qemu.git
5 years agovirtio-net: out-of-bounds buffer write on load
Michael S. Tsirkin [Mon, 28 Apr 2014 13:08:21 +0000 (16:08 +0300)] 
virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agoopenpic: avoid buffer overrun on incoming migration
Michael Roth [Mon, 28 Apr 2014 13:08:17 +0000 (16:08 +0300)] 
openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agossi-sd: fix buffer overrun on invalid state load
Michael S. Tsirkin [Mon, 28 Apr 2014 13:08:14 +0000 (16:08 +0300)] 
ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agosavevm: Ignore minimum_version_id_old if there is no load_state_old
Peter Maydell [Thu, 3 Apr 2014 16:52:28 +0000 (19:52 +0300)] 
savevm: Ignore minimum_version_id_old if there is no load_state_old

At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.

Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agousb: sanity check setup_index+setup_len in post_load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:25 +0000 (19:52 +0300)] 
usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:21 +0000 (19:52 +0300)] 
vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/

As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio-scsi: fix buffer overrun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:17 +0000 (19:52 +0300)] 
virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agozaurus: fix buffer overrun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:13 +0000 (19:52 +0300)] 
zaurus: fix buffer overrun on invalid state load

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agotsc210x: fix buffer overrun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:09 +0000 (19:52 +0300)] 
tsc210x: fix buffer overrun on invalid state load

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agossd0323: fix buffer overun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:52:05 +0000 (19:52 +0300)] 
ssd0323: fix buffer overun on invalid state load

CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agopxa2xx: avoid buffer overrun on incoming migration
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:57 +0000 (19:51 +0300)] 
pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio: validate num_sg when mapping
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:53 +0000 (19:51 +0300)] 
virtio: validate num_sg when mapping

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio: avoid buffer overrun on incoming migration
Michael Roth [Thu, 3 Apr 2014 16:51:46 +0000 (19:51 +0300)] 
virtio: avoid buffer overrun on incoming migration

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovmstate: fix buffer overflow in target-arm/machine.c
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:42 +0000 (19:51 +0300)] 
vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to valide the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agopl022: fix buffer overun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:35 +0000 (19:51 +0300)] 
pl022: fix buffer overun on invalid state load

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agohw/pci/pcie_aer.c: fix buffer overruns on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:31 +0000 (19:51 +0300)] 
hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agohpet: fix buffer overrun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:23 +0000 (19:51 +0300)] 
hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agoahci: fix buffer overrun on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:18 +0000 (19:51 +0300)] 
ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio: out-of-bounds buffer write on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:51:14 +0000 (19:51 +0300)] 
virtio: out-of-bounds buffer write on invalid state load

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio-net: out-of-bounds buffer write on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:50:56 +0000 (19:50 +0300)] 
virtio-net: out-of-bounds buffer write on invalid state load

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovirtio-net: fix buffer overflow on invalid state load
Michael S. Tsirkin [Thu, 3 Apr 2014 16:50:39 +0000 (19:50 +0300)] 
virtio-net: fix buffer overflow on invalid state load

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovmstate: add VMSTATE_VALIDATE
Michael S. Tsirkin [Thu, 3 Apr 2014 16:50:35 +0000 (19:50 +0300)] 
vmstate: add VMSTATE_VALIDATE

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovmstate: add VMS_MUST_EXIST
Michael S. Tsirkin [Thu, 3 Apr 2014 16:50:31 +0000 (19:50 +0300)] 
vmstate: add VMS_MUST_EXIST

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agovmstate: reduce code duplication
Michael S. Tsirkin [Thu, 3 Apr 2014 16:50:26 +0000 (19:50 +0300)] 
vmstate: reduce code duplication

move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140501' into...
Peter Maydell [Fri, 2 May 2014 10:32:00 +0000 (11:32 +0100)] 
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140501' into staging

target-arm queue:
 * implement XScale cache lockdown cp15 ops
 * fix v7M CPUID base register
 * implement WFE and YIELD as yields for A64
 * fix A64 "BLR LR"
 * support Cortex-A57 in virt machine model
 * a few other minor AArch64 bugfixes

# gpg: Signature made Thu 01 May 2014 15:42:17 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20140501:
  hw/arm/virt: Add support for Cortex-A57
  hw/arm/virt: Put GIC register banks on 64K boundaries
  hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
  target-arm: Correct a comment refering to EL0
  target-arm: A64: Fix a typo when declaring TLBI ops
  target-arm: A64: Handle blr lr
  target-arm: Make vbar_write 64bit friendly on 32bit hosts
  target-arm: implement WFE/YIELD as a yield for AArch64
  armv7m_nvic: fix CPUID Base Register
  target-arm: Implement XScale cache lockdown operations as NOPs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Fri, 2 May 2014 09:50:58 +0000 (10:50 +0100)] 
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches

# gpg: Signature made Wed 30 Apr 2014 19:19:32 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (31 commits)
  curl: Fix hang reading from slow connections
  curl: Ensure all informationals are checked for completion
  curl: Eliminate unnecessary use of curl_multi_socket_all
  curl: Remove unnecessary explicit calls to internal event handler
  curl: Remove erroneous sleep waiting for curl completion
  curl: Fix return from curl_read_cb with invalid state
  curl: Remove unnecessary use of goto
  curl: Fix long line
  block/vdi: Error out immediately in vdi_create()
  block/bochs: Fix error handling for seek_to_sector()
  qcow2: Check min_size in qcow2_grow_l1_table()
  qcow2: Catch bdrv_getlength() error
  block: Use correct width in format strings
  qcow2: Avoid overflow in alloc_clusters_noref()
  block: Use error_abort in bdrv_image_info_specific_dump()
  block: Fix open_flags in bdrv_reopen()
  Revert "block: another bdrv_append fix"
  block: Unlink temporary files in raw-posix/win32
  block: Remove BDRV_O_COPY_ON_READ for bs->file
  block: Create bdrv_backing_flags()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/cohuck/tags/kvm_cap_helpers' into staging
Peter Maydell [Thu, 1 May 2014 16:32:25 +0000 (17:32 +0100)] 
Merge remote-tracking branch 'remotes/cohuck/tags/kvm_cap_helpers' into staging

Add helpers for enabling kvm capabilities and convert the existing
s390x and ppc users to use them.

# gpg: Signature made Wed 30 Apr 2014 14:48:45 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/kvm_cap_helpers:
  ppc: use kvm_vcpu_enable_cap()
  s390x: use kvm_vcpu_enable_cap()
  kvm: add kvm_{vm,vcpu}_enable_cap

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-vga-2' into staging
Peter Maydell [Thu, 1 May 2014 15:02:45 +0000 (16:02 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-2' into staging

vga: add secondary stdvga variant

# gpg: Signature made Mon 28 Apr 2014 10:11:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-2:
  add secondary-vga to display-vga test
  add display-vga test
  vga: add secondary stdvga variant
  vga: allow non-global vmstate

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agohw/arm/virt: Add support for Cortex-A57
Peter Maydell [Thu, 24 Apr 2014 17:54:43 +0000 (18:54 +0100)] 
hw/arm/virt: Add support for Cortex-A57

Support the Cortex-A57 in the virt machine model.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-4-git-send-email-peter.maydell@linaro.org

5 years agohw/arm/virt: Put GIC register banks on 64K boundaries
Peter Maydell [Thu, 24 Apr 2014 17:54:42 +0000 (18:54 +0100)] 
hw/arm/virt: Put GIC register banks on 64K boundaries

For an AArch64 CPU which supports 64K pages, having the GIC
register banks at 4K offsets is potentially awkward. Move
them out to being at 64K offsets. (This is harmless for
AArch32 CPUs and for AArch64 CPUs with 4K pages, so it is simpler
to use the same offsets everywhere than to try to use 64K offsets
only for AArch64 host CPUs.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-3-git-send-email-peter.maydell@linaro.org

5 years agohw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv
Peter Maydell [Thu, 1 May 2014 14:24:46 +0000 (15:24 +0100)] 
hw/arm/virt: Create the GIC ourselves rather than (ab)using a15mpcore_priv

Rather than having the virt machine model create an a15mpcore_priv
device regardless of the actual CPU type in order to instantiate the GIC,
move to having the machine model create the GIC directly. This
corresponds to a system which uses a standalone GIC (eg the GIC-400)
rather than the one built in to the CPU core.

The primary motivation for this is to support the Cortex-A57,
which for a KVM configuration will use a GICv2, which is not
built into the CPU.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1398362083-17737-2-git-send-email-peter.maydell@linaro.org

5 years agotarget-arm: Correct a comment refering to EL0
Edgar E. Iglesias [Thu, 1 May 2014 14:24:46 +0000 (15:24 +0100)] 
target-arm: Correct a comment refering to EL0

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1398926097-28097-5-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-arm: A64: Fix a typo when declaring TLBI ops
Edgar E. Iglesias [Thu, 1 May 2014 14:24:46 +0000 (15:24 +0100)] 
target-arm: A64: Fix a typo when declaring TLBI ops

Harmless typo as opc1 defaults to zero and opc2 gets
re-declared to its correct value.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1398926097-28097-4-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-arm: A64: Handle blr lr
Edgar E. Iglesias [Thu, 1 May 2014 14:24:45 +0000 (15:24 +0100)] 
target-arm: A64: Handle blr lr

For linked branches, updates to the link register happen
conceptually after the read of the branch target register.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Cc: qemu-stable@nongnu.org
Message-id: 1398926097-28097-3-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-arm: Make vbar_write 64bit friendly on 32bit hosts
Edgar E. Iglesias [Thu, 1 May 2014 14:24:45 +0000 (15:24 +0100)] 
target-arm: Make vbar_write 64bit friendly on 32bit hosts

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1398926097-28097-2-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-arm: implement WFE/YIELD as a yield for AArch64
Rob Herring [Thu, 1 May 2014 14:24:45 +0000 (15:24 +0100)] 
target-arm: implement WFE/YIELD as a yield for AArch64

Like was done for AArch32 for WFE, implement both WFE and YIELD as a
yield operation. This speeds up multi-core system emulation.

