Commit Graph

519 Commits

Author SHA1 Message Date
Mark Cave-Ayland 66dcabea47 tcx: remove page24 and cpage from tcx24_update_display()
Since all of the tcx_*_dirty() functions now calculate the 24-bit and
cplane offsets themselves from the base address, these variables are no
longer needed.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland 36180430ac tcx: alter tcx24_reset_dirty() to accept address and length parameters
This can now be used by both the 8-bit and 24-bit display code, so rename
to tcx_check_dirty().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland 427ee02bc9 tcx: alter tcx24_check_dirty() to accept address and length parameters
This can now be used by both the 8-bit and 24-bit display code, so rename
to tcx_check_dirty().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland 4b865c2809 tcx: ensure tcx_set_dirty() also invalidates the 24-bit plane and cplane
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland 9800b3c20e tcx: alter tcx_set_dirty() to accept address and length parameters
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland 8c95e1f20c cg3: switch to load_image_mr() and remove prom-addr hack
Previous to the existence of load_image_mr(), the only way to load in the
FCode ROM image was to pass in its physical address via qdev properties
and use load_image_targphys().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-04-21 09:01:49 +01:00
Mark Cave-Ayland be4221d993 cg3: fix up size parameter for memory_region_get_dirty()
The code was incorrectly calculating the end address rather than the size of
the required region.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 08:31:30 +01:00
Mark Cave-Ayland 66e2f304a3 cg3: remove TARGET_PAGE_SIZE rounding on dirty page detection
This was an artifact from very early versions of the code from before the
memory API and is no longer needed.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 08:31:15 +01:00
Gerd Hoffmann 86dbcdd9c7 qxl: add migration blocker to avoid pre-save assert
Cc: 1635339@bugs.launchpad.net
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170410113131.2585-1-kraxel@redhat.com
2017-04-11 08:38:17 +02:00
Marc-André Lureau a703d3aef5 qxl: switch display on entering VGA
Since commit cd958edb1f, same size console resize is skipped. This
change broke QXL incoming migration in VGA mode,
qemu_spice_display_switch() is no longer called during qxl_post_load(),
because default message surface is of the same size, and during
displaychangelistener registration, PCIQXLDevice.mode is
QXL_MODE_UNDEFINED. This triggers a later crash on refresh:

==2634== Invalid read of size 4
==3516== at 0x65F3050: pixman_image_get_data (in /usr/lib64/libpixman-1.so.0.34.0)
==3516== by 0x6F0CEB: qemu_spice_create_update (spice-display.c:215)
==3516== by 0x6F1CC7: qemu_spice_display_refresh (spice-display.c:502)
==3516== by 0x58CF77: display_refresh (qxl.c:1948)
==3516== by 0x6E8084: do_safe_dpy_refresh (console.c:1591)
==3516== by 0x6E80D5: dpy_refresh (console.c:1604)
==3516== by 0x6E4508: gui_update (console.c:201)
==3516== by 0x81898E: timerlist_run_timers (qemu-timer.c:536)
==3516== by 0x8189D6: qemu_clock_run_timers (qemu-timer.c:547)
==3516== by 0x818D98: qemu_clock_run_all_timers (qemu-timer.c:662)
==3516== by 0x81952A: main_loop_wait (main-loop.c:514)
==3516== by 0x4ADD29: main_loop (vl.c:1898)

One way to solve this is to explicitely call qemu_spice_display_switch()
on entering VGA mode, which is called during qxl_post_load().

Fixes:
"null pointer access on migration resume of systemrescuecd boot menu with qxl-vga"
https://bugs.launchpad.net/qemu/+bug/1679126
https://bugzilla.redhat.com/show_bug.cgi?id=1438566

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170406120513.638-4-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-07 12:31:46 +02:00
Gerd Hoffmann db6cd4c855 cirrus: fix PUTPIXEL macro
Should be "c" not "col".  The macro is used with "col" as third parameter
everywhere, so this tyops doesn't break something.

