Commit Graph

36267 Commits

Author SHA1 Message Date
Peter Maydell
ca6028185d pc, pci, misc bugfixes
A bunch of bugfixes for 2.2.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc, pci, misc bugfixes

A bunch of bugfixes for 2.2.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 24 Nov 2014 18:59:47 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  pc: acpi: mark all possible CPUs as enabled in SRAT
  pcie: fix improper use of negative value
  pcie: fix typo in pcie_cap_deverr_init()
  target-i386: move generic memory hotplug methods to DSDTs
  acpi-build: mark RAM dirty on table update
  hw/pci: fix crash on shpc error flow
  pc: count in 1Gb hugepage alignment when sizing hotplug-memory container
  pc: explicitly check maxmem limit when adding DIMM
  pc: pc-dimm: use backend alignment during address auto allocation
  pc: align DIMM's address/size by backend's alignment value
  memory: expose alignment used for allocating RAM as MemoryRegion API
  pc: limit DIMM address and size to page aligned values
  pc: make pc_dimm_plug() more readable
  pc: kvm: check if KVM has free memory slots to avoid abort()
  qemu-char: fix tcp_get_fds

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24 19:31:50 +00:00
Igor Mammedov
dd0247e09a pc: acpi: mark all possible CPUs as enabled in SRAT
If QEMU is started with -numa ... Windows only notices that
a CPU has been hot-added but it will not online such CPUs.

It's caused by the fact that possible CPUs are flagged as
not enabled in SRAT and Windows honoring that information
doesn't use corresponding CPU.

ACPI 5.0 Spec regarding to flag says:
"
Table 5-47 Local APIC Flags
...
Enabled: if zero, this processor is unusable, and the operating system
support will not attempt to use it.
"

Fix QEMU to adhere to spec and mark possible CPUs as enabled
in SRAT.

With that Windows onlines hot-added CPUs as expected.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:11 +02:00
Gonglei
6c150fbd34 pcie: fix improper use of negative value
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:11 +02:00
Gonglei
8e815eeefe pcie: fix typo in pcie_cap_deverr_init()
Reported-by:
 https://bugs.launchpad.net/qemu/+bug/1393440

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:10 +02:00
Paolo Bonzini
4f99ab7a78 target-i386: move generic memory hotplug methods to DSDTs
This makes it simpler to keep the SSDT byte-for-byte identical for a
given machine type, which is a goal we want to have for 2.2 and newer
types.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:10 +02:00
Michael S. Tsirkin
ad5b88b1f1 acpi-build: mark RAM dirty on table update
acpi build modifies internal FW CFG RAM on first access
but we forgot to mark it dirty.
If this RAM has been migrated already, it won't be
migrated again, returning corrupted tables to guest.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:10 +02:00
Marcel Apfelbaum
109e90e470 hw/pci: fix crash on shpc error flow
If the pci bridge enters the error flow as part
of the init process it will only delete the shpc mmio
subregion but not remove it from the properties list,
resulting in a segmentation fault when the bridge runs
the exit function.

Example: add a pci bridge without specifying the chassis number:
    <qemu-bin> ... -device pci-bridge,id=p1
Result:
    (qemu) qemu-system-x86_64: -device pci-bridge,id=p1: Bridge chassis not specified. Each bridge is required to be assigned a unique chassis id > 0.
    qemu-system-x86_64: -device pci-bridge,id=p1: Device
    initialization failed.
    Segmentation fault (core dumped)

