aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2018-11-27lsi: Reselection needed to remove pending commands from queueGeorge Kennedy
Under heavy IO (e.g. fio) the queue is not checked frequently enough for pending commands. As a result some pending commands are timed out by the linux sym53c8xx driver, which sends SCSI Abort messages for the timed out commands. The SCSI Abort messages result in linux errors, which show up on the console and in /var/log/messages. e.g. sd 0:0:3:0: [sdd] tag#33 ABORT operation started scsi target0:0:3: control msgout: 80 20 47 d sd 0:0:3:0: ABORT operation complete. scsi target0:0:4: message d sent on bad reselection Now following a WAIT DISCONNECT Script instruction, and if there is no current command, check for a pending command on the queue and if one exists call lsi_reselect(). Signed-off-by: George Kennedy <george.kennedy@oracle.com> Message-Id: <1541776692-12271-1-git-send-email-george.kennedy@oracle.com> [For safety, add a s->current check in lsi_update_irq - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-27Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/fixes-31-20181127-pull-request' into staging various bugfixes for 3.1: fmops, ps2, cirrus, hda, usb-host, qapi # gpg: Signature made Tue 27 Nov 2018 06:49:13 GMT # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/fixes-31-20181127-pull-request: qapi: add query-display-options command usb-host: set ifs.detached as true if kernel driver is not active audio/hda: fix guest triggerable assert cirrus_vga/migration: update the bank offset before use ps2kbd: default to scan enabled after reset fmops: fix off-by-one in AR_TABLE and DR_TABLE array size Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-27usb-host: set ifs.detached as true if kernel driver is not activelinzhecheng
If no kernel driver is active, we can already claim and perform I/O on it without detaching it. Signed-off-by: linzhecheng <linzhecheng@huawei.com> Message-id: 20181120083419.17716-1-linzhecheng@huawei.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-27audio/hda: fix guest triggerable assertGerd Hoffmann
Guest writes to a readonly register trigger the assert in intel_hda_reg_write(). Add a check and just ignore them. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1628433 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20181123063957.9515-1-kraxel@redhat.com
2018-11-27cirrus_vga/migration: update the bank offset before useWang Xin
The cirrus bank0/1 offset should be updated before we update the vram's alias offset. Signed-off-by: Wang Xin <wangxinxin.wang@huawei.com> Message-id: 20181123064646.23036-1-linzhecheng@huawei.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-27ps2kbd: default to scan enabled after resetHervé Poussineau
A check for scan_enabled has been added to ps2_keyboard_event in commit 143c04c7e0639e53086519592ead15d2556bfbf2 to prevent stream corruption. This works well as long as operating system is resetting keyboard, or enabling it. This fixes IBM 40p firmware, which doesn't bother sending KBD_CMD_RESET, KBD_CMD_ENABLE or KBD_CMD_RESET_ENABLE before trying to use the keyboard. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20181021190721.2148-1-hpoussin@reactos.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-26hw/hyperv: fix NULL dereference with pure-kvm SynICRoman Kagan
When started in compat configuration of SynIC, e.g. qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \ -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic or explicitly qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on QEMU crashes in hyperv_synic_reset() trying to access the non-present qobject for SynIC. Add the missing check for NULL. Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com> Reported-by: Igor Mammedov <imammedo@redhat.com> Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065 Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> Message-Id: <20181126152836.25379-1-rkagan@virtuozzo.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2018-11-26net: cadence_gem: Remove incorrect assert()Edgar E. Iglesias
Don't assert on RX descriptor settings when the receiver is disabled. This fixes an issue with incoming packets on an unused GEM. Reported-by: mbilal <muhammad_bilal@mentor.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20181123135450.24829-2-edgar.iglesias@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-26Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into stagingPeter Maydell
Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489). # gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT # gpg: using RSA key 71D4D5E5822F73D6 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Gregory Kurz <gregory.kurz@free.fr>" # gpg: aka "[jpeg image of size 3330]" # Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6 * remotes/gkurz/tags/for-upstream: 9p: fix QEMU crash when renaming files Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-26Merge remote-tracking branch 'remotes/xtensa/tags/20181125-xtensa' into stagingPeter Maydell
