aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2020-09-09virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.Andrew Melnychenko
There is an issue when callback may be called with invalid vdev. It happens on unplug when vdev already deleted and VirtIOPciProxy is not. So now, callbacks accept proxy device, and vdev retrieved from it. Technically memio callbacks should be removed during the flatview update, but memoryregions remain til PCI device(and it's address space) completely deleted. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1716352 Signed-off-by: Andrew Melnychenko <andrew@daynix.com> Message-Id: <20200706112123.971087-1-andrew@daynix.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit ccec7e9603f446fe75c6c563ba335c00cfda6a06) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-09intel_iommu: Use correct shift for 256 bits qi descriptorLiu Yi L
In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was introduced in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should be 5 when descriptor size is 256 bits. This patch adds the DW bit check when deciding the shift used to update VTD_IQH_REG. Signed-off-by: Liu Yi L <yi.l.liu@intel.com> Message-Id: <1593850035-35483-1-git-send-email-yi.l.liu@intel.com> Reviewed-by: Peter Xu <peterx@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit a4544c45e109ceee87ee8c19baff28be3890d788) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02virtio-balloon: Replace free page hinting references to 'report' with 'hint'Alexander Duyck
Recently a feature named Free Page Reporting was added to the virtio balloon. In order to avoid any confusion we should drop the use of the word 'report' when referring to Free Page Hinting. So what this patch does is go through and replace all instances of 'report' with 'hint" when we are referring to free page hinting. Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175128.21935.93927.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 3219b42f025d4d7a9c463235e9f937ab38067de3) Conflicts: hw/virtio/virtio-balloon.c include/hw/virtio/virtio-balloon.h *drop context deps on 91b867191d and 7483cbbaf8 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02virtio-balloon: always indicate S_DONE when migration failsDavid Hildenbrand
If something goes wrong during precopy, before stopping the VM, we will never send a S_DONE indication to the VM, resulting in the hinted pages not getting released to be used by the guest OS (e.g., Linux). Easy to reproduce: 1. Start migration (e.g., HMP "migrate -d 'exec:gzip -c > STATEFILE.gz'") 2. Cancel migration (e.g., HMP "migrate_cancel") 3. Oberve in the guest (e.g., cat /proc/meminfo) that there is basically no free memory left. While at it, add similar locking to virtio_balloon_free_page_done() as done in virtio_balloon_free_page_stop. Locking is still weird, but that has to be sorted out separately. There is nothing to do in the PRECOPY_NOTIFY_COMPLETE case. Add some comments regarding S_DONE handling. Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Cc: Wei Wang <wei.w.wang@intel.com> Cc: Alexander Duyck <alexander.duyck@gmail.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20200629080615.26022-1-david@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit dd8eeb9671fc881e613008bd20035b85fe45383d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02virtio-balloon: Add locking to prevent possible race when starting hintingAlexander Duyck
There is already locking in place when we are stopping free page hinting but there is not similar protections in place when we start. I can only assume this was overlooked as in most cases the page hinting should not be occurring when we are starting the hinting, however there is still a chance we could be processing hints by the time we get back around to restarting the hinting so we are better off making sure to protect the state with the mutex lock rather than just updating the value with no protections. Based on feedback from Peter Maydell this issue had also been spotted by Coverity: CID 1430269 Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175122.21935.78013.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 1a83e0b9c492a0eaeacd6fbb858fc81d04ab9c3e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02virtio-balloon: Prevent guest from starting a report when we didn't request oneAlexander Duyck
Based on code review it appears possible for the driver to force the device out of a stopped state when hinting by repeating the last ID it was provided. Prevent this by only allowing a transition to the start state when we are in the requested state. This way the driver is only allowed to send one descriptor that will transition the device into the start state. All others will leave it in the stop state once it has finished. Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 20a4da0f23078deeff5ea6d1e12f47d968d7c3c9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02tpm: tpm_spapr: Exit on TPM backend failuresStefan Berger
