Commit Graph

94870 Commits

Author SHA1 Message Date
Alex Bennée
e618e1f9b4 target/i386: fix byte swap issue with XMM register access
During the conversion to the gdb_get_reg128 helpers the high and low
parts of the XMM register where inadvertently swapped. This causes
reads of the register to report the incorrect value to gdb.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/971
Fixes: b7b8756a9c (target/i386: use gdb_get_reg helpers)
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: qemu-stable@nongnu.org
Message-Id: <20220419091020.3008144-25-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
f9caa8feea tests/tcg: add missing reference files for float_convs
We might as well include a reference file for i386/x86_64. I was going
to include s390x as well but it's broken hence I raised:

  https://gitlab.com/qemu-project/qemu/-/issues/979.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220419091020.3008144-24-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
2931014c3d tests/tcg: add float_convd test
This is a simple transliteration of the float_convs test but this time
working with doubles. I'm used it to test the handling of vector
registers in gdbstub but wasn't able to find a non-ugly way to
automate it.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-23-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
9730a27ef4 tests/tcg: remove duplicate sha512-sse case
We already generate the sha512-sse case in the i386 makefile which
works for both i386 and x86_64.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Fixes: f8a4c6d728 ("tests/tcg: add vectorised sha512 versions")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-22-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
a5ed13cd31 tests/tcg: fix non-static build
If linking with -static fails at configure time, -static should not be used
at build time either. Do not include BUILD_STATIC in $config_target_mak.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-18-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-21-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
77162849a6 tests/docker: remove SKIP_DOCKER_BUILD
It is now unused.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-17-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-20-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
544f4a2578 tests/tcg: isolate from QEMU's config-host.mak
Do not include variables for the QEMU's own compiler, as they
are not necessarily related to the cross compiler used for tests/tcg.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-16-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-19-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
eebf199c09 tests/tcg: invoke Makefile.target directly from QEMU's makefile
Build the "docker.py cc" invocation directly in tests/tcg/configure.sh, and
remove the Makefile.qemu wrapper around Makefile.target.  The config-*.mak
files now include the actual variables used when building the tests, rather
than the CROSS_* variables that Makefile.qemu used to "translate".

This is a first step towards generalizing the cross-compilation infrastructure
so that it can be used for firmware as well.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-15-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-18-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
5377a10001 tests/tcg: list test targets in Makefile.prereqs
Omit the rules altogether for targets that do not have a compiler.
Makefile.qemu now is only invoked if the tests are actually built/run.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-14-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-17-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
f2d5935145 tests/tcg: prepare Makefile.prereqs at configure time
List the dependencies of the build-tcg-tests-* and run-tcg-tests-*
targets in a Makefile fragment, without going through Makefile.prereqs's
"parsing" of config-*.mak.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-13-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-16-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
8e61ecca4a tests/tcg: remove CONFIG_USER_ONLY from config-target.mak
Just check the target name instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-12-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-15-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
3996dab2be tests/tcg: remove CONFIG_LINUX_USER from config-target.mak
Just check the target name instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220401141326.1244422-11-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-14-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
f084839aba tests/tcg: add compiler test variables when using containers
Even for container-based cross compilation use $(CROSS_CC_HAS_*) variables.
This makes the TCG test makefiles oblivious of whether the compiler is
invoked through a container or not.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-10-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-13-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
426045aed8 tests/docker: do not duplicate rules for hexagon-cross
The commands for docker-image-debian-hexagon-cross are the same as those
in debian-toolchain-run, just with a nonstandard path to build-toolchain.sh.
Reuse the definition by renaming the debian-hexagon-cross.docker.d directory.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-9-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-12-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
d39eaa2266 tests/docker: simplify docker-TEST@IMAGE targets
No need to go through the shell when we already have the test and images at
the point where the targets are declared.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-8-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-11-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
bbb5ba8633 tests/docker: remove unnecessary filtering of $(DOCKER_IMAGES)
Now that DOCKER_IMAGES is only defined after DOCKER_VIRTUAL_IMAGES is
complete, there is no need to re-filter DOCKER_IMAGES against it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-7-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-10-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
79bd3ae9d3 tests/docker: inline variable definitions or move close to use
Variables that are defined with ":=" are handled imperatively, so moving
them closer to the first use ensures that all the assignments prior to
the first use are taken into account.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-6-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-9-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
1d64909543 tests/docker: remove unnecessary default definitions
The definition of DOCKER_IMAGES and DOCKER_TESTS copes already with an
empty value of $(IMAGES) and $(TESTS), no need to force them to "%" if
undefined.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-5-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-8-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
681b685571 tests/docker: remove dead variable
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-4-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-7-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
28766b9eb4 tests/docker: remove test targets
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220401141326.1244422-3-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-6-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Paolo Bonzini
42ae4b0ef4 tests/docker: remove dead code for linux-user containers
debian-powerpc-user-cross was the only linux-user powered cross builder
and it was removed in commit 80394ccf21 ("tests/docker: remove
debian-powerpc-user-cross", 2019-09-26). Remove all the infrastructure
around it since it is now unused.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20220401141326.1244422-2-pbonzini@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-5-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
ab20edf59d docs/devel: drop :hidden: and :includehidden: tags
This was confusing and in the case of qtest was hiding the details of
the qgraph sub-document in the qtest pages.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-4-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
396408ee92 docs/devel: add some notes on the binfmt-image-debian targets
We document some of this on the wiki but lets move it into our
official developer notes documentation.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-3-alex.bennee@linaro.org>
2022-04-20 16:04:20 +01:00
Alex Bennée
11593544df tests/avocado: update aarch64_virt test to exercise -cpu max
The Fedora 29 kernel is quite old and importantly fails when running
in LPA2 scenarios. As it's not really exercising much of the CPU space
replace it with a custom 5.16.12 kernel with all the architecture
options turned on. There is a minimal buildroot initramfs included in
the kernel which has a few tools for stress testing the memory
subsystem. The userspace also targets the Neoverse N1 processor so
would fail with a v8.0 cpu like cortex-a53.