Signed-off-by: Rob Herring <rob.herring@linaro.org>
Message-id: 1397588401-20366-1-git-send-email-robherring2@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoarmv7m_nvic: fix CPUID Base Register
Rabin Vincent [Thu, 1 May 2014 14:24:44 +0000 (15:24 +0100)] 
armv7m_nvic: fix CPUID Base Register

cp15.c0_cpuid is never initialized for ARMv7-M; take the value directly
from cpu->midr instead.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Message-id: 1398036308-32166-1-git-send-email-rabin@rab.in
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-arm: Implement XScale cache lockdown operations as NOPs
Peter Maydell [Thu, 1 May 2014 14:24:44 +0000 (15:24 +0100)] 
target-arm: Implement XScale cache lockdown operations as NOPs

XScale defines some implementation-specific coprocessor registers
for doing cache lockdown operations. Since QEMU doesn't model a
cache no proper implementation is possible, but NOP out the
registers so that guest code like u-boot that tries to use them
doesn't crash.

Reported-by: <prqek@centrum.cz>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-6' into staging
Peter Maydell [Thu, 1 May 2014 13:17:33 +0000 (14:17 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-6' into staging

gtk: collection of fixes and cleanups by Cole Robinson

# gpg: Signature made Tue 29 Apr 2014 10:44:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-6:
  gtk: Fix accelerators being triggered twice with gtk3
  gtk: Fix -serial vc
  gtk: Use ctrl+alt+q for quit accelerator
  gtk: Remove use of deprecated stock items
  gtk: Don't use deprecated vte_terminal_get_adjustment
  gtk: Don't use deprecated gtk_image_menu_item_new_with_mnemonic
  configure: Re-run make if gtkabi/sdlabi is changed
  configure: Document --with-gtkabi

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-2' into staging
Peter Maydell [Thu, 1 May 2014 12:51:23 +0000 (13:51 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-2' into staging

sdl2: mouse wheel support, ui config notify

# gpg: Signature made Tue 29 Apr 2014 11:17:01 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-2:
  sdl2: Support mouse wheel
  sdl2: add ui info setting.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-audio-4' into staging
Peter Maydell [Thu, 1 May 2014 12:05:54 +0000 (13:05 +0100)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-4' into staging

hda-audio: fix non-mixer codecs

# gpg: Signature made Tue 29 Apr 2014 10:03:44 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-audio-4:
  hda-audio: fix non-mixer codecs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agocurl: Fix hang reading from slow connections
Matthew Booth [Tue, 29 Apr 2014 15:03:32 +0000 (16:03 +0100)] 
curl: Fix hang reading from slow connections

When receiving a new aio read request, we first look for an existing
transaction whose range will cover the read request by the time it
completes. However, we weren't checking that the existing transaction
was still active. If it had timed out, we were adding the request to a
transaction which would never complete and had already been cancelled,
resulting in a hang.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Ensure all informationals are checked for completion
Matthew Booth [Tue, 29 Apr 2014 15:03:31 +0000 (16:03 +0100)] 
curl: Ensure all informationals are checked for completion

According to the documentation, the correct way to ensure all
informationals have been returned by curl_multi_info_read is to loop
until it returns NULL.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Eliminate unnecessary use of curl_multi_socket_all
Matthew Booth [Tue, 29 Apr 2014 15:03:30 +0000 (16:03 +0100)] 
curl: Eliminate unnecessary use of curl_multi_socket_all

curl_multi_socket_all is a deprecated catch-all which checks for
activities on all open curl sockets. We have enough information from
the event loop to check only the sockets with activity. This change
removes use of curl_multi_socket_all in favour of
curl_multi_socket_action called with the relevant handle.

At the same time, it also ensures that the driver only checks for
completion of read operations after reading from a socket, rather than
both reading and writing.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Remove unnecessary explicit calls to internal event handler
Matthew Booth [Tue, 29 Apr 2014 15:03:29 +0000 (16:03 +0100)] 
curl: Remove unnecessary explicit calls to internal event handler

Remove calls to curl_multi_do where the relevant handles are already
registered to the event loop.

Ensure that we kick off socket handling with CURL_SOCKET_TIMEOUT after
adding a new handle.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Remove erroneous sleep waiting for curl completion
Matthew Booth [Tue, 29 Apr 2014 15:03:28 +0000 (16:03 +0100)] 
curl: Remove erroneous sleep waiting for curl completion

The driver will not start more than a fixed number of curl sessions.
If it needs more, it must wait for the completion of an existing one.
The driver was sleeping, which will prevent the main loop from
running, and therefore the event it's waiting on. It was also directly
calling its internal handler rather than waiting on existing
registered handlers to be called from the main loop.

This change causes it simply to wait for a period of time whilst
allowing the main loop to execute.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Fix return from curl_read_cb with invalid state
Matthew Booth [Tue, 29 Apr 2014 15:03:27 +0000 (16:03 +0100)] 
curl: Fix return from curl_read_cb with invalid state

A curl write callback is supposed to return the number of bytes it
handled.  curl_read_cb would have erroneously reported it had handled
all bytes in the event that the internal curl state was invalid.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Remove unnecessary use of goto
Matthew Booth [Tue, 29 Apr 2014 15:03:26 +0000 (16:03 +0100)] 
curl: Remove unnecessary use of goto

This isn't any of the usually acceptable uses of goto.