Exit on TPM backend failures in the same way as the TPM CRB and TIS device models do. With this change we now get an error report when the backend did not start up properly: error: internal error: qemu unexpectedly closed the monitor: 2020-07-07T12:49:28.333928Z qemu-system-ppc64: tpm-emulator: \ TPM result for CMD_INIT: 0x101 operation failed Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20200707201625.4177419-2-stefanb@linux.vnet.ibm.com (cherry picked from commit f8b332a1ff107dc014a52eaf9bf547995205f18a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/sd/sdcard: Do not switch to ReceivingData if address is invalidPhilippe Mathieu-Daudé
Only move the state machine to ReceivingData if there is no pending error. This avoids later OOB access while processing commands queued. "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" 4.3.3 Data Read Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. 4.3.4 Data Write Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data(). Fixes: CVE-2020-13253 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-6-f4bug@amsat.org> (cherry picked from commit 790762e5487114341cccc5bffcec4cb3c022c3cd) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/sd/sdcard: Update coding style to make checkpatch.pl happyPhilippe Mathieu-Daudé
To make the next commit easier to review, clean this code first. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200630133912.9428-3-f4bug@amsat.org> (cherry picked from commit 794d68de2f021a6d3874df41d6bbe8590ec05207) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/sd/sdcard: Do not allow invalid SD card sizesPhilippe Mathieu-Daudé
QEMU allows to create SD card with unrealistic sizes. This could work, but some guests (at least Linux) consider sizes that are not a power of 2 as a firmware bug and fix the card size to the next power of 2. While the possibility to use small SD card images has been seen as a feature, it became a bug with CVE-2020-13253, where the guest is able to do OOB read/write accesses past the image size end. In a pair of commits we will fix CVE-2020-13253 as: Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data(). While this is the correct behavior, in case QEMU create smaller SD cards, guests still try to access past the image size end, and QEMU considers this is an invalid address, thus "all further data transfer is ignored". This is wrong and make the guest looping until eventually timeouts. Fix by not allowing invalid SD card sizes (suggesting the expected size as a hint): $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw qemu-system-arm: Invalid SD card size: 60 MiB SD card size has to be a power of 2, e.g. 64 MiB. You can resize disk images with 'qemu-img resize <imagefile> <new-size>' (note that this will lose data if you make the image smaller than it currently is). Cc: qemu-stable@nongnu.org Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20200713183209.26308-8-f4bug@amsat.org> (cherry picked from commit a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/sd/sdcard: Simplify realize() a bitPhilippe Mathieu-Daudé
We don't need to check if sd->blk is set twice. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-18-f4bug@amsat.org> (cherry picked from commit 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/sd/sdcard: Restrict Class 6 commands to SCSD cardsPhilippe Mathieu-Daudé
Only SCSD cards support Class 6 (Block Oriented Write Protection) commands. "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" 4.3.14 Command Functional Difference in Card Capacity Types * Write Protected Group SDHC and SDXC do not support write-protected groups. Issuing CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-7-f4bug@amsat.org> (cherry picked from commit 9157dd597d293ab7f599f4d96c3fe8a6e07c633d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02usb/dev-mtp: Fix Error double free after inotify failureMarkus Armbruster
error_report_err() frees its first argument. Freeing it again is wrong. Don't. Fixes: 47287c27d0c367a89f7b2851e23a7f8b2d499dd6 Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Daniel P. Berrangé <berrange@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20200630090351.1247703-7-armbru@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 562a558647be6fe43e60f8bf3601e5b6122c0599) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02error: Use error_reportf_err() where appropriateMarkus Armbruster
Replace error_report("...: %s", ..., error_get_pretty(err)); by error_reportf_err(err, "...: ", ...); One of the replaced messages lacked a colon. Add it. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200505101908.6207-6-armbru@redhat.com> (cherry picked from commit 5217f1887a8041c51495fbd5d3f767d96a242000) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02net/virtio: Fix failover_replug_primary() return value regressionMarkus Armbruster
Commit 150ab54aa6 "net/virtio: fix re-plugging of primary device" fixed failover_replug_primary() to return false on failure. Commit 5a0948d36c "net/virtio: Fix failover error handling crash bugs" broke it again for hotplug_handler_plug() failure. Unbreak it. Commit 5a0948d36c4cbc1c5534afac6fee99de55245d12 Fixes: 5a0948d36c4cbc1c5534afac6fee99de55245d12 Cc: Jens Freimann <jfreimann@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Jens Freimann <jfreimann@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20200630090351.1247703-2-armbru@redhat.com> (cherry picked from commit ca72efccbe33373810341a0d8a10f5698b8fbc87) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/audio/gus: Fix registers 32-bit accessAllan Peramaki
