Andreas Färber [Thu, 22 Nov 2012 16:19:35 +0000 (17:19 +0100)]
VERSION: Update to 0.15.2
Signed-off-by: Andreas Färber <afaerber@suse.de>
Andreas Färber [Sun, 4 Mar 2012 20:32:34 +0000 (21:32 +0100)]
kvmclock: Always register type
Currently, the "kvmclock" type is only registered when kvm_enabled().
This breaks when moving type registration to before command line
parsing (so that QOM types can be used for CPU and machine).
Since the QOM classes are lazy-initialized anyway and kvmclock_create()
has another kvm_enabled() check, simply drop the KVM check in
kvmclock_register_types().
kvm-i8259, kvm-apic and kvm-ioapic do not suffer from such a check.
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
03f48b0797c9904301ee91e0081e89b3a3250f91)
[AF: Backported; fixes -enable-kvm regression introduced by 2e2a8aa.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Fri, 9 Nov 2012 15:42:06 +0000 (16:42 +0100)]
qcow2: Flush requests in AIO cancel
This matches the behavior of v1.0 without introducing coroutines.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Paolo Bonzini [Fri, 16 Sep 2011 14:40:04 +0000 (16:40 +0200)]
scsi-disk: lazily allocate bounce buffer
It will not be needed for reads and writes if the HBA provides a sglist.
In addition, this lets scsi-disk refuse commands with an excessive
allocation length, as well as limit memory on usual well-behaved guests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
7285477ab11831b1cf56e45878a89170dd06d9b9)
[AF: Backported; BNC#728664 / CVE-2011-3346]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Paolo Bonzini [Fri, 16 Sep 2011 14:40:03 +0000 (16:40 +0200)]
scsi-disk: commonize iovec creation between reads and writes
Also, consistently use qiov.size instead of iov.iov_len.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
103b40f51e4012b3b0ad20f615562a1806d7f49a)
[AF: Backported; BNC#728664]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Xu He Jie [Thu, 27 Oct 2011 02:15:13 +0000 (10:15 +0800)]
kvm_init didn't set return value after create vm failed
And kvm_ioctl(s, KVM_CREATE_VM, 0)'s return value can be < -1,
so change the check of vmfd at label 'err'.
Signed-off-by: Xu He Jie <xuhj@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
db9eae1c49fe2766a7709d7b2c4cdfcd91b9c25b)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jason Baron [Tue, 4 Sep 2012 20:08:08 +0000 (16:08 -0400)]
ahci: properly reset PxCMD on HBA reset
While testing q35, I found that windows 7 (specifically, windows 7 ultimate
with sp1 x64), wouldn't install because it can't find the cdrom or disk drive.
The failure message is: 'A required cd/dvd device driver is missing. If you
have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.'
This can also be reproduced on piix by adding an ahci controller, and
observing that windows 7 does not see any devices behind it.
The problem is that when windows issues a HBA reset, qemu does not reset the
individual ports' PxCMD register. Windows 7 then reads back the PxCMD register
and presumably assumes that the ahci controller has already been initialized.
Windows then never sets up the PxIE register to enable interrupts, and thus it
never gets irqs back when it sends ata device inquiry commands.
This change brings qemu into ahci 1.3 specification compliance.
Section 10.4.3 HBA Reset:
"
When GHC.HR is set to '1', GHC.AE, GHC.IE, the IS register, and all port
register fields (except PxFB/PxFBU/PxCLB/PxCLBU) that are not HwInit in the
HBA's register memory space are reset.
"
I've also re-tested Fedora 16 and 17 to verify that they continue to work with
this change.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
2a4f4f34e6fe55f4c82507c3e7ec9b58c2e24ad4)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alexander Motin [Mon, 12 Sep 2011 08:19:25 +0000 (11:19 +0300)]
AHCI Port Interrupt Enable register cleaning on soft reset
I've found that FreeBSD AHCI driver doesn't work with AHCI hardware
emulation of QEMU 0.15.0. I believe the problem is on QEMU's side. As I
see, it clears port's Interrupt Enable register each time when reset of
any level happens. Is is reasonable for the global controller reset. It
is probably not good, but acceptable for FreeBSD driver for the port
hard reset. But it is IMO wrong for the device soft reset. None of real
hardware I know behaves that way.
Signed-off-by: Alexander Motin <mav@FreeBSD.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
a26a13da687f757c07e2a5c26fa411840405e6d7)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jason Baron [Fri, 3 Aug 2012 19:57:10 +0000 (15:57 -0400)]
ahci: Fix sglist memleak in ahci_dma_rw_buf()
I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus,
I've added a call to qemu_sglist_destroy() to fix this memory leak.
In addition, I've adeed a call in qemu_sglist_destroy() to 0 all of the sglist
fields, in case there is some other codepath that tries to free the sglist.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
ea8d82a1ed72634f089ed1bccccd9c84cc1ab855)
[AF: Backported g_free() -> qemu_free()]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jason Baron [Fri, 3 Aug 2012 19:57:06 +0000 (15:57 -0400)]
ahci: Fix ahci cdrom read corruptions for reads > 128k
While testing q35, which has its cdrom attached to the ahci controller, I found
that the Fedora 17 install would panic on boot. The panic occurs while
squashfs is trying to read from the cdrom. The errors are:
[ 8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
[ 8.625180] SQUASHFS error: squashfs_read_data failed to read block
0x20be48a
I was also able to produce corrupt data reads using an installed piix based
qemu machine, using 'dd'. I found that the corruptions were only occuring when
then read size was greater than 128k. For example, the following command
results in corrupted reads:
dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct
The > 128k size reads exercise a different code path than 128k and below. In
ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus,
ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k.
However, ahci_dma_rw_buf() restart the read from offset 0, instead of at 128k.
Thus, resulting in a corrupted read.
To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep
track of the offset. I've also modified ahci_populate_sglist() to take a new
3rd offset argument, so that the sglist is property initialized.
