Commit Graph

48275 Commits

Author SHA1 Message Date
Daniel P. Berrange
89d0a64f49 log: fix parsing of multiple trace:PATTERN log args
If giving QEMU a log arg which asks to enable multiple
different trace event patterns such as

  $QEMU -d trace:qio*,trace:qcrypto*

the parser will then invoke

  trace_enable_events("qio*,trace:qcrypto*")
  trace_enable_events("qcrypto*")

as when finding a 'trace:' prefix, it is not clever
enough to strip anything after the next comma. As
a result only the last 'trace:' match ever works.

Rather than trying to be more clever with parsing the
command line arg in place, simplify the code by
using g_strsplit to break it into individual strings
on ','. These resulting pieces can be directly used
without worrying about trailing data from the next
option.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473186343-16704-1-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 22:52:44 +02:00
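The two parsing strategies described in the message, as an added example in plain C (not QEMU's code): a strchr/strncmp split stands in for g_strsplit, and the TracePatterns collector, the nth_pattern helper and the input strings are constructed here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATTERNS 8
#define PATTERN_LEN 64

/* Patterns that would be handed to trace_enable_events(), collected so the
 * two parsing strategies can be compared.  Constructed for this example. */
typedef struct {
    int count;
    char pattern[MAX_PATTERNS][PATTERN_LEN];
} TracePatterns;

static void add_pattern(TracePatterns *tp, const char *s, size_t n)
{
    if (tp->count >= MAX_PATTERNS) {
        return;
    }
    if (n >= PATTERN_LEN) {
        n = PATTERN_LEN - 1;
    }
    memcpy(tp->pattern[tp->count], s, n);
    tp->pattern[tp->count][n] = '\0';
    tp->count++;
}

/* Pre-fix shape: find each "trace:" in the whole -d string and pass
 * everything after it.  The first pattern drags the rest of the option
 * list along ("qio*,trace:qcrypto*"), so only the last one ever names a
 * real event.  Returns the number of patterns collected. */
int parse_log_naive(const char *arg, TracePatterns *out)
{
    const char *p = arg;
    out->count = 0;
    while ((p = strstr(p, "trace:")) != NULL) {
        p += strlen("trace:");
        add_pattern(out, p, strlen(p));
    }
    return out->count;
}

/* Post-fix shape: split on ',' first (the role g_strsplit plays in the
 * commit), then examine each piece on its own. */
int parse_log_split(const char *arg, TracePatterns *out)
{
    const char *p = arg;
    out->count = 0;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 6 && strncmp(p, "trace:", 6) == 0) {
            add_pattern(out, p + 6, len - 6);
        }
        /* other -d items (in_asm, exec, ...) would be matched here */
        p = comma ? comma + 1 : p + len;
    }
    return out->count;
}

/* Run one parser and return its i-th pattern, or NULL if there is none. */
const char *nth_pattern(int (*parser)(const char *, TracePatterns *),
                        const char *arg, int i)
{
    static TracePatterns tp;
    int n = parser(arg, &tp);
    return (i >= 0 && i < n) ? tp.pattern[i] : NULL;
}

int main(void)
{
    const char *arg = "trace:qio*,trace:qcrypto*";   /* constructed input */
    TracePatterns tp;
    int i, n;

    n = parse_log_naive(arg, &tp);
    for (i = 0; i < n; i++) {
        printf("naive : trace_enable_events(\"%s\")\n", tp.pattern[i]);
    }
    n = parse_log_split(arg, &tp);
    for (i = 0; i < n; i++) {
        printf("split : trace_enable_events(\"%s\")\n", tp.pattern[i]);
    }
    return 0;
}
```

The naive parser reproduces the two calls quoted in the message; the split parser yields "qio*" and "qcrypto*" and ignores non-trace items such as in_asm or exec.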
Lin Ma
71200fb966 qemu-char: avoid segfault if user lacks permission on a given logfile
Function qemu_chr_alloc returns NULL if it fails to open the logfile for any reason,
say no write permission. The tty, stdio and msmouse backends need to
check this return value to avoid a segfault in this case.

Signed-off-by: Lin Ma <lma@suse.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Message-Id: <20160914062250.22226-1-lma@suse.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 22:52:43 +02:00
Marc-André Lureau
0d8e065fc5 build-sys: add make 'help' target
Add a make 'help', to print a summary of the main Makefile targets.
The format is loosely inspired by Linux make 'help' output.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20160913142033.7705-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 22:52:43 +02:00
Wei Jiangang
b8da57fa15 linux-user: complete omission of removing uses of strdup
Commit 900cfbc removed two unchecked uses of strdup
in fill_psinfo and missed the rest in core_dump_filename.
This patch fixes it.

Signed-off-by: Wei Jiangang <weijg.fnst@cn.fujitsu.com>
Message-Id: <1459997185-15669-2-git-send-email-weijg.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Paolo Bonzini
7616f1c2da target-i386: fix ordering of fields in CPUX86State
Make sure reset zeroes TSC_AUX, XCR0, PKRU.  Move XSTATE_BV from the
"vmstate only" section to the "KVM only" section.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Wanpeng Li
bb93e09988 pc: apic: fix touch LAPIC when irqchip is split
Add -kernel_irqchip=split
./x86-run x86/eventinj.flat

qemu-system-x86_64 -enable-kvm -machine kernel_irqchip=split -cpu host
-device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc
none -serial stdio -device pci-testdev -kernel x86/eventinj.flat
enabling apic
paging enabled
cr0 = 80010011
cr3 = 7fff000
cr4 = 20
Sending vec 33 and 62 and mask one with TPR
irq1 running
irq1 running
After 33/62 TPR test
FAIL: TPR
irq0 running
irq0 running

Both irq1 and irq0 are executing twice.

kvm_entry: vcpu 0
kvm_exit: reason MSR_WRITE rip 0x401f33 info 0 0
kvm_apic: apic_write APIC_EOI = 0x0
kvm_eoi: apicid 0 vector 62
kvm_msr: msr_write 80b = 0x0
kvm_entry: vcpu 0
kvm_exit: reason PENDING_INTERRUPT rip 0x401f35 info 0 0
kvm_userspace_exit: reason KVM_EXIT_IRQ_WINDOW_OPEN (7)
kvm_inj_virq: irq 62
kvm_entry: vcpu 0
kvm_exit: reason IO_INSTRUCTION rip 0x4016ec info 3fd0008 0

From the trace we can see there is an interrupt window exit
after the first interrupt EOI (irq 62), and the same irq (62)
is injected a second time after the interrupt window.

QEMU does KVM_INTERRUPT(62) ioctl after KVM exits with
KVM_EXIT_IRQ_WINDOW_OPEN, which QEMU requested while the
guest was printing.  The printing calls

serial_update_irq() -> qemu_irq_lower() -> qemu_set_irq() ->
gsi_handler() -> qemu_set_irq() -> pic_irq_request() ->
apic_deliver_pic_intr() -> kvm_handle_interrupt()

kvm_handle_interrupt() does

	interrupt_request |= CPU_INTERRUPT_HARD

which later calls cpu_get_pic_interrupt() in kvm_arch_pre_run(),
but that function uses stale information from APIC and injects
62 again. If we synchronized the APIC, then the test would #GP,
because there would be no injectable interrupt in LAPIC or PIC,
so pic_read_irq() would return 15, thinking it was spurious.

This patch fixes it by not touching the LAPIC if the LAPIC is in the kernel.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
Cc: qemu-stable@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Message-Id: <1473832464-3478-1-git-send-email-wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Prasad J Pandit
d251157ac1 scsi: pvscsi: limit process IO loop to ring size
The VMware Paravirtual SCSI emulator, while processing IO requests,
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned a positive value. Limit the IO loop to the ring size.

Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Paolo Bonzini
58268c8d3d memory: remove memory_region_destructor_rom_device
It is equivalent to memory_region_destructor_ram, use that one.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Marc-André Lureau
883e4f7624 Change net/socket.c to use socket_*() functions
Use socket_*() functions from include/qemu/sockets.h instead of
listen()/bind()/connect()/parse_host_port(). socket_*() functions are
QAPI based and this patch performs this API conversion since
everything will be using QAPI based sockets in the future. Also add a
helper function socket_address_to_string() in util/qemu-sockets.c
which returns the string representation of a socket address. The task was
listed on the http://wiki.qemu.org/BiteSizedTasks page.

Signed-off-by: Ashijeet Acharya <ashijeetacharya@gmail.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
Richard Henderson
d9911d14e0 cutils: Rewrite x86 buffer zero checking
Handle alignment of buffers, so that the vector paths
can be used more often.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1473800239-13841-1-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:14 +02:00
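An added illustration of the alignment handling this commit describes, written as portable C rather than QEMU's x86 (SSE/AVX) implementation: bytewise head until the pointer is 8-byte aligned, a wide aligned body, bytewise tail. The function names, the 32-byte block width and the scratch-buffer helper are choices made for this example, not QEMU's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable, alignment-aware zero check (example code, not QEMU's).
 * The unaligned head and the short tail are checked bytewise; the
 * 8-byte aligned body is OR-accumulated 32 bytes at a time, the shape
 * a compiler (or a hand-written SSE/AVX path) can vectorise. */
bool buffer_is_zero_aligned(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    const uint8_t *end = p + len;
    uint64_t acc = 0;

    /* head: advance bytewise until p is 8-byte aligned */
    while (p < end && ((uintptr_t)p & 7) != 0) {
        if (*p++) {
            return false;
        }
    }
    /* body: four aligned 8-byte words per iteration */
    while ((size_t)(end - p) >= 32) {
        uint64_t w0, w1, w2, w3;
        memcpy(&w0, p, 8);
        memcpy(&w1, p + 8, 8);
        memcpy(&w2, p + 16, 8);
        memcpy(&w3, p + 24, 8);
        acc |= w0 | w1 | w2 | w3;
        if (acc) {
            return false;
        }
        p += 32;
    }
    /* tail: fewer than 32 bytes left */
    while (p < end) {
        if (*p++) {
            return false;
        }
    }
    return true;
}

/* Helper for the demo: check `len` bytes starting `misalign` bytes into
 * an 8-byte aligned scratch buffer, optionally poisoning one byte at
 * `poison_at` (relative to the checked region; -1 for none).
 * Returns 1 if the region is reported all-zero, 0 if not, -1 on bad args. */
int zero_check_at(size_t misalign, size_t len, long poison_at)
{
    static uint64_t storage[64];                /* 512 bytes, 8-byte aligned */
    uint8_t *base;

    if (misalign + len > sizeof storage) {
        return -1;
    }
    memset(storage, 0, sizeof storage);
    base = (uint8_t *)storage + misalign;
    if (poison_at >= 0 && (size_t)poison_at < len) {
        base[poison_at] = 0x5a;
    }
    return buffer_is_zero_aligned(base, len) ? 1 : 0;
}

int main(void)
{
    printf("aligned, all zero      : %d\n", zero_check_at(0, 256, -1));
    printf("misaligned, all zero   : %d\n", zero_check_at(3, 200, -1));
    printf("misaligned, head byte  : %d\n", zero_check_at(3, 200, 0));
    printf("misaligned, body byte  : %d\n", zero_check_at(3, 200, 100));
    printf("misaligned, tail byte  : %d\n", zero_check_at(3, 200, 199));
    printf("short (7 bytes), zero  : %d\n", zero_check_at(5, 7, -1));
    return 0;
}
```

With a 3-byte misalignment over 200 bytes the head is 5 bytes, the body covers 192 and the tail 3; the checks above poison one byte in each region to show all three paths reject non-zero data.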
Li Qiang
670e56d3ed scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing an IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, it could lead to an OOB write in the mptsas_free_request
function. Use g_new0 to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:13 +02:00
Fam Zheng
2a2d69f490 virtio-scsi: Don't abort when media is ejected
With an ejected block backend, blk_get_aio_context() would return
qemu_aio_context. In this case don't assert.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1473848224-24809-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:13 +02:00
Fam Zheng
cd723b8560 scsi-disk: Cleaning up around tray open state
Even if tray is not open, it can be empty (blk_is_inserted() == false).
Handle both cases correctly by replacing the s->tray_open checks with
blk_is_available(), which is an AND of the two.

Also simplify successive checks of them into blk_is_available(), in a
couple cases.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1473848224-24809-2-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-14 12:25:13 +02:00
Isaac Lozano
67f3ef0c7a usb-mtp: added object properties
Windows uses object properties to determine the size of a file, so to
add object properties, we must also add a minimum set of new commands
and object properties. Most object properties are data that we already
have, except for the unique persistent object identifier. Windows
doesn't use this property, it seems, so we can cheat a bit and just use
the object handle for it.

Signed-off-by: Isaac Lozano <109lozanoi@gmail.com>
Message-id: a741d0dd380cd7eb1695e1eb34ee6f341183f20a.1470477265.git.109lozanoi@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-09-14 11:17:06 +02:00
Isaac Lozano
8a5865f331 usb-mtp: fix sending files larger than 4gb
MTP requires that if a file is larger than 4GB, or if sending data larger
than 4GB, the length field be set to 0xFFFFFFFF.

Also widened a couple variables to prevent overflow errors.

Signed-off-by: Isaac Lozano <109lozanoi@gmail.com>
Message-id: 01ad8ec7775f58575801ac3f13716f553a16815e.1470477265.git.109lozanoi@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-09-14 11:17:06 +02:00
Richard Henderson
083d012a38 cutils: Add generic prefetch
There's no real knowledge of the cacheline size,
just prefetching one loop ahead.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-7-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:32 +02:00
Paolo Bonzini
86444f084b cutils: Add SSE4 version
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:32 +02:00
Richard Henderson
efad668245 cutils: Add test for buffer_is_zero
Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-6-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:32 +02:00
Richard Henderson
43ff5e01ec cutils: Remove ppc buffer zero checking
For ppc64le, gcc6 does extremely poorly with the Altivec code.
Moreover, on POWER7 and POWER8, a hand-optimized Altivec version
turns out to be no faster than the revised integer version, and
therefore not worth the effort.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:32 +02:00
Richard Henderson
2250d3a293 cutils: Remove aarch64 buffer zero checking
The revised integer version is 4 times faster than the neon version
on an AppliedMicro Mustang.  Even with hand scheduling and additional
unrolling I cannot make any neon version run as fast as the integer.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:31 +02:00
Richard Henderson
5e33a87222 cutils: Rearrange buffer_is_zero acceleration
Allow selection of several acceleration functions
based on the size and alignment of the buffer.
Do not require ifunc support for AVX2 acceleration.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-5-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:13:30 +02:00
Richard Henderson
a1febc4950 cutils: Export only buffer_is_zero
Since the two users don't make use of the returned offset,
beyond ensuring that the entire buffer is zero, consider the
can_use_buffer_find_nonzero_offset and buffer_find_nonzero_offset
functions internal.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-4-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:45 +02:00
Richard Henderson
8c70c1b0c7 cutils: Remove SPLAT macro
This is unused and complicates the vector interface.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-3-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:45 +02:00
Richard Henderson
88ca8e80de cutils: Move buffer_is_zero and subroutines to a new file
Signed-off-by: Richard Henderson <rth@twiddle.net>
Message-Id: <1472496380-19706-2-git-send-email-rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:45 +02:00
Paolo Bonzini
2286459d3a ppc: do not redefine CPUPPCState
Just include the file that is supposed to bring it in.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:44 +02:00
Dr. David Alan Gilbert
78d6a05d2f x86/lapic: Load LAPIC state at post_load
Load the LAPIC state during post_load (rather than when the CPU
starts).

This allows an interrupt to be delivered from the ioapic to
the lapic prior to CPU loading, in particular from the RTC that starts
ticking as soon as we load its state.

Fixes a case where Windows hangs after migration due to RTC interrupts
disappearing.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:44 +02:00
Paolo Bonzini
0342454f8a optionrom: do not rely on compiler's bswap optimization
Recent compilers can detect and inline manually-written bswap code,
but GCC 4.2.1 (the last GPLv2 version) cannot and generates really
awful code.  Depending on how the compiler is configured, it might
also not want to generate bswap because it was not in i386.  Using
asm is fine because TCG knows about bswap and all processors with
virtualization extensions also do.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:44 +02:00
Lluís Vilanova
0cebabd5e8 checkpatch: Fix whitespace checks for documentation code blocks
Prevent blank lines in documentation code blocks from being signalled as
incorrect trailing whitespace.

Code blocks in documentation are 4-column aligned, and blank lines in
them should have exactly 4 columns of trailing whitespace to prevent
QEMU's wiki from rendering them as separate code blocks.

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
Message-Id: <147325254382.22644.5531276787733455773.stgit@fimbulvetr.bsc.es>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
2016-09-13 19:09:44 +02:00
Pranith Kumar
89943de17c atomics: Use __atomic_*_n() variant primitives
Use the __atomic_*_n() primitives which take the value as argument. It
is not necessary to store the value locally before calling the
primitive, hence saving us a stack store and load.

Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Message-Id: <20160829171701.14025-1-bobby.prani@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:44 +02:00
Pranith Kumar
705ac1ca53 atomics: Remove redundant barrier()'s
Remove the redundant barrier() after the fence as agreed in previous
discussion here:
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg00489.html

Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Message-Id: <20160824204424.14041-3-bobby.prani@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:43 +02:00
Cao jin
c2cd627ddb kvm-all: drop kvm_setup_guest_memory
kvm_setup_guest_memory only does "madvise to QEMU_MADV_DONTFORK" and
is only called by ram_block_add, which actually is duplicate code.
Bonus: add simple comment for kvm_has_sync_mmu to make life easier.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Message-Id: <1473662096-32598-1-git-send-email-caoj.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:43 +02:00
Markus Armbruster
a952c18683 i8257: Make device "i8257" unavailable with -device
The ISA DMA controller needs to be wired up to the ISA bus by
isa_bus_dma() to actually work.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1472660151-19517-1-git-send-email-armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:43 +02:00
Paolo Bonzini
421cc3e7e8 Revert "megasas: remove useless check for cmd->frame"
This reverts commit 8cc46787b5.
It turns out that cmd->frame can be NULL and thus the commit
can cause a SIGSEGV

Reported-by: Holger Schranz <holger@fam-schranz.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:43 +02:00
Daniel P. Berrange
90f998f5f4 char: convert qemu_chr_fe_write to qemu_chr_fe_write_all
The mux chardev was not checking the return value of any
qemu_chr_fe_write() call so would silently lose data
on EAGAIN.

Similarly the qemu_chr_fe_printf method would not check
errors and was not in a position to retry even if it
could check.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473170165-540-5-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:43 +02:00
Daniel P. Berrange
6ab3fc32ea hw: replace most use of qemu_chr_fe_write with qemu_chr_fe_write_all
The qemu_chr_fe_write method will return -1 on EAGAIN if the
chardev backend write would block. Almost no callers of the
qemu_chr_fe_write() method check the return value, instead
blindly assuming data was successfully sent. In most cases
this will lead to silent data loss on interactive consoles,
but in some cases (eg RNG EGD) it'll just cause corruption
of the protocol being spoken.

We unfortunately can't fix the virtio-console code, due to
a bug in the Linux guest drivers, which would cause the
entire Linux kernel to hang if we delay processing of the
incoming data in any way. Fixing this requires first fixing
the guest driver to not hold spinlocks while writing to the
hvc device backend.

Fixes bug: https://bugs.launchpad.net/qemu/+bug/1586756

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473170165-540-4-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:42 +02:00
Daniel P. Berrange
7983e82933 sclpconsolelm: remove bogus check for -EAGAIN
The write_console_data() method in sclpconsole-lm.c checks
whether the return value of qemu_chr_fe_write() has the
value of -EAGAIN and if so then increments the buffer offset
by the value of EAGAIN. Fortunately qemu_chr_fe_write() will
never return EAGAIN directly, rather it returns -1 with
errno set to EAGAIN, so this broken code path was not
reachable. The behaviour on EAGAIN was still bad though,
causing write_console_data() to busy-wait, repeatedly
calling qemu_chr_fe_write() with no sleep between iterations.

Just remove all this loop logic and replace with a call
to qemu_chr_fe_write_all().

Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473170165-540-3-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:42 +02:00
Daniel P. Berrange
b72981b910 ipmi: check return of qemu_chr_fe_write() for errors
The continue_send() method in ipmi_bmc_extern.c directly
assigns the return value of qemu_chr_fe_write() to the
variable tracking the I/O buffer offset. This ignores the
possibility that the return value could be -1 and so will
cause I/O to go backwards on EAGAIN. Fortunately 'outpos' is
unsigned, so can't go negative - it will become MAX_INT
which will cause the loop to stop, and avoid an accidental
out of bounds array access.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473170165-540-2-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:42 +02:00
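An added example, not QEMU's code, of the failure the three chardev commits above describe (hw: replace qemu_chr_fe_write with qemu_chr_fe_write_all, sclpconsolelm, ipmi): a constructed non-blocking backend that returns -1 with errno EAGAIN, the pre-fix loop shape in which the result is folded into an unsigned offset, and a qemu_chr_fe_write_all()-style retry loop. The backend, its 3-byte-per-call limit and the message are inventions for this demo; QEMU's real helper waits for the backend to become writable instead of spinning.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a non-blocking chardev backend behind
 * qemu_chr_fe_write(): accepts at most 3 bytes per call and, on every
 * even-numbered call, returns -1 with errno = EAGAIN as a socket that
 * would block does.  Bytes accepted are captured in sink[]. */
#define SINK_MAX 64
static char sink[SINK_MAX];
static size_t sink_len;
static int call_no;

void backend_reset(void)
{
    memset(sink, 0, sizeof sink);
    sink_len = 0;
    call_no = 0;
}

const char *backend_sink(void) { return sink; }
size_t backend_sink_len(void) { return sink_len; }

static int backend_write(const uint8_t *buf, int len)
{
    int n;
    if ((call_no++ % 2) == 0) {
        errno = EAGAIN;             /* would block: caller must retry */
        return -1;
    }
    n = len < 3 ? len : 3;
    if (sink_len + (size_t)n > SINK_MAX) {
        n = (int)(SINK_MAX - sink_len);
    }
    memcpy(sink + sink_len, buf, (size_t)n);
    sink_len += (size_t)n;
    return n;
}

/* Pre-fix shape of ipmi's continue_send(): the backend's return value is
 * folded into an unsigned offset without checking for -1.  On EAGAIN the
 * offset wraps to UINT_MAX, the loop condition fails and the message is
 * silently dropped; only the wrap keeps msg[outpos] from being read. */
unsigned send_ignoring_errors(const uint8_t *msg, unsigned len)
{
    unsigned outpos = 0;
    while (outpos < len) {
        int ret = backend_write(msg + outpos, (int)(len - outpos));
        outpos += ret;              /* bug: ret == -1 wraps outpos */
    }
    return outpos;                  /* UINT_MAX after a failed write */
}

/* qemu_chr_fe_write_all()-style loop: retry on EAGAIN, give up on any
 * other error, return the bytes actually written.  QEMU's real helper
 * waits for the backend to become writable rather than spinning. */
int write_all(const uint8_t *buf, int len)
{
    int offset = 0;
    while (offset < len) {
        int ret = backend_write(buf + offset, len - offset);
        if (ret < 0) {
            if (errno == EAGAIN) {
                continue;
            }
            return offset > 0 ? offset : -1;
        }
        if (ret == 0) {
            break;                  /* backend closed */
        }
        offset += ret;
    }
    return offset;
}

int main(void)
{
    static const uint8_t msg[] = "IPMI-MSG";   /* constructed 8-byte message */
    unsigned pos;
    int ret;

    backend_reset();
    pos = send_ignoring_errors(msg, 8);
    printf("ignoring errors: outpos=%u, delivered=%zu bytes\n", pos, backend_sink_len());

    backend_reset();
    ret = write_all(msg, 8);
    printf("write_all      : ret=%d, delivered=%zu bytes (\"%s\")\n",
           ret, backend_sink_len(), backend_sink());
    return 0;
}
```

With the backend failing on the very first call, the pre-fix loop returns UINT_MAX and delivers nothing; the retry loop delivers all 8 bytes in three successful writes interleaved with three EAGAINs.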
Daniel P. Berrange
e270d00afa default-configs: remove CONFIG_PIIX_PCI
The CONFIG_PIIX_PCI=y setting was added in

  commit 70615c38de
  Author: Blue Swirl <blauwirbel@gmail.com>
  Date:   Mon Mar 22 20:18:40 2010 +0000

    Compile sound devices only once

but nothing in that commit, nor anything pre-existing,
ever referenced CONFIG_PIIX_PCI.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473096320-1638-4-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:42 +02:00
Daniel P. Berrange
dd32222b6e default-configs: removed obsolete CONFIG_ISA_MMIO
The use of the CONFIG_ISA_MMIO setting was removed in

  commit 61fcb62862
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   Mon Jul 22 15:54:24 2013 +0200

    isa_mmio: delete

but this commit only removed it from some of the default
config files.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473096320-1638-3-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:42 +02:00
Daniel P. Berrange
a3b6e2bb71 default-configs: remove CONFIG_PAM
The CONFIG_PAM=y setting was added in

  commit c0907c9e64
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   Tue Feb 5 15:06:20 2013 +0100

    hw: move PCI bridges to hw/pci-* or hw/ARCH

but nothing in that commit, nor anything pre-existing,
ever referenced CONFIG_PAM.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1473096320-1638-2-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:09:41 +02:00
Prasad J Pandit
49adc5d3f8 scsi: pvscsi: limit loop to fetch SG list
In the PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:

1) the request descriptor data length is defined to be 64 bit. While
building the SG list from a request descriptor, it gets truncated to 32 bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
for large 'dataLen' values, when data_length is cast to uint32_t and
chunk_size becomes always zero.  Fix this by removing the incorrect cast.

2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length.  Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:47 +02:00
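An added model of both bugs in this message (example code, not the pvscsi source): the 32-bit narrowing that makes chunk_size zero for a 4 GiB dataLen, and the zero-length element chain that is fetched without bound. SgElem, the circular sample chains, ITER_CAP and SG_ELEM_LIMIT are constructed for this example; the fixed version follows the two remedies the message describes.

```c
#include <stdint.h>
#include <stdio.h>

/* One guest-supplied scatter-gather element.  Constructed for this
 * example; the field name is not PVSCSI's.  Address bookkeeping is
 * omitted, only the length arithmetic that caused the bugs is kept. */
typedef struct {
    uint32_t length;
} SgElem;

#define ITER_CAP      1000000 /* safety valve so the buggy version terminates */
#define SG_ELEM_LIMIT 512     /* bound on fetched elements, in the spirit of fix 2 */

/* The SG chain lives in guest memory and is guest controlled, so the
 * sample list is treated as circular: the guest can always supply
 * "one more" element. */
static uint32_t fetch_elem_len(const SgElem *sg, size_t nsg, size_t idx)
{
    return sg[idx % nsg].length;
}

/* Pre-fix shape of pvscsi_convert_sglist().  Returns the number of chunks
 * that would be added to the DMA list, or -1 when ITER_CAP trips, which is
 * where the real code spun forever. */
long convert_sglist_buggy(uint64_t data_length, const SgElem *sg, size_t nsg)
{
    size_t idx = 0;
    uint32_t resid = 0;
    long chunks = 0, iters = 0;

    while (data_length) {
        while (!resid) {                       /* bug 2: unbounded fetches */
            if (++iters > ITER_CAP) {
                return -1;
            }
            resid = fetch_elem_len(sg, nsg, idx++);
        }
        if (++iters > ITER_CAP) {
            return -1;
        }
        /* bug 1: data_length narrowed to 32 bits, so 4 GiB becomes 0 */
        uint32_t chunk_size = (uint32_t)data_length < resid
                            ? (uint32_t)data_length : resid;
        if (chunk_size) {
            chunks++;
        }
        data_length -= chunk_size;             /* never shrinks when 0 */
        resid -= chunk_size;
    }
    return chunks;
}

/* Post-fix shape: compare in 64 bits and cap the number of elements.
 * Returns -2 when the element limit is hit. */
long convert_sglist_fixed(uint64_t data_length, const SgElem *sg, size_t nsg)
{
    size_t idx = 0, fetched = 0;
    uint32_t resid = 0;
    long chunks = 0;

    while (data_length) {
        while (!resid) {
            if (fetched++ >= SG_ELEM_LIMIT) {
                return -2;                     /* fix 2: refuse runaway chains */
            }
            resid = fetch_elem_len(sg, nsg, idx++);
        }
        uint64_t chunk_size = data_length < resid ? data_length : resid; /* fix 1 */
        chunks++;
        data_length -= chunk_size;
        resid -= (uint32_t)chunk_size;
    }
    return chunks;
}

/* Constructed sample chains. */
const SgElem sample_normal[] = { { 4096 }, { 4096 } };
const SgElem sample_big[]    = { { 0xFFFFFFFFu } };
const SgElem sample_empty[]  = { { 0 } };

int main(void)
{
    printf("8 KiB over 2 elems: buggy=%ld fixed=%ld\n",
           convert_sglist_buggy(8192, sample_normal, 2),
           convert_sglist_fixed(8192, sample_normal, 2));
    printf("4 GiB dataLen     : buggy=%ld fixed=%ld\n",
           convert_sglist_buggy(1ULL << 32, sample_big, 1),
           convert_sglist_fixed(1ULL << 32, sample_big, 1));
    printf("zero-length elems : buggy=%ld fixed=%ld\n",
           convert_sglist_buggy(4096, sample_empty, 1),
           convert_sglist_fixed(4096, sample_empty, 1));
    return 0;
}
```

For an ordinary 8 KiB request both versions agree; for a 4 GiB dataLen the buggy version spins until the safety valve trips while the fixed version completes in two chunks, and a chain of zero-length elements is cut off by the element limit instead of looping.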
Thomas Huth
a2feb3483e MAINTAINERS: Add some header files to the PC chipset section
These header files obviously belong to the PC chipset (since
their names match the other .c files in this section).

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1473111075-25311-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:47 +02:00
Thomas Huth
74460f3431 MAINTAINERS: Fix wildcard for scsi headers
get_maintainer.pl currently thinks that the scsi headers are
currently unmaintained. So let's fix the corresponding wildcard
expression.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1473106301-23102-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:47 +02:00
Lin Ma
517b3d4016 chardev: Add 'help' option to print all available chardev backend types
Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <20160816171352.17021-1-lma@suse.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:47 +02:00
Cao jin
173134467a doc/rcu: fix typo
Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com>
Message-Id: <1472696479-3619-1-git-send-email-caoj.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:47 +02:00
Eduardo Habkost
349cb2fbfd vmxcap: Add TSC scaling bit
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1472181025-10889-3-git-send-email-ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:46 +02:00
Eduardo Habkost
6a7b47a786 vmxcap: Show raw MSR value
This will be helpful to allow checking of bits that are not in
the 'bits' table yet.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1472181025-10889-2-git-send-email-ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:46 +02:00
Paolo Bonzini
65a8e1f641 scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack.  They were discovered by VictorV of 360 Marvel Team.

Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:46 +02:00
Prasad J Pandit
cf2bce203a scsi: mptconfig: fix an assert expression
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte.  However, the size is expressed in 32-bit
units, so up to 1020 bytes fit.  The assertion was only
allowing replies up to 252 bytes, so fix it.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:46 +02:00
Prasad J Pandit
7f61f4690d vmw_pvscsi: check page count while initialising descriptor rings
VMware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to an infinite loop or OOB access.
Add a check to avoid it.

Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-13 19:08:46 +02:00