aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-12-04Update version for v2.2.0-rc5 releasev2.2.0-rc5Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-04Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/pull-cve-2014-8106-20141204-1' into staging cirrus: fix blit region check # gpg: Signature made Thu 04 Dec 2014 11:54:57 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-cve-2014-8106-20141204-1: cirrus: don't overflow CirrusVGAState->cirrus_bltbuf cirrus: fix blit region check Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-01Update version for v2.2.0-rc4 releasev2.2.0-rc4Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-01vhost: Fix vhostfd leak in error branchGonglei
Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1417166789-1960-1-git-send-email-arei.gonglei@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-01cirrus: don't overflow CirrusVGAState->cirrus_bltbufGerd Hoffmann
This is CVE-2014-8106. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-01cirrus: fix blit region checkGerd Hoffmann
Issues: * Doesn't check pitches correctly in case it is negative. * Doesn't check width at all. Turn macro into functions while being at it, also factor out the check for one region which we then can simply call twice for src + dst. This is CVE-2014-8106. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-28Fix for crash after migration in virtio-rng on bi-endian targetsDavid Gibson
VirtIO devices now remember which endianness they're operating in in order to support targets which may have guests of either endianness, such as powerpc. This endianness state is transferred in a subsection of the virtio device's information. With virtio-rng this can lead to an abort after a loadvm hitting the assert() in virtio_is_big_endian(). This can be reproduced by doing a migrate and load from file on a bi-endian target with a virtio-rng device. The actual guest state isn't particularly important to triggering this. The cause is that virtio_rng_load_device() calls virtio_rng_process() which accesses the ring and thus needs the endianness. However, virtio_rng_process() is called via virtio_load() before it loads the subsections. Essentially the ->load callback in VirtioDeviceClass should only be used for actually reading the device state from the stream, not for post-load re-initialization. This patch fixes the bug by moving the virtio_rng_process() after the call to virtio_load(). Better yet would be to convert virtio to use vmsd and have the virtio_rng_process() as a post_load callback, but that's a bigger project for another day. This is bugfix, and should be considered for the 2.2 branch. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Message-id: 1417067290-20715-1-git-send-email-david@gibson.dropbear.id.au Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-28virtio-net: fix unmap leakJason Wang
virtio_net_handle_ctrl() and other functions that process control vq request call iov_discard_front() which will shorten the iov. This will lead unmapping in virtqueue_push() leaks mapping. Fixes this by keeping the original iov untouched and using a temp variable in those functions. Cc: Wen Congyang <wency@cn.fujitsu.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1417082643-23907-1-git-send-email-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-27hmp: fix regression of HMP device_del auto-completionMarcel Apfelbaum
The commits: - 6a1fa9f5 (monitor: add del completion for peripheral device) - 66e56b13 (qdev: add qdev_build_hotpluggable_device_list helper) cause a QEMU crash when trying to use HMP device_del auto-completion. It can be easily reproduced by: <qemu-bin> -enable-kvm ~/images/fedora.qcow2 -monitor stdio -device virtio-net-pci,id=vnet (qemu) device_del /home/mapfelba/git/upstream/qemu/hw/core/qdev.c:941:qdev_build_hotpluggable_device_list: Object 0x7f6ce04e4fe0 is not an instance of type device Aborted (core dumped) The root cause is qdev_build_hotpluggable_device_list going recursively over all peripherals and their children assuming all are devices. It doesn't work since PCI devices have at least on child which is a memory region (bus master). Solved by observing that all devices appear as direct children of /machine/peripheral container. No need of going recursively over all the children. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Reported-by: Gal Hammer <ghammer@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 1417002601-20799-1-git-send-email-marcel.a@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-27qemu-timer: Avoid overflows when converting timeout to struct timespecPeter Maydell