I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots
and installs on q35 with the cdrom ahci controller.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Tested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
61f52e06f0a21bab782f98ef3ea789aa6d0aa046)
[AF: Backported; resolves BNC#725008]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jan Kiszka [Fri, 11 May 2012 14:42:34 +0000 (11:42 -0300)]
ahci: Fix reset of MSI function
Call msi_reset on device reset as still required by the core.
CC: Alexander Graf <agraf@suse.de>
CC: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
868a1a52267daddf933ee18480ae036da029b561)
[AF: Backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Daniel Verkamp [Tue, 22 May 2012 23:26:42 +0000 (16:26 -0700)]
ahci: SATA FIS is 20 bytes, not 0x20
As in the SATA and AHCI specifications, a FIS is 5 Dwords of 4 bytes
each, which comes to 20 bytes (decimal), not 0x20.
Signed-off-by: Daniel Verkamp <daniel@drv.nu>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
4bb9c939a57103898f5a51aa6a7336eb3320d923)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alexander Graf [Mon, 30 Jan 2012 22:29:48 +0000 (23:29 +0100)]
AHCI: Masking of IRQs actually masks them
When masking IRQ lines, we should actually mask them out and not declare
them active anymore. Once we mask them in again, they are allowed to trigger
again.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
b867672884afc39b6537a8aa6aa2f20a5154bf4f)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alexander Graf [Mon, 30 Jan 2012 22:29:47 +0000 (23:29 +0100)]
AHCI: Fix port reset race
bdrv_aio_cancel() can trigger bdrv_aio_flush() which makes all aio
that is currently in flight finish. So what we do is:
port reset
detect ncq in flight
cancel ncq
delete ncq sg list
at which point we have double freed the sg list. Instead, with this
patch we do:
port reset
detect ncq in flight
cancel ncq
check if we are really still in flight
delete ncq sg list
which makes things work and gets rid of the race.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
c9b308d20b642c106048f088ccc31f2aa7cf59ba)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bo Yang [Wed, 29 Aug 2012 11:26:11 +0000 (19:26 +0800)]
eepro100: Fix network hang when rx buffers run out
This is reported by QA. When installing os with pxe, after the initial
kernel and initrd are loaded, the procedure tries to copy files from install
server to local harddisk, the network becomes stall because of running out of
receive descriptor.
[Whitespace fixes and removed qemu_notify_event() because Paolo's
earlier net patches have moved it into qemu_flush_queued_packets().
Additional info:
I can reproduce the network hang with a tap device doing a iPXE HTTP
boot as follows:
$ qemu -enable-kvm -m 1024 \
-netdev tap,id=netdev0,script=no,downscript=no \
-device i82559er,netdev=netdev0,romfile=
80861209.rom \
-drive if=virtio,cache=none,file=test.img
iPXE> ifopen net0
iPXE> config # set static network configuration
iPXE> kernel http://mirror.bytemark.co.uk/fedora/linux/releases/17/Fedora/x86_64/os/images/pxeboot/vmlinuz
I needed a vanilla iPXE ROM to get to the iPXE prompt. I think the boot
prompt has been disabled in the ROMs that ship with QEMU to reduce boot
time.
During the vmlinuz HTTP download there is a network hang. hw/eepro100.c
has reached the end of the rx descriptor list. When the iPXE driver
replenishes the rx descriptor list we don't kick the QEMU net subsystem
and event loop, thereby leaving the tap netdev without its file
descriptor in select(2).
Stefan Hajnoczi <stefanha@gmail.com>]
Signed-off-by: Bo Yang <boyang@suse.com>
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit
1069985fb132cd4324fc02d371f1e61492a1823f)
[AF: Resolves BNC#712137]
Signed-off-by: Andreas Färber <afaerber@suse.de>
David Gibson [Mon, 10 Sep 2012 02:30:56 +0000 (12:30 +1000)]
qemu-char: BUGFIX, don't call FD_ISSET with negative fd
tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.
This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
bbdd2ad0814ea0911076419ea21b7957505cf1cc)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Ian Campbell [Tue, 4 Sep 2012 15:26:09 +0000 (10:26 -0500)]
console: bounds check whenever changing the cursor due to an escape code
This is XSA-17 / CVE-2012-3515
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
3eea5498ca501922520b3447ba94815bfc109743)
[AF: Resolves BNC#777084]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bruce Rogers [Thu, 9 Aug 2012 18:47:40 +0000 (12:47 -0600)]
handle device help before accelerator set up
A command line device probe using just -device "?" gets processed
after qemu-kvm initializes the accelerator. If /dev/kvm is not
present, the accelerator check will fail (kvm is defaulted to on),
which causes libvirt to not be set up to handle qemu guests.
Moving the device help handling before the accelerator set up allows
the device probe to work in this configuration and libvirt succeeds
in setting up for a qemu hypervisor mode.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit
3d1d9652978ac5a32a0beb4bdf6065ca39440d89)
[AF: Backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Paolo Bonzini [Wed, 2 Nov 2011 12:19:40 +0000 (13:19 +0100)]
virtio-blk: pass full status to the guest
When SCSI passthrough is being used by the guest with virtio-blk, the
guest is not able to detect disk failures. This is because the status
field is expected by the guest driver to include also the msg_status,
host_status and driver_status fields, but the device is only passing
down the SCSI status.
The patch fixes this, and also makes sure that the guest always sees a
CHECK_CONDITION status when there is valid sense data.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
5bb23927761db0d48507c60f56c4e28f72f3c2a7)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jim Meyering [Mon, 28 May 2012 07:27:54 +0000 (09:27 +0200)]
block: prevent snapshot mode $TMPDIR symlink attack
In snapshot mode, bdrv_open creates an empty temporary file without
checking for mkstemp or close failure, and ignoring the possibility
of a buffer overrun given a surprisingly long $TMPDIR.
