Commit Graph

35867 Commits

Author SHA1 Message Date
Richard W.M. Jones
f76faeda4b block/curl: Improve type safety of s->timeout.
qemu_opt_get_number returns a uint64_t, and curl_easy_setopt expects a
long (not an int).  There is no warning about the latter type error
because curl_easy_setopt uses a varargs argument.

Store the timeout (which is a positive number of seconds) as a
uint64_t.  Check that the number given by the user is reasonable.
Zero is permissible (meaning no timeout is enforced by cURL).

Cast it to long before calling curl_easy_setopt to fix the type error.

Example error message after this change has been applied:

$ ./qemu-img create -f qcow2 /tmp/test.qcow2 \
    -b 'json: { "file.driver":"https",
                "file.url":"https://foo/bar",
                "file.timeout":-1 }'
qemu-img: /tmp/test.qcow2: Could not open 'json: { "file.driver":"https", "file.url":"https://foo/bar", "file.timeout":-1 }': timeout parameter is too large or negative: Invalid argument

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 11:41:47 +00:00
Zhang Haoyu
3432a1929e snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem
If there are still pending i/o while deleting snapshot,
because deleting snapshot is done in non-coroutine context, and
the pending i/o read/write (bdrv_co_do_rw) is done in coroutine context,
so it's possible to cause concurrency problem between above two operations.
Add bdrv_drain_all() to bdrv_snapshot_delete() to avoid this problem.

Signed-off-by: Zhang Haoyu <zhanghy@sangfor.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 201410211637596311287@sangfor.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:42 +00:00
Peter Maydell
573742a543 block.c: Fix type of IoOperationType variable in send_qmp_error_event()
The local variable 'ac' in send_qmp_error_event() is declared with the
wrong type, which causes clang to complain when it is initialized
and again when it is used:

block.c:3655:20: warning: implicit conversion from enumeration type 'enum IoOperationType' to different enumeration type 'BlockErrorAction' (aka 'enum BlockErrorAction') [-Wenum-conversion]
    ac = is_read ? IO_OPERATION_TYPE_READ : IO_OPERATION_TYPE_WRITE;
       ~           ^~~~~~~~~~~~~~~~~~~~~~
block.c:3655:45: warning: implicit conversion from enumeration type 'enum IoOperationType' to different enumeration type 'BlockErrorAction' (aka 'enum BlockErrorAction') [-Wenum-conversion]
    ac = is_read ? IO_OPERATION_TYPE_READ : IO_OPERATION_TYPE_WRITE;
       ~                                    ^~~~~~~~~~~~~~~~~~~~~~~
block.c:3656:62: warning: implicit conversion from enumeration type 'BlockErrorAction' (aka 'enum BlockErrorAction') to different enumeration type 'IoOperationType' (aka 'enum IoOperationType') [-Wenum-conversion]
    qapi_event_send_block_io_error(bdrv_get_device_name(bs), ac, action,
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                           ^~

Correct the type to IoOperationType, and rename the variable
to 'optype' to match its correct type.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Message-id: 1412969583-21045-1-git-send-email-peter.maydell@linaro.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Adam Crume
be21788495 rbd: Add support for bdrv_invalidate_cache
This fixes Ceph issue 2467: ttp://tracker.ceph.com/issues/2467

[Dropped return r in void function as suggested by Josh Durgin
<josh.durgin@inktank.com>.
--Stefan]

Signed-off-by: Adam Crume <adamcrume@gmail.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1412880272-3154-1-git-send-email-adamcrume@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Denis V. Lunev
da725d0b0e block/parallels: fix access to not initialized memory in catalog_bitmap
found by valgrind.

