
 * a few other minor AArch64 bugfixes

# gpg: Signature made Thu 01 May 2014 15:42:17 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20140501:
  hw/arm/virt: Add support for Cortex-A57
  hw/arm/virt: Put GIC register banks on 64K boundaries
  hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
  target-arm: Correct a comment refering to EL0
  target-arm: A64: Fix a typo when declaring TLBI ops
  target-arm: A64: Handle blr lr
  target-arm: Make vbar_write 64bit friendly on 32bit hosts
  target-arm: implement WFE/YIELD as a yield for AArch64
  armv7m_nvic: fix CPUID Base Register
  target-arm: Implement XScale cache lockdown operations as NOPs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-02 11:32:00 +01:00
Peter Maydell
e50bf23438 Block patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTYT60AAoJEH8JsnLIjy/WQIoP/2n2/YoSOgtv3IwV1YdjzmLK
 fAVYhkZz+ElvMuoM/Mj9k1VEYlIImCrx2Y8vwLEM0tDbRa4+J2vORAOgt4EaY2G7
 OxEQoxdX380Cug94pJtupGhZmvkLPa/slnoOHoL2X1IfhD52k0xORVRPFy4nSaV0
 f2zOjhPNHCE5ZOnHZshgUjtPUqglJlsBKBlWnXE0EZLBk0jbZO0oRWNEtXZRS3Tp
 GQQEqtG46gEuGJcJ6F1f9bDCLJ6KAdCmHMK3weY7niDSem84p35I76xfM/oGHYmb
 Y5CgQXDys2STXshw9mAeSUfn4QfYW9JZvQAWGrTYM/y4/hbQKsi8jfbqSYinWcjm
 qfBH/nEAqKGgVEmQ4jLlWIa7/Lr0WsirdZZmhBXZcgkfg6+gUP6uw+kDJprqd385
 45mVu1AldLKVV4jBhAahuSLGdv8CErndGqVckVHaSPtl4XJxhZmemPJB4JAbczdM
 LZiQwRuVeYZC+ssQotr2ov5pzWg3n6IzFW6Zt0T7YWmluOAy9vTfm29IdUV7nxKl
 Ht6sm4vLLMtB3snHvLdpTOAXxTJ66J2IqpRGhIgNu71dKLjFU5IEgj5oddw38iiG
 sY2CA6DfWSwRmPfaVsH/F8o/T0vONQ9SrX40459UNADm81qvu70IuR8cr8b4xKXX
 vC9SwuNBO1upONNkX/4B
 =VH6g
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches

# gpg: Signature made Wed 30 Apr 2014 19:19:32 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (31 commits)
  curl: Fix hang reading from slow connections
  curl: Ensure all informationals are checked for completion
  curl: Eliminate unnecessary use of curl_multi_socket_all
  curl: Remove unnecessary explicit calls to internal event handler
  curl: Remove erroneous sleep waiting for curl completion
  curl: Fix return from curl_read_cb with invalid state
  curl: Remove unnecessary use of goto
  curl: Fix long line
  block/vdi: Error out immediately in vdi_create()
  block/bochs: Fix error handling for seek_to_sector()
  qcow2: Check min_size in qcow2_grow_l1_table()
  qcow2: Catch bdrv_getlength() error
  block: Use correct width in format strings
  qcow2: Avoid overflow in alloc_clusters_noref()
  block: Use error_abort in bdrv_image_info_specific_dump()
  block: Fix open_flags in bdrv_reopen()
  Revert "block: another bdrv_append fix"
  block: Unlink temporary files in raw-posix/win32
  block: Remove BDRV_O_COPY_ON_READ for bs->file
  block: Create bdrv_backing_flags()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-02 10:50:58 +01:00
Peter Maydell
c090c10dc4 Add helpers for enabling kvm capabilities and convert the existing
s390x and ppc users to use them.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJTYP89AAoJEN7Pa5PG8C+vUfMQAKK+UnRTpwWXfZNk1XqdV5Mh
 enVYA0tAICNLAXDeZy3mWjj5Es2xgNxvAQ1QHAXzaVZqRB6KXwYgko2uadWedHon
 lZWvuWQfYWiKVQug7AU0+/mlZvSgBJEs4gw6l9Z5Ik0q/7y/8jXjlEqZ9WaaQ+Kg
 D3JRRqghalmDSmVlhFjNkRSxBO3CjZkeyVs4rCZH97blLaioMkrz/u02wvt15sX5
 RX+25bvq9wgjT1NAuYYKfEBtikE7fb8AR1Et3GMEWDYqrgPfMDJft3/L0gMDvDQk
 qO1BWwXy76PEgxl56fDURZhDfRFsWDLv8j3NaZ+Gu8EkLvOgNNlFHKuEshIIqRII
 XC48jAiXJlSPo/Nk4DSsN32phLCSAcniwGov0X8R2Q5PxKGL2RNaOGpx/veBj34p
 4TVOqEYaC6flYOTSPikFpaEe4C5E6CzFzkaaYJ8yKDaOG0kqkYkxMlbwG+cIUwjK
 fr5AgwjZS4FpgrsNU1p2/b8rqYB9QYu6PMb8mGOF1zCjvbN4tQwInJO8uri8i78Y
 +mPZ9nNCcjEmxjwaGIy9PYqZFgkPSe40t7793osP9NJTCp9RHaQTZ2AWNjontsO9
 8Pjnqq6WCtcigZKjqSI3Oak61rcCxRqOd2LcLNaWSvvonokl3QtH6yXwxK6ekVfM
 Eqy1m+/HnpEtZ4ZWVelI
 =4kuj
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/cohuck/tags/kvm_cap_helpers' into staging

Add helpers for enabling kvm capabilities and convert the existing
s390x and ppc users to use them.

# gpg: Signature made Wed 30 Apr 2014 14:48:45 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/kvm_cap_helpers:
  ppc: use kvm_vcpu_enable_cap()
  s390x: use kvm_vcpu_enable_cap()
  kvm: add kvm_{vm,vcpu}_enable_cap

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 17:32:25 +01:00
Peter Maydell
87f6ede9bb vga: add secondary stdvga variant
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTXhtQAAoJEEy22O7T6HE46UAQAJF1fXDHXSUDDU5XoW6vwmfN
 L6Eb85CxIv2iUrY4uX4VceBl2pLYW4hd2ElcihN7Hdk7/j4XeiytTKndYwOym9V6
 roowKf3urYk6vHxGCEQX1ME2VFt2FfpqmqUePdXjeFc4zdVxHHH7zD67doOTU2tx
 xOyhP/H8NvxUWyFhlFgTNiHMP4c9nG4lDEzvYubxVGWBWr1C5qNGqvc3o6wnT3bc
 Tr6JyANLIrxX4VIZFxif/ncnP3VAZeQLWpnsnj48liql0j7B1UdvXSllR9jKbSn8
 r3O9EHSgLpZGnqBx9OesjXO1CEVfpix3VkSax0ylbrWv2IgX5hzLwitd7g68Y2j2
 eVSfYLmWkD9taRkze2wtTwF3mAgPGDbRrg3GW5edeRLuFzzPTEHNl9Xx4AsaUWdk
 ioB1AuYKsWgFBd0IBT6aT21/2Eh3c6d8d8ziU4cZSh1IJ5JllzhuF07k0bH4KM82
 1Kl2fN5De8x3QS5fZPCOTHiJSyHZvAQZr5KTqi/bASYI1jY0dnoKa0+Eq4w67LJY
 yGhomZmIUI9s5dy5KuARmQpuXQwXsE8J77+8fNLNIsCb1kZbUG2ONE0VBTTooWuE
 eDy+pp0FfjV064UbtnFNIzTVkgaWfYUlM6G4Mae9GZaakn8w/J0Bnl+SbIkRnuPJ
 1N/W/OeJ2m0h3qegYShb
 =iuHp
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-2' into staging

vga: add secondary stdvga variant

# gpg: Signature made Mon 28 Apr 2014 10:11:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-2:
  add secondary-vga to display-vga test
  add display-vga test
  vga: add secondary stdvga variant
  vga: allow non-global vmstate

