Commit Graph

76266 Commits

Author SHA1 Message Date
Luwei Kang
ddc2fc9e4e target/i386: set the CPUID level to 0x14 on old machine-type
The CPUID level need to be set to 0x14 manually on old
machine-type if Intel PT is enabled in guest. E.g. the
CPUID[0].EAX(level)=7 and CPUID[7].EBX[25](intel-pt)=1 when the
Qemu with "-machine pc-i440fx-3.1 -cpu qemu64,+intel-pt" parameter.

Some Intel PT capabilities are exposed by leaf 0x14 and the
missing capabilities will cause some MSRs access failed.
This patch add a warning message to inform the user to extend
the CPUID level.

Suggested-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Luwei Kang <luwei.kang@intel.com>
Message-Id: <1584031686-16444-1-git-send-email-luwei.kang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
7b225762c8 i386: Fix pkg_id offset for EPYC cpu models
If the system is numa configured the pkg_offset needs
to be adjusted for EPYC cpu models. Fix it calling the
model specific handler.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <158396725589.58170.16424607815207074485.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
247b18c593 target/i386: Enable new apic id encoding for EPYC based cpus models
The APIC ID is decoded based on the sequence sockets->dies->cores->threads.
This works fine for most standard AMD and other vendors' configurations,
but this decoding sequence does not follow that of AMD's APIC ID enumeration
strictly. In some cases this can cause CPU topology inconsistency.

When booting a guest VM, the kernel tries to validate the topology, and finds
it inconsistent with the enumeration of EPYC cpu models. The more details are
in the bug https://bugzilla.redhat.com/show_bug.cgi?id=1728166.

To fix the problem we need to build the topology as per the Processor
Programming Reference (PPR) for AMD Family 17h Model 01h, Revision B1
Processors. The documentation is available from the bugzilla Link below.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
It is also available at
https://www.amd.com/system/files/TechDocs/55570-B1_PUB.zip

Here is the text from the PPR.
Operating systems are expected to use Core::X86::Cpuid::SizeId[ApicIdSize], the
number of least significant bits in the Initial APIC ID that indicate core ID
within a processor, in constructing per-core CPUID masks.
Core::X86::Cpuid::SizeId[ApicIdSize] determines the maximum number of cores
(MNC) that the processor could theoretically support, not the actual number of
cores that are actually implemented or enabled on the processor, as indicated
by Core::X86::Cpuid::SizeId[NC].
Each Core::X86::Apic::ApicId[ApicId] register is preset as follows:
• ApicId[6] = Socket ID.
• ApicId[5:4] = Node ID.
• ApicId[3] = Logical CCX L3 complex ID
• ApicId[2:0]= (SMT) ? {LogicalCoreID[1:0],ThreadId} : {1'b0,LogicalCoreID[1:0]}

The new apic id encoding is enabled for EPYC and EPYC-Rome models.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <158396724913.58170.3539083528095710811.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
2e26f4ab3b hw/i386: Move arch_id decode inside x86_cpus_init
Apicid calculation depends on knowing the total number of numa nodes
for EPYC cpu models. Right now, we are calculating the arch_id while
parsing the numa(parse_numa). At this time, it is not known how many
total numa nodes are configured in the system.

Move the arch_id calculation inside x86_cpus_init. At this time, smp
parse is already completed and numa node information is available.

Override the handlers if use_epyc_apic_id_encoding is enabled in
cpu model definition.

Also replace the calling convention to use handlers from
X86MachineState.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Message-Id: <158396724217.58170.12256158354204870716.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
0c1538cb1a i386: Introduce use_epyc_apic_id_encoding in X86CPUDefinition
Add a boolean variable use_epyc_apic_id_encoding in X86CPUDefinition.
This will be set if this cpu model needs to use new EPYC based
apic id encoding.

Override the handlers with EPYC based handlers if use_epyc_apic_id_encoding
is set. This will be done in x86_cpus_init.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Message-Id: <158396723514.58170.14825482171652019765.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
6121c7fbfd hw/i386: Introduce apicid functions inside X86MachineState
Introduce model specific apicid functions inside X86MachineState.
These functions will be loaded from X86CPUDefinition.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <158396722838.58170.5675998866484476427.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
dd08ef0318 target/i386: Cleanup and use the EPYC mode topology functions
Use the new functions from topology.h and delete the unused code. Given the
sockets, nodes, cores and threads, the new functions generate apic id for EPYC
mode. Removes all the hardcoded values.

Signed-off-by: Babu Moger <babu.moger@amd.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <158396722151.58170.8031705769621392927.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Babu Moger
7568b20555 hw/386: Add EPYC mode topology decoding functions
These functions add support for building EPYC mode topology given the smp
details like numa nodes, cores, threads and sockets.