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agocurl: Fix long line
Matthew Booth [Tue, 29 Apr 2014 15:03:25 +0000 (16:03 +0100)] 
curl: Fix long line

Signed-off-by: Matthew Booth <mbooth@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock/vdi: Error out immediately in vdi_create()
Max Reitz [Tue, 29 Apr 2014 17:03:16 +0000 (19:03 +0200)] 
block/vdi: Error out immediately in vdi_create()

Currently, if an error occurs during the part of vdi_create() which
actually writes the image, the function stores -errno, but continues
anyway.

Instead of trying to write data which (if it can be written at all) does
not make any sense without the operations before succeeding (e.g.,
writing the image header), just error out immediately.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock/bochs: Fix error handling for seek_to_sector()
Max Reitz [Tue, 29 Apr 2014 17:03:15 +0000 (19:03 +0200)] 
block/bochs: Fix error handling for seek_to_sector()

Currently, seek_to_sector() returns -1 both for errors and unallocated
sectors, resulting in silent errors. As 0 is an invalid offset of data
clusters (bitmap_offset is greater than 0 because s->data_offset is
greater than 0), just return 0 for unallocated sectors and -errno in
case of error. This should then be propagated by bochs_read(), the sole
user of seek_to_sector().

That function also has a case of "return -1 in case of error", which is
fixed by this patch as well.

bochs_read() is called by bochs_co_read() which passes the return value
through, therefore it is indeed correct for bochs_read() to return
-errno.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoqcow2: Check min_size in qcow2_grow_l1_table()
Max Reitz [Tue, 29 Apr 2014 17:03:14 +0000 (19:03 +0200)] 
qcow2: Check min_size in qcow2_grow_l1_table()

First, new_l1_size is an int64_t, whereas min_size is a uint64_t.
Therefore, during the loop which adjusts new_l1_size until it equals or
exceeds min_size, new_l1_size might overflow and become negative. The
comparison in the loop condition however will take it as an unsigned
value (because min_size is unsigned) and therefore recognize it as
exceeding min_size. Therefore, the loop is left with a negative
new_l1_size, which is not correct. This could be fixed by making
new_l1_size uint64_t.

On the other hand, however, by doing this, the while loop may take
forever. If min_size is e.g. UINT64_MAX, it will take new_l1_size
probably multiple overflows to reach the exact same value (if it reaches
it at all). Then, right after the loop, new_l1_size will be recognized
as being too big anyway.

Both problems require a ridiculously high min_size value, which is very
unlikely to occur; but both problems are also simply avoided by checking
whether min_size is sane before calculating new_l1_size (which should
still be checked separately, though).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoqcow2: Catch bdrv_getlength() error
Max Reitz [Tue, 29 Apr 2014 17:03:13 +0000 (19:03 +0200)] 
qcow2: Catch bdrv_getlength() error

The call to bdrv_getlength() from qcow2_check_refcounts() may result in
an error. Check this and abort if necessary.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: Use correct width in format strings
Max Reitz [Tue, 29 Apr 2014 17:03:12 +0000 (19:03 +0200)] 
block: Use correct width in format strings

Instead of blindly relying on a normal integer having a width of 32 bits
(which is a pretty good assumption, but we should not rely on it if
there is no need), use the correct format string macros.

This does not touch DEBUG output.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoqcow2: Avoid overflow in alloc_clusters_noref()
Max Reitz [Tue, 29 Apr 2014 17:03:11 +0000 (19:03 +0200)] 
qcow2: Avoid overflow in alloc_clusters_noref()

alloc_clusters_noref() stores the cluster index in a uint64_t. However,
offsets are often represented as int64_t (as for example the return
value of alloc_clusters_noref() itself demonstrates). Therefore, we
should make sure all offsets in the allocated range of clusters are
representable using int64_t without overflows.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoppc: use kvm_vcpu_enable_cap()
Cornelia Huck [Wed, 9 Apr 2014 15:21:57 +0000 (17:21 +0200)] 
ppc: use kvm_vcpu_enable_cap()

Convert existing users of KVM_ENABLE_CAP to new helper.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years agos390x: use kvm_vcpu_enable_cap()
Cornelia Huck [Wed, 9 Apr 2014 15:23:34 +0000 (17:23 +0200)] 
s390x: use kvm_vcpu_enable_cap()

Make kvm_s390_enable_css_support() use new interface.

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years agokvm: add kvm_{vm,vcpu}_enable_cap
Cornelia Huck [Wed, 23 Oct 2013 16:19:26 +0000 (18:19 +0200)] 
kvm: add kvm_{vm,vcpu}_enable_cap

Provide helper functions for enabling capabilities (on a vcpu and on a vm).

Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years agoblock: Use error_abort in bdrv_image_info_specific_dump()
Max Reitz [Tue, 29 Apr 2014 16:32:25 +0000 (18:32 +0200)] 
block: Use error_abort in bdrv_image_info_specific_dump()

Currently, bdrv_image_info_specific_dump() uses an error variable for
visit_type_ImageInfoSpecific, but ignores the result. As this function
is used here with an output visitor to transform the ImageInfoSpecific
object to a generic QDict, an error should actually be impossible. It is
however better to assert that this is indeed the case. This is done by
this patch using error_abort instead of an unused local Error variable.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: Fix open_flags in bdrv_reopen()
Kevin Wolf [Fri, 25 Apr 2014 17:04:55 +0000 (19:04 +0200)] 
block: Fix open_flags in bdrv_reopen()

Use the same function as bdrv_open() for determining what the right
flags for bs->file are. Without doing this, a reopen means that
bs->file loses BDRV_O_CACHE_WB or BDRV_O_UNMAP if bs doesn't have it as
well.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoRevert "block: another bdrv_append fix"
Kevin Wolf [Fri, 25 Apr 2014 10:36:07 +0000 (12:36 +0200)] 
Revert "block: another bdrv_append fix"

This reverts commit 3a389e7926750cba5c83f662b1941888b2bebc04. The commit
was wrong and what it tried to fix just works today without any change.

What the commit tried to fix:

    When creating live snapshots, the new image file is opened with
    BDRV_O_NO_BACKING because the whole backing chain is already opened.
    It is then appended to the chain using bdrv_append(). The result of
    this was that the image had a backing file, but BDRV_O_NO_BACKING
    was still set. This is obviously inconsistent.

    There used to be some places in qemu that closed and image and then
    opened it again, with its old flags (a bdrv_open()/close() sequence
    involves reopening the whole backing file chain, too). In this case
    the BDRV_O_NO_BACKING flag meant that the backing chain wasn't
    reopened and only the top layer was left.

    (Most, but not all of these places are replaced by bdrv_reopen()
    today, which doesn't touch the backing files at all.)

    Other places that looked at bs->open_flags weren't interested in
    BDRV_O_NO_BACKING, so no breakage there.

What it actually did:

    The commit moved the BDRV_O_NO_BACKING away to the backing file.
    Because the bdrv_open()/close() sequences only looked at the flags
    of the top level BlockDriverState and used it for the whole chain,
    the flag didn't hurt there any more. Obviously, it is still
    inconsistent because the backing file may have another backing file,
    but without practical impact.

    At the same time, it swapped all other flags. This is practically
    irrelevant as long as live snapshots only allow opening the new
    layer with the same flags as the old top layer. It still doesn't
    make any sense, and it is a time bomb that explodes as soon as the
    flags can differ.

    bdrv_append_temp_snapshot() is such a case: It adds the new flag
    BDRV_O_TEMPORARY for the temporary snapshot. The swapping of commit
    3a389e79 results in the following nonsensical configuration:

    bs->open_flags:                     BDRV_O_TEMPORARY cleared
    bs->file->open_flags:               BDRV_O_TEMPORARY set
    bs->backing_hd->open_flags:         BDRV_O_TEMPORARY set
    bs->backing_hd->file->open_flags:   BDRV_O_TEMPORARY cleared

    We're still lucky because the format layer ignores the flag and the
    protocol layer happens to get the right value, but sooner or later
    this is bound to go wrong...

What the right fix would have been:

    Simply clear the BDRV_O_NO_BACKING flag when the BlockDriverState is
    appended to an existing backing file chain, because now it does have
    a backing file.

    Commit 4ddc07ca already implemented this silently in bdrv_append(),
    so we don't have to come up with a new fix.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoblock: Unlink temporary files in raw-posix/win32
Kevin Wolf [Fri, 11 Apr 2014 17:16:36 +0000 (19:16 +0200)] 
block: Unlink temporary files in raw-posix/win32

Instead of having unlink() calls in the generic block layer, where we
aren't even guarateed to have a file name, move them to those block
drivers that are actually used and that always have a filename. Gets us
rid of some #ifdefs as well.

The patch also converts bs->is_temporary to a new BDRV_O_TEMPORARY open
flag so that it is inherited in the protocol layer and the raw-posix and
raw-win32 drivers can unlink the file.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoblock: Remove BDRV_O_COPY_ON_READ for bs->file
Kevin Wolf [Fri, 11 Apr 2014 19:36:45 +0000 (21:36 +0200)] 
block: Remove BDRV_O_COPY_ON_READ for bs->file

Copy on Read makes sense on the format level where backing files are
implemented, but it's not required on the protocol level. While it
shouldn't actively break anything to have COR enabled on both layers,
needless serialisation and allocation checks may impact performance.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoblock: Create bdrv_backing_flags()
Kevin Wolf [Fri, 25 Apr 2014 11:27:34 +0000 (13:27 +0200)] 
block: Create bdrv_backing_flags()

Instead of manipulation flags inline, move the derivation of the flags
of a backing file into a new function next to the existing functions
that derive flags for bs->file and for the block driver open function.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoblock: Create bdrv_inherited_flags()
Kevin Wolf [Fri, 11 Apr 2014 19:29:52 +0000 (21:29 +0200)] 
block: Create bdrv_inherited_flags()