Change the get_tmp_filename function to return int (not void),
so that it can inform its two callers of those failures.
Also avoid the risk of buffer overrun and do not ignore mkstemp
or close failure.
Update both callers (in block.c and vvfat.c) to propagate
temp-file-creation failure to their callers.
get_tmp_filename creates and closes an empty file, while its
callers later open that presumed-existing file with O_CREAT.
The problem was that a malicious user could provoke mkstemp failure
and race to create a symlink with the selected temporary file name,
thus causing the qemu process (usually root owned) to open through
the symlink, overwriting an attacker-chosen file.
This addresses CVE-2012-2652.
http://bugzilla.redhat.com/CVE-2012-2652
Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
c2d76497b6eafcaedc806e07804e7bed55a98a0b)
[AF: Backported, g_free -> qemu_free]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Michael S. Tsirkin [Mon, 23 Apr 2012 12:46:22 +0000 (15:46 +0300)]
virtio: order index/descriptor reads
virtio has the equivalent of:
if (vq->last_avail_index != vring_avail_idx(vq)) {
read descriptor head at vq->last_avail_index;
}
In theory, processor can reorder descriptor head
read to happen speculatively before the index read.
this would trigger the following race:
host descriptor head read <- reads invalid head from ring
guest writes valid descriptor head
guest writes avail index
host avail index read <- observes valid index
as a result host will use an invalid head value.
This was not observed in the field by me but after
the experience with the previous two races
I think it is prudent to address this theoretical race condition.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
a821ce59338c79bb72dc844dd44ea53701965b2b)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Michael S. Tsirkin [Mon, 23 Apr 2012 11:11:14 +0000 (14:11 +0300)]
virtio: add missing mb() on enable notification
This fixes an issue dual to the one fixed by
patch 'virtio: add missing mb() on notification'
and applies on top.
In this case, to enable vq kick to exit to host,
qemu writes out used flag then reads the
avail index. if these are reordered we get a race:
host avail index read: ring is empty
guest avail index write
guest flag read: exit disabled
host used flag write: enable exit
which results in a lost exit: host will never be notified about the
avail index update. Again, happens in the field but only seems to
trigger on some specific hardware.
Insert an smp_mb barrier operation to ensure the correct ordering.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
92045d80badc43c9f95897aad675dc7ef17a3b3f)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Michael S. Tsirkin [Sun, 22 Apr 2012 13:45:53 +0000 (16:45 +0300)]
virtio: add missing mb() on notification
During normal operation, virtio first writes a used index
and then checks whether it should interrupt the guest
by reading guest avail index/flag values.
Guest does the reverse: writes the index/flag,
then checks the used ring.
The ordering is important: if host avail flag read bypasses the used
index write, we could in effect get this timing:
host avail flag read
guest enable interrupts: avail flag write
guest check used ring: ring is empty
host used index write
which results in a lost interrupt: guest will never be notified
about the used ring update.
This actually can happen when using kvm with an io thread,
such that the guest vcpu and qemu run on different host cpus,
and this has actually been observed in the field
(but only seems to trigger on very specific processor types)
with userspace virtio: vhost has the necessary smp_mb()
in place to prevent the regordering, so the same workload stalls
forever waiting for an interrupt with vhost=off but works
fine with vhost=on.
Insert an smp_mb barrier operation in userspace virtio to
ensure the correct ordering.
Applying this patch fixed the race condition we have observed.
Tested on x86_64. I checked the code generated by the new macro
for i386 and ppc but didn't run virtio.
Note: mb could in theory be implemented by __sync_synchronize, but this
would make us hit old GCC bugs. Besides old GCC
not implementing __sync_synchronize at all, there were bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36793
in this functionality as recently as in 4.3.
As we need asm for rmb,wmb anyway, it's just as well to
use it for mb.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit
a281ebc11a6917fbc27e1a93bb5772cd14e241fc)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Eric Sunshine [Tue, 1 Nov 2011 09:39:49 +0000 (05:39 -0400)]
qemu-barrier: Fix build failure on PowerPC Mac OS X
qemu-barrier.h tests if macro __powerpc__ is defined, however, the
preprocessor on PowerPC Mac OS X defines only __POWERPC__, not
__powerpc__. Resolve by testing instead for qemu-provided _ARCH_PPC.
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
463ce4ae2dc5214f1b3ce5951c7cc3904c903702)
Signed-off-by: Andreas Färber <afaerber@suse.de>
David Gibson [Tue, 20 Sep 2011 02:05:21 +0000 (12:05 +1000)]
Barriers in qemu-barrier.h should not be x86 specific
qemu-barrier.h contains a few macros implementing memory barrier
primitives used in several places throughout qemu. However, apart
from the compiler-only barrier, the defined wmb() is correct only for
x86, or platforms which are similarly strongly ordered.
This patch addresses the FIXME about this by making the wmb() macro
arch dependent. On x86, it remains a compiler barrier only, but with
a comment explaining in more detail the conditions under which this is
correct. On weakly-ordered powerpc, an "eieio" instruction is used,
again with explanation of the conditions under which it is sufficient.
On other platforms, we use the __sync_synchronize() primitive,
available in sufficiently recent gcc (4.2 and after?). This should
implement a full barrier which will be sufficient on all platforms,
although it may be overkill in some cases. Other platforms can add
optimized versions in future if it's worth it for them.
Without proper memory barriers, it is easy to reproduce ordering
problems with virtio on powerpc; specifically, the QEMU puts new
element into the "used" ring and then updates the ring free-running
counter. Without a barrier between these under the right
circumstances, the guest linux driver can receive an interrupt, read
the counter change but find the ring element to be handled still has
an old value, leading to an "id %u is not a head!\n" error message.