Command: ./qemu-img convert -f parallels -O qcow2 1.hds 1.img
Invalid read of size 4
   at 0x17D0EF: parallels_co_read (parallels.c:357)
   by 0x11FEE4: bdrv_aio_rw_vector (block.c:4640)
   by 0x11FFBF: bdrv_aio_readv_em (block.c:4652)
   by 0x11F55F: bdrv_co_readv_em (block.c:4862)
   by 0x123428: bdrv_aligned_preadv (block.c:3056)
   by 0x1239FA: bdrv_co_do_preadv (block.c:3162)
   by 0x125424: bdrv_rw_co_entry (block.c:2706)
   by 0x155DD9: coroutine_trampoline (coroutine-ucontext.c:118)
   by 0x6975B6F: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)

The problem is that s->catalog_bitmap is allocated/filled as
gmalloc(s->catalog_size) thus index validity check must be
inclusive, i.e. index >= s->catalog_size is invalid.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1412759610-2257-4-git-send-email-den@openvz.org
CC: Jeff Cody <jcody@redhat.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Denis V. Lunev
76823c6e79 iotests: add v2 parallels sample image and simple test for it
This is simple test image for the following commit made by me.

    commit d25d598020
    Author: Denis V. Lunev <den@openvz.org>
    Date:   Mon Jul 28 20:23:55 2014 +0400
    parallels: 2TB+ parallels images support

Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1412759610-2257-3-git-send-email-den@openvz.org
CC: Jeff Cody <jcody@redhat.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Denis V. Lunev
285030b0de iotests: replace fake parallels image with authentic one
The image was generated using http://openvz.org/Ploop utility and properly
filled with the same content as original one.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1412759610-2257-2-git-send-email-den@openvz.org
CC: Jeff Cody <jcody@redhat.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Chris Spiegel
ba2b22888c snapshot: Reset err to NULL to avoid double free
If an error occurs in bdrv_snapshot_delete_by_id_or_name(), "err" is
freed.  If "err" is not set to NULL before calling
bdrv_snapshot_delete_by_id_or_name() again, it will not be updated on
error, and will be freed again.

This can be triggered by starting a VM with at least two drives and then
attempting to delete a non-existent snapshot.

Broken in commit a89d89d.

Signed-off-by: Chris Spiegel <chris.spiegel@cypherpath.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1412613225-32676-1-git-send-email-chris.spiegel@cypherpath.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
54a7f8f38d ahci: Fix SDB FIS Construction
The SDB FIS creation was mangled;
We were writing the error byte to byte 0,
and omitting the SDB FIS magic byte.

Though the SDB packet layout states that:
byte 0: Must be 0xA1 to indicate SDB FIS.
byte 1: Port multiplier select & other flags
byte 2: status byte.
byte 3: error byte.

This patch adds an SDB FIS structure with
human-readable names, and ensures that we
are filling the structure appropriately.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-7-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
659142ecf7 ahci: Update byte count after DMA completion
Currently, DMA read/write operations neglect to update
the byte count after a successful transfer like ATAPI
DMA read or PIO read/write operations do.

We correct this oversight by adding another callback into
the IDEDMAOps structure. The commit callback is called
whenever we are cleaning up a scatter-gather list.
AHCI can register this callback in order to update post-
transfer information such as byte count updates.

We use this callback in AHCI to consolidate where we delete
the SGlist as generated from the PRDT, as well as update the
byte count after the transfer is complete.

The QEMUSGList structure has an init flag added to it in order
to make qemu_sglist_destroy a nop if it is called when
there is no sglist, which simplifies cleanup and error paths.

This patch fixes several AHCI problems, notably Non-NCQ modes
of operation for Windows 7 as well as Hibernate support for Windows 7.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-3-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
John Snow
7b8bad1b6a ahci: Correct PIO/D2H FIS responses
Currently, the D2H FIS packets AHCI generates simply parrot back
the LBA that the guest sent to us in the cmd_fis. However, some
commands (like READ NATIVE MAX) modify the LBA registers as a
return value, through which the AHCI D2H FIS is the only response
mechanism. Thus, the D2H response should use the current register
values, not the initial ones.

This patch adjusts the LBA and drive select register responses for
PIO Setup and D2H FIS response packets.

Additionally, the PIO and D2H FIS responses copy too many bytes
from the command FIS that it is being generated from. Specifically,
byte 11 which is the Features(15:8) field for Register Host to
Device FIS packets, is instead reserved for the PIO Setup FIS and
should always be 0.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1412204151-18117-2-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
dc9e716369 block/iscsi: check for oversized requests
Cancel oversized requests early. They would generate
an iSCSI protocol error anyway; after having transferred
possibly a lot of data over the wire.

