aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--arm-semi.c86
-rw-r--r--block/iscsi.c86
-rwxr-xr-xconfigure6
-rw-r--r--hmp.c2
-rw-r--r--hw/pc_sysfw.c3
-rw-r--r--hw/qdev-properties.c1
-rw-r--r--hw/qxl-logger.c51
-rw-r--r--hw/qxl-render.c14
-rw-r--r--hw/qxl.c145
-rw-r--r--hw/qxl.h6
-rw-r--r--hw/scsi-bus.c100
-rw-r--r--hw/scsi-defs.h1
-rw-r--r--hw/scsi-disk.c66
-rw-r--r--linux-user/syscall.c46
-rw-r--r--qapi-schema.json27
-rw-r--r--qemu-timer.c34
-rw-r--r--qom/container.c2
-rw-r--r--target-mips/op_helper.c6
-rw-r--r--ui/spice-core.c7
19 files changed, 473 insertions, 216 deletions
diff --git a/arm-semi.c b/arm-semi.c
index 8debd19..88ca9bb 100644
--- a/arm-semi.c
+++ b/arm-semi.c
@@ -37,26 +37,26 @@
#include "hw/arm-misc.h"
#endif
-#define SYS_OPEN 0x01
-#define SYS_CLOSE 0x02
-#define SYS_WRITEC 0x03
-#define SYS_WRITE0 0x04
-#define SYS_WRITE 0x05
-#define SYS_READ 0x06
-#define SYS_READC 0x07
-#define SYS_ISTTY 0x09
-#define SYS_SEEK 0x0a
-#define SYS_FLEN 0x0c
-#define SYS_TMPNAM 0x0d
-#define SYS_REMOVE 0x0e
-#define SYS_RENAME 0x0f
-#define SYS_CLOCK 0x10
-#define SYS_TIME 0x11
-#define SYS_SYSTEM 0x12
-#define SYS_ERRNO 0x13
-#define SYS_GET_CMDLINE 0x15
-#define SYS_HEAPINFO 0x16
-#define SYS_EXIT 0x18
+#define TARGET_SYS_OPEN 0x01
+#define TARGET_SYS_CLOSE 0x02
+#define TARGET_SYS_WRITEC 0x03
+#define TARGET_SYS_WRITE0 0x04
+#define TARGET_SYS_WRITE 0x05
+#define TARGET_SYS_READ 0x06
+#define TARGET_SYS_READC 0x07
+#define TARGET_SYS_ISTTY 0x09
+#define TARGET_SYS_SEEK 0x0a
+#define TARGET_SYS_FLEN 0x0c
+#define TARGET_SYS_TMPNAM 0x0d
+#define TARGET_SYS_REMOVE 0x0e
+#define TARGET_SYS_RENAME 0x0f
+#define TARGET_SYS_CLOCK 0x10
+#define TARGET_SYS_TIME 0x11
+#define TARGET_SYS_SYSTEM 0x12
+#define TARGET_SYS_ERRNO 0x13
+#define TARGET_SYS_GET_CMDLINE 0x15
+#define TARGET_SYS_HEAPINFO 0x16
+#define TARGET_SYS_EXIT 0x18
#ifndef O_BINARY
#define O_BINARY 0
@@ -138,11 +138,11 @@ static void arm_semi_cb(CPUARMState *env, target_ulong ret, target_ulong err)
} else {
/* Fixup syscalls that use nonstardard return conventions. */
switch (env->regs[0]) {
- case SYS_WRITE:
- case SYS_READ:
+ case TARGET_SYS_WRITE:
+ case TARGET_SYS_READ:
env->regs[0] = arm_semi_syscall_len - ret;
break;
- case SYS_SEEK:
+ case TARGET_SYS_SEEK:
env->regs[0] = 0;
break;
default:
@@ -190,7 +190,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
nr = env->regs[0];
args = env->regs[1];
switch (nr) {
- case SYS_OPEN:
+ case TARGET_SYS_OPEN:
if (!(s = lock_user_string(ARG(0))))
/* FIXME - should this error code be -TARGET_EFAULT ? */
return (uint32_t)-1;
@@ -211,14 +211,14 @@ uint32_t do_arm_semihosting(CPUARMState *env)
}
unlock_user(s, ARG(0), 0);
return ret;
- case SYS_CLOSE:
+ case TARGET_SYS_CLOSE:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "close,%x", ARG(0));
return env->regs[0];
} else {
return set_swi_errno(ts, close(ARG(0)));
}
- case SYS_WRITEC:
+ case TARGET_SYS_WRITEC:
{
char c;
@@ -233,7 +233,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return write(STDERR_FILENO, &c, 1);
}
}
- case SYS_WRITE0:
+ case TARGET_SYS_WRITE0:
if (!(s = lock_user_string(args)))
/* FIXME - should this error code be -TARGET_EFAULT ? */
return (uint32_t)-1;
@@ -246,7 +246,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
}
unlock_user(s, args, 0);
return ret;
- case SYS_WRITE:
+ case TARGET_SYS_WRITE:
len = ARG(2);
if (use_gdb_syscalls()) {
arm_semi_syscall_len = len;
@@ -262,7 +262,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return -1;
return len - ret;
}
- case SYS_READ:
+ case TARGET_SYS_READ:
len = ARG(2);
if (use_gdb_syscalls()) {
arm_semi_syscall_len = len;
@@ -280,17 +280,17 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return -1;
return len - ret;
}
- case SYS_READC:
+ case TARGET_SYS_READC:
/* XXX: Read from debug cosole. Not implemented. */
return 0;
- case SYS_ISTTY:
+ case TARGET_SYS_ISTTY:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "isatty,%x", ARG(0));
return env->regs[0];
} else {
return isatty(ARG(0));
}
- case SYS_SEEK:
+ case TARGET_SYS_SEEK:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "lseek,%x,%x,0", ARG(0), ARG(1));
return env->regs[0];
@@ -300,7 +300,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return -1;
return 0;
}
- case SYS_FLEN:
+ case TARGET_SYS_FLEN:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_flen_cb, "fstat,%x,%x",
ARG(0), env->regs[13]-64);
@@ -312,10 +312,10 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return -1;
return buf.st_size;
}
- case SYS_TMPNAM:
+ case TARGET_SYS_TMPNAM:
/* XXX: Not implemented. */
return -1;
- case SYS_REMOVE:
+ case TARGET_SYS_REMOVE:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "unlink,%s", ARG(0), (int)ARG(1)+1);
ret = env->regs[0];
@@ -327,7 +327,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
unlock_user(s, ARG(0), 0);
}
return ret;
- case SYS_RENAME:
+ case TARGET_SYS_RENAME:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "rename,%s,%s",
ARG(0), (int)ARG(1)+1, ARG(2), (int)ARG(3)+1);
@@ -347,11 +347,11 @@ uint32_t do_arm_semihosting(CPUARMState *env)
unlock_user(s, ARG(0), 0);
return ret;
}
- case SYS_CLOCK:
+ case TARGET_SYS_CLOCK:
return clock() / (CLOCKS_PER_SEC / 100);
- case SYS_TIME:
+ case TARGET_SYS_TIME:
return set_swi_errno(ts, time(NULL));
- case SYS_SYSTEM:
+ case TARGET_SYS_SYSTEM:
if (use_gdb_syscalls()) {
gdb_do_syscall(arm_semi_cb, "system,%s", ARG(0), (int)ARG(1)+1);
return env->regs[0];
@@ -363,13 +363,13 @@ uint32_t do_arm_semihosting(CPUARMState *env)
unlock_user(s, ARG(0), 0);
return ret;
}
- case SYS_ERRNO:
+ case TARGET_SYS_ERRNO:
#ifdef CONFIG_USER_ONLY
return ts->swi_errno;
#else
return syscall_err;
#endif
- case SYS_GET_CMDLINE:
+ case TARGET_SYS_GET_CMDLINE:
{
/* Build a command-line from the original argv.
