aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2016-08-309pfs: handle walk of ".." in the root directoryGreg Kurz
The 9P spec at http://man.cat-v.org/plan_9/5/intro says: All directories must support walks to the directory .. (dot-dot) meaning parent directory, although by convention directories contain no explicit entry for .. or . (dot). The parent of the root directory of a server's tree is itself. This means that a client cannot walk further than the root directory exported by the server. In other words, if the client wants to walk "/.." or "/foo/../..", the server should answer like the request was to walk "/". This patch just does that: - we cache the QID of the root directory at attach time - during the walk we compare the QID of each path component with the root QID to detect if we're in a "/.." situation - if so, we skip the current component and go to the next one Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-309pfs: forbid . and .. in file namesGreg Kurz
According to the 9P spec http://man.cat-v.org/plan_9/5/open about the create request: The names . and .. are special; it is illegal to create files with these names. This patch causes the create and lcreate requests to fail with EINVAL if the file name is either "." or "..". Even if it isn't explicitly written in the spec, this patch extends the checking to all requests that may cause a directory entry to be created: - mknod - rename - renameat - mkdir - link - symlink The unlinkat request also gets patched for consistency (even if rmdir("foo/..") is expected to fail according to POSIX.1-2001). The various error values come from the linux manual pages. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-309pfs: forbid illegal path namesGreg Kurz
Empty path components don't make sense for most commands and may cause undefined behavior, depending on the backend. Also, the walk request described in the 9P spec [1] clearly shows that the client is supposed to send individual path components: the official linux client never sends portions of path containing the / character for example. Moreover, the 9P spec [2] also states that a system can decide to restrict the set of supported characters used in path components, with an explicit mention "to remove slashes from name components". This patch introduces a new name_is_illegal() helper that checks the names sent by the client are not empty and don't contain unwanted chars. Since 9pfs is only supported on linux hosts, only the / character is checked at the moment. When support for other hosts (AKA. win32) is added, other chars may need to be blacklisted as well. If a client sends an illegal path component, the request will fail and ENOENT is returned to the client. [1] http://man.cat-v.org/plan_9/5/walk [2] http://man.cat-v.org/plan_9/5/intro Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-24Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
virtio: fixes some bugfixes for virtio balloon is still broken wrt migration Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Tue 23 Aug 2016 17:33:11 BST # gpg: using RSA key 0x281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: virtio: decrement vq->inuse in virtqueue_discard() virtio: recalculate vq->inuse after migration Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-23virtio: decrement vq->inuse in virtqueue_discard()Stefan Hajnoczi
virtqueue_discard() moves vq->last_avail_idx back so the element can be popped again. It's necessary to decrement vq->inuse to avoid "leaking" the element count. Cc: qemu-stable@nongnu.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-23virtio: recalculate vq->inuse after migrationStefan Hajnoczi
The vq->inuse field is not migrated. Many devices don't hold VirtQueueElements across migration so it doesn't matter that vq->inuse starts at 0 on the destination QEMU. At least virtio-serial, virtio-blk, and virtio-balloon migrate while holding VirtQueueElements. For these devices we need to recalculate vq->inuse upon load so the value is correct. Cc: qemu-stable@nongnu.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-22e1000e: remove internal interrupt flagCao jin
Commit 66bf7d58 removed internal msi state flag E1000E_USE_MSI, E1000E_USE_MSIX is not necessary too, remove it now. And interrupt flag field intr_state also can be removed now. CC: Dmitry Fleytman <dmitry@daynix.com> CC: Jason Wang <jasowang@redhat.com> CC: Markus Armbruster <armbru@redhat.com> CC: Marcel Apfelbaum <marcel@redhat.com> CC: Michael S. Tsirkin <mst@redhat.com> CC: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-18net: vmxnet: use g_new for pkt initialisationLi Qiang