The new apic id decoding is mostly similar to current apic id decoding
except that it adds a new field node_id when numa configured. Removes all
the hardcoded values. Subsequent patches will use these functions to build
the topology.

Following functions are added.
apicid_llc_width_epyc
apicid_llc_offset_epyc
apicid_pkg_offset_epyc
apicid_from_topo_ids_epyc
x86_topo_ids_from_idx_epyc
x86_topo_ids_from_apicid_epyc
x86_apicid_from_cpu_idx_epyc

The topology details are available in Processor Programming Reference (PPR)
for AMD Family 17h Model 01h, Revision B1 Processors. The revision guides are
available from the bugzilla Link below.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537

Signed-off-by: Babu Moger <babu.moger@amd.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <158396721426.58170.2930696192478912976.stgit@naples-babu.amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-03-31 19:13:32 -03:00
Peter Maydell
2833ad487c Update version for v5.0.0-rc1 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-31 18:02:47 +01:00
Peter Maydell
82915faec3 virtio, pci, pc: bugfixes, checkpatch, maintainers
Bugfixes all over the place.
 Add a new balloon maintainer.
 A checkpatch enhancement to enforce ACPI change rules.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAl6DWawPHG1zdEByZWRo
 YXQuY29tAAoJECgfDbjSjVRpGmUIALX0k29B81f3zpjwYYVCNYx97MNSvQc0X3xJ
 0OjdMvw5oVqfvc7qjRLxqCJUzrXBbPGRGGZzKWj9XjOUzz9IfntxtlGERVqb1xSp
 lG4H254IKUP9q6p0P537ryzJunUbaeLLOaxtQVbEIR8alIX8w0tvSRGt6vKwfGTD
 53projQswyKApaoDM338lpJbdLsGAKf7qiamO+zAw7ldBvTtZ0h92snv49dMS941
 7+S9brLkrMYncyiQ2yKaekdwCHOam62NUgBzr7vrXFY4Ovq8WAp6EJuEkzQX0IBG
 Y0LJFpE+k6IMS5uRZYV5LwdARv9ZFFEFwNWufpVi1AY2NikUCk8=
 =AqIW
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio, pci, pc: bugfixes, checkpatch, maintainers

Bugfixes all over the place.
Add a new balloon maintainer.
A checkpatch enhancement to enforce ACPI change rules.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Tue 31 Mar 2020 15:54:36 BST
# gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg:                issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full]
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream:
  vhost-vsock: fix double close() in the realize() error path
  acpi: add acpi=OnOffAuto machine property to x86 and arm virt
  fix vhost_user_blk_watch crash
  hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
  virtio-iommu: avoid memleak in the unrealize
  virtio-blk: delete vqs on the error path in realize()
  acpi: pcihp: fix left shift undefined behavior in acpi_pcihp_eject_slot()
  virtio-serial-bus: Plug memory leak on realize() error paths
  MAINTAINERS: Add myself as virtio-balloon co-maintainer
  checkpatch: enforce process for expected files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-31 16:29:02 +01:00
Stefano Garzarella
e82cdba394 vhost-vsock: fix double close() in the realize() error path
vhost_dev_cleanup() closes the vhostfd parameter passed to
vhost_dev_init(), so this patch avoids closing it twice in
the vhost_vsock_device_realize() error path.

Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200331075910.42529-1-sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-03-31 10:54:28 -04:00
Peter Maydell
17083d6d1e -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJeg0JmAAoJEO8Ells5jWIRriwIAIJP3RSeSZpipxXoI8aIVOHv
 mkteuLqJpid0+wwpmT+YAv6PpniJ76Rwrc54VsOKBURG/baJAoGR5ozsu+dS/pF5
 VW9rFarR6FyRcLJWA/I4q3C9rhzcNwhoA2l0Jwy0sXQFYegsptb2Qc+Mr+Fw1hGZ
 mnIB7g4wXZc0NuGY+SAuQdlS0HvIgf8Lbv8z1i0vO2h1ADTFIjhrrnbsZ2//Nttu
 YwFh4IZJzirZ7VqRbfqo0fK6yElAA3EI6VjkPospuxOT6XcNp4ODEMMfeEl2qSa/
 TSVCnCXBXaoX8HPdVfdb3zK4GA11wITDkF+uv9Nx0/AUYJSsOgMkqItHoQr24uQ=
 =Kh21
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Tue 31 Mar 2020 14:15:18 BST
# gpg:                using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  qtest: add tulip test case
  hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads
  net: tulip: check frame size and r/w data length
  net/colo-compare.c: Expose "expired_scan_cycle" to users
  net/colo-compare.c: Expose "compare_timeout" to users
  hw/net/can: Make CanBusClientInfo::can_receive() return a boolean
  hw/net: Make NetCanReceive() return a boolean
  hw/net/rtl8139: Update coding style to make checkpatch.pl happy
  hw/net/rtl8139: Simplify if/else statement
  hw/net/smc91c111: Let smc91c111_can_receive() return a boolean
  hw/net/e1000e_core: Let e1000e_can_receive() return a boolean
  Fixed integer overflow in e1000e
  hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
  hw/net/i82596: Correct command bitmask (CID 1419392)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-31 14:49:46 +01:00
Li Qiang
1153cf9f5b qtest: add tulip test case
The tulip networking card emulation has an OOB issue in
'tulip_copy_tx_buffers' when the guest provide malformed descriptor.
This test will trigger a ASAN heap overflow crash. To trigger this
issue we can construct the data as following:

1. construct a 'tulip_descriptor'. Its control is set to
'0x7ff | 0x7ff << 11', this will make the 'tulip_copy_tx_buffers's
'len1' and 'len2' to 0x7ff(2047). So 'len1+len2' will overflow
'TULIPState's 'tx_frame' field. This descriptor's 'buf_addr1' and
'buf_addr2' should set to a guest address.

2. write this descriptor to tulip device's CSR4 register. This will
set the 'TULIPState's 'current_tx_desc' field.

3. write 'CSR6_ST' to tulip device's CSR6 register. This will trigger
'tulip_xmit_list_update' and finally calls 'tulip_copy_tx_buffers'.

Following shows the backtrack of crash:

==31781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000007cd0 at pc 0x7fe03c5a077a bp 0x7fff05b46770 sp 0x7fff05b45f18
WRITE of size 2047 at 0x628000007cd0 thread T0
    #0 0x7fe03c5a0779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x5575fb6daa6a in flatview_read_continue /home/test/qemu/exec.c:3194
    #2 0x5575fb6daccb in flatview_read /home/test/qemu/exec.c:3227
    #3 0x5575fb6dae66 in address_space_read_full /home/test/qemu/exec.c:3240
    #4 0x5575fb6db0cb in address_space_rw /home/test/qemu/exec.c:3268
    #5 0x5575fbdfd460 in dma_memory_rw_relaxed /home/test/qemu/include/sysemu/dma.h:87
    #6 0x5575fbdfd4b5 in dma_memory_rw /home/test/qemu/include/sysemu/dma.h:110
    #7 0x5575fbdfd866 in pci_dma_rw /home/test/qemu/include/hw/pci/pci.h:787
    #8 0x5575fbdfd8a3 in pci_dma_read /home/test/qemu/include/hw/pci/pci.h:794
    #9 0x5575fbe02761 in tulip_copy_tx_buffers hw/net/tulip.c:585
    #10 0x5575fbe0366b in tulip_xmit_list_update hw/net/tulip.c:678
    #11 0x5575fbe04073 in tulip_write hw/net/tulip.c:783

Signed-off-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Peter Maydell
b88fb1247b hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads
Coverity points out (CID 1421926) that the read code for
REG_ADDR_HIGH reads off the end of the buffer, because it does a
32-bit read from byte 4 of a 6-byte buffer.

The code also has an endianness issue for both REG_ADDR_HIGH and
REG_ADDR_LOW, because it will do the wrong thing on a big-endian
host.

Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
the write code is not incorrect, but for consistency we make it use
stl_le_p() and stw_le_p().

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Prasad J Pandit
8ffb7265af net: tulip: check frame size and r/w data length
Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.

Limit iterations over descriptors to avoid potential infinite
loop issue in tulip_xmit_list_update.

Reported-by: Li Qiang <pangpei.lq@antfin.com>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Zhang Chen
cca35ac4d1 net/colo-compare.c: Expose "expired_scan_cycle" to users
The "expired_scan_cycle" determines period of scanning expired
primary node net packets.

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Zhang Chen
9cc43c94b3 net/colo-compare.c: Expose "compare_timeout" to users
The "compare_timeout" determines the maximum time to hold the primary net packet.
This patch expose the "compare_timeout", make user have ability to
adjest the value according to application scenarios.