While we are at it move the test into its own file so it can have an
assigned maintainer.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220419091020.3008144-2-alex.bennee@linaro.org>
2022-04-20 16:04:16 +01:00
Richard Henderson
1be5a765c0 * Add cpu0-id to query-sev-capabilities
* whpx support for breakpoints and stepping
 * initial support for Hyper-V Synthetic Debugging
 * use monotonic clock for QemuCond and QemuSemaphore
 * Remove qemu-common.h include from most units and lots of other clenaups
 * do not include headers for all virtio devices in virtio-ccw.h
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmJXCQAUHHBib256aW5p
 QHJlZGhhdC5jb20ACgkQv/vSX3jHroNT6wf+NHDJUEdDiwaVGVTGXgHuiaycsymi
 FpNPiw/+XxSGN5xF3fkUGgqaDrcwIYwVfnXlghKSz8kp1cP3cjxa5CzNMLGTp5je
 N6BxFbD7yC6dhagGm3mj32jlsptv3M38OHqKc3t+RaUAotP5RF2VdCyfUBLG6vU0
 aMzvMfMtB5aG0D8Fr5EV63t1JMTceFU0YxsG73UCFs2Yx4Z0cGBbNxMbHweRhd1q
 tPeVDS46MFPM3/2cGGHpeeqxkoCTU7A9j1VuNQI3k+Kg+6W5YVxiK/UP7bw77E/a
 yAHsmIVTNro8ajMBch73weuHtGtdfFLvCKc6QX6aVjzK4dF1voQ01E7gPQ==
 =rMle
 -----END PGP SIGNATURE-----

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* Add cpu0-id to query-sev-capabilities
* whpx support for breakpoints and stepping
* initial support for Hyper-V Synthetic Debugging
* use monotonic clock for QemuCond and QemuSemaphore
* Remove qemu-common.h include from most units and lots of other clenaups
* do not include headers for all virtio devices in virtio-ccw.h