When network transport abstraction layer initialises pkt, the maximum fragmentation count is not checked. This could lead to an integer overflow causing a NULL pointer dereference. Replace g_malloc() with g_new() to catch the multiplication overflow. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-15Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160815' ↵Peter Maydell
into staging ppc patch queue for 2016-08-15 Just a single patch here, I hope this is the last ppc / spapr fix to squeeze into qemu-2.7. # gpg: Signature made Mon 15 Aug 2016 07:46:36 BST # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.7-20160815: ppc: parse cpu features once Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-15Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20160812-tag-2' ↵Peter Maydell
into staging Xen 2016/08/12, fixed commit message # gpg: Signature made Sat 13 Aug 2016 00:39:09 BST # gpg: using RSA key 0x894F8F4870E1AE90 # gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>" # Primary key fingerprint: D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 * remotes/sstabellini/tags/xen-20160812-tag-2: xen: handle inbound migration of VMs without ioreq server pages Xen: fix converity warning of xen_pt_config_init() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-15Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' ↵Peter Maydell
into staging # gpg: Signature made Fri 12 Aug 2016 11:48:03 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/tracing-pull-request: trace-events: fix first line comment in trace-events Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-15Revert "vhost-user: Attempt to fix a race with set_mem_table."Michael S. Tsirkin
This reverts commit 28ed5ef16384f12500abd3647973ee21b03cbe23. I still think it's the right thing to do, but tests have been failing sporadically. Revert for now, and hope to fix it before the release. Cc: Prerna Saxena <prerna.saxena@nutanix.com> Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Marc-André Lureau <mlureau@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1471268075-3425-1-git-send-email-mst@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-13ppc: parse cpu features onceGreg Kurz
Considering that features are converted to global properties and global properties are automatically applied to every new instance of created CPU (at object_new() time), there is no point in parsing cpu_model string every time a CPU created. So move parsing outside CPU creation loop and do it only once. Parsing also should be done before any CPU is created so that features would affect the first CPU a well. This patch does that for all PowerPC machine types. It is based on previous work from Bharata: https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg07564.html Signed-off-by: Greg Kurz <groug@kaod.org> [clg: only kept the fix for the spapr platform. support for other platform will be added in 2.8 ] Signed-off-by: Cédric Le Goater <clg@kaod.org> Tested-by: Bharata B Rao <bharata@linux.vnet.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-12Xen: fix converity warning of xen_pt_config_init()Cao jin
emu_regs is a pointer, ARRAY_SIZE doesn't return what we expect. Since the remaining message is enough for debugging, so just remove it. Also tweaked the message a little. Signed-off-by: Cao jin <caoj.fnst@cn.fujitsu.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
2016-08-12trace-events: fix first line comment in trace-eventsLaurent Vivier
Documentation is docs/tracing.txt instead of docs/trace-events.txt. find . -name trace-events -exec \ sed -i "s?See docs/trace-events.txt for syntax documentation.?See docs/tracing.txt for syntax documentation.?" \ {} \; Signed-off-by: Laurent Vivier <lvivier@redhat.com> Message-id: 1470669081-17860-1-git-send-email-lvivier@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-08-11virtio-console: set frontend open permanently for console devsDaniel P. Berrange
The virtio-console.c file handles both serial consoles and interactive consoles, since they're backed by the same device model. Since serial devices are expected to be reliable and need to notify the guest when the backend is opened or closed, the virtio-console.c file wires up support for chardev events. This affects both serial consoles and interactive consoles, using a network connection based chardev backend such as 'socket', but not when using a PTY based backend or plain 'file' backends. When the host side is not connected the handle_output() method in virtio-serial-bus.c will drop any data sent by the guest, before it even reaches the virtio-console.c code. This means that if the chardev has a logfile configured, the data will never get logged. Consider