In qemu_poll_ns(), when we convert an int64_t nanosecond timeout into a struct timespec, we may accidentally run into overflow problems if the timeout is very long. This happens because the tv_sec field is a time_t, which is signed, so we might end up setting it to a negative value by mistake. This will result in what was intended to be a near-infinite timeout turning into an instantaneous timeout, and we'll busy loop. Cap the maximum timeout at INT32_MAX seconds (about 68 years) to avoid this problem. This specifically manifested on ARM hosts as an extreme slowdown on guest shutdown (when the guest reprogrammed the PL031 RTC to not generate alarms using a very long timeout) but could happen on other hosts and guests too. Reported-by: Christoffer Dall <christoffer.dall@linaro.org> Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Fam Zheng <famz@redhat.com> Message-id: 1416939705-1272-1-git-send-email-peter.maydell@linaro.org
2014-11-26Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
The final 2.2 patches from me. # gpg: Signature made Wed 26 Nov 2014 11:12:25 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: s390x/kvm: Fix compile error fw_cfg: fix boot order bug when dynamically modified via QOM -machine vmport=auto: Fix handling of VMWare ioport emulation for xen Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-26s390x/kvm: Fix compile errorChristian Borntraeger
commit a2b257d6212a "memory: expose alignment used for allocating RAM as MemoryRegion API" triggered a compile error on KVM/s390x. Fix the prototype and the implementation of legacy_s390_alloc. Cc: Igor Mammedov <imammedo@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-26fw_cfg: fix boot order bug when dynamically modified via QOMGonglei
When we dynamically modify boot order, the length of boot order will be changed, but we don't update s->files->f[i].size with new length. This casuse seabios read a wrong vale of qemu cfg file about bootorder. Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-26-machine vmport=auto: Fix handling of VMWare ioport emulation for xenDon Slutz
c/s 9b23cfb76b3a5e9eb5cc899eaf2f46bc46d33ba4 or c/s b154537ad07598377ebf98252fb7d2aff127983b moved the testing of xen_enabled() from pc_init1() to pc_machine_initfn(). xen_enabled() does not return the correct value in pc_machine_initfn(). Changed vmport from a bool to an enum. Added the value "auto" to do the old way. Move check of xen_enabled() back to pc_init1(). Acked-by: Eric Blake <eblake@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Don Slutz <dslutz@verizon.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-25Update version for v2.2.0-rc3 releasev2.2.0-rc3Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-25input: move input-send-event into experimental namespaceGerd Hoffmann
Ongoing discussions on how we are going to specify the console, so tag the command as experiental so we can refine things in the 2.3 development cycle. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1416923657-10614-1-git-send-email-armbru@redhat.com [Spell out "not a stable API", and x- the QAPI schema, too] Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Amos Kong <akong@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pc, pci, misc bugfixes A bunch of bugfixes for 2.2. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Mon 24 Nov 2014 18:59:47 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: pc: acpi: mark all possible CPUs as enabled in SRAT pcie: fix improper use of negative value pcie: fix typo in pcie_cap_deverr_init() target-i386: move generic memory hotplug methods to DSDTs acpi-build: mark RAM dirty on table update hw/pci: fix crash on shpc error flow pc: count in 1Gb hugepage alignment when sizing hotplug-memory container pc: explicitly check maxmem limit when adding DIMM pc: pc-dimm: use backend alignment during address auto allocation pc: align DIMM's address/size by backend's alignment value memory: expose alignment used for allocating RAM as MemoryRegion API pc: limit DIMM address and size to page aligned values pc: make pc_dimm_plug() more readble pc: kvm: check if KVM has free memory slots to avoid abort() qemu-char: fix tcp_get_fds Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24pc: acpi: mark all possible CPUs as enabled in SRATIgor Mammedov
If QEMU is started with -numa ... Windows only notices that CPU has been hot-added but it will not online such CPUs. It's caused by the fact that possible CPUs are flagged as not enabled in SRAT and Windows honoring that information doesn't use corresponding CPU. ACPI 5.0 Spec regarding to flag says: " Table 5-47 Local APIC Flags ... Enabled: if zero, this processor is unusable, and the operating system support will not attempt to use it. " Fix QEMU to adhere to spec and mark possible CPUs as enabled in SRAT. With that Windows onlines hot-added CPUs as expected. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24pcie: fix improper use of negative valueGonglei
Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24pcie: fix typo in pcie_cap_deverr_init()Gonglei
Reported-by: https://bugs.launchpad.net/qemu/+bug/1393440 Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24target-i386: move generic memory hotplug methods to DSDTsPaolo Bonzini
This makes it simpler to keep the SSDT byte-for-byte identical for a given machine type, which is a goal we want to have for 2.2 and newer types. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24acpi-build: mark RAM dirty on table updateMichael S. Tsirkin
