aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2014-05-07xen: move Xen PV machine files to hw/xenpvWei Liu
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07qemu-xen: free all the pirqs for msi/msix when driver unloadZhenzhong Duan
Pirqs are not freed when driver unload, then new pirqs are allocated when driver reload. This could exhaust pirqs if do it in a loop. This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in msi/msix control reg. There is also other way of fixing it such as reuse pirqs between driver reload, but this way is better. Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2 Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140507' into stagingPeter Maydell
Some improvements for s390. Two patches deal with address translation, one fixes a problem in the channel subsystem code. # gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF # gpg: Can't check signature: public key not found * remotes/cohuck/tags/s390x-20140507: s390x/css: Don't save orb in subchannel. s390x/helper: Added format control bit to MMU translation s390x/helper: Fixed real-to-absolute address translation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' ↵Peter Maydell
into staging migration/next for 20140505 # gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723 # gpg: Can't check signature: public key not found * remotes/juanquintela/tags/migration/20140505: (36 commits) migration: expose xbzrle cache miss rate migration: expose the bitmap_sync_count to the end migration: Add counts of updating the dirty bitmap XBZRLE: Fix one XBZRLE corruption issues migration: remove duplicate code Coverity: Fix failure path for qemu_accept in migration Init the XBZRLE.lock in ram_mig_init Provide init function for ram migration Count used RAMBlock pages for migration_dirty_pages Make qemu_peek_buffer loop until it gets it's data Disallow outward migration while awaiting incoming migration virtio: validate config_len on load virtio-net: out-of-bounds buffer write on load openpic: avoid buffer overrun on incoming migration ssi-sd: fix buffer overrun on invalid state load savevm: Ignore minimum_version_id_old if there is no load_state_old usb: sanity check setup_index+setup_len in post_load vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ virtio-scsi: fix buffer overrun on invalid state load zaurus: fix buffer overrun on invalid state load ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' ↵Peter Maydell
into staging QOM/QTest infrastructure fixes and device conversions * -device / device_add assertion fix * QEMUMachine conversion to MachineClass * Device error handling improvements * QTest cleanups and test cases for some more PCI devices * PortIO memory leak fixes # gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/qom-devices-for-peter: PortioList: Store PortioList in device state tests: Add EHCI qtest tests: Add ioh3420 qtest tests: Add intel-hda qtests tests: Add es1370 qtest tests: Add ac97 qtest qtest: Be paranoid about accept() addrlen argument qtest: Add error reporting to socket_accept() qtest: Assure that init_socket()'s listen() does not fail MAINTAINERS: Document QOM arm: Clean up fragile use of error_is_set() in realize() methods qom: Clean up fragile use of error_is_set() in set() methods hw: Consistently name Error ** objects errp, and not err hw: Consistently name Error * objects err, and not errp machine: Remove QEMUMachine indirection from MachineClass machine: Replace QEMUMachine by MachineClass in accelerator configuration vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs machine: Copy QEMUMachine's fields to MachineClass machine: Remove obsoleted field from QEMUMachine qdev: Fix crash by validating the object type Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07s390x/css: Don't save orb in subchannel.Cornelia Huck
Current css code saves the operation request block (orb) in the subchannel structure for later consumption by the start function handler. This might make sense for asynchronous execution of the start function (which qemu doesn't support), but not in our case; it would even be wrong since orb contains a reference to a local variable in the base ssch handler. Let's just pass the orb through the start function call chain for ssch; for rsch, we can pass NULL as the backend function does not use any information passed via the orb there. Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-05-06Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-6' into stagingPeter Maydell
ohci live migration. mtp bugfixes. # gpg: Signature made Mon 05 May 2014 12:08:48 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-usb-6: usb: mtp: reply INCOMPLETE_TRANSFER on read errors usb: mtp: fix possible buffer overflow usb: mtp: drop data-out hexdump usb: mtp: avoid empty description string usb: mtp: fix error path memory leak usb: mtp: fix serial (must be exact 32 chars) usb: mtp: fix version (is decimal not bcd) usb: mtp: fix usb_mtp_add_u64 usb: mtp: replace debug printfs with trace points usb-ohci: Add vmstate descriptor Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-05virtio: validate config_len on loadMichael S. Tsirkin
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio-net: out-of-bounds buffer write on loadMichael S. Tsirkin
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory. If adversary controls state then memory written there is controlled by adversary. Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05openpic: avoid buffer overrun on incoming migrationMichael Roth
CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Reviewed-by: Alexander Graf <agraf@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ssi-sd: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05usb: sanity check setup_index+setup_len in post_loadMichael S. Tsirkin
CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/Michael S. Tsirkin