QMP command demo:
    { "execute": "qom-get",
         "arguments": { "path": "/objects/comp0",
                        "property": "compare_timeout" } }

    { "execute": "qom-set",
         "arguments": { "path": "/objects/comp0",
                        "property": "compare_timeout",
                        "value": 5000} }

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
767cc9a9c1 hw/net/can: Make CanBusClientInfo::can_receive() return a boolean
The CanBusClientInfo::can_receive handler return whether the
device can or can not receive new frames. Make it obvious by
returning a boolean type.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
b8c4b67e3e hw/net: Make NetCanReceive() return a boolean
The NetCanReceive handler return whether the device can or
can not receive new packets. Make it obvious by returning
a boolean type.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
3317db7439 hw/net/rtl8139: Update coding style to make checkpatch.pl happy
We will modify this code in the next commit. Clean it up
first to avoid checkpatch.pl errors.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
2fa3d2d401 hw/net/rtl8139: Simplify if/else statement
Rewrite:

      if (E) {
          return A;
      } else {
          return B;
      }
      /* EOF */
  }

as:

      if (E) {
          return A;
      }
      return B;
  }

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
0002c3a696 hw/net/smc91c111: Let smc91c111_can_receive() return a boolean
The smc91c111_can_receive() function simply returns a boolean value.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
205ce5670f hw/net/e1000e_core: Let e1000e_can_receive() return a boolean
The e1000e_can_receive() function simply returns a boolean value.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Andrew Melnychenko
f22a57ac09 Fixed integer overflow in e1000e
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1737400
Fixed setting max_queue_num if there are no peers in
NICConf. qemu_new_nic() creates NICState with 1 NetClientState(index
0) without peers, set max_queue_num to 0 - It prevents undefined
behavior and possible crashes, especially during pcie hotplug.

Fixes: 6f3fbe4ed0 ("net: Introduce e1000e device emulation")
Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Peter Maydell
a43790f2f6 hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
The i82596_receive() function attempts to pass the guest a buffer
which is effectively the concatenation of the data it is passed and a
4 byte CRC value.  However, rather than implementing this as "write
the data; then write the CRC" it instead bumps the length value of
the data by 4, and writes 4 extra bytes from beyond the end of the
buffer, which it then overwrites with the CRC.  It also assumed that
we could always fit all four bytes of the CRC into the final receive
buffer, which might not be true if the CRC needs to be split over two
receive buffers.

Calculate separately how many bytes we need to transfer into the
guest's receive buffer from the source buffer, and how many we need
to transfer from the CRC work.

We add a count 'bufsz' of the number of bytes left in the source
buffer, which we use purely to assert() that we don't overrun.

Spotted by Coverity (CID 1419396) for the specific case when we end
up using a local array as the source buffer.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Philippe Mathieu-Daudé
baba731bc6 hw/net/i82596: Correct command bitmask (CID 1419392)
The command is 32-bit, but we are loading the 16 upper bits with
the 'get_uint16(s->scb + 2)' call.

Once shifted by 16, the command bits match the status bits:

- Command
  Bit 31 ACK-CX   Acknowledges that the CU completed an Action Command.
  Bit 30 ACK-FR   Acknowledges that the RU received a frame.
  Bit 29 ACK-CNA  Acknowledges that the Command Unit became not active.
  Bit 28 ACK-RNR  Acknowledges that the Receive Unit became not ready.

- Status
  Bit 15 CX       The CU finished executing a command with its I(interrupt) bit set.
  Bit 14 FR       The RU finished receiving a frame.
  Bit 13 CNA      The Command Unit left the Active state.
  Bit 12 RNR      The Receive Unit left the Ready state.

Add the SCB_COMMAND_ACK_MASK definition to simplify the code.

This fixes Coverity 1419392 (CONSTANT_EXPRESSION_RESULT):

  /hw/net/i82596.c: 352 in examine_scb()
  346         cuc = (command >> 8) & 0x7;
  347         ruc = (command >> 4) & 0x7;
  348         DBG(printf("MAIN COMMAND %04x  cuc %02x ruc %02x\n", command, cuc, ruc));
  349         /* and clear the scb command word */
  350         set_uint16(s->scb + 2, 0);
  351
  >>>     CID 1419392:    (CONSTANT_EXPRESSION_RESULT)
  >>>     "command & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
  352         if (command & BIT(31))      /* ACK-CX */
  353             s->scb_status &= ~SCB_STATUS_CX;
  >>>     CID 1419392:    (CONSTANT_EXPRESSION_RESULT)
  >>>     "command & (1073741824UL /* 1UL << 30 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
  354         if (command & BIT(30))      /*ACK-FR */
  355             s->scb_status &= ~SCB_STATUS_FR;
  >>>     CID 1419392:    (CONSTANT_EXPRESSION_RESULT)
  >>>     "command & (536870912UL /* 1UL << 29 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
  356         if (command & BIT(29))      /*ACK-CNA */
  357             s->scb_status &= ~SCB_STATUS_CNA;
  >>>     CID 1419392:    (CONSTANT_EXPRESSION_RESULT)
  >>>     "command & (268435456UL /* 1UL << 28 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
  358         if (command & BIT(28))      /*ACK-RNR */
  359             s->scb_status &= ~SCB_STATUS_RNR;

