Commit Graph

378 Commits

Author SHA1 Message Date
Michael S. Tsirkin
a9c380db3b ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
Peter Crosthwaite
1a7d9ee6dd ssi: Convert legacy SSI_SLAVE -> DEVICE casts
Convert legacy ->qdev style casts from TYPE_SSI_SLAVE to TYPE_DEVICE.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
[AF: Introduce local DeviceState variable for transition to QOM realize]
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-03-12 20:13:02 +01:00
Peter Maydell
61e8a92364 QOM infrastructure fixes and device conversions
* QTest cleanups and test cases for PCI NICs
 * NAND fix for "info qtree"
 * Cleanup and extension of QOM machine tests
 * IndustryPack test cases and conversion to QOM realize
 * I2C cleanups
 * Cleanups of legacy qdev properties
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTAooJAAoJEPou0S0+fgE/SuQQALW3zvra4ZLRAQV0e8kFoyj1
 vVtmLkDhnCe4cYfxxfOX91NA0rH1ts2EO1+UcnaCHJlptNWfA+8qJW69XgYpHE3c
 DKQlKPL/9pV5ywY5uUw/t1UJHg2BfrLBDDM4lP+vrpwiQYq4kp24JffnhfY3l9MA
 9qdkXu1HrlWoLRVGnMyGDXI8cb+5bTL+FEc6UuHl3P89/gj5BV+LDWn0QOFbAkxq
 4wk+Xh6sHKcfOdq6vMCNGlTjlJnpbY43D1a8+q6hFGG8JBlpne7Oer7bse9k4uTK
 q/CzyNzC0lnjjcULpa4ptRlycH0ruD9DPY7Lco9XqYd3l/c9742PmTEqN5TZseKD
 XD7+hwT1tk7W8rihm8KETCP6sKlXz4w8tJiWe6IT3zwRzvXIolxxK93heQuaX73Z
 HFDmvTPVLUiWF8ftKTyWZM3w+jsbSH0QSrMCIHKJrPTRWTKphx0DUP74lWjNsvGs
 FFBjpAgrflLihxiuRrcLmekGn0xCTjhQWIo2GoiWTgLSEHNQQQUNO+15/kcU/vlI
 hh3DJpiBKeSnUapHHL0OEK6ryeHoG95akiRjImwWVthNLk4KEuWtlhFPYBtulO5A
 PA02trE4Ah769effX0ZYdNl23KbW4VxpZ8VZv+kp7RTrDKxw551HoEFJ5ja0nkvB
 O1CfsE7x0GH/Rbi/Hxhu
 =KRcc
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging

QOM infrastructure fixes and device conversions

* QTest cleanups and test cases for PCI NICs
* NAND fix for "info qtree"
* Cleanup and extension of QOM machine tests
* IndustryPack test cases and conversion to QOM realize
* I2C cleanups
* Cleanups of legacy qdev properties

# gpg: Signature made Mon 17 Feb 2014 22:15:37 GMT using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter: (49 commits)
  qtest: Include system headers before user headers
  qapi: Refine human printing of sizes
  qdev: Use QAPI type names for properties
  qdev: Add enum property types to QAPI schema
  block: Handle "rechs" and "large" translation options
  qdev: Remove hex8/32/64 property types
  qdev: Remove most legacy printers
  qdev: Use human mode in "info qtree"
  qapi: Add human mode to StringOutputVisitor
  qdev: Inline qdev_prop_parse()
  qdev: Legacy properties are just strings
  qdev: Legacy properties are now read-only
  qdev: Remove legacy parsers for hex8/32/64
  qdev: Sizes are now parsed by StringInputVisitor
  qapi: Add size parser to StringInputVisitor
  qtest: Don't segfault with invalid -qtest option
  ipack: Move IndustryPack out of hw/char/
  ipoctal232: QOM parent field cleanup
  ipack: QOM parent field cleanup for IPackDevice
  ipack: QOM parent field cleanup for IPackBus
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-02-20 13:05:48 +00:00
Paolo Bonzini
c7bcc85d66 qdev: Remove hex8/32/64 property types
Replace them with uint8/32/64.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-02-14 21:12:04 +01:00
Kevin Wolf
1a838745b8 sdhci: Drop unnecessary #include
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-02-14 13:04:56 +01:00
Markus Armbruster
837d37167d sysbus: Set cannot_instantiate_with_device_add_yet
device_add plugs devices into suitable bus.  For "real" buses, that
actually connects the device.  For sysbus, the connections need to be
made separately, and device_add can't do that.  The device would be
left unconnected, and could not possibly work.

Quite a few, but not all sysbus devices already set
cannot_instantiate_with_device_add_yet in their class init function.

Set it in their abstract base's class init function
sysbus_device_class_init(), and remove the now redundant assignments
from device class init functions.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-12-23 00:27:22 +01:00
Markus Armbruster
efec3dd631 qdev: Replace no_user by cannot_instantiate_with_device_add_yet
In an ideal world, machines can be built by wiring devices together
with configuration, not code.  Unfortunately, that's not the world we
live in right now.  We still have quite a few devices that need to be
wired up by code.  If you try to device_add such a device, it'll fail
in sometimes mysterious ways.  If you're lucky, you get an
unmysterious immediate crash.

To protect users from such badness, DeviceClass member no_user used to
make device models unavailable with -device / device_add, but that
regressed in commit 18b6dad.  The device model is still omitted from
help, but is available anyway.

Attempts to fix the regression have been rejected with the argument
that the purpose of no_user isn't clear, and it's prone to misuse.

This commit clarifies no_user's purpose.  Anthony suggested to rename
it cannot_instantiate_with_device_add_yet_due_to_internal_bugs, which
I shorten somewhat to keep checkpatch happy.  While there, make it
bool.