for example, configuring a x86_64 guest with a plain UART serial port -chardev socket,id=charserial1,host=127.0.0.1,port=9001,server,nowait,logfile=console1.log,logappend=on -device isa-serial,chardev=charserial1,id=serial1 vs a s390 guest which has to use the virtio-console port -chardev socket,id=charconsole1,host=127.0.0.1,port=9000,server,nowait,logfile=console2.log,logappend=on -device virtconsole,chardev=charconsole1,id=console1 The isa-serial one gets data written to the log regardless of whether a client is connected, while the virtioconsole one only gets data written to the log when a client is connected. There is no need for virtio-serial-bus.c to aggressively drop the data for console devices, as the chardev code is prefectly capable of discarding the data itself. So this patch changes virtconsole devices so that they are always marked as having the host side open. This ensures that the guest OS will always send any data it has (Linux virtio-console hvc driver actually ignores the host open state and sends data regardless, but we should not rely on that), and also prevents the virtio-serial-bus code prematurely discarding data. The behaviour of virtserialport devices is *not* changed, only virtconsole, because for the former, it is important that the guest OSknow exactly when the host side is opened / closed so it can do any protocol re-negotiation that may be required. Fixes bug: https://bugs.launchpad.net/qemu/+bug/1599214 Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1470241360-3574-2-git-send-email-berrange@redhat.com> Signed-off-by: Amit Shah <amit.shah@redhat.com>
2016-08-10Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
virtio/vhost: fixes some bugfixes for virtio/vhost Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Wed 10 Aug 2016 16:16:22 BST # gpg: using RSA key 0x281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: vhost-user: Attempt to fix a race with set_mem_table. vhost-user: Introduce a new protocol feature REPLY_ACK. vhost: check for vhost_ops before using. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-10vhost-user: Attempt to fix a race with set_mem_table.Prerna Saxena
The set_mem_table command currently does not seek a reply. Hence, there is no easy way for a remote application to notify to QEMU when it finished setting up memory, or if there were errors doing so. As an example: (1) Qemu sends a SET_MEM_TABLE to the backend (eg, a vhost-user net application). SET_MEM_TABLE does not require a reply according to the spec. (2) Qemu commits the memory to the guest. (3) Guest issues an I/O operation over a new memory region which was configured on (1). (4) The application has not yet remapped the memory, but it sees the I/O request. (5) The application cannot satisfy the request because it does not know about those GPAs. While a guaranteed fix would require a protocol extension (committed separately), a best-effort workaround for existing applications is to send a GET_FEATURES message before completing the vhost_user_set_mem_table() call. Since GET_FEATURES requires a reply, an application that processes vhost-user messages synchronously would probably have completed the SET_MEM_TABLE before replying. Signed-off-by: Prerna Saxena <prerna.saxena@nutanix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10vhost-user: Introduce a new protocol feature REPLY_ACK.Prerna Saxena
This introduces the VHOST_USER_PROTOCOL_F_REPLY_ACK. If negotiated, client applications should send a u64 payload in response to any message that contains the "need_reply" bit set on the message flags. Setting the payload to "zero" indicates the command finished successfully. Likewise, setting it to "non-zero" indicates an error. Currently implemented only for SET_MEM_TABLE. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Prerna Saxena <prerna.saxena@nutanix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10vhost: check for vhost_ops before using.Ilya Maximets
'vhost_set_vring_enable()' tries to call function using pointer to 'vhost_ops' which can be already zeroized in 'vhost_dev_cleanup()' while vhost disconnection. Fix that by checking 'vhost_ops' before using. This fixes QEMU crash on calling 'ethtool -L eth0 combined 2' if vhost disconnected. Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10hw/ppc/spapr: Look up CPU alias names instead of hard-coding the aliasesThomas Huth