Instead of having bdrv_open_flags() as a function that creates flags for
several unrelated places and then adding open-coded flags on top, create
a new function that derives the flags for bs->file from the flags for bs.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
5 years agoiotests: Discarding compressed clusters on qcow2
Max Reitz [Tue, 29 Apr 2014 14:12:31 +0000 (16:12 +0200)] 
iotests: Discarding compressed clusters on qcow2

Add a test which discards a compressed cluster on qcow2. This should
work without any problems.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoqcow2: Fix discard
Max Reitz [Tue, 29 Apr 2014 14:12:30 +0000 (16:12 +0200)] 
qcow2: Fix discard

discard_single_l2() should not implement its own version of
qcow2_get_cluster_type(), but rather rely on this already existing
function. By doing so, it will work for compressed clusters as well
(which it did not so far).

Also, rename "old_offset" to "old_l2_entry", as both are quite different
(and the value is indeed of the latter kind).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: qemu-iotests: make test 019 and 086 work with spaced pathnames
Jeff Cody [Thu, 10 Apr 2014 20:47:40 +0000 (16:47 -0400)] 
block: qemu-iotests: make test 019 and 086 work with spaced pathnames

Both tests 019 and 086 need proper quotations to work with pathnames
that contain spaces.

Reviewed-by: Benoit Canet <benoit@irqsave.net>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: qemu-iotests - fix image cleanup when using spaced pathnames
Jeff Cody [Thu, 10 Apr 2014 20:47:39 +0000 (16:47 -0400)] 
block: qemu-iotests - fix image cleanup when using spaced pathnames

The _rm_test_img() function in common.rc did not quote the image
file, which left droppings in the scratch directory (and performed
a potentially unsafe rm -f).

This adds the necessary quotes.

Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/rth/tags/tcg-sparc-pull-20140428' into staging
Peter Maydell [Tue, 29 Apr 2014 12:03:25 +0000 (13:03 +0100)] 
Merge remote-tracking branch 'remotes/rth/tags/tcg-sparc-pull-20140428' into staging

TCG sparc backend update for 20140428

# gpg: Signature made Mon 28 Apr 2014 19:36:55 BST using RSA key ID 4DD0279B
# gpg: Can't check signature: public key not found

* remotes/rth/tags/tcg-sparc-pull-20140428:
  tcg-sparc: Accept stores of zero
  tcg-sparc: Fix small 32-bit movi
  tcg-sparc: Fixup function argument types
  tcg-sparc: Hoist common argument loads in tcg_out_op
  tcg-sparc: Don't handle mov/movi in tcg_out_op
  tcg-sparc: Tidy check_fit_* tests
  tcg-sparc: Implement muls2_i32
  tcg-sparc: Use the RETURN instruction
  tcg-sparc: Use 64-bit registers with sparcv8plus
  tcg-sparc: Support trunc_shr_i32
  tcg-sparc: Remove most uses of TCG_TARGET_REG_BITS
  tcg: Add INDEX_op_trunc_shr_i32
  tcg: Fix missed pointer size != TCG_TARGET_REG_BITS changes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agomirror: Check for bdrv_get_info result
Fam Zheng [Tue, 29 Apr 2014 10:14:17 +0000 (18:14 +0800)] 
mirror: Check for bdrv_get_info result

bdrv_get_info could fail. Add check before using the returned value.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agomirror: Fix resource leak when bdrv_getlength fails
Fam Zheng [Tue, 29 Apr 2014 10:09:09 +0000 (18:09 +0800)] 
mirror: Fix resource leak when bdrv_getlength fails

The direct return will skip releasing of all the resouces at
immediate_exit, don't miss that.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: Ignore duplicate or NULL format_name in bdrv_iterate_format
Jeff Cody [Mon, 28 Apr 2014 22:29:54 +0000 (18:29 -0400)] 
block: Ignore duplicate or NULL format_name in bdrv_iterate_format

Some block drivers have multiple BlockDriver instances with identical
format_name fields (e.g. gluster, nbd).

Both qemu-img and qemu will use bdrv_iterate_format() to list the
supported formats when a help option is invoked.  As protocols and
formats may register multiple drivers, redundant listings of formats
occur (e.g., "Supported formats: ... gluster gluster gluster gluster ...
").

Since the list of driver formats will be small, this performs a simple
linear search on format_name, and ignores any duplicates.

The end result change is that the iterator will no longer receive
duplicate string names, nor will it receive NULL pointers.

Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agosdl2: Support mouse wheel
Cole Robinson [Mon, 21 Apr 2014 22:58:50 +0000 (18:58 -0400)] 
sdl2: Support mouse wheel

In SDL2, wheel movement is its own event, not a button event. Wire
it up similar to gtk.c

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agosdl2: add ui info setting.
Dave Airlie [Tue, 25 Mar 2014 06:50:36 +0000 (16:50 +1000)] 
sdl2: add ui info setting.

Allows you to resize the sdl2 window and have the guest notice.

