aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2016-06-07scsi: megasas: null terminate bios version bufferPrasad J Pandit
While reading information via 'megasas_ctrl_get_info' routine, a local bios version buffer isn't null terminated. Add the terminating null byte to avoid any OOB access. Reported-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-06scsi: mark TYPE_SCSI_DISK_BASE as abstractPaolo Bonzini
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-06scsi: esp: check TI buffer index before read/writePrasad J Pandit
The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte FIFO buffers. One is used to handle commands and other is for information transfer. Three control variables 'ti_rptr', 'ti_wptr' and 'ti_size' are used to control r/w access to the information transfer buffer ti_buf[TI_BUFSZ=16]. In that, 'ti_rptr' is used as read index, where read occurs. 'ti_wptr' is a write index, where write would occur. 'ti_size' indicates total bytes to be read from the buffer. While reading/writing to this buffer, index could exceed its size. Add check to avoid OOB r/w access. Reported-by: Huawei PSIRT <psirt@huawei.com> Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-06hw/char: QOM'ify escc.c (fix)xiaoqiang zhao
The previous commit e7c9136977cb99c6eb52c9139f7b8d8b5fa87db9 (hw/char: QOM'ify escc.c) cause qemu-system-ppc/ppc64 OpenBIOS to freeze on startup, this commit fix it. Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Message-Id: <1464767898-30526-1-git-send-email-zxq_yx_007@163.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-06pc: allow raising low memory via max-ram-below-4g optionGerd Hoffmann
This patch extends the functionality of the max-ram-below-4g option to also allow increasing lowmem. Use case: Give as much memory as possible to legacy non-PAE guests. While being at it also rework the lowmem calculation logic and add a longish comment describing how it works and what the compatibility constrains are. Note: This is a incompatible change. When setting max-ram-below-4g to a value larger than 3.5G (or 3G with gigabyte alignment) it has no effect on older qemu versions: qemu silently ignores it. With the patch applied it actually has an effect and changes the ram layout. Highly unlikely to hit in practive though as there is no reason start old qemu versions that way. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <1464857305-26675-1-git-send-email-kraxel@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-06zynqmp: Add the ZCU102 boardAlistair Francis
Most Zynq UltraScale+ users will be targetting and using the ZCU102 board instead of the development focused EP108. To make our QEMU machine names clearer add a ZCU102 machine model. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: cc82eec026b2febfca252d73362bb7084616c1ad.1464213234.git.alistair.francis@xilinx.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/char: QOM'ify xilinx_uartlite modelxiaoqiang zhao
* drop qemu_char_get_next_serial and use chardev prop * create xilinx_uartlite_create wrapper function to create xilinx_uartlite device * change affected board code to use the new way Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1465028065-5855-6-git-send-email-zxq_yx_007@163.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/char: QOM'ify stm32f2xx_usart modelxiaoqiang zhao
* drop qemu_char_get_next_serial and use chardev prop * change affected board code to use the new way Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1465028065-5855-5-git-send-email-zxq_yx_007@163.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/char: QOM'ify digic-uart modelxiaoqiang zhao
* drop qemu_char_get_next_serial and use chardev prop * change affected board code to use the new way Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1465028065-5855-4-git-send-email-zxq_yx_007@163.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/char: QOM'ify cadence_uart modelxiaoqiang zhao
* drop qemu_char_get_next_serial and use chardev prop * create cadence_uart_create wrapper function to create cadence_uart_device * change affected board code to use the new way Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1465028065-5855-3-git-send-email-zxq_yx_007@163.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/char: QOM'ify pl011 modelxiaoqiang zhao
* drop qemu_char_get_next_serial and use chardev prop * add pl011_create wrapper function to create pl011 uart device * change affected board code to use the new way Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1465028065-5855-2-git-send-email-zxq_yx_007@163.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/ptimer: Introduce ptimer_get_limitDmitry Osipenko
Currently ptimer users are used to store copy of the limit value, because ptimer doesn't provide facility to retrieve the limit. Let's provide it. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: 8f1fa9f90d8dbf8086fb02f3b4835eaeb4089cf6.1464367869.git.digetx@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/ptimer: Support "on the fly" timer mode switchDmitry Osipenko
