| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
We assign ret with the error code, but then return 0 unconditionally.
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
The dynamic linker from the GNU C library v2.10+ uses the ELF
auxiliary vector AT_RANDOM [1] as a pointer to 16 bytes with random
values to initialize the stack protection mechanism. Technically the
emulated GNU dynamic linker crashes due to a NULL pointer
derefencement if it is built with stack protection enabled and if
AT_RANDOM is not defined by the QEMU ELF loader.
[1] This ELF auxiliary vector was introduced in Linux v2.6.29.
This patch can be tested with the code above:
#include <elf.h> /* Elf*_auxv_t, AT_RANDOM, */
#include <stdio.h> /* printf(3), */
#include <stdlib.h> /* exit(3), EXIT_*, */
#include <stdint.h> /* uint8_t, */
#include <string.h> /* memcpy(3), */
#if defined(__LP64__) || defined(__ILP64__) || defined(__LLP64__)
# define Elf_auxv_t Elf64_auxv_t
#else
# define Elf_auxv_t Elf32_auxv_t
#endif
main(int argc, char* argv[], char* envp[])
{
Elf_auxv_t *auxv;
/* *envp = NULL marks end of envp. */
while (*envp++ != NULL);
/* auxv->a_type = AT_NULL marks the end of auxv. */
for (auxv = (Elf_auxv_t *)envp; auxv->a_type != AT_NULL; auxv++) {
if (auxv->a_type == AT_RANDOM) {
int i;
uint8_t rand_bytes[16];
printf("AT_RANDOM is: 0x%x\n", auxv->a_un.a_val);
memcpy(rand_bytes, (const uint8_t *)auxv->a_un.a_val, sizeof(rand_bytes));
printf("it points to: ");
for (i = 0; i < 16; i++) {
printf("0x%02x ", rand_bytes[i]);
}
printf("\n");
exit(EXIT_SUCCESS);
}
}
exit(EXIT_FAILURE);
}
Changes introduced in v2 and v3:
* Fix typos + thinko (AT_RANDOM is used for stack canary, not for
ASLR)
* AT_RANDOM points to 16 random bytes stored inside the user
stack.
* Add a small test program.
Signed-off-by: Cédric VINCENT <cedric.vincent@st.com>
Signed-off-by: Laurent ALFONSI <laurent.alfonsi@st.com>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
Some architectures (like Blackfin) only implement pselect6 (and skip
select/newselect). So add support for it.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
There were several remaining bugs in the previous implementation of
do_brk():
1. the value of "new_alloc_size" was one page too large when the
requested brk was aligned on a host page boundary.
2. no new pages should be (re-)allocated when the requested brk is
in the range of the pages that were already allocated
previsouly (for the same purpose). Technically these pages are
never unmapped in the current implementation.
The problem/fix can be reproduced/validated with the test-suite above:
#include <unistd.h> /* syscall(2), */
#include <sys/syscall.h> /* SYS_brk, */
#include <stdio.h> /* puts(3), */
#include <stdlib.h> /* exit(3), EXIT_*, */
#include <stdint.h> /* uint*_t, */
#include <sys/mman.h> /* mmap(2), MAP_*, */
#include <string.h> /* memset(3), */
int main()
{
int exit_status = EXIT_SUCCESS;
uint8_t *current_brk = 0;
uint8_t *initial_brk;
uint8_t *new_brk;
uint8_t *old_brk;
int failure = 0;
int i;
void test_brk(int increment, int expected_result) {
new_brk = (uint8_t *)syscall(SYS_brk, current_brk + increment);
if ((new_brk == current_brk) == expected_result)
failure = 1;
current_brk = (uint8_t *)syscall(SYS_brk, 0);
}
void test_result() {
if (!failure)
puts("OK");
else {
puts("failure");
exit_status = EXIT_FAILURE;
}
}
void test_title(const char *title) {
failure = 0;
printf("%-45s : ", title);
fflush(stdout);
}
test_title("Initialization");
test_brk(0, 1);
initial_brk = current_brk;
test_result();
test_title("Don't overlap \"brk\" pages");
test_brk(HOST_PAGE_SIZE, 1);
test_brk(HOST_PAGE_SIZE, 1);
test_result();
/* Preparation for the test "Re-allocated heap is initialized". */
old_brk = current_brk - HOST_PAGE_SIZE;
memset(old_brk, 0xFF, HOST_PAGE_SIZE);
test_title("Don't allocate the same \"brk\" page twice");
