aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2017-02-289pfs: local: statfs: don't follow symlinksGreg Kurz
The local_statfs() callback is vulnerable to symlink attacks because it calls statfs() which follows symbolic links in all path elements. This patch converts local_statfs() to rely on open_nofollow() and fstatfs() instead. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: utimensat: don't follow symlinksGreg Kurz
The local_utimensat() callback is vulnerable to symlink attacks because it calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one or qemu_utimens()->utimes() which follows symbolic links for all path elements. This patch converts local_utimensat() to rely on opendir_nofollow() and utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens(). It is hence assumed that the OS supports utimensat(), i.e. has glibc 2.6 or higher and linux 2.6.22 or higher, which seems reasonable nowadays. This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: remove: don't follow symlinksGreg Kurz
The local_remove() callback is vulnerable to symlink attacks because it calls: (1) lstat() which follows symbolic links in all path elements but the rightmost one (2) remove() which follows symbolic links in all path elements but the rightmost one This patch converts local_remove() to rely on opendir_nofollow(), fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: unlinkat: don't follow symlinksGreg Kurz
The local_unlinkat() callback is vulnerable to symlink attacks because it calls remove() which follows symbolic links in all path elements but the rightmost one. This patch converts local_unlinkat() to rely on opendir_nofollow() and unlinkat() instead. Most of the code is moved to a separate local_unlinkat_common() helper which will be reused in a subsequent patch to fix the same issue in local_remove(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: lremovexattr: don't follow symlinksGreg Kurz
The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: lsetxattr: don't follow symlinksGreg Kurz
The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr(). local_lsetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: llistxattr: don't follow symlinksGreg Kurz
The local_llistxattr() callback is vulnerable to symlink attacks because it calls llistxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing flistxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to llistxattr(). local_llistxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: lgetxattr: don't follow symlinksGreg Kurz
The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: open/opendir: don't follow symlinksGreg Kurz
The local_open() and local_opendir() callbacks are vulnerable to symlink attacks because they call: (1) open(O_NOFOLLOW) which follows symbolic links in all path elements but the rightmost one (2) opendir() which follows symbolic links in all path elements This patch converts both callbacks to use new helpers based on openat_nofollow() to only open files and directories if they are below the virtfs shared folder This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: keep a file descriptor on the shared folderGreg Kurz
This patch opens the shared folder and caches the file descriptor, so that it can be used to do symlink-safe path walk. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: introduce relative_openat_nofollow() helperGreg Kurz
When using the passthrough security mode, symbolic links created by the guest are actual symbolic links on the host file system. Since the resolution of symbolic links during path walk is supposed to occur on the client side. The server should hence never receive any path pointing to an actual symbolic link. This isn't guaranteed by the protocol though, and malicious code in the guest can trick the server to issue various syscalls on paths whose one or more elements are symbolic links. In the case of the "local" backend using the "passthrough" or "none" security modes, the guest can directly create symbolic links to arbitrary locations on the host (as per spec). The "mapped-xattr" and "mapped-file" security modes are also affected to a lesser extent as they require some help from an external entity to create actual symbolic links on the host, i.e. another guest using "passthrough" mode for example. The current code hence relies on O_NOFOLLOW and "l*()" variants of system calls. Unfortunately, this only applies to the rightmost path component. A guest could maliciously replace any component in a trusted path with a symbolic link. This could allow any guest to escape a virtfs shared folder. This patch introduces a variant of the openat() syscall that successively opens each path element with O_NOFOLLOW. When passing a file descriptor pointing to a trusted directory, one is guaranteed to be returned a file descriptor pointing to a path which is beneath the trusted directory. This will be used by subsequent patches to implement symlink-safe path walk for any access to the backend. Symbolic links aren't the only threats actually: a malicious guest could change a path element to point to other types of file with undesirable effects: - a named pipe or any other thing that would cause openat() to block - a terminal device which would become QEMU's controlling terminal These issues can be addressed with O_NONBLOCK and O_NOCTTY. Two helpers are introduced: one to open intermediate path elements and one to open the rightmost path element. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> (renamed openat_nofollow() to relative_openat_nofollow(), assert path is relative and doesn't contain '//', fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
2017-02-289pfs: remove side-effects in local_open() and local_opendir()Greg Kurz
If these functions fail, they should not change *fs. Let's use local variables to fix this. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: remove side-effects in local_init()Greg Kurz
If this function fails, it should not modify *ctx. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-289pfs: local: move xattr security ops to 9p-xattr.cGreg Kurz
These functions are always called indirectly. It really doesn't make sense for them to sit in a header file. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-28fsdev: add IO throttle support to fsdev devicesPradeep Jagadeesh
This patchset adds the throttle support for the 9p-local driver. For now this functionality can be enabled only through qemu cli options. QMP interface and support to other drivers need further extensions. To make it simple for other 9p drivers, the throttle code has been put in separate files. Signed-off-by: Pradeep Jagadeesh <pradeep.jagadeesh@huawei.com> Reviewed-by: Alberto Garcia <berto@igalia.com> (pass extra NULL CoMutex * argument to qemu_co_queue_wait(), added options to qemu-options.hx, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
2017-02-289pfs: fix v9fs_lock error casePaolo Bonzini
In this case, we are marshaling an error status instead of the errno value. Reorganize the out and out_nofid labels to look like all the other cases. Coverity reports this because the "err = -ENOENT" and "err = -EINVAL" assignments above are dead, overwritten by the call to pdu_marshal. (Coverity issues CID1348512 and CID1348513) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (also open-coded the success path since locking is a nop for us, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
2017-02-28hw/acpi/tco.c: fix tco timer stopIgor Pavlikevich
TCO timer does not actually stop Signed-off-by: Igor Pavlikevich <ipavlikevich@gmail.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28lm32: milkymist-tmu2: fix a third integer overflowPeter Maydell
Don't truncate the multiplication and do a 64 bit one instead because the result is stored in a 64 bit variable. This fixes a similar coverity warning to commits 237a8650d640 and 4382fa655498, in a similar way, and is the final third of the fix for coverity CID 1167561 (hopefully!). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: Michael Walle <michael@walle.cc> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28cadence_gem: Remove unused parameter debug messageFam Zheng
Reported by cppcheck. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28register: fix incorrect read maskPhilippe Mathieu-Daudé
The register_read() and register_write() functions expect a bitmask argument. To avoid duplicated code, a new inlined function register_enabled_mask() is introduced. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28hw/core/register: Mark the device with cannot_instantiate_with_device_add_yetThomas Huth
The "qemu,register" device needs to be wired up in source code, there is no way the user can make any real use of this device with the "-device" parameter or the "device_add" monitor command yet. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28hw/core/or-irq: Mark the device with cannot_instantiate_with_device_add_yetThomas Huth
The "or-irq" device needs to be wired up in source code, there is no way the user can make any real use of this device with the "-device" parameter or the "device_add" monitor command yet. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-27virtio-gpu: use dpy_gl_scanout_disableGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1487669841-13668-4-git-send-email-kraxel@redhat.com
2017-02-27console: rename dpy_gl_scanout to dpy_gl_scanout_textureGerd Hoffmann
We'll add a variant which accepts dmabufs soon. Change the name so we can easily disturgish the two variants. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1487669841-13668-2-git-send-email-kraxel@redhat.com
2017-02-26Merge remote-tracking branch 'remotes/artyom/tags/pull-sun4v-20170226' into ↵Peter Maydell
