aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2015-07-29virtio-blk-dataplane: delete bottom half before the AioContext is freedPaolo Bonzini
Other uses of aio_bh_new are safe as long as all scheduled bottom halves are run before an iothread is destroyed, which bdrv_drain will ensure: - archipelago_finish_aiocb: BH deletes itself - inject_error: BH deletes itself - blkverify_aio_bh: BH deletes itself - abort_aio_request: BH deletes itself - curl_aio_readv: BH deletes itself - gluster_finish_aiocb: BH deletes itself - bdrv_aio_rw_vector: BH deletes itself - bdrv_co_maybe_schedule_bh: BH deletes itself - iscsi_schedule_bh, iscsi_co_generic_cb: BH deletes itself - laio_attach_aio_context: deleted in laio_detach_aio_context, called through bdrv_detach_aio_context before deleting the iothread - nfs_co_generic_cb: BH deletes itself - null_aio_common: BH deletes itself - qed_aio_complete: BH deletes itself - rbd_finish_aiocb: BH deletes itself - dma_blk_cb: BH deletes itself - virtio_blk_dma_restart_cb: BH deletes itself - qemu_bh_new: main loop AioContext is never destroyed - test-aio.c: bh_delete_cb deletes itself, otherwise deleted in the same function that calls aio_bh_new Reported-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1438101249-25166-2-git-send-email-pbonzini@redhat.com Message-Id: <1438086628-13000-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into ↵Peter Maydell
staging Pull request These two .can_receive() are now reviewed. The net subsystem queue for 2.4 is now empty. # gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: xen: Drop net_rx_ok hw/net: handle flow control in mcf_fec driver receiver Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
virtio fixes for 2.4 Mostly virtio 1 spec compliance fixes. We are unlikely to make it perfectly compliant in the first release, but it seems worth it to try. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: virtio: minor cleanup acpi: fix pvpanic device is not shown in ui virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device virtio-blk: fail get_features when both scsi and 1.0 were set virtio: get_features() can fail virtio-pci: fix memory MR cleanup for modern virtio: set any_layout in virtio core virtio-9p: fix any_layout virtio-serial: fix ANY_LAYOUT virtio: hide legacy features from modern guests Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150728' into stagingPeter Maydell
MIPS patches 2015-07-28 Changes: * net/dp8393x fixes * Vectored Interrupts bug fix * fix for a bug in machine.c which was provoking a warning on FreeBSD # gpg: Signature made Tue Jul 28 10:47:19 2015 BST using RSA key ID 0B29DA6B # gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4 4FC0 5211 8E3C 0B29 DA6B * remotes/lalrae/tags/mips-20150728: net/dp8393x: do not use memory_region_init_rom_device with NULL net/dp8393x: remove check of runt packets net/dp8393x: disable user creation target-mips: fix offset calculation for Interrupts target-mips: fix passing incompatible pointer type in machine.c Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* crypto fixes * megasas SIGSEGV fix * memory refcount change to fix virtio hot-unplug # gpg: Signature made Tue Jul 28 08:29:07 2015 BST using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: memory: do not add a reference to the owner of aliased regions megasas: Add write function to handle write access to PCI BAR 3 crypto: extend unit tests to cover decryption too crypto: fix built-in AES decrypt function Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28xen: Drop net_rx_okFam Zheng
Let net_rx_packet() (which checks the same conditions) drops the packet if the device is not ready. Drop net_xen_info.can_receive and update the return value for the buffer full case. We rely on the qemu_flush_queued_packets() in net_event() to wake up the peer when the buffer becomes available again. Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1438077176-378-1-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28hw/net: handle flow control in mcf_fec driver receiverGreg Ungerer
The network mcf_fec driver emulated receive side method is not dealing with network queue flow control properly. Modify the receive side to check if we have enough space in the descriptors to store the current packet. If not we process none of it and return 0. When the guest frees up some buffers through its descriptors we signal the qemu net layer to send more packets. [Fixed coding style: 4-space indent and curly braces on if statement. --Stefan] Signed-off-by: Greg Ungerer <gerg@uclinux.org> Message-id: 1438045374-10358-1-git-send-email-gerg@uclinux.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28net/dp8393x: do not use memory_region_init_rom_device with NULLHervé Poussineau