*
@@ -452,7 +452,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
return status;
}
- case SYS_HEAPINFO:
+ case TARGET_SYS_HEAPINFO:
{
uint32_t *ptr;
uint32_t limit;
@@ -498,7 +498,7 @@ uint32_t do_arm_semihosting(CPUARMState *env)
#endif
return 0;
}
- case SYS_EXIT:
+ case TARGET_SYS_EXIT:
gdb_exit(env, 0);
exit(0);
default:
diff --git a/block/iscsi.c b/block/iscsi.c
index 5222726..d37c4ee 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -383,6 +383,65 @@ iscsi_aio_flush(BlockDriverState *bs,
return &acb->common;
}
+static void
+iscsi_unmap_cb(struct iscsi_context *iscsi, int status,
+ void *command_data, void *opaque)
+{
+ IscsiAIOCB *acb = opaque;
+
+ if (acb->canceled != 0) {
+ qemu_aio_release(acb);
+ scsi_free_scsi_task(acb->task);
+ acb->task = NULL;
+ return;
+ }
+
+ acb->status = 0;
+ if (status < 0) {
+ error_report("Failed to unmap data on iSCSI lun. %s",
+ iscsi_get_error(iscsi));
+ acb->status = -EIO;
+ }
+
+ iscsi_schedule_bh(iscsi_readv_writev_bh_cb, acb);
+ scsi_free_scsi_task(acb->task);
+ acb->task = NULL;
+}
+
+static BlockDriverAIOCB *
+iscsi_aio_discard(BlockDriverState *bs,
+ int64_t sector_num, int nb_sectors,
+ BlockDriverCompletionFunc *cb, void *opaque)
+{
+ IscsiLun *iscsilun = bs->opaque;
+ struct iscsi_context *iscsi = iscsilun->iscsi;
+ IscsiAIOCB *acb;
+ struct unmap_list list[1];
+
+ acb = qemu_aio_get(&iscsi_aio_pool, bs, cb, opaque);
+
+ acb->iscsilun = iscsilun;
+ acb->canceled = 0;
+
+ list[0].lba = sector_qemu2lun(sector_num, iscsilun);
+ list[0].num = nb_sectors * BDRV_SECTOR_SIZE / iscsilun->block_size;
+
+ acb->task = iscsi_unmap_task(iscsi, iscsilun->lun,
+ 0, 0, &list[0], 1,
+ iscsi_unmap_cb,
+ acb);
+ if (acb->task == NULL) {
+ error_report("iSCSI: Failed to send unmap command. %s",
+ iscsi_get_error(iscsi));
+ qemu_aio_release(acb);
+ return NULL;
+ }
+
+ iscsi_set_events(iscsilun);
+
+ return &acb->common;
+}
+
static int64_t
iscsi_getlength(BlockDriverState *bs)
{
@@ -396,11 +455,11 @@ iscsi_getlength(BlockDriverState *bs)
}
static void
-iscsi_readcapacity10_cb(struct iscsi_context *iscsi, int status,
+iscsi_readcapacity16_cb(struct iscsi_context *iscsi, int status,
void *command_data, void *opaque)
{
struct IscsiTask *itask = opaque;
- struct scsi_readcapacity10 *rc10;
+ struct scsi_readcapacity16 *rc16;
struct scsi_task *task = command_data;
if (status != 0) {
@@ -412,26 +471,25 @@ iscsi_readcapacity10_cb(struct iscsi_context *iscsi, int status,
return;
}
- rc10 = scsi_datain_unmarshall(task);
- if (rc10 == NULL) {
- error_report("iSCSI: Failed to unmarshall readcapacity10 data.");
+ rc16 = scsi_datain_unmarshall(task);
+ if (rc16 == NULL) {
+ error_report("iSCSI: Failed to unmarshall readcapacity16 data.");
itask->status = 1;
itask->complete = 1;
scsi_free_scsi_task(task);
return;
}
- itask->iscsilun->block_size = rc10->block_size;
- itask->iscsilun->num_blocks = rc10->lba;
- itask->bs->total_sectors = (uint64_t)rc10->lba *
- rc10->block_size / BDRV_SECTOR_SIZE ;
+ itask->iscsilun->block_size = rc16->block_length;
+ itask->iscsilun->num_blocks = rc16->returned_lba + 1;
+ itask->bs->total_sectors = itask->iscsilun->num_blocks *
+ itask->iscsilun->block_size / BDRV_SECTOR_SIZE ;
itask->status = 0;
itask->complete = 1;
scsi_free_scsi_task(task);
}
-
static void
iscsi_connect_cb(struct iscsi_context *iscsi, int status, void *command_data,
void *opaque)
@@ -445,10 +503,10 @@ iscsi_connect_cb(struct iscsi_context *iscsi, int status, void *command_data,
return;
}
- task = iscsi_readcapacity10_task(iscsi, itask->iscsilun->lun, 0, 0,
- iscsi_readcapacity10_cb, opaque);
+ task = iscsi_readcapacity16_task(iscsi, itask->iscsilun->lun,
+ iscsi_readcapacity16_cb, opaque);
if (task == NULL) {
- error_report("iSCSI: failed to send readcapacity command.");
+ error_report("iSCSI: failed to send readcapacity16 command.");
itask->status = 1;
itask->complete = 1;
return;
@@ -700,6 +758,8 @@ static BlockDriver bdrv_iscsi = {
.bdrv_aio_readv = iscsi_aio_readv,
.bdrv_aio_writev = iscsi_aio_writev,
.bdrv_aio_flush = iscsi_aio_flush,
+
+ .bdrv_aio_discard = iscsi_aio_discard,
};
static void iscsi_block_init(void)
diff --git a/configure b/configure
index 0111774..fd424ef 100755
--- a/configure
+++ b/configure
@@ -2546,10 +2546,13 @@ fi
##########################################
# Do we have libiscsi
+# We check for iscsi_unmap_sync() to make sure we have a
+# recent enough version of libiscsi.