    if (child->class->unparent) {
    #0  0x00005555558d629b in object_finalize_child_property (obj=0x555556d2e830, name=0x555556d30630 "shpc-mmio[0]", opaque=0x555556a42fc8) at qom/object.c:1078
    #1  0x00005555558d4b1f in object_property_del_all (obj=0x555556d2e830) at qom/object.c:367
    #2  0x00005555558d4ca1 in object_finalize (data=0x555556d2e830) at qom/object.c:412
    #3  0x00005555558d55a1 in object_unref (obj=0x555556d2e830) at qom/object.c:720
    #4  0x000055555572c907 in qdev_device_add (opts=0x5555563544f0) at qdev-monitor.c:566
    #5  0x0000555555744f16 in device_init_func (opts=0x5555563544f0, opaque=0x0) at vl.c:2213
    #6  0x00005555559cf5f0 in qemu_opts_foreach (list=0x555555e0f8e0 <qemu_device_opts>, func=0x555555744efa <device_init_func>, opaque=0x0, abort_on_failure=1) at util/qemu-option.c:1057
    #7  0x000055555574a11b in main (argc=16, argv=0x7fffffffdde8, envp=0x7fffffffde70) at vl.c:423

Unparent the shpc mmio region as part of shpc cleanup.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Amos Kong <akong@redhat.com>
2014-11-24 20:57:10 +02:00
Igor Mammedov
085f8e88ba pc: count in 1Gb hugepage alignment when sizing hotplug-memory container
If DIMMs with different size/alignment are interleaved
in creation order, it could lead to hotplug-memory
container fragmentation and a following inability to use
all RAM up to maxmem.
For example:
    -m 4G,slots=3,maxmem=7G
    -object memory-backend-file,id=mem-1,size=256M,mem-path=/pagesize-2MB
    -device pc-dimm,id=mem1,memdev=mem-1
    -object memory-backend-file,id=mem-2,size=1G,mem-path=/pagesize-1GB
    -device pc-dimm,id=mem2,memdev=mem-2
    -object memory-backend-file,id=mem-3,size=256M,mem-path=/pagesize-2MB
    -device pc-dimm,id=mem3,memdev=mem-3

fragments the hotplug-memory container and doesn't allow
using the 1GB hugepage backend to consume the remaining 1Gb.

To ease management, factor in max 1Gb alignment for
each memory slot when sizing the hotplug-memory region so
that regardless of fragmentation it would be possible to
add a max aligned DIMM.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:10 +02:00
Igor Mammedov
b03541fa77 pc: explicitly check maxmem limit when adding DIMM
Currently maxmem limit is not checked and depends on
hotplug region container not being able to fit more RAM
than maxmem. Do check explicitly so that it would
be possible to change hotplug container size later
to deal with fragmentation.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24 20:57:10 +02:00
Peter Maydell
3d4a70f80f Block patches for 2.2.0-rc3

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.2.0-rc3

# gpg: Signature made Mon 24 Nov 2014 12:52:23 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  Revert "qemu-img info: show nocow info"

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24 15:01:54 +00:00
Peter Maydell
a31a7475e9 Three patches to fix ExtINT for the QEMU implementation of the local APIC.

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

Three patches to fix ExtINT for the QEMU implementation of the local APIC.

# gpg: Signature made Mon 24 Nov 2014 13:38:36 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  apic: fix incorrect handling of ExtINT interrupts wrt processor priority
  apic: fix loss of IPI due to masked ExtINT
  apic: avoid getting out of halted state on masked PIC interrupts

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24 13:50:22 +00:00
Paolo Bonzini
5224c88dd3 apic: fix incorrect handling of ExtINT interrupts wrt processor priority
This fixes another failure with ExtINT, demonstrated by QNX.  The failure
mode is as follows:
- IPI sent to cpu 0 (bit set in APIC irr)
- IPI accepted by cpu 0 (bit cleared in irr, set in isr)
- IPI sent to cpu 0 (bit set in both irr and isr)
- PIC interrupt sent to cpu 0

The PIC interrupt causes CPU_INTERRUPT_HARD to be set, but
apic_irq_pending observes that the highest pending APIC interrupt priority
(the IPI) is the same as the processor priority (since the IPI is still
being handled), so apic_get_interrupt returns a spurious interrupt rather
than the pending PIC interrupt. The result is an endless sequence of
spurious interrupts, since nothing will clear CPU_INTERRUPT_HARD.

Instead, ExtINT interrupts should have ignored the processor priority.
Calling apic_check_pic early in apic_get_interrupt ensures that
apic_deliver_pic_intr is called instead of delivering the spurious
interrupt.  apic_deliver_pic_intr then clears CPU_INTERRUPT_HARD if needed.