Allow switching between periodic <-> oneshot modes while timer is running. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: f030be6e28fbd219e1e8d22297aee367bd9af5bb.1464367869.git.digetx@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/ptimer: Update .delta on period/freq changeDmitry Osipenko
Delta value must be updated on period/freq change, otherwise running timer would be restarted (counter reloaded with old delta). Only m68k/mcf520x and arm/arm_timer devices are currently doing freq change correctly, i.e. stopping the timer. Perform delta update to fix affected devices and eliminate potential further mistakes. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: 4987ef5fdc128bb9a744fd794d3f609135c6a39c.1464367869.git.digetx@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/ptimer: Perform counter wrap around if timer already expiredDmitry Osipenko
ptimer_get_count() might be called while QEMU timer already been expired. In that case ptimer would return counter = 0, which might be undesirable in case of polled timer. Do counter wrap around for periodic timer to keep it distributed. In order to achieve more accurate emulation behaviour of certain hardware, don't perform wrap around when in icount mode and return counter = 0 in that case (that doesn't affect polled counter distribution). Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: 4ce381c7d24d85d165ff251d2875d16a4b6a5c04.1464367869.git.digetx@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/ptimer: Fix issues caused by the adjusted timer limit valueDmitry Osipenko
Multiple issues here related to the timer with a adjusted .limit value: 1) ptimer_get_count() returns incorrect counter value for the disabled timer after loading the counter with a small value, because adjusted limit value is used instead of the original. For instance: 1) ptimer_stop(t) 2) ptimer_set_period(t, 1) 3) ptimer_set_limit(t, 0, 1) 4) ptimer_get_count(t) <-- would return 10000 instead of 0 2) ptimer_get_count() might return incorrect value for the timer running with a adjusted limit value. For instance: 1) ptimer_stop(t) 2) ptimer_set_period(t, 1) 3) ptimer_set_limit(t, 10, 1) 4) ptimer_run(t) 5) ptimer_get_count(t) <-- might return value > 10 3) Neither ptimer_set_period() nor ptimer_set_freq() are adjusting the limit value, so it is still possible to make timer timeout value arbitrary small. For instance: 1) ptimer_set_period(t, 10000) 2) ptimer_set_limit(t, 1, 0) 3) ptimer_set_period(t, 1) <-- bypass limit correction Fix all of the above issues by adjusting timer period instead of the limit. Perform the adjustment for periodic timer only. Use the delta value instead of the limit to make decision whether adjustment is required, as limit could be altered while timer is running, resulting in incorrect value returned by ptimer_get_count. Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com> Message-id: cd141f74f5737480ec586b9c7d18cce1d69884e2.1464367869.git.digetx@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06xlnx-zynqmp: Use the in kernel GIC model for KVM runsEdgar E. Iglesias
Use the in kernel GIC model when running with KVM enabled. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 1464173555-12800-5-git-send-email-edgar.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06xlnx-zynqmp: Delay realization of GIC until post CPU realizationEdgar E. Iglesias
Delay the realization of the GIC until after CPUs are realized. This is needed for KVM as the in-kernel GIC model will fail if it is realized with no available CPUs. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 1464173555-12800-4-git-send-email-edgar.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06xlnx-zynqmp: Make the RPU subsystem optionalEdgar E. Iglesias
The way we currently model the RPU subsystem is of quite limited use. In addition to that, it causes problems for KVM and for GDB debugging. Make the RPU optional by adding a has_rpu property and default to having it disabled. This changes the default setup from having the RPU to not longer having it. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 1464173555-12800-3-git-send-email-edgar.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06xlnx-zynqmp: Add a secure prop to en/disable ARM Security ExtensionsEdgar E. Iglesias
Add a secure prop to en/disable ARM Security Extensions. This is particularly useful for KVM runs. Default to disabled to match the behavior of KVM. This changes the default setup from having the ARM Security Extensions to not longer having them. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 1464173555-12800-2-git-send-email-edgar.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/arm/virt: Reject gic-version=host for non-KVMCole Robinson