if test "$libiscsi" != "no" ; then
cat > $TMPC << EOF
+#include <stdio.h>
#include <iscsi/iscsi.h>
-int main(void) { iscsi_create_context(""); return 0; }
+int main(void) { iscsi_unmap_sync(NULL,0,0,0,NULL,0); return 0; }
EOF
if compile_prog "-Werror" "-liscsi" ; then
libiscsi="yes"
@@ -2592,6 +2595,7 @@ EOF
spice_cflags=$($pkg_config --cflags spice-protocol spice-server 2>/dev/null)
spice_libs=$($pkg_config --libs spice-protocol spice-server 2>/dev/null)
if $pkg_config --atleast-version=0.8.2 spice-server >/dev/null 2>&1 && \
+ $pkg_config --atleast-version=0.8.1 spice-protocol > /dev/null 2>&1 && \
compile_prog "$spice_cflags" "$spice_libs" ; then
spice="yes"
libs_softmmu="$libs_softmmu $spice_libs"
diff --git a/hmp.c b/hmp.c
index eb96618..1f9fe0e 100644
--- a/hmp.c
+++ b/hmp.c
@@ -350,6 +350,8 @@ void hmp_info_spice(Monitor *mon)
}
monitor_printf(mon, " auth: %s\n", info->auth);
monitor_printf(mon, " compiled: %s\n", info->compiled_version);
+ monitor_printf(mon, " mouse-mode: %s\n",
+ SpiceQueryMouseMode_lookup[info->mouse_mode]);
if (!info->has_channels || info->channels == NULL) {
monitor_printf(mon, "Channels: none\n");
diff --git a/hw/pc_sysfw.c b/hw/pc_sysfw.c
index fafdf9b..f0d7c21 100644
--- a/hw/pc_sysfw.c
+++ b/hw/pc_sysfw.c
@@ -85,6 +85,9 @@ static void pc_fw_add_pflash_drv(void)
filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
opts = drive_add(IF_PFLASH, -1, filename, "readonly=on");
+
+ g_free(filename);
+
if (opts == NULL) {
return;
}
diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 98dd06a..c5545dc 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -834,6 +834,7 @@ static void set_pci_devfn(Object *obj, Visitor *v, void *opaque,
visit_type_str(v, &str, name, &local_err);
if (local_err) {
+ error_free(local_err);
return set_int32(obj, v, opaque, name, errp);
}
diff --git a/hw/qxl-logger.c b/hw/qxl-logger.c
index 367aad1..fe2878c 100644
--- a/hw/qxl-logger.c
+++ b/hw/qxl-logger.c
@@ -100,12 +100,15 @@ static const char *qxl_v2n(const char *n[], size_t l, int v)
}
#define qxl_name(_list, _value) qxl_v2n(_list, ARRAY_SIZE(_list), _value)
-static void qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
+static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
{
QXLImage *image;
QXLImageDescriptor *desc;
image = qxl_phys2virt(qxl, addr, group_id);
+ if (!image) {
+ return 1;
+ }
desc = &image->descriptor;
fprintf(stderr, " (id %" PRIx64 " type %d flags %d width %d height %d",
desc->id, desc->type, desc->flags, desc->width, desc->height);
@@ -120,6 +123,7 @@ static void qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
break;
}
fprintf(stderr, ")");
+ return 0;
}
static void qxl_log_rect(QXLRect *rect)
@@ -130,17 +134,24 @@ static void qxl_log_rect(QXLRect *rect)
rect->left, rect->top);
}
-static void qxl_log_cmd_draw_copy(PCIQXLDevice *qxl, QXLCopy *copy, int group_id)
+static int qxl_log_cmd_draw_copy(PCIQXLDevice *qxl, QXLCopy *copy,
+ int group_id)
{
+ int ret;
+
fprintf(stderr, " src %" PRIx64,
copy->src_bitmap);
- qxl_log_image(qxl, copy->src_bitmap, group_id);
+ ret = qxl_log_image(qxl, copy->src_bitmap, group_id);
+ if (ret != 0) {
+ return ret;
+ }
fprintf(stderr, " area");
qxl_log_rect(&copy->src_area);
fprintf(stderr, " rop %d", copy->rop_descriptor);
+ return 0;
}
-static void qxl_log_cmd_draw(PCIQXLDevice *qxl, QXLDrawable *draw, int group_id)
+static int qxl_log_cmd_draw(PCIQXLDevice *qxl, QXLDrawable *draw, int group_id)
{
fprintf(stderr, ": surface_id %d type %s effect %s",
draw->surface_id,
@@ -148,13 +159,14 @@ static void qxl_log_cmd_draw(PCIQXLDevice *qxl, QXLDrawable *draw, int group_id)
qxl_name(qxl_draw_effect, draw->effect));
switch (draw->type) {
case QXL_DRAW_COPY:
- qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
+ return qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
break;
}
+ return 0;
}
-static void qxl_log_cmd_draw_compat(PCIQXLDevice *qxl, QXLCompatDrawable *draw,
- int group_id)
+static int qxl_log_cmd_draw_compat(PCIQXLDevice *qxl, QXLCompatDrawable *draw,
+ int group_id)
{
fprintf(stderr, ": type %s effect %s",
qxl_name(qxl_draw_type, draw->type),
@@ -166,9 +178,10 @@ static void qxl_log_cmd_draw_compat(PCIQXLDevice *qxl, QXLCompatDrawable *draw,
}
switch (draw->type) {
case QXL_DRAW_COPY:
- qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
+ return qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
break;
}
+ return 0;
}
static void qxl_log_cmd_surface(PCIQXLDevice *qxl, QXLSurfaceCmd *cmd)
@@ -189,7 +202,7 @@ static void qxl_log_cmd_surface(PCIQXLDevice *qxl, QXLSurfaceCmd *cmd)
}
}
-void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
+int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
{
QXLCursor *cursor;
@@ -203,6 +216,9 @@ void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
cmd->u.set.visible ? "yes" : "no",
cmd->u.set.shape);
cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
+ if (!cursor) {
+ return 1;
+ }
fprintf(stderr, " type %s size %dx%d hot-spot +%d+%d"
" unique 0x%" PRIx64 " data-size %d",
qxl_name(spice_cursor_type, cursor->header.type),
@@ -214,15 +230,17 @@ void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
fprintf(stderr, " +%d+%d", cmd->u.position.x, cmd->u.position.y);
break;
}
+ return 0;
}
-void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
{
bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
void *data;
+ int ret;
if (!qxl->cmdlog) {
- return;
+ return 0;
}
fprintf(stderr, "%" PRId64 " qxl-%d/%s:", qemu_get_clock_ns(vm_clock),
qxl->id, ring);
@@ -231,12 +249,18 @@ void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
compat ? "(compat)" : "");
data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ if (!data) {
+ return 1;
+ }
switch (ext->cmd.type) {
case QXL_CMD_DRAW:
if (!compat) {
- qxl_log_cmd_draw(qxl, data, ext->group_id);
+ ret = qxl_log_cmd_draw(qxl, data, ext->group_id);
} else {
- qxl_log_cmd_draw_compat(qxl, data, ext->group_id);
+ ret = qxl_log_cmd_draw_compat(qxl, data, ext->group_id);
+ }
+ if (ret) {
+ return ret;
}
break;
case QXL_CMD_SURFACE:
@@ -247,4 +271,5 @@ void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
break;
}
fprintf(stderr, "\n");
+ return 0;
}
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
index f7f1bfd..e2e3fe2 100644
--- a/hw/qxl-render.c
+++ b/hw/qxl-render.c
@@ -228,14 +228,18 @@ fail:
/* called from spice server thread context only */
-void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
{
QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
QXLCursor *cursor;
QEMUCursor *c;
+ if (!cmd) {
+ return 1;
+ }
+
if (!qxl->ssd.ds->mouse_set || !qxl->ssd.ds->cursor_define) {
- return;
+ return 0;
}
if (qxl->debug > 1 && cmd->type != QXL_CURSOR_MOVE) {
@@ -246,9 +250,12 @@ void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
switch (cmd->type) {
case QXL_CURSOR_SET:
cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
+ if (!cursor) {
+ return 1;
+ }
if (cursor->chunk.data_size != cursor->data_size) {
fprintf(stderr, "%s: multiple chunks\n", __FUNCTION__);
- return;
+ return 1;
}
c = qxl_cursor(qxl, cursor);
if (c == NULL) {
@@ -270,4 +277,5 @@ void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
qemu_mutex_unlock(&qxl->ssd.lock);
break;
}
+ return 0;
}
diff --git a/hw/qxl.c b/hw/qxl.c
index c3540c3..6c11e70 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -27,28 +27,42 @@
#include "qxl.h"
+/*
+ * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as
+ * such can be changed by the guest, so to avoid a guest trigerrable
+ * abort we just set qxl_guest_bug and set the return to NULL. Still
+ * it may happen as a result of emulator bug as well.