Reported-by: Richard Bilson <rbilson@qnx.com>
Tested-by: Richard Bilson <rbilson@qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24 14:37:45 +01:00
Paolo Bonzini
8092cb7132 apic: fix loss of IPI due to masked ExtINT
This patch fixes an obscure failure of the QNX kernel on QEMU x86 SMP.
In QNX, all hardware interrupts come via the PIC, and are delivered by
the cpu 0 LAPIC in ExtINT mode, while IPIs are delivered by the LAPIC
in fixed mode.

This bug happens as follows:
- cpu 0 masks a particular PIC interrupt
- IPI sent to cpu 0 (CPU_INTERRUPT_HARD is set)
- before the IPI is accepted, the masked interrupt line is asserted by the
device

Since the interrupt is masked, apic_deliver_pic_intr will clear
CPU_INTERRUPT_HARD. The IPI will still be set in the APIC irr, but since
CPU_INTERRUPT_HARD is not set the cpu will not notice. Depending on the
scenario this can cause a system hang, i.e. if cpu 0 is expected to unmask
the interrupt.

In order to fix this, do a full check of the APIC before an EXTINT
is acknowledged.  This can result in clearing CPU_INTERRUPT_HARD, but
can also result in delivering the lost IPI.

Reported-by: Richard Bilson <rbilson@qnx.com>
Tested-by: Richard Bilson <rbilson@qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24 14:37:40 +01:00
Paolo Bonzini
60e68042cf apic: avoid getting out of halted state on masked PIC interrupts
After the next patch, if a masked PIC interrupt causes CPU_INTERRUPT_POLL
to be set, the CPU will spuriously get out of halted state.  While this
is technically valid, we should avoid that.

Make CPU_INTERRUPT_POLL run apic_update_irq in the right thread and then
look at CPU_INTERRUPT_HARD.  If CPU_INTERRUPT_HARD does not get set,
do not report the CPU as having work.

Also move the handling of software-disabled APIC from apic_update_irq
to apic_irq_pending, and always trigger CPU_INTERRUPT_POLL.  This will
be important once we add a case that resets CPU_INTERRUPT_HARD
from apic_update_irq.  We want to run it even if we go through
CPU_INTERRUPT_POLL, and even if the local APIC is software disabled.

Reported-by: Richard Bilson <rbilson@qnx.com>
Tested-by: Richard Bilson <rbilson@qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24 14:37:30 +01:00
Kevin Wolf
24bf10dac3 Revert "qemu-img info: show nocow info"
This reverts commit 000c4dfff4.

The main reason for reverting this commit before the 2.2 release is that
it adds a QAPI interface that we don't want to keep: The 'nocow' flag
doesn't generally make sense for block nodes, but only for the raw-posix
driver. It should therefore be part of ImageInfoSpecific rather than
ImageInfo.

The commit contains more problems, but unlike the API stability issue
they wouldn't justify reverting it.

Conflicts:
	block/qapi.c

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-24 13:52:10 +01:00
Igor Mammedov
0c0de1b681 pc: pc-dimm: use backend alignment during address auto allocation
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:12:46 +02:00
Igor Mammedov
91aa70ab2a pc: align DIMM's address/size by backend's alignment value
Performance wise it's better to align GVA by the backend's
page size.

Also do not allow creating a DIMM device with suboptimal
size (i.e. not aligned to the backend's page size) to avoid
memory loss.

Do above only for 2.2 and newer machine types to avoid
breaking working configs with 2.1 machine type.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:12:39 +02:00
Igor Mammedov
a2b257d621 memory: expose alignment used for allocating RAM as MemoryRegion API
Introduce memory_region_get_alignment(), which returns the
underlying memory block alignment, or 0 if it's not
relevant/implemented for the backend.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:11:30 +02:00
Igor Mammedov
92a37a04d6 pc: limit DIMM address and size to page aligned values
When running in KVM mode, kvm_set_phys_mem() will silently
fail if the registered MemoryRegion address/size is not page
aligned, causing memory hotplug failure in the guest.