[ kraxel: zero-initialize QemuUIInfo ]

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Fix accelerators being triggered twice with gtk3
Cole Robinson [Thu, 24 Apr 2014 17:35:56 +0000 (13:35 -0400)] 
gtk: Fix accelerators being triggered twice with gtk3

When keyboard focus is grabbed, current qemu wants to pass every
keypress to the VM, unless the user is pressing a UI accelerator.

That's exactly how things work without any of the fancy handling. Drop
the special handling, which seems to trigger accelerators twice on gtk3.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Fix -serial vc
Cole Robinson [Thu, 24 Apr 2014 17:35:54 +0000 (13:35 -0400)] 
gtk: Fix -serial vc

Try kicking off a rhel5 text install over serial, the text menu navigation
is all messed up, and some of the kernel boot messages are randomly
corrupted.

Drop use of a pty and just use vte infrastructure for reading and writing.
This fixes the above corruption, and is simpler to boot.

(I don't know what was wrong with the original code though. FWIW this is
what virt-manager has done for years).

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Use ctrl+alt+q for quit accelerator
Cole Robinson [Mon, 17 Mar 2014 20:06:27 +0000 (16:06 -0400)] 
gtk: Use ctrl+alt+q for quit accelerator

Using the standard ctrl+q makes it too easy to kill the whole VM. Using
ctrl+alt+FOO is consistent with our other accelerators.

https://bugzilla.redhat.com/show_bug.cgi?id=1062393
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Remove use of deprecated stock items
Cole Robinson [Mon, 17 Mar 2014 20:06:26 +0000 (16:06 -0400)] 
gtk: Remove use of deprecated stock items

Stock items are deprecated. As are ImageMenuItems. Convert everything to
text only MenuItems, with the same text content as mentioned in the
conversion guide:

https://docs.google.com/spreadsheet/pub?key=0AsPAM3pPwxagdGF4THNMMUpjUW5xMXZfdUNzMXhEa2c&output=html

gtk2 users lose their menu icons as well, but I don't think that's enough
of a problem to warrant keeping around back compat code.

Example error:

ui/gtk.c:1328:5: error: ‘GtkStock’ is deprecated [-Werror=deprecated-declarations]
ui/gtk.c:1335:5: error: ‘gtk_image_menu_item_new_from_stock’ is deprecated (declared at /usr/include/gtk-3.0/gtk/deprecated/gtkimagemenuitem.h:78): Use 'gtk_menu_item_new' instead [-Werror=deprecated-declarations]
     s->zoom_out_item = gtk_image_menu_item_new_from_stock(GTK_STOCK_ZOOM_OUT, NULL);

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Don't use deprecated vte_terminal_get_adjustment
Cole Robinson [Mon, 17 Mar 2014 20:06:25 +0000 (16:06 -0400)] 
gtk: Don't use deprecated vte_terminal_get_adjustment

Guard this with a VTE version check, since I'm not sure if this is backwards
compatible.

ui/gtk.c: In function ‘gd_vc_init’:
ui/gtk.c:1176:5: error: ‘vte_terminal_get_adjustment’ is deprecated (declared at /usr/include/vte-2.90/vte/vtedeprecated.h:101) [-Werror=deprecated-declarations]

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agogtk: Don't use deprecated gtk_image_menu_item_new_with_mnemonic
Cole Robinson [Mon, 17 Mar 2014 20:06:24 +0000 (16:06 -0400)] 
gtk: Don't use deprecated gtk_image_menu_item_new_with_mnemonic

In these cases we weren't using an image in the menu item anyways, so
just do as the suggestion says. Should be fine for all qemu supported
gtk versions.

ui/gtk.c: In function ‘gd_create_menu_machine’:
ui/gtk.c:1284:5: error: ‘gtk_image_menu_item_new_with_mnemonic’ is deprecated (declared at /usr/include/gtk-3.0/gtk/deprecated/gtkimagemenuitem.h:76): Use 'gtk_menu_item_new_with_mnemonic' instead [-Werror=deprecated-declarations]
     s->reset_item = gtk_image_menu_item_new_with_mnemonic(_("_Reset"));
     ^
ui/gtk.c:1287:5: error: ‘gtk_image_menu_item_new_with_mnemonic’ is deprecated (declared at /usr/include/gtk-3.0/gtk/deprecated/gtkimagemenuitem.h:76): Use 'gtk_menu_item_new_with_mnemonic' instead [-Werror=deprecated-declarations]
     s->powerdown_item = gtk_image_menu_item_new_with_mnemonic(_("Power _Down"));

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoconfigure: Re-run make if gtkabi/sdlabi is changed
Cole Robinson [Thu, 24 Apr 2014 17:35:52 +0000 (13:35 -0400)] 
configure: Re-run make if gtkabi/sdlabi is changed

Reconfiguring with a different --with-gtkabi or --with-sdlabi doesn't
trigger a remake. Generate an (unused) CONFIG_GTKABI/CONFIG_SDLABI
so config-host.h will actually give 'make' something to trigger on.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoconfigure: Document --with-gtkabi
Cole Robinson [Mon, 17 Mar 2014 20:06:23 +0000 (16:06 -0400)] 
configure: Document --with-gtkabi

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agohda-audio: fix non-mixer codecs
Gerd Hoffmann [Thu, 17 Apr 2014 10:43:26 +0000 (12:43 +0200)] 
hda-audio: fix non-mixer codecs

They don't advertise mixer support, but still allow the guest change
mixer settings.  Add a check to avoid it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoblock: Add '--version' option to qemu-img
Jeff Cody [Mon, 28 Apr 2014 18:37:18 +0000 (14:37 -0400)] 
block: Add '--version' option to qemu-img

This allows qemu-img to print out version information, without
needing to print the long help wall of text.