Suggested-By: Max Reitz <mreitz@redhat.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
3dab155154 block/iscsi: use sector_limits_lun2qemu throughout iscsi_refresh_limits
As Max pointed out there is a hidden cast from int64_t to int for all
limits. So use the newly introduced sector_limits_lun2qemu for all
limits received from the target.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
6c5a42ac34 block: avoid creating oversized writes in multiwrite_merge
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
52f6fa1430 block/iscsi: set max_transfer_length
Copy the max_xfer_len from the BlockLimits VPD or use the
maximum value fitting in the CDB.

The helper function sector_limits_lun2qemu is introduced to convert
and cap the limits from the VPD to the maximum power of two fitting
in an integer; integer is the range for nb_sectors throughout
the block layer.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
2647fab57d BlockLimits: introduce max_transfer_length
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Peter Lieven
ac3a872664 util: introduce MIN_NON_ZERO
at least in block layer we have the case of limits being defined for a
BlockDriverState. However, in this context often zero (0) has the special
meanining of undefined which means no limit. If two of those limits are
combined and the minimum is needed the minimum function should only return
zero if both parameters are zero.

Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-03 09:48:41 +00:00
Aurelien Jarno
0a2923f848 tcg/mips: fix store softmmu slow path
Commit 9d8bf2d1 moved the softmmu slow path out of line and introduce a
regression at the same time by always calling tcg_out_tlb_load with
is_load=1. This makes impossible to run any significant code under
qemu-system-mips*.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2014-11-02 13:30:00 +01:00
Peter Maydell
ee29498e4f Merge remote-tracking branch 'remotes/sstabellini/xen-2014-10-30' into staging
* remotes/sstabellini/xen-2014-10-30:
  fix off-by-one error in pci_piix3_xen_ide_unplug
  xen-hvm.c: Add support for Xen access to vmport

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 20:28:09 +00:00
Peter Maydell
4239e2dc01 vmware-vga: add rectangle verification (CVE-2014-3689)
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUUNNZAAoJEEy22O7T6HE4S3YP/jEHyGtodT6+Q2sTOFWX7y4q
 q4JP+xRONdLnY//7Xe8F2cZQffH0W5QS8DJxf4SaRVDVk2e2tvK2P9XiaMkekOEC
 zzfKxbvGozD4w2yrhVNAlQb4l1c09jcBuoa4T3JEXwdH28sq9TuOmGLNky7oEG2W
 nVEXcO14yMDHKCurbZuzvwxoc25XwY8Y2vTW558iLvGzFzXLMt3fIp2MIIcmQL1c
 lWQ2+6Ajeh2KzjpiWFym6fvMko3rM+IpdhYLNQE7PbbzsD9SynwWxnC3P6xSuSv9
 WFMz1RWcoDOylosnXmjQgZFgpgwl2jnfX4MWDclWO3z0ooGgchKnR4b1eWyefV6b
 oFsG8Pl2duESYRyojhnglXoTqQnT/lf0j+MoeVWkMSADSYgKoGYIVwNtdFM4LXY2
 0hlnuJl4uKbdCGmi1UWZ517h4sU1cdf4NuaQDLjkr2p4GREvGsUvww7ae++cxJtL
 xiqnheJOjrg6qM+P+N6x9Iqd3ChcsFF3xu5nKH/iO4nXgdsiL4sBqA0iUsVvujXV
 AQZyxBka81sXEdZBH1nOFuTj14TaStl8OCLWz2iOQj4fqAaMoibDeoSVUXnzo3CI
 HZ4fGnJ9j17qOJAv5VL8XnUOp8ZFGFpTFkVHhuZkqZyaMlP1t0ujpP/cUXrS1+Hm
 yabN/p6vO063JE23JN9W
 =Z1KH
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3689-20141029-1' into staging

vmware-vga: add rectangle verification (CVE-2014-3689)

# gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2014-3689-20141029-1:
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
  vmware-vga: add vmsvga_verify_rect
  vmware-vga: CVE-2014-3689: turn off hw accel

