- 02 Apr, 2015 2 commits
-
-
Peter Maydell authored
Commits 6e05a12f and db25a158 both attempt to fix the same "failed to free memory containing flash filename" bug, with the effect that when they were both applied we ended up freeing the memory twice. Delete the spurious extra free.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1427968334-14527-1-git-send-email-peter.maydell@linaro.org
-
Shannon Zhao authored
As 4de9a883 (hw/arm/virt: Fix memory leak reported by Coverity) and 6e05a12f (arm: fix memory leak) both handle the memory leak reported by Coverity, this causes qemu corruption due to double free.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1427944026-8968-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
- 01 Apr, 2015 18 commits
-
-
Peter Maydell authored
target-arm:
 * Fix broken migration on AArch64 KVM
 * Fix minor memory leaks in virt, vexpress, highbank
 * Honour requested filename when loading highbank rom image

# gpg: Signature made Wed Apr 1 18:06:09 2015 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20150401:
  target-arm: kvm64 fix save/restore of SPSR regs
  target-arm: kvm64 sync FP register state
  hw/intc: arm_gic_kvm.c restore config first
  target-arm: kvm: save/restore mp state
  target-arm: Store SPSR_EL1 state in banked_spsr[1] (SPSR_svc)
  hw/arm/virt: Fix memory leak reported by Coverity
  hw/arm/vexpress: Fix memory leak reported by Coverity
  hw/arm/highbank: Fix resource leak and wrong image loading

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Alex Bennée authored
The current code was negatively indexing the cpu state array and not synchronizing banked spsr register state with the current mode's spsr state, causing occasional failures with migration. Some munging is done to take care of the aarch64 mapping and also to ensure the most current value of the spsr is updated to the banked registers (relevant for KVM<->TCG migration).

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Alex Bennée authored
For migration to work we need to sync all of the register state. This is especially noticeable when GCC starts using FP registers as spill registers even with integer programs.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Alex Bennée authored
As there is logic to deal with the difference between edge and level triggered interrupts in the kernel we must ensure it knows the configuration of the IRQs before we restore the pending state.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Alex Bennée authored
This adds the saving and restore of the current Multi-Processing state of the machine. While the KVM_GET/SET_MP_STATE API exposes a number of potential states for x86 we only use two for ARM. Either the process is running or not. We then save this state into the cpu_powered TCG state to avoid changing the serialisation format.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Peter Maydell authored
The AArch64 SPSR_EL1 register is architecturally mandated to be mapped to the AArch32 SPSR_svc register. This means its state should live in QEMU's env->banked_spsr[1] field. Correct the various places in the code that incorrectly put it in banked_spsr[0].

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Stefan Weil authored
As the conditional statement had to be split anyway, we can also add a better error report message.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426877982-3603-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Stefan Weil authored
As the conditional statement had to be split anyway, we can also add a better error report message.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426877963-3556-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Stefan Weil authored
Coverity reports a resource leak for sysboot_filename which is allocated by qemu_find_file. In addition, that name is used to get the size of the image, but a different image name was used to load it. In addition, instead of passing the maximum allowed image size the actual image size was passed to load_image_targphys. Fix all three issues.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426326781-2488-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Peter Maydell authored
vnc: fix websocket security issues (cve-2015-1779).

# gpg: Signature made Wed Apr 1 16:14:34 2015 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2015-1779-20150401-2:
  CVE-2015-1779: limit size of HTTP headers from websockets clients
  CVE-2015-1779: incrementally decode websocket frames

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Daniel P. Berrange authored
The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious to trick QEMU into consuming an arbitrary amount of RAM. In practice, because QEMU runs g_strstr_len() across the buffered header data, it will spend increasingly long burning CPU time searching for the substring match and less & less time reading data. So while this does cause arbitrary memory growth, the bigger problem is that QEMU will be burning 100% of available CPU time.

A novnc websockets client typically sends headers of around 512 bytes in length. As such it is reasonable to place a 4096 byte limit on the amount of data buffered while searching for the end of HTTP headers.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
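As an added example (not QEMU's code) of the bound the commit above describes, here is a header reader that buffers at most 4096 bytes while looking for \r\n\r\n and scans each arriving chunk only once, so neither memory nor CPU time grows with what the client chooses to send. The HEADER_LIMIT name, the hdr_reader struct and the chunk-feeding API are assumptions of this example.

```c
/* Added example, not QEMU's code: a bounded, incremental search for the end
 * of the HTTP handshake headers ("\r\n\r\n") sent by a websockets client.
 * Two properties are enforced:
 *   1. at most HEADER_LIMIT bytes are ever buffered (QEMU chose 4096);
 *   2. each new chunk is scanned once, so CPU cost stays linear in the
 *      bytes received instead of rescanning the whole buffer every time. */
#include <stddef.h>
#include <string.h>

#define HEADER_LIMIT 4096   /* same cap as the QEMU fix */

enum hdr_state { HDR_NEED_MORE = 0, HDR_COMPLETE = 1, HDR_TOO_LARGE = -1 };

struct hdr_reader {
    char   buf[HEADER_LIMIT];
    size_t len;       /* bytes buffered so far */
    size_t scanned;   /* bytes already checked for the terminator */
    size_t hdr_end;   /* offset just past "\r\n\r\n" once found */
};

void hdr_reader_init(struct hdr_reader *r)
{
    memset(r, 0, sizeof *r);
}

/* Feed one chunk of client data.  Returns HDR_COMPLETE once the terminator
 * is seen, HDR_TOO_LARGE if the cap is reached first (the server should
 * close the connection), and HDR_NEED_MORE otherwise. */
enum hdr_state hdr_reader_feed(struct hdr_reader *r, const char *data, size_t n)
{
    if (n > HEADER_LIMIT - r->len) {
        return HDR_TOO_LARGE;   /* would exceed the cap: reject without buffering */
    }
    memcpy(r->buf + r->len, data, n);
    r->len += n;

    /* Resume three bytes before the previously scanned end so a terminator
     * split across two chunks is still found, but never rescan further back. */
    size_t start = r->scanned > 3 ? r->scanned - 3 : 0;
    for (size_t i = start; i + 4 <= r->len; i++) {
        if (memcmp(r->buf + i, "\r\n\r\n", 4) == 0) {
            r->hdr_end = i + 4;
            return HDR_COMPLETE;
        }
    }
    r->scanned = r->len;
    return r->len == HEADER_LIMIT ? HDR_TOO_LARGE : HDR_NEED_MORE;
}
```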
-
Daniel P. Berrange authored
The logic for decoding websocket frames wants to fully decode the frame header and payload, before allowing the VNC server to see any of the payload data. There is no size limit on websocket payloads, so this allows a malicious network client to consume 2^64 bytes in memory in QEMU. It can trigger this denial of service before the VNC server even performs any authentication. The fix is to decode the header, and then incrementally decode the payload data as it is needed. With this fix the websocket decoder will allow at most 4k of data to be buffered before decoding and processing payload. Signed-off-by:
Daniel P. Berrange <berrange@redhat.com> [ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ] @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input, - *payload_size = input->offset; + *payload_size = *payload_remain; [ kraxel: fix 32bit build ] @@ -306,7 +306,7 @@ struct VncState - uint64_t ws_payload_remain; + size_t ws_payload_remain; Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com>
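Review bot: In the vncws_decode_frame_payload hunk, `*payload_size = *payload_remain;` reports the payload still outstanding rather than the amount of data currently buffered, which is what the replaced `input->offset` expressed; confirm that the caller clamps payload_remain to the bytes actually present in `input` before this assignment, since otherwise a consumer that reads payload_size bytes could run past the buffered data. If that clamp lives elsewhere, a one-line comment at this site saying so would save the next reader the search.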
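Review bot: In the struct VncState hunk, narrowing `ws_payload_remain` from `uint64_t` to `size_t` fixes the 32-bit build but means a 64-bit payload length taken from a websocket frame header no longer fits on 32-bit hosts; the header decoder should reject or cap lengths above what size_t can hold before storing into this field, or the remaining count will silently truncate. The assignment site deserves an explicit range check rather than an implicit conversion.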
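The incremental approach the commit above describes, as an added example that is not QEMU's code: the frame header is decoded once, and payload bytes are unmasked as they arrive in bounded chunks, so memory use never tracks the length a client declares. The ws_decoder struct, the WS_CHUNK name and the two function signatures are assumptions of this example.

```c
/* Added example, not QEMU's code: an incremental websocket (RFC 6455) frame
 * decoder in the spirit of the CVE-2015-1779 fix.  The header is parsed once;
 * payload bytes are then unmasked as they arrive, at most WS_CHUNK per call,
 * so memory use never depends on the length a client declares. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WS_CHUNK 4096   /* cap on payload handled per call, as in the fix */

struct ws_decoder {
    uint64_t payload_remain; /* payload bytes of the current frame still to decode */
    uint64_t payload_pos;    /* bytes decoded so far, drives the mask index */
    uint8_t  mask[4];
};

/* Parse a client->server frame header from buf[0..n).  Returns the header
 * length on success, 0 if more bytes are needed, -1 on a protocol error
 * (RSV bits set, unmasked frame, or a 64-bit length with its top bit set). */
int ws_decode_header(struct ws_decoder *d, const uint8_t *buf, size_t n)
{
    if (n < 2) return 0;
    if (buf[0] & 0x70) return -1;          /* RSV1-3 must be zero without extensions */
    if (!(buf[1] & 0x80)) return -1;       /* clients must mask every frame */
    uint64_t len = buf[1] & 0x7f;
    size_t hdr = 2;
    if (len == 126) {
        if (n < 4) return 0;
        len = ((uint64_t)buf[2] << 8) | buf[3];
        hdr = 4;
    } else if (len == 127) {
        if (n < 10) return 0;
        len = 0;
        for (int i = 0; i < 8; i++) len = (len << 8) | buf[2 + i];
        if (len >> 63) return -1;          /* most significant bit must be 0 */
        hdr = 10;
    }
    if (n < hdr + 4) return 0;             /* 4-byte masking key follows the length */
    memcpy(d->mask, buf + hdr, 4);
    d->payload_remain = len;
    d->payload_pos = 0;
    return (int)(hdr + 4);
}

/* Unmask payload bytes in place as they arrive.  Consumes at most
 * min(n, payload_remain, WS_CHUNK) bytes and returns that count; the caller
 * hands them to the consumer and keeps any remainder for the next call. */
size_t ws_decode_payload(struct ws_decoder *d, uint8_t *buf, size_t n)
{
    size_t take = n;
    if (take > d->payload_remain) take = (size_t)d->payload_remain;
    if (take > WS_CHUNK) take = WS_CHUNK;
    for (size_t i = 0; i < take; i++) buf[i] ^= d->mask[(d->payload_pos + i) & 3];
    d->payload_pos += take;
    d->payload_remain -= take;
    return take;
}
```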
-
Peter Maydell authored
Fix for object_del of in-use memory, pvpanic regression, PPC regression and bogus error message with Oxygen theme.

# gpg: Signature made Wed Apr 1 09:08:20 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  Revert "exec: Respect as_tranlsate_internal length clamp"
  rcu: do not create thread in pthread_atfork callback
  pc: acpi: fix pvpanic regression
  hostmem: Prevent removing an in-use memory backend
  qom: Add can_be_deleted callback to UserCreatableClass

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Paolo Bonzini authored
This reverts commit c3c1bb99. It causes problems with boards that declare memory regions shorter than the registers they contain.

Reported-by: Zoltan Balaton <balaton@eik.bme.hu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Paolo Bonzini authored
If QEMU forks after the CPU threads have been created, qemu_mutex_lock_iothread will not be able to do qemu_cpu_kick_thread. There is no solution other than assuming that forks after the CPU threads have been created will end up in an exec. Forks before the CPU threads have been created (such as -daemonize) have to call rcu_after_fork manually.

Notably, the oxygen theme for GTK+ forks and shows a "No such process" error without this patch.

This patch can be reverted once the iothread loses the "kick the TCG thread" magic. User-mode emulation does not use the iothread, so it can also call rcu_after_fork.

Reported by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Igor Mammedov authored
Commit cd61cb2e
  pc: acpi-build: generate pvpanic device description dynamically
introduced regression changing pvpanic device HID from QEMU0001 to QEMU0002.

Fix AML generated code so that pvpanic device would keep its original HID, i.e. QEMU0001.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reported-by: Gal Hammer <ghammer@redhat.com>
Message-Id: <1427717907-25027-1-git-send-email-imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Lin Ma authored
Showing a memory device whose memdev is removed leads to an assert:

(qemu) object_add memory-backend-ram,id=ram0,size=128M
(qemu) device_add pc-dimm,id=d0,memdev=ram0
(qemu) object_del ram0
(qemu) info memory-devices
** ERROR:qom/object.c:1274:object_get_canonical_path_component:\
assertion failed: (obj->parent != NULL)
Aborted

The patch prevents removing an in-use mem backend and errors out.

Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1427704589-7688-3-git-send-email-lma@suse.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Lin Ma authored
If backends implement the can_be_deleted and it returns false, then the qmp_object_del won't delete the given backends.

Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1427704589-7688-2-git-send-email-lma@suse.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 31 Mar, 2015 4 commits
-
-
Peter Maydell authored
QOM infrastructure fixes and device conversions

* Fix for adding alias properties with [*]

# gpg: Signature made Tue Mar 31 11:59:00 2015 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg: aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter:
  qom: Fix object_property_add_alias() with [*]

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Andreas Färber authored
Commit 80742642 (qom: Add description field in ObjectProperty struct) introduced property descriptions and copied them for alias properties. Instead of using the caller-supplied property name, use the returned property name for setting the description. This avoids an Error when setting a property description for a property with literal "[*]" that doesn't exist due to automatic property naming in object_property_add().

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org (v2.2+)
Signed-off-by: Andreas Färber <afaerber@suse.de>
-
Peter Maydell authored
QTest cleanups

* Change fw_cfg-test and i440fx-test GTester paths
* Extend libqtest API as necessary

# gpg: Signature made Mon Mar 30 18:29:39 2015 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg: aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qtest-for-2.3:
  i440fx-test: Fix test paths to include architecture
  qtest: Add qtest_add() wrapper macro
  qtest: Add qtest_add_data_func() wrapper function
  fw_cfg-test: Fix test path to include architecture

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Peter Maydell authored
TriCore bugfixes

# gpg: Signature made Mon Mar 30 12:40:50 2015 BST using RSA key ID 6B69CA14
# gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>"

* remotes/bkoppelmann/tags/pull-tricore-20150330:
  target-tricore: fix CACHEA/I_POSTINC/PREINC using data register..

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
- 30 Mar, 2015 10 commits
-
-
Peter Maydell authored
s390x fixes:
- virtqueue index issues in virtio-ccw
- cleanup and sign extension fix for the ipl device

# gpg: Signature made Mon Mar 30 08:52:54 2015 BST using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20150330:
  s390x/ipl: avoid sign extension
  s390x: do not include ram_addr.h
  virtio-ccw: range check in READ_VQ_CONF
  virtio-ccw: fix range check for SET_VQ

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Andreas Färber authored
Replace g_test_add_func() with new qtest_add_func() and g_test_add() macro with qtest_add() macro. This effectively changes GTester paths:

/i440fx/foo -> /x86_64/i440fx/foo etc.

Cc: qemu-stable@nongnu.org
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
-
Andreas Färber authored
It extends g_test_add() macro with the architecture path.

Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
-
Andreas Färber authored
It calls g_test_add_data_func() with a path supplemented by the architecture, like qtest_add_func() does.

Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
-
Andreas Färber authored
Use qtest_add_func() instead of g_test_add_func() to reflect the architecture tested, changing GTester paths as follows:

/fw_cfg/foo -> /x86_64/fw_cfg/foo etc.

Cc: qemu-stable@nongnu.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
-
Bastian Koppelmann authored
..for address calculation instead of address registers.

Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
-
Cornelia Huck authored
Make s390_update_iplstate() return uint32_t to avoid sign extensions for cssids > 127. While this doesn't matter in practice yet (as nobody supports MCSS-E and thus won't see the real cssid), play safe.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-
Paolo Bonzini authored
ram_addr.h is an internal interface and it is not needed anyway by hw/s390x/ipl.c.

Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-
Cornelia Huck authored
Processing for READ_VQ_CONF needs to check whether the requested queue value is actually in the supported range and post a channel program check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-
Cornelia Huck authored
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-
- 28 Mar, 2015 1 commit
-
-
Peter Maydell authored
# gpg: Signature made Fri Mar 27 22:19:31 2015 GMT using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  AHCI: Protect cmd register
  AHCI: Do not (re)map FB/CLB buffers while not running

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
- 27 Mar, 2015 5 commits
-
-
John Snow authored
Many bits in the CMD register are supposed to be strictly read-only. We should not be deleting them on every write.

As a side-effect: pay explicit attention to when a guest marks off the FIS Receive or Start bits, and disable the status bits ourselves, instead of letting them implicitly fall off.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-3-git-send-email-jsnow@redhat.com
-
John Snow authored
The FIS Receive Buffer and Command List Buffer pointers should not be edited while the FIS receive engine or Command Receive engines are running. Currently, we attempt to re-map the buffers every time they are adjusted, but while the AHCI engines are off, these registers may contain stale values, so we should not attempt to re-map these values until the engines are reactivated.

Reported-by: Jordan Hargrave <jharg93@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-2-git-send-email-jsnow@redhat.com
-
Peter Maydell authored
# gpg: Signature made Fri Mar 27 11:59:41 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  hw/net/e1000: fix integer endianness

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Peter Maydell authored
# gpg: Signature made Fri Mar 27 10:13:35 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  block: Document blockdev-add's immaturity
  qemu-iotests: Test unaligned 4k zero write
  block: Fix unaligned zero write
  nvme: Fix unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Shannon Zhao authored
It's detected by Coverity. In is_vlan_packet s->mac_reg[VET] is unsigned int but is dereferenced as a narrower unsigned short. This may lead to unexpected results depending on machine endianness.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1426224119-8352-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-