xtensa fixes for 3.1: - fix register counting logic for linux-user gdbserver; - provide default memory sizes for XTFPGA boards; - add missing xtensa patterns to MAINTAINTERS. # gpg: Signature made Sun 25 Nov 2018 23:07:54 GMT # gpg: using RSA key 51F9CC91F83FA044 # gpg: Good signature from "Max Filippov <filippov@cadence.com>" # gpg: aka "Max Filippov <max.filippov@cogentembedded.com>" # gpg: aka "Max Filippov <jcmvbkbc@gmail.com>" # Primary key fingerprint: 2B67 854B 98E5 327D CDEB 17D8 51F9 CC91 F83F A044 * remotes/xtensa/tags/20181125-xtensa: MAINTAINERS: add missing xtensa patterns target/xtensa: xtfpga: provide default memory sizes target/xtensa: drop num_[core_]regs from dc232b/dc233c configs target/xtensa: gdbstub fix register counting Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-26fmops: fix off-by-one in AR_TABLE and DR_TABLE array sizeGerd Hoffmann
Cc: P J P <ppandit@redhat.com> Reported-by: Wangjunqing <wangjunqing@huawei.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 20181030082340.17170-1-kraxel@redhat.com Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-239p: fix QEMU crash when renaming filesGreg Kurz
When using the 9P2000.u version of the protocol, the following shell command line in the guest can cause QEMU to crash: while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done With 9P2000.u, file renaming is handled by the WSTAT command. The v9fs_wstat() function calls v9fs_complete_rename(), which calls v9fs_fix_path() for every fid whose path is affected by the change. The involved calls to v9fs_path_copy() may race with any other access to the fid path performed by some worker thread, causing a crash like shown below: Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59 59 while (*path && fd != -1) { (gdb) bt #0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59 #1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8, path=0x0) at hw/9pfs/9p-local.c:92 #2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8, fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185 #3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498, path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53 #4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498) at hw/9pfs/9p.c:1083 #5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767) at util/coroutine-ucontext.c:116 #6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6 #7 0x0000000000000000 in () (gdb) The fix is to take the path write lock when calling v9fs_complete_rename(), like in v9fs_rename(). Impact: DoS triggered by unprivileged guest users. Fixes: CVE-2018-19489 Cc: P J P <ppandit@redhat.com> Reported-by: zhibin hu <noirfate@gmail.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Greg Kurz <groug@kaod.org>
2018-11-22nvme: fix bug with PCI IRQ pins on teardownLogan Gunthorpe
When the submission and completion queues are being torn down the IRQ will be asserted for the completion queue when the submsission queue is deleted. Then when the completion queue is deleted it stays asserted. Thus, on systems that do not use MSI, no further interrupts can be triggered on the host. Linux sees this as a long delay when unbinding the nvme device. Eventually the interrupt timeout occurs and it continues. To fix this we ensure we deassert the IRQ for a CQ when it is deleted. Signed-off-by: Logan Gunthorpe <logang@deltatee.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-22nvme: fix CMB endianness confusionPaolo Bonzini
The CMB is marked as DEVICE_LITTLE_ENDIAN, so the data must be read/written as if it was little-endian output (in the case of big endian, we get two swaps, one in the memory core and one in nvme.c). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-22Revert "nvme: fix oob access issue(CVE-2018-16847)"Kevin Wolf
This reverts commit 5e3c0220d7e4f0361c4d36c697a8842f2b583402. We have a better fix commited for this now. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-22nvme: fix out-of-bounds access to the CMBPaolo Bonzini
Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one error. This is CVE-2018-16847. Another way to fix this might be to register the CMB as a RAM memory region, which would also be more efficient. However, that might be a change for big-endian machines; I didn't think this through and I don't know how real hardware works. Add a basic testcase for the CMB in case somebody does this change later on. Cc: Keith Busch <keith.busch@intel.com> Cc: qemu-block@nongnu.org Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Tested-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-22nvme: call blk_drain in NVMe reset code to avoid lockupsIgor Druzhinin
When blk_flush called in NVMe reset path S/C queues are already freed which means that re-entering AIO handling loop having some IO requests unfinished will lockup or crash as their SG structures being potentially reused. Call blk_drain before freeing the queues to avoid this nasty scenario. Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-22scsi-disk: Fix crash if underlying host file or disk returns errorRichard W.M. Jones
