Age | Commit message | Author | Files | Lines
2016-06-01 | docker: Add quick test | Fam Zheng | 1 | -0/+19

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-9-git-send-email-famz@redhat.com

2016-06-01 | docker: Add common.rc | Fam Zheng | 1 | -0/+31

"requires" checks the "FEATURE" environment for specified prerequisites, and skips the execution of the test if not found. "build_qemu" is the central routine to compile QEMU for tests to call.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-8-git-send-email-famz@redhat.com

2016-06-01 | docker: Add test runner | Fam Zheng | 1 | -0/+58

It's better to have a launcher for all tests, to make it easier to initialize and manage the environment. If "DEBUG=1" a shell prompt will show up before the test runs.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-7-git-send-email-famz@redhat.com

2016-06-01 | docker: Add images | Fam Zheng | 3 | -0/+24

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-6-git-send-email-famz@redhat.com

2016-06-01 | Makefile: Rules for docker testing | Fam Zheng | 2 | -1/+126

This adds a group of make targets to run docker tests, all are available in the source tree without running ./configure. The usage is shown with "make docker".

Besides the fixed ones, dynamic targets for building each image and running each test in each image are generated automatically by make, scanning $(SRC_PATH)/tests/docker/ files with specific patterns.

As an alternative to manually listing particular targets (docker-TEST@IMAGE), you can control which tests/images to run by filtering variables, TESTS= and IMAGES=, which are expressed in Makefile pattern syntax, "foo% %bar ...". For example:

    $ make docker-test IMAGES="ubuntu fedora"

Unfortunately, it's impossible to propagate "-j $JOBS" into make in containers, however since each combination is made a first class target in the top Makefile, "make -j$N docker-test" still parallels the tests coarsely. Still, $J is made a magic variable to let all make invocations in containers use -j$J.

Instead of providing a live version of the source tree to the docker container we snapshot it with git-archive. This ensures the tree is in a pristine state for whatever operations the container is going to run on them. Uncommitted changes to files known by the git index will be included in the snapshot if there are any.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1464755128-32490-5-git-send-email-famz@redhat.com

2016-06-01 | Makefile: Always include rules.mak | Fam Zheng | 1 | -1/+2

When config-host.mak is not found it is safe to assume SRC_PATH is ".". So, it is okay to move inclusion of rules.mak out of the ifeq condition.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-4-git-send-email-famz@redhat.com

2016-06-01 | rules.mak: Add "COMMA" constant | Fam Zheng | 1 | -0/+2

Using "," literal in $(call quiet-command, ...) arguments is awkward. Add this constant to make it at least doable.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-3-git-send-email-famz@redhat.com

2016-06-01 | tests: Add utilities for docker testing | Fam Zheng | 1 | -0/+194

docker.py is added with a number of useful subcommands to manage docker images and instances for QEMU docker testing. Subcommands are:

run: A wrapper of "docker run" (or "sudo -n docker run" if necessary), which takes care of killing and removing the running container at SIGINT.

clean: Tear down all the containers including inactive ones that are started by docker_run.

build: Compare an image from the given dockerfile and rebuild it if they're different.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1464755128-32490-2-git-send-email-famz@redhat.com

2016-05-31 | Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160531' into staging | Peter Maydell | 16 | -65/+337

ppc patch queue for 2016-05-31

Here's another ppc patch queue. This batch is all preliminaries towards two significant features:

1) Full hypervisor-mode support for POWER8
   Patches 1-8 start fixing various bugs with TCG's handling of hypervisor mode

2) CPU hotplug support
   Patches 9-12 make some preliminary fixes towards implementing CPU hotplug on ppc64 (and other non-x86 platforms). These patches are actually to generic code, not ppc, but are included here with Paolo's ACK.

# gpg: Signature made Tue 31 May 2016 01:39:44 BST using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.7-20160531:
  cpu: Add a sync version of cpu_remove()
  cpu: Reclaim vCPU objects
  exec: Do vmstate unregistration from cpu_exec_exit()
  exec: Remove cpu from cpus list during cpu_exec_exit()
  ppc: Add PPC_64H instruction flag to POWER7 and POWER8
  ppc: Get out of emulation on SMT "OR" ops
  ppc: Fix sign extension issue in mtmsr(d) emulation
  ppc: Change 'invalid' bit mask of tlbiel and tlbie
  ppc: tlbie, tlbia and tlbisync are HV only
  ppc: Do some batching of TCG tlb flushes
  ppc: Use split I/D mmu modes to avoid flushes on interrupts
  ppc: Remove MMU_MODEn_SUFFIX definitions