Mapping a non-aligned MemoryRegion in TCG mode 'works', but
a sane guest OS still expects a page aligned memory module
and fails to initialize it if it's not aligned.

So do not allow non-aligned (i.e. valid) address/size
values for a DIMM to avoid either KVM failure or guest
issues caused by it.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:11:30 +02:00
Igor Mammedov
34dde13685 pc: make pc_dimm_plug() more readable
Split addr initialization from declaration so that
later, when new local vars are added, the property getter
wouldn't drift off of the error check.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:11:30 +02:00
Igor Mammedov
b8865591d4 pc: kvm: check if KVM has free memory slots to avoid abort()
When more memory devices are used than available
KVM memory slots, QEMU crashes with:

kvm_alloc_slot: no free slot available
Aborted (core dumped)

Fix this by checking that KVM has a free slot before
attempting to map memory in guest address space.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:11:29 +02:00
Michael S. Tsirkin
c409572678 qemu-char: fix tcp_get_fds
tcp_get_fds API discards fds if there's more than 1 of these.

It's tricky to fix this without API changes in the generic case.

However, this API is only used by tests ATM, and tests know how
many fds they expect.

So let's not waste cycles trying to fix this properly:
simply assume at most 16 fds (tests use at most 8 now).
Assert if some test tries to get more.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23 12:11:29 +02:00
Peter Maydell
0e88f47850

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

# gpg: Signature made Fri 21 Nov 2014 11:12:37 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  rtl8139: fix Pointer to local outside scope
  pcnet: fix Negative array index read
  net/socket: fix Uninitialized scalar variable
  net/slirp: fix memory leak

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-21 14:15:37 +00:00
Peter Maydell
a00c117338 gtk: two bugfixes for 2.2.

Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20141121-1' into staging

gtk: two bugfixes for 2.2.

# gpg: Signature made Fri 21 Nov 2014 07:38:45 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20141121-1:
  gtk: Don't crash if -nodefaults
  gtk: fix possible memory leak about local_err

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-21 13:22:18 +00:00
Gonglei
b0af844007 rtl8139: fix Pointer to local outside scope
Coverity spot:
 Assigning: iov = struct iovec [3]({{buf, 12UL},
                       {(void *)dot1q_buf, 4UL},
                       {buf + 12, size - 12}})
 (address of temporary variable of type struct iovec [3]).
 out_of_scope: Temporary variable of type struct iovec [3] goes out of scope.

Pointer to local outside scope (RETURN_LOCAL)
use_invalid:
 Using iov, which points to an out-of-scope temporary variable of type struct iovec [3].

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21 10:50:54 +00:00
Gonglei
7b50d00911 pcnet: fix Negative array index read
s->xmit_pos may be assigned a negative value (-1),
but in this branch the variable s->xmit_pos is used as an index
into the array s->buffer. Let's add a check for s->xmit_pos.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21 10:50:54 +00:00
Gonglei
8db804ac41 net/socket: fix Uninitialized scalar variable
If the is_connected parameter is false, the saddr
variable will not be initialized. Coverity report:
uninit_use: Using uninitialized value saddr.sin_port.

We don't need to add saddr information to nc->info_str
when is_connected is false.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21 10:50:54 +00:00
Gonglei
7a8919dc29 net/slirp: fix memory leak
commit b412eb61 introduced the 'cmd:' target for guestfwd,
and fwd is not used in this scenario, so it leaks
memory in the true branch with 'cmd:'. Let's allocate memory
for the fwd variable only in the else statement.

Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21 10:50:54 +00:00
Fam Zheng
b310a2a609 gtk: Don't crash if -nodefaults
This fixes a crash by just skipping the vte resize hack if cur is NULL.