+ */
#undef SPICE_RING_PROD_ITEM
-#define SPICE_RING_PROD_ITEM(r, ret) { \
+#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
typeof(r) start = r; \
typeof(r) end = r + 1; \
uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
typeof(&(r)->items[prod]) m_item = &(r)->items[prod]; \
if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \
- abort(); \
+ qxl_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
+ "! %p <= %p < %p", (uint8_t *)start, \
+ (uint8_t *)m_item, (uint8_t *)end); \
+ ret = NULL; \
+ } else { \
+ ret = &m_item->el; \
} \
- ret = &m_item->el; \
}
#undef SPICE_RING_CONS_ITEM
-#define SPICE_RING_CONS_ITEM(r, ret) { \
+#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
typeof(r) start = r; \
typeof(r) end = r + 1; \
uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
typeof(&(r)->items[cons]) m_item = &(r)->items[cons]; \
if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \
- abort(); \
+ qxl_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \
+ "! %p <= %p < %p", (uint8_t *)start, \
+ (uint8_t *)m_item, (uint8_t *)end); \
+ ret = NULL; \
+ } else { \
+ ret = &m_item->el; \
} \
- ret = &m_item->el; \
}
#undef ALIGN
@@ -343,7 +357,8 @@ static void init_qxl_ram(PCIQXLDevice *d)
SPICE_RING_INIT(&d->ram->cmd_ring);
SPICE_RING_INIT(&d->ram->cursor_ring);
SPICE_RING_INIT(&d->ram->release_ring);
- SPICE_RING_PROD_ITEM(&d->ram->release_ring, item);
+ SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
+ assert(item);
*item = 0;
qxl_ring_set_dirty(d);
}
@@ -383,14 +398,22 @@ static void qxl_ring_set_dirty(PCIQXLDevice *qxl)
* keep track of some command state, for savevm/loadvm.
* called from spice server thread context only
*/
-static void qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
{
switch (le32_to_cpu(ext->cmd.type)) {
case QXL_CMD_SURFACE:
{
QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+
+ if (!cmd) {
+ return 1;
+ }
uint32_t id = le32_to_cpu(cmd->surface_id);
- PANIC_ON(id >= NUM_SURFACES);
+
+ if (id >= NUM_SURFACES) {
+ qxl_guest_bug(qxl, "QXL_CMD_SURFACE id %d >= %d", id, NUM_SURFACES);
+ return 1;
+ }
qemu_mutex_lock(&qxl->track_lock);
if (cmd->type == QXL_SURFACE_CMD_CREATE) {
qxl->guest_surfaces.cmds[id] = ext->cmd.data;
@@ -408,6 +431,10 @@ static void qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
case QXL_CMD_CURSOR:
{
QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+
+ if (!cmd) {
+ return 1;
+ }
if (cmd->type == QXL_CURSOR_SET) {
qemu_mutex_lock(&qxl->track_lock);
qxl->guest_cursor = ext->cmd.data;
@@ -416,6 +443,7 @@ static void qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
break;
}
}
+ return 0;
}
/* spice display interface callbacks */
@@ -546,8 +574,10 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
if (SPICE_RING_IS_EMPTY(ring)) {
return false;
}
- trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));
- SPICE_RING_CONS_ITEM(ring, cmd);
+ SPICE_RING_CONS_ITEM(qxl, ring, cmd);
+ if (!cmd) {
+ return false;
+ }
ext->cmd = *cmd;
ext->group_id = MEMSLOT_GROUP_GUEST;
ext->flags = qxl->cmdflags;
@@ -559,6 +589,7 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
qxl->guest_primary.commands++;
qxl_track_command(qxl, ext);
qxl_log_command(qxl, "cmd", ext);
+ trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));
return true;
default:
return false;
@@ -617,7 +648,10 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
if (notify) {
qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
}
- SPICE_RING_PROD_ITEM(ring, item);
+ SPICE_RING_PROD_ITEM(d, ring, item);
+ if (!item) {
+ return;
+ }
*item = 0;
d->num_free_res = 0;
d->last_release = NULL;
@@ -643,7 +677,10 @@ static void interface_release_resource(QXLInstance *sin,
* pci bar 0, $command.release_info
*/
ring = &qxl->ram->release_ring;
- SPICE_RING_PROD_ITEM(ring, item);
+ SPICE_RING_PROD_ITEM(qxl, ring, item);
+ if (!item) {
+ return;
+ }
if (*item == 0) {
/* stick head into the ring */
id = ext.info->id;
@@ -682,7 +719,10 @@ static int interface_get_cursor_command(QXLInstance *sin, struct QXLCommandExt *
if (SPICE_RING_IS_EMPTY(ring)) {
return false;
}
- SPICE_RING_CONS_ITEM(ring, cmd);
+ SPICE_RING_CONS_ITEM(qxl, ring, cmd);
+ if (!cmd) {
+ return false;
+ }
ext->cmd = *cmd;
ext->group_id = MEMSLOT_GROUP_GUEST;
ext->flags = qxl->cmdflags;
@@ -728,8 +768,13 @@ static int interface_req_cursor_notification(QXLInstance *sin)
/* called from spice server thread context */
static void interface_notify_update(QXLInstance *sin, uint32_t update_id)
{
- fprintf(stderr, "%s: abort()\n", __FUNCTION__);
- abort();
+ /*
+ * Called by spice-server as a result of a QXL_CMD_UPDATE which is not in
+ * use by xf86-video-qxl and is defined out in the qxl windows driver.
+ * Probably was at some earlier version that is prior to git start (2009),
+ * and is still guest trigerrable.