Similar problems are likely to be possible with kvm on other weakly
ordered platforms.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
e22517086bbdf8d09de2b9ba8b3dfa4c42ec0f6c)
Signed-off-by: Andreas Färber <afaerber@suse.de>
David Gibson [Tue, 20 Sep 2011 02:05:20 +0000 (12:05 +1000)]
virtio: Use global memory barrier macros
The virtio code uses wmb() macros in several places, as required by the
SMP-aware virtio protocol. However the wmb() macro is locally defined
to be a compiler barrier only. This is probably sufficient on x86
due to its strong storage ordering model, but it certainly isn't on other
platforms, such as ppc.
In any case, qemu already has some globally defined memory barrier macros
in qemu-barrier.h. This patch, therefore converts virtio.c to use those
barrier macros. The macros in qemu-barrier.h are also wrong (or at least,
safe for x86 only) but this way at least there's only one place to fix
them.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
b90d2f35125490b8f62484c5ea7e6bbecbe43b6f)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Gerhard Wiesinger [Wed, 25 Jan 2012 20:04:14 +0000 (21:04 +0100)]
hw/vmmouse.c: Disable vmmouse after reboot
Bugfix after reboot when vmmouse was enabled and another OS which uses e.g. PS/2
mouse.
Details:
When a guest activated the vmmouse followed by a reboot the vmmouse was still
enabled and the PS/2 mouse was therefore unsusable. When another guest is then
booted without vmmouse support (e.g. PS/2 mouse) the mouse is not working.
Reason is that VMMouse has priority and disables all other mouse entities
and therefore must be disabled on reset.
Testscenario:
1.) Boot e.g. OS with VMMouse support (e.g. Windows with VMMouse tools)
2.) reboot
3.) Boot e.g. OS without VMMouse support (e.g. DOS) => PS/2 mouse doesn't work
any more. Fixes that issue.
Testscenario 2 by Jan Kiszka <jan.kiszka@siemens.com>:
Confirm that this patch fixes a real issue. Setup: qemu.git,
opensuse 11.4 guest, SDL graphic, system_reset while guest is using the
vmmouse. Without the patch, the vmmouse become unusable after the
reboot. Also, the mouse stays in absolute mode even before X starts again.
Fixed by:
Disabling the vmmouse in its reset handler.
Tested-by: Andreas F=E4rber <afaerber@suse.de>
Signed-off-by: Gerhard Wiesinger <lists@wiesinger.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
069ab0eb8a46bc4ff6f4d4d81bf037d3441347da)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Andreas Färber [Wed, 30 Nov 2011 15:26:21 +0000 (16:26 +0100)]
exec.c: Fix subpage memory access to RAM MemoryRegion
Commit
95c318f5e1f88d7e5bcc6deac17330fd4806a2d3 (Fix segfault in mmio
subpage handling code.) prevented a segfault by making all subpage
registrations over an existing memory page perform an unassigned access.
Symptoms were writes not taking effect and reads returning zero.
Very small page sizes are not currently supported either,
so subpage memory areas cannot fully be avoided.
Therefore change the previous fix to use a new IO_MEM_SUBPAGE_RAM
instead of IO_MEM_UNASSIGNED. Suggested by Avi.
Reviewed-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Cc: Avi Kivity <avi@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
56384e8b1eebac750e6186f5041af710433ddc9e)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Max Filippov [Thu, 10 Nov 2011 11:38:42 +0000 (15:38 +0400)]
vl.c: prohibit simultaneous use of -icount with kvm or xen
With -icount, The vm_clock is updated with help from TCG (it counts
instructions at 2^ICOUNT ns/instructions). With KVM, the instruction
count is not available so KVM cannot provide this help.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
0abe905d29f556128c5fb2ea8d93e982e94aaa67)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Stefan Weil [Sat, 21 Jan 2012 12:54:24 +0000 (13:54 +0100)]
block/vdi: Zero unused parts when allocating a new block (fix #919242)
The new block was filled with zero when it was allocated by g_malloc0,
but when it was reused later and only partially used, data from the
previously allocated block were still present and written to the new
block.
This caused the problems reported by bug #919242
(https://bugs.launchpad.net/qemu/+bug/919242).
Now the unused parts of the new block which are before and after the data
are always filled with zero, so it is no longer necessary to zero the whole
block with g_malloc0.
I also updated the copyright comment.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
641543b76b82a8b361482b727e08de0c8ec093b0)
[AF: g_malloc() -> qemu_malloc()]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Stefan Weil [Sat, 25 Feb 2012 13:50:25 +0000 (14:50 +0100)]
ds1338: Add missing break statement
Without the break statement, case 5 sets month and year from the same
data. This does not look correct.
The missing break was reported by splint.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
fbac6a7d35d119a52606c175aface9bcec805f09)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Stefan Hajnoczi [Thu, 12 Jan 2012 14:17:04 +0000 (14:17 +0000)]
bt-host: add missing break statement
The switch statement in bt_host_read() is missing a break in one case.
Andrzej Zaborowski <andrew.zaborowski@intel.com> confirmed that this is
not an intentional fall-through.
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
f7253270fc66a60e4faf639a3c4ce0b352553b24)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Zhang Shengju [Tue, 13 Mar 2012 14:38:13 +0000 (22:38 +0800)]
block/vpc: write checksum back to footer after check
After validation check, the 'checksum' is not written back
to footer, which leave it with zero.
This results in errors while loadding it under Microsoft's
Hyper-V environment, and also errors from utilities like
Citrix's vhd-util.
Signed-off-by: Zhang Shengju <sean_zhang@trendmicro.com.cn>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
c088b691363070d151f80cc1fde4b7c151bdfe8f)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Avi Kivity [Mon, 5 Sep 2011 08:07:05 +0000 (11:07 +0300)]
qemu_vmalloc: align properly for transparent hugepages and KVM
To make good use of transparent hugepages, KVM requires that guest-physical
and host-virtual addresses share the low 21 bits (as opposed to just the low
12 bits normally required).
Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions
to avoid fragmentation.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
36b586284e678da28df3af9fd0907d2b16f9311c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jes Sorensen [Mon, 25 Jul 2011 15:13:36 +0000 (17:13 +0200)]
Add missing trace call to oslib-posix.c:qemu_vmalloc()
Acked-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
c7f4111a06208b46c6d05934d2a1e5cfbebc0180)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Anthony Liguori [Sun, 18 Dec 2011 19:07:03 +0000 (13:07 -0600)]
pc: fix event_idx compatibility for virtio devices
event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
(including virtio-balloon-pci).
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
ea830ebb74461c5ad6d199857fb000d2e0284c69)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Anthony Liguori [Sun, 18 Dec 2011 18:59:12 +0000 (12:59 -0600)]
pc: add pc-0.15
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
ce01a508e8053350544c88ba68a3f90c44b6bb93)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alex Williamson [Mon, 31 Oct 2011 14:54:09 +0000 (08:54 -0600)]
Error check find_ram_offset
Spotted via code review, we initialize offset to 0 to avoid a
compiler warning, but in the unlikely case that offset is
never set to something else, we should abort instead of return
a value that will almost certainly cause problems.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
3e837b2c05bc63fe2226baf3c29923d5a688593f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Anthony PERARD [Wed, 20 Jul 2011 08:17:42 +0000 (08:17 +0000)]
cpu-common: Have a ram_addr_t of uint64 with Xen.
In Xen case, memory can be bigger than the host memory. that mean a
32bits host (and QEMU) should be able to handle a RAM address of 64bits.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit
f15fbc4bd1a24bd1477a846e63e62c6d435912f8)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Thu, 20 Oct 2011 14:37:26 +0000 (16:37 +0200)]
pc: Fix floppy drives with if=none
Commit
63ffb564 broke floppy devices specified on the command line like
-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
relies on drive_get() which works only with -fda/-drive if=floppy.
This patch resembles what we're already doing for IDE, i.e. remember the floppy
device that was created and use that to extract the BlockDriverStates where
needed.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit
34d4260e1846d69d7241f690534e3dd4b3e6fd5b)
[BR: bnc#733777]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 26 Oct 2011 10:25:52 +0000 (12:25 +0200)]
vmdk: Fix possible segfaults
Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Gerd Hoffmann [Fri, 21 Oct 2011 13:59:07 +0000 (15:59 +0200)]
qxl: stride fixup
spice uses negative stride value to signal the bitmap is upside down.
The qxl renderer (used for scl, vnc and screenshots) wants a positive
value because it is easier to work with. The positive value is then
stored in the very same variable, which has the drawback that the
upside-down test works only once. Fix by using two variables.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit
0e2487bd6f56445b43307536a465ee2ba810aed9)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Stefan Hajnoczi [Thu, 27 Oct 2011 09:54:28 +0000 (10:54 +0100)]
block: reinitialize across bdrv_close()/bdrv_open()
Several BlockDriverState fields are not being reinitialized across
bdrv_close()/bdrv_open(). Make sure they are reset to their default
values.
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
03f541bd6eacdc6c2893f72b975257c89cab2b74)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 26 Oct 2011 09:21:50 +0000 (11:21 +0200)]
qcow: Fix bdrv_write_compressed error handling
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
64ebe71aa0e498d24e8c02b133192142fce3a0d0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Charles Arnold [Wed, 9 Nov 2011 16:32:25 +0000 (09:32 -0700)]
block: Fix vpc initialization of the Dynamic Disk Header
The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.
Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.
Signed-off-by: Charles Arnold <carnold@suse.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Markus Armbruster [Fri, 4 Nov 2011 09:38:29 +0000 (10:38 +0100)]
console: Fix rendering of VGA underline
vga_putcharxy()'s underline code sets font_data to 0xffff instead of
0xff. vga_putcharxy() then reads dmask16[0xffff >> 4] and
dmask4[0xffff >> 6]. In practice, these out-of-bounds subscripts
"only" put a few crap bits into the display surface.
For 32 bit pixels, there's no array access. font_data's extra bits go
straight into the display surface.
Broken when commit
6d6f7c28 implemented underline.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Stefan Hajnoczi [Thu, 27 Oct 2011 09:54:27 +0000 (10:54 +0100)]
block: set bs->read_only before .bdrv_open()
Several block drivers set bs->read_only in .bdrv_open() but
block.c:bdrv_open_common() clobbers its value. Additionally, QED uses
bdrv_is_read_only() in .bdrv_open() to decide whether to perform
consistency checks.
The correct ordering is to initialize bs->read_only from the open flags
before calling .bdrv_open(). This way block drivers can override it if
necessary and can use bdrv_is_read_only() in .bdrv_open().
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
e7c637967e6aad195b5f30cfd995913c9e0b4666)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 26 Oct 2011 10:25:25 +0000 (12:25 +0200)]
vmdk: Improve error handling
Return the right error values in some more places.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
99f1835d9bc744f98370254600530e66f32e6d81)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Eric Sunshine [Wed, 26 Oct 2011 19:51:18 +0000 (15:51 -0400)]
Teach block/vdi about "discarded" (no longer allocated) blocks
An entry in the VDI block map will hold an offset to the actual block if
the block is allocated, or one of two specially-interpreted values if
not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
(0xffffffff) represents a never-allocated block (semantically arbitrary
content). VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
block (semantically zero-filled). block/vdi knows only about
VDI_IMAGE_BLOCK_FREE. Teach it about VDI_IMAGE_BLOCK_ZERO.
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Marc-André Lureau [Tue, 25 Oct 2011 14:53:01 +0000 (16:53 +0200)]
hda: do not mix output and input stream states, RHBZ #740493
Windows 7 may use the same stream number for input and output.
Current code will confuse streams.