Reproducer:

qemu-system-x86_64 -nodefaults

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-11-21 08:37:59 +01:00
zhanghailiang
8a0f9b5263 gtk: fix possible memory leak about local_err
local_err in gd_vc_gfx_init() is not freed, and we don't use it,
so remove it.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-11-21 08:37:59 +01:00
Leif Lindholm
9c7074da5e hw/arm/virt: set stdout-path instead of linux,stdout-path
ePAPR 1.1 defines the stdout-path property, making the os-specific
linux,stdout-path property redundant. Change the DT setup for ARM virt
to use the generic property - supported by Linux since 3.15.

The old QEMU behaviour was not present in any released version of
QEMU, and was only added to QEMU after the kernel changed, so
this should not break any existing setups.

Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
[PMM: add note to commit about the old behaviour never having been
in a released version of QEMU]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-20 14:58:37 +00:00
Peter Maydell
ff323a6b54 Patch queue for ppc - 2014-11-20
Hopefully the last few fixups for 2.2:
 
   - KVM memory slot fix (should usually only occur on PPC)
   - e300 fix
   - Altivec mtvscr instruction fix

Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging

Patch queue for ppc - 2014-11-20

Hopefully the last few fixups for 2.2:

  - KVM memory slot fix (should usually only occur on PPC)
  - e300 fix
  - Altivec mtvscr instruction fix

# gpg: Signature made Thu 20 Nov 2014 13:53:34 GMT using RSA key ID 03FEDC60
# gpg: Good signature from "Alexander Graf <agraf@suse.de>"
# gpg:                 aka "Alexander Graf <alex@csgraf.de>"

* remotes/agraf/tags/signed-ppc-for-upstream:
  target-ppc: Altivec's mtvscr Decodes Wrong Register
  kvm: Fix memory slot page alignment logic
  target-ppc: Fix breakpoint registers for e300

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-20 14:02:24 +00:00
Tom Musta
76cb658419 target-ppc: Altivec's mtvscr Decodes Wrong Register
The Move to Vector Status and Control Register (mtvscr) instruction
uses VRB as the source register.  Fix the code generator to correctly
decode the VRB field.  That is, use "rB(ctx->opcode)" instead of
"rD(ctx->opcode)".

Signed-off-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
2014-11-20 14:52:01 +01:00
Alexander Graf
f2a64032a1 kvm: Fix memory slot page alignment logic
Memory slots have to be page aligned to get entered into KVM. There
is existing logic that tries to ensure that we pad memory slots that
are not page aligned to the biggest region that would still fit in the
alignment requirements.

Unfortunately, that logic is broken. It tries to calculate the start
offset based on the region size.

Fix up the logic to do the thing it was intended to do and document it
properly in the comment above it.

With this patch applied, I can successfully run an e500 guest with more
than 3GB RAM (at which point RAM starts overlapping subpage memory regions).

Cc: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
2014-11-20 14:52:01 +01:00
Fabien Chouteau
3ade1a055c target-ppc: Fix breakpoint registers for e300
In the previous patch, the registers were added to init_proc_G2LE
instead of init_proc_e300.

Signed-off-by: Fabien Chouteau <chouteau@adacore.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
2014-11-20 14:52:01 +01:00
Peter Maydell
f75ad80f6c Fix from a while back that unfortunately got ignored. Dave Gilbert says
it may actually fix a case where autoconverge would break on a repeat
 migration (and not just fix stats).

Merge remote-tracking branch 'remotes/amit-migration/tags/for-2.2-2' into staging

Fix from a while back that unfortunately got ignored.  Dave Gilbert says
it may actually fix a case where autoconverge would break on a repeat
migration (and not just fix stats).

# gpg: Signature made Thu 20 Nov 2014 12:52:41 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit-migration/tags/for-2.2-2:
  migration: static variables will not be reset at second migration

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-20 13:00:28 +00:00
ChenLiang
6c1b663c4c migration: static variables will not be reset at second migration
The static variables in migration_bitmap_sync will not be reset in
the case of a second attempted migration.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
2014-11-20 18:17:22 +05:30
Peter Maydell
af3ff19b48 Update version for v2.2.0-rc2 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 18:00:58 +00:00
Don Slutz
6b896ab261 hw/ide/core.c: Prevent SIGSEGV during migration
The other callers to blk_set_enable_write_cache() in this file
already check for s->blk == NULL.