While there, perform some minor whitespace cleanup, and remove the
unused option_index variable in the call to getopt_long().

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agotcg-sparc: Accept stores of zero
Richard Henderson [Mon, 17 Mar 2014 18:10:59 +0000 (11:10 -0700)] 
tcg-sparc: Accept stores of zero

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Fix small 32-bit movi
Richard Henderson [Fri, 7 Mar 2014 00:06:24 +0000 (16:06 -0800)] 
tcg-sparc: Fix small 32-bit movi

We tested imm13 before discarding garbage high bits.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Fixup function argument types
Richard Henderson [Thu, 6 Mar 2014 23:12:48 +0000 (15:12 -0800)] 
tcg-sparc: Fixup function argument types

Use TCGReg everywhere appropriate.  Use int32_t for all arguments
that may be registers or immediate constants.  Merge tcg_out_addi
into its only caller.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Hoist common argument loads in tcg_out_op
Richard Henderson [Thu, 6 Mar 2014 22:21:26 +0000 (14:21 -0800)] 
tcg-sparc: Hoist common argument loads in tcg_out_op

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Don't handle mov/movi in tcg_out_op
Richard Henderson [Thu, 6 Mar 2014 22:16:26 +0000 (14:16 -0800)] 
tcg-sparc: Don't handle mov/movi in tcg_out_op

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Tidy check_fit_* tests
Richard Henderson [Thu, 6 Mar 2014 21:44:15 +0000 (13:44 -0800)] 
tcg-sparc: Tidy check_fit_* tests

Use sextract instead of raw bit shifting for the tests.  Introduce
a new check_fit_ptr macro to make it clear we're looking at pointers.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Implement muls2_i32
Richard Henderson [Thu, 6 Mar 2014 19:46:11 +0000 (11:46 -0800)] 
tcg-sparc: Implement muls2_i32

Using the 32-bit SMUL is a tad more efficient than
resorting to extending and using the 64-bit MULX.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Use the RETURN instruction
Richard Henderson [Thu, 6 Mar 2014 17:34:29 +0000 (09:34 -0800)] 
tcg-sparc: Use the RETURN instruction

Saves one insn per TB exit over JMPL+RESTORE.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Use 64-bit registers with sparcv8plus
Richard Henderson [Tue, 4 Mar 2014 21:39:48 +0000 (13:39 -0800)] 
tcg-sparc: Use 64-bit registers with sparcv8plus

Quite a lot of effort was spent composing and decomposing 64-bit
quantities in registers, when we should just create them and leave
them as one 64-bit register.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Support trunc_shr_i32
Richard Henderson [Wed, 5 Mar 2014 20:27:23 +0000 (12:27 -0800)] 
tcg-sparc: Support trunc_shr_i32

Unlike a 64-bit shift op, allows the output to be in %l or %i registers
for sparcv8plus.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg-sparc: Remove most uses of TCG_TARGET_REG_BITS
Richard Henderson [Sun, 8 Sep 2013 18:00:59 +0000 (11:00 -0700)] 
tcg-sparc: Remove most uses of TCG_TARGET_REG_BITS

Replace with SPARC64 define.  Soon even sparcv8plus will use
64-bit register as far as TCG is concerned.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg: Add INDEX_op_trunc_shr_i32
Richard Henderson [Tue, 10 Sep 2013 00:03:24 +0000 (17:03 -0700)] 
tcg: Add INDEX_op_trunc_shr_i32

Let the backend do something special for truncation.

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agotcg: Fix missed pointer size != TCG_TARGET_REG_BITS changes
Richard Henderson [Mon, 9 Sep 2013 15:26:49 +0000 (08:26 -0700)] 
tcg: Fix missed pointer size != TCG_TARGET_REG_BITS changes

Signed-off-by: Richard Henderson <rth@twiddle.net>
5 years agomirror: Use DIV_ROUND_UP
Fam Zheng [Mon, 28 Apr 2014 02:59:28 +0000 (10:59 +0800)] 
mirror: Use DIV_ROUND_UP

Although bdrv_getlength() was just called above this, and checked for
error, it is better to just use the value we already get, and use
DIV_ROUND_UP.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: fix qemu-img --help invocation
Jeff Cody [Fri, 25 Apr 2014 21:02:32 +0000 (17:02 -0400)] 
block: fix qemu-img --help invocation

This fixes a bug introduced in commit ac1307ab, that caused the
'--help' option to not be recognized as a valid command, and not
print any help.

Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>