Changes since v1:
- keep running_compat[] for migration version 1
- add running_real[] for migration version 2
Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit
ba43d28916c4f51c19bd7366089155ce81bee058)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Marc-André Lureau [Tue, 25 Oct 2011 14:53:00 +0000 (16:53 +0200)]
hda: do not mix output and input streams, RHBZ #740493
Windows 7 may use the same stream number for input and output.
That will result in lot of garbage on playback.
The hardcoded value of 4 needs to be in sync with GCAP streams
description and IN/OUT registers.
Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit
36ac4ad3d054a7b4962a6393630a73591cfa9558)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Nick Thomas [Wed, 21 Sep 2011 10:55:49 +0000 (11:55 +0100)]
block/curl: Implement a flush function on the fd handlers
Signed-off-by: Nick Thomas <nick@bytemark.co.uk>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Gerd Hoffmann [Wed, 7 Sep 2011 15:52:10 +0000 (17:52 +0200)]
vns/tls: don't use depricated gnutls functions
Avoid using deprecated gnutls functions with recent gnutls versions.
Fixes build failure on Fedora 16. Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).
Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
f40d55081667a716312b9a8b6e13835c4074f56b)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 1 Jun 2011 08:57:00 +0000 (10:57 +0200)]
vvfat: Fix potential buffer overflow
path2[PATH_MAX] can be used for the null termination, so make the array big
enough to allow this.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
0d460d6f414e02805cbc348404db03b2b7907360)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Gerd Hoffmann [Mon, 7 Nov 2011 15:33:09 +0000 (16:33 +0100)]
ac97: don't override the pci subsystem id
This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000. Due to the device id being zero the
subsystem id isn't vaild anyway. With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.
[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
25a21c94c0055e078acb7f7455e66c8a15f32385)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Peter Maydell [Wed, 9 Nov 2011 18:59:54 +0000 (18:59 +0000)]
hw/lan9118.c: Add missing 'break' to fix buffer overrun
Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bharata B Rao [Wed, 2 Nov 2011 08:46:08 +0000 (14:16 +0530)]
Fix X86 CPU topology in KVM mode
apic id returned to guest kernel in ebx for cpuid(function=1) depends on
CPUX86State->cpuid_apic_id which gets populated after the cpuid information
is cached in the host kernel. This results in broken CPU topology in guest.
Fix this by setting cpuid_apic_id before cpuid information is passed to
the host kernel. This is done by moving the setting of cpuid_apic_id
to cpu_x86_init() where it will work for both KVM as well as TCG modes.
Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Bharata B Rao <bharata.rao@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
f2209eb854a016eabc444b45f6d6b1636949141f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Gerd Hoffmann [Thu, 27 Oct 2011 07:12:04 +0000 (09:12 +0200)]
migration: flush migration data to disk.
This patch increases robustness when migrating to a file with
two little changes:
(1) Before closing the migration file handle checks if it happens to be
a regular file and if so it issues a fsync. This way the data is
flushed to disk before qemu sends the migration completed event.
(2) It adds error checking. In case either fsync or close syscall
fails pass up the error (and fail migration).
[ v2: return -errno instead of -1 ]
Cc: Juan Quintela <quintela@redhat.com>
Cc: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
aab2293687ee54a409f3fb53a1ab3595b595e0fb)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Markus Armbruster [Fri, 28 Oct 2011 15:07:02 +0000 (17:07 +0200)]
acl: Fix use after free in qemu_acl_reset()
Reproducer:
$ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
QEMU 0.15.50 monitor - type 'help' for more information
(qemu) acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
Segmentation fault (core dumped)
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
0ce6a434176e274a7e86bcaa268542c5cc402696)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 26 Oct 2011 09:52:47 +0000 (11:52 +0200)]
ide: Fix off-by-one error in array index check
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Kevin Wolf [Wed, 26 Oct 2011 09:03:01 +0000 (11:03 +0200)]
block: Fix bdrv_open use after free
tmp_filename was used outside the block it was defined in, i.e. after it went
out of scope. Move its declaration to the top level.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit
2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Pavel Borzenkov [Tue, 18 Oct 2011 17:19:03 +0000 (21:19 +0400)]
vmdk: vmdk_read_cid returns garbage if p_name is NULL
Spotted by Clang Analyzer
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
8379e46d1fd681b8aa4714382e2cdab05e5d0575)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Avi Kivity [Tue, 18 Oct 2011 17:43:12 +0000 (19:43 +0200)]
kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()
mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
themselves indirectly call kvm_flush_coalesced_mmio_buffer().
Prevent reentering the function by checking a flag that indicates
we're processing coalesced mmio requests.
Signed-off-by: Avi Kivity <avi@redhat.com>
(cherry picked from commit
1cae88b9f4121c9af0bf677435c6129e643280fd)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Peter Maydell [Thu, 13 Oct 2011 17:45:37 +0000 (18:45 +0100)]
compatfd.c: Don't pass NULL pointer to SYS_signalfd
Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
this isn't valid and Valgrind complains about it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
(cherry picked from commit
7f84c1272b601be88daeb828ec1890890c7aae25)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Anthony Liguori [Mon, 23 Jan 2012 13:30:43 +0000 (07:30 -0600)]
e1000: bounds packet size against buffer size
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
dann frazier [Wed, 21 Sep 2011 20:06:25 +0000 (14:06 -0600)]
e1000: Don't set the Capabilities List bit
[Originally sent to qemu-kvm list, but I was redirected here]
The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
this bit doesn't appear to change any behavior on Linux/Windows versions we've
tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.
I happen to have a physical 82540EM controller, and it also sets the
Capabilities Bit, but it actually has items on the capabilities list to go
with it :)
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
dd8e93799f13ef82d83c185b8e71e049452f7d40)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bjørn Mork [Wed, 17 Aug 2011 09:03:14 +0000 (11:03 +0200)]
e1000: use MII status register for link up/down
Some guests will use the standard MII status register
to verify link state. They will not notice link changes
unless this register is updated.