Fixes: Covertiy CID 1419392 (commit 376b851909)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
Peter Maydell
2a95551e8b Improve PIE and other linkage
Fix for decodetree vs Python3 floor division operator
 Fix i386 INDEX_op_dup2_vec expansion
 Fix loongson multimedia condition instructions
 -----BEGIN PGP SIGNATURE-----
 
 iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAl6CvfcdHHJpY2hhcmQu
 aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV+XrggApayNTkf5iPVa3UT7
 6iMlA0rKjzck7PUf4vxSnkiHKhBQ95Lkck9U2kSTjO4utzFEV/iirYL9HhbNfZgH
 J9HsfSPnE2I/AzT8hKWK0UMLXK8/lroTAPmMPZcUt7usL6VVj5aH8UDBKYKALsGd
 We3eSPdmdTxbAvmLE2Axa55R+YHJihrBaaY0BoDBSmQCqufy554HQmVKkJzbn5pw
 BQFKkKbdGillgptteUmT6lDlBOJ4Vs4DicPrxXV6ERfYGuLmfwC/zHvcWQj+3wV7
 FPlQN55qmcUy0Wqo4CIys3nQqF6ken4anpu+wGm4cC9YOuh6YGdUrJ7zr0rtyN1y
 f/3J5g==
 =muAX
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200330' into staging

Improve PIE and other linkage
Fix for decodetree vs Python3 floor division operator
Fix i386 INDEX_op_dup2_vec expansion
Fix loongson multimedia condition instructions

# gpg: Signature made Tue 31 Mar 2020 04:50:15 BST
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A  05C0 64DF 38E8 AF7E 215F

* remotes/rth/tags/pull-tcg-20200330:
  decodetree: Use Python3 floor division operator
  tcg/i386: Fix INDEX_op_dup2_vec
  target/mips: Fix loongson multimedia condition instructions
  configure: Support -static-pie if requested
  configure: Override the os default with --disable-pie
  configure: Unnest detection of -z,relro and -z,now
  configure: Always detect -no-pie toolchain support
  configure: Do not force pie=no for non-x86
  tcg: Remove softmmu code_gen_buffer fixed address
  configure: Drop adjustment of textseg

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-31 11:20:21 +01:00
Philippe Mathieu-Daudé
b412378785 decodetree: Use Python3 floor division operator
This script started using Python2, where the 'classic' division
operator returns the floor result. In commit 3d004a371 we started
to use Python3, where the division operator returns the float
result ('true division').
To keep the same behavior, use the 'floor division' operator "//"
which returns the floor result.

Fixes: 3d004a371
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200330121345.14665-1-f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-03-30 11:44:04 -07:00
Richard Henderson
e20cb81d9c tcg/i386: Fix INDEX_op_dup2_vec
We were only constructing the 64-bit element, and not
replicating the 64-bit element across the rest of the vector.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-03-30 11:16:17 -07:00
Peter Maydell
83019e81d1 target-arm queue:
* hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
  * hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
  * docs/conf.py: Raise ConfigError for bad Sphinx Python version
  * hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
  * hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
  * target/arm: fix incorrect current EL bug in aarch32 exception emulation
 -----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAl6B9cIZHHBldGVyLm1h
 eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3pQBD/9L9M02vXS54OaJba8TAhOP
 KM+2psCTwJOMS7r9NWUWUHUY4mHoQZurXb5yDt3XJwlBe3LTfBxU/Se4SGgbJ5OQ
 ETBm54IpBpdPfhHKF4UuckiBPCSg8DN5FWIXh9MslBrSPr/0BHfPfQfyvy21hm8w
 PV2TpLP27J1tYeZmnZ2cL0YMN2/dp/VmYJO0hE3o8SJPtLV7RrevYgcYzJ1J89uP
 HvX2hzQHyqgm0V+a9zKBdP7EsUZhxd7CYaBcTNmG2cukv/7srcaPs2fZw9KuzwsJ
 FlHnFQqJOOEhE4Ir6uj/IwD0dWf7sVFPunEssAy/YnQwgAbMRktSX9lQ/AkKMztt
 d3J+8X4ApIiysljBxtTtkT8JteCyPEisFumoKVx+lxn3hKhvRYdXlP1EZKreaLoz
 QbCJjlcO5+GLpn1BcBt4tWZ9cJPisHZZNbZlsaG5IMHGwFrH0NTxba261JQhLmWX
 a6InvekjwBMTY2rzFIxCkLFquZBal2t2H9salPaW26hcTAOPjGghHhpPqWkdXu0E
 t9P+NgCOLhi+oIVX8FGHDu5NQwbtSIUy1wwwP5AhKOeUXW+rHut/AQHS/BRq4XId
 relYucjsSdoMC9X1mrRHNWYPKaUBV+/0xQw29XKmoTlMkvvYZl13WNhWuvFV596U
 wapi0SFTN3VijDgr+TwVYw==
 =6mtl
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200330' into staging

target-arm queue:
 * hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
 * hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
 * docs/conf.py: Raise ConfigError for bad Sphinx Python version
 * hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
 * hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
 * target/arm: fix incorrect current EL bug in aarch32 exception emulation