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 16:02:45 +01:00
Peter Maydell
f42c5c8ec8 hw/arm/virt: Add support for Cortex-A57
Support the Cortex-A57 in the virt machine model.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-4-git-send-email-peter.maydell@linaro.org
2014-05-01 15:25:52 +01:00
Peter Maydell
3078e848fa hw/arm/virt: Put GIC register banks on 64K boundaries
For an AArch64 CPU which supports 64K pages, having the GIC
register banks at 4K offsets is potentially awkward. Move
them out to being at 64K offsets. (This is harmless for
AArch32 CPUs and for AArch64 CPUs with 4K pages, so it is simpler
to use the same offsets everywhere than to try to use 64K offsets
only for AArch64 host CPUs.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-3-git-send-email-peter.maydell@linaro.org
2014-05-01 15:25:52 +01:00
Peter Maydell
6420474384 hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
Rather than having the virt machine model create an a15mpcore_priv
device regardless of the actual CPU type in order to instantiate the GIC,
move to having the machine model create the GIC directly. This
corresponds to a system which uses a standalone GIC (eg the GIC-400)
rather than the one built in to the CPU core.

The primary motivation for this is to support the Cortex-A57,
which for a KVM configuration will use a GICv2, which is not
built into the CPU.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-2-git-send-email-peter.maydell@linaro.org
2014-05-01 15:24:46 +01:00
Edgar E. Iglesias
37f0806ed9 target-arm: Correct a comment refering to EL0
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1398926097-28097-5-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:46 +01:00
Edgar E. Iglesias
6ab9f49934 target-arm: A64: Fix a typo when declaring TLBI ops
Harmless typo as opc1 defaults to zero and opc2 gets
re-declared to its correct value.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1398926097-28097-4-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:46 +01:00
Edgar E. Iglesias
1b505f93bc target-arm: A64: Handle blr lr
For linked branches, updates to the link register happen
conceptually after the read of the branch target register.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Cc: qemu-stable@nongnu.org
Message-id: 1398926097-28097-3-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:45 +01:00
Edgar E. Iglesias
fed3ffb9f1 target-arm: Make vbar_write 64bit friendly on 32bit hosts
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1398926097-28097-2-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:45 +01:00
Rob Herring
252ec40576 target-arm: implement WFE/YIELD as a yield for AArch64
Like was done for AArch32 for WFE, implement both WFE and YIELD as a
yield operation. This speeds up multi-core system emulation.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
Message-id: 1397588401-20366-1-git-send-email-robherring2@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:45 +01:00
Rabin Vincent
e3da9921eb armv7m_nvic: fix CPUID Base Register
cp15.c0_cpuid is never initialized for ARMv7-M; take the value directly
from cpu->midr instead.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Message-id: 1398036308-32166-1-git-send-email-rabin@rab.in
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:44 +01:00
Peter Maydell
3b77157964 target-arm: Implement XScale cache lockdown operations as NOPs
XScale defines some implementation-specific coprocessor registers
for doing cache lockdown operations. Since QEMU doesn't model a
cache no proper implementation is possible, but NOP out the
registers so that guest code like u-boot that tries to use them
doesn't crash.

