path: root/hw
Age | Commit message | Author
2016-06-02 | msix: make msix_clr_pending() visible for clients | Dmitry Fleytman
This function will be used by e1000e device code. Signed-off-by: Dmitry Fleytman <dmitry.fleytman@ravellosystems.com> Signed-off-by: Leonid Bloch <leonid.bloch@ravellosystems.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-05-25 | net: mipsnet: check packet length against buffer | Prasad J Pandit
When receiving packets over MIPSnet network device, it uses receive buffer of size 1514 bytes. In case the controller accepts large(MTU) packets, it could lead to memory corruption. Add check to avoid it. Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-05-24 | Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' into staging | Peter Maydell
X86 queue, 2016-05-23
# gpg: Signature made Mon 23 May 2016 23:48:27 BST using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
* remotes/ehabkost/tags/x86-pull-request:
  target-i386: kvm: Eliminate kvm_msr_entry_set()
  target-i386: kvm: Simplify MSR setting functions
  target-i386: kvm: Simplify MSR array construction
  target-i386: kvm: Increase MSR_BUF_SIZE
  target-i386: kvm: Allocate kvm_msrs struct once per VCPU
  target-i386: Call cpu_exec_init() on realize
  target-i386: Move TCG initialization to realize time
  target-i386: Move TCG initialization check to tcg_x86_init()
  cpu: Eliminate cpudef_init(), cpudef_setup()
  target-i386: Set constant model_id for qemu64/qemu32/athlon
  pc: Set CPU model-id on compat_props for pc <= 2.4
  osdep: Move default qemu_hw_version() value to a macro
  target-i386: kvm: Use X86XSaveArea struct for xsave save/load
  target-i386: Use xsave structs for ext_save_area
  target-i386: Define structs for layout of xsave area
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-23 | hw/net/opencores_eth: Allocating Large sized arrays to heap | Zhou Jie
open_eth_start_xmit has a huge stack usage of 65536 bytes approx. Moving large arrays to heap to reduce stack usage. Reduce size of a buffer allocated on stack to 0x600 bytes, which is the maximal frame length when HUGEN bit is not set in MODER, only allocate buffer on heap when that is too small. Thus heap is not used in typical use case. Signed-off-by: Zhou Jie <zhoujie2011@cn.fujitsu.com> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
2016-05-23 | hw/net/opencores_eth: use mii.h | Max Filippov
Drop local definitions of MII registers and use constants from mii.h for registers and register bits. No functional changes. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
2016-05-23 | pc: Set CPU model-id on compat_props for pc <= 2.4 | Eduardo Habkost
Instead of relying on x86_cpudef_setup() calling qemu_hw_version(), just make old machines set model-id explicitly on compat_props for qemu64, qemu32, and athlon. This will allow us to eliminate x86_cpudef_setup() later. Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-23 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell
* NMI cleanups (Bandan)
* RAMBlock/Memory cleanups and fixes (Dominik, Gonglei, Fam, me)
* first part of linuxboot support for fw_cfg DMA (Richard)
* IOAPIC fix (Peter Xu)
* iSCSI SG_IO fix (Vadim)
* Various infrastructure bug fixes (Zhijian, Peter M., Stefan)
* CVE fixes (Prasad)
# gpg: Signature made Mon 23 May 2016 16:06:18 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
* remotes/bonzini/tags/for-upstream: (24 commits)
  cpus: call the core nmi injection function
  nmi: remove x86 specific nmi handling
  target-i386: add a generic x86 nmi handler
  coccinelle: add g_assert_cmp* to macro file
  iscsi: pass SCSI status back for SG_IO
  esp: check dma length before reading scsi command(CVE-2016-4441)
  esp: check command buffer length before write(CVE-2016-4439)
  scripts/signrom.py: Check for magic in option ROMs.
  scripts/signrom.py: Allow option ROM checksum script to write the size header.