Replace memory_region_init_rom_device() with memory_region_init_ram() and memory_region_set_readonly(). This fixes a guest-triggerable QEMU crash when guest tries to write to PROM. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> [leon.alrae@imgtec.com: shorten subject length] Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28net/dp8393x: remove check of runt packetsHervé Poussineau
Ethernet requires that messages are at least 64 bytes on the wire. This limitation does not exist on emulation (no wire message), so remove the check. Netcard is now able to receive small network packets. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28net/dp8393x: disable user creationHervé Poussineau
Netcard needs an address space to write data to, which can't be specified on command line. This fixes a crash when user starts QEMU with "-device dp8393x" Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-27megasas: Add write function to handle write access to PCI BAR 3Salva Peiró
This patch fixes a QEMU SEGFAULT when a write operation is performed on the memory region of the PCI BAR 3 (base address space). When a writeb(0xe0000000) is performed the .write function is invoked to handle the write access, however, since the .write is not initialised, the call to 0, causes QEMU to SEGFAULT. Signed-off-by: Salva Peiró <speirofr@gmail.com> Acked-by: Hannes Reinecke <hare@suse.com> Message-Id: <1437987112-24744-1-git-send-email-speirofr@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27virtio: minor cleanupMichael S. Tsirkin
There's no need for blk to set ANY_LAYOUT, it's done by virtio core as necessary. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-07-27acpi: fix pvpanic device is not shown in uiGal Hammer
Commit 2332333c added a _STA method that hides the device. The fact that the device is not shown in the gui make it harder to install its Windows' device. https://bugzilla.redhat.com/show_bug.cgi?id=1238141 Signed-off-by: Gal Hammer <ghammer@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com>
2015-07-27hw/acpi/ich9: clean up stale comment about KVM not supporting SMMLaszlo Ersek
Commit fba72476c6 ("ich9: add smm_enabled field and arguments") detached SMM availability from kvm_enabled(). However, the comment in pm_reset() was not updated; let's do it now. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-trivial@nongnu.org Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-07-27hw/acpi/ich9: clear smi_en on resetLaszlo Ersek
Otherwise on reboot firmware might think (due to APMC_EN remaining set from the previous boot) that SMI support is absent. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-trivial@nongnu.org Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-07-27virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy deviceJason Wang
Chapter 6.3 of spec said " Transitional devices MUST offer, and if offered by the device transitional drivers MUST accept the following: VIRTIO_F_ANY_LAYOUT (27) " So this patch only clear VIRTIO_F_LAYOUT for legacy device. Cc: Stefan Hajnoczi <stefanha@redhat.com> Cc: Kevin Wolf <kwolf@redhat.com> Cc: qemu-block@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27virtio-blk: fail get_features when both scsi and 1.0 were setJason Wang
SCSI passthrough was no longer supported in virtio 1.0, so this patch fail the get_features() when both 1.0 and scsi is set. And also only advertise VIRTIO_BLK_F_SCSI for legacy virtio-blk device. Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27virtio: get_features() can failJason Wang
Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27virtio-pci: fix memory MR cleanup for modernMichael S. Tsirkin
Each memory_region_add_subregion must be paired with memory_region_del_subregion. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into ↵Peter Maydell
staging Pull request Here are NIC fixes from Fam Zheng that prevent rx hangs (caused by NIC models where .can_receive() stops rx but qemu_flush_queued_packets() isn't called). # gpg: Signature made Mon Jul 27 14:51:48 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: axienet: Flush queued packets when rx is done dp8393x: Flush packets when link comes up stellaris_enet: Flush queued packets when read done mipsnet: Flush queued packets when receiving is enabled milkymist-minimac2: Flush queued packets when link comes up mcf_fec: Drop mcf_fec_can_receive etsec: Flush queue when rx buffer is consumed etsec: Move etsec_can_receive into etsec_receive usbnet: Drop usbnet_can_receive eepro100: Drop nic_can_receive pcnet: Drop pcnet_can_receive xgmac: Drop packets with eth_can_rx is false. hw/net: fix mcf_fec driver receiver hw/net: add simple phy support to mcf_fec driver hw/net: add ANLPAR bit definitions to generic mii hw/net: create common collection of MII definitions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-27axienet: Flush queued packets when rx is doneFam Zheng