Hard-coding the CPU alias names in the spapr_cores[] array has two big disadvantages: 1) We register a real type with the CPU alias name in spapr_cpu_core_register_types() - this prevents us from registering a CPU family name in kvm_ppc_register_host_cpu_type() with the same name (as we do it for the non-hotpluggable CPU types). 2) It's quite cumbersome to maintain the aliases here in sync with the ppc_cpu_aliases list from target-ppc/cpu-models.c. So let's simply add proper alias lookup to the spapr cpu core code, too (by checking whether the given model can be used directly, and if not by trying to look up the given model as an alias name instead). Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10spapr: remove extra type variableCédric Le Goater
The sPAPR CPU core typename is already available in the upper block. Let's use it and move the check upward also. Signed-off-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-09atapi: fix halted DMA resetJohn Snow
Followup to 87ac25fd, this time for ATAPI DMA. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com> Message-id: 1470164128-28158-1-git-send-email-jsnow@redhat.com Acked-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
2016-08-09hw/net: Fix a heap overflow in xlnx.xps-ethernetlitechaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-09net: vmxnet3: check for device_active before writeLi Qiang
Vmxnet3 device emulator does not check if the device is active, before using it for write. It leads to a use after free issue, if the vmxnet3_io_bar0_write routine is called after the device is deactivated. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-09net: check fragment length during fragmentationPrasad J Pandit
Network transport abstraction layer supports packet fragmentation. While fragmenting a packet, it checks for more fragments from packet length and current fragment length. It is susceptible to an infinite loop, if the current fragment length is zero. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> CC: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-08Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell
More block layer patches for 2.7.0-rc2 # gpg: Signature made Mon 08 Aug 2016 12:51:30 BST # gpg: using RSA key 0x7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: iotests: fix 109 mirror: finish earlier on error tests: Test blockjob IDs block/qdev: Let 'drive' property fall back to node name Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20160808' into stagingPeter Maydell
One more s390x fix for a bug in the pci rework. # gpg: Signature made Mon 08 Aug 2016 11:49:34 BST # gpg: using RSA key 0xDECF6B93C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF * remotes/cohuck/tags/s390x-20160808: s390x/pci: fix null pointer bug Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08hw/sparc/leon3: Don't call get_image_size() on a NULL pointerPeter Maydell
get_image_size() doesn't handle being passed a NULL pointer, so avoid doing that. Spotted by the clang ub sanitizer (which notices the attempt to pass NULL to open()). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1470391439-28427-1-git-send-email-peter.maydell@linaro.org
2016-08-08Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2016-08-08' ↵Peter Maydell
into staging Error reporting patches for 2016-08-08 # gpg: Signature made Mon 08 Aug 2016 08:14:49 BST # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-error-2016-08-08: error: Fix error_printf() calls lacking newlines vfio: Use error_report() instead of error_printf() for errors checkpatch: Fix newline detection in error_setg() & friends error: Strip trailing '\n' from error string arguments (again) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch ↵Peter Maydell
'remotes/elmarco/tags/leaks-for-2.7-pull-request' into staging # gpg: Signature made Sun 07 Aug 2016 21:03:14 BST # gpg: using RSA key 0xDAE8E10975969CE5 # gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" # gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5 * remotes/elmarco/tags/leaks-for-2.7-pull-request: ahci: fix sglist leak on retry usb: free leaking path usb: free USBDevice.strings virtio-input: free config list qjson: free str ahci: free irqs array char: free MuxDriver when closing char: free the tcp connection data when closing numa: do not leak NumaOptions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08block/qdev: Let 'drive' property fall back to node nameKevin Wolf
If a qdev block device is created with an anonymous BlockBackend (i.e. a node name rather than a BB name was given for the drive property), qdev used to return an empty string when the property was read. This patch fixes it to return the node name instead. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-08-08s390x/pci: fix null pointer bugYi Min Zhao