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2016-05-31 | Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging | Peter Maydell | 36 | -1242/+709

* docs/atomics fixes and atomic_rcu_* optimization (Emilio)
* NBD bugfix (Eric)
* Memory fixes and cleanups (Paolo, Paul)
* scsi-block support for SCSI status, including persistent reservations (Paolo)
* kvm_stat moves to the Linux repository
* SCSI bug fixes (Peter, Prasad)
* Killing qemu_char_get_next_serial, non-ARM parts (Xiaoqiang)

# gpg: Signature made Sun 29 May 2016 08:11:20 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"

* remotes/bonzini/tags/for-upstream: (30 commits)
  exec: hide mr->ram_addr from qemu_get_ram_ptr users
  memory: split memory_region_from_host from qemu_ram_addr_from_host
  exec: remove ram_addr argument from qemu_ram_block_from_host
  memory: remove qemu_get_ram_fd, qemu_set_ram_fd, qemu_ram_block_host_ptr
  scsi-generic: Merge block max xfer len in INQUIRY response
  scsi-block: always use SG_IO
  scsi-disk: introduce scsi_disk_req_check_error
  scsi-disk: add need_fua_emulation to SCSIDiskClass
  scsi-disk: introduce dma_readv and dma_writev
  scsi-disk: introduce a common base class
  xen-hvm: ignore background I/O sections
  docs/atomics: update comparison with Linux
  atomics: do not emit consume barrier for atomic_rcu_read
  atomics: emit an smp_read_barrier_depends() barrier only for Alpha and Thread Sanitizer
  docs/atomics: update atomic_read/set comparison with Linux
  bt: rewrite csrhci_write to avoid out-of-bounds writes
  block/iscsi: avoid potential overflow of acb->task->cdb
  scsi: megasas: check 'read_queue_head' index value
  scsi: megasas: initialise local configuration data buffer
  scsi: megasas: use appropriate property buffer size
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2016-05-30 | cpu: Add a sync version of cpu_remove() | Bharata B Rao | 2 | -0/+20

This sync API will be used by the CPU hotplug code to wait for the CPU to completely get removed before flagging the failure to the device_add command. Sync version of this call is needed to correctly recover from CPU realization failures when ->plug() handler fails.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | cpu: Reclaim vCPU objects | Gu Zheng | 5 | -3/+109

In order to deal well with the kvm vcpus (which cannot be removed without any protection), we do not close KVM vcpu fd, just record and mark it as stopped into a list, so that we can reuse it for the appending cpu hot-add request if possible. It is also the approach that kvm guys suggested: https://www.mail-archive.com/kvm@vger.kernel.org/msg102839.html

Signed-off-by: Chen Fan <chen.fan.fnst@cn.fujitsu.com>
Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
Signed-off-by: Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
[- Explicit CPU_REMOVE() from qemu_kvm/tcg_destroy_vcpu() isn't needed as it is done from cpu_exec_exit()
 - Use iothread mutex instead of global mutex during destroy
 - Don't cleanup vCPU object from vCPU thread context but leave it to the callers (device_add/device_del)]
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | exec: Do vmstate unregistration from cpu_exec_exit() | Bharata B Rao | 1 | -0/+11

cpu_exec_init() does vmstate_register for the CPU device. This needs to be undone from cpu_exec_exit(). This change is needed to support CPU hot removal.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
[dwg: added missing include to fix compile on some archs]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | exec: Remove cpu from cpus list during cpu_exec_exit() | Bharata B Rao | 1 | -8/+24

CPUState *cpu gets added to the cpus list during cpu_exec_init(). It should be removed from cpu_exec_exit().

cpu_exec_exit() is called from generic CPU::instance_finalize and some archs like PowerPC call it from CPU unrealizefn. So ensure that we dequeue the cpu only once.

Now -1 value for cpu->cpu_index indicates that we have already dequeued the cpu for CONFIG_USER_ONLY case also.

Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Add PPC_64H instruction flag to POWER7 and POWER8 | Benjamin Herrenschmidt | 1 | -2/+2

This will enable decoding of hrfid.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Get out of emulation on SMT "OR" ops | Benjamin Herrenschmidt | 1 | -3/+18

Otherwise tight loops at smt_low for example, which OPAL does, eat so much CPU that we can't boot a kernel anymore. With that, I can boot 8 CPUs just fine with powernv.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Fix sign extension issue in mtmsr(d) emulation | Michael Neuling | 1 | -2/+2

Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Change 'invalid' bit mask of tlbiel and tlbie | Benjamin Herrenschmidt | 1 | -2/+4

Otherwise it will trip on the forms used in recent architecture. Ideally, we should have different handlers for different architecture levels but our current implementation of TLB flushing is dumb enough that this will do for now.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: tlbie, tlbia and tlbisync are HV only | Benjamin Herrenschmidt | 1 | -3/+3

Not that anything remotely recent supports tlbia but ...

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Do some batching of TCG tlb flushes | Benjamin Herrenschmidt | 8 | -15/+82

On ppc64 especially, we flush the tlb on any slbie or tlbie instruction. However, those instructions often come in bursts of 3 or more (context switch will favor a series of slbie's for example to an slbia if the SLB has less than a certain number of entries in it), and tlbie's can happen in a series; with PAPR, H_BULK_REMOVE can remove up to 4 entries at a time.

Doing a tlb_flush() each time is a waste of time. We end up doing a memset of the whole TLB, reloading it for the next instruction, memset'ing again, etc...

Those instructions don't have to take effect immediately. For slbie, they can wait for the next context synchronizing event. For tlbie, the next tlbsync.

This implements batching by keeping a flag that indicates that we have a TLB in need of flushing. We check it on interrupts, rfi's, isync's and tlbsync and flush the TLB if needed.

This reduces the number of tlb_flush() on a boot to a ubuntu installer first dialog screen from roughly 360K down to 36K.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[clg: added a 'CPUPPCState *' variable in h_remove() and h_bulk_remove() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
[dwg: removed spurious whitespace change, use 0/1 not true/false consistently, since tlb_need_flush has int type]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Use split I/D mmu modes to avoid flushes on interrupts | Benjamin Herrenschmidt | 5 | -25/+63

We rework the way the MMU indices are calculated, providing separate indices for I and D side based on MSR:IR and MSR:DR respectively, and thus no longer need to flush the TLB on context changes.

This also adds correct support for HV as a separate address space.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-30 | ppc: Remove MMU_MODEn_SUFFIX definitions | Benjamin Herrenschmidt | 1 | -3/+0

We don't use the resulting accessors and this gets in the way of the split I/D TLB work.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

2016-05-29 | exec: hide mr->ram_addr from qemu_get_ram_ptr users | Paolo Bonzini | 4 | -54/+31

Let users of qemu_get_ram_ptr and qemu_ram_ptr_length pass in an address that is relative to the MemoryRegion. This basically means what address_space_translate returns.

Because the semantics of the second parameter change, rename the function to qemu_map_ram_ptr.

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | memory: split memory_region_from_host from qemu_ram_addr_from_host | Paolo Bonzini | 7 | -20/+51

Move the old qemu_ram_addr_from_host to memory_region_from_host and make it return an offset within the region. For qemu_ram_addr_from_host return the ram_addr_t directly, similar to what it was before commit 1b5ec23 ("memory: return MemoryRegion from qemu_ram_addr_from_host", 2013-07-04).

Reviewed-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | exec: remove ram_addr argument from qemu_ram_block_from_host | Paolo Bonzini | 3 | -10/+8

Of the two callers, one does not use it, and the other can compute it itself based on the other output argument (offset) and the RAMBlock.

Reviewed-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | memory: remove qemu_get_ram_fd, qemu_set_ram_fd, qemu_ram_block_host_ptr | Paolo Bonzini | 6 | -52/+37

Remove direct uses of ram_addr_t and optimize memory_region_{get,set}_fd now that a MemoryRegion knows its RAMBlock directly.

Reviewed-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-generic: Merge block max xfer len in INQUIRY response | Fam Zheng | 1 | -0/+12

The rationale is similar to the above mode sense response interception: this is practically the only channel to communicate restraints from elsewhere such as host and block driver. The scsi bus we attach onto can have a larger max xfer len than what is accepted by the host file system (guarding between the host scsi LUN and QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1464243305-10661-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-block: always use SG_IO | Paolo Bonzini | 1 | -18/+196

Using pread/pwrite or io_submit has the advantage of eliminating the bounce buffer, but drops the SCSI status. This keeps the guest from seeing unit attention codes, as well as statuses such as RESERVATION CONFLICT. Because we know scsi-block operates on an SBC device we can still use the DMA helpers with SG_IO; just remember to patch the CDBs if the transfer is split into multiple segments.