Verified with Linux 3.0 and Windows XP guests.
Without this patch, ethtool will report speed and duplex as
unknown when the link is down, but still report the link as
up. This is because the Linux e1000 driver checks the
mac_reg[STATUS] register link state before it checks speed
and duplex, but uses the phy_reg[PHY_STATUS] register for
the actual link state check. Fix by updating both registers
on link state changes.
Linux guest before:
(qemu) set_link e1000.0 off
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
(qemu) set_link e1000.0 on
Linux guest after:
(qemu) set_link e1000.0 off
[ 63.384221] e1000: eth0 NIC Link is Down
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: no
(qemu) set_link e1000.0 on
[ 84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)
Signed-off-by: Andreas Färber <afaerber@suse.de>
Jan Kiszka [Sun, 24 Jul 2011 17:38:36 +0000 (19:38 +0200)]
qdev: Reset hot-plugged devices
Device models rely on the core invoking their reset handlers after init.
We do this in the cold-plug case, but so far we miss this step after
hot-plug.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
5ab28c8340f683121c081a181adfd9f72ab85cba)
[AF: Fixes BNC#722958 / LTC#75394.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Markus Armbruster [Mon, 28 Nov 2011 19:27:37 +0000 (20:27 +0100)]
ccid: Fix buffer overrun in handling of VSC_ATR message
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Justin M. Forbes [Tue, 11 Oct 2011 14:46:03 +0000 (09:46 -0500)]
Version 0.15.1
Signed-off-by: Justin M. Forbes <jforbes@redhat.com>
Stefan Hajnoczi [Fri, 30 Sep 2011 10:39:11 +0000 (11:39 +0100)]
qed: fix use-after-free during l2 cache commit
QED's metadata caching strategy allows two parallel requests to race for
metadata lookup. The first one to complete will populate the metadata
cache and the second one will drop the data it just read in favor of the
cached data.
There is a use-after-free in qed_read_l2_table_cb() and
qed_commit_l2_update() where l2_table->offset was used after the
l2_table may have been freed due to a metadata lookup race. Fix this by
keeping the l2_offset in a local variable and not reaching into the
possibly freed l2_table.
Reported-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Jan Kiszka [Sat, 30 Jul 2011 09:39:04 +0000 (11:39 +0200)]
sdl: Fix termination in -no-shutdown mode
Just like the monitor does, we need to clear no_shutdown before calling
qemu_system_shutdown_request on quit requests. Otherwise, QEMU just
stops the VM.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Kevin Wolf [Wed, 14 Sep 2011 13:38:40 +0000 (15:38 +0200)]
Fix termination by signal with -no-shutdown
On signals such as SIGTERM qemu should exit instead of just stopping the VM
even with -no-shutdown.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Brad [Sat, 30 Jul 2011 05:45:55 +0000 (01:45 -0400)]
Add support for finding libpng via pkg-config.
Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Brad [Mon, 8 Aug 2011 00:02:11 +0000 (20:02 -0400)]
Check for presence of compiler -pthread flag.
OpenBSD / FreeBSD and some other OS's require the use of
cc -pthread to link threaded programs so have QEMU's
configure script check for the presence of the flag
and use it if so.
Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Brad [Fri, 2 Sep 2011 20:53:28 +0000 (16:53 -0400)]
Allow overriding the location of Samba's smbd.
Allow overriding the location of Samba's smbd.
Pretty much every OS I look at has some means of
changing this path (patching) so lets just make
it easier for OS developers creating packages
and/or end users to override the location.
Signed-off-by: Brad Smith <brad@comstyle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Gerd Hoffmann [Fri, 26 Aug 2011 09:16:10 +0000 (11:16 +0200)]
Fix linker scripts
Remove PROVIDE_HIDDEN and ONLY_IF_{RO,RW} from linker scripts to make
them work with older binutils versions. Fixes *-bsd-user build on
OpenBSD 4.9 which ships binutils 2.15.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Brad [Sun, 28 Aug 2011 08:01:33 +0000 (04:01 -0400)]
Fix install(1) usage to be compatible with OpenBSD's install(1).
Fix install(1) usage to be compatible with OpenBSD's install(1).
When creating a directory via the -d flag the -p flag cannot be
used at the same time. Also in the context of installing QEMU it
doesn't make sense to use the -p flag anyway so use the [default]
-c flag instead.
Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Jan Kiszka [Fri, 26 Aug 2011 17:52:11 +0000 (19:52 +0200)]
Fix qjson test of solidus encoding
"\/" is supposed to be decoded as "/", but there is no need to encode
"/" via escape. Fix the existing test and add a second one expressing
this.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Luiz Capitulino [Fri, 26 Aug 2011 18:00:13 +0000 (15:00 -0300)]
configure: Copy test data to build directory
The QDict unit-tests (check-qdict) will fail when ran on a different
build directory. That's, it only works when ran on the source dir.
This happens because its data file (qdict-test-data.txt) is not
copied to the build dir. Fix it.
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Conflicts:
configure
Jamie Iles [Wed, 10 Aug 2011 14:18:42 +0000 (15:18 +0100)]
monitor: fix build breakage for !CONFIG_VNC
Commit c62f6d1 (monitor: fix build breakage with --disable-vnc)
conditionalised some VNC setup code but left an unused variable. Move
the variable into the conditional code to fix the build breakage.
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Jamie Iles <jamie@jamieiles.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
TeLeMan [Mon, 25 Jul 2011 08:29:14 +0000 (16:29 +0800)]
monitor: fix build breakage with --disable-vnc
The breakage was introduced by the commit
13661089810d3e59931f3e80d7cb541b99af7071
Signed-off-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Brad [Sun, 7 Aug 2011 11:06:43 +0000 (11:06 +0000)]
Fix forcing multicast msgs to loopback on OpenBSD.
Fix forcing multicast msgs to loopback on OpenBSD.
e.g.