eth_can_rx checks s->rxsize and returns false if it is non-zero. Because of the .can_receive semantics change, this will make the incoming queue disabled by peer, until it is explicitly flushed. So we should flush it when s->rxsize is becoming zero. Squash eth_can_rx semantics into etx_rx and drop .can_receive() callback, also add flush when rx buffer becomes available again after a packet gets queued. The other conditions, "!axienet_rx_resetting(s) && axienet_rx_enabled(s)" are OK because enet_write already calls qemu_flush_queued_packets when the register bits are changed. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1436955553-22791-13-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27dp8393x: Flush packets when link comes upFam Zheng
.can_receive callback changes semantics that once return 0, backend will try sending again until explicitly flushed, change the device to meet that. dp8393x_can_receive checks SONIC_CR_RXEN bit in SONIC_CR register and SONIC_ISR_RBE bit in SONIC_ISR register, try flushing the queue when either bit is being updated. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-12-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27stellaris_enet: Flush queued packets when read doneFam Zheng
If s->np reaches 31, the queue will be disabled by peer when it sees stellaris_enet_can_receive() returns false, until we explicitly flushes it which notifies the peer. Do this when guest is done reading all existing data. Move the semantics to stellaris_enet_receive, by returning 0 when the buffer is full, so that new packets will be queued. In stellaris_enet_read, flush and restart the queue when guest has done reading. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-11-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27mipsnet: Flush queued packets when receiving is enabledFam Zheng
Drop .can_receive and move the semantics to mipsnet_receive, by returning 0. After 0 is returned, we must flush the queue explicitly to restart it: Call qemu_flush_queued_packets when s->busy or s->rx_count is being updated. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-10-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27milkymist-minimac2: Flush queued packets when link comes upFam Zheng
Drop .can_receive and move the semantics into minimac2_rx, by returning 0. That is once minimac2_rx returns 0, incoming packets will be queued until the queue is explicitly flushed. We do this when s->regs[R_STATE0] or s->regs[R_STATE1] is changed in minimac2_write. Also drop the unused trace point. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1436955553-22791-9-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27mcf_fec: Drop mcf_fec_can_receiveFam Zheng
The semantics of .can_receive requires us to flush the queue explicitly when s->rx_enabled becomes true after it returns 0, but the packet being queued is not meaningful since the guest hasn't activated the card. Let's just drop the packet in this case. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-8-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27etsec: Flush queue when rx buffer is consumedFam Zheng
The BH will be scheduled when etsec->rx_buffer_len is becoming 0, which is the condition of queuing. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1436955553-22791-7-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27etsec: Move etsec_can_receive into etsec_receiveFam Zheng
When etsec_reset returns 0, peer would queue the packet as if .can_receive returns false. Drop etsec_can_receive and let etsec_receive carry the semantics. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-6-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27usbnet: Drop usbnet_can_receiveFam Zheng
usbnet_receive already drops packet if rndis_state is not RNDIS_DATA_INITIALIZED, and queues packet if in buffer is not available. The only difference is s->dev.config but that is similar to rndis_state. Drop usbnet_can_receive and move these checks to usbnet_receive, so that we don't need to explicitly flush the queue when s->dev.config changes value. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-5-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27eepro100: Drop nic_can_receiveFam Zheng
nic_receive already checks the conditions and drop packets if false. Due to the new semantics since 6e99c63 ("net/socket: Drop net_socket_can_send"), having .can_receive returning 0 requires us to explicitly flush the queued packets when the conditions are becoming true, but queuing the packets when guest driver is not ready doesn't make much sense. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-4-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27pcnet: Drop pcnet_can_receiveFam Zheng
