Age | Commit message | Author
2015-04-01 | CVE-2015-1779: limit size of HTTP headers from websockets clients | Daniel P. Berrange
The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious client to trick QEMU into consuming an arbitrary amount of RAM. In practice, because QEMU runs g_strstr_len() across the buffered header data, it will spend increasingly long burning CPU time searching for the substring match and less & less time reading data. So while this does cause arbitrary memory growth, the bigger problem is that QEMU will be burning 100% of available CPU time. A novnc websockets client typically sends headers of around 512 bytes in length. As such it is reasonable to place a 4096 byte limit on the amount of data buffered while searching for the end of HTTP headers. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01 | CVE-2015-1779: incrementally decode websocket frames | Daniel P. Berrange
The logic for decoding websocket frames wants to fully decode the frame header and payload, before allowing the VNC server to see any of the payload data. There is no size limit on websocket payloads, so this allows a malicious network client to consume 2^64 bytes in memory in QEMU. It can trigger this denial of service before the VNC server even performs any authentication. The fix is to decode the header, and then incrementally decode the payload data as it is needed. With this fix the websocket decoder will allow at most 4k of data to be buffered before decoding and processing payload. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> [ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ] @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input, - *payload_size = input->offset; + *payload_size = *payload_remain; [ kraxel: fix 32bit build ] @@ -306,7 +306,7 @@ struct VncState - uint64_t ws_payload_remain; + size_t ws_payload_remain; Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
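Review bot: in the struct VncState hunk, narrowing ws_payload_remain from uint64_t to size_t makes the field 32 bits wide on a 32-bit build, while the commit message states that websocket payload lengths are not size-limited (up to 2^64 bytes). Nothing visible here shows a range check before the declared length is stored, so a length above SIZE_MAX could be truncated. Consider rejecting such frames when the header is decoded, or keeping the field as uint64_t and narrowing only at the point where it is compared against the buffer size.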
2015-04-01 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell
Fix for object_del of in-use memory, pvpanic regression, PPC regression and bogus error message with Oxygen theme. # gpg: Signature made Wed Apr 1 09:08:20 2015 BST using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: Revert "exec: Respect as_tranlsate_internal length clamp" rcu: do not create thread in pthread_atfork callback pc: acpi: fix pvpanic regression hostmem: Prevent removing an in-use memory backend qom: Add can_be_deleted callback to UserCreatableClass Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-04-01 | Revert "exec: Respect as_tranlsate_internal length clamp" | Paolo Bonzini
This reverts commit c3c1bb99d1c11978d9ce94d1bdcf0705378c1459. It causes problems with boards that declare memory regions shorter than the registers they contain. Reported-by: Zoltan Balaton <balaton@eik.bme.hu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-01 | rcu: do not create thread in pthread_atfork callback | Paolo Bonzini
If QEMU forks after the CPU threads have been created, qemu_mutex_lock_iothread will not be able to do qemu_cpu_kick_thread. There is no solution other than assuming that forks after the CPU threads have been created will end up in an exec. Forks before the CPU threads have been created (such as -daemonize) have to call rcu_after_fork manually. Notably, the oxygen theme for GTK+ forks and shows a "No such process" error without this patch. This patch can be reverted once the iothread loses the "kick the TCG thread" magic. User-mode emulation does not use the iothread, so it can also call rcu_after_fork. Reported by: Dr. David Alan Gilbert <dgilbert@redhat.com> Tested by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-01 | pc: acpi: fix pvpanic regression | Igor Mammedov
Commit cd61cb2 pc: acpi-build: generate pvpanic device description dynamically introduced regression changing pvpanic device HID from QEMU0001 to QEMU0002. Fix AML generated code so that pvpanic device would keep its original HID. i.e. QEMU0001 Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reported-by: Gal Hammer <ghammer@redhat.com> Message-Id: <1427717907-25027-1-git-send-email-imammedo@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-01 | hostmem: Prevent removing an in-use memory backend | Lin Ma
Showing a memory device whose memdev is removed leads to an assert:
(qemu) object_add memory-backend-ram,id=ram0,size=128M
(qemu) device_add pc-dimm,id=d0,memdev=ram0
(qemu) object_del ram0
(qemu) info memory-devices
** ERROR:qom/object.c:1274:object_get_canonical_path_component:\
assertion failed: (obj->parent != NULL)
Aborted
The patch prevents removing an in-use mem backend and errors out. Signed-off-by: Lin Ma <lma@suse.com> Message-Id: <1427704589-7688-3-git-send-email-lma@suse.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-01 | qom: Add can_be_deleted callback to UserCreatableClass | Lin Ma
If backends implement the can_be_deleted and it returns false, then the qmp_object_del won't delete the given backends. Signed-off-by: Lin Ma <lma@suse.com> Message-Id: <1427704589-7688-2-git-send-email-lma@suse.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-31 | Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging | Peter Maydell
QOM infrastructure fixes and device conversions * Fix for adding alias properties with [*] # gpg: Signature made Tue Mar 31 11:59:00 2015 BST using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/qom-devices-for-peter: qom: Fix object_property_add_alias() with [*] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-31 | qom: Fix object_property_add_alias() with [*] | Andreas Färber
Commit 8074264 (qom: Add description field in ObjectProperty struct) introduced property descriptions and copied them for alias properties. Instead of using the caller-supplied property name, use the returned property name for setting the description. This avoids an Error when setting a property description for a property with literal "[*]" that doesn't exist due to automatic property naming in object_property_add(). Reviewed-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: qemu-stable@nongnu.org (v2.2+) Signed-off-by: Andreas Färber <afaerber@suse.de>
2015-03-31 | Merge remote-tracking branch 'remotes/afaerber/tags/qtest-for-2.3' into staging | Peter Maydell
QTest cleanups * Change fw_cfg-test and i440fx-test GTester paths * Extend libqtest API as necessary # gpg: Signature made Mon Mar 30 18:29:39 2015 BST using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/qtest-for-2.3: i440fx-test: Fix test paths to include architecture qtest: Add qtest_add() wrapper macro qtest: Add qtest_add_data_func() wrapper function fw_cfg-test: Fix test path to include architecture Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-31 | Merge remote-tracking branch 'remotes/bkoppelmann/tags/pull-tricore-20150330' into staging | Peter Maydell
TriCore bugfixes # gpg: Signature made Mon Mar 30 12:40:50 2015 BST using RSA key ID 6B69CA14 # gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>" * remotes/bkoppelmann/tags/pull-tricore-20150330: target-tricore: fix CACHEA/I_POSTINC/PREINC using data register.. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-30 | Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150330' into staging | Peter Maydell
s390x fixes: - virtqueue index issues in virtio-ccw - cleanup and sign extension fix for the ipl device # gpg: Signature made Mon Mar 30 08:52:54 2015 BST using RSA key ID C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" * remotes/cohuck/tags/s390x-20150330: s390x/ipl: avoid sign extension s390x: do not include ram_addr.h virtio-ccw: range check in READ_VQ_CONF virtio-ccw: fix range check for SET_VQ Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-30 | i440fx-test: Fix test paths to include architecture | Andreas Färber
Replace g_test_add_func() with new qtest_add_func() and g_test_add() macro with qtest_add() macro. This effectively changes GTester paths: /i440fx/foo -> /x86_64/i440fx/foo etc. Cc: qemu-stable@nongnu.org Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2015-03-30 | qtest: Add qtest_add() wrapper macro | Andreas Färber
It extends g_test_add() macro with the architecture path. Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2015-03-30 | qtest: Add qtest_add_data_func() wrapper function | Andreas Färber
It calls g_test_add_data_func() with a path supplemented by the architecture, like qtest_add_func() does. Reviewed-by: John Snow <jsnow@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2015-03-30 | fw_cfg-test: Fix test path to include architecture | Andreas Färber
Use qtest_add_func() instead of g_test_add_func() to reflect the architecture tested, changing GTester paths as follows: /fw_cfg/foo -> /x86_64/fw_cfg/foo etc. Cc: qemu-stable@nongnu.org Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2015-03-30 | target-tricore: fix CACHEA/I_POSTINC/PREINC using data register.. | Bastian Koppelmann
..for address calculation instead address registers. Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
2015-03-30 | s390x/ipl: avoid sign extension | Cornelia Huck
Make s390_update_iplstate() return uint32_t to avoid sign extensions for cssids > 127. While this doesn't matter in practice yet (as nobody supports MCSS-E and thus won't see the real cssid), play safe. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Jason J. Herne <jjherne@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-03-30 | s390x: do not include ram_addr.h | Paolo Bonzini
ram_addr.h is an internal interface and it is not needed anyway by hw/s390x/ipl.c. Cc: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Thomas Huth <huth@tuxfamily.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-03-30 | virtio-ccw: range check in READ_VQ_CONF | Cornelia Huck
Processing for READ_VQ_CONF needs to check whether the requested queue value is actually in the supported range and post a channel program check if not. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-03-30 | virtio-ccw: fix range check for SET_VQ | Cornelia Huck
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be able to trigger a write beyond the VirtQueue structure. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-03-28 | Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging | Peter Maydell
# gpg: Signature made Fri Mar 27 22:19:31 2015 GMT using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/ide-pull-request: AHCI: Protect cmd register AHCI: Do not (re)map FB/CLB buffers while not running Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-27 | AHCI: Protect cmd register | John Snow
Many bits in the CMD register are supposed to be strictly read-only. We should not be deleting them on every write. As a side-effect: pay explicit attention to when a guest marks off the FIS Receive or Start bits, and disable the status bits ourselves, instead of letting them implicitly fall off. Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1426283454-15590-3-git-send-email-jsnow@redhat.com
2015-03-27 | AHCI: Do not (re)map FB/CLB buffers while not running | John Snow
The FIS Receive Buffer and Command List Buffer pointers should not be edited while the FIS receive engine or Command Receive engines are running. Currently, we attempt to re-map the buffers every time they are adjusted, but while the AHCI engines are off, these registers may contain stale values, so we should not attempt to re-map these values until the engines are reactivated. Reported-by: Jordan Hargrave <jharg93@gmail.com> Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1426283454-15590-2-git-send-email-jsnow@redhat.com
2015-03-27 | Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging | Peter Maydell
# gpg: Signature made Fri Mar 27 11:59:41 2015 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: hw/net/e1000: fix integer endianness Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-27 | Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging | Peter Maydell
# gpg: Signature made Fri Mar 27 10:13:35 2015 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/block-pull-request: block: Document blockdev-add's immaturity qemu-iotests: Test unaligned 4k zero write block: Fix unaligned zero write nvme: Fix unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-27 | hw/net/e1000: fix integer endianness | Shannon Zhao
It's detected by coverity. In is_vlan_packet s->mac_reg[VET] is unsigned int but is dereferenced as a narrower unsigned short. This may lead to unexpected results depending on machine endianness. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Message-id: 1426224119-8352-1-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-03-27 | block: Document blockdev-add's immaturity | Markus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1426858337-21423-1-git-send-email-armbru@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-03-27 | qemu-iotests: Test unaligned 4k zero write | Fam Zheng
Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1427160230-4489-3-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-03-27 | block: Fix unaligned zero write | Fam Zheng
If the zero write is not aligned, bdrv_co_do_pwritev will segfault because of accessing the NULL qiov passed in by bdrv_co_write_zeroes. Fix this by allocating a local qiov in bdrv_co_do_pwritev if the request is not aligned. (In this case the padding iovs are necessary anyway, so it doesn't hurt.) Also add a check at the end of bdrv_co_do_pwritev to clear the zero flag if padding is involved. Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1427160230-4489-2-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-03-27 | nvme: Fix unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) | Stefan Weil
The shift operation on nlb gives a 32 bit result if no type cast is applied. This bug was reported by Coverity. Signed-off-by: Stefan Weil <sw@weilnetz.de> Message-id: 1426348844-8793-1-git-send-email-sw@weilnetz.de Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-03-26 | Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150326-1' into staging | Peter Maydell
gtk: do not call gtk_widget_get_window if drawing area is not initialized # gpg: Signature made Thu Mar 26 16:59:55 2015 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-gtk-20150326-1: gtk: do not call gtk_widget_get_window if drawing area is not initialized Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell
Bugfixes and making SCSI adapters IOMMU-friendly. # gpg: Signature made Thu Mar 26 13:24:05 2015 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: virtio-scsi-dataplane: fix memory leak for VirtIOSCSIVring misc: fix typos in copyright declaration exec: avoid possible overwriting of mmaped area in qemu_ram_remap sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory mips: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory nbd: Fix up comment after commit e140177 vmw_pvscsi: use PCI DMA APIs megasas: use PCI DMA APIs cpus: Don't kick un-realized cpus. i6300esb: Fix signed integer overflow i6300esb: Correct endiannness fw_cfg: factor out initialization of FW_CFG_ID (rev. number) rcu tests: fix compilation on 32-bit ppc Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | seccomp: libseccomp version varying according to arch | Eduardo Otubo
Libseccomp dependency was mandating version 2.2.0 on all architectures and this was causing configure and virt-test to break on non-updated distros. This patch works around it and gives a more flexible way to check the version, giving more time for other distros to update libseccomp version. Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com> Reported-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Tested-by: Juan Quintela <quintela@redhat.com> Message-id: 1427385385-30571-1-git-send-email-eduardo.otubo@profitbricks.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | gtk: do not call gtk_widget_get_window if drawing area is not initialized | Hervé Poussineau
This prevents gtk_widget_get_window from returning a NULL pointer. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-26 | Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20150326' into staging | Peter Maydell
migration/next for 20150326 # gpg: Signature made Thu Mar 26 14:31:55 2015 GMT using RSA key ID 5872D723 # gpg: Can't check signature: public key not found * remotes/juanquintela/tags/migration/20150326: migration: remove last_sent_block from save_page_header rdma: Fix cleanup in error paths Avoid crashing on multiple -incoming Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | migration: remove last_sent_block from save_page_header | Juan Quintela
Compression code (still not on tree) wants to call this function from outside the migration thread, so we can't write to last_sent_block. Instead of reverting full patch: [PULL 07/11] save_block_hdr: we can recalculate Just revert the parts that touch last_sent_block. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2015-03-26 | rdma: Fix cleanup in error paths | Padmanabh Ratnakar
As part of commit e325b49a320b493cc5d69e263751ff716dc458fe, order in which resources are destroyed was changed for fixing a seg fault. Due to this change, CQ will never get destroyed as CQ should be destroyed after QP destruction. Seg fault is caused by improper cleanup when connection fails. Fixing cleanup after connection failure and order in which resources are destroyed in qemu_rdma_cleanup() routine. Signed-off-by: Meghana Cheripady <meghana.cheripady@emulex.com> Signed-off-by: Padmanabh Ratnakar <padmanabh.ratnakar@emulex.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-03-26 | Avoid crashing on multiple -incoming | Dr. David Alan Gilbert
Passing multiple -incoming options used to crash qemu (due to an invalid state transition incoming->incoming). Instead we now take the last -incoming option, e.g.: qemu-system-x86_64 -nographic -incoming tcp::4444 -incoming defer ends up doing the defer. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Amit Shah <amit.shah@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-03-26 | Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging | Peter Maydell
Patch queue for 2.3 ppc - 2015-03-25 Just a few bug fixes before 2.3 gets released: - pseries: Firmware update, bugfixes - remove POWER5+ v0.0 that we incorrectly introduced in 2.3 - Fix -machine usb=no - Fix -boot once=foo in pseries - Add NULL pointer check in pseries machine init # gpg: Signature made Wed Mar 25 21:53:20 2015 GMT using RSA key ID 03FEDC60 # gpg: Good signature from "Alexander Graf <agraf@suse.de>" # gpg: aka "Alexander Graf <alex@csgraf.de>" * remotes/agraf/tags/signed-ppc-for-upstream: powerpc: fix -machine usb=no for newworld and pseries machines PPC: pseries: Implement boot once=foo target-ppc: Remove POWER5+ v0.0 that never existed spapr: Add missing checks for NULL pointers and report failures pseries: Update SLOF firmware image to qemu-slof-20150313 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | virtio-scsi-dataplane: fix memory leak for VirtIOSCSIVring | Ting Wang
VirtIOSCSIVring, which is allocated in virtio_scsi_vring_init, should be freed when dataplane has been stopped or failed to start. Signed-off-by: Ting Wang <kathy.wangting@huawei.com> Message-Id: <1427355752-25844-1-git-send-email-kathy.wangting@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-26 | misc: fix typos in copyright declaration | Gonglei
Add a space after comma. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Message-Id: <1427374663-10168-1-git-send-email-arei.gonglei@huawei.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-26 | Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging | Peter Maydell
pc, virtio bugfixes for 2.3 Several bugfixes, nothing stands out especially. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Wed Mar 25 12:42:10 2015 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: virtio-net: validate backend queue numbers against bus limitation virtio-serial: fix virtio config size acpi: Add missing GCC_FMT_ATTR to local function Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20150325' into staging | Peter Maydell
seccomp branch queue # gpg: Signature made Wed Mar 25 10:09:29 2015 GMT using RSA key ID 12F8BD2F # gpg: Can't check signature: public key not found * remotes/otubo/tags/pull-seccomp-20150325: seccomp: update libseccomp version and remove arch restriction Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-26 | exec: avoid possible overwriting of mmaped area in qemu_ram_remap | Paolo Bonzini
It is not necessary to munmap an area before remapping it with MAP_FIXED; if the memory region specified by addr and len overlaps pages of any existing mapping, then the overlapped part of the existing mapping will be discarded. On the other hand, if QEMU does munmap the pages, there is a small probability that another mmap sneaks in and catches the just-freed portion of the address space. In effect, munmap followed by mmap(MAP_FIXED) is a use-after-free error, and Coverity flags it as such. Fix it. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-25 | powerpc: fix -machine usb=no for newworld and pseries machines | Paolo Bonzini
Capture the explicit setting of "usb=no" into a separate bool, and use it to skip the update of machine->usb in the board init function. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-03-25 | PPC: pseries: Implement boot once=foo | Alexander Graf
On sPAPR we haven't supported boot once ever since it emerged, but recently grew need for it. This patch implements boot once logic to it. While at it, we also move to the new bootdevice handling that got introduced to the tree recently. Reported-by: Dinar Valeev <dvaleev@suse.de> Signed-off-by: Alexander Graf <agraf@suse.de>
2015-03-25 | target-ppc: Remove POWER5+ v0.0 that never existed | Alexey Kardashevskiy
IBM uses low 16bits to specify the chip version of a POWER CPU. So there has never been an actual silicon with PVR = 0x003B0000. The first silicon would have PVR 0x003B0100 but it is very unlikely to find it in any machine shipped to any customer as it was too raw. This removes CPU_POWERPC_POWER5P_v00 definition and changes POWER5+ and POWERgs aliases (which are synonyms) to point to POWER5+_v2.1 which can still be found in real machines. Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Andreas Färber <afaerber@suse.de> [agraf: fix commit message] Signed-off-by: Alexander Graf <agraf@suse.de>
2015-03-25 | spapr: Add missing checks for NULL pointers and report failures | Stefan Weil
This fixes potential runtime crashes and two warnings from Coverity. The new error message does not add a prefix "qemu:" because that is already done in function hw_error. It also starts with an uppercase letter because that seems to be the mostly used form. Signed-off-by: Stefan Weil <sw@weilnetz.de> [agraf: fix typo] Signed-off-by: Alexander Graf <agraf@suse.de>