  Remove config-devices.mak on 'make clean'
  cpus.c: Use pthread_sigmask() rather than sigprocmask()
  memory: remove unnecessary masking of MemoryRegion ram_addr
  memory: Drop FlatRange.romd_mode
  memory: Remove code for mr->may_overlap
  exec: adjust rcu_read_lock requirement
  memory: drop find_ram_block()
  vl: change runstate only if new state is different from current state
  ioapic: clear remote irr bit for edge-triggered interrupts
  ioapic: keep RO bits for IOAPIC entry
  target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
  ...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-23 | nmi: remove x86 specific nmi handling | Bandan Das
nmi_monitor_handle is wired to call the x86 nmi handler. So, we can directly use it at call sites. Signed-off-by: Bandan Das <bsd@redhat.com> Message-Id: <1463761717-26558-3-git-send-email-bsd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | target-i386: add a generic x86 nmi handler | Bandan Das
Instead of having x86 ifdefs in core nmi code, this change adds an arch specific handler that the nmi common code can call. Signed-off-by: Bandan Das <bsd@redhat.com> Message-Id: <1463761717-26558-2-git-send-email-bsd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | esp: check dma length before reading scsi command(CVE-2016-4441) | Prasad J Pandit
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. Routine get_cmd() uses DMA to read scsi commands into this buffer. Add check to validate DMA length against buffer size to avoid any overrun. Fixes CVE-2016-4441. Reported-by: Li Qiang <liqiang6-s@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | esp: check command buffer length before write(CVE-2016-4439) | Prasad J Pandit
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. While writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check was missing to validate input length. Add check to avoid OOB write access. Fixes CVE-2016-4439. Reported-by: Li Qiang <liqiang6-s@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | ioapic: clear remote irr bit for edge-triggered interrupts | Peter Xu
This is to better emulate IOAPIC version 0x1X hardware. Linux kernel leveraged this "feature" to do explicit EOI since EOI register is still not introduced at that time. This will also fix the issue that level triggered interrupts failed to work when IR enabled (tested with Linux kernel version 4.5). Reviewed-by: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Peter Xu <peterx@redhat.com> Message-Id: <1462875682-1349-3-git-send-email-peterx@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | ioapic: keep RO bits for IOAPIC entry | Peter Xu
Currently IOAPIC RO bits can be written. To be better aligned with hardware, we should let them read-only. Reviewed-by: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Peter Xu <peterx@redhat.com> Message-Id: <1462875682-1349-2-git-send-email-peterx@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | i386: kvmvapic: initialise imm32 variable | Prasad J Pandit
When processing Task Priority Register (TPR) access, it could leak automatic stack variable 'imm32' in patch_instruction(). Initialise the variable to avoid it. Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 | Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160523-1' into staging | Peter Maydell
usb: add xen pvUSB backend, add num-ports check to ohci.