As the macro verifies the value is positive, rename it to make the function clearer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio-scsi: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4542 hw/scsi/scsi-bus.c invokes load_request. virtio_scsi_load_request does: qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); this probably can make elem invalid, for example, make in_num or out_num huge, then: virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); will do: if (req->elem.out_num > 1) { qemu_sgl_init_external(req, &req->elem.out_sg[1], &req->elem.out_addr[1], req->elem.out_num - 1); } else { qemu_sgl_init_external(req, &req->elem.in_sg[1], &req->elem.in_addr[1], req->elem.in_num - 1); } and this will access out of array bounds. Note: this adds security checks within assert calls since SCSIBusInfo's load_request cannot fail. For now simply disable builds with NDEBUG - there seems to be little value in supporting these. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05zaurus: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4540 Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that causes a buffer overrun. Since prev_level comes from wire indirectly, this can happen on invalid state load. Similarly for gpio_level and gpio_dir. To fix, limit to 16 bit. Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05tsc210x: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4539 s->precision, nextprecision, function and nextfunction come from wire and are used as idx into resolution[] in TSC_CUT_RESOLUTION. Validate after load to avoid buffer overrun. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ssd0323: fix buffer overun on invalid state loadMichael S. Tsirkin
CVE-2013-4538 s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indicies into framebuffer array. To fix validate after load. Additionally, validate that the row/col_start/end are within bounds; otherwise the guest can provoke an overrun by either setting the _end field so large that the row++ increments just walk off the end of the array, or by setting the _start value to something bogus and then letting the "we hit end of row" logic reset row to row_start. For completeness, validate mode as well. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05pxa2xx: avoid buffer overrun on incoming migrationMichael S. Tsirkin
CVE-2013-4533 s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire. Fix this by validating rx_level against the size of s->rx_fifo. Cc: Don Koch <dkoch@verizon.com> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Don Koch <dkoch@verizon.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: validate num_sg when mappingMichael S. Tsirkin
CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: avoid buffer overrun on incoming migrationMichael Roth
CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source. Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05pl022: fix buffer overun on invalid state loadMichael S. Tsirkin
CVE-2013-4530 pl022.c did not bounds check tx_fifo_head and rx_fifo_head after loading them from file and before they are used to dereference array. Reported-by: Michael S. Tsirkin <mst@redhat.com Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05hw/pci/pcie_aer.c: fix buffer overruns on invalid state loadMichael S. Tsirkin
4) CVE-2013-4529 hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is too large There are two issues in this file: 1. log_max from remote can be larger than on local then buffer will overrun with data coming from state file. 2. log_num can be larger then we get data corruption again with an overflow but not adversary controlled. Fix both issues. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05hpet: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ahci: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: out-of-bounds buffer write on invalid state loadMichael S. Tsirkin
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05PortioList: Store PortioList in device stateKirill Batuzov
PortioList is an abstraction used for construction of MemoryRegionPortioList from MemoryRegionPortio. It can be used later to unmap created memory regions. It also requires proper cleanup because some of the memory inside is allocated dynamically. By moving PortioList ot device state we make it possible to cleanup later and avoid leaking memory. This change spans several target platforms. The following testcases cover all changed lines: qemu-system-ppc -M prep qemu-system-i386 -vga qxl qemu-system-i386 -M isapc -soundhw adlib -device ib700,id=watchdog0,bus=isa.0 Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05arm: Clean up fragile use of error_is_set() in realize() methodsMarkus Armbruster
Using error_is_set(ERRP) to find out whether a function failed is either wrong, fragile, or unnecessarily opaque. It's wrong when ERRP may be null, because errors go undetected when it is. It's fragile when proving ERRP non-null involves a non-local argument. Else, it's unnecessarily opaque (see commit 84d18f0). I guess the error_is_set(errp) in the DeviceClass realize() methods are merely fragile right now, because I can't find a call chain that passes a null errp argument. Make the code more robust and more obviously correct: receive the error in a local variable, then propagate it through the parameter. Signed-off-by: Markus Armbruster <armbru@redhat.com> Acked-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05qom: Clean up fragile use of error_is_set() in set() methodsMarkus Armbruster
Using error_is_set(ERRP) to find out whether a function failed is either wrong, fragile, or unnecessarily opaque. It's wrong when ERRP may be null, because errors go undetected when it is. It's fragile when proving ERRP non-null involves a non-local argument. Else, it's unnecessarily opaque (see commit 84d18f0). I guess the error_is_set(errp) in the ObjectProperty set() methods are merely fragile right now, because I can't find a call chain that passes a null errp argument. Make the code more robust and more obviously correct: receive the error in a local variable, then propagate it through the parameter. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05hw: Consistently name Error ** objects errp, and not errMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05hw: Consistently name Error * objects err, and not errpMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05machine: Remove QEMUMachine indirection from MachineClassMarcel Apfelbaum