pcnet_receive already checks the conditions and drop packets if false. Due to the new semantics since 6e99c63 ("net/socket: Drop net_socket_can_send"), having .can_receive returning 0 requires us to explicitly flush the queued packets when the conditions are becoming true, but queuing the packets when guest driver is not ready doesn't make much sense. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-3-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27xgmac: Drop packets with eth_can_rx is false.Fam Zheng
Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-2-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27hw/net: fix mcf_fec driver receiverGreg Ungerer
The network mcf_fec driver emulated receive side method is returning a result of 0 causing the network layer to disable receive for this emulated device. This results in the guest only ever receiving one packet. Fix the recieve side processing to return the number of bytes that we passed back through to the guest. Signed-off-by: Greg Ungerer <gerg@uclinux.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1435296436-12152-5-git-send-email-gerg@uclinux.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27hw/net: add simple phy support to mcf_fec driverGreg Ungerer
The Linux fec driver needs at least basic phy support to probe and work. The current qemu mcf_fec emulation has no support for the reading or writing of the MDIO lines to access an attached phy. This code adds a very simple set of register results for a fixed phy setup - very similar to that used on an m5208evb board. This is enough to probe and identify an emulated attached phy. Signed-off-by: Greg Ungerer <gerg@uclinux.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1435296436-12152-4-git-send-email-gerg@uclinux.org Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27virtio: set any_layout in virtio coreMichael S. Tsirkin
Exceptions: - virtio-blk - compat machine types Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-07-27virtio-9p: fix any_layoutMichael S. Tsirkin
virtio pci allows any device to have a modern interface, this in turn requires ANY_LAYOUT support. Fix up ANY_LAYOUT for virtio-9p. Reported-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com>
2015-07-27virtio-serial: fix ANY_LAYOUTMichael S. Tsirkin
Don't assume a specific layout for control messages. Required by virtio 1. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Amit Shah <amit.shah@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com>
2015-07-27virtio: hide legacy features from modern guestsMichael S. Tsirkin
NOTIFY_ON_EMPTY, ANY_LAYOUT and BAD are only valid on the legacy interface. Hide them from modern guests. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-07-26ide: Clear DRQ after handling all expected accessesKevin Wolf
This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it's better to do this in a central place instead of duplicating the code in all commands (and forgetting it in some). Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2015-07-26ide/atapi: Fix START STOP UNIT command completionKevin Wolf
The command must be completed on all code paths. START STOP UNIT with pwrcnd set should succeed without doing anything. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2015-07-26ide: Check array bounds before writing to io_buffer (CVE-2015-5154)Kevin Wolf
If the end_transfer_func of a command is called because enough data has been read or written for the current PIO transfer, and it fails to correctly call the command completion functions, the DRQ bit in the status register and s->end_transfer_func may remain set. This allows the guest to access further bytes in s->io_buffer beyond s->data_end, and eventually overflowing the io_buffer. One case where this currently happens is emulation of the ATAPI command START STOP UNIT. This patch fixes the problem by adding explicit array bounds checks before accessing the buffer instead of relying on end_transfer_func to function correctly. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
2015-07-24Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* qemu-char fixes * SCSI fixes (including CVE-2015-5158) * RCU fixes * Framebuffer logic to set DIRTY_MEMORY_VGA * Fix compiler warning for --disable-vnc * qemu-doc fixes * x86 TCG pasto fix # gpg: Signature made Fri Jul 24 12:57:52 2015 BST using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: target-i386/FPU: a misprint in helper_fistll_ST0 qemu-doc: fix typos framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer memory: count number of active VGA logging clients vl: Fix compiler warning for builds without VNC scsi: Handle no media case for scsi_get_configuration rcu: actually register threads that have RCU read-side critical sections scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) vnc: fix memory leak qemu-char: Fix missed data on unix socket qemu-char: handle EINTR for TCP character devices exec.c: Use atomic_rcu_read() to access dispatch in memory_region_section_get_iotlb() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-24framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebufferPaolo Bonzini