We should make sure that it's not NULL firstly. Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-08-08error: Fix error_printf() calls lacking newlinesMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1470224274-31522-5-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-08-08vfio: Use error_report() instead of error_printf() for errorsMarkus Armbruster
Cc: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1470224274-31522-4-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-08-08error: Strip trailing '\n' from error string arguments (again)Markus Armbruster
Commit 9af9e0f, 6daf194d, be62a2eb and 312fd5f got rid of a bunch, but they keep coming back. checkpatch.pl tries to flag them since commit 5d596c2, but it's not very good at it. Offenders tracked down with Coccinelle script scripts/coccinelle/err-bad-newline.cocci, an updated version of the script from commit 312fd5f. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1470224274-31522-2-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-08-08spapr: Fix undefined behaviour in spapr_tce_reset()David Gibson
When a TCE table (sPAPR IOMMU context) is in disabled state (which is true by default for the 64-bit window), it has tcet->nb_table == 0 and tcet->table == NULL. However, on system reset, spapr_tce_reset() executes, which unconditionally calls memset(tcet->table, 0, table_size); We get away with this in practice, because it's a zero length memset(), but memset() on a NULL pointer is undefined behaviour, so we should not call it in this case. Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-08macio: set res_count value to 0 after non-block ATAPI DMA transfersMark Cave-Ayland
res_count should be set to the number of outstanding bytes after a DBDMA request. Unfortunately this wasn't being set to zero by the non-block transfer codepath meaning drivers that checked the descriptor result for such requests (e.g reading the CDROM TOC) would assume from a non-zero result that the transfer had failed. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-08spapr: Correctly set query_hotpluggable_cpus hook based on machine versionDavid Gibson
Prior to c8721d3 "spapr: Error out when CPU hotplug is attempted on older pseries machines", attempting to use query-hotpluggable-cpus on pseries-2.6 and earlier machine types would SEGV. That change fixed that, but due to some unexpected interactions in init order and a brown-paper-bag worthy failure to test, it accidentally disabled query-hotpluggable-cpus for all pseries machine types, including the current one which should allow it. In fact, query_hotpluggable_cpus needs to be non-NULL when and only when the dr_cpu_enabled flag in sPAPRMachineClass is set, which makes dr_cpu_enabled itself redundant. This patch removes dr_cpu_enabled, instead directly setting query_hotpluggable_cpus from the machine class_init functions, and using that to determine the availability of CPU hotplug when necessary. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-08ahci: fix sglist leak on retryMarc-André Lureau
ahci-test /x86_64/ahci/io/dma/lba28/retry triggers the following leak: Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x7fc4b2a25e20 in malloc (/lib64/libasan.so.3+0xc6e20) #1 0x7fc4993bce58 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee58) #2 0x556a187d4b34 in ahci_populate_sglist hw/ide/ahci.c:896 #3 0x556a187d8237 in ahci_dma_prepare_buf hw/ide/ahci.c:1367 #4 0x556a187b5a1a in ide_dma_cb hw/ide/core.c:844 #5 0x556a187d7eec in ahci_start_dma hw/ide/ahci.c:1333 #6 0x556a187b650b in ide_start_dma hw/ide/core.c:921 #7 0x556a187b61e6 in ide_sector_start_dma hw/ide/core.c:911 #8 0x556a187b9e26 in cmd_write_dma hw/ide/core.c:1486 #9 0x556a187bd519 in ide_exec_cmd hw/ide/core.c:2027 #10 0x556a187d71c5 in handle_reg_h2d_fis hw/ide/ahci.c:1204 #11 0x556a187d7681 in handle_cmd hw/ide/ahci.c:1254 #12 0x556a187d168a in check_cmd hw/ide/ahci.c:510 #13 0x556a187d0afc in ahci_port_write hw/ide/ahci.c:314 #14 0x556a187d105d in ahci_mem_write hw/ide/ahci.c:435 #15 0x556a1831d959 in memory_region_write_accessor /home/elmarco/src/qemu/memory.c:525 #16 0x556a1831dc35 in access_with_adjusted_size /home/elmarco/src/qemu/memory.c:591 #17 0x556a18323ce3 in memory_region_dispatch_write /home/elmarco/src/qemu/memory.c:1262 #18 0x556a1828cf67 in address_space_write_continue /home/elmarco/src/qemu/exec.c:2578 #19 0x556a1828d20b in address_space_write /home/elmarco/src/qemu/exec.c:2635 #20 0x556a1828d92b in address_space_rw /home/elmarco/src/qemu/exec.c:2737 #21 0x556a1828daf7 in cpu_physical_memory_rw /home/elmarco/src/qemu/exec.c:2746 #22 0x556a183068d3 in cpu_physical_memory_write /home/elmarco/src/qemu/include/exec/cpu-common.h:72 #23 0x556a18308194 in qtest_process_command /home/elmarco/src/qemu/qtest.c:382 #24 0x556a18309999 in