# gpg: Signature made Mon 30 Mar 2020 14:36:02 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20200330:
  target/arm: fix incorrect current EL bug in aarch32 exception emulation
  hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
  hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
  docs/conf.py: Raise ConfigError for bad Sphinx Python version
  hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
  hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30 14:37:20 +01:00
Changbin Du
88828bf133 target/arm: fix incorrect current EL bug in aarch32 exception emulation
The arm_current_el() should be invoked after mode switching. Otherwise, we
get a wrong current EL value, since current EL is also determined by
current mode.

Fixes: 4a2696c0d4 ("target/arm: Set PAN bit as required on exception entry")
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200328140232.17278-1-changbin.du@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30 13:55:32 +01:00
Peter Maydell
660b4e7042 hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
In some places in xlnx_zynqmp_realize() we were putting an
error into our local Error*, but forgetting to check for
failure and pass it back to the caller. Add the missing code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200324134947.15384-3-peter.maydell@linaro.org
2020-03-30 13:18:59 +01:00
Peter Maydell
63fef6287e hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
In xlnx_zynqmp_realize() if the attempt to realize the SD
controller object fails then the error-return path will leak
the 'bus_name' string. Fix this by deferring the allocation
until after the realize has succeeded.

Fixes: Coverity CID 1421911
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200324134947.15384-2-peter.maydell@linaro.org
2020-03-30 13:18:59 +01:00
Peter Maydell
e22684e34d docs/conf.py: Raise ConfigError for bad Sphinx Python version
Raise ConfigError rather than VersionRequirementError when we detect
that the Python being used by Sphinx is too old.

Currently the way we flag the Python version problem up to the user
causes Sphinx to print an unnecessary Python stack trace as well as
the information about the problem; in most versions of Sphinx this is
unavoidable.

The upstream Sphinx developers kindly added a feature to allow
conf.py to report errors to the user without the backtrace:
  be608ca231
but the exception type they chose for this was ConfigError.

Switch to ConfigError, which won't make any difference with currently
deployed Sphinx versions, but will be prettier one day when the user
is using a Sphinx version with the new feature.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 20200313163616.30674-1-peter.maydell@linaro.org
2020-03-30 13:18:59 +01:00
Niek Linnenbank
34d8df2a1d hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
The allwinner_h3_dramc_map_rows function simulates row addressing behavior
when bootloader software attempts to detect the amount of available SDRAM.

Currently the line that calculates the 64-bit address of the mirrored row
uses a signed 32-bit multiply operation that in theory could result in the
upper 32-bit be all 1s. This commit ensures that the row mirror address
is calculated using only 64-bit operations.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200323192944.5967-1-nieklinnenbank@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30 13:18:58 +01:00
Niek Linnenbank
c251191eae hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
The Orange Pi PC initialization function needs to verify that the SD card
block backend is usable before calling the Boot ROM setup routine. When
calling blk_is_available() the input parameter should not be NULL.
This commit ensures that blk_is_available is only called with non-NULL input.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200322205439.15231-1-nieklinnenbank@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30 13:18:58 +01:00
Peter Maydell
f9fe8450fa Add support for futex_time64
-----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEEzS913cjjpNwuT1Fz8ww4vT8vvjwFAl6ByfwSHGxhdXJlbnRA
 dml2aWVyLmV1AAoJEPMMOL0/L748FkkP/R+CI6lKTg97ZbQBlnQ4aeeu/amp/WYb
 +qbVnsC0ZMm3gQn5jwrILfUHfX12TimLwwIcEsD0/CgOFOClkyA7GafdoT8SiPSV
 R58L95/eB7EPSXo813b9SIa6dIIYprsyKrq6rvywMyiC3EOMQj86KkNR4PF5jtdQ
 qCDOlGV+GVUZVleuhpGsBeghvCSArLr07PQUP3QuUk/Gn88OrAOqk1cBSFxhpsq8
 iD29Vq/RTwHsrEzrFd1+g+4GzClQZAMB3llZpMBN1m5t04+Ip0OxdHh0O34BMwq2
 M4tAm9idzkZBKirAz6kDhxQTLDiPS8AnrjR0JTEALxB6k16DZ4fDVYSwvziMsiP/
 H0XccK+1ogbsYYwjxErJRP1lRpXJzdxlTChTwp54f2ihn4YL0ulIPLZ/aFyqrBGM
 5Nk98XM/Yr3kKUvyBYDe7MP3z/O9WZryc+UHS/IlvRC96iu7eZADaEbt8HkdLvw8
 yS5jVxyAovvITUgQsyA5rNPC5ryk0g9ZLd8p26hN7PrEcYfbQG9jjqRyhjS/zCo0
 NIZ20zjMjOYOV+f1NQ66n0ZYPOtmfjZQG11TrKxx7XBk76FRRY5hQXTRe3QsMxwd
 uPP+VeP8SnUIrhOL2shlgPxF8TXkrzdP52xxKALE1qYynC8DNUWi1kUpIBL0z1Pf
 E3/kjhwoTG2m
 =NcDg
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-5.0-pull-request' into staging

