qga: Use return values instead of error_is_set(errp)
Using error_is_set(errp) to check whether a function call failed is
fragile: it breaks when errp is null. ga_get_fd_handle() and
guest_file_handle_add() don't return a useful value when they fail,
but that's just stupid. Fix that, and check them instead. As far
as I can tell, errp can't be null there, but this is more robust and
more obviously correct.
Among the callers, only assigned_initfn() should set the monitor's stored
error. Other callers may run in contexts where the monitor's stored error
makes no sense. For example:
Also, change the return type to "void"; the function is static (with a
sole caller) and the negative errno values are not distinguished from each
other.
pci-assign: propagate errors from assigned_dev_register_msix_mmio()
The return type is also changed from "int" to "void", because it was used
in a success vs. failure sense only (the caller didn't distinguish error
codes from each other, and even assigned_dev_register_msix_mmio() masked
mmap()'s errno values with a common -EFAULT).
pci-assign: accept Error from pci_add_capability2()
Propagate any errors while adding PCI capabilities to
assigned_device_pci_cap_init(). We'll continue the propagation upwards
when assigned_device_pci_cap_init() becomes a leaf itself (when none of
its callees will report errors internally any longer when detecting and
returning them).
pci-assign: propagate Error from check_irqchip_in_kernel()
Rename check_irqchip_in_kernel() to verify_irqchip_in_kernel(), so that
the name reflects our expectation better. Rather than returning a bool,
make it do nothing or set an Error.
get_real_id() has two thin wrappers (and no other callers),
get_real_vendor_id() and get_real_device_id(); it's easiest to convert
them in one fell swoop.
pci-assign: accept Error from monitor_handle_fd_param2()
Propagate any errors in monitor fd handling up to get_real_device(), and
report them there. We'll continue the propagation upwards when
get_real_device() becomes a leaf itself (when none of its callees will
report errors internally any longer when detecting and returning an
error).
and rebase monitor_handle_fd_param() to it. (Note that this will slightly
change the behavior when the qemu_parse_fd() branch is selected and it
fails: we now report (and in case of QMP, set) the error immediately,
rather than allowing the caller to set its own error message (if any)).
qemu_parse_fd() used to handle at least the following strings incorrectly:
o "-2": simply let through
o "2147483648": returned as LONG_MAX==INT_MAX on ILP32 (with ERANGE
ignored); implementation-defined behavior on LP64
Amos Kong [Mon, 28 Apr 2014 05:53:49 +0000 (13:53 +0800)]
qapi: treat all negative return of strtosz_suffix() as error
strtosz_suffix() might return negative error, this patch fixes
the error handling.
This patch also changes to handle error in the if statement
rather than handle success specially, this will make this use
of strtosz_suffix consistent with all other uses.
Only notify spice-server about migration events in case we got
target host information beforehand. So we kick the seamless spice
client migration only in case a actual live migration happens, not
when libvirt uses live-migration-to-file for snapshotting.
In case no listening address was specified, "info spice" reports
"0.0.0.0" as address. Which is incorrect in case spice is listening
on ipv6. Replace it by a wildcard "*" to indicate it is not limited
to a specific address.
Note: Being more specific is not possible without extending the
spice-server api. The socket is handled by spice-server not
qemu, so qemu can't easily figure the actual socket address.
Peter Maydell [Wed, 7 May 2014 17:38:39 +0000 (18:38 +0100)]
Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-05-07' into staging
trivial patches for 2014-05-07
# gpg: Signature made Wed 07 May 2014 18:01:15 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <[email protected]>"
# gpg: aka "Michael Tokarev <[email protected]>"
# gpg: aka "Michael Tokarev <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB
* remotes/mjt/tags/trivial-patches-2014-05-07: (21 commits)
libcacard: remove unnecessary EOL from debug prints
docs/memory.txt: Fix document on MMIO operations
readline: Sort completions before printing them.
readline: use g_strndup instead of open-coding it
qmp: report path ambiguity error
libcacard: replace pstrcpy() with memcpy()
glib: move g_poll() replacement into glib-compat.h
do not call g_thread_init() for glib >= 2.31
hw/9pfs: Add include file for exported symbol
xen: remove unused global, xen_xcg
hw: Add missing 'static' attributes
qemu-timer: Add missing 'static' attribute
ui: Add missing 'static' attribute
monitor: Add missing 'static' attribute
hw/s390x: Add missing 'static' attribute
hw/mips: Add missing 'static' and 'const' attributes
hw/9pfs: Add missing 'static' attributes
arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()
tests/tcg: Fix compilation of test_path
qga: Fix typo (plural) in comment
...