test_brk(-HOST_PAGE_SIZE, 1);
test_brk(HOST_PAGE_SIZE, 1);
test_result();
test_title("Re-allocated \"brk\" pages are initialized");
for (i = 0; i < HOST_PAGE_SIZE; i++) {
if (old_brk[i] != 0) {
printf("(index = %d, value = 0x%x) ", i, old_brk[i]);
failure = 1;
break;
}
}
test_result();
test_title("Don't allocate \"brk\" pages over \"mmap\" pages");
new_brk = mmap(current_brk, HOST_PAGE_SIZE / 2, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
if (new_brk == (void *) -1)
puts("unknown");
else {
test_brk(HOST_PAGE_SIZE, 0);
test_result();
}
test_title("All \"brk\" pages are writable (please wait)");
if (munmap(current_brk, HOST_PAGE_SIZE / 2) != 0)
puts("unknown");
else {
while (current_brk - initial_brk < 2*1024*1024*1024UL) {
old_brk = current_brk;
test_brk(HOST_PAGE_SIZE, -1);
if (old_brk == current_brk)
break;
for (i = 0; i < HOST_PAGE_SIZE; i++)
old_brk[i] = 0xAA;
}
puts("OK");
}
test_title("Maximum size of the heap > 16MB");
failure = (current_brk - initial_brk) < 16*1024*1024;
test_result();
exit(exit_status);
}
Changes introduced in patch v2:
* extend the "brk" test-suite embedded within the commit message;
* heap contents have to be initialized to zero, this bug was
exposed by "tst-calloc.c" from the GNU C library;
* don't [try to] allocate a new host page if the new "brk" is
equal to the latest allocated host page ("brk_page"); and
* print some debug information when DEBUGF_BRK is defined.
Signed-off-by: Cédric VINCENT <cedric.vincent@st.com>
Reviewed-by: Christophe Guillon <christophe.guillon@st.com>
Cc: Riku Voipio <riku.voipio@iki.fi>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
In the m68k semihosting implementation of HOSTED_INIT_SIM, use the correct
check for whether do_brk() has failed -- it does not return -1 but the
previous value of the break limit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
In the ARM semihosting implementation of SYS_HEAPINFO, use the correct
check for whether do_brk() has failed -- it does not return -1 but the
previous value of the break limit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
Since mmap() with MAP_FIXED will map over the top of existing mappings,
it's a bad idea to use it to implement brk(), because brk() with a
large size is likely to overwrite important things like qemu itself
or the host libc. So we drop MAP_FIXED and handle "mapped but at
different address" as an error case instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
Fix a bug in the linux-user ELF loader code where it was not correctly
handling images where the lowest vaddr to be loaded was not page aligned.
The problem was that the code to probe for a suitable guest base address
was changing the 'loaddr' variable (by rounding it to a page boundary),
which meant that the load bias would then be incorrectly calculated
unless loaddr happened to already be page-aligned.
Binaries generated by gcc with the default linker script do start with
a loadable segment at a page-aligned vaddr, so were unaffected. This
bug was noticed with a binary created by the Google Go toolchain for ARM.
We fix the bug by refactoring the "probe for guest base" code out into
its own self-contained function.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
This patch fixes a "double free()" due to "realloc(syms, 0)" in the
loader when the ELF file has no "useful" symbol, as with the following
example (compiled with "sh4-linux-gcc -nostdlib"):
.text
.align 1
.global _start
_start:
mov #1, r3
trapa #40 // syscall(__NR_exit)
nop
The bug appears when the log (option "-d") is enabled.
Signed-off-by: Cédric VINCENT <cedric.vincent@st.com>
Signed-off-by: Yves JANIN <yves.janin@st.com>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
Reviewed-by: Richard Henderson <rth@twiddle.net>
|
|
Fixes crash in i386 when user emulation base address is non-zero.