+ */
+ fprintf(stderr, "%s: deprecated\n", __func__);
}
/* called from spice server thread context only */
@@ -764,8 +809,8 @@ static void interface_async_complete_io(PCIQXLDevice *qxl, QXLCookie *cookie)
}
if (cookie && current_async != cookie->io) {
fprintf(stderr,
- "qxl: %s: error: current_async = %d != %" PRId64 " = cookie->io\n",
- __func__, current_async, cookie->io);
+ "qxl: %s: error: current_async = %d != %"
+ PRId64 " = cookie->io\n", __func__, current_async, cookie->io);
}
switch (current_async) {
case QXL_IO_MEMSLOT_ADD_ASYNC:
@@ -993,8 +1038,8 @@ static const MemoryRegionPortio qxl_vga_portio_list[] = {
PORTIO_END_OF_LIST(),
};
-static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
- qxl_async_io async)
+static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
+ qxl_async_io async)
{
static const int regions[] = {
QXL_RAM_RANGE_INDEX,
@@ -1015,8 +1060,16 @@ static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end);
- PANIC_ON(slot_id >= NUM_MEMSLOTS);
- PANIC_ON(guest_start > guest_end);
+ if (slot_id >= NUM_MEMSLOTS) {
+ qxl_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__,
+ slot_id, NUM_MEMSLOTS);
+ return 1;
+ }
+ if (guest_start > guest_end) {
+ qxl_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64
+ " > 0x%" PRIx64, __func__, guest_start, guest_end);
+ return 1;
+ }
for (i = 0; i < ARRAY_SIZE(regions); i++) {
pci_region = regions[i];
@@ -1037,7 +1090,10 @@ static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
/* passed */
break;
}
- PANIC_ON(i == ARRAY_SIZE(regions)); /* finished loop without match */
+ if (i == ARRAY_SIZE(regions)) {
+ qxl_guest_bug(d, "%s: finished loop without match", __func__);
+ return 1;
+ }
switch (pci_region) {
case QXL_RAM_RANGE_INDEX:
@@ -1049,7 +1105,8 @@ static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
break;
default:
/* should not happen */
- abort();
+ qxl_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
+ return 1;
}
memslot.slot_id = slot_id;
@@ -1065,6 +1122,7 @@ static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
d->guest_slots[slot_id].size = memslot.virt_end - memslot.virt_start;
d->guest_slots[slot_id].delta = delta;
d->guest_slots[slot_id].active = 1;
+ return 0;
}
static void qxl_del_memslot(PCIQXLDevice *d, uint32_t slot_id)
@@ -1097,15 +1155,28 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
case MEMSLOT_GROUP_HOST:
return (void *)(intptr_t)offset;
case MEMSLOT_GROUP_GUEST:
- PANIC_ON(slot >= NUM_MEMSLOTS);
- PANIC_ON(!qxl->guest_slots[slot].active);
- PANIC_ON(offset < qxl->guest_slots[slot].delta);
+ if (slot >= NUM_MEMSLOTS) {
+ qxl_guest_bug(qxl, "slot too large %d >= %d", slot, NUM_MEMSLOTS);
+ return NULL;
+ }
+ if (!qxl->guest_slots[slot].active) {
+ qxl_guest_bug(qxl, "inactive slot %d\n", slot);
+ return NULL;
+ }
+ if (offset < qxl->guest_slots[slot].delta) {
+ qxl_guest_bug(qxl, "slot %d offset %"PRIu64" < delta %"PRIu64"\n",
+ slot, offset, qxl->guest_slots[slot].delta);
+ return NULL;
+ }
offset -= qxl->guest_slots[slot].delta;
- PANIC_ON(offset > qxl->guest_slots[slot].size)
+ if (offset > qxl->guest_slots[slot].size) {
+ qxl_guest_bug(qxl, "slot %d offset %"PRIu64" > size %"PRIu64"\n",
+ slot, offset, qxl->guest_slots[slot].size);
+ return NULL;
+ }
return qxl->guest_slots[slot].ptr + offset;
- default:
- PANIC_ON(1);
}
+ return NULL;
}
static void qxl_create_guest_primary_complete(PCIQXLDevice *qxl)
@@ -1120,7 +1191,10 @@ static void qxl_create_guest_primary(PCIQXLDevice *qxl, int loadvm,
QXLDevSurfaceCreate surface;
QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
- assert(qxl->mode != QXL_MODE_NATIVE);
+ if (qxl->mode == QXL_MODE_NATIVE) {
+ qxl_guest_bug(qxl, "%s: nop since already in QXL_MODE_NATIVE",
+ __func__);
+ }
qxl_exit_vga_mode(qxl);
surface.format = le32_to_cpu(sc->format);
@@ -1192,7 +1266,7 @@ static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm)
}
d->guest_slots[0].slot = slot;
- qxl_add_memslot(d, 0, devmem, QXL_SYNC);
+ assert(qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0);
d->guest_primary.surface = surface;
qxl_create_guest_primary(d, 0, QXL_SYNC);
@@ -1393,8 +1467,7 @@ async_common:
qxl_spice_destroy_surfaces(d, async);
break;
default:
- fprintf(stderr, "%s: ioport=0x%x, abort()\n", __FUNCTION__, io_port);
- abort();
+ qxl_guest_bug(d, "%s: unexpected ioport=0x%x\n", __func__, io_port);
}
return;
cancel_async:
@@ -1450,7 +1523,7 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
qxl_update_irq(d);
} else {
if (write(d->pipe[1], d, 1) != 1) {
- dprint(d, 1, "%s: write to pipe failed\n", __FUNCTION__);
+ dprint(d, 1, "%s: write to pipe failed\n", __func__);
}
}
}
@@ -1555,10 +1628,12 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
MEMSLOT_GROUP_GUEST);
+ assert(cmd);
assert(cmd->type == QXL_SURFACE_CMD_CREATE);
surface_offset = (intptr_t)qxl_phys2virt(qxl,
cmd->u.surface_create.data,
MEMSLOT_GROUP_GUEST);
+ assert(surface_offset);
surface_offset -= vram_start;
surface_size = cmd->u.surface_create.height *
abs(cmd->u.surface_create.stride);
diff --git a/hw/qxl.h b/hw/qxl.h
index cbb1e2d..3102950 100644
--- a/hw/qxl.h
+++ b/hw/qxl.h
@@ -142,12 +142,12 @@ void qxl_spice_reset_image_cache(PCIQXLDevice *qxl);
void qxl_spice_reset_cursor(PCIQXLDevice *qxl);
/* qxl-logger.c */
-void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id);
-void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext);
+int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id);
+int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext);
/* qxl-render.c */
void qxl_render_resize(PCIQXLDevice *qxl);
void qxl_render_update(PCIQXLDevice *qxl);
-void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext);
+int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext);
void qxl_render_update_area_done(PCIQXLDevice *qxl, QXLCookie *cookie);
void qxl_render_update_area_bh(void *opaque);
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index dbdb99c..8ab9bcd 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -239,6 +239,18 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
return res;
}
+static int32_t scsi_invalid_field(SCSIRequest *req, uint8_t *buf)
+{
+ scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));
+ scsi_req_complete(req, CHECK_CONDITION);
+ return 0;
+}
+
+static const struct SCSIReqOps reqops_invalid_field = {
+ .size = sizeof(SCSIRequest),
+ .send_command = scsi_invalid_field
+};
+
/* SCSIReqOps implementation for invalid commands. */
static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf)
@@ -355,10 +367,6 @@ static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
if (r->req.cmd.buf[1] & 0x1) {
/* Vital product data */
uint8_t page_code = r->req.cmd.buf[2];
- if (r->req.cmd.xfer < 4) {
- return false;
- }
-
r->buf[r->len++] = page_code ; /* this page */
r->buf[r->len++] = 0x00;
@@ -386,10 +394,6 @@ static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
}
/* PAGE CODE == 0 */
- if (r->req.cmd.xfer < 5) {
- return false;
- }
-
r->len = MIN(r->req.cmd.xfer, 36);
memset(r->buf, 0, r->len);
if (r->req.lun != 0) {
@@ -423,9 +427,6 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
}
break;
case REQUEST_SENSE:
- if (req->cmd.xfer < 4) {
- goto illegal_request;
- }
r->len = scsi_device_get_sense(r->req.dev, r->buf,
MIN(req->cmd.xfer, sizeof r->buf),
(req->cmd.buf[1] & 1) == 0);
@@ -517,23 +518,25 @@ SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun,
cmd.lba);
}
- if ((d->unit_attention.key == UNIT_ATTENTION ||
- bus->unit_attention.key == UNIT_ATTENTION) &&
- (buf[0] != INQUIRY &&
- buf[0] != REPORT_LUNS &&
- buf[0] != GET_CONFIGURATION &&
- buf[0] != GET_EVENT_STATUS_NOTIFICATION &&
-
- /*
- * If we already have a pending unit attention condition,
- * report this one before triggering another one.