The MemoryRegionSection contains enough information to access the RAM region underlying the framebuffer, and can be cached inside the display device. By doing this, the new framebuffer_update_memory_section function can enable dirty memory logging on the relevant RAM region. The function must be called whenever the stride or base of the framebuffer changes; a simple way to cover these cases is to call it on every full frame invalidation, which is a rare case. framebuffer_update_display now works entirely on a MemoryRegionSection, without going through cpu_physical_memory_map/unmap. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-24scsi: Handle no media case for scsi_get_configurationMatthew Rosato
Currently, scsi_get_configuration always returns a current profile (DVD or CD), even when there is actually no media present. By comparison, ide/atapi uses a default profile of 0 (MMC_PROFILE_NONE) for this case and checks for tray_open, so let's do the same for scsi. This fixes a problem I'm seeing with Fedora 22 guests where systemd cdrom_id fails to unmount after a QEMU-initiated eject against a scsi cdrom device because it believes the media is still present (but unreadable). Signed-off-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com> Message-Id: <1436986352-10695-1-git-send-email-mjrosato@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-24scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)Paolo Bonzini
This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-22vfio/pci: Fix bootindexAlex Williamson
bootindex was incorrectly changed to a device Property during the platform code split, resulting in it no longer working. Remove it. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org # v2.3+
2015-07-22vfio/pci: Fix RTL8168 NIC quirksAlex Williamson
The RTL8168 quirk correctly describes using bit 31 as a signal to mark a latch/completion, but the code mistakenly uses bit 28. This causes the Realtek driver to spin on this register for quite a while, 20k cycles on Windows 7 v7.092 driver. Then it gets frustrated and tries to set the bit itself and spins for another 20k cycles. For some this still results in a working driver, for others not. About the only thing the code really does in its current form is protect the guest from sneaking in writes to the real hardware MSI-X table. The fix is obviously to use bit 31 as we document that we should. The other problem doesn't seem to affect current drivers as nobody seems to use these window registers for writes to the MSI-X table, but we need to use the stored data when a write is triggered, not the value of the current write, which only provides the offset. Note that only the Windows drivers from Realtek seem to use these registers, the Microsoft drivers provided with Windows 8.1 do not access them, nor do Linux in-kernel drivers. Link: https://bugs.launchpad.net/qemu/+bug/1384892 Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org # v2.1+
2015-07-22qxl: Fix new function name for spice-server libraryFrediano Ziglio
The new spice-server function to limit the number of monitors (0.12.6) changed while development from spice_qxl_set_monitors_config_limit to spice_qxl_max_monitors (accepted upstream). By mistake I post patch with former name. This patch fix the function name. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com> Acked-by: Martin Kletzander <mkletzan@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2015-07-21Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into stagingPeter Maydell
# gpg: Signature made Mon Jul 20 19:27:04 2015 BST using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/ide-pull-request: tests: Fix broken targets check-report-qtest-* ahci: Force ICC bits in PxCMD to zero qtest/ide: add another short PRDT test flavor Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-20Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Mon Jul 20 18:25:14 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: net: Flush queued packets when guest resumes lan9118: Drop lan9118_can_receive etraxfs_eth: Drop eth_can_receive musicpal: Drop eth_can_receive net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' socket: pass correct size in net_socket_send() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>