staging Pull request for Niagara patches 2017 02 26 # gpg: Signature made Sun 26 Feb 2017 21:56:06 GMT # gpg: using RSA key 0x3360C3F7411A125F # gpg: Good signature from "Artyom Tarasenko <atar4qemu@gmail.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2AD8 6149 17F4 B2D7 05C0 BB12 3360 C3F7 411A 125F * remotes/artyom/tags/pull-sun4v-20170226: niagara: check if a serial port is available niagara: fail if a firmware file is missing Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-26niagara: check if a serial port is availableArtyom Tarasenko
Reported-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
2017-02-26niagara: fail if a firmware file is missingArtyom Tarasenko
fail if a firmware file is missing and not qtest_enabled(), the later is necessary to allow some basic tests if firmware is not available Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
2017-02-25Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170224-2' into stagingPeter Maydell
MIPS patches 2017-02-24-2 CHanges: * Add the Boston board with fixing the make check issue on 32-bit hosts. # gpg: Signature made Fri 24 Feb 2017 11:43:45 GMT # gpg: using RSA key 0x2238EB86D5F797C2 # gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA 2B5C 2238 EB86 D5F7 97C2 * remotes/yongbok/tags/mips-20170224-2: hw/mips: MIPS Boston board support Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-25Merge remote-tracking branch 'remotes/stsquad/tags/pull-mttcg-240217-1' into ↵Peter Maydell
staging This is the MTTCG pull-request as posted yesterday. # gpg: Signature made Fri 24 Feb 2017 11:17:51 GMT # gpg: using RSA key 0xFBD0DB095A9E2A44 # gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" # Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44 * remotes/stsquad/tags/pull-mttcg-240217-1: (24 commits) tcg: enable MTTCG by default for ARM on x86 hosts hw/misc/imx6_src: defer clearing of SRC_SCR reset bits target-arm: ensure all cross vCPUs TLB flushes complete target-arm: don't generate WFE/YIELD calls for MTTCG target-arm/powerctl: defer cpu reset work to CPU context cputlb: introduce tlb_flush_*_all_cpus[_synced] cputlb: atomically update tlb fields used by tlb_reset_dirty cputlb: add tlb_flush_by_mmuidx async routines cputlb and arm/sparc targets: convert mmuidx flushes from varg to bitmap cputlb: introduce tlb_flush_* async work. cputlb: tweak qemu_ram_addr_from_host_nofail reporting cputlb: add assert_cpu_is_self checks tcg: handle EXCP_ATOMIC exception for system emulation tcg: enable thread-per-vCPU tcg: enable tb_lock() for SoftMMU tcg: remove global exit_request tcg: drop global lock during TCG code execution tcg: rename tcg_current_cpu to tcg_current_rr_cpu tcg: add kick timer for single-threaded vCPU emulation tcg: add options for enabling MTTCG ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-25Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20170224' into stagingPeter Maydell
A selection of s390x patches: - cleanups, fixes and improvements - program check loop detection (useful with the corresponding kernel patch) - wire up virtio-crypto for ccw - and finally support many virtqueues for virtio-ccw # gpg: Signature made Fri 24 Feb 2017 09:19:19 GMT # gpg: using RSA key 0xDECF6B93C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF * remotes/cohuck/tags/s390x-20170224: s390x/css: handle format-0 TIC CCW correctly s390x/arch_dump: pass cpuid into notes sections s390x/arch_dump: use proper note name and note size virtio-ccw: support VIRTIO_QUEUE_MAX virtqueues s390x: bump ADAPTER_ROUTES_MAX_GSI virtio-ccw: check flic->adapter_routes_max_batch s390x: add property adapter_routes_max_batch virtio-ccw: Check the number of vqs in CCW_CMD_SET_IND virtio-ccw: add virtio-crypto-ccw device virtio-ccw: handle virtio 1 only devices s390x/flic: fail migration on source already s390x/kvm: detect some program check loops s390x/s390-virtio: get rid of DPRINTF Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24Merge remote-tracking branch 'remotes/armbru/tags/pull-util-2017-02-23' into ↵Peter Maydell
staging option cutils: Fix and clean up number conversions # gpg: Signature made Thu 23 Feb 2017 19:41:17 GMT # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-util-2017-02-23: (24 commits) option: Fix checking of sizes for overflow and trailing crap util/cutils: Change qemu_strtosz*() from int64_t to uint64_t util/cutils: Return qemu_strtosz*() error and value separately util/cutils: Let qemu_strtosz*() optionally reject trailing crap qemu-img: Wrap cvtnum() around qemu_strtosz() test-cutils: Drop suffix from test_qemu_strtosz_simple() test-cutils: Use qemu_strtosz() more often util/cutils: Drop QEMU_STRTOSZ_DEFSUFFIX_* macros util/cutils: New qemu_strtosz() util/cutils: Rename qemu_strtosz() to qemu_strtosz_MiB() util/cutils: New qemu_strtosz_metric() test-cutils: Cover qemu_strtosz() around range limits test-cutils: Cover qemu_strtosz() with trailing crap test-cutils: Cover qemu_strtosz() invalid input test-cutils: Add missing qemu_strtosz()... endptr checks option: Fix to reject invalid and overflowing numbers util/cutils: Clean up control flow around qemu_strtol() a bit util/cutils: Clean up variable names around qemu_strtol() util/cutils: Rename qemu_strtoll(), qemu_strtoull() util/cutils: Rewrite documentation of qemu_strtol() & friends ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20170223.0' ↵Peter Maydell