Reported-by: <prqek@centrum.cz>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 15:24:44 +01:00
Peter Maydell
051b9980b9 gtk: collection of fixes and cleanups by Cole Robinson
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTX3SMAAoJEEy22O7T6HE4unAQAK1fhwAdvZxA/zwsTAMhKpIF
 rhhbJvSk8Vf6Nklob+iTTvUk6epHqmWi/cU/8D2u6H7pjaJFpvuusP327htPW8M7
 EYyDnICGWFcGSvilqvE/hIEG/Fwpyz7AHPOBv/csoU5u6EN1lPO4fqyvzWEuyDMg
 H5ouYJDBTfp/sqCQRrZzii/9sCcwjRL2gmvDLeP5zGLvog9WtdbzG/jbGpoGC5cn
 fVUfieXRA0o183x8GCe33EAsyndrObPtItpGj2dCLfi2jW50UyXibj8JSh4HOzYU
 RfMmnMKDbSFhmnRPtJxavE6Ekg+ZEUN9KbiIqlcLj4EXRizmgIQc8j6Fa5a0pCJj
 hiINR/BV4rMPgEtiEPiYslgoi6H4e+AuGMgy7RtkHnnlnIDTwuEP9sgtlPpFNJ/x
 l33qIcbT5/PKREy/vhlAlQnu9ZRKbHgisewEfw8yP8iD3Yg5mqb6dxuz7wKhWccZ
 bKYQX3XOHtkbGX2guo6KZz7mq4NIUO0kB/4GU1Qd7MC89E3LmghwFdlHbtcvZ7Tt
 JsAjh+1M/+SVrOj8VGWHqdafVq0ifEdsuE5U0NVXkivIo/g181ckpP2YmPByhcLS
 +IXQX5q7w+40/wWhtRHlKz58CgpDE4w6m90jRnurDvSCXBLSXnV+jFqgQRAYQLfE
 zycUI0InTiCcPb0nKhv3
 =EjaT
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-6' into staging

gtk: collection of fixes and cleanups by Cole Robinson

# gpg: Signature made Tue 29 Apr 2014 10:44:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-6:
  gtk: Fix accelerators being triggered twice with gtk3
  gtk: Fix -serial vc
  gtk: Use ctrl+alt+q for quit accelerator
  gtk: Remove use of deprecated stock items
  gtk: Don't use deprecated vte_terminal_get_adjustment
  gtk: Don't use deprecated gtk_image_menu_item_new_with_mnemonic
  configure: Re-run make if gtkabi/sdlabi is changed
  configure: Document --with-gtkabi

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 14:17:33 +01:00
Peter Maydell
52b08670e2 sdl2: mouse wheel support, ui config notify
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTX3wdAAoJEEy22O7T6HE4PQoQALJY6k95iB9a/tuLH+kV226E
 ICERL0sQqAa9IKBtNmtbsIyDSt2LnsTNZQLOpihxZ1/En+xtt47e2Ojr8lGi4E9v
 JK3isfbiHrxANJdR3Fw0J1RPjvR+bx/xHV1s7TO+vmq9Ooy8xiAT1S9RrmxElq24
 J23IV6OH0e4OtzGXf8gxyOcoelIAXNCLPFYDISzE/imxFtyZi71zVzLZ75VooE1m
 d5kg2qA+07Nk5uslzJx/dip+s1d1hODqS7oZoS20M4S/8OkeMwzE7R1VLawsi6Vh
 Bonc+XzRL19+fNgixXGZlPy94xFAgDqZOgIYyBpExluM44n1b7pi1CuxBibZ/GN5
 2lKIIWPnH+Nw+r1pO45U7j6D5zk21HO1MiY52BaOif8achiWfPD+KnjbdYx66uPa
 SGwvD7hudXT5btp5GyKk2S/57b3PDO19bidKKE8ZjyNgWfOcRxT1kwZvOKUaYe6w
 Dgx2C8MmQ55YtcKhCwQWwcUBpGi4/UHWu8lMC2mP79rdERD0ALcTsWkfRCSsYla0
 5WT9u6GkkRQhcRZ1bJZrUjMq0Hpr4KxCbLj4fcsKbNiFwk54oxSRYmWyrZKLq7BP
 FNO75UggvRvmu59Upbq+1lVokcTnoaiHKzjmc0Ypi5t+iJu6znTblJBMiqyQb1Em
 MA72SbqrWXyAJJeQos7M
 =ERvz
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-2' into staging