Signed-off-by: Don Slutz <dslutz@verizon.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1416259239-13281-1-git-send-email-dslutz@verizon.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 17:36:14 +00:00
Peter Maydell
8336e465ac

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

# gpg: Signature made Tue 18 Nov 2014 15:04:53 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  net: The third parameter of getsockname should be initialized

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 16:17:32 +00:00
Peter Maydell
b1b1e81fb5

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Tue 18 Nov 2014 15:04:14 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/tracing-pull-request:
  Tracing: Fix simpletrace.py error on tcg enabled binary traces
  Tracing docs fix configure option and description

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 15:05:36 +00:00
zhanghailiang
ed6273e26f net: The third parameter of getsockname should be initialized
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-18 15:04:35 +00:00
Christoph Seifert
776ec96f79 Tracing: Fix simpletrace.py error on tcg enabled binary traces
simpletrace.py does not recognize the tcg option while reading the trace-events file. As a result, simpletrace does not work on binary traces with tcg enabled events. Moved transformation of tcg enabled events to _read_events(), which is used by simpletrace.

Signed-off-by: Christoph Seifert <christoph.seifert@posteo.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-18 14:05:58 +00:00
Dr. David Alan Gilbert
b73e8bd414 Tracing docs fix configure option and description
Fix the example trace configure option.
Update the text to say that multiple backends are allowed and what
happens when multiple backends are enabled.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1412691161-31785-1-git-send-email-dgilbert@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-18 14:05:54 +00:00
Peter Maydell
1ab8f867ef Block patches for 2.2.0-rc2

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches for 2.2.0-rc2

# gpg: Signature made Tue 18 Nov 2014 11:32:55 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block/raw-posix: Catch fsync() errors
  block/raw-posix: Only sync after successful preallocation
  block/raw-posix: Fix preallocating write() loop
  raw-posix: The SEEK_HOLE code is flawed, rewrite it
  raw-posix: SEEK_HOLE suffices, get rid of FIEMAP
  raw-posix: Fix comment for raw_co_get_block_status()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 13:43:37 +00:00
Peter Maydell
ea5b201a0a Fix for CVE-2014-7840, avoiding arbitrary qemu memory overwrite for
migration by Michael S. Tsirkin.

Merge remote-tracking branch 'remotes/amit-migration/tags/for-2.2' into staging

Fix for CVE-2014-7840, avoiding arbitrary qemu memory overwrite for
migration by Michael S. Tsirkin.

# gpg: Signature made Tue 18 Nov 2014 11:23:00 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit-migration/tags/for-2.2:
  migration: fix parameter validation on ram load

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 12:29:05 +00:00
Ard Biesheuvel
444b1996cb linux-headers: update to 3.18-rc5
This updates the Linux header to version 3.18-rc5, adding support for
(among other things) read-only memslots on ARM and arm64.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Message-id: 1416248898-6302-1-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-18 11:24:31 +00:00
Michael S. Tsirkin
0be839a270 migration: fix parameter validation on ram load
During migration, the values read from the migration stream during ram load
are not validated, especially the offset in host_from_stream_offset() and
also the length of the writes in the callers of said function.

To fix this, we need to make sure that the [offset, offset + length]
range fits into one of the allocated memory regions.

Validating addr < len should be sufficient since data seems to always be
managed in TARGET_PAGE_SIZE chunks.

Fixes: CVE-2014-7840

Note: follow-up patches add extra checks on each block->host access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
2014-11-18 16:49:44 +05:30
Max Reitz
098ffa6674 block/raw-posix: Catch fsync() errors
fsync() may fail, and that case should be handled.

Reported-by: László Érsek <lersek@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-11-18 12:09:00 +01:00
Max Reitz
731de38052 block/raw-posix: Only sync after successful preallocation
The loop which filled the file with zeroes may have been left early due
to an error. In that case, the fsync() should be skipped.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-11-18 12:09:00 +01:00