into staging VFIO updates 2017-02-23 - Report qdev_unplug errors (Alex Williamson) - Fix ecap ID 0 handling, improve comment (Alex Williamson) - Disable IGD stolen memory in UPT mode too (Xiong Zhang) # gpg: Signature made Thu 23 Feb 2017 19:04:17 GMT # gpg: using RSA key 0x239B9B6E3BB08B22 # gpg: Good signature from "Alex Williamson <alex.williamson@redhat.com>" # gpg: aka "Alex Williamson <alex@shazbot.org>" # gpg: aka "Alex Williamson <alwillia@redhat.com>" # gpg: aka "Alex Williamson <alex.l.williamson@gmail.com>" # Primary key fingerprint: 42F6 C04E 540B D1A9 9E7B 8A90 239B 9B6E 3BB0 8B22 * remotes/awilliam/tags/vfio-updates-20170223.0: vfio/pci-quirks.c: Disable stolen memory for igd VFIO vfio/pci: Improve extended capability comments, skip masked caps vfio/pci: Report errors from qdev_unplug() via device request Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-22' into ↵Peter Maydell
staging QAPI patches for 2017-02-22 # gpg: Signature made Wed 22 Feb 2017 19:12:27 GMT # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-qapi-2017-02-22: block: Don't bother asserting type of output visitor's output monitor: Clean up handle_hmp_command() a bit tests: Don't check qobject_type() before qobject_to_qbool() tests: Don't check qobject_type() before qobject_to_qfloat() tests: Don't check qobject_type() before qobject_to_qint() tests: Don't check qobject_type() before qobject_to_qstring() tests: Don't check qobject_type() before qobject_to_qlist() Don't check qobject_type() before qobject_to_qdict() test-qmp-event: Simplify and tighten event_test_emit() libqtest: Clean up qmp_response() a bit check-qjson: Simplify around compare_litqobj_to_qobj() check-qdict: Tighten qdict_crumple_test_recursive() some check-qdict: Simplify qdict_crumple_test_recursive() qdict: Make qdict_get_qlist() safe like qdict_get_qdict() net: Flatten simple union NetLegacyOptions numa: Flatten simple union NumaOptions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/pull-cve-2017-2620-20170224-1' into staging cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620) # gpg: Signature made Fri 24 Feb 2017 13:42:39 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/pull-cve-2017-2620-20170224-1: cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)Gerd Hoffmann
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-24Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20170223-1' into ↵Peter Maydell
staging usb: ohci bugfix, switch core to unrealize, xhci property cleanup # gpg: Signature made Thu 23 Feb 2017 15:37:57 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/pull-usb-20170223-1: xhci: properties cleanup usb: ohci: fix error return code in servicing td usb: replace handle_destroy with unrealize Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24hw/mips: MIPS Boston board supportPaul Burton
Introduce support for emulating the MIPS Boston development board. The Boston board is built around an FPGA & 3 PCIe controllers, one of which is connected to an Intel EG20T Platform Controller Hub. It is used during the development & debug of new CPUs and the software intended to run on them, and is essentially the successor to the older MIPS Malta board. This patch does not implement the EG20T, instead connecting an already supported ICH-9 AHCI controller. Whilst this isn't accurate it's enough for typical stock Boston software (eg. Linux kernels) to work with hard disks given that both the ICH-9 & EG20T implement the AHCI specification. Boston boards typically boot kernels in the FIT image format, and this patch will treat kernels provided to QEMU as such. When loading a kernel directly, the board code will generate minimal firmware much as the Malta board code does. This firmware will set up the CM, CPC & GIC register base addresses then set argument registers & jump to the kernel entry point. Alternatively, bootloader code may be loaded using the bios argument in which case no firmware will be generated & execution will proceed from the start of the boot code at the default MIPS boot exception vector (offset 0x1fc00000 into (c)kseg1). Currently real Boston boards are always used with FPGA bitfiles that include a Global Interrupt Controller (GIC), so the interrupt configuration is only defined for such cases. Therefore the board will only allow use of CPUs which implement the CPS components, including the GIC, and will otherwise exit with a message. Signed-off-by: Paul Burton <paul.burton@imgtec.com> Reviewed-by: Yongbok Kim <yongbok.kim@imgtec.com> [yongbok.kim@imgtec.com: isolated boston machine support for mips64el. updated for recent Chardev changes. ignore missing bios/kernel for qtest. added default -drive to if=ide explicitly. changed default memory size into 1G due to make check failure on 32-bit hosts] Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