sdl2: mouse wheel support, ui config notify

# gpg: Signature made Tue 29 Apr 2014 11:17:01 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-2:
  sdl2: Support mouse wheel
  sdl2: add ui info setting.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 13:51:23 +01:00
Peter Maydell
61e5b75c17 hda-audio: fix non-mixer codecs
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTX2rwAAoJEEy22O7T6HE4JLcP/1bqf2Sx+tGA0mgVtWgkgemA
 FHZLPmrtZOYe6WL1opcB7wgSmQPw+i4RHB8/tBg4t7h8d2d+3kb1zUFkAjpDaJkL
 x0veR4ulkGFskQNe0V6gEuo9jfhicunfUTtv3nnI1H3DwnqJ2dFG58nqzNpL1tQK
 Cu0lSaj0oLthUxtBkH8n+V0xW8vlUuRu2xamO+m4l2JLq4cCU1pmlNjbVpssngE3
 IsNgyCI6BXCWtxIk55Fn//eXWkDD42k5U1jRhX3Xg/Jc0x0cYlul37ZjJpWzio8m
 VmD2coPLQ6fDYFnNUWiv8VDSRqdQopBWL86/TK4ewTNCDA93Dy8oWvTdmXlLPQnG
 DjFa27xnbarwF+ezLbHauucW9MOBOk4/V40F/CmCfHbrYLzfe5vHKXdshmOFTJGX
 S9/6AqgjbVlBfDU8P/7V8W117pLK5Pz7zE2eqCoke5dOokoBCkLoXz1Dp0gvurg6
 8mMZwx4Q5SBhBY0edgaJquh/vP/kISafOEpMaBzOpYBNgoMeyBhp6Q1p4UyBDIzP
 qEiU+n30zTP+AiP88+YuQ4kh+epYUpE8DNLy5oZPsIuwgtRfFaaizZIUBD0+HwXi
 aVOF5PLW0YNAiow1lj4nyDmZcPRLHoAdlEZxpxoQkHgp6tD9Dwq8NGDnfm91YRLL
 QjQqmDg/GaXzWyjrTMkl
 =Utj1
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-4' into staging

hda-audio: fix non-mixer codecs

# gpg: Signature made Tue 29 Apr 2014 10:03:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-audio-4:
  hda-audio: fix non-mixer codecs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-01 13:05:54 +01:00
Matthew Booth
b7079df410 curl: Fix hang reading from slow connections
When receiving a new aio read request, we first look for an existing
transaction whose range will cover the read request by the time it
completes. However, we weren't checking that the existing transaction
was still active. If it had timed out, we were adding the request to a
transaction which would never complete and had already been cancelled,
resulting in a hang.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:21 +02:00
Matthew Booth
1f2cead324 curl: Ensure all informationals are checked for completion
According to the documentation, the correct way to ensure all
informationals have been returned by curl_multi_info_read is to loop
until it returns NULL.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:18 +02:00
Matthew Booth
838ef60249 curl: Eliminate unnecessary use of curl_multi_socket_all
curl_multi_socket_all is a deprecated catch-all which checks for
activities on all open curl sockets. We have enough information from
the event loop to check only the sockets with activity. This change
removes use of curl_multi_socket_all in favour of
curl_multi_socket_action called with the relevant handle.

At the same time, it also ensures that the driver only checks for
completion of read operations after reading from a socket, rather than
both reading and writing.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:16 +02:00
Matthew Booth
b69cdef876 curl: Remove unnecessary explicit calls to internal event handler
Remove calls to curl_multi_do where the relevant handles are already
registered to the event loop.