Peter Maydell [Wed, 7 May 2014 17:12:14 +0000 (18:12 +0100)]
Merge remote-tracking branch 'remotes/sstabellini/xen-140507-2' into staging
* remotes/sstabellini/xen-140507-2:
xen_disk: add discard support
pass an inclusive address range to xc_domain_pin_memory_cacheattr
xen: factor out common functions
xen: move Xen HVM files under hw/i386/xen
xen: move Xen PV machine files to hw/xenpv
qemu-xen: free all the pirqs for msi/msix when driver unload
exec: Limit translation limiting in address_space_translate to xen
Michael Tokarev [Fri, 2 May 2014 14:35:59 +0000 (18:35 +0400)]
libcacard: replace pstrcpy() with memcpy()
Commit 2e679780ae86c6ca8 replaced strncpy() with pstrcpy()
in one place in libcacard. This is a qemu-specific function,
while libcacard is a stand-alone library (or tries to be).
But since we know the exact length of the string to copy,
and know that it definitely will fit in the destination
buffer, use memcpy() instead, and null-terminate the string
after that.
An alternative is to use g_strlcpy() or strncpy(), but memcpy()
is more than adequate in this place.
Michael Tokarev [Fri, 2 May 2014 14:35:55 +0000 (18:35 +0400)]
do not call g_thread_init() for glib >= 2.31
glib >= 2.31 always enables thread support and g_thread_supported()
is #defined to 1, there's no need to call g_thread_init() anymore,
and it definitely does not need to report error which never happens.
Keep code for old < 2.31 glibc anyway for now, just #ifdef it
differently.
Chen Gang [Thu, 1 May 2014 13:28:11 +0000 (21:28 +0800)]
arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()
When DPRINTF() has effect, the original author wants to print all
ram_load() calling results. So need use 'goto' instead of 'return'
within ram_load(), just like other areas have done.
Peter Maydell [Tue, 29 Apr 2014 11:09:24 +0000 (12:09 +0100)]
tests/tcg: Fix compilation of test_path
The test_path binary is (unlike the other test binaries in tests/tcg)
actually intended to be compiled with the same compiler used to build
the main QEMU executables. It actually #includes a number of the
QEMU source files in an attempt to unit-test the util/path.c functions,
and so if it is not compiled with the same compiler used by configure
to set CONFIG_ settings then it is liable to fail to build.
Fix the makefile to build it with the default C compiler rules, not
CC_I386, and fix the test itself not to include a lot of unnecessary
trace related source files which cause the build to fail if the trace
backend is anything other than 'simple'.
Michael Tokarev [Fri, 2 May 2014 11:36:39 +0000 (15:36 +0400)]
configure: remove bashism
Commit e26110cfc67d48 added a check for shacmd to create a hash
for modules. This check in configure is using bash construct &>
to redirect both stdout and stderr, which does fun things on some
shells. Get rid of it, use standard redirection instead.
Olaf Hering [Wed, 7 May 2014 13:40:04 +0000 (13:40 +0000)]
xen_disk: add discard support
Implement discard support for xen_disk. It makes use of the existing
discard code in qemu.
The discard support is enabled unconditionally. The tool stack may
provide a property "discard-enable" in the backend node to optionally
disable discard support. This is helpful in case the backing file was
intentionally created non-sparse to avoid fragmentation.