acpi build modifies internal FW CFG RAM on first access but we forgot to mark it dirty. If this RAM has been migrated already, it won't be migrated again, returning corrupted tables to guest. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24hw/pci: fix crash on shpc error flowMarcel Apfelbaum
If the pci bridge enters in error flow as part of init process it will only delete the shpc mmio subregion but not remove it from the properties list, resulting in segmentation fault when the bridge runs the exit function. Example: add a pci bridge without specifing the chassis number: <qemu-bin> ... -device pci-bridge,id=p1 Result: (qemu) qemu-system-x86_64: -device pci-bridge,id=p1: Bridge chassis not specified. Each bridge is required to be assigned a unique chassis id > 0. qemu-system-x86_64: -device pci-bridge,id=p1: Device initialization failed. Segmentation fault (core dumped) if (child->class->unparent) { #0 0x00005555558d629b in object_finalize_child_property (obj=0x555556d2e830, name=0x555556d30630 "shpc-mmio[0]", opaque=0x555556a42fc8) at qom/object.c:1078 #1 0x00005555558d4b1f in object_property_del_all (obj=0x555556d2e830) at qom/object.c:367 #2 0x00005555558d4ca1 in object_finalize (data=0x555556d2e830) at qom/object.c:412 #3 0x00005555558d55a1 in object_unref (obj=0x555556d2e830) at qom/object.c:720 #4 0x000055555572c907 in qdev_device_add (opts=0x5555563544f0) at qdev-monitor.c:566 #5 0x0000555555744f16 in device_init_func (opts=0x5555563544f0, opaque=0x0) at vl.c:2213 #6 0x00005555559cf5f0 in qemu_opts_foreach (list=0x555555e0f8e0 <qemu_device_opts>, func=0x555555744efa <device_init_func>, opaque=0x0, abort_on_failure=1) at util/qemu-option.c:1057 #7 0x000055555574a11b in main (argc=16, argv=0x7fffffffdde8, envp=0x7fffffffde70) at vl.c:423 Unparent the shpc mmio region as part of shpc cleanup. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Amos Kong <akong@redhat.com>
2014-11-24pc: count in 1Gb hugepage alignment when sizing hotplug-memory containerIgor Mammedov
if DIMMs with different size/alignment are interleaved in creation order, it could lead to hotplug-memory container fragmentation and following inability to use all RAM upto maxmem. For example: -m 4G,slots=3,maxmem=7G -object memory-backend-file,id=mem-1,size=256M,mem-path=/pagesize-2MB -device pc-dimm,id=mem1,memdev=mem-1 -object memory-backend-file,id=mem-2,size=1G,mem-path=/pagesize-1GB -device pc-dimm,id=mem2,memdev=mem-2 -object memory-backend-file,id=mem-3,size=256M,mem-path=/pagesize-2MB -device pc-dimm,id=mem3,memdev=mem-3 fragments hotplug-memory container and doesn't allow to use 1GB hugepage backend to consume remainig 1Gb. To ease managment factor count in max 1Gb alignment for each memory slot when sizing hotplug-memory region so that regadless of fragmentaion it would be possible to add max aligned DIMM. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24pc: explicitly check maxmem limit when adding DIMMIgor Mammedov
Currently maxmem limit is not checked and depends on hotplug region container not being able to fit more RAM than maxmem. Do check explicitly so that it would be possible to change hotplug container size later to deal with fragmentation. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-24Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell
Block patches for 2.2.0-rc3 # gpg: Signature made Mon 24 Nov 2014 12:52:23 GMT using RSA key ID C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" * remotes/kevin/tags/for-upstream: Revert "qemu-img info: show nocow info" Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
Three patches to fix ExtINT for the QEMU implementation of the local APIC. # gpg: Signature made Mon 24 Nov 2014 13:38:36 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: apic: fix incorrect handling of ExtINT interrupts wrt processor priority apic: fix loss of IPI due to masked ExtINT apic: avoid getting out of halted state on masked PIC interrupts Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-24apic: fix incorrect handling of ExtINT interrupts wrt processor priorityPaolo Bonzini
This fixes another failure with ExtINT, demonstrated by QNX. The failure mode is as follows: - IPI sent to cpu 0 (bit set in APIC irr) - IPI accepted by cpu 0 (bit cleared in irr, set in isr) - IPI sent to cpu 0 (bit set in both irr and isr) - PIC interrupt sent to cpu 0 The PIC interrupt causes CPU_INTERRUPT_HARD to be set, but apic_irq_pending observes that the highest pending APIC interrupt priority (the IPI) is the same as the processor priority (since the IPI is still being handled), so apic_get_interrupt returns a spurious interrupt rather than the pending PIC interrupt. The result is an endless sequence of spurious interrupts, since nothing will clear CPU_INTERRUPT_HARD. Instead, ExtINT interrupts should have ignored the processor priority. Calling apic_check_pic early in apic_get_interrupt ensures that apic_deliver_pic_intr is called instead of delivering the spurious interrupt. apic_deliver_pic_intr then clears CPU_INTERRUPT_HARD if needed. Reported-by: Richard Bilson <rbilson@qnx.com> Tested-by: Richard Bilson <rbilson@qnx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24apic: fix loss of IPI due to masked ExtINTPaolo Bonzini