Ensure that we kick off socket handling with CURL_SOCKET_TIMEOUT after
adding a new handle.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:14 +02:00
Matthew Booth
e466183718 curl: Remove erroneous sleep waiting for curl completion
The driver will not start more than a fixed number of curl sessions.
If it needs more, it must wait for the completion of an existing one.
The driver was sleeping, which will prevent the main loop from
running, and therefore the event it's waiting on. It was also directly
calling its internal handler rather than waiting on existing
registered handlers to be called from the main loop.

This change causes it simply to wait for a period of time whilst
allowing the main loop to execute.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:11 +02:00
Matthew Booth
38bbc0a580 curl: Fix return from curl_read_cb with invalid state
A curl write callback is supposed to return the number of bytes it
handled.  curl_read_cb would have erroneously reported it had handled
all bytes in the event that the internal curl state was invalid.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:08 +02:00
Matthew Booth
9e550b3260 curl: Remove unnecessary use of goto
This isn't any of the usually acceptable uses of goto.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:34:06 +02:00
Matthew Booth
f6246509be curl: Fix long line
Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 16:33:39 +02:00
Max Reitz
0549ea8b6d block/vdi: Error out immediately in vdi_create()
Currently, if an error occurs during the part of vdi_create() which
actually writes the image, the function stores -errno, but continues
anyway.

Instead of trying to write data which (if it can be written at all) does
not make any sense without the operations before succeeding (e.g.,
writing the image header), just error out immediately.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
Max Reitz
e1b42f456f block/bochs: Fix error handling for seek_to_sector()
Currently, seek_to_sector() returns -1 both for errors and unallocated
sectors, resulting in silent errors. As 0 is an invalid offset of data
clusters (bitmap_offset is greater than 0 because s->data_offset is
greater than 0), just return 0 for unallocated sectors and -errno in
case of error. This should then be propagated by bochs_read(), the sole
user of seek_to_sector().

That function also has a case of "return -1 in case of error", which is
fixed by this patch as well.

bochs_read() is called by bochs_co_read() which passes the return value
through, therefore it is indeed correct for bochs_read() to return
-errno.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
Max Reitz
b93f995081 qcow2: Check min_size in qcow2_grow_l1_table()
First, new_l1_size is an int64_t, whereas min_size is a uint64_t.
Therefore, during the loop which adjusts new_l1_size until it equals or
exceeds min_size, new_l1_size might overflow and become negative. The
comparison in the loop condition however will take it as an unsigned
value (because min_size is unsigned) and therefore recognize it as
exceeding min_size. Therefore, the loop is left with a negative
new_l1_size, which is not correct. This could be fixed by making
new_l1_size uint64_t.

On the other hand, however, by doing this, the while loop may take
forever. If min_size is e.g. UINT64_MAX, it will take new_l1_size
probably multiple overflows to reach the exact same value (if it reaches
it at all). Then, right after the loop, new_l1_size will be recognized
as being too big anyway.

Both problems require a ridiculously high min_size value, which is very
unlikely to occur; but both problems are also simply avoided by checking
whether min_size is sane before calculating new_l1_size (which should
still be checked separately, though).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
Max Reitz
a49139af77 qcow2: Catch bdrv_getlength() error
The call to bdrv_getlength() from qcow2_check_refcounts() may result in
an error. Check this and abort if necessary.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
Max Reitz
521b2b5df0 block: Use correct width in format strings
Instead of blindly relying on a normal integer having a width of 32 bits
(which is a pretty good assumption, but we should not rely on it if
there is no need), use the correct format string macros.

This does not touch DEBUG output.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:17 +02:00
Max Reitz
91f827dcff qcow2: Avoid overflow in alloc_clusters_noref()
alloc_clusters_noref() stores the cluster index in a uint64_t. However,
offsets are often represented as int64_t (as for example the return
value of alloc_clusters_noref() itself demonstrates). Therefore, we
should make sure all offsets in the allocated range of clusters are
representable using int64_t without overflows.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 14:46:13 +02:00
Cornelia Huck
48add816cf ppc: use kvm_vcpu_enable_cap()
Convert existing users of KVM_ENABLE_CAP to new helper.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-04-30 14:39:58 +02:00
Cornelia Huck
e080f0fdff s390x: use kvm_vcpu_enable_cap()
Make kvm_s390_enable_css_support() use new interface.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-04-30 14:39:49 +02:00
Cornelia Huck
40f1ee27aa kvm: add kvm_{vm,vcpu}_enable_cap
Provide helper functions for enabling capabilities (on a vcpu and on a vm).