If you try to gic-version=host with TCG on a KVM aarch64 host, qemu segfaults, since host requires KVM APIs. Explicitly reject gic-version=host if KVM is not enabled https://bugzilla.redhat.com/show_bug.cgi?id=1339977 Signed-off-by: Cole Robinson <crobinso@redhat.com> Message-id: b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e.1464273085.git.crobinso@redhat.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06i2c: add aspeed i2c controllerCédric Le Goater
The Aspeed AST2400 integrates a set of 14 I2C/SMBus bus controllers directly connected to the APB bus. They can be programmed as master or slave but the propopsed model only supports the master mode. On the TODO list, we also have : - improve and harden the state machine. - bus recovery support (used by the Linux driver). - transfer mode state machine bits. this is not strictly necessary as it is mostly used for debug. The bus busy bit is deducted from the I2C core engine of qemu. - support of the pool buffer: 2048 bytes of internal SRAM (not used by the Linux driver). Signed-off-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Andrew Jeffery <andrew@aj.id.au> Message-id: 1464704307-25178-1-git-send-email-clg@kaod.org [PMM: removed unused functions aspeed_i2c_bus_get_state() and aspeed_i2c_bus_set_state()] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/intc/gic: RAZ/WI non-sec access to sec interruptsJens Wiklander
Treat non-secure accesses to registers and bits in registers of secure interrupts as RAZ/WI. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Message-id: 1464273945-2055-1-git-send-email-jens.wiklander@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06hw/arm/virt: fix limit of 64-bit ACPI/ECAM PCI MMIO rangeArd Biesheuvel
Set the MMIO range limit field to 'base + size - 1' as required. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org> Message-id: 1463856217-17969-1-git-send-email-ard.biesheuvel@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into stagingPeter Maydell
readdir_r() to readdir() conversion, various minor cleanups # gpg: Signature made Mon 06 Jun 2016 10:52:52 BST # gpg: using DSA key 0x02FC3AEB0101DBC2 # gpg: Good signature from "Greg Kurz <gkurz@fr.ibm.com>" # gpg: aka "Greg Kurz <groug@free.fr>" # gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>" # gpg: aka "Gregory Kurz (Groug) <groug@free.fr>" # gpg: aka "Gregory Kurz (Cimai Technology) <gkurz@cimai.com>" # gpg: aka "Gregory Kurz (Meiosys Technology) <gkurz@meiosys.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2 * remotes/gkurz/tags/for-upstream: 9p: switch back to readdir() 9p: add locking to V9fsDir 9p: introduce the V9fsDir type 9p: drop useless out: label 9p: drop useless inclusion of hw/i386/pc.h 9p/fsdev: remove obsolete references to virtio 9p: some more cleanup in #include directives Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160606-1' into ↵Peter Maydell
staging virtio-gpu: scanout fix, live migration support vmsvga: security fixes # gpg: Signature made Mon 06 Jun 2016 08:05:00 BST # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-vga-20160606-1: virtio-gpu: add live migration support vmsvga: don't process more than 1024 fifo commands at once vmsvga: shadow fifo registers vmsvga: add more fifo checks vmsvga: move fifo sanity checks to vmsvga_fifo_length virtio-gpu: fix scanout rectangles Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06scsi-disk: fix reads from scsi-disk devicesMark Cave-Ayland
Commit fcaafb1001b9c42817714dd3b2aadcfdb997b53d accidentally broke reads from scsi-disk devices when being updated from its original form to use the new byte-based block functions. Add the extra missing sector to offset conversion in order to restore read functionality. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1464931021-25117-1-git-send-email-mark.cave-ayland@ilande.co.uk Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20160606-1' ↵Peter Maydell
into staging audio: pa volume fix, some qomifying. # gpg: Signature made Mon 06 Jun 2016 08:01:21 BST # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-audio-20160606-1: hw/audio: QOM'ify milkymist-ac97.c hw/audio: QOM'ify intel-hda hw/audio: QOM cleanup for intel-hda hw/audio: QOM'ify cs4231.c audio: pa: Set volume of recording stream instead of recording device Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-069p: switch back to readdir()Greg Kurz
This patch changes the 9p code to use readdir() again instead of readdir_r(), which is deprecated in glibc 2.24. All the locking was put in place by a previous patch. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p: add locking to V9fsDirGreg Kurz
If several threads concurrently call readdir() with the same directory stream pointer, it is possible that they all get a pointer to the same dirent structure, whose content is overwritten each time readdir() is called. We must thus serialize accesses to the dirent structure. This may be achieved with a mutex like below: lock_mutex(); readdir(); // work with the dirent unlock_mutex(); This patch adds all the locking, to prepare the switch to readdir(). Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p: introduce the V9fsDir typeGreg Kurz