This patch fixes an obscure failure of the QNX kernel on QEMU x86 SMP. In QNX, all hardware interrupts come via the PIC, and are delivered by the cpu 0 LAPIC in ExtINT mode, while IPIs are delivered by the LAPIC in fixed mode. This bug happens as follows: - cpu 0 masks a particular PIC interrupt - IPI sent to cpu 0 (CPU_INTERRUPT_HARD is set) - before the IPI is accepted, the masked interrupt line is asserted by the device Since the interrupt is masked, apic_deliver_pic_intr will clear CPU_INTERRUPT_HARD. The IPI will still be set in the APIC irr, but since CPU_INTERRUPT_HARD is not set the cpu will not notice. Depending on the scenario this can cause a system hang, i.e. if cpu 0 is expected to unmask the interrupt. In order to fix this, do a full check of the APIC before an EXTINT is acknowledged. This can result in clearing CPU_INTERRUPT_HARD, but can also result in delivering the lost IPI. Reported-by: Richard Bilson <rbilson@qnx.com> Tested-by: Richard Bilson <rbilson@qnx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24apic: avoid getting out of halted state on masked PIC interruptsPaolo Bonzini
After the next patch, if a masked PIC interrupts causes CPU_INTERRUPT_POLL to be set, the CPU will spuriously get out of halted state. While this is technically valid, we should avoid that. Make CPU_INTERRUPT_POLL run apic_update_irq in the right thread and then look at CPU_INTERRUPT_HARD. If CPU_INTERRUPT_HARD does not get set, do not report the CPU as having work. Also move the handling of software-disabled APIC from apic_update_irq to apic_irq_pending, and always trigger CPU_INTERRUPT_POLL. This will be important once we will add a case that resets CPU_INTERRUPT_HARD from apic_update_irq. We want to run it even if we go through CPU_INTERRUPT_POLL, and even if the local APIC is software disabled. Reported-by: Richard Bilson <rbilson@qnx.com> Tested-by: Richard Bilson <rbilson@qnx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-11-24Revert "qemu-img info: show nocow info"Kevin Wolf
This reverts commit 000c4dfff4d7686e2fba3066a477a1290ed60622. The main reason for reverting this commit before the 2.2 release is that it adds a QAPI interface that we don't want to keep: The 'nocow' flag doesn't generally make sense for block nodes, but only for the raw-posix driver. It should therefore be part of ImageInfoSpecific rather than ImageInfo. The commit contains more problems, but unlike the API stability issue they wouldn't justify reverting it. Conflicts: block/qapi.c Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-23pc: pc-dimm: use backend alignment during address auto allocationIgor Mammedov
Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23pc: align DIMM's address/size by backend's alignment valueIgor Mammedov
Performance wise it's better to align GVA by the backend's page size. Also do not allow to create DIMM device with suboptimal size (i.e. not aligned to backends page size) to aviod memory loss. Do above only for 2.2 and newer machine types to avoid breaking working configs with 2.1 machine type. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23memory: expose alignment used for allocating RAM as MemoryRegion APIIgor Mammedov
introduce memory_region_get_alignment() that returns underlying memory block alignment or 0 if it's not relevant/implemented for backend. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23pc: limit DIMM address and size to page aligned valuesIgor Mammedov
When running in KVM mode, kvm_set_phys_mem() will silently fail if registered MemoryRegion address/size is not page aligned. Causing memory hotplug failure in guest. Mapping non aligned MemoryRegion in TCG mode 'works', but sane guest OS still expects page aligned memory module and fails to initialize it if it's not aligned. So do not allow non aligned (i.e. valid) address/size values for DIMM to avoid either KVM failure or guest issues caused by it. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23pc: make pc_dimm_plug() more readbleIgor Mammedov
split addr initialization from declaration so that later when new local vars are added property getter wouldn't drift off of error check. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23pc: kvm: check if KVM has free memory slots to avoid abort()Igor Mammedov
When more memory devices are used than available KVM memory slots, QEMU crashes with: kvm_alloc_slot: no free slot available Aborted (core dumped) Fix this by checking that KVM has a free slot before attempting to map memory in guest address space. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-23qemu-char: fix tcp_get_fdsMichael S. Tsirkin
