From 41a2635124117d1fac7e45b3cafa2c1ac68417fd Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Tue, 10 Sep 2019 16:22:23 +0200 Subject: elf-ops.h: fix int overflow in load_elf() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch fixes a possible integer overflow when we calculate the total size of ELF segments loaded. Reported-by: Coverity (CID 1405299) Reviewed-by: Alex Bennée Signed-off-by: Stefano Garzarella Message-Id: <20190910124828.39794-1-sgarzare@redhat.com> Signed-off-by: Paolo Bonzini --- include/hw/elf_ops.h | 5 +++++ include/hw/loader.h | 1 + 2 files changed, 6 insertions(+) (limited to 'include') diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h index 1496d7e..e07d276 100644 --- a/include/hw/elf_ops.h +++ b/include/hw/elf_ops.h @@ -485,6 +485,11 @@ static int glue(load_elf, SZ)(const char *name, int fd, } } + if (mem_size > INT_MAX - total_size) { + ret = ELF_LOAD_TOO_BIG; + goto fail; + } + /* address_offset is hack for kernel images that are linked at the wrong physical address. */ if (translate_fn) { diff --git a/include/hw/loader.h b/include/hw/loader.h index 07fd928..48a96cd 100644 --- a/include/hw/loader.h +++ b/include/hw/loader.h @@ -89,6 +89,7 @@ int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz); #define ELF_LOAD_NOT_ELF -2 #define ELF_LOAD_WRONG_ARCH -3 #define ELF_LOAD_WRONG_ENDIAN -4 +#define ELF_LOAD_TOO_BIG -5 const char *load_elf_strerror(int error); /** load_elf_ram_sym: -- cgit v1.1 From 72d41eb4b8f923de91e8f06dc20aa86b0a9155fb Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Fri, 30 Aug 2019 10:30:56 +0100 Subject: memory: fetch pmem size in get_file_size() Neither stat(2) nor lseek(2) report the size of Linux devdax pmem character device nodes. Commit 314aec4a6e06844937f1677f6cba21981005f389 ("hostmem-file: reject invalid pmem file sizes") added code to hostmem-file.c to fetch the size from sysfs and compare against the user-provided size=NUM parameter: if (backend->size > size) { error_setg(errp, "size property %" PRIu64 " is larger than " "pmem file \"%s\" size %" PRIu64, backend->size, fb->mem_path, size); return; } It turns out that exec.c:qemu_ram_alloc_from_fd() already has an equivalent size check but it skips devdax pmem character devices because lseek(2) returns 0: if (file_size > 0 && file_size < size) { error_setg(errp, "backing store %s size 0x%" PRIx64 " does not match 'size' option 0x" RAM_ADDR_FMT, mem_path, file_size, size); return NULL; } This patch moves the devdax pmem file size code into get_file_size() so that we check the memory size in a single place: qemu_ram_alloc_from_fd(). This simplifies the code and makes it more general. This also fixes the problem that hostmem-file only checks the devdax pmem file size when the pmem=on parameter is given. An unchecked size=NUM parameter can lead to SIGBUS in QEMU so we must always fetch the file size for Linux devdax pmem character device nodes. Signed-off-by: Stefan Hajnoczi Message-Id: <20190830093056.12572-1-stefanha@redhat.com> Reviewed-by: Eduardo Habkost Signed-off-by: Paolo Bonzini --- include/qemu/osdep.h | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'include') diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h index af2b91f..c7d242f 100644 --- a/include/qemu/osdep.h +++ b/include/qemu/osdep.h @@ -571,19 +571,6 @@ void os_mem_prealloc(int fd, char *area, size_t sz, int smp_cpus, Error **errp); /** - * qemu_get_pmem_size: - * @filename: path to a pmem file - * @errp: pointer to a NULL-initialized error object - * - * Determine the size of a persistent memory file. Besides supporting files on - * DAX file systems, this function also supports Linux devdax character - * devices. - * - * Returns: the size or 0 on failure - */ -uint64_t qemu_get_pmem_size(const char *filename, Error **errp); - -/** * qemu_get_pid_name: * @pid: pid of a process * -- cgit v1.1 From 7a3df11c2a647cf889f6ede8b7d5f81438bb5cc9 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 12 Sep 2019 16:02:42 +0200 Subject: memory: inline and optimize devend_memop devend_memop can rely on the fact that the result is always either 0 or MO_BSWAP, corresponding respectively to host endianness and the opposite. Native (target) endianness in turn can be either the host endianness, in which case MO_BSWAP is only returned for host-opposite endianness, or the opposite, in which case 0 is only returned for host endianness. With this in mind, devend_memop can be compiled as a setcond+shift for every target. Do this and, while at it, move it to include/exec/memory.h since !NEED_CPU_H files do not (and should not) need it. Reviewed-by: Richard Henderson Signed-off-by: Paolo Bonzini --- include/exec/memory.