Commit Graph

312 Commits

Author SHA1 Message Date
Ivanov Arkady
227b45dc42 contrib/plugins: add a drcov plugin
This patch adds the ability to generate files in drcov format. Primary
goal this script is to have coverage logfiles thatwork in Lighthouse.

Signed-off-by: Ivanov Arkady <arkadiy.ivanov@ispras.ru>
Message-Id: <163491884553.304355.13246023070235438959.stgit@pc-System-Product-Name>
[AJB: use g_ptr_array instead of slist]
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220204204335.1689602-23-alex.bennee@linaro.org>
2022-02-09 12:08:42 +00:00
Paolo Bonzini
b962a1d507 meson: build contrib/ executables after generated headers
This will be needed as soon as config-poison.h moves from configure to
a meson custom_target (which is built at "ninja" time).

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-01-12 14:09:06 +01:00
Mahmoud Mandour
447f935674 plugins/cache: make L2 emulation optional through args
By default L2 is not enabled and is enabled by either using the
newly-introduced "l2" boolean argument, or by setting any of the L2
cache parameters using args. On specifying "l2=on", the default cache
configuration is used.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210810134844.166490-5-ma.mandourr@gmail.com>
Message-Id: <20211026102234.3961636-17-alex.bennee@linaro.org>
2021-11-04 10:32:01 +00:00
Mahmoud Mandour
53366adf9c plugins/cache: split command line arguments into name and value
This way of handling args is more lenient and sets a better framework to
parse boolean command line arguments.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210810134844.166490-4-ma.mandourr@gmail.com>
Message-Id: <20211026102234.3961636-16-alex.bennee@linaro.org>
2021-11-04 10:32:01 +00:00
Mahmoud Mandour
14f3110a99 plugins/cache: implement unified L2 cache emulation
This adds an implementation of a simple L2 configuration, in which a
unified L2 cache (stores both blocks of instructions and data) is
maintained for each core separately, with no inter-core interaction
taken in account. The L2 cache is used as a backup for L1 and is only
accessed if the wanted block does not exist in L1.

In terms of multi-threaded user-space emulation, the same approximation
of L1 is done, a static number of caches is maintained, and each and
every memory access initiated by a thread will have to go through one of
the available caches.

An atomic increment is used to maintain the number of L2 misses per
instruction.

The default cache parameters of L2 caches is:

    2MB cache size
    16-way associativity
    64-byte blocks

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210810134844.166490-3-ma.mandourr@gmail.com>
Message-Id: <20211026102234.3961636-15-alex.bennee@linaro.org>
2021-11-04 10:32:01 +00:00
Mahmoud Mandour
ad039c506e plugins/cache: freed heap-allocated mutexes
Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210810134844.166490-2-ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211026102234.3961636-14-alex.bennee@linaro.org>
2021-11-04 10:32:01 +00:00
Peter Maydell
f015cbb546 elf2dmp: Fail cleanly if PDB file specifies zero block_size
Coverity points out that if the PDB file we're trying to read
has a header specifying a block_size of zero then we will
end up trying to divide by zero in pdb_ds_read_file().
Check for this and fail cleanly instead.

Fixes: Coverity CID 1458869
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Message-id: 20210910170656.366592-3-philmd@redhat.com
Message-Id: <20210901143910.17112-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-09-20 09:54:32 +01:00
Peter Maydell
e59a7e0ec5 elf2dmp: Check curl_easy_setopt() return value
Coverity points out that we aren't checking the return value
from curl_easy_setopt().

Fixes: Coverity CID 1458895
Inspired-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Message-id: 20210910170656.366592-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-09-20 09:54:32 +01:00
Thomas Huth
8bc5184d23 configure / meson: Move the GBM handling to meson.build
The GBM library detection does not need to be in the configure script,
since it does not have any user-facing options (there are no
--enable-gbm or --disable-gbm switches). Let's move it to meson.build
instead, so we don't have to clutter config-host.mak with the related
switches.

Additionally, only check for GBM if it is really required, i.e. if we
either compile with OpenGL or with virglrenderer support.