Fixes: 026aeffcb4
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1490168303-24588-1-git-send-email-kraxel@redhat.com
2017-03-27 12:14:45 +02:00
Gerd Hoffmann cc720a5dc4 add opengl_cflags to QEMU_CFLAGS
... and drop OPENGL_CFLAGS from Makefiles.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1490079888-29029-1-git-send-email-kraxel@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-21 10:25:01 +00:00
Peter Maydell 940a8ce075 fixes for 2.9-rc1, plus removal of -mno-cygwin references
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQExBAABCAAbBQJYz7wTFBxwYm9uemluaUByZWRoYXQuY29tAAoJEL/70l94x66D
 AYwH/ip/ZIxsAEKMpQnGfwgHiLgGvFD+10wJECXLChyzcQLqqs4KingQEHMh6o9f
 Y1DTMyJBDk65k5zSEVx7nqisI82SUlvwOZJpVqCfF2AbY/HR+a+tUOp9njuz6EDh
 ZVSAnvIDfZC1P2BcXOPzEySXBNCZcZG0iHO9U4eobGAxRGVUs/8a8qHTuRVc2Mwg
 bT7lxLzE4chgQ1jFu2D7TzjwkFvAYeUHWdj2rl+U3KwEF9pUm0hAEfvymEP4d6hE
 hPqcE2X9W42n8wbxL7edI0EVZnc+bltfakioy+BxgrkxEZFLgMmKsUtNOuQ7sUdT
 VvQ3Zbw2solv6ltOqCbexLWueM4=
 =Vli2
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

fixes for 2.9-rc1, plus removal of -mno-cygwin references

# gpg: Signature made Mon 20 Mar 2017 11:25:07 GMT
# gpg:                using RSA key 0xBFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  hax: fix breakage in locking
  configure: remove Cygwin
  xen: do not build backends for targets that do not support xen
  qemu-ga: obey LISTEN_PID when using systemd socket activation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20 16:34:26 +00:00
Stefano Stabellini 6b827cca9a xen: do not build backends for targets that do not support xen
Change Makefile.objs to use CONFIG_XEN instead of CONFIG_XEN_BACKEND, so
that the Xen backends are only built for targets that support Xen.

Set CONFIG_XEN in the toplevel Makefile to ensure that files that are
built only once pick up Xen support properly.

Signed-off-by: Stefano Stabellini <stefano@aporeto.com>
Tested-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
CC: pbonzini@redhat.com
CC: peter.maydell@linaro.org
CC: rth@twiddle.net
CC: stefanha@redhat.com
Message-Id: <1489694518-16978-1-git-send-email-sstabellini@kernel.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-19 11:12:12 +01:00
Gerd Hoffmann f019722cbb cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
The switch from pointers to addresses (commit
026aeffcb4 and
ffaf857778) added
a off-by-one bug to 16bit backward blits.  Fix.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com
2017-03-17 10:23:44 +01:00
Gerd Hoffmann ffaf857778 cirrus: stop passing around src pointers in the blitter
Does basically the same as "cirrus: stop passing around dst pointers in
the blitter", just for the src pointer instead of the dst pointer.

For the src we have to care about cputovideo blits though and fetch the
data from s->cirrus_bltbuf instead of vga memory.  The cirrus_src*()
helper functions handle that.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:16 +01:00
Gerd Hoffmann 026aeffcb4 cirrus: stop passing around dst pointers in the blitter
Instead pass around the address (aka offset into vga memory).  Calculate
the pointer in the rop_* functions, after applying the mask to the
address, to make sure the address stays within the valid range.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann e048dac616 cirrus: fix cirrus_invalidate_region
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
Fix calculation to make sure to allow that, otherwise the assert added
by commit f153b563f8 can trigger for valid
blits.

Test case: boot windows nt 4.0

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann 827bd51726 cirrus: add option to disable blitter
Ok, we have this beast in the cirrus code which is not used at all by
modern guests, except when you try to find security holes in qemu.  So,
add an option to disable blitter altogether.  Guests released within
the last ten years should not show any rendering issues if you turn off
blitter support.

There are no known bugs in the cirrus blitter code.  But in the past we
hoped a few times already that we've finally nailed the last issue.  So
having some easy way to mitigate in case yet another blitter issue shows
up certainly makes me sleep a bit better at night.