- */
- !(buf[0] == REQUEST_SENSE && d->sense_is_ua))) {
+ if (cmd.xfer > INT32_MAX) {
+ req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private);
+ } else if ((d->unit_attention.key == UNIT_ATTENTION ||
+ bus->unit_attention.key == UNIT_ATTENTION) &&
+ (buf[0] != INQUIRY &&
+ buf[0] != REPORT_LUNS &&
+ buf[0] != GET_CONFIGURATION &&
+ buf[0] != GET_EVENT_STATUS_NOTIFICATION &&
+
+ /*
+ * If we already have a pending unit attention condition,
+ * report this one before triggering another one.
+ */
+ !(buf[0] == REQUEST_SENSE && d->sense_is_ua))) {
req = scsi_req_alloc(&reqops_unit_attention, d, tag, lun,
hba_private);
} else if (lun != d->lun ||
- buf[0] == REPORT_LUNS ||
- (buf[0] == REQUEST_SENSE && (d->sense_len || cmd.xfer < 4))) {
+ buf[0] == REPORT_LUNS ||
+ (buf[0] == REQUEST_SENSE && d->sense_len)) {
req = scsi_req_alloc(&reqops_target_command, d, tag, lun,
hba_private);
} else {
@@ -646,7 +649,7 @@ void scsi_req_build_sense(SCSIRequest *req, SCSISense sense)
trace_scsi_req_build_sense(req->dev->id, req->lun, req->tag,
sense.key, sense.asc, sense.ascq);
memset(req->sense, 0, 18);
- req->sense[0] = 0xf0;
+ req->sense[0] = 0x70;
req->sense[2] = sense.key;
req->sense[7] = 10;
req->sense[12] = sense.asc;
@@ -721,10 +724,6 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
case 0:
cmd->xfer = buf[4];
cmd->len = 6;
- /* length 0 means 256 blocks */
- if (cmd->xfer == 0) {
- cmd->xfer = 256;
- }
break;
case 1:
case 2:
@@ -777,7 +776,8 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
case MODE_SENSE:
break;
case WRITE_SAME_10:
- cmd->xfer = 1;
+ case WRITE_SAME_16:
+ cmd->xfer = dev->blocksize;
break;
case READ_CAPACITY_10:
cmd->xfer = 8;
@@ -793,18 +793,26 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
cmd->xfer = buf[9] | (buf[8] << 8);
}
break;
+ case WRITE_6:
+ /* length 0 means 256 blocks */
+ if (cmd->xfer == 0) {
+ cmd->xfer = 256;
+ }
case WRITE_10:
case WRITE_VERIFY_10:
- case WRITE_6:
case WRITE_12:
case WRITE_VERIFY_12:
case WRITE_16:
case WRITE_VERIFY_16:
cmd->xfer *= dev->blocksize;
break;
- case READ_10:
case READ_6:
case READ_REVERSE:
+ /* length 0 means 256 blocks */
+ if (cmd->xfer == 0) {
+ cmd->xfer = 256;
+ }
+ case READ_10:
case RECOVER_BUFFERED_DATA:
case READ_12:
case READ_16:
@@ -872,6 +880,16 @@ static int scsi_req_stream_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *bu
cmd->xfer *= dev->blocksize;
}
break;
+ case READ_16:
+ case READ_REVERSE_16:
+ case VERIFY_16:
+ case WRITE_16:
+ cmd->len = 16;
+ cmd->xfer = buf[14] | (buf[13] << 8) | (buf[12] << 16);
+ if (buf[1] & 0x01) { /* fixed */
+ cmd->xfer *= dev->blocksize;
+ }
+ break;
case REWIND:
case START_STOP:
cmd->len = 6;
@@ -895,6 +913,10 @@ static int scsi_req_stream_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *bu
static void scsi_cmd_xfer_mode(SCSICommand *cmd)
{
+ if (!cmd->xfer) {
+ cmd->mode = SCSI_XFER_NONE;
+ return;
+ }
switch (cmd->buf[0]) {
case WRITE_6:
case WRITE_10:
@@ -920,6 +942,8 @@ static void scsi_cmd_xfer_mode(SCSICommand *cmd)
case UPDATE_BLOCK:
case WRITE_LONG_10:
case WRITE_SAME_10:
+ case WRITE_SAME_16:
+ case UNMAP:
case SEARCH_HIGH_12:
case SEARCH_EQUAL_12:
case SEARCH_LOW_12:
@@ -929,14 +953,11 @@ static void scsi_cmd_xfer_mode(SCSICommand *cmd)
case SEND_DVD_STRUCTURE:
case PERSISTENT_RESERVE_OUT:
case MAINTENANCE_OUT:
+ case ATA_PASSTHROUGH:
cmd->mode = SCSI_XFER_TO_DEV;
break;
default:
- if (cmd->xfer)
- cmd->mode = SCSI_XFER_FROM_DEV;
- else {
- cmd->mode = SCSI_XFER_NONE;
- }
+ cmd->mode = SCSI_XFER_FROM_DEV;
break;
}
}
@@ -1127,7 +1148,7 @@ int scsi_build_sense(uint8_t *in_buf, int in_len,
memset(buf, 0, len);
if (fixed) {
/* Return fixed format sense buffer */
- buf[0] = 0xf0;
+ buf[0] = 0x70;
buf[2] = sense.key;
buf[7] = 10;
buf[12] = sense.asc;
@@ -1270,6 +1291,7 @@ SCSIRequest *scsi_req_ref(SCSIRequest *req)
void scsi_req_unref(SCSIRequest *req)
{
+ assert(req->refcount > 0);
if (--req->refcount == 0) {
if (req->ops->free_req) {
req->ops->free_req(req);
diff --git a/hw/scsi-defs.h b/hw/scsi-defs.h
index ca24192..219c84d 100644
--- a/hw/scsi-defs.h
+++ b/hw/scsi-defs.h
@@ -92,6 +92,7 @@
#define PERSISTENT_RESERVE_OUT 0x5f
#define VARLENGTH_CDB 0x7f
#define WRITE_FILEMARKS_16 0x80
+#define READ_REVERSE_16 0x81
#define ALLOW_OVERWRITE 0x82
#define EXTENDED_COPY 0x83
#define ATA_PASSTHROUGH 0x85
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index a029ab6..045c764 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -28,9 +28,6 @@ do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
-#define BADF(fmt, ...) \
-do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
-
#include "qemu-common.h"
#include "qemu-error.h"
#include "scsi.h"
@@ -61,10 +58,13 @@ typedef struct SCSIDiskReq {
BlockAcctCookie acct;
} SCSIDiskReq;
+#define SCSI_DISK_F_REMOVABLE 0
+#define SCSI_DISK_F_DPOFUA 1
+
struct SCSIDiskState
{
SCSIDevice qdev;
- uint32_t removable;
+ uint32_t features;
bool media_changed;
bool media_event;
bool eject_request;
@@ -296,6 +296,13 @@ static void scsi_do_read(void *opaque, int ret)
}
}
+ if (r->req.io_canceled) {
+ return;
+ }
+
+ /* The request is used as the AIO opaque value, so add a ref. */
+ scsi_req_ref(&r->req);
+
if (r->req.sg) {
dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
r->req.resid -= r->req.sg->size;
@@ -505,20 +512,9 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
int buflen = 0;
- if (req->cmd.buf[1] & 0x2) {
- /* Command support data - optional, not implemented */
- BADF("optional INQUIRY command support request not implemented\n");
- return -1;
- }
-
if (req->cmd.buf[1] & 0x1) {
/* Vital product data */
uint8_t page_code = req->cmd.buf[2];
- if (req->cmd.xfer < 4) {
- BADF("Error: Inquiry (EVPD[%02X]) buffer size %zd is "
- "less than 4\n", page_code, req->cmd.xfer);
- return -1;