Fix audio on software that accesses DRAM above 64k via register peek/poke and some cases when more than 16 voices are used. Cc: qemu-stable@nongnu.org Fixes: 135f5ae1974c ("audio: GUSsample is int16_t") Signed-off-by: Allan Peramaki <aperamak@pp1.inet.fi> Tested-by: Volker Rümelin <vr_qemu@t-online.de> Reviewed-by: Volker Rümelin <vr_qemu@t-online.de> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200618103623.6031-1-philmd@redhat.com Message-Id: <20200615201757.16868-1-aperamak@pp1.inet.fi> [PMD: Removed unrelated style changes] Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 586803455b3fa44d949ecd42cd9c87e5a6287aef) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/net/e1000e: Do not abort() on invalid PSRCTL register valuePhilippe Mathieu-Daudé
libFuzzer found using 'qemu-system-i386 -M q35': qemu: hardware error: e1000e: PSRCTL.BSIZE0 cannot be zero CPU #0: EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000663 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 00000000 0000ffff 00009300 CS =f000 ffff0000 0000ffff 00009b00 SS =0000 00000000 0000ffff 00009300 DS =0000 00000000 0000ffff 00009300 FS =0000 00000000 0000ffff 00009300 GS =0000 00000000 0000ffff 00009300 LDT=0000 00000000 0000ffff 00008200 TR =0000 00000000 0000ffff 00008b00 GDT= 00000000 0000ffff IDT= 00000000 0000ffff CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000 DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 DR6=ffff0ff0 DR7=00000400 EFER=0000000000000000 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000 XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000 XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 ==1988== ERROR: libFuzzer: deadly signal #6 0x7fae4d3ea894 in __GI_abort (/lib64/libc.so.6+0x22894) #7 0x563f4cc59a1d in hw_error (qemu-fuzz-i386+0xe8ca1d) #8 0x563f4d7c93f2 in e1000e_set_psrctl (qemu-fuzz-i386+0x19fc3f2) #9 0x563f4d7b798f in e1000e_core_write (qemu-fuzz-i386+0x19ea98f) #10 0x563f4d7afc46 in e1000e_mmio_write (qemu-fuzz-i386+0x19e2c46) #11 0x563f4cc9a0a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7) #12 0x563f4cc99c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13) #13 0x563f4cc987b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4) It simply sent the following 2 I/O command to the e1000e PCI BAR #2 I/O region: writew 0x0100 0x0c00 # RCTL = E1000_RCTL_DTYP_MASK writeb 0x2170 0x00 # PSRCTL = 0 2813 static void 2814 e1000e_set_psrctl(E1000ECore *core, int index, uint32_t val) 2815 { 2816 if (core->mac[RCTL] & E1000_RCTL_DTYP_MASK) { 2817 2818 if ((val & E1000_PSRCTL_BSIZE0_MASK) == 0) { 2819 hw_error("e1000e: PSRCTL.BSIZE0 cannot be zero"); 2820 } Instead of calling hw_error() which abort the process (it is meant for CPU fatal error condition, not for device logging), log the invalid request with qemu_log_mask(LOG_GUEST_ERROR) and return, ignoring the request. Cc: qemu-stable@nongnu.org Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit fda43b1204aecd1db158b3255c591d227fbdd629) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-09-02hw/display/artist: Unbreak size mismatch memory accessesHelge Deller
Commit 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") broke the artist driver in a way that the dtwm window manager on HP-UX rendered wrong. Fixes: 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") Signed-off-by: Sven Schnelle <svens@stackframe.org> Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit e0cf02ce680f11893aca9642e76d6ae68b9375af) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-27acpi: accept byte and word access to core ACPI registersMichael Tokarev
All ISA registers should be accessible as bytes, words or dwords (if wide enough). Fix the access constraints for acpi-pm-evt, acpi-pm-tmr & acpi-cnt registers. Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") Fixes: afafe4bbe0 (apci: switch cnt to memory api) Fixes: 77d58b1e47 (apci: switch timer to memory api) Fixes: b5a7c024d2 (apci: switch evt to memory api) Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ Buglink: https://bugs.debian.org/964793 BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 BugLink: https://bugs.launchpad.net/bugs/1886318 Reported-By: Simon John <git@the-jedi.co.uk> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-27xhci: fix valid.max_access_size to access address registersLaurent Vivier
QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow 64-bit mode access in "runtime" and "operational" MemoryRegionOps. Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. XHCI specs: "If the xHC supports 64-bit addressing (AC64 = ‘1’), then software should write 64-bit registers using only Qword accesses. If a system is incapable of issuing Qword accesses, then writes to the 64-bit address fields shall be performed using 2 Dword accesses; low Dword-first, high-Dword second. If the xHC supports 32-bit addressing (AC64 = ‘0’), then the high Dword of registers containing 64-bit address fields are unused and software should write addresses using only Dword accesses" The problem has been detected with SLOF, as linux kernel always accesses registers using 32-bit access even if AC64 is set and revealed by 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> Signed-off-by: Laurent Vivier <lvivier@redhat.com> Message-id: 20200721083322.90651-1-lvivier@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-27hw/riscv: Allow 64 bit access to SiFive CLINTAlistair Francis
Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 "memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"" broke most RISC-V boards as they do 64 bit accesses to the CLINT and QEMU would trigger a fault. Fix this failure by allowing 8 byte accesses. Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> (cherry picked from commit 70b78d4e71494c90d2ccb40381336bc9b9a22f79) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24Fix tulip breakageHelge Deller
The tulip network driver in a qemu-system-hppa emulation is broken in the sense that bigger network packages aren't received any longer and thus even running e.g. "apt update" inside the VM fails. The breakage was introduced by commit 8ffb7265af ("check frame size and r/w data length") which added checks to prevent accesses outside of the rx/tx buffers. But the new checks were implemented wrong. The variable rx_frame_len counts backwards, from rx_frame_size down to zero, and the variable len is never bigger than rx_frame_len, so accesses just can't happen and the checks are unnecessary. On the contrary the checks now prevented bigger packages to be moved into the rx buffers. This patch reverts the wrong checks and were sucessfully tested with a qemu-system-hppa emulation. Fixes: 8ffb7265af ("check frame size and r/w data length") Buglink: https://bugs.launchpad.net/bugs/1874539 Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24es1370: check total frame count against current framePrasad J Pandit
A guest user may set channel frame count via es1370_write() such that, in es1370_transfer_audio(), total frame count 'size' is lesser than the number of frames that are processed 'cnt'. int cnt = d->frame_cnt >> 16; int size = d->frame_cnt & 0xffff; if (size < cnt), it results in incorrect calculations leading to OOB access issue(s). Add check to avoid it. Reported-by: Ren Ding <rding@gatech.edu> Reported-by: Hanqing Zhao <hanqing@gatech.edu> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20200514200608.1744203-1-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 369ff955a8497988d079c4e3fa1e93c2570c1c69) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24ati-vga: check mm_index before recursive call (CVE-2020-13800)Prasad J Pandit
While accessing VGA registers via ati_mm_read/write routines, a guest may set 's->regs.mm_index' such that it leads to infinite recursion. Check mm_index value to avoid such recursion. Log an error message for wrong values. Reported-by: Ren Ding <rding@gatech.edu> Reported-by: Hanqing Zhao <hanqing@gatech.edu> Reported-by: Yi Ren <c4tren@gmail.com> Message-id: 20200604090830.33885-1-ppandit@redhat.com Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit a98610c429d52db0937c1e48659428929835c455) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24xen/9pfs: yield when there isn't enough room on the ringStefano Stabellini
Instead of truncating replies, which is problematic, wait until the client reads more data and frees bytes on the reply ring. Do that by calling qemu_coroutine_yield(). The corresponding qemu_coroutine_enter_if_inactive() is called from xen_9pfs_bh upon receiving the next notification from the client. We need to be careful to avoid races in case xen_9pfs_bh and the coroutine are both active at the same time. In xen_9pfs_bh, wait until either the critical section is over (ring->co == NULL) or until the coroutine becomes inactive (qemu_coroutine_yield() was called) before continuing. Then, simply wake up the coroutine if it is inactive. Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Message-Id: <20200521192627.15259-2-sstabellini@kernel.org> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit a4c4d462729466c4756bac8a0a8d77eb63b21ef7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24Revert "9p: init_in_iov_from_pdu can truncate the size"Stefano Stabellini
This reverts commit 16724a173049ac29c7b5ade741da93a0f46edff7. It causes https://bugs.launchpad.net/bugs/1877688. Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com> Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Message-Id: <20200521192627.15259-1-sstabellini@kernel.org> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit cf45183b718f02b1369e18c795dc51bc1821245d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24xen-9pfs: Fix log messages of reply errorsChristian Schoenebeck
If delivery of some 9pfs response fails for some reason, log the error message by mentioning the 9P protocol reply type, not by client's request type. The latter could be misleading that the error occurred already when handling the request input. Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org> Message-Id: <ad0e5a9b6abde52502aa40b30661d29aebe1590a.1589132512.git.qemu_oss@crudebyte.com> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit 9bbb7e0fe081efff2e41f8517c256b72a284fe9b) *prereq for cf45183b718 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-249pfs: include linux/limits.h for XATTR_SIZE_MAXDan Robertson