Message-Id: <20210714085045.797168-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-09-06 10:00:14 +02:00
Mahmoud Mandour
d852535859 plugins/howvec: adapting to the new argument passing scheme
Correctly parsing plugin argument since they now must be provided as
full-form boolean parameters, e.g.:
    -plugin ./contrib/plugins/libhowvec.so,verbose=on,inline=on

Also, introduced the argument "count" that accepts one opt to count
individually at a time.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210730135817.17816-8-ma.mandourr@gmail.com>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
60753843f6 plugins/hwprofile: adapt to the new plugin arguments scheme
Parsing boolean arguments correctly (e.g. pattern=on or source=false).
Introduced a new "track" argument that takes a [read|write] value. This
substitutes passing read or write to "arg=" that is deprecated.

Also, matches are now taken one by one through the "match" argument.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210730135817.17816-7-ma.mandourr@gmail.com>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
b18a0cad81 plugins/lockstep: make socket path not positional & parse bool arg
Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210730135817.17816-6-ma.mandourr@gmail.com>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
8a3eab66e6 plugins/hotblocks: Added correct boolean argument parsing
Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210730135817.17816-5-ma.mandourr@gmail.com>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
f698d5ef1c plugins/hotpages: introduce sortby arg and parsed bool args correctly
Since plugin arguments now expect boolean arguments, a plugin argument
name "sortby" now expects a value of "read", "write", or "address".

"io" arg is now expected to be passed as a full-form boolean parameter,
i.e. "io=on|true|yes|off|false|no"

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210730135817.17816-4-ma.mandourr@gmail.com>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
c79a2116af plugins/cache: supported multicore cache modelling
Multicore L1 cache modelling is introduced and is supported for both
full system emulation and linux-user.

For full-system emulation, L1 icache and dcache are maintained for each
available core, since this information is exposed to the plugin through
`qemu_plugin_n_vcpus()`.

For linux-user, a static number of cores is assumed (default 1 core, and
can be provided as a plugin argument `cores=N`). Every memory access
goes through one of these caches, this approach is taken as it's
somewhat akin to what happens on real setup, where a program that
dispatches more threads than the available cores, they'll thrash
each other

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Message-Id: <20210803151301.123581-2-ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
b40310616d plugins/execlog: removed unintended "s" at the end of log lines.
Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210803151428.125323-1-ma.mandourr@gmail.com>
Message-Id: <20210806141015.2487502-2-alex.bennee@linaro.org>
Cc: qemu-stable@nongnu.org
2021-09-02 11:29:34 +01:00
Mahmoud Mandour
c2888a679d plugins/cache: Fixed "function decl. is not a prototype" warnings
Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210714172151.8494-7-ma.mandourr@gmail.com>
Message-Id: <20210720232703.10650-24-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Mahmoud Mandour
072c444b0d plugins/cache: limited the scope of a mutex lock
It's not necessary to lock the address translation portion of the
vcpu_mem_access callback.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210714172151.8494-3-ma.mandourr@gmail.com>
Message-Id: <20210720232703.10650-23-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Mahmoud Mandour
de9fc40f36 plugins/cache: Fixed a bug with destroying FIFO metadata
This manifests itself when associativity degree is greater than the
number of sets and FIFO is used, otherwise it's also a memory leak
whenever FIFO was used.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210714172151.8494-2-ma.mandourr@gmail.com>
Message-Id: <20210720232703.10650-22-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
094d278547 contrib/gitdm: add more individual contributor entries.
Also ensure Li's canonical gmail address is used.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Li Qiang <liq3ea@gmail.com>
Acked-by: Chetan Pant <chetan4windows@gmail.com>
Acked-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20210720232703.10650-20-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
a10f373de4 contrib/gitdm: add a new interns group-map for GSoC/Outreachy work
It makes sense to put our various interns in a group so we can see the
overall impact of GSoC and Outreachy on the project.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Cc: Ahmed Karaman <ahmedkhaledkaraman@gmail.com>
Cc: César Belley <cesar.belley@lse.epita.fr>
Message-Id: <20210720232703.10650-19-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
a7659cd675 contrib/gitdm: add an explicit academic entry for BU
For some reason Alexander's contributions were not getting grouped
from the plain "edu" mapping.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210720232703.10650-18-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
e061e481a6 contrib/gitdm: add group-map for Netflix
Warner confirmed he works for Netflix on IRC.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Message-Id: <20210720232703.10650-17-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
efe2165a0f contrib/gitdm: add domain-map for NVIDIA
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Kirti Wankhede <kwankhede@nvidia.com>
Cc: Yishai Hadas <yishaih@nvidia.com>
Message-Id: <20210720232703.10650-16-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
3d4fcf4200 contrib/gitdm: add domain-map for Crudebyte
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20210720232703.10650-15-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
a8d1095a10 contrib/gitdm: un-ironically add a mapping for LWN
I think this mainly comes from kernel-doc stuff imported into the QEMU
tree.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Message-Id: <20210720232703.10650-14-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
0e7933e314 contrib/gitdm: add domain-map/group-map for Wind River
As per discussion at:
  http://patchwork.ozlabs.org/project/qemu-devel/patch/20201004180443.2035359-19-f4bug@amsat.org/