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-04-30 14:39:39 +02:00
Max Reitz
35d0d40a03 block: Use error_abort in bdrv_image_info_specific_dump()
Currently, bdrv_image_info_specific_dump() uses an error variable for
visit_type_ImageInfoSpecific, but ignores the result. As this function
is used here with an output visitor to transform the ImageInfoSpecific
object to a generic QDict, an error should actually be impossible. It is
however better to assert that this is indeed the case. This is done by
this patch using error_abort instead of an unused local Error variable.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-04-30 12:43:30 +02:00
Kevin Wolf
f1f25a2e2e block: Fix open_flags in bdrv_reopen()
Use the same function as bdrv_open() for determining what the right
flags for bs->file are. Without doing this, a reopen means that
bs->file loses BDRV_O_CACHE_WB or BDRV_O_UNMAP if bs doesn't have it as
well.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2014-04-30 11:05:00 +02:00
Kevin Wolf
7e3d98dd31 Revert "block: another bdrv_append fix"
This reverts commit 3a389e7926. The commit
was wrong and what it tried to fix just works today without any change.

What the commit tried to fix:

    When creating live snapshots, the new image file is opened with
    BDRV_O_NO_BACKING because the whole backing chain is already opened.
    It is then appended to the chain using bdrv_append(). The result of
    this was that the image had a backing file, but BDRV_O_NO_BACKING
    was still set. This is obviously inconsistent.

    There used to be some places in qemu that closed and image and then
    opened it again, with its old flags (a bdrv_open()/close() sequence
    involves reopening the whole backing file chain, too). In this case
    the BDRV_O_NO_BACKING flag meant that the backing chain wasn't
    reopened and only the top layer was left.

    (Most, but not all of these places are replaced by bdrv_reopen()
    today, which doesn't touch the backing files at all.)

    Other places that looked at bs->open_flags weren't interested in
    BDRV_O_NO_BACKING, so no breakage there.

What it actually did:

    The commit moved the BDRV_O_NO_BACKING away to the backing file.
    Because the bdrv_open()/close() sequences only looked at the flags
    of the top level BlockDriverState and used it for the whole chain,
    the flag didn't hurt there any more. Obviously, it is still
    inconsistent because the backing file may have another backing file,
    but without practical impact.

    At the same time, it swapped all other flags. This is practically
    irrelevant as long as live snapshots only allow opening the new
    layer with the same flags as the old top layer. It still doesn't
    make any sense, and it is a time bomb that explodes as soon as the
    flags can differ.

    bdrv_append_temp_snapshot() is such a case: It adds the new flag
    BDRV_O_TEMPORARY for the temporary snapshot. The swapping of commit
    3a389e79 results in the following nonsensical configuration:

    bs->open_flags:                     BDRV_O_TEMPORARY cleared
    bs->file->open_flags:               BDRV_O_TEMPORARY set
    bs->backing_hd->open_flags:         BDRV_O_TEMPORARY set
    bs->backing_hd->file->open_flags:   BDRV_O_TEMPORARY cleared

    We're still lucky because the format layer ignores the flag and the
    protocol layer happens to get the right value, but sooner or later
    this is bound to go wrong...

What the right fix would have been:

    Simply clear the BDRV_O_NO_BACKING flag when the BlockDriverState is
    appended to an existing backing file chain, because now it does have
    a backing file.

    Commit 4ddc07ca already implemented this silently in bdrv_append(),
    so we don't have to come up with a new fix.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2014-04-30 11:05:00 +02:00