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmJXCQAUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroNT6wf+NHDJUEdDiwaVGVTGXgHuiaycsymi
# FpNPiw/+XxSGN5xF3fkUGgqaDrcwIYwVfnXlghKSz8kp1cP3cjxa5CzNMLGTp5je
# N6BxFbD7yC6dhagGm3mj32jlsptv3M38OHqKc3t+RaUAotP5RF2VdCyfUBLG6vU0
# aMzvMfMtB5aG0D8Fr5EV63t1JMTceFU0YxsG73UCFs2Yx4Z0cGBbNxMbHweRhd1q
# tPeVDS46MFPM3/2cGGHpeeqxkoCTU7A9j1VuNQI3k+Kg+6W5YVxiK/UP7bw77E/a
# yAHsmIVTNro8ajMBch73weuHtGtdfFLvCKc6QX6aVjzK4dF1voQ01E7gPQ==
# =rMle
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 13 Apr 2022 10:31:44 AM PDT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [undefined]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (53 commits)
  target/i386: Remove unused XMMReg, YMMReg types and CPUState fields
  target/i386: do not access beyond the low 128 bits of SSE registers
  virtio-ccw: do not include headers for all virtio devices
  virtio-ccw: move device type declarations to .c files
  virtio-ccw: move vhost_ccw_scsi to a separate file
  s390x: follow qdev tree to detect SCSI device on a CCW bus
  hw: hyperv: Initial commit for Synthetic Debugging device
  hyperv: Add support to process syndbg commands
  hyperv: Add definitions for syndbg
  hyperv: SControl is optional to enable SynIc
  thread-posix: optimize qemu_sem_timedwait with zero timeout
  thread-posix: implement Semaphore with QemuCond and QemuMutex
  thread-posix: use monotonic clock for QemuCond and QemuSemaphore
  thread-posix: remove the posix semaphore support
  whpx: Added support for breakpoints and stepping
  build-sys: simplify AF_VSOCK check
  build-sys: drop ntddscsi.h check
  Remove qemu-common.h include from most units
  qga: remove explicit environ argument from exec/spawn
  Move fcntl_setfl() to oslib-posix
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2022-04-19 18:22:16 -07:00
Richard Henderson
3202995c13 Open 7.1 development tree
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2022-04-19 18:21:23 -07:00
Peter Maydell
823a3f11fb Update version for v7.0.0 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-19 18:44:36 +01:00
Peter Maydell
c9e28ae797 target/i386: Remove unused XMMReg, YMMReg types and CPUState fields
In commit b7711471f5 in 2014 we refactored the handling of the x86
vector registers so that instead of separate structs XMMReg, YMMReg
and ZMMReg for representing the 16-byte, 32-byte and 64-byte width
vector registers and multiple fields in the CPU state, we have a
single type (XMMReg, later renamed to ZMMReg) and a single struct
field (xmm_regs).  However, in 2017 in commit c97d6d2cdf some of
the old struct types and CPU state fields got added back, when we
merged in the hvf support (which had developed in a separate fork
that had presumably not had the refactoring of b7711471f5), as part
of code handling xsave.  Commit f585195ec0 then almost immediately
dropped that xsave code again in favour of sharing the xsave handling
with KVM, but forgot to remove the now unused CPU state fields and
struct types.

Delete the unused types and CPUState fields.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20220412110047.1497190-1-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-13 19:00:31 +02:00
Paolo Bonzini
d22697dde0 target/i386: do not access beyond the low 128 bits of SSE registers
The i386 target consolidates all vector registers so that instead of
XMMReg, YMMReg and ZMMReg structs there is a single ZMMReg that can
fit all of SSE, AVX and AVX512.

When TCG copies data from and to the SSE registers, it uses the
full 64-byte width.  This is not a correctness issue because TCG
never lets guest code see beyond the first 128 bits of the ZMM
registers, however it causes uninitialized stack memory to
make it to the CPU's migration stream.

Fix it by only copying the low 16 bytes of the ZMMReg union into
the destination register.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-13 18:59:52 +02:00
Peter Maydell
81c7ed41a1 Update version for v7.0.0-rc4 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-12 17:01:34 +01:00
Wentao Liang
4bf58c7213 virtio-iommu: use-after-free fix
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:

> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599     for (;;) {
> ...
> 615         sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616         if (unlikely(sz != sizeof(head))) {
> 617             tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618             goto out;
> 619         }
> ...
> 639             buf = g_malloc0(output_size);
> ...
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
>
> We can fix it by set ‘buf‘ to NULL after freeing it:
>
>
> 651 out:
> 652         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653                           buf ? buf : &tail, output_size);
> ...
> 659         g_free(buf);
> +++ buf = NULL;
> 660     }

Fix as suggested by the reporter.

Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-08 15:02:09 +01:00
Peter Maydell
dde8689d1f two cursor/qxl related security fixes.
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmJPu/wACgkQTLbY7tPo
 cTj+JRAAkPmHGgICyETafBCFJbaDD6ySLxUjPbvzz1ng3OT/pzUMDIyJZn5AgKBK
 4pnLQIFHBCO7JRAFaI85bUmvZUcLIca+5wmWcqeiRkrqD/FMqWPFQv6uLlJSVHri
 BsR6ZGgeqkiw743syZfWfuHLU0OgoirwihkymJe7hpiQ21isb/k6b2iqD9gVSgsJ
 fbMQ9byLeTPrm3W/znNhXe3zAGPd2hCmXFp1+UGkMYhIU3hSJpOz0CCCKBLoEVS1
 F2dGMtdZw65eaUe61TLO8TYHhjm6bbXwtKIKRs+81Nb/zhavOoR7g0u5MfwPLnme
 +UxUUGV3o+ziVM7lmwwImTLA2qr4VQHQ87sN9kDmBKOcAhYKv04UYSAQaQ9zOA+s
 FN+oQLxUL0TsYj2I6AAcLJ+zrnsZas1h1MptJTGBvUV3MU33qDvwJbk12EjiaRnK
 zy46J66QmwaNWJa0IMW9rnBcOkMu+qEshYmJZPsy8U1dif33fY4pGOeGoHzXmxVd
 RB94tXE/s/noBmNHw952a9SAGBKUFpQd8wPPNoYUlUV3qdg1wbf+babEr4Wxh8YE
 EBlBuWjSJoa0EWDAmtTo/52j2dup+aw90COsLrDZrJm/9nOiJSz0EfkxJsVzIjFn
 qfgzfEEdjHcMp2WqRip/eoHkAgtP7KGy7vO+11jHOXix93CJo1Y=
 =5ZKq
 -----END PGP SIGNATURE-----

Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into staging

two cursor/qxl related security fixes.

# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
  ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
  display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-08 10:43:30 +01:00
Mauro Matteo Cascella
fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.

Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-04-07 12:30:54 +02:00
Mauro Matteo Cascella
9569f5cb5b display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.

Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-04-07 12:30:54 +02:00
Peter Maydell
95a3fcc748 Update version for v7.0.0-rc3 release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-06 21:26:13 +01:00
Dr. David Alan Gilbert
a83c284490 acpi: fix acpi_index migration
vmstate_acpi_pcihp_use_acpi_index() was expecting AcpiPciHpState
as state but it actually received PIIX4PMState, because
VMSTATE_PCI_HOTPLUG is a macro and not another struct.
So it ended up accessing random pointer, which resulted
in 'false' return value and acpi_index field wasn't ever
sent.

However in 7.0 that pointer de-references to value > 0, and
destination QEMU starts to expect the field which isn't
sent in migratioon stream from older QEMU (6.2 and older).
As result migration fails with:
  qemu-system-x86_64: Missing section footer for 0000:00:01.3/piix4_pm
  qemu-system-x86_64: load of migration failed: Invalid argument

In addition with QEMU-6.2, destination due to not expected
state, also never expects the acpi_index field in migration
stream.

Q35 is not affected as it always sends/expects the field as
long as acpi based PCI hotplug is enabled.

Fix issue by introducing compat knob to never send/expect
acpi_index in migration stream for 6.2 and older PC machine
types and always send it for 7.0 and newer PC machine types.