For completeness:  The by far better way to mitigate is to switch away
from cirrus and use stdvga instead.  Or something more modern like
virtio-vga in case your guest has support for it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494540-15745-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann 73c148130b cirrus: switch to 4 MB video memory by default
Quoting cirrus source code:
   Follow real hardware, cirrus card emulated has 4 MB video memory.
   Also accept 8 MB/16 MB for backward compatibility.

So just use 4MB by default.  We decided to leave that at 8MB by default
a while ago, for live migration compatibility reasons.  But we have
compat properties to handle that, so that isn't a compeling reason.

This also removes some sanity check inconsistencies in the cirrus code.
Some places check against the allocated video memory, some places check
against the 4MB physical hardware has.  Guest code can trigger asserts
because of that.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494514-15606-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann 50628d3479 cirrus/vnc: zap bitblit support from console code.
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests.  It is supported by cirrus and vnc server.  The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.

This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more.  Any linux guest using the cirrus drm
driver doesn't.  Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.

So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".

Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full).  This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display.  So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.

Lets kill it once for all.

Oh, and one more reason: Turns out (after writing the patch) we have a
security bug in that code path ...

Fixes: CVE-2016-9603
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
hangaohuai 215902d7b6 fix :cirrus_vga fix OOB read case qemu Segmentation fault
check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segmentation fault.

After the fix, we will touch the assert in
cirrus_invalidate_region:
assert(off_cur_end >= off_cur);

Signed-off-by: fangying <fangying1@huawei.com>
Signed-off-by: hangaohuai <hangaohuai@huawei.com>
Message-id: 20170314063919.16200-1-hangaohuai@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-16 08:58:15 +01:00
Gerd Hoffmann dbb5fb8d35 qxl: clear guest_cursor on QXL_CURSOR_HIDE
Make sure we don't leave guest_cursor pointing into nowhere.  This might
lead to (rare) live migration failures, due to target trying to restore
the cursor from the stale pointer.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1421788
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1488789111-27340-1-git-send-email-kraxel@redhat.com
2017-03-09 09:47:26 +01:00
Peter Maydell 7d1730b7d9 trivial patches for 2017-02-28
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCAAGBQJYtRwrAAoJEHAbT2saaT5ZQSQIAKWIXrxhIGO6hGEDc50YL6x6
 tQMOnPQOulLtS76rGDAZrJwc47wqpXUtBCuevgwwqbxraLHF4LRnMf0I+xSR+lTt
 PF9vmgDgB4BVDpSTqphjaCBccXPYPqXzUtYaDcT6xePy8aB+/40nqsnby5hf+BXT
 zNpZZrn23papmftS3LnZ5j/lKNIsIlS/v5WIy8xNK0pBTKx4W1ZzDWrYq8crqW+v
 NqQSoVbNOEHOt1+C+nEX6gxUnY6rJXAVB0ICT0fSY9NRhFjPeu1Fx6EtCRNaluXm
 zOZ7t4kTjpB7IcHy3lqDTaWV6VVwBFUym5pfwjRLcge4ln+a5O454+/i8mxerfo=
 =jvkw
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into staging

trivial patches for 2017-02-28

# gpg: Signature made Tue 28 Feb 2017 06:43:55 GMT
# gpg:                using RSA key 0x701B4F6B1A693E59
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59

* remotes/mjt/tags/trivial-patches-fetch:
  syscall: fixed mincore(2) not failing with ENOMEM
  hw/acpi/tco.c: fix tco timer stop
  lm32: milkymist-tmu2: fix a third integer overflow
  qemu-options.hx: add missing id=chr0 chardev argument in vhost-user example
  Update copyright year
  tests/prom-env: Enable the test for the sun4u machine, too
  cadence_gem: Remove unused parameter debug message
  register: fix incorrect read mask
  ide: remove undefined behavior in ide-test
  CODING_STYLE: Mention preferred comment form
  hw/core/register: Mark the device with cannot_instantiate_with_device_add_yet
  hw/core/or-irq: Mark the device with cannot_instantiate_with_device_add_yet
  softfloat: Use correct type in float64_to_uint64_round_to_zero()
  target/s390x: Fix typo

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-28 16:22:41 +00:00
Peter Maydell 3d74ee7dca lm32: milkymist-tmu2: fix a third integer overflow
Don't truncate the multiplication and do a 64 bit one instead
because the result is stored in a 64 bit variable.