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 19:11:25 +00:00
Peter Maydell
fecd54ccd7 vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT3VvAAoJEEy22O7T6HE4P8YP/ietMLSUkbt0UYOaFs4cyb4P
 Eb/omvVgA2nxgpJErovNq3nNHeRsHzo479Vm04CaNBavVZgT+4YiYhcMN2SsepqT
 SnzZ4YiuQ9VMIma4CeAvizjXCutQ9BDQAu6RkVv50TqqMgfzaxE7tcxKQgocYxDd
 CJdBB81/9g2IybHYhwyQUeh6Lra2Wh7N1JfKUt9bfRnGqVTgKeshrdZkwArsjUEa
 MwvVt7u6beGGOCAdVJRJMUzi8WzX0bQRpS9SoFYoLvRwsf+HIJQh16aJ9tDnqJpu
 Vv7xTnkmIFi13NhbPReVhS7f4qgAcDO718/A2KbHcml7EF3E78/zwVFQfAd4yqXc
 YyySdh8k2zsQ+F0YfX2N7soDM9eRtFdWj/Df6z+VqPDn/X0t8HmVZk7GAxHVg7cG
 4UT44v1g0RBIN381PnckPhQCX/1s0U8wRQTstuKJO9x7WpI5rKIAS/WDdFJkwm9V
 LDqBYlk44VAwSgAt5gas5b7efrhUPAECAA8HaX1Xjs0WIb5vzB3le/WEjbWc7XFn
 sORIJCE5+jBi0G0NQ21KaO7RocE21cFOGCgwJuAGcgboSzXAJc1z5+4RozerUaMK
 jjkIEk826AcFR1kL3xjPAeJ4qo4pJO3OhcWqQrRGpCL88s9eFe3pp+2FlZDNj01R
 SjQN3h4g9js4nYFF2o7v
 =Y163
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20141028-1' into staging

vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)

# gpg: Signature made Tue 28 Oct 2014 10:52:31 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20141028-1:
  vnc: return directly if no vnc client connected
  vnc: sanitize bits_per_pixel from the client

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 18:21:25 +00:00
Peter Maydell
f33f43bd86 Fixes for libcacard (usb smartcard emulation), xhci and uhci.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT3J4AAoJEEy22O7T6HE4CXoQAKII8pelQ7DuP6OgrkFzQ1h5
 W17Nx/0mwsw7OatTNgV9uwdFp9zojZBIw15XPJSG2tbaf5Cc+f8rTU9x4W78xDzm
 Q2jgD0UXQm/cQVseUbCc3aDiP0g4N73E4PhkaYbTEk2/wctDkxV0ILNhJBWVtx/A
 q4qAB+9jVhgYY61JSwSxHSneSe8hu3Gos7y40J/lqwEvd3yzY0G/uXF1myw5NNf9
 KFFjSOloLtoO/FaYg4VRY3e7QpMj2YlyytbDaG4+SMOzfZ6+P8thMbG3tWBDTSz0
 ggghS85cL7BBH8bCvatvVhL8YPqrt8k8eP4UkdaTL3ZnHjlW2/RFbHw6oao+//ev
 QOmXuAkuwH2HUAo1PUgmKmC3cHGuCiOYlNvsTQ87LBTLLCt822ugD1wZUgCleXpd
 1U6q9wxFeW65mKRrkC3JFCp2ljFgb4oxN6e4k0C1Naz4QKQjBKZTJWoTxzt6U56s
 ZnivZETvtP9TV1q8j09Hx/r8+sIG8UqFK84EMMQ8dglYdsTZB8TgzUebyUy6RiYE
 2ahNi35UDn2oW+NE3Eof4p8SO1Cxas/p9ylfJZZJ0EaMJkr5AJ0KBgW4i7Lz/WPQ
 Jy/DlmIyiipz0C/LL+tl8m4l/CtdhhZqeI4G/doJ6BxYZ0qH+pPyxC7BpK1ySUzs
 kMm7LrIkhVoTQ7pwpsN7
 =uT+E
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20141028-1' into staging

Fixes for libcacard (usb smartcard emulation), xhci and uhci.