No need to go through qemu_machine field. Use MachineClass fields directly. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05machine: Copy QEMUMachine's fields to MachineClassMarcel Apfelbaum
In order to eliminate the QEMUMachine indirection, add its fields directly to MachineClass. Do not yet remove qemu_machine field because it is still in use by sPAPR. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> [AF: Copied fields for sPAPR, too] Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05virtio-net: out-of-bounds buffer write on invalid state loadMichael S. Tsirkin
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c This code is in hw/net/virtio-net.c: if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "); return -1; } n->curr_queues = qemu_get_be16(f); for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); } } Number of vqs is max_queues, so if we get invalid input here, for example if max_queues = 2, curr_queues = 3, we get write beyond end of the buffer, with data that comes from wire. This might be used to corrupt qemu memory in hard to predict ways. Since we have lots of function pointers around, RCE might be possible. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05SMBIOS: Build aggregate smbios tables and entry pointGabriel L. Somlo
Build an aggregate set of smbios tables and an entry point structure. Insert tables and entry point into fw_cfg respectively under "etc/smbios/smbios-tables" and "etc/smbios/smbios-anchor". Machine types <= 2.0 will for now continue using field-by-field overrides to SeaBIOS defaults, but for machine types 2.1 and up we expect the BIOS to look for and use the aggregate tables generated by this patch. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> [ kraxel: fix 32bit build ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05usb: mtp: reply INCOMPLETE_TRANSFER on read errorsGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: fix possible buffer overflowGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: drop data-out hexdumpGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: avoid empty description stringGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: fix error path memory leakGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: fix serial (must be exact 32 chars)Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: fix version (is decimal not bcd)Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: fix usb_mtp_add_u64Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb: mtp: replace debug printfs with trace pointsGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-05usb-ohci: Add vmstate descriptorAlexey Kardashevskiy
This adds migration support for OHCI. This defines a descriptor for OHCIState. This changes some OHCIState field types to be migration compatible. This adds a descriptor for OHCIPort. This migrates the EOF timer if the USB was started at the time of migration. Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05SMBIOS: Use bitmaps to prevent incompatible comand line optionsGabriel L. Somlo
Replace existing smbios_check_collision() functionality with a pair of bitmaps: have_binfile_bitmap and have_fields_bitmap. Bits corresponding to each smbios type are set by smbios_entry_add(), which also uses the bitmaps to ensure that binary blobs and field values are never accepted for the same type. These bitmaps will also be used in the future to decide whether or not to build a full table for a given smbios type. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05SMBIOS: Use macro to set smbios defaultsGabriel L. Somlo
The function smbios_set_defaults() uses a repeating code pattern for each field. This patch replaces that pattern with a macro. This patch contains no functional changes. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05SMBIOS: Rename symbols to better reflect future useGabriel L. Somlo
Rename the following symbols: - smbios_set_type1_defaults() to the more general smbios_set_defaults(); - bool smbios_type1_defaults to the more general smbios_defaults; - smbios_get_table() to smbios_get_table_legacy(); This patch contains no functional changes. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05E820: Add interface for accessing e820 tableGabriel L. Somlo
Add the following two functions: - e820_get_num_entries() - query the size of the e820 table - e820_get_entry() - grab an entry matching a given set of criteria This interface is currently necessary for creating type 19 (memory array mapped address) structures in smbios. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-05pc: add 2.1 machine typeMichael S. Tsirkin
At the moment, 2.1 and 2.0 machines are identical. As several people are working on incompatible changes to the PC machine, collaboration will be made easier by merging this place-holder. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-05-02Merge remote-tracking branch ↵Peter Maydell
'remotes/pmaydell/tags/pull-target-arm-20140501' into staging target-arm queue: * implement XScale cache lockdown cp15 ops * fix v7M CPUID base register * implement WFE and YIELD as yields for A64 * fix A64 "BLR LR" * support Cortex-A57 in virt machine model * a few other minor AArch64 bugfixes # gpg: Signature made Thu 01 May 2014 15:42:17 BST using RSA key ID 14360CDE # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" * remotes/pmaydell/tags/pull-target-arm-20140501: hw/arm/virt: Add support for Cortex-A57 hw/arm/virt: Put GIC register banks on 64K boundaries hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv target-arm: Correct a comment refering to EL0 target-arm: A64: Fix a typo when declaring TLBI ops target-arm: A64: Handle blr lr target-arm: Make vbar_write 64bit friendly on 32bit hosts target-arm: implement WFE/YIELD as a yield for AArch64 armv7m_nvic: fix CPUID Base Register target-arm: Implement XScale cache lockdown operations as NOPs Signed-off-by: Peter Maydell <peter.maydell@linaro.org>