$ sudo qemu -m 128 -no-fd-bootchk \
-hda virtual.img -boot n -nographic \
-net nic,vlan=0,model=rtl8139,macaddr=52:54:00:12:34:03 \
-net user -tftp /usr/src/sys/arch/i386/compile/TEST -bootp pxeboot \
-net nic,vlan=1,model=rtl8139,macaddr=52:54:00:23:03:01 \
-net tap,vlan=1,script=no \
-net nic,vlan=3,model=rtl8139,macaddr=52:54:00:23:03:03 \
-net socket,vlan=3,mcast=230.0.0.1:10003
setsockopt(SOL_IP, IP_MULTICAST_LOOP): Invalid argument
qemu: -net socket,vlan=3,mcast=230.0.0.1:10003: Device 'socket' could not be initialized
Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
Justin M. Forbes [Sun, 14 Aug 2011 15:55:05 +0000 (10:55 -0500)]
Merge branch 'stable-0.15' of git://git.qemu.org/qemu
Anthony Liguori [Mon, 8 Aug 2011 18:27:32 +0000 (13:27 -0500)]
Update version to 0.15.0
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Kevin Wolf [Fri, 5 Aug 2011 10:06:11 +0000 (12:06 +0200)]
qcow2: Fix L1 table size after bdrv_snapshot_goto
When loading an internal snapshot whose L1 table is smaller than the current L1
table, the size of the current L1 would be shrunk to the snapshot's L1 size in
memory, but not on disk. This lead to incorrect refcount updates and eventuelly
to image corruption.
Instead of writing the new L1 size to disk, this simply retains the bigger L1
size that is currently in use and makes sure that the unused part is zeroed.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit
35d7ace74bd07e3d6983c1fd7cbfab4e11175689)
Justin M. Forbes [Thu, 4 Aug 2011 21:40:07 +0000 (16:40 -0500)]
Merge branch 'stable-0.15' of git://git.qemu.org/qemu
Anthony Liguori [Thu, 4 Aug 2011 20:28:01 +0000 (15:28 -0500)]
Revert "floppy: save and restore DIR register"
This reverts commit
7d905f716bea633f2836e1d661387983aacdc6d6.
The use of subsections by this commit are broken because of a fundamental
limitations of subsections in the current protocol.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Richard Henderson [Sun, 31 Jul 2011 23:47:20 +0000 (16:47 -0700)]
alpha-softmmu: Disable for the 0.15 release branch.
The system emulation code was not merged before the branch.
Let's leave that work for the next release.
Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Wolfgang Mauerer [Mon, 11 Jul 2011 12:57:43 +0000 (14:57 +0200)]
vhost build fix for i386
vhost.c uses __sync_fetch_and_and(), which is only
available for -march=i486 and above (see
https://bugzilla.redhat.com/show_bug.cgi?id=624279).
Signed-off-by: Wolfgang Mauerer <wolfgang.mauerer@siemens.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit
023367e6cd41199521613674b44e9c703c8be1a1)
Michael Roth [Mon, 1 Aug 2011 19:52:57 +0000 (14:52 -0500)]
guest agent: add --enable-guest-agent config option
QAPI will require glib/python, but for now the guest agent is the only
user. For now, make these dependencies an explicit guest agent one, and
give users the option to disable it if need be.
Once QAPI is adopted in core QEMU code, we would basically revert this
patch.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Peter Maydell [Sat, 30 Jul 2011 12:18:35 +0000 (13:18 +0100)]
user: Restore debug usage message for '-d ?' in user mode emulation
The code which prints the debug usage message on '-d ?' for *-user
has to come before the check for "not enough arguments", so that
"qemu-foo -d ?" prints the list of possible debug log items rather than
the generic usage message. (This was inadvertently broken in commit
c235d73.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Michael Walle [Thu, 21 Jul 2011 18:52:24 +0000 (20:52 +0200)]
lm32: softusb: claim to support full speed
The QEMU keyboard and mouse reports themselves as full speed devices,
though they are actually low speed devices. Until this is fixed, claim that
we are supporting full speed devices.
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Peter Maydell [Sat, 30 Jul 2011 12:18:35 +0000 (13:18 +0100)]
user: Restore debug usage message for '-d ?' in user mode emulation
The code which prints the debug usage message on '-d ?' for *-user
has to come before the check for "not enough arguments", so that
"qemu-foo -d ?" prints the list of possible debug log items rather than
the generic usage message. (This was inadvertently broken in commit
c235d73.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Michael Roth [Tue, 26 Jul 2011 16:39:24 +0000 (11:39 -0500)]
Makefile: add missing deps on $(GENERATED_HEADERS)
This fixes a build issue with make -j6+ due to qapi-generated files
being built before $(GENERATED_HEADERS) have been created.
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Anthony Liguori [Sun, 31 Jul 2011 20:38:11 +0000 (15:38 -0500)]
Update version to 0.15.0-rc2
Anthony Liguori [Fri, 29 Jul 2011 22:14:11 +0000 (17:14 -0500)]
Bump version to 0.15.0-rc1
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Justin M. Forbes [Fri, 29 Jul 2011 15:14:01 +0000 (10:14 -0500)]
Merge branch 'for-upstream-0.15' of git://git.linaro.org/people/pmaydell/qemu-arm
Amit Shah [Thu, 28 Jul 2011 06:06:26 +0000 (11:36 +0530)]
virtio-balloon: Unregister savevm section on device unplug
Migrating after unplugging a virtio-balloon device resulted in an error
message on the destination:
Unknown savevm section or instance '0000:00:04.0/virtio-balloon' 0
load of migration failed
Fix this by unregistering the section on device unplug.
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Amit Shah [Wed, 27 Jul 2011 08:20:41 +0000 (13:50 +0530)]
virtio-balloon: Add exit handler, fix memleaks
Add an exit handler that will free up RAM after a virtio-balloon device
is unplugged.
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>