This means that scsi-block will always use the thread-pool unfortunately, instead of respecting aio=native.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-disk: introduce scsi_disk_req_check_error | Paolo Bonzini | 1 | -67/+22

Commonize all the checks for canceled requests and errors. The next patch will add another case to check for, in order to handle passthrough commands.

There is no semantic change here; the only nontrivial modification is in scsi_write_do_fua, where cancellation has been checked earlier by both callers. Thus, the check is replaced with an assertion.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-disk: add need_fua_emulation to SCSIDiskClass | Paolo Bonzini | 1 | -2/+7

scsi-block will be able to do FUA just by passing the request through to the LUN (which is also more efficient); there is no need to emulate it like we do for scsi-disk. Add a new method to distinguish this.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-disk: introduce dma_readv and dma_writev | Paolo Bonzini | 1 | -15/+52

These are replacements for blk_aio_readv and blk_aio_writev that allow customization of the data path. They reuse the DMA helpers' DMAIOFunc callback type, so that the same function can be used in either the QEMUSGList or the bounce-buffered case.

This customization will be needed in the next patch to do zero-copy SG_IO on scsi-block.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi-disk: introduce a common base class | Paolo Bonzini | 1 | -14/+22

This will be the place to add DMAIOFuncs in the next patch. There are also a couple DeviceClass members that can be moved to the abstract class's initialization function.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | xen-hvm: ignore background I/O sections | Paul Durrant | 1 | -2/+12

Since Xen will correctly handle accesses to unimplemented I/O ports (by returning all 1's for reads and ignoring writes) there is no need for QEMU to register background I/O sections. This patch therefore adds checks to xen_io_add/del so that sections with memory-region ops pointing at 'unassigned_io_ops' are ignored.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1462811480-16295-1-git-send-email-paul.durrant@citrix.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | docs/atomics: update comparison with Linux | Paolo Bonzini | 1 | -5/+15

Over time, some differences between QEMU and Linux atomics are getting smoothed. In particular, Linux grew atomic_fetch_or (and in general the differences regarding RMW operations were not described accurately) and smp_load_acquire/smp_store_release. Also, set_mb was renamed to smp_store_mb().

Include these changes in the documentation.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | atomics: do not emit consume barrier for atomic_rcu_read | Emilio G. Cota | 1 | -2/+12

Currently we emit a consume-load in atomic_rcu_read. Because of limitations in current compilers, this is overkill for non-Alpha hosts and it is only useful to make Thread Sanitizer work.

This patch leaves the consume-load in atomic_rcu_read when compiling with Thread Sanitizer enabled, and resorts to a relaxed load + smp_read_barrier_depends otherwise.

On an RMO host architecture, such as aarch64, the performance improvement of this change is easily measurable. For instance, qht-bench performs an atomic_rcu_read on every lookup. Performance before and after applying this patch:

    $ tests/qht-bench -d 5 -n 1
    Before: 9.78 MT/s
    After:  10.96 MT/s

Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <1464120374-8950-4-git-send-email-cota@braap.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | atomics: emit an smp_read_barrier_depends() barrier only for Alpha and Thread Sanitizer | Emilio G. Cota | 1 | -0/+11

For correctness, smp_read_barrier_depends() is only required to emit a barrier on Alpha hosts. However, we are currently emitting a consume fence unconditionally, and most compilers currently treat consume and acquire fences as equivalent.

Fix it by keeping the consume fence if we're compiling with Thread Sanitizer, since this might help prevent false warnings. Otherwise, only emit the barrier for Alpha hosts.

Note that we still guarantee that smp_read_barrier_depends() is a compiler barrier.

Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <1464120374-8950-3-git-send-email-cota@braap.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | docs/atomics: update atomic_read/set comparison with Linux | Emilio G. Cota | 1 | -3/+13

Recently Linux did a mass conversion of its atomic_read/set calls so that they at least are READ/WRITE_ONCE. See Linux's commit 62e8a325 ("atomic, arch: Audit atomic_{read,set}()"). It seems though that their documentation hasn't been updated to reflect this.

The appended updates our documentation to reflect the change, which means there is effectively no difference between our atomic_read/set and the current Linux implementation.

While at it, fix the statement that a barrier is implied by atomic_read/set, which is incorrect. Volatile/atomic semantics prevent transformations pertaining to the variable they apply to; this, however, has no effect on surrounding statements like barriers do. For more details on this, see: https://gcc.gnu.org/onlinedocs/gcc/Volatiles.html

Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <1464120374-8950-2-git-send-email-cota@braap.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | bt: rewrite csrhci_write to avoid out-of-bounds writes | Paolo Bonzini | 1 | -21/+46

The usage of INT_MAX in this function confuses Coverity. I think the defect is bogus, however there is no protection against getting more than sizeof(s->inpkt) bytes from the character device backend.