linux/limits.h should be included for the XATTR_SIZE_MAX definition used by v9fs_xattrcreate. Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate") Signed-off-by: Dan Robertson <dan@dlrobertson.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Message-Id: <20200515203015.7090-2-dan@dlrobertson.com> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-249pfs: local: ignore O_NOATIME if we don't have permissionsOmar Sandoval
QEMU's local 9pfs server passes through O_NOATIME from the client. If the QEMU process doesn't have permissions to use O_NOATIME (namely, it does not own the file nor have the CAP_FOWNER capability), the open will fail. This causes issues when from the client's point of view, it believes it has permissions to use O_NOATIME (e.g., a process running as root in the virtual machine). Additionally, overlayfs on Linux opens files on the lower layer using O_NOATIME, so in this case a 9pfs mount can't be used as a lower layer for overlayfs (cf. https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c and https://github.com/NixOS/nixpkgs/issues/54509). Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g., network filesystems. open(2) notes that O_NOATIME "may not be effective on all filesystems. One example is NFS, where the server maintains the access time." This means that we can honor it when possible but fall back to ignoring it. Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Signed-off-by: Omar Sandoval <osandov@fb.com> Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24virtio-balloon: unref the iothread when unrealizingDavid Hildenbrand
We took a reference when realizing, so let's drop that reference when unrealizing. Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Cc: qemu-stable@nongnu.org Cc: Wei Wang <wei.w.wang@intel.com> Cc: Alexander Duyck <alexander.duyck@gmail.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20200520100439.19872-4-david@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 105aef9c9479786d27c1c45c9b0b1fa03dc46be3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24virtio-balloon: fix free page hinting check on unrealizeDavid Hildenbrand
Checking against guest features is wrong. We allocated data structures based on host features. We can rely on "free_page_bh" as an indicator whether to un-do stuff instead. Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Cc: qemu-stable@nongnu.org Cc: Wei Wang <wei.w.wang@intel.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Alexander Duyck <alexander.duyck@gmail.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20200520100439.19872-3-david@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 49b01711b8eb3796c6904c7f85d2431572cfe54f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-24virtio-balloon: fix free page hinting without an iothreadDavid Hildenbrand
In case we don't have an iothread, we mark the feature as abscent but still add the queue. 'free_page_bh' remains set to NULL. qemu-system-i386 \ -M microvm \ -nographic \ -device virtio-balloon-device,free-page-hint=true \ -nographic \ -display none \ -monitor none \ -serial none \ -qtest stdio Doing a "write 0xc0000e30 0x24 0x030000000300000003000000030000000300000003000000030000000300000003000000" We will trigger a SEGFAULT. Let's move the check and bail out. While at it, move the static initializations to instance_init(). free_page_report_status and block_iothread are implicitly set to the right values (0/false) already, so drop the initialization. Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Reported-by: Alexander Bulekov <alxndr@bu.edu> Cc: qemu-stable@nongnu.org Cc: Wei Wang <wei.w.wang@intel.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Alexander Duyck <alexander.duyck@gmail.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20200520100439.19872-2-david@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 12fc8903a8ee09fb5f642de82699a0b211e1b5a7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-08-249p: Lock directory streams with a CoMutexGreg Kurz
Locking was introduced in QEMU 2.7 to address the deprecation of readdir_r(3) in glibc 2.24. It turns out that the frontend code is the worst place to handle a critical section with a pthread mutex: the code runs in a coroutine on behalf of the QEMU mainloop and then yields control, waiting for the fsdev backend to process the request in a worker thread. If the client resends another readdir request for the same fid before the previous one finally unlocked the mutex, we're deadlocked. This never bit us because the linux client serializes readdir requests for the same fid, but it is quite easy to demonstrate with a custom client. A good solution could be to narrow the critical section in the worker thread code and to return a copy of the dirent to the frontend, but this causes quite some changes in both 9p.c and codir.c. So, instead of that, in order for people to easily backport the fix to older QEMU versions, let's simply use a CoMutex since all the users for this sit in coroutines. Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir") Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2020-04-13Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pc: bugfixes, maintainers A couple of bugfixes. Add a new vhost-user-blk maintainer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Mon 13 Apr 2020 11:57:17 BST # gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469 # gpg: issuer "mst@redhat.com" # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: exec: Fix for qemu_ram_resize() callback fw_cfg: Migrate ACPI table mr sizes separately acpi: Use macro for table-loader file name MAINTAINERS: Add myself as vhost-user-blk maintainer Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-13Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