Commit 40dce4ee6 "scsi-disk: fix rerror/werror=ignore" introduced a bug which causes qemu to crash with the assertion error below if the host file or disk returns an error: qemu-system-x86_64: hw/scsi/scsi-bus.c:1374: scsi_req_complete: Assertion `req->status == -1' failed. Kevin Wolf suggested this fix: < kwolf> Hm, should the final return false; in that patch actually be a return true? < kwolf> Because I think he didn't intend to change anything except BLOCK_ERROR_ACTION_IGNORE Buglink: https://bugs.launchpad.net/qemu/+bug/1804323 Fixes: 40dce4ee61c68395f6d463fae792f61b7c003bce Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-21target/xtensa: xtfpga: provide default memory sizesMax Filippov
Provide default RAM sizes for all XTFPGA boards, so that when started without -m option they do the right thing. Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2018-11-20hw/i386: add pc-i440fx-3.1 & pc-q35-3.1Marc-André Lureau
We have a couple of PC_COMPAT_3_0, so we should have 3.1 PC machines, and update the 3.0 machines to make use of those. Fixes a "Known issue" from https://wiki.qemu.org/Planning/3.1. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <20181120132604.22854-1-marcandre.lureau@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2018-11-209p: take write lock on fid path updates (CVE-2018-19364)Greg Kurz
Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could possibly overwrite a fid path with v9fs_path_copy() while it is being accessed by some other thread, ie, use-after-free that can be detected by ASAN with a custom 9p client. It turns out that the same can happen at several locations where v9fs_path_copy() is used to set the fid path. The fix is again to take the write lock. Fixes CVE-2018-19364. Cc: P J P <ppandit@redhat.com> Reported-by: zhibin hu <noirfate@gmail.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Greg Kurz <groug@kaod.org>
2018-11-19hw/block/onenand: use qemu_log_mask() for reportingPeter Maydell
Update the onenand device to use qemu_log_mask() for reporting guest errors and unimplemented features, rather than plain fprintf() and hw_error(). (We leave the hw_error() in onenand_reset(), as that is triggered by a failure to read the underlying block device for the bootRAM, not by guest action.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20181115143535.5885-3-peter.maydell@linaro.org
2018-11-19hw/block/onenand: Fix off-by-one error allowing out-of-bounds readPeter Maydell
An off-by-one error in a switch case in onenand_read() allowed a misbehaving guest to read off the end of a block of memory. NB: the onenand device is used only by the "n800" and "n810" machines, which are usable only with TCG, not KVM, so this is not a security issue. Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20181115143535.5885-2-peter.maydell@linaro.org Suggested-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-19hw/arm/stm32f205: Fix the UART and Timer region sizeSeth Kintigh
The UART and timer devices for the stm32f205 were being created with memory regions that were too large. Use the size specified in the chip datasheet. The old sizes were so large that the devices would overlap with each other in the SoC memory map, so this fixes a bug that caused odd behavior and/or crashes when trying to set up multiple UARTs. Signed-off-by: Seth Kintigh <skintigh@gmail.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: rephrased commit message to follow our usual standard] Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-19fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabledMark Cave-Ayland
Commit c8a35f1cf0f "fdc: use IsaDma interface instead of global DMA_* functions" accidentally introduced a segfault in fdctrl_stop_transfer() for non-DMA transfers. If fdctrl->dma_chann has not been configured then the fdctrl->dma interface reference isn't initialised during isabus_fdc_realize(). Unfortunately fdctrl_stop_transfer() unconditionally references the DMA interface when finishing the transfer causing a NULL pointer dereference. Fix the issue by adding a check in fdctrl_stop_transfer() so that the DMA interface reference and release method is only invoked if fdctrl->dma_chann has been set. (This issue was discovered by Martin testing a recent change in the NetBSD installer under qemu-system-sparc) Cc: qemu-stable@nongnu.org Reported-by: Martin Husemann <martin@duskware.de> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Hervé Poussineau <hpoussin@reactos.org> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-19nvme: fix oob access issue(CVE-2018-16847)Li Qiang
Currently, the nvme_cmb_ops mr doesn't check the addr and size. This can lead an oob access issue. This is triggerable in the guest. Add check to avoid this issue. Fixes CVE-2018-16847. Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-19Merge remote-tracking branch 'remotes/riscv/tags/riscv-for-master-3.1-rc2' ↵Peter Maydell