# gpg: Signature made Tue 28 Oct 2014 10:39:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20141028-1:
  uhci: remove useless DEBUG
  xhci: add property to turn on/off streams support
  libcacard: don't free sign buffer while sign op is pending
  libcacard: Lock NSS cert db when selecting an applet on an emulated card
  libcacard: introduce new vcard_emul_logout

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 17:04:29 +00:00
Peter Maydell
3c1d9a15be gtk: fix two warnings with gtk 3.14+
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUT28wAAoJEEy22O7T6HE4deIQAKq6eHQCWqhlVoceRdyNKngV
 8x+daiocmv8SJ0BP/fXaJYO1PPHbk/xrkao9JGRMwQp4e3k0HN6qLDw2/I3CrlBp
 O9zKOHDl2LO7+RmEnSjDq071guG1WN9BLxW9sJwI1yYUHK5EnUhP0O97L4G1zfEW
 iI4NCjx0UKhiGGxukWRv0CmSpP64MAvazv2fQwCYM/SlB6vkshEfbGgAL+phQrb5
 VZFh+p7R3zKNmNX4i/GzO49rJ+7ak8eqWbjEnGorD12OH7A/7tHW94w7CrdGBkw/
 uXKkRI7mZ0KY5PY35T4pox3/5wcYIeqfLxW62TJVwLpmeWsnz40nnGsKsq77xzKl
 yFbEABxgPTi8CQflwcrlDf6aXG5v0EpS6bCLJjqmNv/aWbC5igB1Qp6kP8wPWuhS
 Dguo7PDRjxwX6BKabTjKEvVP94VimekghLXXqJk/IwWIr4Nuqa08tOierTKGubli
 q0j/IDE400qgrRcyeIs5zeFIFfo8WBZLIpqrDchjlaCjTn28n5y0ZoE1w0fnDZa4
 VwRfYhBR6c3S6Lst/WRRfFrqAXq5mqASAlOFF4tBIP8cLuhJh/zNfi7KRoVl1tOi
 6a/qOZDCP8rVO8oZlGhrAtHkY0VWZW3wgmeKebVi8xTuYvSrEXoYYLTAcU97qr16
 x8G/kU66xzcU9F7HAgKK
 =HpFW
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20141028-1' into staging

gtk: fix two warnings with gtk 3.14+

# gpg: Signature made Tue 28 Oct 2014 10:25:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20141028-1:
  gtk: avoid gd_widget_reparent with gtk 3.14+
  gtk: drop gtk_widget_set_double_buffered call

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 14:45:53 +00:00
James Harper
d4f9e806c2 fix off-by-one error in pci_piix3_xen_ide_unplug
Fix off-by-one error when unplugging disks, which would otherwise leave the last ATA disk plugged, with obvious consequences. Also rewrite loop to be more readable.

Signed-off-by: James Harper <james.harper@ejbdigital.com.au>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-10-30 14:16:39 +00:00
Don Slutz
37f9e258b6 xen-hvm.c: Add support for Xen access to vmport
This adds synchronisation of the 6 vcpu registers (only 32bits of
them) that vmport.c needs between Xen and QEMU.

This is to avoid a 2nd and 3rd exchange between QEMU and Xen to
fetch and put these 6 vcpu registers used by the code in vmport.c
and vmmouse.c

The registers are passed in the new shared page provided by
HVM_PARAM_VMPORT_REGS_PFN.

Add new array to XenIOState that allows selection of current_cpu by
vcpu id.

Now pass XenIOState to handle_ioreq().

Add new routines regs_to_cpu(), regs_from_cpu(), and
handle_vmport_ioreq().

Signed-off-by: Don Slutz <dslutz@verizon.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-10-30 14:16:38 +00:00
Peter Maydell
08118672d0 virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJUTmDNAAoJEL/70l94x66DPb0IAKKhf8IRfQZPEQgOWD2YeANd
 vwAZ4JcqAl2/dbeOTrs5TXOWdoNVXUFDmeHh4zsgUB7poxsOqZ/M7N844UGR5duC
 f4fKYXAkjyqocKH7dbpf/S+YuJtU40qowI02HQeEmGpZaJUjmfMAFwrguqerdMaB
 pGA79948XeoAjP8jNgf1EqCqLi31GBEfiU2q05xLKxd+M0xSFIM7IM2hGZfFv7Hq
 bbE2CGuCyj4NST/GH2C/22QBz9MyqFaL2prtDqoMugAHTKE7vO/rpFti9oTDRCXa
 x8U/JcBf/puBNI+Kq+cdxTJicwIuqrcBkNmjP9sLv/nJ37QwEG06VDCd4Xj9mEs=
 =zXqD
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.