qtest_process_inbuf /home/elmarco/src/qemu/qtest.c:573 #25 0x556a18309a4a in qtest_read /home/elmarco/src/qemu/qtest.c:585 #26 0x556a18598b85 in qemu_chr_be_write_impl /home/elmarco/src/qemu/qemu-char.c:387 #27 0x556a18598c52 in qemu_chr_be_write /home/elmarco/src/qemu/qemu-char.c:399 #28 0x556a185a2afa in tcp_chr_read /home/elmarco/src/qemu/qemu-char.c:2902 #29 0x556a18cbaf52 in qio_channel_fd_source_dispatch io/channel-watch.c:84 Follow John Snow recommendation: Everywhere else ncq_err is used, it is accompanied by a list cleanup except for ncq_cb, which is the case you are fixing here. Move the sglist destruction inside of ncq_err and then delete it from the other two locations to keep it tidy. Call dma_buf_commit in ide_dma_cb after the early return. Though, this is also a little wonky because this routine does more than clear the list, but it is at the moment the centralized "we're done with the sglist" function and none of the other side effects that occur in dma_buf_commit will interfere with the reset that occurs from ide_restart_bh, I think Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2016-08-08usb: free leaking pathMarc-André Lureau
qdev_get_dev_path() returns an allocated string, free it when no longer needed. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-08-08usb: free USBDevice.stringsMarc-André Lureau
The list is created during instance init and further populated with usb_desc_set_string(). Clear it when unrealizing the device. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-08-08virtio-input: free config listMarc-André Lureau
Clear the list when finalizing. The list is created during realize with virtio_input_idstr_config() and later by further calls to virtio_input_init_config() and virtio_input_add_config(). This leak can be reproduced with device-introspect-test -p /x86_64/device/introspect/concrete. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-08-08ahci: free irqs arrayMarc-André Lureau
Each irq is referenced by the IDEBus in ide_init2(), thus we can free the no longer used array. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Acked-by: John Snow <jsnow@redhat.com>
2016-08-05Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell
Block layer patches for 2.7.0-rc2 # gpg: Signature made Fri 05 Aug 2016 10:30:12 BST # gpg: using RSA key 0x7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: nvme: bump PCI revision nvme: fix identify to be NVMe 1.1 compliant block: Accept any target node for transactional blockdev-backup Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-05Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Fri 05 Aug 2016 10:24:34 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/block-pull-request: virtio-blk: Remove stale comment about draining virtio-blk: Release s->rq queue at system_reset throttle: Test burst limits lower than the normal limits throttle: Don't allow burst limits to be lower than the normal limits block/parallels: check new image size Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-05virtio-blk: Remove stale comment about drainingFam Zheng
This is stale after commit 6e40b3bf (virtio-blk: Use blk_drain() to drain IO requests), remove it. Suggested-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1470278654-13525-3-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-08-05virtio-blk: Release s->rq queue at system_resetFam Zheng
At system_reset, there is no point in retrying the queued request, because the driver that issued the request won't be around any more. Analyzed-by: Laszlo Ersek <lersek@redhat.com> Reported-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-id: 1470278654-13525-2-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-08-05nvme: bump PCI revisionChristoph Hellwig
The broken Identify implementation in earlier Qemu versions means we need to blacklist it from issueing the NVMe 1.1 Identify Namespace List command. As we want to be able to use it in newer Qemu versions we need a way to identify those. Bump the PCI revision as a guest visible indicator of this bug fix. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Keith Busch <keith.busch@intel.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-08-05nvme: fix identify to be NVMe 1.1 compliantChristoph Hellwig
NVMe 1.1 requires devices to implement a Namespace List subcommand of the identify command. Qemu not only not implements this features, but also misinterprets it as an Identify Controller request. Due to this any OS trying to use the Namespace List will fail the probe. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Keith Busch <keith.busch@intel.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>