I've added Bin's personal email as an individual contributor.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Bin Meng <bin.meng@windriver.com>
Cc: Ruimei Yan <ruimei.yan@windriver.com>
Cc: Xuzhou Cheng <xuzhou.cheng@windriver.com>
Message-Id: <20210720232703.10650-13-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
061a20d50a contrib/gitdm: add domain-map for Eldorado
Luis acked on IRC:

  #qemu@znc-oftc_2021-07-13.txt:[15:00:02] <lffpires> stsquad: "eldorado.org.br Eldorado" is fine

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Luis Pires <luis.pires@eldorado.org.br>
Message-Id: <20210720232703.10650-12-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
44114d3fda contrib/gitdm: add domain-map/group-map mappings for Samsung
Minwoo's work from their personal address are treated as personal
contributions.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Klaus Jensen <k.jensen@samsung.com>
Cc: Gollu Appalanaidu <anaidu.gollu@samsung.com>
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Message-Id: <20210720232703.10650-11-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
200a10279e contrib/gitdm: add a group mapping for robot scanners
This mostly affects Reported-by: tags

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210720232703.10650-9-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
0204e6482b contrib/gitdm: add domain-map for MontaVista
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Corey Minyard <cminyard@mvista.com>
Message-Id: <20210720232703.10650-8-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Alex Bennée
fa3d60953c contrib/gitdm: add some new aliases to fix up commits
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20210720232703.10650-6-alex.bennee@linaro.org>
2021-07-23 17:22:16 +01:00
Mahmoud Mandour
40c4a5533f plugins/cache: Added FIFO and LRU eviction policies
Implemented FIFO and LRU eviction policies. Now one of the three
eviction policies can be chosen as an argument. On not specifying an
argument, LRU is used by default.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210623125458.450462-4-ma.mandourr@gmail.com>
Message-Id: <20210709143005.1554-39-alex.bennee@linaro.org>
2021-07-14 15:54:13 +01:00
Mahmoud Mandour
86ae3a1daa plugins/cache: Enable cache parameterization
Enabled configuring both icache and dcache parameters using plugin
parameters.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210623125458.450462-3-ma.mandourr@gmail.com>
Message-Id: <20210709143005.1554-38-alex.bennee@linaro.org>
2021-07-14 15:54:13 +01:00
Mahmoud Mandour
e2c5557ce1 plugins: Added a new cache modelling plugin
Added a cache modelling plugin that uses a static configuration used in
many of the commercial microprocessors and uses random eviction policy.

The purpose of the plugin is to identify the most cache-thrashing
instructions for both instruction cache and data cache.

Signed-off-by: Mahmoud Mandour <ma.mandourr@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210623125458.450462-2-ma.mandourr@gmail.com>
Message-Id: <20210709143005.1554-37-alex.bennee@linaro.org>
2021-07-14 15:54:13 +01:00
Alexandre Iooss
3d7caf145e contrib/plugins: add execlog to log instruction execution and memory access
Log instruction execution and memory access to a file.
This plugin can be used for reverse engineering or for side-channel analysis
using QEMU.

Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210702081307.1653644-2-erdnaxe@crans.org>
Message-Id: <20210709143005.1554-35-alex.bennee@linaro.org>
2021-07-14 15:54:13 +01:00
Alex Bennée
7a1f6e5975 contrib/plugins: enable -Wall for building plugins
Lets spot the obvious errors.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210709143005.1554-34-alex.bennee@linaro.org>
2021-07-14 15:54:13 +01:00
Paolo Bonzini
63a7f85306 meson: fix missing preprocessor symbols
While most libraries do not need a CONFIG_* symbol because the
"when:" clauses are enough, some do.  Add them back or stop
using them if possible.