Rewrite the function to only fill in as much data as needed from buf into s->inpkt. The plen variable is replaced by a simple state machine and there is no need anymore to shift contents to the beginning of s->inpkt.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | block/iscsi: avoid potential overflow of acb->task->cdb | Peter Lieven | 1 | -0/+7

At least in the path via virtio-blk the maximum size is not restricted.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi: megasas: check 'read_queue_head' index value | Prasad J Pandit | 1 | -0/+2

While doing MegaRAID SAS controller command frame lookup, routine 'megasas_lookup_frame' uses 'read_queue_head' value as an index into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value within array bounds to avoid any OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi: megasas: initialise local configuration data buffer | Prasad J Pandit | 1 | -1/+1

When reading MegaRAID SAS controller configuration via MegaRAID Firmware Interface (MFI) commands, routine megasas_dcmd_cfg_read uses an uninitialised local data buffer. Initialise this buffer to avoid stack information leakage.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi: megasas: use appropriate property buffer size | Prasad J Pandit | 1 | -1/+1

When setting MegaRAID SAS controller properties via MegaRAID Firmware Interface (MFI) commands, a user supplied size parameter is used to set property value. Use appropriate size value to avoid OOB access issues.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi: mptsas: infinite loop while fetching requests | Prasad J Pandit | 1 | -5/+4

The LSI SAS1068 Host Bus Adapter emulator in Qemu periodically looks for requests and fetches them. A loop doing that in mptsas_fetch_requests() could run infinitely if 's->state' was not operational. Move check to avoid such a loop.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952) | Prasad J Pandit | 1 | -4/+20

Vmware Paravirtual SCSI emulation uses command descriptors to process SCSI commands. These descriptors come with their ring buffers. A guest could set the ring buffer size to an arbitrary value leading to OOB access issue. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | kvm_stat: Remove | Paolo Bonzini | 3 | -889/+0

The source has moved to the Linux kernel tree.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | nbd: Don't trim unrequested bytes | Eric Blake | 1 | -6/+14

Similar to commit df7b97ff, we are mishandling clients that give an unaligned NBD_CMD_TRIM request, and potentially trimming bytes that occur before their request; which in turn can cause potential unintended data loss (unlikely in practice, since most clients are sane and issue aligned trim requests). However, while we fixed read and write by switching to the byte interfaces of blk_, we don't yet have a byte interface for discard. On the other hand, trim is advisory, so rounding the user's request to simply ignore the first and last unaligned sectors (or the entire request, if it is sub-sector in length) is just fine.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1464173965-9694-1-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | hw/char: QOM'ify milkymist-uart.c | xiaoqiang zhao | 3 | -6/+10

Drop the qemu_char_get_next_serial and use chardev prop instead.

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1464158344-12266-6-git-send-email-zxq_yx_007@163.com>
Tested-by: Michael Walle <michael@walle.cc>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | hw/char: QOM'ify lm32_uart.c | xiaoqiang zhao | 3 | -13/+35

* Drop the old SysBus init function and use instance_init
* Call qemu_chr_add_handlers in the realize callback
* Use qdev chardev prop instead of qemu_char_get_next_serial
* Add lm32_uart_create function to create lm32 uart device

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1464158344-12266-5-git-send-email-zxq_yx_007@163.com>
Tested-by: Michael Walle <michael@walle.cc>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | hw/char: QOM'ify lm32_juart.c | xiaoqiang zhao | 4 | -13/+14

* Drop the old SysBus init function
* Call qemu_chr_add_handlers in the realize callback
* Use qdev chardev prop instead of qemu_char_get_next_serial

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1464158344-12266-4-git-send-email-zxq_yx_007@163.com>
Tested-by: Michael Walle <michael@walle.cc>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2016-05-29 | hw/char: QOM'ify etraxfs_ser.c | xiaoqiang zhao | 3 | -12/+35

* Drop the old SysBus init function and use instance_init
* Call qemu_chr_add_handlers in the realize callback
* Use qdev chardev prop instead of qemu_char_get_next_serial
* Add etraxfs_ser_create function to create etraxfs serial device

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-Id: <1464158344-12266-3-git-send-email-zxq_yx_007@163.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>