- }
outbuf[buflen++] = s->qdev.type & 0x1f;
outbuf[buflen++] = page_code ; // this page
@@ -633,8 +629,6 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
break;
}
default:
- BADF("Error: unsupported Inquiry (EVPD[%02X]) "
- "buffer size %zd\n", page_code, req->cmd.xfer);
return -1;
}
/* done with EVPD */
@@ -643,18 +637,10 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
/* Standard INQUIRY data */
if (req->cmd.buf[2] != 0) {
- BADF("Error: Inquiry (STANDARD) page or code "
- "is non-zero [%02X]\n", req->cmd.buf[2]);
return -1;
}
/* PAGE CODE == 0 */
- if (req->cmd.xfer < 5) {
- BADF("Error: Inquiry (STANDARD) buffer size %zd "
- "is less than 5\n", req->cmd.xfer);
- return -1;
- }
-
buflen = req->cmd.xfer;
if (buflen > SCSI_MAX_INQUIRY_LEN) {
buflen = SCSI_MAX_INQUIRY_LEN;
@@ -662,7 +648,7 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
memset(outbuf, 0, buflen);
outbuf[0] = s->qdev.type & 0x1f;
- outbuf[1] = s->removable ? 0x80 : 0;
+ outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
if (s->qdev.type == TYPE_ROM) {
memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
} else {
@@ -1094,7 +1080,7 @@ static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
p = outbuf;
if (s->qdev.type == TYPE_DISK) {
- dev_specific_param = 0x10; /* DPOFUA */
+ dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
if (bdrv_is_read_only(s->qdev.conf.bs)) {
dev_specific_param |= 0x80; /* Readonly. */
}
@@ -1559,8 +1545,11 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
}
break;
case WRITE_SAME_10:
+ len = lduw_be_p(&buf[7]);
+ goto write_same;
case WRITE_SAME_16:
- len = r->req.cmd.xfer / s->qdev.blocksize;
+ len = ldl_be_p(&buf[10]) & 0xffffffffULL;
+ write_same:
DPRINTF("WRITE SAME() (sector %" PRId64 ", count %d)\n",
r->req.cmd.lba, len);
@@ -1700,7 +1689,8 @@ static int scsi_initfn(SCSIDevice *dev)
return -1;
}
- if (!s->removable && !bdrv_is_inserted(s->qdev.conf.bs)) {
+ if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
+ !bdrv_is_inserted(s->qdev.conf.bs)) {
error_report("Device needs media, but drive is empty");
return -1;
}
@@ -1722,7 +1712,7 @@ static int scsi_initfn(SCSIDevice *dev)
return -1;
}
- if (s->removable) {
+ if (s->features & (1 << SCSI_DISK_F_REMOVABLE)) {
bdrv_set_dev_ops(s->qdev.conf.bs, &scsi_cd_block_ops, s);
}
bdrv_set_buffer_alignment(s->qdev.conf.bs, s->qdev.blocksize);
@@ -1745,7 +1735,7 @@ static int scsi_cd_initfn(SCSIDevice *dev)
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
s->qdev.blocksize = 2048;
s->qdev.type = TYPE_ROM;
- s->removable = true;
+ s->features |= 1 << SCSI_DISK_F_REMOVABLE;
return scsi_initfn(&s->qdev);
}
@@ -1818,7 +1808,9 @@ static int get_device_type(SCSIDiskState *s)
return -1;
}
s->qdev.type = buf[0];
- s->removable = (buf[1] & 0x80) != 0;
+ if (buf[1] & 0x80) {
+ s->features |= 1 << SCSI_DISK_F_REMOVABLE;
+ }
return 0;
}
@@ -1918,7 +1910,10 @@ static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
static Property scsi_hd_properties[] = {
DEFINE_SCSI_DISK_PROPERTIES(),
- DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
+ DEFINE_PROP_BIT("removable", SCSIDiskState, features,
+ SCSI_DISK_F_REMOVABLE, false),
+ DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
+ SCSI_DISK_F_DPOFUA, false),
DEFINE_PROP_END_OF_LIST(),
};
@@ -2020,7 +2015,10 @@ static TypeInfo scsi_block_info = {
static Property scsi_disk_properties[] = {
DEFINE_SCSI_DISK_PROPERTIES(),
- DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
+ DEFINE_PROP_BIT("removable", SCSIDiskState, features,
+ SCSI_DISK_F_REMOVABLE, false),
+ DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
+ SCSI_DISK_F_DPOFUA, false),
DEFINE_PROP_END_OF_LIST(),
};
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7128618..20d2a74 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4866,13 +4866,53 @@ int get_osversion(void)
static int open_self_maps(void *cpu_env, int fd)
{
+#if defined(TARGET_ARM) || defined(TARGET_M68K) || defined(TARGET_UNICORE32)
TaskState *ts = ((CPUArchState *)cpu_env)->opaque;
+#endif
+ FILE *fp;
+ char *line = NULL;
+ size_t len = 0;
+ ssize_t read;
+
+ fp = fopen("/proc/self/maps", "r");
+ if (fp == NULL) {
+ return -EACCES;
+ }
+
+ while ((read = getline(&line, &len, fp)) != -1) {
+ int fields, dev_maj, dev_min, inode;
+ uint64_t min, max, offset;
+ char flag_r, flag_w, flag_x, flag_p;
+ char path[512] = "";
+ fields = sscanf(line, "%"PRIx64"-%"PRIx64" %c%c%c%c %"PRIx64" %x:%x %d"
+ " %512s", &min, &max, &flag_r, &flag_w, &flag_x,
+ &flag_p, &offset, &dev_maj, &dev_min, &inode, path);
+ if ((fields < 10) || (fields > 11)) {
+ continue;
+ }
+ if (!strncmp(path, "[stack]", 7)) {
+ continue;
+ }
+ if (h2g_valid(min) && h2g_valid(max)) {
+ dprintf(fd, TARGET_ABI_FMT_lx "-" TARGET_ABI_FMT_lx
+ " %c%c%c%c %08" PRIx64 " %02x:%02x %d%s%s\n",
+ h2g(min), h2g(max), flag_r, flag_w,
+ flag_x, flag_p, offset, dev_maj, dev_min, inode,
+ path[0] ? " " : "", path);
+ }
+ }
+
+ free(line);
+ fclose(fp);
+
+#if defined(TARGET_ARM) || defined(TARGET_M68K) || defined(TARGET_UNICORE32)
dprintf(fd, "%08llx-%08llx rw-p %08llx 00:00 0 [stack]\n",
(unsigned long long)ts->info->stack_limit,
(unsigned long long)(ts->stack_base + (TARGET_PAGE_SIZE - 1))
& TARGET_PAGE_MASK,
- (unsigned long long)ts->stack_base);
+ (unsigned long long)0);
+#endif
return 0;
}
@@ -5045,11 +5085,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
NULL, NULL, 0);
}
thread_env = NULL;
-#ifdef ENV_GET_CPU
object_delete(OBJECT(ENV_GET_CPU(cpu_env)));
-#else
- g_free(cpu_env);
-#endif
g_free(ts);
pthread_exit(NULL);
}
diff --git a/qapi-schema.json b/qapi-schema.json
index 9193fb9..4279259 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -634,6 +634,25 @@
'tls': 'bool'} }
##
+# @SpiceQueryMouseMode
+#
+# An enumation of Spice mouse states.
