aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c changed a lot between the time CVE-2007-1320 was
announced and the time the patch was applied. As a consequence it was applied
wrongly and QEMU is still vulnerable to this bug if using VNC.

aliguori [Fri, 31 Oct 2008 18:49:55 +0000 (18:49 +0000)]
Move CharDriverState code out of vl.c
The motivating goal behind this is to allow other tools to use the CharDriver
code. This patch is pure code motion except for the Makefile changes and the
copyright/header in qemu-char.c.

aliguori [Fri, 31 Oct 2008 18:44:40 +0000 (18:44 +0000)]
Move some declarations around in the QEMU CharDriver code
The goal of this series is to move the CharDriverState code out of vl.c and
into its own file, qemu-char.c. This patch moves around some declarations so
the next patch can be pure code motion.

aliguori [Fri, 31 Oct 2008 18:40:25 +0000 (18:40 +0000)]
Increase default IO timeout from 10ms to 5s
With the recent changes to the main loop, we no longer have unconditional
polling. This means we can now sleep in select() for much longer than we
previously did. This patch increases our select() sleep time from 10ms to 5s
which is effectively unlimited since we're going to wake up sooner than that
in almost all circumstances.
With this patch, I see the number of wake-ups with an idle dynamic ticks guest
drop from 80 per second to about 15 times per second.

aliguori [Fri, 31 Oct 2008 17:31:29 +0000 (17:31 +0000)]
Implement "info chardev" command. (Gerd Hoffmann)
This patch makes qemu keep track of the character devices in use and
implements an "info chardev" monitor command to print a list.
qemu_chr_open() sticks the devices into a linked list now. It got a new
argument (label), so there is a name for each device. It also assigns a
filename to each character device. By default it just copies the
filename passed in. Individual drivers can fill in something else
though. qemu_chr_open_pty() sets the filename to the name of the pseudo tty
allocated.

aliguori [Fri, 31 Oct 2008 17:28:00 +0000 (17:28 +0000)]
fix bdrv_aio_read API breakage in qcow2 (Andrea Arcangeli)
I noticed the qemu_aio_flush was doing nothing at all. And a flood of
cmd_writeb commands leading to a noop-invocation of qemu_aio_flush
were executed.
In short all 'memset;goto redo' places must be fixed to use the bh and
not to call the callback in the context of bdrv_aio_read or the
bdrv_aio_read model falls apart. Reading from qcow2 holes is possible
with physical readahead (kind of breada in linux buffer cache).
This is needed at least for scsi, ide is lucky (or it has been
band-aided against this API breakage by fixing the symptom and not the
real bug).
The same bug exists in qcow of course; it can be fixed later as it's less
urgent.

aliguori [Fri, 31 Oct 2008 17:25:56 +0000 (17:25 +0000)]
Make DMA bottom-half driven (v2)
The current DMA routines are driven by a call in main_loop_wait() after every
select.
This patch converts the DMA code to be driven by a constantly rescheduled
bottom half. The advantage of using a scheduled bottom half is that we can
stop scheduling the bottom half when no DMA channels are runnable. This
means we can potentially detect this case and sleep longer in the main loop.
The only two architectures implementing DMA_run() are cris and i386. For cris,
I converted it to a simple repeating bottom half. I've only compile tested
this as cris does not seem to work on a 64-bit host. It should be functionally
identical to the previous implementation so I expect it to work.
For x86, I've made sure to only fire the DMA bottom half if there is a DMA
channel that is runnable. The effect of this is that unless you're using sb16
or a floppy disk, the DMA bottom half never fires.
You probably should test this, malc. My own benchmarks actually show a slight
improvement, but it's possible the change in timing could affect your demos.
Since v1, I've changed the code to use a BH instead of a timer. cris at least
seems to depend on faster than 10ms polling.

aliguori [Fri, 31 Oct 2008 17:24:21 +0000 (17:24 +0000)]
Make bottom halves more robust
Bottom halves are supposed to not complete until the next iteration of the main
loop. This is very important to ensure that guests cannot cause stack
overflows in the block driver code. Right now, if you attempt to schedule a
bottom half within a bottom half callback, you will enter an infinite loop.
This patch uses the same logic that we use for the IOHandler loop to make the
bottom half processing robust in list manipulation while in a callback.
This patch also introduces idle scheduling for bottom halves. qemu_bh_poll()
returns an indication of whether any bottom halves were successfully executed.
qemu_aio_wait() uses this to immediately return if a bottom half was executed
instead of waiting for a completion notification.
qemu_bh_schedule_idle() works around this by not reporting the callback has
run in the qemu_bh_poll loop. qemu_aio_wait() probably needs some refactoring
but that would require a larger code audit. Idle scheduling seems like a good
compromise.
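
The two commit messages above, the bottom-half-driven DMA and the robust bottom-half loop, describe one mechanism. The C program below is an added illustration written for this page; it is not QEMU's qemu_bh_* or DMA_run() code. It shows (1) a poll pass that clears the scheduled flag and captures the next pointer before invoking each callback, so a callback that schedules its own bottom half again runs on the next main-loop iteration instead of looping forever inside one poll, and that unlinks deleted entries only after the pass; and (2) a DMA bottom half that reschedules itself only while some channel still has work, so it goes quiet and lets the main loop sleep once no channel is runnable. The names (bh_new, bh_poll, dma_run, ...), the two-channel one-unit-per-pass DMA model and the counting helpers are all assumptions; idle scheduling is not modelled.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added illustration, not QEMU's code: a minimal bottom-half (BH) scheduler
 * modelled on the behaviour the two commit messages above describe. */
typedef struct BH {
    void (*cb)(void *opaque);
    void *opaque;
    bool scheduled;    /* run on the next poll pass */
    bool deleted;      /* unlink and free after the current pass */
    struct BH *next;
} BH;
static BH *bh_list;    /* every registered BH; new ones are prepended */

BH *bh_new(void (*cb)(void *), void *opaque)
{
    BH *bh = calloc(1, sizeof(*bh));
    bh->cb = cb; bh->opaque = opaque;
    bh->next = bh_list; bh_list = bh;
    return bh;
}
void bh_schedule(BH *bh) { bh->scheduled = true; }
void bh_delete(BH *bh)   { bh->scheduled = false; bh->deleted = true; }

/* One pass, once per main-loop iteration. 'scheduled' is cleared and 'next' is
 * captured before the callback runs, so a callback that reschedules its own BH
 * (or creates/deletes others) cannot make this pass loop forever: the BH is
 * simply picked up again on the next iteration. Deleted nodes are unlinked only
 * after the pass, so 'next' stays valid. Returns true if any BH ran. */
bool bh_poll(void)
{
    bool ret = false;
    for (BH *bh = bh_list, *next; bh; bh = next) {
        next = bh->next;
        if (!bh->scheduled)
            continue;
        bh->scheduled = false;
        ret = true;
        bh->cb(bh->opaque);
    }
    for (BH **pp = &bh_list; *pp; ) {          /* reap deleted BHs */
        BH *b = *pp;
        if (b->deleted) { *pp = b->next; free(b); } else pp = &b->next;
    }
    return ret;
}

/* A BH that reschedules itself from its own callback runs exactly once per
 * bh_poll(), instead of looping forever inside a single poll. */
static int self_runs;
static BH *self_bh;
static void self_cb(void *o) { (void)o; self_runs++; bh_schedule(self_bh); }
int count_self_resched_runs(int polls)
{
    self_runs = 0;
    self_bh = bh_new(self_cb, NULL);
    bh_schedule(self_bh);
    while (polls-- > 0)
        bh_poll();
    bh_delete(self_bh);
    bh_poll();                                 /* final pass only reaps it */
    return self_runs;
}

/* DMA driven by a constantly rescheduled BH. Assumed model: each pass moves one
 * unit on every channel with work left; the BH reschedules itself only while a
 * channel is still runnable, otherwise it goes quiet and the main loop may sleep
 * for its full timeout instead of polling DMA after every select(). */
typedef struct { int remaining; } DMAChannel;
static DMAChannel dma_channels[2];
static BH *dma_bh;

static void dma_run(void *o)
{
    DMAChannel *ch = o;
    bool runnable = false;
    for (int i = 0; i < 2; i++)
        if (ch[i].remaining > 0 && --ch[i].remaining > 0)
            runnable = true;
    if (runnable)
        bh_schedule(dma_bh);                   /* more work: fire again next iteration */
}

/* Program both channels, then count main-loop iterations in which a BH ran
 * before the DMA BH stopped rescheduling itself. */
int dma_polls_until_idle(int units0, int units1)
{
    int polls = 0;
    dma_bh = bh_new(dma_run, dma_channels);
    dma_channels[0].remaining = units0;
    dma_channels[1].remaining = units1;
    bh_schedule(dma_bh);                       /* what a device model does on channel start */
    while (bh_poll())
        polls++;
    bh_delete(dma_bh);
    bh_poll();
    return polls;
}
```

With channels programmed for 3 and 1 units, the DMA bottom half fires on three consecutive main-loop iterations and then stops rescheduling itself; a self-rescheduling bottom half runs once per bh_poll() call rather than hanging the first call.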

aliguori [Wed, 29 Oct 2008 14:16:31 +0000 (14:16 +0000)]
Fix restore of older snapshots for target-i386 on big endian hosts
A target_ulong may be 64-bit. Passing it to a function expecting a 32-bit
pointer is wrong and unfortunately happens to work for x86. It won't work on
big endian hosts though. Change the code to work properly on all hosts.

aliguori [Fri, 24 Oct 2008 21:55:17 +0000 (21:55 +0000)]
Live migration for Win32 (Hervé Poussineau)
This patch fixes migration so that it works on Win32. This requires using
socket specific calls since sockets cannot be treated like file descriptors
on win32.

aliguori [Fri, 24 Oct 2008 14:11:41 +0000 (14:11 +0000)]
Fix windows build after migration changes
The live migration code broke the windows build. As part of this
change, I've switched the BIOS path to C:\Program Files\Qemu instead of
/c/Program Files/Qemu. The latter is only valid when launching from MSYS
but the former is always valid.

aurel32 [Fri, 24 Oct 2008 13:12:42 +0000 (13:12 +0000)]
hw/pc: don't register the memory hole as unassigned twice
Since revision 5228, we don't register the memory hole (0xa00000 to
0xfffff) anymore. As a consequence, we don't need to register it again
as unassigned.

pbrook [Wed, 22 Oct 2008 15:11:31 +0000 (15:11 +0000)]
* Use function pointers for symbol lookup (currently for elf32 and elf64,
could be expanded). This also fixes the bug with mips elf64 symbols
in current Qemu trunk.
* Use quicksort and binary search for symbol lookup.
* Remove unneeded entries from symbol table. This reduced a typical table
size (linux mips kernel) from 1764487 to 11656 entries.
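
The symbol-table change above lends itself to a short illustration. The C code below is an added example written for this page, not the pbrook patch or QEMU's own ELF loader. It prunes entries that cannot answer an address lookup (assumed criterion: unnamed or zero-sized symbols), sorts the remainder once with qsort(), and answers each lookup with a binary search for the last symbol starting at or below the address, followed by a range check. The Sym/SymTable types, the function names and the constructed sample table are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not QEMU's own symbol code. Assumed symbol record; a
 * real loader would fill it from an ELF .symtab (32- or 64-bit). */
typedef struct {
    uint64_t addr;
    uint64_t size;
    const char *name;
} Sym;

typedef struct {
    Sym *syms;
    size_t count;
} SymTable;

static int sym_cmp(const void *a, const void *b)
{
    const Sym *x = a, *y = b;
    return (x->addr > y->addr) - (x->addr < y->addr);
}

/* Keep only entries that can answer an address lookup (assumed criterion:
 * a name and a non-zero size), then sort once by address so that every later
 * lookup is a binary search instead of a linear scan. */
size_t symtable_build(SymTable *t, const Sym *in, size_t n)
{
    t->syms = calloc(n ? n : 1, sizeof(Sym));
    t->count = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i].name && in[i].name[0] && in[i].size)
            t->syms[t->count++] = in[i];
    qsort(t->syms, t->count, sizeof(Sym), sym_cmp);
    return t->count;
}

/* Find the symbol whose [addr, addr+size) range contains pc: binary search for
 * the last symbol starting at or below pc, then check that pc is inside it. */
const char *symtable_lookup(const SymTable *t, uint64_t pc)
{
    size_t lo = 0, hi = t->count;   /* invariant: syms[lo-1].addr <= pc < syms[hi].addr */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (t->syms[mid].addr <= pc)
            lo = mid + 1;
        else
            hi = mid;
    }
    if (lo == 0)
        return NULL;                /* pc below the lowest symbol */
    const Sym *s = &t->syms[lo - 1];
    return pc < s->addr + s->size ? s->name : NULL;
}

void symtable_free(SymTable *t) { free(t->syms); t->syms = NULL; t->count = 0; }

/* Constructed input: a few function symbols plus the kinds of entries that
 * carry no address range (section markers, undefined/zero-sized symbols). */
static const Sym sample_syms[] = {
    { 0x80001000, 0x40, "start_kernel" },
    { 0x80000800, 0x00, "" },               /* unnamed, sizeless: dropped */
    { 0x80002000, 0x10, "do_irq" },
    { 0x80000000, 0x00, "_text" },          /* zero size: dropped */
    { 0x80001040, 0x80, "setup_arch" },
};
#define SAMPLE_N (sizeof sample_syms / sizeof sample_syms[0])

/* Name of the symbol containing pc in the sample table, or "?" if none. */
const char *sample_lookup(uint64_t pc)
{
    SymTable t;
    symtable_build(&t, sample_syms, SAMPLE_N);
    const char *name = symtable_lookup(&t, pc);   /* points at a string literal */
    symtable_free(&t);
    return name ? name : "?";
}

/* Number of entries that survive pruning in the sample table. */
size_t sample_count(void)
{
    SymTable t;
    size_t n = symtable_build(&t, sample_syms, SAMPLE_N);
    symtable_free(&t);
    return n;
}
```

The range check after the search matters: an address in the gap between setup_arch and do_irq, or at the exclusive end of a symbol, must not be attributed to the preceding symbol.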

aliguori [Tue, 21 Oct 2008 16:27:28 +0000 (16:27 +0000)]
Fix broken USB support for Linux host (Bjorn Danielsson)
Make "host:" usb devices work again on systems that have the
file /proc/bus/usb/devices. This was broken in r5441 due to
incorrect logic for the USB_FS_SYS case in usb_host_scan().

bellard [Fri, 17 Oct 2008 17:28:58 +0000 (17:28 +0000)]
allow SLIRP to make an ARP request to get the client MAC address. It is useful if an inbound connection is done to a VM which did not send outbound IP packets.

aurel32 [Fri, 17 Oct 2008 08:08:56 +0000 (08:08 +0000)]
scsi-generic: correct error management
This patch allows fully using a tape device connected to qemu through
the scsi-generic interface.
The previous patch introduced tape SCSI command management; this one
improves error case management:
- the SCSI controller command completion must be called with the status
value, not the sense value. In the case of scsi-generic, the SCSI status
is given by the status field of sg_io_hdr_t (the value is left shifted
by one with respect to the status codes defined in /usr/include/scsi/scsi.h)
- when a read is aborted due to a mark/EOF/EOD/EOM, the len reported to the
controller can be 0. The LSI controller emulation doesn't know how to manage
this. A workaround found is to call the completion routine with
SCSI_REASON_DONE just after calling it with SCSI_REASON_DATA with len=0.
This patch also correctly manages the block size of the tape device.
This patch has been tested with a real tape device "HP C5683A", a linux
guest (debian etch) and tools like "mt", "tar" and "btape".
Windows guest is not better supported than before...

aurel32 [Fri, 17 Oct 2008 08:08:48 +0000 (08:08 +0000)]
i386/SVM: return amount of ASIDs
With SVM the TLB supports tagging to distinguish TLB entries from
different virtual CPUs. This tag is called an ASID. The number of ASIDs is
given in EBX of the SVM CPUID leaf. Currently we return 0, which might
break hypervisors. Let's better return something >0 here, say 0x10.
Since we're flushing the complete TLB on every VM entry and exit we're not
making use of the ASID information anyway.