Bugfixes, and reworking of the atomics documentation. # gpg: Signature made Mon 13 Apr 2020 07:56:22 BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: module: increase dirs array size by one memory: Do not allow direct write access to rom_device regions vl.c: error out if -mem-path is used together with -M memory-backend rcu: do not mention atomic_mb_read/set in documentation atomics: update documentation atomics: convert to reStructuredText oslib-posix: take lock before qemu_cond_broadcast piix: fix xenfv regression, add compat machine xenfv-4.2 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-13fw_cfg: Migrate ACPI table mr sizes separatelyShameer Kolothum
Any sub-page size update to ACPI MRs will be lost during migration, as we use aligned size in ram_load_precopy() -> qemu_ram_resize() path. This will result in inconsistency in FWCfgEntry sizes between source and destination. In order to avoid this, save and restore them separately during migration. Up until now, this problem may not be that relevant for x86 as both ACPI table and Linker MRs gets padded and aligned. Also at present, qemu_ram_resize() doesn't invoke callback to update FWCfgEntry for unaligned size changes. But since we are going to fix the qemu_ram_resize() in the subsequent patch, the issue may become more serious especially for RSDP MR case. Moreover, the issue will soon become prominent in arm/virt as well where the MRs are not padded or aligned at all and eventually have acpi table changes as part of future additions like NVDIMM hot-add feature. Suggested-by: David Hildenbrand <david@redhat.com> Signed-off-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com> Acked-by: David Hildenbrand <david@redhat.com> Message-Id: <20200403101827.30664-3-shameerali.kolothum.thodi@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-04-13acpi: Use macro for table-loader file nameShameer Kolothum
Use macro for "etc/table-loader" and move it to the header file similar to ACPI_BUILD_TABLE_FILE/ACPI_BUILD_RSDP_FILE etc. Signed-off-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <20200403101827.30664-2-shameerali.kolothum.thodi@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2020-04-11piix: fix xenfv regression, add compat machine xenfv-4.2Olaf Hering
With QEMU 4.0 an incompatible change was added to pc_piix, which makes it practical impossible to migrate domUs started with qemu2 or qemu3 to newer qemu versions. Commit 7fccf2a06890e3bc3b30e29827ad3fb93fe88fea added and enabled a new member "smbus_no_migration_support". In commit 4ab2f2a8aabfea95cc53c64e13b3f67960b27fdf the vmstate_acpi got new elements, which are conditionally filled. As a result, an incoming migration expected smbus related data unless smbus migration was disabled for a given MachineClass. Since first commit forgot to handle 'xenfv', domUs started with QEMU 4.x are incompatible with their QEMU siblings. Using other existing machine types, such as 'pc-i440fx-3.1', is not possible because 'xenfv' creates the 'xen-platform' PCI device at 00:02.0, while all other variants to run a domU would create it at 00:04.0. To cover both the existing and the broken case of 'xenfv' in a single qemu binary, a new compatibility variant of 'xenfv-4.2' must be added which targets domUs started with qemu 4.2. The existing 'xenfv' restores compatibility of QEMU 5.x with qemu 3.1. Host admins who started domUs with QEMU 4.x (preferrable QEMU 4.2) have to use a wrapper script which appends '-machine xenfv-4.2' to the device-model command line. This is only required if there is no maintenance window which allows to temporary shutdown the domU and restart it with a fixed device-model. The wrapper script is as simple as this: #!/bin/sh exec /usr/bin/qemu-system-i386 "$@" -machine xenfv-4.2 With xl this script will be enabled with device_model_override=, see xl.cfg(5). To live migrate a domU, adjust the existing domU.cfg and pass it to xl migrate or xl save/restore: xl migrate -C new-domU.cfg domU remote-host xl save domU CheckpointFile new-domU.cfg xl restore new-domU.cfg CheckpointFile With libvirt this script will be enabled with the <emulator> element in domU.xml. Use 'virsh edit' prior 'virsh migrate' to replace the existing <emulator> element to point it to the wrapper script. Signed-off-by: Olaf Hering <olaf@aepfle.de> Message-Id: <20200327151841.13877-1-olaf@aepfle.de> [Adjust tests for blacklisted machine types, simplifying the one in qom-test. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-04-07Merge remote-tracking branch 'remotes/stsquad/tags/pull-misc-fixes-070420-1' ↵Peter Maydell