into staging RISC-V Patches for 3.1-rc2 This pull request contains four patches that aren't really related to each other aside from all being bug fixes that I think should go in for 3.1.0: * The second half of Alistair's memory leak patch set that I missed last week. * A fix to make fclass.d availiable only on RV64IFD systems (without this it's availiable on RV32IFD systems, truncating the result). * A fix to make sfence.vm availiable only in priv-1.9.1, and sfence.vma only availiable in priv-1.10. * A change to respect fences in user-mode emulators, which were previously treated as NOPs. As usual, this builds and boot Linux for me. I don't think I have anything else planned for 3.1.0, but I may be wrong as things are a bit hectic this week. # gpg: Signature made Tue 13 Nov 2018 23:48:38 GMT # gpg: using RSA key EF4CA1502CCBAB41 # gpg: Good signature from "Palmer Dabbelt <palmer@dabbelt.com>" # gpg: aka "Palmer Dabbelt <palmer@sifive.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 00CE 76D1 8349 60DF CE88 6DF8 EF4C A150 2CCB AB41 * remotes/riscv/tags/riscv-for-master-3.1-rc2: RISC-V: Respect fences for user-only emulators target/riscv: Fix sfence.vm/a both available in any priv version target/riscv: Fix FCLASS_D being treated as RV64 only hw/riscv/virt: Free the test device tree node name Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-15Merge remote-tracking branch ↵Peter Maydell
'remotes/stefanberger/tags/pull-tpm-2018-11-15-1' into staging Merge tpm 2018/11/15 v1 # gpg: Signature made Thu 15 Nov 2018 14:03:45 GMT # gpg: using RSA key 75AD65802A0B4211 # gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211 * remotes/stefanberger/tags/pull-tpm-2018-11-15-1: tests: tpm: Use g_test_message rather than fprintf tpm: use loop iterator to set sts data field Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-14tpm: use loop iterator to set sts data fieldPrasad J Pandit
When TIS request is done, set 'sts' data field across all localities. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2018-11-13hw/riscv/virt: Free the test device tree node nameAlistair Francis
Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
2018-11-13s390x/pci: properly fail if the zPCI device cannot be createdDavid Hildenbrand
Right now, errors during realize()/pre_plug/plug of the zPCI device would result in QEMU crashing instead of failing nicely when creating a zPCI device for a PCI device. Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Collin Walling <walling@linux.ibm.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20181113121710.18490-1-david@redhat.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-11-13hw/arm/sysbus-fdt: Only call match_fn callback if the type matchesEric Auger
Commit af7d64ede0b9 (hw/arm/sysbus-fdt: Allow device matching with DT compatible value) introduced a match_fn callback which gets called for each registered combo to check whether a sysbus device can be dynamically instantiated. However the callback gets called even if the device type does not match the binding combo typename field. This causes an assert when passing "-device ramfb" to the qemu command line as vfio_platform_match() gets called on a non vfio-platform device. To fix this regression, let's change the add_fdt_node() logic so that we first check the type and if the match_fn callback is defined, then we also call it. Binding combos only requesting a type check do not define the match_fn callback. Fixes: af7d64ede0b9 (hw/arm/sysbus-fdt: Allow device matching with DT compatible value) Signed-off-by: Eric Auger <eric.auger@redhat.com> Reported-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Tested-by: Geert Uytterhoeven <geert+renesas@glider.be> Message-id: 20181106184212.29377-1-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-12nvme: free cmbuf in nvme_exitLi Qiang
This avoid a memory leak in unhotplug nvme device. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-12nvme: don't unref ctrl_mem when device unrealizedLi Qiang
Currently, when hotplug/unhotplug nvme device, it will cause an assert in object.c. Following is the backtrack: ERROR:qom/object.c:981:object_unref: assertion failed: (obj->ref > 0) Thread 2 "qemu-system-x86" received signal SIGABRT, Aborted. [Switching to Thread 0x7fffcbd32700 (LWP 18844)] 0x00007fffdb9e4fff in raise () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) bt /lib/x86_64-linux-gnu/libglib-2.0.so.0 /lib/x86_64-linux-gnu/libglib-2.0.so.0 qom/object.c:981 /home/liqiang02/qemu-upstream/qemu/memory.c:1732 /home/liqiang02/qemu-upstream/qemu/memory.c:285 util/qemu-thread-posix.c:504 /lib/x86_64-linux-gnu/libpthread.so.0 This is caused by memory_region_unref in nvme_exit. Remove it to make the PCIdevice refcount correct. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-11-12Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/fixes-31-20181112-pull-request' into staging fixes for 3.1: mark bt as deprecated, bugfixes for pulse, gtk and edid. # gpg: Signature made Mon 12 Nov 2018 15:14:58 GMT # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/fixes-31-20181112-pull-request: ui/gtk: fix cursor in egl mode pulseaudio: process audio data in smaller chunks edid: silence a stringop-overflow warning bt: Mark the bluetooth subsystem as deprecated Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-12hw/acpi/nvdimm: Don't take address of fields in packed structsPeter Maydell
