This patch factorizes some duplicate code into a new function,
sotranslate_out(). This function perform the address translation when a
packet is transmitted to the host network. If the packet is destinated
to the host, the loopback address is used, and if the packet is
destinated to the virtual DNS, the real DNS address is used. This code
is just a copy of the existent, but factorized and ready to manage the
IPv6 case.
On the same model, the major part of udp_output() code is moved into a
new sotranslate_in(). This function is directly used in sorecvfrom(),
like sotranslate_out() in sosendto().
udp_output() becoming useless, it is removed and udp_output2() is
renamed into udp_output(). This adds consistency with the udp6_output()
function introduced by further patches.
Lastly, this factorizes some duplicate code into sotranslate_accept(), which
performs the address translation when a connection is established on the host
for port forwarding: if it comes from localhost, the host virtual address is
used instead.
This patch replaces foreign and local address/port couples in Socket
structure by 2 sockaddr_storage which can be casted in sockaddr_in.
Direct access to address and port is still possible thanks to some
\#define, so retrocompatibility of the existing code is assured.
The ss_family field of sockaddr_storage is declared after each socket
creation.
The whole structure is also saved/restored when a Qemu session is
saved/restored.
Before this patch, if sosendto fails, udp_input is executed as if the
packet was sent, recording the packet for icmp errors, which does not
makes sense since the packet was not actually sent, errors would be
related to a previous packet.
This patch adds a goto bad to cut the execution of this function.
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
net: cadence_gem: check packet size in gem_recieve
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.
Thomas Huth [Wed, 13 Jan 2016 08:05:32 +0000 (09:05 +0100)]
net/slirp: Tell the users when they are using deprecated options
We don't want to support the legacy -tftp, -bootp, -smb and
-net channel options forever. So let's start telling the users
that they are deprecated and what option should be used instead.
Peter Maydell [Wed, 3 Feb 2016 19:00:33 +0000 (19:00 +0000)]
Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging
# gpg: Signature made Wed 03 Feb 2016 15:47:34 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/tracing-pull-request:
log: add "-d trace:PATTERN"
trace: switch default backend to "log"
trace: convert stderr backend to log
log: move qemu-log.c into util/ directory
log: do not unnecessarily include qom/cpu.h
trace: add "-trace help"
trace: add "-trace enable=..."
trace: no need to call trace_backend_init in different branches now
trace: split trace_init_file out of trace_init_backends
trace: split trace_init_events out of trace_init_backends
trace: fix documentation
trace: track enabled events in a separate array
trace: count number of enabled events
All functions relative to DMA (DMA_*() functions) are stubs on sparc64 platform.
Disable the DMA of the floppy controller, instead of calling these stubs.
All functions relative to DMA (DMA_*() functions) are stubs on sparc platform.
Disable the DMA in the floppy controller, instead of calling these stubs.
Floppy uses the DMA controller in rc4030 chipset, and not the i8259 from the ISA bus.
It's better to disable DMA than to call the wrong DMA controller.
John Snow [Wed, 3 Feb 2016 16:28:55 +0000 (11:28 -0500)]
fdc: fix detection under Linux
Accidentally, I removed a "feature" where empty drives had geometry
values applied to them, which allows seek on empty drives to work
"by accident," as QEMU actually tries to disallow that.
Seeks on empty drives should work, though, but the easiest thing is to
restore the misfeature where empty drives have non-zero geometries
applied.
Document the hack accordingly.
[Maintainer edit]
This fix corrects a regression introduced in d5d47efc, where
pick_geometry was modified such that it would not operate on empty
drives, and as a result if there is no diskette inserted, QEMU
no longer populates it with geometry bounds. As a result, seek fails
when QEMU denies to move the current track, but reports success anyway.
This can confuse the guest, leading to kernel panics in the guest.
Andrew Baumann [Fri, 29 Jan 2016 22:50:41 +0000 (14:50 -0800)]
bcm2836_control: add bcm2836 ARM control logic
This module is specific to the bcm2836 (Pi2). It implements the top
level interrupt controller, and mailboxes used for inter-processor
synchronisation.
Andrew Baumann [Fri, 29 Jan 2016 22:50:40 +0000 (14:50 -0800)]
bcm2835_peripherals: add rollup device for bcm2835 peripherals
This device maintains all the non-CPU peripherals on bcm2835 (Pi1)
which are also present on bcm2836 (Pi2). It also implements the
private address spaces used for DMA and mailboxes.
Andrew Baumann [Fri, 29 Jan 2016 22:50:38 +0000 (14:50 -0800)]
bcm2835_property: add bcm2835 property channel
This sits behind the mailbox interface, and implements
request/response queries for system properties. The
framebuffer-related properties will be added in a later patch.
Peter Maydell [Tue, 2 Feb 2016 18:20:42 +0000 (18:20 +0000)]
target-arm: Don't report presence of EL2 if it doesn't exist
We already modify the processor feature bits to not report EL3
support to the guest if EL3 isn't enabled for the CPU we're emulating.
Add similar support for not reporting EL2 unless it is enabled.
