From f8b3e48b2d269551cd40f94770dc20da2f402325 Mon Sep 17 00:00:00 2001 From: James Hogan Date: Fri, 24 Apr 2015 11:26:52 +0100 Subject: mips/kvm: Fix Big endian 32-bit register access Fix access to 32-bit registers on big endian targets. The pointer passed to the kernel must be for the actual 32-bit value, not a temporary 64-bit value, otherwise on big endian systems the kernel will only interpret the upper half. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Leon Alrae Cc: Aurelien Jarno Cc: kvm@vger.kernel.org Cc: qemu-stable@nongnu.org Message-Id: <1429871214-23514-2-git-send-email-james.hogan@imgtec.com> Signed-off-by: Paolo Bonzini --- target-mips/kvm.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/target-mips/kvm.c b/target-mips/kvm.c index bd64a70bcd..85256f3104 100644 --- a/target-mips/kvm.c +++ b/target-mips/kvm.c @@ -235,10 +235,9 @@ int kvm_mips_set_ipi_interrupt(MIPSCPU *cpu, int irq, int level) static inline int kvm_mips_put_one_reg(CPUState *cs, uint64_t reg_id, int32_t *addr) { - uint64_t val64 = *addr; struct kvm_one_reg cp0reg = { .id = reg_id, - .addr = (uintptr_t)&val64 + .addr = (uintptr_t)addr }; return kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &cp0reg); @@ -270,18 +269,12 @@ static inline int kvm_mips_put_one_reg64(CPUState *cs, uint64_t reg_id, static inline int kvm_mips_get_one_reg(CPUState *cs, uint64_t reg_id, int32_t *addr) { - int ret; - uint64_t val64 = 0; struct kvm_one_reg cp0reg = { .id = reg_id, - .addr = (uintptr_t)&val64 + .addr = (uintptr_t)addr }; - ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &cp0reg); - if (ret >= 0) { - *addr = val64; - } - return ret; + return kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &cp0reg); } static inline int kvm_mips_get_one_ulreg(CPUState *cs, uint64 reg_id, -- cgit v1.2.3 From 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6 Mon Sep 17 00:00:00 2001 
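Review bot: kvm_mips_put_one_reg now hands the kernel the caller's int32_t directly, so the helper is only correct when reg_id encodes a 32-bit register size: the kernel copies KVM_REG_SIZE(reg_id) bytes through `.addr`, and a 64-bit id passed here would make it read 8 bytes of a 4-byte object. A comment on the prototype would make that contract explicit, e.g. `/* reg_id must carry a 32-bit size: the kernel accesses KVM_REG_SIZE(reg_id) bytes at addr */`. The same applies to kvm_mips_get_one_reg in the second hunk, where a mismatched size would now overrun the caller's int32_t on the write side instead of being absorbed by the old 64-bit temporary. Neither hunk shows the callers, so whether an assert on the id's size field is practical can't be judged from here.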
From: James Hogan Date: Fri, 24 Apr 2015 11:26:53 +0100 Subject: mips/kvm: Sign extend registers written to KVM In case we're running on a 64-bit host, be sure to sign extend the general purpose registers and hi/lo/pc before writing them to KVM, so as to take advantage of MIPS32/MIPS64 compatibility. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Leon Alrae Cc: Aurelien Jarno Cc: kvm@vger.kernel.org Cc: qemu-stable@nongnu.org Message-Id: <1429871214-23514-3-git-send-email-james.hogan@imgtec.com> Signed-off-by: Paolo Bonzini --- target-mips/kvm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/target-mips/kvm.c b/target-mips/kvm.c index 85256f3104..d287d42883 100644 --- a/target-mips/kvm.c +++ b/target-mips/kvm.c @@ -628,12 +628,12 @@ int kvm_arch_put_registers(CPUState *cs, int level) /* Set the registers based on QEMU's view of things */ for (i = 0; i < 32; i++) { - regs.gpr[i] = env->active_tc.gpr[i]; + regs.gpr[i] = (int64_t)(target_long)env->active_tc.gpr[i]; } - regs.hi = env->active_tc.HI[0]; - regs.lo = env->active_tc.LO[0]; - regs.pc = env->active_tc.PC; + regs.hi = (int64_t)(target_long)env->active_tc.HI[0]; + regs.lo = (int64_t)(target_long)env->active_tc.LO[0]; + regs.pc = (int64_t)(target_long)env->active_tc.PC; ret = kvm_vcpu_ioctl(cs, KVM_SET_REGS, ®s); -- cgit v1.2.3 From 586d2142a9f1aa5a1dceb0941e7b3f0953974a8b Mon Sep 17 00:00:00 2001 From: Gonglei Date: Fri, 10 Jul 2015 08:51:28 +0800 Subject: ppc/spapr_drc: fix memory leak fix CID 1311373. Signed-off-by: Gonglei Message-Id: <1436489490-236-3-git-send-email-arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini --- hw/ppc/spapr_drc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c index ef985381cb..ee874326ee 100644 --- a/hw/ppc/spapr_drc.c +++ b/hw/ppc/spapr_drc.c 
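Review bot: The `(int64_t)(target_long)` casts added in kvm_arch_put_registers carry no explanation in the code, and on a 64-bit target they are a no-op, so a reader will wonder why they exist; the reason from the commit message belongs next to the loop: `/* KVM wants MIPS64-canonical values: on 32-bit targets target_long is 32-bit, so this sign-extends the register */`. It is also worth confirming that the read-back in kvm_arch_get_registers (not part of this hunk) truncates symmetrically, since that path is untouched here. The enclosing function starts and ends outside the hunk.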
@@ -422,6 +422,7 @@ static void realize(DeviceState *d, Error **errp) error_free(err); object_unref(OBJECT(drc)); } + g_free(child_name); DPRINTFN("drc realize complete"); } -- cgit v1.2.3 From 5348c62cab309b68ecd13a33c9f21e8d6071af72 Mon Sep 17 00:00:00 2001 From: Gonglei Date: Fri, 10 Jul 2015 08:51:29 +0800 Subject: arm/xlnx-zynqmp: fix memory leak fix CID 1311372. Signed-off-by: Gonglei Message-Id: <1436489490-236-4-git-send-email-arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini --- hw/arm/xlnx-zynqmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c index 5e7207846e..62ef4ceb32 100644 --- a/hw/arm/xlnx-zynqmp.c +++ b/hw/arm/xlnx-zynqmp.c @@ -144,6 +144,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) } else { s->boot_cpu_ptr = &s->apu_cpu[i]; } + g_free(name); object_property_set_int(OBJECT(&s->apu_cpu[i]), GIC_BASE_ADDR, "reset-cbar", &err); @@ -181,6 +182,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) } else { s->boot_cpu_ptr = &s->rpu_cpu[i]; } + g_free(name); object_property_set_bool(OBJECT(&s->rpu_cpu[i]), true, "reset-hivecs", &err); -- cgit v1.2.3 From 24b41d66c8ad8f77839fca777b92e365dad0cf5c Mon Sep 17 00:00:00 2001 From: "Dr. David Alan Gilbert" Date: Fri, 10 Jul 2015 20:08:52 +0100 Subject: RDMA: Fix error exits The error checks I added used 'break' after the error, but I'm in a switch inside the while loop, so they need to be 'goto out'. Spotted by coverity; entries 1311368 and 1311369 Fixes: afcddefd Signed-off-by: Dr. David Alan Gilbert Message-Id: <1436555332-19076-1-git-send-email-dgilbert@redhat.com> Signed-off-by: Paolo Bonzini --- migration/rdma.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/migration/rdma.c b/migration/rdma.c index f106b2a818..74876fd7ab 100644 --- a/migration/rdma.c +++ b/migration/rdma.c 
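Review bot: In spapr_drc's realize the new `g_free(child_name)` sits on the fall-through path at the end of the function, so it only closes the leak if no branch between the allocation and this point returns early; the hunk shows neither where child_name is allocated nor whether the error branch just above it returns, so that should be confirmed (freeing at the point of last use would not depend on it). The two xlnx_zynqmp_realize hunks in the next commit have the same shape: `g_free(name)` is placed before the following property call, which is fine provided no earlier `&err` check in the same loop iteration returns before reaching it. All three enclosing functions start outside their hunks.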
@@ -2997,7 +2997,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque) (unsigned int)comp->block_idx, rdma->local_ram_blocks.nb_blocks); ret = -EIO; - break; + goto out; } block = &(rdma->local_ram_blocks.block[comp->block_idx]); @@ -3092,7 +3092,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque) (unsigned int)reg->current_index, rdma->local_ram_blocks.nb_blocks); ret = -ENOENT; - break; + goto out; } block = &(rdma->local_ram_blocks.block[reg->current_index]); if (block->is_ram_block) { @@ -3102,7 +3102,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque) block->block_name, block->offset, reg->key.current_addr); ret = -ERANGE; - break; + goto out; } host_addr = (block->local_host_addr + (reg->key.current_addr - block->offset)); @@ -3118,7 +3118,7 @@ static int qemu_rdma_registration_handle(QEMUFile *f, void *opaque) " chunk: %" PRIx64, block->block_name, reg->key.chunk); ret = -ERANGE; - break; + goto out; } } chunk_start = ram_chunk_start(block, chunk); -- cgit v1.2.3 From c6742b14fe7352059cd4954a356a8105757af31b Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 14 Jul 2015 13:45:34 +0200 Subject: memory: fix refcount leak in memory_region_present memory_region_present() leaks a reference to a MemoryRegion in the case "mr == container". While fixing it, avoid reference counting altogether for memory_region_present(), by using RCU only. The return value could in principle be already invalid immediately after memory_region_present returns, but presumably the caller knows that and it's using memory_region_present to probe for devices that are unpluggable, or something like that. The RCU critical section is needed anyway, because it protects as->current_map. Reported-by: Peter Maydell Signed-off-by: Paolo Bonzini --- memory.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/memory.c b/memory.c index 5a0cc66982..0acebb1f22 100644 
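Review bot: The four `goto out` replacements in qemu_rdma_registration_handle guard values taken from the migration stream (block_idx, current_index, current_addr, chunk), and with `break` the surrounding while loop kept consuming the stream after a rejected value, with ret possibly overwritten by a later iteration; the corrected exits are right, but nothing prevents a future `break` from being added to the same switch. A one-line comment at the top of the switch (outside these hunks), such as `/* on error use goto out: break only leaves the switch, not the while loop */`, would document the rule. The enclosing function starts and ends outside all four hunks, so the `out:` label and what it returns are not visible here.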
--- a/memory.c +++ b/memory.c @@ -1887,23 +1887,16 @@ static FlatRange *flatview_lookup(FlatView *view, AddrRange addr) sizeof(FlatRange), cmp_flatrange_addr); } -bool memory_region_present(MemoryRegion *container, hwaddr addr) -{ - MemoryRegion *mr = memory_region_find(container, addr, 1).mr; - if (!mr || (mr == container)) { - return false; - } - memory_region_unref(mr); - return true; -} - bool memory_region_is_mapped(MemoryRegion *mr) { return mr->container ? true : false; } -MemoryRegionSection memory_region_find(MemoryRegion *mr, - hwaddr addr, uint64_t size) +/* Same as memory_region_find, but it does not add a reference to the + * returned region. It must be called from an RCU critical section. + */ +static MemoryRegionSection memory_region_find_rcu(MemoryRegion *mr, + hwaddr addr, uint64_t size) { MemoryRegionSection ret = { .mr = NULL }; MemoryRegion *root; @@ -1924,11 +1917,10 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr, } range = addrrange_make(int128_make64(addr), int128_make64(size)); - rcu_read_lock(); view = atomic_rcu_read(&as->current_map); fr = flatview_lookup(view, range); if (!fr) { - goto out; + return ret; } while (fr > view->ranges && addrrange_intersects(fr[-1].addr, range)) { 
@@ -1944,12 +1936,32 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr, ret.size = range.size; ret.offset_within_address_space = int128_get64(range.start); ret.readonly = fr->readonly; - memory_region_ref(ret.mr); -out: + return ret; +} + +MemoryRegionSection memory_region_find(MemoryRegion *mr, + hwaddr addr, uint64_t size) +{ + MemoryRegionSection ret; + rcu_read_lock(); + ret = memory_region_find_rcu(mr, addr, size); + if (ret.mr) { + memory_region_ref(ret.mr); + } rcu_read_unlock(); return ret; } +bool memory_region_present(MemoryRegion *container, hwaddr addr) +{ + MemoryRegion *mr; + + rcu_read_lock(); + mr = memory_region_find_rcu(container, addr, 1).mr; + rcu_read_unlock(); + return mr && mr != container; +} + void address_space_sync_dirty_bitmap(AddressSpace *as) { FlatView *view; -- cgit v1.2.3 From becaeb726ae7da4212a788773ebdfe87b4833f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= Date: Fri, 10 Jul 2015 19:18:00 +0200 Subject: crypto: fix build with nettle >= 3.0.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In nettle 3, cbc_encrypt() accepts 'nettle_cipher_func' instead of 'nettle_crypt_func' and these two differ in 'const' qualifier of the first argument. The build fails with: In file included from crypto/cipher.c:71:0: ./crypto/cipher-nettle.c: In function ‘qcrypto_cipher_encrypt’: ./crypto/cipher-nettle.c:154:38: error: passing argument 2 of ‘nettle_cbc_encrypt’ from incompatible pointer type cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt, ^ In file included from ./crypto/cipher-nettle.c:24:0, from crypto/cipher.c:71: /usr/include/nettle/cbc.h:48:1: note: expected ‘void (*)(const void *, size_t, uint8_t *, const uint8_t *) but argument is of type ‘void (*)( void *, size_t, uint8_t *, const uint8_t *) To allow both versions, we switch to the new definition and #if typedef it for old versions. 
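Review bot: In the new memory_region_present, `mr` is evaluated after rcu_read_unlock(), which is safe only because the pointer is compared and never dereferenced; the commit message says so but the code does not. Either add `/* mr may already be gone: only its identity is compared, nothing is dereferenced */` above the return, or compute `present = mr && mr != container;` before the unlock so the question does not arise. In memory_region_find, the new `if (ret.mr)` guard before memory_region_ref differs from the old unconditional ref; that looks intentional, since the previous hunk now returns early with a NULL mr where the old code jumped past the ref via `goto out`, but it is worth stating in a comment. memory_region_find_rcu begins in the previous hunk.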
Signed-off-by: Radim Krčmář Message-Id: <1436548682-9315-2-git-send-email-rkrcmar@redhat.com> Signed-off-by: Paolo Bonzini --- configure | 4 +++- crypto/cipher-nettle.c | 16 ++++++++++------ 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/configure b/configure index 33b945530e..cc0338ddbd 100755 --- a/configure +++ b/configure @@ -2183,6 +2183,7 @@ if test "$gnutls_nettle" != "no"; then if $pkg_config --exists "nettle"; then nettle_cflags=`$pkg_config --cflags nettle` nettle_libs=`$pkg_config --libs nettle` + nettle_version=`$pkg_config --modversion nettle` libs_softmmu="$nettle_libs $libs_softmmu" libs_tools="$nettle_libs $libs_tools" QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags" @@ -4490,7 +4491,7 @@ echo "GTK support $gtk" echo "GNUTLS support $gnutls" echo "GNUTLS hash $gnutls_hash" echo "GNUTLS gcrypt $gnutls_gcrypt" -echo "GNUTLS nettle $gnutls_nettle" +echo "GNUTLS nettle $gnutls_nettle ${gnutls_nettle+($nettle_version)}" echo "VTE support $vte" echo "curses support $curses" echo "curl support $curl" @@ -4858,6 +4859,7 @@ if test "$gnutls_gcrypt" = "yes" ; then fi if test "$gnutls_nettle" = "yes" ; then echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak + echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak fi if test "$vte" = "yes" ; then echo "CONFIG_VTE=y" >> $config_host_mak diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c index e5a14bc139..e61aaa29f0 100644 --- a/crypto/cipher-nettle.c +++ b/crypto/cipher-nettle.c @@ -23,12 +23,16 @@ #include #include +#if CONFIG_NETTLE_VERSION_MAJOR < 3 +typedef nettle_crypt_func nettle_cipher_func; +#endif + typedef struct QCryptoCipherNettle QCryptoCipherNettle; struct QCryptoCipherNettle { void *ctx_encrypt; void *ctx_decrypt; - nettle_crypt_func *alg_encrypt; - nettle_crypt_func *alg_decrypt; + nettle_cipher_func *alg_encrypt; + nettle_cipher_func *alg_decrypt; uint8_t *iv; size_t niv; }; 
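Review bot: `${gnutls_nettle+($nettle_version)}` expands whenever gnutls_nettle is set, including when it is "no", so the summary prints `GNUTLS nettle no ()` when nettle was not found; `${nettle_version:+($nettle_version)}` prints the version only when one was captured. nettle_version is captured only on the pkg-config branch in the first hunk; if gnutls_nettle can become yes by any other route, the third hunk writes `CONFIG_NETTLE_VERSION_MAJOR=` with an empty value and the `#if CONFIG_NETTLE_VERSION_MAJOR < 3` in crypto/cipher-nettle.c then fails to preprocess. That depends on the part of configure not shown here, so it should be confirmed rather than assumed.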
@@ -83,8 +87,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg, des_set_key(ctx->ctx_encrypt, rfbkey); g_free(rfbkey); - ctx->alg_encrypt = (nettle_crypt_func *)des_encrypt; - ctx->alg_decrypt = (nettle_crypt_func *)des_decrypt; + ctx->alg_encrypt = (nettle_cipher_func *)des_encrypt; + ctx->alg_decrypt = (nettle_cipher_func *)des_decrypt; ctx->niv = DES_BLOCK_SIZE; break; @@ -98,8 +102,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg, aes_set_encrypt_key(ctx->ctx_encrypt, nkey, key); aes_set_decrypt_key(ctx->ctx_decrypt, nkey, key); - ctx->alg_encrypt = (nettle_crypt_func *)aes_encrypt; - ctx->alg_decrypt = (nettle_crypt_func *)aes_decrypt; + ctx->alg_encrypt = (nettle_cipher_func *)aes_encrypt; + ctx->alg_decrypt = (nettle_cipher_func *)aes_decrypt; ctx->niv = AES_BLOCK_SIZE; break; -- cgit v1.2.3 From d3462e378f40ba6838b6c42584c30769ca633e6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= Date: Fri, 10 Jul 2015 19:18:01 +0200 Subject: crypto: avoid undefined behavior in nettle calls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Calling a function pointer that was cast from an incompatible function results in undefined behavior. 'void *' isn't compatible with 'struct XXX *', so we can't cast to nettle_cipher_func, but have to provide a wrapper. (Conversion from 'void *' to 'struct XXX *' might require computation, which won't be done if we drop argument's true type, and pointers can have different sizes so passing arguments on stack would bug.) Having two different prototypes based on nettle version doesn't make this solution any nicer. Reported-by: Peter Maydell Signed-off-by: Radim Krčmář Message-Id: <1437062641-12684-3-git-send-email-rkrcmar@redhat.com> Signed-off-by: Paolo Bonzini --- crypto/cipher-nettle.c | 43 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 4 deletions(-) 
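Review bot: `#if CONFIG_NETTLE_VERSION_MAJOR < 3` treats an undefined macro as 0, so a build whose config header lacks the new symbol silently takes the nettle-2 branch and typedefs nettle_cipher_func on top of nettle 3's own definition, producing an unrelated-looking error; a guard of `#ifndef CONFIG_NETTLE_VERSION_MAJOR` / `#error "CONFIG_NETTLE_VERSION_MAJOR not set by configure"` / `#endif` before the check turns that into a clear message. The struct field change and the `(nettle_cipher_func *)` casts in qcrypto_cipher_new are consistent with each other, though the casts still convert between incompatible function pointer types; the next commit on this page deals with that. qcrypto_cipher_new starts and ends outside these hunks.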
diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c index e61aaa29f0..a55a8e8bc5 100644 --- a/crypto/cipher-nettle.c +++ b/crypto/cipher-nettle.c @@ -25,8 +25,43 @@ #if CONFIG_NETTLE_VERSION_MAJOR < 3 typedef nettle_crypt_func nettle_cipher_func; + +typedef void * cipher_ctx_t; +typedef unsigned cipher_length_t; +#else +typedef const void * cipher_ctx_t; +typedef size_t cipher_length_t; #endif +static nettle_cipher_func aes_encrypt_wrapper; +static nettle_cipher_func aes_decrypt_wrapper; +static nettle_cipher_func des_encrypt_wrapper; +static nettle_cipher_func des_decrypt_wrapper; + +static void aes_encrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length, + uint8_t *dst, const uint8_t *src) +{ + aes_encrypt(ctx, length, dst, src); +} + +static void aes_decrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length, + uint8_t *dst, const uint8_t *src) +{ + aes_encrypt(ctx, length, dst, src); +} + +static void des_encrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length, + uint8_t *dst, const uint8_t *src) +{ + des_encrypt(ctx, length, dst, src); +} + +static void des_decrypt_wrapper(cipher_ctx_t ctx, cipher_length_t length, + uint8_t *dst, const uint8_t *src) +{ + des_decrypt(ctx, length, dst, src); +} + typedef struct QCryptoCipherNettle QCryptoCipherNettle; struct QCryptoCipherNettle { void *ctx_encrypt; @@ -87,8 +122,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg, des_set_key(ctx->ctx_encrypt, rfbkey); g_free(rfbkey); - ctx->alg_encrypt = (nettle_cipher_func *)des_encrypt; - ctx->alg_decrypt = (nettle_cipher_func *)des_decrypt; + ctx->alg_encrypt = des_encrypt_wrapper; + ctx->alg_decrypt = des_decrypt_wrapper; ctx->niv = DES_BLOCK_SIZE; break; 
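Review bot: aes_decrypt_wrapper calls `aes_encrypt`, so with this patch every AES decryption runs the block encryption primitive against the decrypt key schedule and yields garbage rather than plaintext; the body should be `aes_decrypt(ctx, length, dst, src);`. The DES wrappers above and below it are paired correctly, which makes the copy-paste slip easy to overlook, and a round-trip test (encrypt, decrypt, compare with the input) in the crypto tests would catch it. The second hunk of this commit, which points alg_decrypt at this wrapper, is where the wrong primitive becomes reachable.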
@@ -102,8 +137,8 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg, aes_set_encrypt_key(ctx->ctx_encrypt, nkey, key); aes_set_decrypt_key(ctx->ctx_decrypt, nkey, key); - ctx->alg_encrypt = (nettle_cipher_func *)aes_encrypt; - ctx->alg_decrypt = (nettle_cipher_func *)aes_decrypt; + ctx->alg_encrypt = aes_encrypt_wrapper; + ctx->alg_decrypt = aes_decrypt_wrapper; ctx->niv = AES_BLOCK_SIZE; break; -- cgit v1.2.3