21797 rt_sigreturn(8,1082124603,1,0,1082126048,1082126248)Exit reason and status: signal 11
Signed-off-by: Mike McCormack <mj.mccormack@samsung.com>
Signed-off-by: Riku Voipio <riku.voipio@iki.fi>
|
|
The 9118 ethernet controller interrupt line is active low unless
the IRQ config register is programmed to set both the IRQ_POL
(polarity: active-high) and IRQ_TYPE (type: push-pull) bits:
implement support for inverting the irq output in other configurations.
This also requires that we support setting the bits in the first
place, and that we correctly preserve them across software reset.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
|
|
BeOS and Haiku on i386 use long for 32-bit types, including pid_t.
Using %d with pid_t therefore results in a warning.
Unfortunately POSIX:2008 does not define a PRId* string for pid_t.
In some places pid_t was previously casted to long and %ld hardcoded.
The predecessor of this patch added another upcast for the simpletrace
filename but was not applied to date.
Since new uses of pid_t with %d keep creeping in, let's instead define
an OS-dependent format string and use that consistently.
Cc: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Ingo Weinhold <ingo_weinhold@gmx.de>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
|
|
Register the smc91c111 reset function as a qdev reset function.
Signed-off-by: Juha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
|
|
* 'cocoa-for-upstream' of git://repo.or.cz/qemu/afaerber:
Darwin: Fix compilation warning regarding the deprecated daemon() function
cocoa: Avoid warning related to multiple handleEvent: definitions
cocoa: Revert dependency on VNC
cocoa: Provide central qemu_main() prototype
Fix libfdt warnings on Darwin
configure: Fix check for fdatasync()
Remove warning in printf due to type mismatch
Cocoa: avoid displaying window when command-line contains '-h' or '-help'
Fix compilation warning due to incorrectly specified type
cocoa: do not create a spurious window for -version
|
|
Add command line support for logging to a location other than /tmp/qemu.log.
With logging enabled (command line option -d), the log is written to
the hard-coded path /tmp/qemu.log. This patch adds support for writing
the log to a different location by passing the -D option.
Signed-off-by: Matthew Fernandez <matthew.fernandez@gmail.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
|
|
|
|
|
|
|
|
|
|
Without this, qemu segfaults when a BH handler first deletes its BH and
then calls another function which involves a nested qemu_bh_poll() call.
This can be reproduced by generating an I/O error (e.g. with blkdebug) on
an IDE device and using rerror/werror=stop to stop the VM. When continuing
the VM, qemu segfaults.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
|
|
Clearing the error status flag was missing for restarting flushes. Now that the
error status is separate from the BM status register, we can simply set it to 0
after restarting the request. This ensures that we never forget to clear a bit.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Add support for TRIM sub function of the data set management command,
and wire it up to the qemu discard infrastructure.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Replace the is_read flag with a dma_cmd flag to allow the dma and
restart logic to handler other commands like TRIM.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Make dma_bdrv_io available for drivers, and pass an explicit I/O function
instead of hardcoding bdrv_aio_readv/bdrv_aio_writev. This is required
to implement non-READ/WRITE dma commands in the ide driver, e.g. the
upcoming TRIM support.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
When a failed PIO request caused the VM to stop, we still need to transfer the
PIO state even though DRQ=0 at this point.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
When adding the werror=stop mode, some flags were added to s->status
which are used to determine what kind of operation should be restarted
when the VM is continued.
Unfortunately, it turns out that s->status is in fact a device register
and as such is visible to the guest (some of the abused bits are even
writable for the guest).
For migration we keep on using the old VMState field (renamed to
migration_compat_status) if the status register doesn't use any of the
previously abused bits. If it does, we use a subsection with a clean copy of
the status register.
The error status is always sent in a subsection if there is any error. It can't
use the old field because errors happen even without PCI.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
If qcow2_cache_put returns an error during cluster allocation and the
allocation fails, it must be removed from the list of in-flight allocations.
Otherwise we'd get a loop in the list when the ACB is used for the next
allocation.