Peter Maydell [Wed, 7 May 2014 16:16:03 +0000 (17:16 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
pc,net,MAINTAINERS,build updates
MAINTAINERS updated with link to the security process documentation
apic version modified to make more guests happy
On top of that, bugfixes all over the place
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Wed 07 May 2014 17:15:29 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>"
# gpg: aka "Michael S. Tsirkin <[email protected]>"
* remotes/mst/tags/for_upstream:
configure: make source tree build more robust
MAINTAINERS: addresses for responsible disclosure
pm_smbus: correctly report unclaimed cycles
smbus: return -1 if nothing found at the given address
smbus: allow returning an error from reads
apic: use emulated lapic version 0x14 on pc machines >= 2.1
pc: add compat_props placeholder for 2.0 machine type
i8259: don't abort when trying to use level sensitive irqs
acpi: fix tables for no-hpet configuration
acpi-build: properly decrement objects' reference counters
acpi/pcihp.c: Rewrite acpi_pcihp_get_bsel using object_property_get_int
When source directory can be arrived at by two paths,
configure might misdetect an out of tree build.
The simplest way to trigger the problem is running
configure using a full path. E.g. (<firstpath> refers to qemu source
tree):
ln -s <firstpath> <secondpath>
cd <firstpath>
<secondpath>/configure
A more practical way is when make runs configure automatically:
1. cd <firstpath>/; ./configure
SRC_PATH=<firstpath>/ is written into config_host.mak
2. cd <secondpath>/; touch configure; make
make now runs <firstpath>/configure, so configure
assumes it's an out of tree build
When this happens configure overwrites parts of
the current tree with symlinks.
Make the test more robust: look for configure
in the current directory.
If there - we know it's a source build!
Adding addresses to MAINTAINERS, as agreed on the last conference call:
http://wiki.qemu.org/SecurityProcess
People sometimes detect security issues in upstream
QEMU and don't know where to report them in a non-public way.
Of course whoever just wants full disclosure can just go public,
but there's nothing specified for non-public - until recently Anthony
was doing this informally.
As I started doing this recently anyway, I can handle this on the QEMU side
in a more formal way.
Adding a secalert mailing list as well - they are the ones who is actually
opening CVEs, communicating issues to all downstreams etc,
and they are already handling this for upstream, not just Red Hat.
Keeping Anthony's address around in case he wants to be informed.
Peter Maydell said that he prefers not to be on this contact list at
this point.
A public mailing list has been created - not listing it here yet -
until we know how to set it up in a secure fashion and
until there are more people so manually copying everyone
becomes unwieldy for reporters.
Zhenzhong Duan [Wed, 7 May 2014 13:41:48 +0000 (13:41 +0000)]
qemu-xen: free all the pirqs for msi/msix when driver unload
Pirqs are not freed when driver unload, then new pirqs are allocated when
driver reload. This could exhaust pirqs if do it in a loop.
This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in
msi/msix control reg.
There is also other way of fixing it such as reuse pirqs between driver reload,
but this way is better.
Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2
exec: Limit translation limiting in address_space_translate to xen
The address_space_translate() function cuts the returned plen (page size)
to hardcoded TARGET_PAGE_SIZE. This function can be used on pages bigger
than that so this limiting should not be used on such pages.
Since originally the limiting was introduced for XEN, we can safely
limit this piece of code to XEN. So does the patch.
apic: use emulated lapic version 0x14 on pc machines >= 2.1
Add "version" property to local apic, and have it default to
0x14 for pc machines starting at 2.1. For compatibility with
previous releases, pc machines up to 2.0 will have their local
apic version set to 0x11.
i8259: don't abort when trying to use level sensitive irqs
This is a guest-triggerable error, as seen when using Xenix 2.3.4.
Replace hw_error by LOG_UNIMPL, so that guests can continue.
With this patch, I can install and use Xenix 2.3.4a without any problem.
I can also start installation of Xenix 2.3.4q, but it fails due to not
finding an hard disk.
Peter Maydell [Wed, 7 May 2014 15:06:38 +0000 (16:06 +0100)]
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140507' into staging
Some improvements for s390.
Two patches deal with address translation, one fixes a problem in the
channel subsystem code.
# gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found
* remotes/cohuck/tags/s390x-20140507:
s390x/css: Don't save orb in subchannel.
s390x/helper: Added format control bit to MMU translation
s390x/helper: Fixed real-to-absolute address translation
# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found
* remotes/juanquintela/tags/migration/20140505: (36 commits)
migration: expose xbzrle cache miss rate
migration: expose the bitmap_sync_count to the end
migration: Add counts of updating the dirty bitmap
XBZRLE: Fix one XBZRLE corruption issues
migration: remove duplicate code
Coverity: Fix failure path for qemu_accept in migration
Init the XBZRLE.lock in ram_mig_init
Provide init function for ram migration
Count used RAMBlock pages for migration_dirty_pages
Make qemu_peek_buffer loop until it gets it's data
Disallow outward migration while awaiting incoming migration
virtio: validate config_len on load
virtio-net: out-of-bounds buffer write on load
openpic: avoid buffer overrun on incoming migration
ssi-sd: fix buffer overrun on invalid state load
savevm: Ignore minimum_version_id_old if there is no load_state_old
usb: sanity check setup_index+setup_len in post_load
vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
virtio-scsi: fix buffer overrun on invalid state load
zaurus: fix buffer overrun on invalid state load
...
Peter Maydell [Wed, 7 May 2014 12:47:25 +0000 (13:47 +0100)]
Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging
QOM/QTest infrastructure fixes and device conversions
* -device / device_add assertion fix
* QEMUMachine conversion to MachineClass
* Device error handling improvements
* QTest cleanups and test cases for some more PCI devices
* PortIO memory leak fixes
# gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <[email protected]>"
# gpg: aka "Andreas Färber <[email protected]>"
* remotes/afaerber/tags/qom-devices-for-peter:
PortioList: Store PortioList in device state
tests: Add EHCI qtest
tests: Add ioh3420 qtest
tests: Add intel-hda qtests
tests: Add es1370 qtest
tests: Add ac97 qtest
qtest: Be paranoid about accept() addrlen argument
qtest: Add error reporting to socket_accept()
qtest: Assure that init_socket()'s listen() does not fail
MAINTAINERS: Document QOM
arm: Clean up fragile use of error_is_set() in realize() methods
qom: Clean up fragile use of error_is_set() in set() methods
hw: Consistently name Error ** objects errp, and not err
hw: Consistently name Error * objects err, and not errp
machine: Remove QEMUMachine indirection from MachineClass
machine: Replace QEMUMachine by MachineClass in accelerator configuration
vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs
machine: Copy QEMUMachine's fields to MachineClass
machine: Remove obsoleted field from QEMUMachine
qdev: Fix crash by validating the object type
acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled. If no tables follow hpet, this could lead to a malformed
rsdt.
Fix it up.
To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.
acpi/pcihp.c: Rewrite acpi_pcihp_get_bsel using object_property_get_int
acpi_pcihp_get_bsel implements functionality of object_property_get_int for
specific property named ACPI_PCIHP_PROP_BSEL, but fails to decrement object's
reference counter properly. Rewriting it using generic object_property_get_int
serves two purposes: reducing code duplication and fixing memory leak.
Cornelia Huck [Tue, 11 Feb 2014 15:23:32 +0000 (16:23 +0100)]
s390x/css: Don't save orb in subchannel.
Current css code saves the operation request block (orb) in the
subchannel structure for later consumption by the start function
handler. This might make sense for asynchronous execution of the
start function (which qemu doesn't support), but not in our case;
it would even be wrong since orb contains a reference to a local
variable in the base ssch handler.
Let's just pass the orb through the start function call chain for
ssch; for rsch, we can pass NULL as the backend function does not
use any information passed via the orb there.
Thomas Huth [Fri, 25 Apr 2014 13:37:19 +0000 (15:37 +0200)]
s390x/helper: Added format control bit to MMU translation
With the EDAT-1 facility, the MMU translation can stop at the
segment table already, pointing to a 1 MB block. And while we're
at it, move the page table entry handling to a separate function,
too, as suggested by Alexander Graf.