into staging Various fixes: - add .github repo lockdown config - better handle missing symbols in elf-ops - protect fcntl64 with #ifdef - remove unused macros from test - fix handling of /proc/self/maps - avoid BAD_SHIFT in x80 softfloat - properly terminate on .hex EOF - fix configure probe on windows cross build - fix %r12 guest_base initialization # gpg: Signature made Tue 07 Apr 2020 16:31:14 BST # gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44 # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full] # Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44 * remotes/stsquad/tags/pull-misc-fixes-070420-1: tcg/i386: Fix %r12 guest_base initialization configure: Add -Werror to PIE probe hw/core: properly terminate loading .hex on EOF record linux-user: clean-up padding on /proc/self/maps linux-user: factor out reading of /proc/self/maps softfloat: Fix BAD_SHIFT from normalizeFloatx80Subnormal gdbstub: fix compiler complaining target/xtensa: add FIXME for translation memory leak linux-user: more debug for init_guest_space tests/tcg: remove extraneous pasting macros linux-user: protect fcntl64 with an #ifdef elf-ops: bail out if we have no function symbols .github: Enable repo-lockdown bot to refuse GitHub pull requests Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07Merge remote-tracking branch 'remotes/aperard/tags/pull-xen-20200407' into ↵Peter Maydell
staging Xen queue for QEMU 5.0 - Fix for xen-block. - A fix for a Coverity false positive in xen-usb. - Update MAINTAINERS to add xen-usb.c to Xen section. # gpg: Signature made Tue 07 Apr 2020 16:21:16 BST # gpg: using RSA key F80C006308E22CFD8A92E7980CF5572FD7FB55AF # gpg: issuer "anthony.perard@citrix.com" # gpg: Good signature from "Anthony PERARD <anthony.perard@gmail.com>" [marginal] # gpg: aka "Anthony PERARD <anthony.perard@citrix.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 5379 2F71 024C 600F 778A 7161 D8D5 7199 DF83 42C8 # Subkey fingerprint: F80C 0063 08E2 2CFD 8A92 E798 0CF5 572F D7FB 55AF * remotes/aperard/tags/pull-xen-20200407: MAINTAINERS: Add xen-usb.c to Xen section xen-block: Fix uninitialized variable hw/usb/xen-usb.c: Pass struct usbback_req* to usbback_packet_complete() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-04-07' ↵Peter Maydell
into staging Block patches for 5.0-rc2: - Fix double QLIST_REMOVE() and potential request object leak in xen-block - Prevent a potential assertion failure in qcow2's code for compressed clusters by rejecting invalid (unaligned) requests with -EIO - Prevent discards on qcow2 v2 images from making backing data reappear - Make qemu-img convert report I/O error locations by byte offsets consistently - Fix for potential I/O test errors (accidental globbing due to missing quotes) # gpg: Signature made Tue 07 Apr 2020 13:30:01 BST # gpg: using RSA key 91BEB60A30DB3E8857D11829F407DB0061D5CF40 # gpg: issuer "mreitz@redhat.com" # gpg: Good signature from "Max Reitz <mreitz@redhat.com>" [full] # Primary key fingerprint: 91BE B60A 30DB 3E88 57D1 1829 F407 DB00 61D5 CF40 * remotes/maxreitz/tags/pull-block-2020-04-07: xen-block: Fix double qlist remove and request leak iotests/common.pattern: Quote echos qcow2: Check request size in qcow2_co_pwritev_compressed_part() qemu-img: Report convert errors by bytes, not sectors qcow2: Forbid discard in qcow2 v2 images with backing files Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07hw/core: properly terminate loading .hex on EOF recordAlex Bennée
The https://makecode.microbit.org/#editor generates slightly weird .hex files which work fine on a real microbit but causes QEMU to choke. The reason is extraneous data after the EOF record which causes the loader to attempt to write a bigger file than it should to the "rom". According to the HEX file spec an EOF really should be the last thing we process so lets do that. Reported-by: Ursula Bennée <alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200403191150.863-12-alex.bennee@linaro.org>
2020-04-07xen-block: Fix uninitialized variableAnthony PERARD
Since 7f5d9b206d1e ("object-add: don't create return value if failed"), qmp_object_add() don't write any value in 'ret_data', thus has random data. Then qobject_unref() fails and abort(). Fix by initialising 'ret_data' properly. Fixes: 5f07c4d60d09 ("qapi: Flatten object-add") Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20200406164207.1446817-1-anthony.perard@citrix.com>
2020-04-07hw/usb/xen-usb.c: Pass struct usbback_req* to usbback_packet_complete()Peter Maydell
The function usbback_packet_complete() currently takes a USBPacket*, which must be a pointer to the packet field within a struct usbback_req; the function uses container_of() to get the struct usbback_req* given the USBPacket*. This is unnecessarily confusing (and in particular it confuses the Coverity Scan analysis, resulting in the false positive CID 1421919 where it thinks that we write off the end of the structure). Since both callsites already have the pointer to the struct usbback_req, just pass that in directly. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Message-Id: <20200323164318.26567-1-peter.maydell@linaro.org> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2020-04-07Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/fixes-20200407-pull-request' into staging fixes for 5.0: - audio: windows (dsound) fixes. - vga: ati blitter sanity check fixes. # gpg: Signature made Tue 07 Apr 2020 10:21:44 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/fixes-20200407-pull-request: ati-vga: Fix checks in ati_2d_blt() to avoid crash dsoundaudio: dsound_get_buffer_in should honor *size dsoundaudio: fix "Could not lock capture buffer" warning dsoundaudio: fix never-ending playback loop Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-04-07xen-block: Fix double qlist remove and request leakAnthony PERARD