Diagnosed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Fixes: b32bd76 ("pci: introduce acpi-index property for PCI device")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/932
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-06 20:03:26 +01:00
Paolo Bonzini
a43de79802 virtio-ccw: do not include headers for all virtio devices
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Paolo Bonzini
7da50d6411 virtio-ccw: move device type declarations to .c files
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Paolo Bonzini
7a523d96a0 virtio-ccw: move vhost_ccw_scsi to a separate file
Remove unecessary use of #ifdef CONFIG_VHOST_SCSI, instead just use a
separate file and a separate rule in meson.build.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Paolo Bonzini
7d2eb76d04 s390x: follow qdev tree to detect SCSI device on a CCW bus
Do not make assumptions on the parent type of the SCSIDevice, instead
use object_dynamic_cast all the way up to the CcwDevice.  This is cleaner
because there is no guarantee that the bus is on a virtio-scsi device;
that is only the case for the default configuration of QEMU's s390x
target.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Jon Doron
d8701185f4 hw: hyperv: Initial commit for Synthetic Debugging device
Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-5-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Jon Doron
73d2407407 hyperv: Add support to process syndbg commands
SynDbg commands can come from two different flows:
1. Hypercalls, in this mode the data being sent is fully
   encapsulated network packets.
2. SynDbg specific MSRs, in this mode only the data that needs to be
   transfered is passed.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-4-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Jon Doron
ccbdf5e81b hyperv: Add definitions for syndbg
Add all required definitions for hyperv synthetic debugger interface.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-3-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Jon Doron
64ddecc88b hyperv: SControl is optional to enable SynIc
SynIc can be enabled regardless of the SControl mechanisim which can
register a GSI for a given SintRoute.

This behaviour can achived by setting enabling SIMP and then the guest
will poll on the message slot.

Once there is another message pending the host will set the message slot
with the pending flag.
When the guest polls from the message slot, in case the pending flag is
set it will write to the HV_X64_MSR_EOM indicating it has cleared the
slot and we can try and push our message again.

Signed-off-by: Jon Doron <arilou@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20220216102500.692781-2-arilou@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Paolo Bonzini
8ab3026489 thread-posix: optimize qemu_sem_timedwait with zero timeout
In this case there is no need to call pthread_cond_timedwait; the
function is just a trywait and waiting on the condition variable would
always time out.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Longpeng(Mike)
a0d45db854 thread-posix: implement Semaphore with QemuCond and QemuMutex
Now that QemuSemaphore is implemented through pthread_cond_t only, we can use
QemuCond and QemuMutex to make the code smaller.  Features such as mutex
tracing and CLOCK_MONOTONIC timedwait are supported in qemu-sem naturally.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-4-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Longpeng(Mike)
657ac98b58 thread-posix: use monotonic clock for QemuCond and QemuSemaphore
Use CLOCK_MONOTONIC, so the timeout isn't affected by changes to
the system time. It depends on the pthread_condattr_setclock(),
while some systems(e.g. mac os) does not support it, so the behavior
won't change in these systems.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-3-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:56 +02:00
Longpeng(Mike)
f9fc8932b1 thread-posix: remove the posix semaphore support
POSIX specifies an absolute time for sem_timedwait(), it would be
affected if the system time is changing, but there is not a relative
time or monotonic clock version of sem_timedwait, so we cannot gain
from POSIX semaphore any more.

An alternative way is to use sem_trywait + usleep, maybe we can
remove CONFIG_SEM_TIMEDWAIT in this way? No, because some systems
(e.g. mac os) mark the sem_xxx API as deprecated.

So maybe remove the usage of POSIX semaphore and turn to use the
pthread variant for all systems looks better.

Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Message-Id: <20220222090507.2028-2-longpeng2@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:55 +02:00
Ivan Shcherbakov
d7482ffe97 whpx: Added support for breakpoints and stepping
Below is the updated version of the patch adding debugging support to WHPX.
It incorporates feedback from Alex Bennée and Peter Maydell regarding not
changing the emulation logic depending on the gdb connection status.

Instead of checking for an active gdb connection to determine whether QEMU
should intercept the INT1 exceptions, it now checks whether any breakpoints
have been set, or whether gdb has explicitly requested one or more CPUs to
do single-stepping. Having none of these condition present now has the same
effect as not using gdb at all.

Message-Id: <0e7f01d82e9e$00e9c360$02bd4a20$@sysprogs.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:55 +02:00
Marc-André Lureau
9d734b85ed build-sys: simplify AF_VSOCK check
The current test checks more than AF_VSOCK availability, and doesn't
need to be that long.

Since its introduction in Linux in 2013, AF_VSOCK came with
linux/vm_sockets.h for sockaddr_vm, let's check that.

We could even go back to the initial configure-less approach
proposed by Stefan Hajnoczi, since Michael Roth added the configure-time
check back then to satisfy glibc in Ubuntu 14. See:
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg08208.html

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220401115005.2204000-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-04-06 14:31:55 +02:00