+#
+# @client: Mouse cursor position is determined by the client.
+#
+# @server: Mouse cursor position is determined by the server.
+#
+# @unknown: No information is available about mouse mode used by
+# the spice server.
+#
+# Note: spice/enums.h has a SpiceMouseMode already, hence the name.
+#
+# Since: 1.1
+##
+{ 'enum': 'SpiceQueryMouseMode',
+ 'data': [ 'client', 'server', 'unknown' ] }
+
+##
# @SpiceInfo
#
# Information about the SPICE session.
@@ -654,6 +673,12 @@
# 'spice' uses SASL or direct TLS authentication, depending on command
# line options
#
+# @mouse-mode: The mode in which the mouse cursor is displayed currently. Can
+# be determined by the client or the server, or unknown if spice
+# server doesn't provide this information.
+#
+# Since: 1.1
+#
# @channels: a list of @SpiceChannel for each active spice channel
#
# Since: 0.14.0
@@ -661,7 +686,7 @@
{ 'type': 'SpiceInfo',
'data': {'enabled': 'bool', '*host': 'str', '*port': 'int',
'*tls-port': 'int', '*auth': 'str', '*compiled-version': 'str',
- '*channels': ['SpiceChannel']} }
+ 'mouse-mode': 'SpiceQueryMouseMode', '*channels': ['SpiceChannel']} }
##
# @query-spice
diff --git a/qemu-timer.c b/qemu-timer.c
index 8eadd16..b9fd75d 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -611,7 +611,7 @@ static void unix_stop_timer(struct qemu_alarm_timer *t)
#ifdef _WIN32
static MMRESULT mm_timer;
-static unsigned mm_period;
+static TIMECAPS mm_tc;
static void CALLBACK mm_alarm_handler(UINT uTimerID, UINT uMsg,
DWORD_PTR dwUser, DWORD_PTR dw1,
@@ -628,16 +628,12 @@ static void CALLBACK mm_alarm_handler(UINT uTimerID, UINT uMsg,
static int mm_start_timer(struct qemu_alarm_timer *t)
{
- TIMECAPS tc;
+ timeGetDevCaps(&mm_tc, sizeof(mm_tc));
- memset(&tc, 0, sizeof(tc));
- timeGetDevCaps(&tc, sizeof(tc));
+ timeBeginPeriod(mm_tc.wPeriodMin);
- mm_period = tc.wPeriodMin;
- timeBeginPeriod(mm_period);
-
- mm_timer = timeSetEvent(1, /* interval (ms) */
- mm_period, /* resolution */
+ mm_timer = timeSetEvent(mm_tc.wPeriodMin, /* interval (ms) */
+ mm_tc.wPeriodMin, /* resolution */
mm_alarm_handler, /* function */
(DWORD_PTR)t, /* parameter */
TIME_ONESHOT | TIME_CALLBACK_FUNCTION);
@@ -645,7 +641,7 @@ static int mm_start_timer(struct qemu_alarm_timer *t)
if (!mm_timer) {
fprintf(stderr, "Failed to initialize win32 alarm timer: %ld\n",
GetLastError());
- timeEndPeriod(mm_period);
+ timeEndPeriod(mm_tc.wPeriodMin);
return -1;
}
@@ -655,23 +651,21 @@ static int mm_start_timer(struct qemu_alarm_timer *t)
static void mm_stop_timer(struct qemu_alarm_timer *t)
{
timeKillEvent(mm_timer);
- timeEndPeriod(mm_period);
+ timeEndPeriod(mm_tc.wPeriodMin);
}
static void mm_rearm_timer(struct qemu_alarm_timer *t, int64_t delta)
{
int64_t nearest_delta_ms = delta / 1000000;
- if (nearest_delta_ms < 1) {
- nearest_delta_ms = 1;
- }
- /* UINT_MAX can be 32 bit */
- if (nearest_delta_ms > UINT_MAX) {
- nearest_delta_ms = UINT_MAX;
+ if (nearest_delta_ms < mm_tc.wPeriodMin) {
+ nearest_delta_ms = mm_tc.wPeriodMin;
+ } else if (nearest_delta_ms > mm_tc.wPeriodMax) {
+ nearest_delta_ms = mm_tc.wPeriodMax;
}
timeKillEvent(mm_timer);
- mm_timer = timeSetEvent((unsigned int) nearest_delta_ms,
- mm_period,
+ mm_timer = timeSetEvent((UINT)nearest_delta_ms,
+ mm_tc.wPeriodMin,
mm_alarm_handler,
(DWORD_PTR)t,
TIME_ONESHOT | TIME_CALLBACK_FUNCTION);
@@ -680,7 +674,7 @@ static void mm_rearm_timer(struct qemu_alarm_timer *t, int64_t delta)
fprintf(stderr, "Failed to re-arm win32 alarm timer %ld\n",
GetLastError());
- timeEndPeriod(mm_period);
+ timeEndPeriod(mm_tc.wPeriodMin);
exit(1);
}
}
diff --git a/qom/container.c b/qom/container.c
index c9940ab..4ca8b5c 100644
--- a/qom/container.c
+++ b/qom/container.c
@@ -43,6 +43,8 @@ Object *container_get(Object *root, const char *path)
}
}
+ g_strfreev(parts);
+
return obj;
}
diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index 5627447..66037ac 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -192,12 +192,6 @@ static inline uint64_t get_HILO (void)
return ((uint64_t)(env->active_tc.HI[0]) << 32) | (uint32_t)env->active_tc.LO[0];
}
-static inline void set_HILO (uint64_t HILO)
-{
- env->active_tc.LO[0] = (int32_t)HILO;
- env->active_tc.HI[0] = (int32_t)(HILO >> 32);
-}
-
static inline void set_HIT0_LO (target_ulong arg1, uint64_t HILO)
{
env->active_tc.LO[0] = (int32_t)(HILO & 0xFFFFFFFF);
diff --git a/ui/spice-core.c b/ui/spice-core.c
index a468524..4fc48f8 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -462,6 +462,13 @@ SpiceInfo *qmp_query_spice(Error **errp)
info->tls_port = tls_port;
}
+#if SPICE_SERVER_VERSION >= 0x000a03 /* 0.10.3 */
+ info->mouse_mode = spice_server_is_server_mouse(spice_server) ?
+ SPICE_QUERY_MOUSE_MODE_SERVER :
+ SPICE_QUERY_MOUSE_MODE_CLIENT;
+#else
+ info->mouse_mode = SPICE_QUERY_MOUSE_MODE_UNKNOWN;
+#endif
/* for compatibility with the original command */
info->has_channels = true;
info->channels = qmp_query_spice_channels();