Taking the address of a field in a packed struct is a bad idea, because it might not be actually aligned enough for that pointer type (and thus cause a crash on dereference on some host architectures). Newer versions of clang warn about this. Avoid the bug by not using the "modify in place" byte swapping functions. Patch produced with scripts/coccinelle/inplace-byteswaps.cocci. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 20181016175236.5840-1-peter.maydell@linaro.org
2018-11-12edid: silence a stringop-overflow warningMarc-André Lureau
Simplify the code that doesn't need strncpy() since length of string is already computed. /home/elmarco/src/qemu/hw/display/edid-generate.c: In function 'edid_desc_text': /home/elmarco/src/qemu/hw/display/edid-generate.c:168:5: error: 'strncpy' specified bound depends on the length of the source argument [-Werror=stringop-overflow=] strncpy((char *)(desc + 5), text, len); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /home/elmarco/src/qemu/hw/display/edid-generate.c:164:11: note: length computed here len = strlen(text); ^~~~~~~~~~~~ cc1: all warnings being treated as errors Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-id: 20181110111623.31356-1-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-12pc-testdev: use HTTPS git URLStefan Hajnoczi
When you clone the repository without previous commit history, 'git://' doesn't protect from man-in-the-middle attacks. HTTPS is more secure since the client verifies the server certificate. Cc: Paolo Bonzini <pbonzini@redhat.com> Suggested-by: Eric Blake <eblake@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20181108111531.30671-7-stefanha@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-09Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into stagingPeter Maydell
Fixes a potential use-after-free issue that could be triggered by a misbehaving guest. # gpg: Signature made Thu 08 Nov 2018 20:36:48 GMT # gpg: using RSA key 71D4D5E5822F73D6 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Gregory Kurz <gregory.kurz@free.fr>" # gpg: aka "[jpeg image of size 3330]" # Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6 * remotes/gkurz/tags/for-upstream: 9p: write lock path in v9fs_co_open2() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-089p: write lock path in v9fs_co_open2()Greg Kurz
The assumption that the fid cannot be used by any other operation is wrong. At least, nothing prevents a misbehaving client to create a file with a given fid, and to pass this fid to some other operation at the same time (ie, without waiting for the response to the creation request). The call to v9fs_path_copy() performed by the worker thread after the file was created can race with any access to the fid path performed by some other thread. This causes use-after-free issues that can be detected by ASAN with a custom 9p client. Unlike other operations that only read the fid path, v9fs_co_open2() does modify it. It should hence take the write lock. Cc: P J P <ppandit@redhat.com> Reported-by: zhibin hu <noirfate@gmail.com> Signed-off-by: Greg Kurz <groug@kaod.org>
2018-11-08riscv: spike: Fix memory leak in the board initAlistair Francis
Coverity caught a malloc() call that was never freed. This patch ensures that we free the memory but also updates the allocation to use g_strdup_printf() instead of malloc(). Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Suggested-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Palmer Dabbelt <palmer@sifive.com> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
2018-11-08Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-3.1-20181108' ↵Peter Maydell
into staging ppc patch queue 2018-11-08 Here's another patch of accumulated ppc patches for qemu-3.1. Highlights are: * Support for nested HV KVM on POWER9 hosts * Remove Alex Graf as ppc maintainer * Emulation of external PID instructions # gpg: Signature made Thu 08 Nov 2018 12:14:27 GMT # gpg: using RSA key 6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-3.1-20181108: (22 commits) ppc/spapr_caps: Add SPAPR_CAP_NESTED_KVM_HV target/ppc: Add one reg id for ptcr This patch fixes processing of rfi instructions in icount mode. hw/ppc/ppc440_uc: Remove dead code in sdram_size() MAINTAINERS: PPC: Remove myself ppc/pnv: check size before data buffer access target/ppc: fix mtmsr instruction for icount hw/ppc/mac_newworld: Free openpic_irqs array after use macio/pmu: Fix missing vmsd terminator spapr_pci: convert g_malloc() to g_new() target/ppc: Split out float_invalid_cvt target/ppc: Split out float_invalid_op_div target/ppc: Split out float_invalid_op_mul target/ppc: Split out float_invalid_op_addsub target/ppc: Introduce fp number classification target/ppc: Remove float_check_status target/ppc: Split up float_invalid_op_excp hw/ppc/spapr_rng: Introduce CONFIG_SPAPR_RNG switch for spapr_rng.c PPC: e500: convert SysBus init method to a realize method ppc4xx_pci: convert SysBus init method to a realize method ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-08Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* icount fix (Clement) * dumping fixes for non-volatile memory (Marc-André, myself) * x86 emulation fix (Rudolf) * recent Hyper-V CPUID flag (Vitaly) * Q35 doc fix (Daniel) * lsi fix (Prasad) * SCSI block limits emulation fixes (myself) * qemu_thread_atexit rework (Peter) * ivshmem memory leak fix (Igor) # gpg: Signature made Tue 06 Nov 2018 21:34:30 GMT # gpg: using RSA key BFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: util/qemu-thread-posix: Fix qemu_thread_atexit* for OSX include/qemu/thread.h: Document qemu_thread_atexit* API scsi-generic: do not do VPD emulation for sense other than ILLEGAL_REQUEST scsi-generic: avoid invalid access to struct when emulating block limits scsi-generic: avoid out-of-bounds access to VPD page list scsi-generic: keep VPD page list sorted lsi53c895a: check message length value is valid scripts/dump-guest-memory: Synchronize with guest_phys_blocks_region_add memory-mapping: skip non-volatile memory regions in GuestPhysBlockList nvdimm: set non-volatile on the memory region memory: learn about non-volatile memory region target/i386: Clear RF on SYSCALL instruction MAINTAINERS: remove or downgrade myself to reviewer from some subsystems ivshmem: fix memory backend leak i386: clarify that the Q35 machine type implements a P35 chipset x86: hv_evmcs CPU flag support icount: fix deadlock when all cpus are sleeping Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-11-08ppc/spapr_caps: Add SPAPR_CAP_NESTED_KVM_HVSuraj Jitindar Singh
Add the spapr cap SPAPR_CAP_NESTED_KVM_HV to be used to control the availability of nested kvm-hv to the level 1 (L1) guest. Assuming a hypervisor with support enabled an L1 guest can be allowed to use the kvm-hv module (and thus run it's own kvm-hv guests) by setting: -machine pseries,cap-nested-hv=true or disabled with: -machine pseries,cap-nested-hv=false Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08hw/ppc/ppc440_uc: Remove dead code in sdram_size()Peter Maydell
Coverity points out in CID 1390588 that the test for sh == 0 in sdram_size() can never fire, because we calculate sh with sh = 1024 - ((bcr >> 6) & 0x3ff); which must result in a value between 1 and 1024 inclusive. Without the relevant manual for the SoC, we're not completely sure of the correct behaviour here, but we can remove the dead code without changing how QEMU currently behaves. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08ppc/pnv: check size before data buffer accessPrasad J Pandit
While performing PowerNV memory r/w operations, the access length 'sz' could exceed the data[4] buffer size. Add check to avoid OOB access. Reported-by: Moguofang <moguofang@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08hw/ppc/mac_newworld: Free openpic_irqs array after usePeter Maydell
In ppc_core99_init(), we allocate an openpic_irqs array, which we then use to collect up the various qemu_irqs which we're going to connect to the interrupt controller. Once we've called sysbus_connect_irq() to connect them all up, the array is no longer required, but we forgot to free it. Since board init is only run once at startup, the memory leak is not a significant one. Spotted by Coverity: CID 1192916. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08macio/pmu: Fix missing vmsd terminatorDr. David Alan Gilbert
Fix missing terminator in VMStateDescription Fixes: d811d61fbc6ca5f2be2185fd7cfa916e7ba613ce Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08spapr_pci: convert g_malloc() to g_new()Greg Kurz
When allocating an array, it is a recommended coding practice to call g_new(FooType, n) instead of g_malloc(n * sizeof(FooType)) because it takes care to avoid overflow when calculating the size of the allocated block and it returns FooType *, which allows the compiler to perform type checking. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2018-11-08hw/ppc/spapr_rng: Introduce CONFIG_SPAPR_RNG switch for spapr_rng.cThomas Huth
The spapr-rng device is suboptimal when compared to virtio-rng, so users might want to disable it in their builds. Thus let's introduce a proper CONFIG switch to allow us to compile QEMU without this device. The function spapr_rng_populate_dt is required for linking, so move it to a different location. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Greg Kurz <groug@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>