This fixes a similar coverity warning to commits 237a8650d6 and
4382fa6554, in a similar way, and is the final third of the fix for
coverity CID 1167561 (hopefully!).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28 09:03:39 +03:00
Gerd Hoffmann 975896fc88 virtio-gpu: use dpy_gl_scanout_disable
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1487669841-13668-4-git-send-email-kraxel@redhat.com
2017-02-27 16:15:29 +01:00
Gerd Hoffmann f4c36bdab6 console: rename dpy_gl_scanout to dpy_gl_scanout_texture
We'll add a variant which accepts dmabufs soon.  Change
the name so we can easily disturgish the two variants.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1487669841-13668-2-git-send-email-kraxel@redhat.com
2017-02-27 16:15:28 +01:00
Gerd Hoffmann 92f2b88cea cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-24 14:35:50 +01:00
Halil Pasic 59046ec29a migration: consolidate VMStateField.start
The member VMStateField.start is used for two things, partial data
migration for VBUFFER data (basically provide migration for a
sub-buffer) and for locating next in QTAILQ.

The implementation of the VBUFFER feature is broken when VMSTATE_ALLOC
is used. This however goes unnoticed because actually partial migration
for VBUFFER is not used at all.

Let's consolidate the usage of VMStateField.start by removing support
for partial migration for VBUFFER.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>

Message-Id: <20170203175217.45562-1-pasic@linux.vnet.ibm.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-02-13 17:27:13 +00:00
Gerd Hoffmann 12e97ec399 Revert "cirrus: allow zero source pitch in pattern fill rops"
This reverts commit 5858dd1801.

Conflicts:
	hw/display/cirrus_vga.c

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann 95280c31cd cirrus: fix patterncopy checks
The blit_region_is_unsafe checks don't work correctly for the
patterncopy source.  It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}.  So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source.  Also handle the case where we
blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801.

Security impact:  I think for the most part error on the safe side this
time, refusing blits which should have been allowed.

Only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
even in that case I'm not fully sure this actually allows read access to
host memory.  To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann ec87f206d7 cirrus: replace debug printf with trace points
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486561893-26470-2-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann cf7dabeebc vga: replace debug printf with trace points
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486561893-26470-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann 5e8e3c4c75 virtio-gpu: fix resource leak in virgl_cmd_resource_unref
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
we'll leak memory.

This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Li Qiang dd248ed7e2 virtio-gpu: fix memory leak in set scanout
In virtio_gpu_set_scanout function, when creating the 'rect'
its refcount is set to 2, by pixman_image_create_bits and
qemu_create_displaysurface_pixman function. This can lead
a memory leak issues. This patch avoid this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-10 16:49:45 +01:00
Peter Maydell 5b66d7ae89 cirrus: multiple bugfixes, including CVE-2017-2615 fix.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJYk0pHAAoJEEy22O7T6HE4jNEP/3wpFsWF+6nsLWKHJLweuEZh
 cuI/Nsr2b2Y53geug3GALcTujKAE0ZNiBvYqnf+7NB0Z6NRmAYMW7cYoPEbeQ9PN
 JvBMJahHpcqOeXjex05ZWrrMXHA0hHEXTfzcCyxV+45QlajLoJFDRBEp2vGQb71y
 UxKostXjH4YKzVVA5ApKlrl2HkpSqsyvqSRTknehRHguDtED/BIt5MSTuZYgc38A
 wvHMyF5CJO4K5TGl9KbYRl6fuUCZyPpsUh3+CBoPKid3V6D2JCW6E7hDrI3oUoEQ
 D+P4/Ugq+UagDlpg0vxWHk1P3eQM+SZfdsu7JOtP/OYbQV7h8Vg201yw5mZwru0f
 qyuv7Hio8eZfsxDLNJq8yO/bD1R76EYnO1ehtRljJcYfnk+wWnreysCSgRfFNj/M
 rZSXvjPkWy/4aDMF+6Vwbz/o3zt1791rVX1HSL9LCSXeHlPYZn0h8QTcE/6nJz97
 TDokZ0aLykoB37AhvL/tj4K/9Bv2RY/NAhj/5Q9VEv2O24fQz9J+EhrG9liBKfM8
 cORPJvbR8OIxttih8A1PCXcBiOfBJ1pEHrXHEHwM5O/YEAGJt5me9kPLdsBCqR3I
 Y1zi6aVTQyeKvIHa+Gq3KLlpJzAqJUiwuwfEvDeOg09ogM6m7g3+hruP16DJu+o3
 z9w3E9ZHUF0ayqvHjTtZ
 =HXaP
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170202-2' into staging

cirrus: multiple bugfixes, including CVE-2017-2615 fix.