# gpg: Signature made Mon 23 May 2016 14:02:25 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
* remotes/kraxel/tags/pull-usb-20160523-1:
  usb/ohci: Fix crash with when specifying too many num-ports
  xen: add pvUSB backend
  xen: write information about supported backends
  xen: introduce dummy system device
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-23 | usb/ohci: Fix crash with when specifying too many num-ports | Thomas Huth
QEMU currently crashes when an OHCI controller is instantiated with too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1". Thus add a proper check in usb_ohci_init() to make sure that we do not use more than OHCI_MAX_PORTS = 15 ports here. Ticket: https://bugs.launchpad.net/qemu/+bug/1581308 Signed-off-by: Thomas Huth <thuth@redhat.com> Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | vga: add sr_vbe register set | Gerd Hoffmann
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact (CVE-2016-3712)." causes a regression. The win7 installer is unhappy because it can't freely modify vga registers any more while in vbe mode. This patch introduces a new sr_vbe register set. The vbe_update_vgaregs will fill sr_vbe[] instead of sr[]. Normal vga register reads and writes go to sr[]. Any sr register read access happens through a new sr() helper function which will read from sr_vbe[] with vbe active and from sr[] otherwise. This way we can allow guests to update sr[] registers as they want, without allowing them to disrupt vbe video modes that way. Cc: qemu-stable@nongnu.org Reported-by: Thomas Lamprecht <thomas@lamprecht.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
2016-05-23 | xen: add pvUSB backend | Juergen Gross
Add a backend for para-virtualized USB devices for xen domains. The backend is using host-libusb to forward USB requests from a domain via libusb to the real device(s) passed through. Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com> Message-id: 1463062421-613-4-git-send-email-jgross@suse.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-gpu: fix ui idx check | Marc-André Lureau
Fix off-by-one value check (0 is the first scanout). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | xen: write information about supported backends | Juergen Gross
Add a Xenstore directory for each supported pv backend. This will allow Xen tools to decide which backend type to use in case there are multiple possibilities. The information is added under /local/domain/<backend-domid>/device-model/<domid>/backends before the "running" state is written to Xenstore. Using a directory for each backend enables us to add parameters for specific backends in the future. This interface is documented in the Xen source repository in the file docs/misc/qemu-backends.txt In order to reuse the Xenstore directory creation already present in hw/xen/xen_devconfig.c move the related functions to hw/xen/xen_backend.c where they fit better. Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Message-id: 1463062421-613-3-git-send-email-jgross@suse.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS | Marc-André Lureau
The value is defined in virtio_gpu.h already (changing from 4 to 16). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | xen: introduce dummy system device | Juergen Gross
Introduce a new dummy system device serving as parent for virtual buses. This will enable new pv backends to introduce virtual buses which are removable again opposed to system buses which are meant to stay once added. Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Message-id: 1463062421-613-2-git-send-email-jgross@suse.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-gpu: check max_outputs only | Marc-André Lureau
The scanout id should not be above the configured num_scanouts. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-gpu: check max_outputs value | Marc-André Lureau
The value must be less than VIRTIO_GPU_MAX_SCANOUT. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-vga: propagate on gpu realized error | Marc-André Lureau
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 | virtio-gpu: check early scanout id | Marc-André Lureau
Before accessing the g->scanout array, in order to avoid potential out-of-bounds access. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-20 | machine: add properties to compat_props incrementaly | Igor Mammedov
Switch to adding compat properties incrementally instead of completely overwriting compat_props per machine type. That removes data duplication which we have due to nested [PC|SPAPR]_COMPAT_* macros. It also allows to set default device properties from default foo_machine_options() hook, which will be used in following patch for putting VMGENID device as a function if ISA bridge on pc/q35 machines. Suggested-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Igor Mammedov <imammedo@redhat.com> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> [ehabkost: Fixed CCW_COMPAT_* and PC_COMPAT_0_* defines] Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 | vl: Replace DT_NOGRAPHIC with machine option | Eduardo Habkost
All DisplayType values are just UI options that don't affect any hardware emulation code, except for DT_NOGRAPHIC. Replace DT_NOGRAPHIC with DT_NONE plus a new "-machine graphics=on|off" option, so hardware emulation code doesn't need to use the display_type variable. Cc: Michael Walle <michael@walle.cc> Cc: Blue Swirl <blauwirbel@gmail.com> Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 | milkymist: Move DT_NOGRAPHIC check outside milkymist_tmu2_create() | Eduardo Habkost