# gpg: Signature made Mon 27 Oct 2014 15:12:13 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (28 commits)
  aio / timers: De-document -clock
  hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
  virtio-scsi: sense in virtio_scsi_command_complete
  target-i386: add Intel AVX-512 support
  get_maintainer.pl: restrict cases where it falls back to --git
  get_maintainer.pl: move git loop under "if ($email) {"
  qtest: fix qtest log fd should be initialized before qtest chardev
  MAINTAINERS: avoid M entries that point to mailing lists
  MAINTAINERS: add some tests directories
  MAINTAINERS: Add more TCG files
  MAINTAINERS: add myself for X86
  MAINTAINERS: add Samuel Thibault as usb-serial.c and baum.c maintainer
  MAINTAINERS: grab more files from Anthony's pile
  target-i386: warns users when CPU threads>1 for non-Intel CPUs
  sysbus: Use TYPE_DEVICE GPIO functionality
  qdev: gpio: Define qdev_pass_gpios()
  qdev: gpio: Remove qdev_init_gpio_out x1 restriction
  qdev: gpio: delete NamedGPIOList::out
  irq: Remove qemu_irq_intercept_out
  qtest/irq: Rework IRQ interception
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 13:35:12 +00:00
Paolo Bonzini
cbd5ac6991 virtio: link the rng backend through an alias property
The virtio-rng backend is currently linked twice, once in the proxy
device (e.g. virtio-rng-pci) and once in virtio-rng-device.  This causes
a double unref of the backend when the parent device is unplugged.

To fix this, make the proxy device use an alias, similar to what is
already being done for the iothread link.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Message-id: 1414577839-18695-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 12:59:27 +00:00
Gerd Hoffmann
bd9ccd8517 vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:30 +01:00
Gerd Hoffmann
61b41b4c20 vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:26 +01:00
ChenLiang
9d6b207047 vnc: return directly if no vnc client connected
graphic_hw_update and vnc_refresh_server_surface aren't
need to do when no vnc client connected. It can reduce
lock contention, because vnc_refresh will hold global big
lock two millisecond every three seconds.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:51:04 +01:00
Petr Matousek
e6908bfe8e vnc: sanitize bits_per_pixel from the client
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>

[ kraxel: apply codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:51:04 +01:00
Gonglei
a65e4ef90f uhci: remove useless DEBUG
commit 50dcc0f8 (uhci: tracing support) had removed
DPRINTF, the DEBUG marco is useless now, remove it.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Gerd Hoffmann
2aa6bfcb66 xhci: add property to turn on/off streams support
streams support in usb-redir and usb-host works only with recent enough
versions of the support libraries (libusbredir and libusbx).  Failure
mode is rather unelegant:  Any stream usb transfers will throw stall
errors.  Turning off support for streams in the xhci host controller
will work better as the guest can figure beforehand that streams are
not going to work.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
81b49e8f89 libcacard: don't free sign buffer while sign op is pending
commit 57f97834ef cleaned up
the cac_applet_pki_process_apdu function to have a single
exit point. Unfortunately, that commit introduced a bug
where the sign buffer can get free'd and nullified while
it's still being used.

This commit corrects the bug by introducing a boolean to
track whether or not the sign buffer should be freed in
the function exit path.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Alon Levy <alon@pobox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
1223bc4cee libcacard: Lock NSS cert db when selecting an applet on an emulated card
When a process in a guest uses an emulated smartcard, libcacard running
on the host passes the PIN from the guest to the PK11_Authenticate NSS
function. The first time PK11_Authenticate is called the passed in PIN
is used to unlock the certificate database. Subsequent calls to
PK11_Authenticate will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.

Of course, the guest may have many applications using the one emulated
smart card all driven from the same host QEMU process.  That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
successfully unlock the virtual smartcard.

This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Ray Strode
f032cfab61 libcacard: introduce new vcard_emul_logout
vcard_emul_reset currently only logs NSS out, but there is a TODO
for potentially sending insertion/removal events when powering down
or powering up.

For clarity, this commit moves the current guts of vcard_emul_reset to
a new vcard_emul_logout function which will never send insertion/removal
events. The vcard_emul_reset function now just calls vcard_emul_logout,
but also retains its TODO for watching power state transitions and sending
insertion/removal events.

Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:38:18 +01:00
Gerd Hoffmann
316cb068bd gtk: avoid gd_widget_reparent with gtk 3.14+
gtk_widget_reparent is depricated in gtk 3.14, stop using it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:25:14 +01:00
Gerd Hoffmann
987fec54e1 gtk: drop gtk_widget_set_double_buffered call
Dunno why it is here.  Removing it seems to have no ill side effects.
It is depricated in 3.14+.  In some cases it has no effect since 3.10
according to the docs:

https://developer.gnome.org/gtk3/stable/GtkWidget.html#gtk-widget-set-double-buffered

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-28 11:25:14 +01:00
Gerd Hoffmann
1735fe1edb vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:08 +01:00
Gerd Hoffmann
07258900fd vmware-vga: add vmsvga_verify_rect
Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:04 +01:00
Gerd Hoffmann
83afa38eb2 vmware-vga: CVE-2014-3689: turn off hw accel
Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:39:58 +01:00
Markus Armbruster
e218052f92 aio / timers: De-document -clock
Commit 6d32717 "aio / timers: Remove alarm timers" has issues:

1. It silently ignores -clock for backward compatibility.
Incompatible change: -clock help no longer terminates the program.
Tolerable.

2. Failed to update option documentation.  In particular, -help still
advises users to try -clock help for available timers.  Drop all
documentation on -clock.

3. The 'query-alarm-clock' example in docs/writing-commands.txt no
longer works, and needs to be redone.  Can't do that right now, so I
just stick in a FIXME.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:11:45 +01:00
Bin Wu
024d9adc79 hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
The local variable "type" in virtio_scsi_handle_ctl represents the tmf
command type from the guest and it has the same meaning as the
req->req.tmf.type. However, before the invoking of virtio_scsi_parse_req
the req->req.tmf.type doesn't has the correct value(just initialized to
zero). Therefore, we need to use the "type" variable to judge the case.

Cc: qemu-stable@nongnu.org
Signed-off-by: Bin Wu <wu.wubin@huawei.com>
[Actually make it compile, "type" must be uint32_t in order to pass
 it to virtio_tswap32s. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:11:45 +01:00
Ting Wang
b7890c40e5 virtio-scsi: sense in virtio_scsi_command_complete
If req->resp.cmd.status is not GOOD, the address of sense for
qemu_iovec_from_buf should be modified from &req->resp to sense.

Cc: qemu-stable@nongnu.org
Signed-off-by: Ting Wang <kathy.wangting@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-27 16:10:53 +01:00
Jan Kiszka
3e9418e160 Revert "main-loop.c: Handle SIGINT, SIGHUP and SIGTERM synchronously"
This reverts commit 15124e1420. It breaks
debuggability of qemu and is no longer needed as the problem has
now been addressed in a different way.

Instead we provide a comment about why these signals must be
handled asynchronously.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
[PMM: added comment]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-27 15:05:09 +00:00
Jan Kiszka
817ef04db2 Make qemu_shutdown_requested signal-safe
qemu_shutdown_requested may be interrupted by qemu_system_killed. If the
latter sets shutdown_requested after qemu_shutdown_requested has read it
but before it was cleared, the shutdown event is lost. Fix this by using
atomic_xchg.

This provides a different fix for the problem which commit 15124e142
attempts to deal with. That commit breaks use of ^C to drop into gdb,
and so this approach is better (and 15124e142 can be reverted).

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
[PMM: commit message tweak]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-27 14:09:27 +00:00
Chao Peng
9aecd6f8ae target-i386: add Intel AVX-512 support
Add AVX512 feature bits, register definition and corresponding
xsave/vmstate support.

Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 18:03:14 +02:00
Peter Maydell
ff0d48768b MAINTAINERS: add myself under 'general project admin' section
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Acked-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1413405052-4527-1-git-send-email-peter.maydell@linaro.org
2014-10-24 14:30:18 +01:00
Leon Alrae
6f64091786 MAINTAINERS: add myself as MIPS guest cores co-maintainer
Add myself to the maintainer list for MIPS guest cores and update the status
from "Odd Fixes" to "Maintained".

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 1413459487-13658-1-git-send-email-leon.alrae@imgtec.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 14:28:18 +01:00
Leon Alrae
74dda9876b target-mips: add ULL suffix in bitswap to avoid compiler warning
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Message-id: 1413982829-27225-1-git-send-email-leon.alrae@imgtec.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-24 14:07:51 +01:00