If we are to switch back to readdir(), we need a more complex type than DIR * to be able to serialize concurrent accesses to the directory stream. This patch introduces a placeholder type and fixes all users. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p: drop useless out: labelGreg Kurz
Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p: drop useless inclusion of hw/i386/pc.hGreg Kurz
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p/fsdev: remove obsolete references to virtioGreg Kurz
Most of the 9p code is now virtio agnostic. This patch does a final cleanup: - drop references to Virtio from the header comments - fix includes Also drop a couple of leading empty lines while here. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-069p: some more cleanup in #include directivesGreg Kurz
The "9p-attr.h" header isn't needed by 9p synth and virtio 9p. While here, also drop last references to virtio from 9p synth since it is now transport agnostic code. Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
2016-06-06e1000e: Fix build with gcc 4.6.3 and ust tracingDmitry Fleytman
This patch fixes used-uninitialized false positive while compiling with ust tracing backend plus gcc 4.6.3: hw/net/e1000e.c: In function ‘e1000e_io_write’: hw/net/e1000e.c:170:39: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized] hw/net/e1000e.c: In function ‘e1000e_io_read’: hw/net/e1000e.c:145:35: error: ‘idx’ may be used uninitialized in this function [-Werror=uninitialized] cc1: all warnings being treated as errors make: *** [hw/net/e1000e.o] Error 1 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-id: 1465023763-10773-1-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-06virtio-gpu: add live migration supportGerd Hoffmann
Store some additional state for cursor and resource backing storage, so we can write out and reload things. Implement vmsave+vmload for 2d mode. Continue blocking live migration in 3d/virgl mode. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com
2016-06-06vmsvga: don't process more than 1024 fifo commands at onceGerd Hoffmann
vmsvga_fifo_run is called in regular intervals (on each display update) and will resume where it left off. So we can simply exit the loop, without having to worry about how processing will continue. Fixes: CVE-2016-4453 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
2016-06-06vmsvga: shadow fifo registersGerd Hoffmann
The fifo is normal ram. So kvm vcpu threads and qemu iothread can access the fifo in parallel without syncronization. Which in turn implies we can't use the fifo pointers in-place because the guest can try changing them underneath us. So add shadows for them, to make sure the guest can't modify them after we've applied sanity checks. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
2016-06-06vmsvga: add more fifo checksGerd Hoffmann
Make sure all fifo ptrs are within range. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
2016-06-06vmsvga: move fifo sanity checks to vmsvga_fifo_lengthGerd Hoffmann
Sanity checks are applied when the fifo is enabled by the guest (SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest changes the fifo registers afterwards. Move the checks to vmsvga_fifo_length so they are done each time qemu is about to read from the fifo. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
2016-06-03e1000e: Fix build with ust trace backendDmitry Fleytman
ust trace backend has limitation of maximum 10 arguments per event. Traces with more arguments cannot be compiled for this backend. Trace e1000e_rx_rss_ip6 introduced by previous commits has 11 arguments and fails to compile with ust trace backend. This patch fixes the problem by splitting this tracepoint into two successive tracepoints with smaller number of arguments. For more information see comment regarding TP_ARGS in lttng/tracepoint.h: /* * TP_ARGS takes tuples of type, argument separated by a comma. * It can take up to 10 tuples (which means that less than 10 tuples is * fine too). * Each tuple is also separated by a comma. */ Build log generated by this problem: In file included from ./trace/generated-tracers.h:9:0, from /home/travis/build/qemu/qemu/include/trace.h:4, from util/oslib-posix.c:36: ./trace/generated-ust-provider.h:16556:3: error: unknown type name ‘_TP_EXPROTO_Bool’ In file included from /home/travis/build/qemu/qemu/include/trace.h:4:0, from util/oslib-posix.c:36: ./trace/generated-tracers.h: In function ‘trace_e1000e_rx_rss_ip6’: ./trace/generated-tracers.h:8379:431: error: expected string literal before ‘_SDT_ASM_OPERANDS_ipv6_enabled’ ./trace/generated-tracers.h:8379:431: error: implicit declaration of function ‘__tracepoint_cb_qemu___e1000e_rx_rss_ip6’ [-Werror=implicit-function-declaration] ./trace/generated-tracers.h:8379:431: error: nested extern declaration of ‘__tracepoint_cb_qemu___e1000e_rx_rss_ip6’ [-Werror=nested-externs] cc1: all warnings being treated as errors make: *** [util/oslib-posix.o] Error 1 make: *** Waiting for unfinished jobs.... In file included from ./trace/generated-tracers.h:9:0, from /home/travis/build/qemu/qemu/include/trace.h:4, from util/hbitmap.c:16: ./trace/generated-ust-provider.h:16556:3: error: unknown type name ‘_TP_EXPROTO_Bool’ In file included from /home/travis/build/qemu/qemu/include/trace.h:4:0, from util/hbitmap.c:16: ./trace/generated-tracers.h: In function ‘trace_e1000e_rx_rss_ip6’: ./trace/generated-tracers.h:8379:431: error: expected string literal before ‘_SDT_ASM_OPERANDS_ipv6_enabled’ ./trace/generated-tracers.h:8379:431: error: implicit declaration of function ‘__tracepoint_cb_qemu___e1000e_rx_rss_ip6’ [-Werror=implicit-function-declaration] ./trace/generated-tracers.h:8379:431: error: nested extern declaration of ‘__tracepoint_cb_qemu___e1000e_rx_rss_ip6’ [-Werror=nested-externs] cc1: all warnings being treated as errors make: *** [util/hbitmap.o] Error 1 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Message-id: 1464894748-27803-1-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-03hw/audio: QOM'ify milkymist-ac97.cxiaoqiang zhao
* Drop the old SysBus init function and use instance_init * Move AUD_open_in / AUD_open_out function into realize stage Acked-by: Michael Walle <michael@walle.cc> Tested-by: Michael Walle <michael@walle.cc> Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1463111220-30335-5-git-send-email-zxq_yx_007@163.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-06-03hw/audio: QOM'ify intel-hdaxiaoqiang zhao
* use DeviceClass::realize instead of DeviceClass::init Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1463111220-30335-4-git-send-email-zxq_yx_007@163.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-06-03hw/audio: QOM cleanup for intel-hdaxiaoqiang zhao
drop the DO_UPCAST macro Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1463111220-30335-3-git-send-email-zxq_yx_007@163.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-06-03hw/audio: QOM'ify cs4231.cxiaoqiang zhao
Drop the old SysBus init function and use instance_init Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1463111220-30335-2-git-send-email-zxq_yx_007@163.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-06-03virtio-gpu: fix scanout rectanglesGerd Hoffmann
Commit "ca58b45 ui/virtio-gpu: add and use qemu_create_displaysurface_pixman" breaks scanouts which use a region of the underlying resource only. So, we need another way to handle the underlying issue. Lets create a new pixman image, grab a reference on the pixman providing the underlying storage, hook up a destroy callback which releases the reference. That way regions work again and releasing the backing storage should still be impossible thanks to the extra reference we are holding. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1464597655-26341-1-git-send-email-kraxel@redhat.com
2016-06-02Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Thu 02 Jun 2016 07:23:18 BST using RSA key ID 398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: (31 commits) Add ENET device to i.MX6 SOC. Add ENET/Gbps Ethernet support to FEC device i.MX: move FEC device to a register array structure. i.MX: Rename i.MX FEC defines to ENET_XXX i.MX: reset TX/RX descriptors when FEC is disabled. i.MX: Fix FEC code for ECR register reset value. i.MX: Fix FEC code for MDIO address selection i.MX: Fix FEC code for MDIO operation selection net: handle optional VLAN header in checksum computation. net: improve UDP/TCP checksum computation. e1000e: Introduce qtest for e1000e device net: Introduce e1000e device emulation e1000: Move out code that will be reused in e1000e e1000_regs: Add definitions for Intel 82574-specific bits vmxnet3: Use pci_dma_* API instead of cpu_physical_memory_* net_pkt: Extend packet abstraction as required by e1000e functionality rtl8139: Move more TCP definitions to common header net_pkt: Name vmxnet3 packet abstractions more generic vmxnet3: Use common MAC address tracing macros net: Add macros for MAC address tracing ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-02Add ENET device to i.MX6 SOC.Jean-Christophe Dubois
This adds the ENET device to the i.MX6 SOC. This was tested by booting Linux on an Qemu i.MX6 instance and accessing the internet from the linux guest. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-06-02Add ENET/Gbps Ethernet support to FEC deviceJean-Christophe Dubois
The ENET device (present in i.MX6) is "derived" from FEC and backward compatible with it. This patch adds the necessary support of the added feature in the ENET device to allow Linux to use it (on supported processors). Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net> Signed-off-by: Jason Wang <jasowang@redhat.com>