The real-to-absolute address translation in mmu_translate() was
missing the second part for translating the page at the prefix
address back to the 0 page. And while we're at it, also moved the
code into a separate helper function since this might come in
handy for other parts of the code, too.
Peter Maydell [Tue, 6 May 2014 11:23:05 +0000 (12:23 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-smbios-2' into staging
smbios: make qemu generate smbios tables.
# gpg: Signature made Mon 05 May 2014 12:20:27 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>"
# gpg: aka "Gerd Hoffmann <[email protected]>"
# gpg: aka "Gerd Hoffmann (private) <[email protected]>"
* remotes/kraxel/tags/pull-smbios-2:
SMBIOS: Build aggregate smbios tables and entry point
SMBIOS: Use bitmaps to prevent incompatible comand line options
SMBIOS: Use macro to set smbios defaults
SMBIOS: Update header file definitions
SMBIOS: Rename symbols to better reflect future use
E820: Add interface for accessing e820 table
pc: add 2.1 machine type
Peter Maydell [Tue, 6 May 2014 09:56:38 +0000 (10:56 +0100)]
Merge remote-tracking branch 'remotes/riku/linux-user-for-upstream' into staging
* remotes/riku/linux-user-for-upstream:
linux-user: fix getrusage and wait4 failures with invalid rusage struct
linux-user/elfload.c: Support ARM HWCAP2 flags
linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32
linux-user/elfload.c: Update ARM HWCAP bits
linux-user/elfload.c: Fix incorrect ARM HWCAP bits
linux-user: remove configure option for setting uname release
linux-user: move uname functions to uname.c
linux-user: rename cpu-uname -> uname
linux-user/signal.c: Set fault address in AArch64 signal info
linux-user: avoid using glibc internals in _syscall5 and in definition of target_sigevent struct
linux-user: Handle arches with llseek instead of _llseek
linux-user: Add support for SCM_CREDENTIALS.
linux-user: Move if-elses to a switch statement.
linux-user: Assert stack used for auxvec, envp, argv
linux-user: Add /proc/self/exe open forwarding
The page may not be inserted into cache after executing save_xbzrle_page.
In case of failure to insert, the original page should be sent rather
than the page in the cache.
Count used RAMBlock pages for migration_dirty_pages
This is a fix for a bug* triggered by a migration after hot unplugging
a few virtio-net NICs, that caused migration never to converge, because
'migration_dirty_pages' is incorrectly initialised.
'migration_dirty_pages' is used as a tally of the number of outstanding
dirty pages, to give the migration code an idea of how much more data
will need to be transferred, and thus whether it can end the iterative
phase.
It was initialised to the total size of the RAMBlock address space,
however hotunplug can leave this space sparse, and hence
migration_dirty_pages ended up too large.
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
(* https://bugzilla.redhat.com/show_bug.cgi?id=1074913 )
Make qemu_peek_buffer loop until it gets it's data
Make qemu_peek_buffer repeatedly call fill_buffer until it gets
all the data it requires, or until there is an error.
At the moment, qemu_peek_buffer will try one qemu_fill_buffer if there
isn't enough data waiting, however the kernel is entitled to return
just a few bytes, and still leave qemu_peek_buffer with less bytes
than it needed. I've seen this fail in a dev world, and I think it
could theoretically fail in the peeking of the subsection headers in
the current world.
Comment qemu_peek_byte to point out it's not guaranteed to work for
non-continuous peeks
Disallow outward migration while awaiting incoming migration
QEMU will assert if you attempt to start an outgoing migration on
a QEMU that's sitting waiting for an incoming migration (started
with -incoming), so disallow it with a proper error.
(This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1086987 )
Michael Roth [Mon, 28 Apr 2014 13:08:17 +0000 (16:08 +0300)]
openpic: avoid buffer overrun on incoming migration
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Peter Maydell [Thu, 3 Apr 2014 16:52:28 +0000 (19:52 +0300)]
savevm: Ignore minimum_version_id_old if there is no load_state_old
At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.
Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.
usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
projects / qemu.git / log