This is necessary because real world guest code running at EL3
(trusted firmware or bootloaders) will query the ID registers to
determine whether it should start a guest Linux kernel in EL2 or EL3.
Peter Maydell [Wed, 3 Feb 2016 13:46:34 +0000 (13:46 +0000)]
libvixl: Avoid std::abs() of 64-bit type
The std::abs() function did not get a version that works on
'long long' until C++11. Avoid it, so that we can compile on
32-bit platforms (where int64_t is 'long long') with older
compilers (which don't support C++11).
Igor Mammedov [Wed, 3 Feb 2016 13:46:34 +0000 (13:46 +0000)]
arm: virt-acpi: each MADT.GICC entry as enabled unconditionally
in current impl. condition
build_madt() {
...
if (test_bit(i, cpuinfo->found_cpus))
is always true since loop handles only present CPUs
in range [0..smp_cpus).
But to fill usless cpuinfo->found_cpus we do unnecessary
scan over QOM tree to find the same CPUs.
So mark GICC as present always and drop not needed
code that fills cpuinfo->found_cpus.
Peter Maydell [Wed, 3 Feb 2016 13:46:33 +0000 (13:46 +0000)]
target-arm: Make various system registers visible to EL3
The AArch64 system registers DACR32_EL2, IFSR32_EL2, SPSR_IRQ,
SPSR_ABT, SPSR_UND and SPSR_FIQ are visible and fully functional from
EL3 even if the CPU has no EL2 (unlike some others which are RES0
from EL3 in that configuration). Move them from el2_cp_reginfo[] to
v8_cp_reginfo[] so they are always present.
Andrew Jones [Wed, 3 Feb 2016 13:46:32 +0000 (13:46 +0000)]
virt-acpi-build: add always-on property for timer
This patch is the ACPI equivalent of "hw/arm/virt: Add always-on
property to the virt board timer". The timer is always on, and
thus setting this informs Linux that it may switch off the periodic
timer. Switching off the periodic timer substantially reduces the
number of interrupts the host needs to inject.
Testing note: AArch64 guests (the only ones currently booting with
ACPI) do not actually need this patch to determine it can turn the
periodic timer off. I therefore used a hacked guest kernel to ensure
this patch works as the equivalent DT patch does.
Peter Maydell [Wed, 3 Feb 2016 12:23:48 +0000 (12:23 +0000)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160203-1' into staging
virtio-gpu: bugfixes and spice support preparation
# gpg: Signature made Wed 03 Feb 2016 09:47:13 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>"
# gpg: aka "Gerd Hoffmann <[email protected]>"
# gpg: aka "Gerd Hoffmann (private) <[email protected]>"
* remotes/kraxel/tags/pull-vga-20160203-1:
virtio-gpu: block any rendering until client (ui) is done
virtio-gpu: add support to enable/disable command processing
virtio-gpu: maintain command queue
virtio-gpu: fix memory leak in error path
console: block rendering until client is done
zap qemu_egl_has_ext in include/ui/egl-helpers.h
Paolo Bonzini [Thu, 7 Jan 2016 13:55:32 +0000 (16:55 +0300)]
log: add "-d trace:PATTERN"
This is a bit easier to use than "-trace" if you are also enabling
other kinds of logging. It is also more discoverable for experienced
QEMU users, and accessible from user-mode emulators.
Gerd Hoffmann [Tue, 1 Dec 2015 11:05:14 +0000 (12:05 +0100)]
virtio-gpu: maintain command queue
We'll go take out the commands we receive out of the virt queue and put
them into a linked list, to decouple virtio queue handling from actual
command processing.
Also move cmd processing to new virtio_gpu_handle_ctrl func, so we can
easily kick it from different places.
Gerd Hoffmann [Thu, 3 Dec 2015 11:34:25 +0000 (12:34 +0100)]
console: block rendering until client is done
Allow gl user interfaces to block display device gl rendering.
The ui code might want to do that in case it takes a little
longer to bring things to screen, for example because we'll
hand over a dma-buf to another process (spice will do that).
Paolo Bonzini [Wed, 28 Oct 2015 06:06:26 +0000 (07:06 +0100)]
trace: count number of enabled events
This lets trace_event_get_state_dynamic quickly return false. Right
now there is hardly any benefit because there are also many assertions
and indirections, but the next patch will streamline all of this.
hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <[email protected]> Signed-off-by: Wolfgang Bumiller <[email protected]>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked] Signed-off-by: Markus Armbruster <[email protected]>
Peter Maydell [Tue, 2 Feb 2016 18:04:04 +0000 (18:04 +0000)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-for-peter-2016-02-02' into staging
Block patches
# gpg: Signature made Tue 02 Feb 2016 17:23:44 GMT using RSA key ID E838ACAD
# gpg: Good signature from "Max Reitz <[email protected]>"
* remotes/maxreitz/tags/pull-block-for-peter-2016-02-02: (50 commits)
block: qemu-iotests - add test for snapshot, commit, snapshot bug
block: set device_list.tqe_prev to NULL on BDS removal
iotests: Add "qemu-img map" test for VMDK extents
qemu-img: Make MapEntry a QAPI struct
qemu-img: In "map", use the returned "file" from bdrv_get_block_status
block: Use returned *file in bdrv_co_get_block_status
vmdk: Return extent's file in bdrv_get_block_status
vmdk: Fix calculation of block status's offset
vpc: Assign bs->file->bs to file in vpc_co_get_block_status
vdi: Assign bs->file->bs to file in vdi_co_get_block_status
sheepdog: Assign bs to file in sd_co_get_block_status
qed: Assign bs->file->bs to file in bdrv_qed_co_get_block_status
parallels: Assign bs->file->bs to file in parallels_co_get_block_status
iscsi: Assign bs to file in iscsi_co_get_block_status
raw: Assign bs to file in raw_co_get_block_status
qcow2: Assign bs->file->bs to file in qcow2_co_get_block_status
qcow: Assign bs->file->bs to file in qcow_co_get_block_status
block: Add "file" output parameter to block status query functions
block: acquire in bdrv_query_image_info
iotests: Add test for block jobs and BDS ejection
...
Jeff Cody [Tue, 2 Feb 2016 01:33:10 +0000 (20:33 -0500)]
block: set device_list.tqe_prev to NULL on BDS removal
This fixes a regression introduced with commit 3f09bfbc7. Multiple
bugs arise in conjunction with live snapshots and mirroring operations
(which include active layer commit).
After a live snapshot occurs, the active layer and the base layer both
have a non-NULL tqe_prev field in the device_list, although the base
node's tqe_prev field points to a NULL entry. This non-NULL tqe_prev
field occurs after the bdrv_append() in the external snapshot calls
change_parent_backing_link().
In change_parent_backing_link(), when the previous active layer is
removed from device_list, the device_list.tqe_prev pointer is not
set to NULL.
The operating scheme in the block layer is to indicate that a BDS belongs
in the bdrv_states device_list iff the device_list.tqe_prev pointer
is non-NULL.
This patch does two things:
1.) Introduces a new block layer helper bdrv_device_remove() to remove a
BDS from the device_list, and
2.) uses that new API, which also fixes the regression once used in
change_parent_backing_link().
Fam Zheng [Tue, 26 Jan 2016 03:58:48 +0000 (11:58 +0800)]
block: Add "file" output parameter to block status query functions
The added parameter can be used to return the BDS pointer which the
valid offset is referring to. Its value should be ignored unless
BDRV_BLOCK_OFFSET_VALID in ret is set.
Until block drivers fill in the right value, let's clear it explicitly
right before calling .bdrv_get_block_status.
The "bs->file" condition in bdrv_co_get_block_status is kept now to keep iotest
case 102 passing, and will be fixed once all drivers return the right file
pointer.
Max Reitz [Fri, 29 Jan 2016 15:36:15 +0000 (16:36 +0100)]
iotests: Add test for multiple BB on BDS tree
This adds a test for having multiple BlockBackends in one BDS tree. In
this case, there is one BB for the protocol BDS and one BB for the
format BDS in a simple two-BDS tree (with the protocol BDS and BB added
first).
When bdrv_close_all() is executed, no cached data from any BDS should be
lost; the protocol BDS may not be closed until the format BDS is closed.
Otherwise, metadata updates may be lost.
Max Reitz [Fri, 29 Jan 2016 15:36:14 +0000 (16:36 +0100)]
block: Rewrite bdrv_close_all()
This patch rewrites bdrv_close_all(): Until now, all root BDSs have been
force-closed. This is bad because it can lead to cached data not being
flushed to disk.
Instead, try to make all reference holders relinquish their reference
voluntarily:
1. All BlockBackend users are handled by making all BBs simply eject
their BDS tree. Since a BDS can never be on top of a BB, this will
not cause any of the issues as seen with the force-closing of BDSs.
The references will be relinquished and any further access to the BB
will fail gracefully.
2. All BDSs which are owned by the monitor itself (because they do not
have a BB) are relinquished next.
3. Besides BBs and the monitor, block jobs and other BDSs are the only
things left that can hold a reference to BDSs. After every remaining
block job has been canceled, there should not be any BDSs left (and
the loop added here will always terminate (as long as NDEBUG is not
defined), because either all_bdrv_states will be empty or there will
not be any block job left to cancel, failing the assertion).
Max Reitz [Fri, 29 Jan 2016 15:36:13 +0000 (16:36 +0100)]
block: Add blk_remove_all_bs()
When bdrv_close_all() is called, instead of force-closing all root
BlockDriverStates, it is better to just drop the reference from all
BlockBackends and let them be closed automatically. This prevents BDS
from getting closed that are still referenced by other BDS, which may
result in loss of cached data.
This patch adds a function for doing that, but does not yet incorporate
it in bdrv_close_all().
Max Reitz [Fri, 29 Jan 2016 15:36:11 +0000 (16:36 +0100)]
block: Add list of all BlockDriverStates
We need this list so that bdrv_close_all() can keep track of which BDSs
are still open after having removed the BDSs from all of the BBs and
having released all monitor BDS references.
projects / qemu.git / log