In the case of libpmem, the statement to add the CONFIG_* symbol
was still in configure, but could not be triggered because it
checked for "no" instead of "disabled" (and it would be wrong anyway
since the test for the library has not been done yet).

Reported-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Fixes: 587d59d6cc ("configure, meson: convert virgl detection to meson", 2021-07-06)
Fixes: 83ef16821a ("configure, meson: convert libdaxctl detection to meson", 2021-07-06)
Fixes: e36e8c70f6 ("configure, meson: convert libpmem detection to meson", 2021-07-06)
Fixes: 53c22b68e3 ("configure, meson: convert liburing detection to meson", 2021-07-06)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-07-09 18:19:00 +02:00
Gerd Hoffmann
25b2ef2e8e vhost-user-gpu: reorder free calls.
Free in correct order to avoid use-after-free.

Resolves: CID 1453812
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210604103714.1237414-1-kraxel@redhat.com>
2021-06-15 07:16:25 +02:00
Li Qiang
3ea32d1355 vhost-user-gpu: abstract vg_cleanup_mapping_iov
Currently in vhost-user-gpu, we free resource directly in
the cleanup case of resource. If we change the cleanup logic
we need to change several places, also abstruct a
'vg_create_mapping_iov' can be symmetry with the
'vg_create_mapping_iov'. This is like what virtio-gpu does,
no function changed.

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-9-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
9f22893adc vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
If 'virgl_cmd_get_capset' set 'max_size' to 0,
the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
This patch avoid this by checking the returned 'max_size'.

virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
virgl capabilities max_size")

Fixes: CVE-2021-3546
Reported-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-8-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
63736af5a6 vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
be leaked.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
in resource attach backing")

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-7-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
f6091d86ba vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
The 'res->iov' will be leaked if the guest trigger following sequences:

	virgl_cmd_create_resource_2d
	virgl_resource_attach_backing
	virgl_cmd_resource_unref

This patch fixes this.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
in virgl_cmd_resource_unref"

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-6-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
b7afebcf9e vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
If the guest trigger following sequences, the attach_backing will be leaked:

	vg_resource_create_2d
	vg_resource_attach_backing
	vg_resource_unref

This patch fix this by freeing 'res->iov' in vg_resource_destroy.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
in virgl_cmd_resource_unref")

Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-5-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
b9f79858a6 vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
Check whether the 'res' has already been attach_backing to avoid
memory leak.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
in resource attach backing")

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-4-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
86dd8fac2a vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
Call 'vugbm_buffer_destroy' in error path to avoid resource leak.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-3-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Li Qiang
121841b25d vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)
Otherwise some of the 'resp' will be leaked to guest.

Fixes: CVE-2021-3545
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
in getting capset info dispatch")

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-2-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-05-27 11:55:59 +02:00
Fabrice Fontaine
f7a6df5f5b Fix build with 64 bits time_t
time element is deprecated on new input_event structure in kernel's
input.h [1]

This will avoid the following build failure:

hw/input/virtio-input-host.c: In function 'virtio_input_host_handle_status':
hw/input/virtio-input-host.c:198:28: error: 'struct input_event' has no member named 'time'
  198 |     if (gettimeofday(&evdev.time, NULL)) {
      |                            ^

Fixes:
 - http://autobuild.buildroot.org/results/a538167e288c14208d557cd45446df86d3d599d5
 - http://autobuild.buildroot.org/results/efd4474fb4b6c0ce0ab3838ce130429c51e43bbb

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=152194fe9c3f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Message-Id: <20201203195819.583626-1-fontaine.fabrice@gmail.com>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/246
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2021-05-14 10:26:18 -04:00
Marc-André Lureau
59be75e7d8 vhost-user-gpu: fix cursor move/update
"move" is incorrectly initialized.

Fix it by using a switch statement and also treating unknown commands
with a fallback.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210312100108.2706195-5-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-03-26 06:37:03 +01:00
Marc-André Lureau
96ee096a13 vhost-user-gpu: fix vugbm_device_init fallback
vugbm implements GBM device wrapping, udmabuf and memory fallback.
However, the fallback/detection logic is flawed, as if "/dev/udmabuf"
failed to be opened, it will not initialize vugbm and crash later.

Rework the vugbm_device_init() logic to initialize correctly in all
cases.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210312100108.2706195-4-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-03-26 06:37:03 +01:00