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/exec/memory.h b/include/exec/memory.h index 2dd8102..a30245c 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -2201,8 +2201,25 @@ address_space_write_cached(MemoryRegionCache *cache, hwaddr addr, } } +#ifdef NEED_CPU_H /* enum device_endian to MemOp. */ -MemOp devend_memop(enum device_endian end); +static inline MemOp devend_memop(enum device_endian end) +{ + QEMU_BUILD_BUG_ON(DEVICE_HOST_ENDIAN != DEVICE_LITTLE_ENDIAN && + DEVICE_HOST_ENDIAN != DEVICE_BIG_ENDIAN); + +#if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN) + /* Swap if non-host endianness or native (target) endianness */ + return (end == DEVICE_HOST_ENDIAN) ? 0 : MO_BSWAP; +#else + const int non_host_endianness = + DEVICE_LITTLE_ENDIAN ^ DEVICE_BIG_ENDIAN ^ DEVICE_HOST_ENDIAN; + + /* In this case, native (target) endianness needs no swap. */ + return (end == non_host_endianness) ? MO_BSWAP : 0; +#endif +} +#endif #endif -- cgit v1.1 From 3dcc9c6ec4ea60fd1464b35aa82199483f24ba75 Mon Sep 17 00:00:00 2001 From: Yury Kotov Date: Mon, 9 Sep 2019 16:13:33 +0300 Subject: qemu-thread: Add qemu_cond_timedwait The new function is needed to implement conditional sleep for CPU throttling. It's possible to reuse qemu_sem_timedwait, but it's more difficult than just add qemu_cond_timedwait. Also moved compute_abs_deadline function up the code to reuse it in qemu_cond_timedwait_impl win32. Signed-off-by: Yury Kotov Message-Id: <20190909131335.16848-2-yury-kotov@yandex-team.ru> Signed-off-by: Paolo Bonzini --- include/qemu/thread.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'include') diff --git a/include/qemu/thread.h b/include/qemu/thread.h index 55d83a9..047db03 100644 --- a/include/qemu/thread.h +++ b/include/qemu/thread.h @@ -34,6 +34,8 @@ typedef void (*QemuRecMutexLockFunc)(QemuRecMutex *m, const char *f, int l); typedef int (*QemuRecMutexTrylockFunc)(QemuRecMutex *m, const char *f, int l); typedef void (*QemuCondWaitFunc)(QemuCond *c, QemuMutex *m, const char *f, int l); +typedef bool (*QemuCondTimedWaitFunc)(QemuCond *c, QemuMutex *m, int ms, + const char *f, int l); extern QemuMutexLockFunc qemu_bql_mutex_lock_func; extern QemuMutexLockFunc qemu_mutex_lock_func; @@ -41,6 +43,7 @@ extern QemuMutexTrylockFunc qemu_mutex_trylock_func; extern QemuRecMutexLockFunc qemu_rec_mutex_lock_func; extern QemuRecMutexTrylockFunc qemu_rec_mutex_trylock_func; extern QemuCondWaitFunc qemu_cond_wait_func; +extern QemuCondTimedWaitFunc qemu_cond_timedwait_func; /* convenience macros to bypass the profiler */ #define qemu_mutex_lock__raw(m) \ @@ -63,6 +66,8 @@ extern QemuCondWaitFunc qemu_cond_wait_func; qemu_rec_mutex_trylock_impl(m, __FILE__, __LINE__); #define qemu_cond_wait(c, m) \ qemu_cond_wait_impl(c, m, __FILE__, __LINE__); +#define qemu_cond_timedwait(c, m, ms) \ + qemu_cond_wait_impl(c, m, ms, __FILE__, __LINE__); #else #define qemu_mutex_lock(m) ({ \ QemuMutexLockFunc _f = atomic_read(&qemu_mutex_lock_func); \ @@ -89,6 +94,11 @@ extern QemuCondWaitFunc qemu_cond_wait_func; QemuCondWaitFunc _f = atomic_read(&qemu_cond_wait_func); \ _f(c, m, __FILE__, __LINE__); \ }) + +#define qemu_cond_timedwait(c, m, ms) ({ \ + QemuCondTimedWaitFunc _f = atomic_read(&qemu_cond_timedwait_func); \ + _f(c, m, ms, __FILE__, __LINE__); \ + }) #endif #define qemu_mutex_unlock(mutex) \ @@ -134,12 +144,21 @@ void qemu_cond_signal(QemuCond *cond); void qemu_cond_broadcast(QemuCond *cond); void qemu_cond_wait_impl(QemuCond *cond, QemuMutex *mutex, const char *file, const int line); +bool qemu_cond_timedwait_impl(QemuCond *cond, QemuMutex *mutex, int ms, + const char *file, const int line); static inline void (qemu_cond_wait)(QemuCond *cond, QemuMutex *mutex) { qemu_cond_wait(cond, mutex); } +/* Returns true if timeout has not expired, and false otherwise */ +static inline bool (qemu_cond_timedwait)(QemuCond *cond, QemuMutex *mutex, + int ms) +{ + return qemu_cond_timedwait(cond, mutex, ms); +} + void qemu_sem_init(QemuSemaphore *sem, int init); void qemu_sem_post(QemuSemaphore *sem); void qemu_sem_wait(QemuSemaphore *sem); -- cgit v1.1 From d6d059ca07ae907b8945f88c382fb54d43f9f03a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 19 Aug 2019 00:54:01 +0200 Subject: hw/i386/pc: Extract e820 memory layout code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Samuel Ortiz Reviewed-by: Li Qiang Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20190818225414.22590-3-philmd@redhat.com> Signed-off-by: Paolo Bonzini --- include/hw/i386/pc.h | 11 ----------- 1 file changed, 11 deletions(-) (limited to 'include') diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h index 19a8378..062feeb 100644 --- a/include/hw/i386/pc.h +++ b/include/hw/i386/pc.h @@ -291,17 +291,6 @@ void pc_system_firmware_init(PCMachineState *pcms, MemoryRegion *rom_memory); void pc_madt_cpu_entry(AcpiDeviceIf *adev, int uid, const CPUArchIdList *apic_ids, GArray *entry); -/* e820 types */ -#define E820_RAM 1 -#define E820_RESERVED 2 -#define E820_ACPI 3 -#define E820_NVS 4 -#define E820_UNUSABLE 5 - -int e820_add_entry(uint64_t, uint64_t, uint32_t); -int e820_get_num_entries(void); -bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *); - extern GlobalProperty pc_compat_4_1[]; extern const size_t pc_compat_4_1_len; -- cgit v1.1