Commit a31ca6801c02 ("qemu/queue.h: clear linked list pointers on remove") revealed that a request was removed twice from a list, once in xen_block_finish_request() and a second time in xen_block_release_request() when both function are called from xen_block_complete_aio(). But also, the `requests_inflight' counter is decreased twice, and thus became negative. This is a bug that was introduced in bfd0d6366043 ("xen-block: improve response latency"), where a `finished' list was removed. That commit also introduced a leak of request in xen_block_do_aio(). That function calls xen_block_finish_request() but the request is never released after that. To fix both issue, we do two changes: - we squash finish_request() and release_request() together as we want to remove a request from 'inflight' list to add it to 'freelist'. - before releasing a request, we need to let the other end know the result, thus we should call xen_block_send_response() before releasing a request. The first change fixes the double QLIST_REMOVE() as we remove the extra call. The second change makes the leak go away because if we want to call finish_request(), we need to call a function that does all of finish, send response, and release. Fixes: bfd0d6366043 ("xen-block: improve response latency") Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Message-Id: <20200406140217.1441858-1-anthony.perard@citrix.com> Reviewed-by: Paul Durrant <paul@xen.org> [mreitz: Amended commit message as per Paul's suggestions] Signed-off-by: Max Reitz <mreitz@redhat.com>
2020-04-07ati-vga: Fix checks in ati_2d_blt() to avoid crashBALATON Zoltan
In some corner cases (that never happen during normal operation but a malicious guest could program wrong values) pixman functions were called with parameters that result in a crash. Fix this and add more checks to disallow such cases. Reported-by: Ziming Zhang <ezrakiez@gmail.com> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-04-07ppc/pnv: Create BMC devices only when defaults are enabledCédric Le Goater
Commit e2392d4395dd ("ppc/pnv: Create BMC devices at machine init") introduced default BMC devices which can be a problem when the same devices are defined on the command line with : -device ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10 QEMU fails with : qemu-system-ppc64: error creating device tree: node: FDT_ERR_EXISTS Use defaults_enabled() when creating the default BMC devices to let the user provide its own BMC devices using '-nodefaults'. If no BMC device are provided, output a warning but let QEMU run as this is a supported configuration. However, when multiple BMC devices are defined, stop QEMU with a clear error as the results are unexpected. Fixes: e2392d4395dd ("ppc/pnv: Create BMC devices at machine init") Reported-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20200404153655.166834-1-clg@kaod.org> Tested-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-04-07hw/ppc/ppc440_uc.c: Remove incorrect iothread locking from dcr_write_pcie()Peter Maydell
In dcr_write_pcie() we take the iothread lock around a call to pcie_host_mmcfg_udpate(). This is an incorrect attempt to deal with the bug fixed in commit 235352ee6e73d7716, where we were not taking the iothread lock before calling device dcr read/write functions. (It's not sufficient locking, because although the other cases in the switch statement won't assert, there is no locking which prevents multiple guest CPUs from trying to access the PPC460EXPCIEState struct at the same time and corrupting data.) Unfortunately with commit 235352ee6e73d7716 we are now trying to recursively take the iothread lock, which will assert: $ qemu-system-ppc -M sam460ex --display none ** ERROR:/home/petmay01/linaro/qemu-from-laptop/qemu/cpus.c:1830:qemu_mutex_lock_iothread_impl: assertion failed: (!qemu_mutex_iothread_locked()) Aborted (core dumped) Remove the locking within dcr_write_pcie(). Fixes: 235352ee6e73d7716 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20200330125228.24994-1-peter.maydell@linaro.org> Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2020-04-07spapr: Fix failure path for attempting to hot unplug PCI bridgesDavid Gibson
For various technical reasons we can't currently allow unplug a PCI to PCI bridge on the pseries machine. spapr_pci_unplug_request() correctly generates an error message if that's attempted. But.. if the given errp is not error_abort or error_fatal, it doesn't actually stop trying to unplug the bridge anyway. Fixes: 14e714900f6b "spapr: Allow hot plug/unplug of PCI bridges and devices under PCI bridges" Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Greg Kurz <groug@kaod.org>