Add support for futex_time64

# gpg: Signature made Mon 30 Mar 2020 11:29:16 BST
# gpg:                using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C
# gpg:                issuer "laurent@vivier.eu"
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full]
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>" [full]
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full]
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier2/tags/linux-user-for-5.0-pull-request:
  linux-user: Support futex_time64

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-30 11:32:01 +01:00
Alistair Francis
146902964d linux-user: Support futex_time64
Add support for host and target futex_time64. If futex_time64 exists on
the host we try that first before falling back to the standard futex
syscall.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <d9390e368a9a1fd32d52aa771815e6e3d40cb1d4.1584571250.git.alistair.francis@wdc.com>
[lv: define sys_futex() if __NR_futex is defined (fix bug on 32bit host),
     remove duplicate get_errno()]
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2020-03-30 12:28:30 +02:00
Gerd Hoffmann
17e89077b7 acpi: add acpi=OnOffAuto machine property to x86 and arm virt
Remove the global acpi_enabled bool and replace it with an
acpi OnOffAuto machine property.

qemu throws an error now if you use -no-acpi while the machine
type you are using doesn't support acpi in the first place.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20200320100136.11717-1-kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Li Feng
9d283f85d7 fix vhost_user_blk_watch crash
the G_IO_HUP is watched in tcp_chr_connect, and the callback
vhost_user_blk_watch is not needed, because tcp_chr_hup is registered as
callback. And it will close the tcp link.

Signed-off-by: Li Feng <fengli@smartx.com>
Message-Id: <20200323052924.29286-1-fengli@smartx.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Peter Maydell
32a2d6b1f6 hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
In the function amdvi_log_event(), we write an event log buffer
entry into guest ram, whose contents are passed to the function
via the "uint64_t *evt" argument. Unfortunately, a spurious
'&' in the call to dma_memory_write() meant that instead of
writing the event to the guest we would write the literal value
of the pointer, plus whatever was in the following 8 bytes
on the stack. This error was spotted by Coverity.

Fix the bug by removing the '&'.

Fixes: CID 1421945
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Pan Nengyuan
de38ed3007 virtio-iommu: avoid memleak in the unrealize
req_vq/event_vq forgot to free in unrealize. Fix that.
And also do clean 's->as_by_busptr' hash table in unrealize to fix another leak.

Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-Id: <20200328005705.29898-3-pannengyuan@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Pan Nengyuan
cfaf757edd virtio-blk: delete vqs on the error path in realize()
virtio_vqs forgot to free on the error path in realize(). Fix that.

The asan stack:
Direct leak of 14336 byte(s) in 1 object(s) allocated from:
    #0 0x7f58b93fd970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
    #1 0x7f58b858249d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
    #2 0x5562cc627f49 in virtio_add_queue /mnt/sdb/qemu/hw/virtio/virtio.c:2413
    #3 0x5562cc4b524a in virtio_blk_device_realize /mnt/sdb/qemu/hw/block/virtio-blk.c:1202
    #4 0x5562cc613050 in virtio_device_realize /mnt/sdb/qemu/hw/virtio/virtio.c:3615
    #5 0x5562ccb7a568 in device_set_realized /mnt/sdb/qemu/hw/core/qdev.c:891
    #6 0x5562cd39cd45 in property_set_bool /mnt/sdb/qemu/qom/object.c:2238

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200328005705.29898-2-pannengyuan@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Igor Mammedov
a3ec4bb7e5 acpi: pcihp: fix left shift undefined behavior in acpi_pcihp_eject_slot()
Coverity spots subj in following guest triggered code path
  pci_write(, data = 0) -> acpi_pcihp_eject_slot(,slots = 0)
     uinst32_t slot = ctz32(slots)
     ...
     ... = ~(1U << slot)
where 'slot' value is 32 in case 'slots' bitmap is empty.
'slots' is a bitmap and empty one shouldn't  do anything
so return early doing nothing if resulted slot value is
not valid (i.e. not in 0-31 range)