2017-02-24hw/misc/imx6_src: defer clearing of SRC_SCR reset bitsAlex Bennée
The arm_reset_cpu/set_cpu_on/set_cpu_off() functions do their work asynchronously in the target vCPUs context. As a result we need to ensure the SRC_SCR reset bits correctly report the reset status at the right time. To do this we defer the clearing of the bit with an async job which will run after the work queued by ARM powerctl functions. Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24tcg: drop global lock during TCG code executionJan Kiszka
This finally allows TCG to benefit from the iothread introduction: Drop the global mutex while running pure TCG CPU code. Reacquire the lock when entering MMIO or PIO emulation, or when leaving the TCG loop. We have to revert a few optimization for the current TCG threading model, namely kicking the TCG thread in qemu_mutex_lock_iothread and not kicking it in qemu_cpu_kick. We also need to disable RAM block reordering until we have a more efficient locking mechanism at hand. Still, a Linux x86 UP guest and my Musicpal ARM model boot fine here. These numbers demonstrate where we gain something: 20338 jan 20 0 331m 75m 6904 R 99 0.9 0:50.95 qemu-system-arm 20337 jan 20 0 331m 75m 6904 S 20 0.9 0:26.50 qemu-system-arm The guest CPU was fully loaded, but the iothread could still run mostly independent on a second core. Without the patch we don't get beyond 32206 jan 20 0 330m 73m 7036 R 82 0.9 1:06.00 qemu-system-arm 32204 jan 20 0 330m 73m 7036 S 21 0.9 0:17.03 qemu-system-arm We don't benefit significantly, though, when the guest is not fully loading a host CPU. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Message-Id: <1439220437-23957-10-git-send-email-fred.konrad@greensocs.com> [FK: Rebase, fix qemu_devices_reset deadlock, rm address_space_* mutex] Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> [EGC: fixed iothread lock for cpu-exec IRQ handling] Signed-off-by: Emilio G. Cota <cota@braap.org> [AJB: -smp single-threaded fix, clean commit msg, BQL fixes] Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Pranith Kumar <bobby.prani@gmail.com> [PM: target-arm changes] Acked-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170222' ↵Peter Maydell
into staging ppc patch queue for 2017-02-22 This pull request has: * Yet more POWER9 instruction implementations * Some extensions to the softfloat code which are necesssary for some of those instructions * Some preliminary patches in preparation for POWER9 softmmu implementation * Igor Mammedov's cleanups to unify hotplug cpu handling across architectures * Assorted bugfixes The softfloat and cpu hotplug changes aren't entirely ppc specific (in fact the hotplug stuff contains some pc specific patches). However they're included here because ppc is one of the main beneficiaries, and the series depend on some ppc specific patches. # gpg: Signature made Wed 22 Feb 2017 06:29:47 GMT # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.9-20170222: (43 commits) hw/ppc/ppc405_uc.c: Avoid integer overflows hw/ppc/spapr: Check for valid page size when hot plugging memory target-ppc: fix Book-E TLB matching hw/net/spapr_llan: 6 byte mac address device tree entry machine: replace query_hotpluggable_cpus() callback with has_hotpluggable_cpus flag machine: unify [pc_|spapr_]query_hotpluggable_cpus() callbacks spapr: reuse machine->possible_cpus instead of cores[] change CPUArchId.cpu type to Object* pc: pass apic_id to pc_find_cpu_slot() directly so lookup could be done without CPU object pc: calculate topology only once when possible_cpus is initialised pc: move pcms->possible_cpus init out of pc_cpus_init() machine: move possible_cpus to MachineState hw/pci-host/prep: Do not use hw_error() in realize function target/ppc/POWER9: Direct all instr and data storage interrupts to the hypv target/ppc/POWER9: Adapt LPCR handling for POWER9 target/ppc/POWER9: Add ISAv3.00 MMU definition target/ppc: Fix LPCR DPFD mask define target-ppc: Add xscvqpudz and xscvqpuwz instructions target-ppc: Implement round to odd variants of quad FP instructions softfloat: Add float128_to_uint32_round_to_zero() ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-24s390x/css: handle format-0 TIC CCW correctlyDong Jia Shi