Every use of cannot_instantiate_with_device_add_yet gets a FIXME
comment asking for rationale.  The next few commits will clean them
all up, either by providing a rationale, or by getting rid of the use.

With that done, the regression fix is hopefully acceptable.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-12-23 00:27:22 +01:00
Andreas Färber
794cbc26eb sd: Avoid access to NULL BlockDriverState
Commit 4f8a066b5f (blockdev: Remove IF_*
check for read-only blockdev_init) added a usage of bdrv_is_read_only()
to sd_init(), which is called for versatilepb, versatileab and
xilinx-zynq-a9 machines among others with NULL argument by default,
causing the new qom-test to fail.

Add a check to prevent this.

Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-17 10:15:18 +02:00
Kevin Wolf
4f8a066b5f blockdev: Remove IF_* check for read-only blockdev_init
IF_NONE allows read-only, which makes forbidding it in this place
for other types pretty much pointless.

Instead, make sure that all devices for which the check would have
errored out check in their init function that they don't get a read-only
BlockDriverState. This catches even cases where IF_NONE and -device is
used.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2013-10-11 16:50:01 +02:00
Alex Bligh
bc72ad6754 aio / timers: Switch entire codebase to the new timer API
This is an autogenerated patch using scripts/switch-timer-api.

Switch the entire code base to using the new timer API.

Note this patch may introduce some line length issues.

Signed-off-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-08-22 19:14:24 +02:00
Andreas Färber
630f444268 pl181: QOM cast cleanup
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:07:00 +02:00
Andreas Färber
1d998d93ac pl181: Rename pl181_state to PL181State
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:07:00 +02:00
Andreas Färber
7a239e46f7 milkymist-memcard: QOM cast cleanup
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:07:00 +02:00
Peter Maydell
8827b0fb66 sd/pl181.c: Avoid undefined shift behaviour in RWORD macro
Add a cast to avoid potentially shifting into the sign bit of
a signed value, which is undefined behaviour in C.

(Detected with clang's -fsanitize=undefined.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1372341831-4264-1-git-send-email-peter.maydell@linaro.org
2013-07-15 16:17:30 +01:00
Paolo Bonzini
2977673992 hw/s*: pass owner to memory_region_init* functions
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:48 +02:00
Paolo Bonzini
2c9b15cab1 memory: add owner argument to initialization functions
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:44 +02:00
liguang
6790f59da3 sd: pass bool parameter for sd_init
Signed-off-by: liguang <lig.fnst@cn.fujitsu.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-06-21 22:52:50 +04:00
Paolo Bonzini
df32fd1c9f dma: eliminate DMAContext
The DMAContext is a simple pointer to an AddressSpace that is now always
already available.  Make everyone hold the address space directly,
and clean up the DMA API to use the AddressSpace directly.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-06-20 16:39:52 +02:00
Peter Crosthwaite
37ab4a5668 sd/sd.c: Fix "inquiry" ACMD41
QEMU models two (of the three) ACMD41 has two modes, "inquiry" and
"first". The selection logic for which of the two is incorrect - it
compares != 0 for the entire argument value rather than only bits 23:0
as per the spec. Fix.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 3ef0a7fd1b2f3ebb23b4fdeabcc14caf3fad6d71.1369622254.git.peter.crosthwaite@xilinx.com
Reviewed-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-06-03 17:17:45 +01:00
Peter Crosthwaite
1d32c26f28 sd/sdhci:ADMA: fix interrupt
The end of transfer check was occurring and potentially returning before
the interrupt flag was checked. This means the interrupt will be missed
if it occurs on the last packet. Fix by checking for the interrupt
before checking for the end of transfer.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Message-id: 9969ec154777957ec738fc4e539d68e7494d0081.1369370934.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-06-03 17:17:45 +01:00
Peter Crosthwaite
677ff2ae66 sd/sdhci.c: Fix bdata_read DPRINT message
This message was printing out the data in decimal only, which is not
very friendly to the debugging developer. Add hex variant in
parenthesis to make it consistent with other similar messages in this
module.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: d624179649137832eaa8caa263ef9589b4395d5e.1369370934.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-06-03 17:17:45 +01:00
Peter Crosthwaite
dcdb4cd850 sd/sdhci: Fix Buffer Write Ready interrupt
This interrupt is not risen after the last block is written to sd. It
is mutually exclusive with the end of transfer conditions. Fix.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Message-id: 7ca9fd3e03ce1bec94aff08f607c15a0ec3d3371.1369370934.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-06-03 17:17:44 +01:00
Peter Crosthwaite
656f416c65 sd/sdhci.c: Only reset data_count on new commands
The data_count variable was being reset on every transfer, including
DMA transfer resumptions. This is incorrect, it should only be set
on a new command.

Manifests as a bug when using ADMA and there is a timer delay between
ADMA frames where the fifo is left in a non empty state.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Message-id: 15a98609cc32315211b0963091a8efd67522e160.1369370934.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-06-03 17:17:44 +01:00
Peter Maydell
e03ba13637 Typo, spelling and grammatical fixes
Minor fixes to documentation and code comments.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-04-12 14:33:20 +02:00
Paolo Bonzini
47b43a1f41 hw: move private headers to hw/ subdirectories.
Many headers are used only in a single directory.  These can be
kept in hw/.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:16 +02:00
Paolo Bonzini
8ac5c6510b hw: move SD/MMC devices to hw/sd/, configure with default-configs/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:14 +02:00
Paolo Bonzini
49ab747f66 hw: move target-independent files to subdirectories
This patch tackles all files that are compiled once, moving
them to subdirectories of hw/.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:12 +02:00
Paolo Bonzini
1fd6bb44ed hw: make subdirectories for devices
Prepare the new directory structure.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:11 +02:00