DT_NOGRAPHIC handling will be moved to a MachineState field, and it will be easier to change milkymist_init() to check that field. Cc: Michael Walle <michael@walle.cc> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2016-05-20 | aspeed: include qemu/log.h | Paolo Bonzini
This is not visible with the default "log" trace backend. With other backends however trace.h does not include qemu/log.h, resulting in build failures. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1463745452-25831-2-git-send-email-pbonzini@redhat.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-19 | hw: clean up hw/hw.h includes | Paolo Bonzini
Include qom/object.h and exec/memory.h instead of exec/ioport.h; exec/ioport.h was almost everywhere required only for those two includes, not for the content of the header itself. Remove block/aio.h, everybody is already including it through another path. With this change, include/hw/hw.h is freed from qemu-common.h. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | hw: remove pio_addr_t | Paolo Bonzini
pio_addr_t is almost unused, because these days I/O ports are simply accessed through the address space. cpu_{in,out}[bwl] themselves are almost unused; monitor.c and xen-hvm.c could use address_space_read/write directly, since they have an integer size at hand. This leaves qtest as the only user of those functions. On the other hand even portio_* functions use this type; the only interesting use of pio_addr_t thus is include/hw/sysbus.h. I guess I could move it there, but I don't see much benefit in that either. Using uint32_t is enough and avoids the need to include ioport.h everywhere. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | cpu: move exec-all.h inclusion out of cpu.h | Paolo Bonzini
exec-all.h contains TCG-specific definitions. It is not needed outside TCG-specific files such as translate.c, exec.c or *helper.c. One generic function had snuck into include/exec/exec-all.h; move it to include/qom/cpu.h. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | hw: explicitly include qemu/log.h | Paolo Bonzini
Move the inclusion out of hw/hw.h, most files do not need it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | qemu-common: push cpu.h inclusion out of qemu-common.h | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | acpi: do not use TARGET_PAGE_SIZE | Paolo Bonzini
This is a #define used by the CPU. NVDIMM can just use 4K unconditionally. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | s390x: reorganize CSS bits between cpu.h and other headers | Paolo Bonzini
Move cpu_inject_* to the only C file where they are used. Move ioinst.h declarations that need S390CPU to cpu.h, to make ioinst.h independent of cpu.h. Move channel declarations that only need SubchDev from cpu.h to css.h, to make more channel users independent of cpu.h. Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | dma: do not depend on kvm_enabled() | Paolo Bonzini
Memory barriers are needed also by Xen and, when the ioeventfd bugs are fixed, by TCG as well. sysemu/kvm.h is not anymore needed in sysemu/dma.h, move it to the actual users. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | qemu-common: stop including qemu/host-utils.h from qemu-common.h | Paolo Bonzini
Move it to the actual users. There are some inclusions of qemu/host-utils.h in headers, but they are all necessary. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | qemu-common: stop including qemu/bswap.h from qemu-common.h | Paolo Bonzini
Move it to the actual users. There are still a few includes of qemu/bswap.h in headers; removing them is left for future work. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | hw: do not use VMSTATE_*TL | Paolo Bonzini
Reserve this to CPU state serialization. Luckily, they were only used by sPAPR devices and these are ppc64 only. So there is no change to migration format. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | include: poison symbols in osdep.h | Paolo Bonzini
Ensure that all target-independent files ignore poisoned symbols, and fix the fallout. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | apic: move target-dependent definitions to cpu.h | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | explicitly include linux/kvm.h | Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | explicitly include qom/cpu.h | Paolo Bonzini
exec/cpu-all.h includes qom/cpu.h. Explicit inclusion will keep things working when cpu.h will not be included indirectly almost everywhere (either directly or through qemu-common.h). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | ppc: use PowerPCCPU instead of CPUPPCState | Paolo Bonzini
This changes a cpu.h dependency for hw/ppc/ppc.h into a cpu-qom.h dependency. For it to compile we also need to clean up a few unused definitions. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | mips: use MIPSCPU instead of CPUMIPSState | Paolo Bonzini
This changes a cpu.h dependency into a cpu-qom.h dependency. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | alpha: include cpu-qom.h in files that require AlphaCPU | Paolo Bonzini
This will keep things working when cpu.h will not be included indirectly almost everywhere (either directly or through qemu-common.h). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 | arm: include cpu-qom.h in files that require ARMCPU | Paolo Bonzini
This will keep things working when cpu.h will not be included indirectly almost everywhere (either directly or through qemu-common.h). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-18 | Fix some typos found by codespell | Stefan Weil
Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>