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20200326135624.32464-1-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 09:52:13 -04:00
Pan Nengyuan
0d930b870a virtio-serial-bus: Plug memory leak on realize() error paths
We neglect to free port->bh on the error paths.  Fix that.
Reproducer:
    {'execute': 'device_add', 'arguments': {'id': 'virtio_serial_pci0', 'driver': 'virtio-serial-pci', 'bus': 'pci.0', 'addr': '0x5'}, 'id': 'yVkZcGgV'}
    {'execute': 'device_add', 'arguments': {'id': 'port1', 'driver': 'virtserialport', 'name': 'port1', 'chardev': 'channel1', 'bus': 'virtio_serial_pci0.0', 'nr': 1}, 'id': '3dXdUgJA'}
    {'execute': 'device_add', 'arguments': {'id': 'port2', 'driver': 'virtserialport', 'name': 'port2', 'chardev': 'channel2', 'bus': 'virtio_serial_pci0.0', 'nr': 1}, 'id': 'qLzcCkob'}
    {'execute': 'device_add', 'arguments': {'id': 'port2', 'driver': 'virtserialport', 'name': 'port2', 'chardev': 'channel2', 'bus': 'virtio_serial_pci0.0', 'nr': 2}, 'id': 'qLzcCkob'}

The leak stack:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f04a8008ae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
    #1 0x7f04a73cf1d5 in g_malloc (/lib64/libglib-2.0.so.0+0x531d5)
    #2 0x56273eaee484 in aio_bh_new /mnt/sdb/backup/qemu/util/async.c:125
    #3 0x56273eafe9a8 in qemu_bh_new /mnt/sdb/backup/qemu/util/main-loop.c:532
    #4 0x56273d52e62e in virtser_port_device_realize /mnt/sdb/backup/qemu/hw/char/virtio-serial-bus.c:946
    #5 0x56273dcc5040 in device_set_realized /mnt/sdb/backup/qemu/hw/core/qdev.c:891
    #6 0x56273e5ebbce in property_set_bool /mnt/sdb/backup/qemu/qom/object.c:2238
    #7 0x56273e5e5a9c in object_property_set /mnt/sdb/backup/qemu/qom/object.c:1324
    #8 0x56273e5ef5f8 in object_property_set_qobject /mnt/sdb/backup/qemu/qom/qom-qobject.c:26
    #9 0x56273e5e5e6a in object_property_set_bool /mnt/sdb/backup/qemu/qom/object.c:1390
    #10 0x56273daa40de in qdev_device_add /mnt/sdb/backup/qemu/qdev-monitor.c:680
    #11 0x56273daa53e9 in qmp_device_add /mnt/sdb/backup/qemu/qdev-monitor.c:805

Fixes: 199646d815
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Amit Shah <amit@kernel.org>
Message-Id: <20200309021738.30072-1-pannengyuan@huawei.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 06:33:47 -04:00
David Hildenbrand
6d7b25ad6e MAINTAINERS: Add myself as virtio-balloon co-maintainer
As suggested by Michael, let's add me as co-maintainer of virtio-balloon.
While at it, also add "balloon.c" and "include/sysemu/balloon.h" to the
file list.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200312133725.8192-1-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 06:33:47 -04:00
Michael S. Tsirkin
1c3c9a8c5a checkpatch: enforce process for expected files
If the process documented in tests/qtest/bios-tables-test.c
is followed, then same patch never touches both expected
files and code. Teach checkpatch to enforce this rule.

Tested-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-03-29 06:33:47 -04:00
Jiaxun Yang
84878f4c00 target/mips: Fix loongson multimedia condition instructions
Loongson multimedia condition instructions were previously implemented as
write 0 to rd due to lack of documentation. So I just confirmed with Loongson
about their encoding and implemented them correctly.

Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Acked-by: Huacai Chen <chenhc@lemote.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
Message-Id: <20200324122212.11156-1-jiaxun.yang@flygoat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-03-28 14:09:45 -07:00
Richard Henderson
127814629b configure: Support -static-pie if requested
Recent toolchains support static and pie at the same time.

As with normal dynamic builds, allow --static to default to PIE
if supported by the toolchain.  Allow --enable/--disable-pie to
override the default.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
v2: Fix --disable-pie --static
v3: Update for QEMU_LDFLAGS.
2020-03-28 14:09:45 -07:00
Richard Henderson
2c674109c2 configure: Override the os default with --disable-pie
Some distributions, e.g. Ubuntu 19.10, enable PIE by default.
If for some reason one wishes to build a non-pie binary, we
must provide additional options to override.

At the same time, reorg the code to an elif chain.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
v3: Update for QEMU_LDFLAGS.
2020-03-28 14:09:45 -07:00