From 7423192912af36a2cdf4eb2066f17ca37904ef5e Mon Sep 17 00:00:00 2001 From: Dima Stepanov Date: Tue, 15 Jan 2019 13:08:47 +0300 Subject: virtio: add checks for the size of the indirect table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the INDIRECT table to get the data. It is possible to create a packet which will lead to the assert message like: include/exec/memory.h:1995: void address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int): Assertion `addr < cache->len && len <= cache->len - addr' failed. Aborted To do it the first descriptor should have a link to the INDIRECT table and set the size of it to 0. It doesn't look good that the guest should be able to trigger the assert in qemu. Add additional check for the size of the INDIRECT table, which should not be 0. Signed-off-by: Dima Stepanov Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Cornelia Huck Reviewed-by: Stefan Hajnoczi --- hw/virtio/virtio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 22bd1ac..a1ff647 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -646,7 +646,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes, vring_desc_read(vdev, &desc, desc_cache, i); if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table"); goto err; } 
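Review bot: The same guest-controlled length check now appears verbatim in two places — here in virtqueue_get_avail_bytes() and in the virtqueue_pop() hunk that follows — with identical error text, so the two copies can drift apart the next time the rule changes, which is exactly how the zero-length case was missed before. A small helper keeps them in sync: `static bool virtqueue_indirect_len_valid(uint32_t len) { return len != 0 && len % sizeof(VRingDesc) == 0; }` (assuming VRingDesc.len is uint32_t) and `if (!virtqueue_indirect_len_valid(desc.len)) {` at both sites. The body of virtqueue_get_avail_bytes() starts and ends outside the hunk.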
@@ -902,7 +902,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) desc_cache = &caches->desc; vring_desc_read(vdev, &desc, desc_cache, i); if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table"); goto done; } -- cgit v1.1 From 3f262b26b82cf5930f0c294d289f258a6d3d2528 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Sat, 3 Nov 2018 08:41:04 -0700 Subject: hw: virtio-pci: drop DO_UPCAST MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use VIRTIO_PCI MACRO instead. Signed-off-by: Li Qiang Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/virtio/virtio-pci.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c index b282109..e978bfe 100644 --- a/hw/virtio/virtio-pci.c +++ b/hw/virtio/virtio-pci.c @@ -591,7 +591,7 @@ virtio_address_space_read(VirtIOPCIProxy *proxy, hwaddr addr, static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, uint32_t val, int len) { - VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); + VirtIOPCIProxy *proxy = VIRTIO_PCI(pci_dev); VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); struct virtio_pci_cfg_cap *cfg; @@ -624,7 +624,7 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address, static uint32_t virtio_read_config(PCIDevice *pci_dev, uint32_t address, int len) { - VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev); + VirtIOPCIProxy *proxy = VIRTIO_PCI(pci_dev); struct virtio_pci_cfg_cap *cfg; if (proxy->config_cap && -- cgit v1.1 From 2a078b1080917dc6143783e1dd645e188d11dc8f Mon Sep 17 00:00:00 2001 
From: Peter Xu Date: Wed, 16 Jan 2019 11:08:12 +0800 Subject: intel_iommu: fix operator in vtd_switch_address_space When calculating use_iommu, we wanted to first detect whether DMAR is enabled, then check whether PT is enabled if DMAR is enabled. However in the current code we used "&" rather than "&&" so the ordering requirement is lost (instead it'll be an "AND" operation). This could introduce errors dumped in QEMU console when rebooting a guest with both assigned device and vIOMMU, like: qemu-system-x86_64: vtd_dev_to_context_entry: invalid root entry: rsvd=0xf000ff53f000e2c3, val=0xf000ff53f000ff53 (reserved nonzero) Acked-by: Jason Wang Signed-off-by: Peter Xu Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/i386/intel_iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c index 8b72735..6d5cc1d 100644 --- a/hw/i386/intel_iommu.c +++ b/hw/i386/intel_iommu.c @@ -1153,7 +1153,7 @@ static bool vtd_switch_address_space(VTDAddressSpace *as) assert(as); - use_iommu = as->iommu_state->dmar_enabled & !vtd_dev_pt_enabled(as); + use_iommu = as->iommu_state->dmar_enabled && !vtd_dev_pt_enabled(as); trace_vtd_switch_address_space(pci_bus_num(as->bus), VTD_PCI_SLOT(as->devfn), -- cgit v1.1 From d7bb469afa015e28a443faf1600a5a28b5fa483a Mon Sep 17 00:00:00 2001 From: Peter Xu Date: Wed, 16 Jan 2019 11:08:13 +0800 Subject: intel_iommu: reset intr_enabled when system reset This is found when I was debugging another problem. Until now no bug is reported with this but we'd better reset the IR status correctly after a system reset. Acked-by: Jason Wang Signed-off-by: Peter Xu Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/i386/intel_iommu.c | 1 + 1 file changed, 1 insertion(+) (limited to 'hw') diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c index 6d5cc1d..ee22e75 100644 --- a/hw/i386/intel_iommu.c +++ b/hw/i386/intel_iommu.c 
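Review bot: The corrected line deserves a comment, because the difference between `&` and `&&` here is the short-circuit rather than the value: with 0/1 operands both forms compute the same result, and what the commit message describes is that vtd_dev_pt_enabled() — which, judging by the error quoted there, looks up the context entry — must not run while DMAR is disabled. Suggest `/* && not &: do not consult the context entry (vtd_dev_pt_enabled) unless DMAR is on */` above the assignment so the next reader does not "simplify" it back. vtd_switch_address_space() continues outside the hunk.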
@@ -3138,6 +3138,7 @@ static void vtd_init(IntelIOMMUState *s) s->root = 0; s->root_extended = false; s->dmar_enabled = false; + s->intr_enabled = false; s->iq_head = 0; s->iq_tail = 0; s->iq = 0; -- cgit v1.1 From afa26ecc3010d2851a065edc7817d31e07d236ec Mon Sep 17 00:00:00 2001 From: Peter Xu Date: Wed, 16 Jan 2019 11:08:14 +0800 Subject: pci/msi: export msi_is_masked() It is going to be used later on outside MSI code to detect whether one MSI vector is masked out. Signed-off-by: Peter Xu Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/pci/msi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/pci/msi.c b/hw/pci/msi.c index 5e05ce5..47d2b0f 100644 --- a/hw/pci/msi.c +++ b/hw/pci/msi.c @@ -286,7 +286,7 @@ void msi_reset(PCIDevice *dev) MSI_DEV_PRINTF(dev, "reset\n"); } -static bool msi_is_masked(const PCIDevice *dev, unsigned int vector) +bool msi_is_masked(const PCIDevice *dev, unsigned int vector) { uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev)); uint32_t mask, data; -- cgit v1.1 From caa1ee43131c060347b32893abd41fe4865eaa2e Mon Sep 17 00:00:00 2001 From: Changpeng Liu Date: Wed, 16 Jan 2019 13:19:30 +0800 Subject: vhost-user-blk: add discard/write zeroes features support Linux commit 1f23816b8 "virtio_blk: add discard and write zeroes support" added the support in the Guest kernel, while here also enable the features support with vhost-user-blk driver. Also enable the test example utility with DISCARD and WRITE ZEROES commands. Signed-off-by: Changpeng Liu Reviewed-by: Stefan Hajnoczi Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/block/vhost-user-blk.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'hw') diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index c3af28f..44ac814 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c 
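Review bot: Only the enable flag is cleared here; if the interrupt-remapping root address, table size and EIME setting live in sibling fields of IntelIOMMUState (outside the hunk), they should be reset next to `s->intr_enabled = false;` as well, otherwise a guest that rebooted with IR on inherits stale table state once it re-enables it. I cannot see the rest of vtd_init() to confirm which fields exist, so treat this as a question rather than a defect. vtd_init() starts and ends outside the hunk.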
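Review bot: Dropping `static` makes msi_is_masked() part of the hw/pci API, so its prototype belongs in the MSI header in the same commit, together with a one-line comment describing the contract for the new external callers (what `vector` indexes and whether the caller must have checked `msi_enabled()` first). The diffstat shown is filtered to hw/, so the header change may simply be outside this view. The function body continues outside the hunk, so I cannot propose the exact wording.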
@@ -38,6 +38,8 @@ static const int user_feature_bits[] = { VIRTIO_BLK_F_RO, VIRTIO_BLK_F_FLUSH, VIRTIO_BLK_F_CONFIG_WCE, + VIRTIO_BLK_F_DISCARD, + VIRTIO_BLK_F_WRITE_ZEROES, VIRTIO_F_VERSION_1, VIRTIO_RING_F_INDIRECT_DESC, VIRTIO_RING_F_EVENT_IDX, @@ -204,6 +206,8 @@ static uint64_t vhost_user_blk_get_features(VirtIODevice *vdev, virtio_add_feature(&features, VIRTIO_BLK_F_BLK_SIZE); virtio_add_feature(&features, VIRTIO_BLK_F_FLUSH); virtio_add_feature(&features, VIRTIO_BLK_F_RO); + virtio_add_feature(&features, VIRTIO_BLK_F_DISCARD); + virtio_add_feature(&features, VIRTIO_BLK_F_WRITE_ZEROES); if (s->config_wce) { virtio_add_feature(&features, VIRTIO_BLK_F_CONFIG_WCE); -- cgit v1.1 From 87593a4751c89993896ea534c59a9488d7963ae9 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 25 Jan 2019 13:56:00 +0100 Subject: hw/virtio: Use CONFIG_VIRTIO_PCI switch instead of CONFIG_PCI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For downstream s390x builds, we'd like to be able to build QEMU with CONFIG_VIRTIO_PCI disabled (since virtio-ccw is used here instead), but still with CONFIG_PCI enabled. This currently fails since the virtio-*-pci.o files are still included in the build, but virtio-pci.o is missing. Use the right config switch CONFIG_VIRTIO_PCI to exclude the virtio-*-pci.o files from the build. Reported-by: Miroslav Rezanina Signed-off-by: Thomas Huth Reviewed-by: Cornelia Huck Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/virtio/Makefile.objs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/virtio/Makefile.objs b/hw/virtio/Makefile.objs index ea7913d..d335dd0 100644 --- a/hw/virtio/Makefile.objs +++ b/hw/virtio/Makefile.objs 
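Review bot: In vhost_user_blk_get_features() the two new bits are offered unconditionally, so the guest will see discard/write-zeroes support regardless of what the vhost-user backend negotiated unless the result is later masked by vhost_get_features() against user_feature_bits (the first hunk adds them there, so that is presumably the intent, but the masking call is outside the hunk). If it is not, a backend lacking these features would receive requests it cannot handle. The discard/write-zeroes limits in virtio_blk_config are also read from the backend, so the device's advertised config size should cover those fields — worth confirming. The function continues outside the hunk.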
@@ -11,7 +11,7 @@ obj-$(call land,$(CONFIG_VIRTIO_CRYPTO),$(CONFIG_VIRTIO_PCI)) += virtio-crypto-p obj-$(CONFIG_LINUX) += vhost.o vhost-backend.o vhost-user.o obj-$(CONFIG_VHOST_VSOCK) += vhost-vsock.o -ifeq ($(CONFIG_PCI),y) +ifeq ($(CONFIG_VIRTIO_PCI),y) obj-$(CONFIG_VHOST_VSOCK) += vhost-vsock-pci.o obj-$(CONFIG_VHOST_USER_BLK) += vhost-user-blk-pci.o obj-$(CONFIG_VHOST_USER_SCSI) += vhost-user-scsi-pci.o -- cgit v1.1 From 24cf5413aa059f874c34e442802ce25cd1e72178 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Fri, 25 Jan 2019 16:00:58 -0500 Subject: acpi: Make TPM 2.0 with TIS available as MSFT0101 This patch makes the a TPM 2.0 with TIS interface available under the HID 'MSF0101'. This is supported by Linux and also Windows now recognizes the TPM 2.0 with TIS interface. Leave the TPM 1.2 as before. Signed-off-by: Stefan Berger Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Reviewed-by: Igor Mammedov --- hw/i386/acpi-build.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index d60603a..26cef4a 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -2141,8 +2141,16 @@ build_dsdt(GArray *table_data, BIOSLinker *linker, build_append_pci_bus_devices(scope, bus, pm->pcihp_bridge_en); if (TPM_IS_TIS(tpm)) { - dev = aml_device("ISA.TPM"); - aml_append(dev, aml_name_decl("_HID", aml_eisaid("PNP0C31"))); + if (misc->tpm_version == TPM_VERSION_2_0) { + dev = aml_device("TPM"); + aml_append(dev, aml_name_decl("_HID", + aml_string("MSFT0101"))); + } else { + dev = aml_device("ISA.TPM"); + aml_append(dev, aml_name_decl("_HID", + aml_eisaid("PNP0C31"))); + } + aml_append(dev, aml_name_decl("_STA", aml_int(0xF))); crs = aml_resource_template(); aml_append(crs, aml_memory32_fixed(TPM_TIS_ADDR_BASE, -- cgit v1.1 From 3b3df3e52dd6adff483d8626c8f0801fd0ac05df Mon Sep 17 00:00:00 2001 
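Review bot: The file already expresses "VIRTIO_X and VIRTIO_PCI" with `$(call land,...)` in the line quoted in the hunk header (the virtio-crypto-pci rule), while this block uses an `ifeq` around the vhost-*-pci rules; two idioms for the same condition make it easy to update one and forget the other. A consistent form would be `obj-$(call land,$(CONFIG_VHOST_VSOCK),$(CONFIG_VIRTIO_PCI)) += vhost-vsock-pci.o` and likewise for the two vhost-user rules, dropping the ifeq. Whether the ifeq block continues past the hunk I cannot tell from here.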
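Review bot: Both branches end in the same `aml_append(dev, aml_name_decl("_HID", ...))` call and differ only in the device path and HID object, so the structure hides the one thing that matters: the 2.0 device is named `TPM` at the current scope while 1.2 stays under `ISA.TPM`. Naming that difference in a comment prevents a future tidy-up from unifying the paths: `/* TPM 2.0 is exposed as MSFT0101 at this scope (what Windows expects); TPM 1.2 keeps the legacy ISA.TPM / PNP0C31 identity */`. The two literals could also become named constants alongside the existing TPM_TIS_ADDR_BASE. build_dsdt() continues outside the hunk.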
From: Laszlo Ersek Date: Fri, 18 Jan 2019 23:31:52 +0100 Subject: fw_cfg: fix the life cycle and the name of "qemu_extra_params_fw" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 19bcc4bc3213 ("fw_cfg: Make qemu_extra_params_fw locally", 2019-01-04) changed the storage duration of the "qemu_extra_params_fw" array from static to automatic. This broke the interface contract on the fw_cfg_add_file() function, which is documented as follows, in "include/hw/nvram/fw_cfg.h": > [...] The data referenced by the starting pointer is only linked, NOT > copied, into the data structure of the fw_cfg device. [...] As a result, when guest firmware fetches the "etc/boot-menu-wait" fw_cfg file, it now sees garbage. Fix the regression by changing the storage duration to allocated. (The call is reached at most once, on the realize path of the board-specific fw_cfg sysbus device.) While at it, clean up the name and the assignment of the object as well. Cc: Gerd Hoffmann Cc: Markus Armbruster Cc: Philippe Mathieu-Daudé Fixes: 19bcc4bc3213e78c303ad480a7a578f62258252d Signed-off-by: Laszlo Ersek Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Reviewed-by: Gerd Hoffmann Reviewed-by: Li Qiang Reviewed-by: Stefano Garzarella Reviewed-by: Philippe Mathieu-Daudé --- hw/nvram/fw_cfg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'hw') diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c index 53e8e01..7fdf04a 100644 --- a/hw/nvram/fw_cfg.c +++ b/hw/nvram/fw_cfg.c @@ -118,7 +118,6 @@ static void fw_cfg_bootsplash(FWCfgState *s) { const char *boot_splash_filename = NULL; const char *boot_splash_time = NULL; - uint8_t qemu_extra_params_fw[2]; char *filename, *file_data; gsize file_size; int file_type; 
@@ -132,6 +131,8 @@ static void fw_cfg_bootsplash(FWCfgState *s) /* insert splash time if user configurated */ if (boot_splash_time) { int64_t bst_val = qemu_opt_get_number(opts, "splash-time", -1); + uint16_t bst_le16; + /* validate the input */ if (bst_val < 0 || bst_val > 0xffff) { error_report("splash-time is invalid," @@ -139,9 +140,9 @@ static void fw_cfg_bootsplash(FWCfgState *s) exit(1); } /* use little endian format */ - qemu_extra_params_fw[0] = (uint8_t)(bst_val & 0xff); - qemu_extra_params_fw[1] = (uint8_t)((bst_val >> 8) & 0xff); - fw_cfg_add_file(s, "etc/boot-menu-wait", qemu_extra_params_fw, 2); + bst_le16 = cpu_to_le16(bst_val); + fw_cfg_add_file(s, "etc/boot-menu-wait", + g_memdup(&bst_le16, sizeof bst_le16), sizeof bst_le16); } /* insert splash file if user configurated */ -- cgit v1.1 From 009180bd49ad8851258acecfb109fc3aa2f480ad Mon Sep 17 00:00:00 2001 From: Wei Yang Date: Wed, 30 Jan 2019 11:02:07 +0800 Subject: i386, acpi: cleanup build_facs by removing second unused argument MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The second argument of build_facs() is not used, just remove it. Signed-off-by: Wei Yang Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Reviewed-by: Igor Mammedov Reviewed-by: Philippe Mathieu-Daudé Tested-by: Philippe Mathieu-Daudé --- hw/i386/acpi-build.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index 26cef4a..9ecc96d 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -298,7 +298,7 @@ static void acpi_align_size(GArray *blob, unsigned align) /* FACS */ static void -build_facs(GArray *table_data, BIOSLinker *linker) +build_facs(GArray *table_data) { AcpiFacsDescriptorRev1 *facs = acpi_data_push(table_data, sizeof *facs); memcpy(&facs->signature, "FACS", 4); 
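Review bot: The `g_memdup()` result is handed to fw_cfg_add_file() and never freed, which is correct (the commit message quotes the header: the pointer is linked, not copied) but reads as a leak to anyone scanning the function; a comment on the call makes the ownership explicit: `/* fw_cfg only links the pointer, so this allocation must live as long as the device; it is intentionally never freed */`. Also `bst_val` is int64_t and is narrowed implicitly in `cpu_to_le16(bst_val)`; the range check in the preceding hunk guarantees it fits, and an explicit `(uint16_t)bst_val` would say so to the compiler. fw_cfg_bootsplash() starts outside the hunk.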
@@ -2637,7 +2637,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) * requirements. */ facs = tables_blob->len; - build_facs(tables_blob, tables->linker); + build_facs(tables_blob); /* DSDT is pointed to by FADT */ dsdt = tables_blob->len; -- cgit v1.1 From 7de7b6087ef0443c7eef7b8b618ef9a8254a452e Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Fri, 1 Feb 2019 17:57:42 -0500 Subject: r2d: fix build on mingw Comment near strncpy explains kernel_cmdline does not need to be 0-terminated. Accordingly mark it as QEMU_NONSTRING. Without this, gcc warns: 'strncpy' specified bound 256 equals destination size Signed-off-by: Michael S. Tsirkin --- hw/sh4/r2d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/sh4/r2d.c b/hw/sh4/r2d.c index 5b399e7..dcdb372 100644 --- a/hw/sh4/r2d.c +++ b/hw/sh4/r2d.c @@ -220,7 +220,7 @@ static struct QEMU_PACKED char pad[232]; - char kernel_cmdline[256]; + char kernel_cmdline[256] QEMU_NONSTRING; } boot_params; static void r2d_init(MachineState *machine) -- cgit v1.1
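Review bot: The attribute records the invariant only at the field, while the explanation the commit message refers to sits next to the strncpy outside the hunk, so a reader of the struct will not find it. Put a short comment on the field itself: `char kernel_cmdline[256] QEMU_NONSTRING; /* not NUL-terminated: readers must use the array length, never strlen() */`. The struct definition starts outside the hunk.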