Luckily, this qcow2_cache_put shouldn't fail anyway because the L2 table is
only read, so that qcow2_cache_put doesn't even involve I/O.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
|
|
Signed-off-by: Devin Nakamura <devin122@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
bdrv_aio_* must not call the callback before returning to its caller. In vdi,
this could happen in some error cases. This starts the real requests processing
in a BH to avoid this situation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
bdrv_aio_* must not call the callback before returning to its caller. In qcow,
this could happen in some error cases. This starts the real requests processing
in a BH to avoid this situation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
bdrv_aio_* must not call the callback before returning to its caller. In qcow2,
this could happen in some error cases. This starts the real requests processing
in a BH to avoid this situation.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
This patchset enables a new CPU feature SMEP (Supervisor Mode Execution
Protection) in QEMU-KVM. SMEP prevents kernel from executing code in application.
Updated Intel SDM describes this CPU feature. The document will be published soon.
SMEP is identified by CPUID leaf 7 EBX[7], which is 0 before. Get the right value by query KVM kernel module, so that guest can get SMEP through CPUID.
Signed-off-by: Yang, Wei <wei.y.yang@intel.com>
Singed-off-by: Shan, Haitao <haitao.shan@intel.com>
Singed-off-by: Li, Xin <xin.li@intel.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
When KVM is running on VIA CPU with host cpu's model, the
feautures of VIA CPU will be passed into kvm guest by calling
the CPUID instruction for Centaur.
Signed-off-by: BrillyWu<brillywu@viatech.com.cn>
Signed-off-by: KaryJin<karyjin@viatech.com.cn>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
ccid_initfn() allocates CCIDBus dynamically, but there is no exit
callback to free it.
Fix by getting rid of the allocation.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
No flag to configure is required. Instead, added a libcacard.la target that
is not built by default, only when requested explicitly via:
mkdir build
cd build
../configure
make libcacard.la
make install-libcacard
Uses libtool to do actual linking of object files and shared library, and
installing. Tested only under linux, but supposed to work on other systems as
well.
If libtool isn't found you get a message complaining about that, only at build
time (since it is not a default target I did not add a message at configure
time).
New build artifacts:
.libs subdirectories (at <buildroot> and <buildroot>/libcacard)
*.lo files (at same locations as the respective o files)
Added %.lo : %.c rule that uses libtool.
Updated clean rule to clean up those artifacts.
Added specific rule to call dtrace with libtool wrapper (note that because of
a current upstream dtrace bug fixed by systemtap b1568fd85 commit the -fPIC flag
isn't actually passed on. still current dtrace+libtool produced object links fine).
If libtool is missing any of the following targets will complain and exit 1:
any subdir: *.lo
root and libcacard: libcacard.la, libcacard-instsall
Tested to link and load with all tracing backends.
|
|
|
|
expire_time must be initialited when the guest activates the
usb scheduler, not at device creation time.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Implement the wakeup callback in the OHCI USBPortOps, so that when
a downstream device wakes up it correctly causes the OHCI controller
to come out of suspend.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
HcPeriodCurrentED is read-only, but Linux writes to it anyway; silently
ignore this rather than printing a warning message.
(Specifically, drivers/usb/host/ohci-hub.c:ohci_rh_resume() writes a
0, in at least kernels 2.6.25 through 2.6.39.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Brad Hards <bradh@frogmouth.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Brad Hards <bradh@frogmouth.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Brad Hards <bradh@frogmouth.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
This causes an "Error: tried to detach unattached usb device " to be printed,
this can happen when deleting ie a usb host qdev, which did not
get attached (because a device matching the filter never got plugged in).
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
1024 bytes is way to small, one hd UVC webcam I have over here has so
many resolutions its descriptors take op close to 4k. Hopefully 8k will
be enough for all devices.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Not needed any more, usb-host is qdev-ified these days.
Well, at least the linux version ...
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
|
If a user wants to redirect 2 identical usb sticks, in theory this is
possible by doing:
usb_add host:1234:5678
usb_add host:1234:5678
But this will lead to us trying to open the first stick twice, since we
don't break the loop after having found a match in our filter list, so the next'
filter list entry will result in us trying to open the same device again.
Fix this by adding the missing break.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