tcp_get_fds API discards fds if there's more than 1 of these. It's tricky to fix this without API changes in the generic case. However, this API is only used by tests ATM, and tests know how many fds they expect. So let's not waste cycles trying to fix this properly: simply assume at most 16 fds (tests use at most 8 now). assert if some test tries to get more. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-11-21Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Fri 21 Nov 2014 11:12:37 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: rtl8139: fix Pointer to local outside scope pcnet: fix Negative array index read net/socket: fix Uninitialized scalar variable net/slirp: fix memory leak Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-21Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20141121-1' into ↵Peter Maydell
staging gtk: two bugfixes for 2.2. # gpg: Signature made Fri 21 Nov 2014 07:38:45 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-gtk-20141121-1: gtk: Don't crash if -nodefaults gtk: fix possible memory leak about local_err Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-21rtl8139: fix Pointer to local outside scopeGonglei
Coverity spot: Assigning: iov = struct iovec [3]({{buf, 12UL}, {(void *)dot1q_buf, 4UL}, {buf + 12, size - 12}}) (address of temporary variable of type struct iovec [3]). out_of_scope: Temporary variable of type struct iovec [3] goes out of scope. Pointer to local outside scope (RETURN_LOCAL) use_invalid: Using iov, which points to an out-of-scope temporary variable of type struct iovec [3]. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21pcnet: fix Negative array index readGonglei
s->xmit_pos maybe assigned to a negative value (-1), but in this branch variable s->xmit_pos as an index to array s->buffer. Let's add a check for s->xmit_pos. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21net/socket: fix Uninitialized scalar variableGonglei
If is_connected parameter is false, the saddr variable will no initialize. Coverity report: uninit_use: Using uninitialized value saddr.sin_port. We don't need add saddr information to nc->info_str when is_connected is false. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21net/slirp: fix memory leakGonglei
commit b412eb61 introduce 'cmd:' target for guestfwd, and fwd don't be used in this scenario, and will leak memory in true branch with 'cmd:'. Let's allocate memory for fwd variable just in else statement. Cc: Alexander Graf <agraf@suse.de> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21gtk: Don't crash if -nodefaultsFam Zheng
This fixes a crash by just skipping the vte resize hack if cur is NULL. Reproducer: qemu-system-x86_64 -nodefaults Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-11-21gtk: fix possible memory leak about local_errzhanghailiang
local_err in gd_vc_gfx_init() is not freed, and we don't use it, so remove it. Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-11-20hw/arm/virt: set stdout-path instead of linux,stdout-pathLeif Lindholm
ePAPR 1.1 defines the stdout-path property, making the os-specific linux,stdout-path property redundant. Change the DT setup for ARM virt to use the generic property - supported by Linux since 3.15. The old QEMU behaviour was not present in any released version of QEMU, and was only added to QEMU after the kernel changed, so this should not break any existing setups. Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org> [PMM: add note to commit about the old behaviour never hving been in a released version of QEMU] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-20Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' ↵Peter Maydell
into staging Patch queue for ppc - 2014-11-20 Hopefully the last few fixups for 2.2: - KVM memory slot fix (should usually only occur on PPC) - e300 fix - Altivec mtvscr instruction fix # gpg: Signature made Thu 20 Nov 2014 13:53:34 GMT using RSA key ID 03FEDC60 # gpg: Good signature from "Alexander Graf <agraf@suse.de>" # gpg: aka "Alexander Graf <alex@csgraf.de>" * remotes/agraf/tags/signed-ppc-for-upstream: target-ppc: Altivec's mtvscr Decodes Wrong Register kvm: Fix memory slot page alignment logic target-ppc: Fix breakpoint registers for e300 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-11-20target-ppc: Altivec's mtvscr Decodes Wrong RegisterTom Musta
The Move to Vector Status and Control Register (mtvscr) instruction uses VRB as the source register. Fix the code generator to correctly decode the VRB field. That is, use "rB(ctx->opcode)" instead of "rD(ctx->opcode)". Signed-off-by: Tom Musta <tommusta@gmail.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2014-11-20kvm: Fix memory slot page alignment logicAlexander Graf
Memory slots have to be page aligned to get entered into KVM. There is existing logic that tries to ensure that we pad memory slots that are not page aligned to the biggest region that would still fit in the alignment requirements. Unfortunately, that logic is broken. It tries to calculate the start offset based on the region size. Fix up the logic to do the thing it was intended to do and document it properly in the comment above it. With this patch applied, I can successfully run an e500 guest with more than 3GB RAM (at which point RAM starts overlapping subpage memory regions). Cc: qemu-stable@nongnu.org Signed-off-by: Alexander Graf <agraf@suse.de>