For TIC CCW, bit positions 8-32 of the format-1 CCW must contain zeros; otherwise, a program-check condition is generated. For format-0 TIC CCWs, bits 32-63 are ignored. To convert TIC from format-0 CCW to format-1 CCW correctly, let's clear bits 8-32 to guarantee compatibility. Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com> Signed-off-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24virtio-ccw: support VIRTIO_QUEUE_MAX virtqueuesHalil Pasic
The maximal number of virtqueues per device can be limited on a per transport basis. For virtio-ccw this limit is defined by VIRTIO_CCW_QUEUE_MAX, however the limitation used to come form the number of adapter routes supported by flic (via notifiers). Recently the limitation of the flic was adjusted so that it can accommodate VIRTIO_QUEUE_MAX queues, and is in the meanwhile checked for separately too. Let us remove the transport specific limitation of virtio-ccw by dropping VIRTIO_CCW_QUEUE_MAX and using VIRTIO_QUEUE_MAX instead. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24s390x: bump ADAPTER_ROUTES_MAX_GSIHalil Pasic
Let's increase ADAPTER_ROUTES_MAX_GSI to VIRTIO_QUEUE_MAX which is the largest demand foreseeable at the moment. Let us add a compatibility macro for the previous machines so client code can maintain backwards migration compatibility To not mess up migration compatibility for virtio-ccw VIRTIO_CCW_QUEUE_MAX is left at it's current value, and will be dropped when virtio-ccw is converted to use the capability of the flic introduced by this patch. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24virtio-ccw: check flic->adapter_routes_max_batchHalil Pasic
Currently VIRTIO_CCW_QUEUE_MAX is defined as ADAPTER_ROUTES_MAX_GSI. That is when checking queue max we implicitly check the constraint concerning the number of adapter routes. This won't be satisfactory any more (due to backward migration considerations) if ADAPTER_ROUTES_MAX_GSI changes (ADAPTER_ROUTES_MAX_GSI is going to change because we want to support up to VIRTIO_QUEUE_MAX queues per virtio-ccw device). Let us introduce a check on a recently introduce flic property which gives us the compatibility machine aware limit on adapter routes. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24s390x: add property adapter_routes_max_batchHalil Pasic
To make virtio-ccw supports more that 64 virtqueues we will have to increase ADAPTER_ROUTES_MAX_GSI which is currently limiting the number if possible adapter routes. Of course increasing the number of supported routes can break backwards migration. Let us introduce a compatibility property adapter_routes_max_batch so client code can use the some old limit if in compatibility mode and retain the migration compatibility. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24virtio-ccw: Check the number of vqs in CCW_CMD_SET_INDHalil Pasic
We cannot support more than 64 virtqueues with the 64 bits provided by classic indicators. If a driver tries to setup classic indicators (which it is free to do even for virtio-1 devices) for a device with more than 64 virtqueues, we should reject the attempt so that the driver does not end up with an unusable device. This is in preparation for bumping the number of supported virtqueues on the ccw transport. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24virtio-ccw: add virtio-crypto-ccw deviceHalil Pasic
Wire up virtio-crypto for the CCW based VIRTIO. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24virtio-ccw: handle virtio 1 only devicesHalil Pasic
As a preparation for wiring-up virtio-crypto, the first non-transitional virtio device on the ccw transport, let us introduce a mechanism for disabling revision 0. This is more or less equivalent with disabling legacy as revision 0 is legacy only, and legacy drivers use the revision 0 exclusively. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2017-02-24s390x/flic: fail migration on source alreadyCornelia Huck
Current code puts a 'FLIC_FAILED' marker into the migration stream to indicate something went wrong while saving flic state and fails load if it encounters that marker. VMState's put routine recently gained the ability to return error codes (but did not wire it up yet). In order to be able to reap the benefits of returning an error and failing migration on the source already once this gets wired up in core, return an error in addition to storing 'FLIC_FAILED'. Suggested-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Jens Freimann <jfrei@linux.vnet.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
2017-02-24s390x/s390-virtio: get rid of DPRINTFCornelia Huck
The DPRINTF approach is likely to introduce bitrot, and the preferred way for debugging is tracing anyway. Fortunately, there are no users (left), so nuke it. Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Halil Pasic <pasic@linux.vnet.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>