# gpg: Signature made Thu 02 Feb 2017 15:03:35 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170202-2:
  cirrus: fix oob access issue (CVE-2017-2615)
  cirrus: fix blit address mask handling
  cirrus: allow zero source pitch in pattern fill rops
  cirrus: handle negative pitch in cirrus_invalidate_region()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-03 09:52:51 +00:00
Peter Maydell 4e9f5244e1 -----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJYkeZAAAoJEJykq7OBq3PI6oUH/3qlRvQrWmhWLR+XCtwU0gON
 HRApL57Of+B1YbqJzb8wzjLMLfzZQYLoT7kf3FDRON751Iwpv2Qyl6j79kbmOQwy
 txvtgUTtPZrOZ9HMk6M1VboiKrkM1t0I1QiRYy/af2f1gD3KTqIt8YN1ic3xatKD
 Fgmx+oD+6EkrNilthemvDyaXtGsdTl4GC9ZbGcJB2VJzzWkksRUfeZWysIu9p2zP
 l6viegW/1+o5wYgBt6DxMalfNGbEiuBgXgx6PVFPbkw0xNURC52qDHhQ91xTSWt1
 pvFrIhYWR/ETN0twJh+jtmCjkawKWSsx2nrLlrSh4H0EpwFoRfFqH/ZrOFSg0wg=
 =QnCX
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Wed 01 Feb 2017 13:44:32 GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/tracing-pull-request:
  trace: clean up trace-events files
  qapi: add missing trace_visit_type_enum() call
  trace: improve error reporting when parsing simpletrace header
  trace: update docs to reflect new code generation approach
  trace: switch to modular code generation for sub-directories
  trace: move setting of group name into Makefiles
  trace: move hw/i386/xen events to correct subdir
  trace: move hw/xen events to correct subdir
  trace: move hw/block/dataplane events to correct subdir
  make: move top level dir to end of include search path

# Conflicts:
#	Makefile

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-02 16:08:28 +00:00
Li Qiang 62d4c6bd52 cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-02-02 15:58:23 +01:00
Gerd Hoffmann 60cd23e851 cirrus: fix blit address mask handling
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
right after assigning them, in cirrus_bitblt_start(), instead of having
this all over the place in the cirrus code, and missing a few places.

Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
2017-02-01 09:47:22 +01:00
Wolfgang Bumiller 5858dd1801 cirrus: allow zero source pitch in pattern fill rops
The rops used by cirrus_bitblt_common_patterncopy only use
the destination pitch, so the source pitch shoul allowed to
be zero and the blit with used for the range check around the
source address.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-01 09:43:09 +01:00
Wolfgang Bumiller f153b563f8 cirrus: handle negative pitch in cirrus_invalidate_region()
cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch off_begin
marks the top most used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com

[ kraxel: codestyle fixes ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-01 09:41:53 +01:00
Stefan Hajnoczi 7f4076c1bb trace: clean up trace-events files
There are a number of unused trace events that
scripts/cleanup-trace-events.pl finds.  The "hw/vfio/pci-quirks.c"
filename was typoed and "qapi/qapi-visit-core.c" was missing the qapi/
directory prefix.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170126171613.1399-3-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-01-31 17:12:15 +00:00
Michael S. Tsirkin df45892c12 qxl: switch to constants within BUILD_BUG_ON
We are switching BUILD_BUG_ON to verify that it's parameter is a
compile-time constant, and it turns out that some gcc versions
(specifically gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609) are
not smart enough to figure it out for expressions involving local
variables. This is harmless but means that the check is ineffective for
these platforms.  To fix, replace variables with macros.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2017-01-31 15:57:27 +02:00
Marc-André Lureau 0ec7b3e7f2 char: rename CharDriverState Chardev
Pick a uniform chardev type name.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-01-27 18:07:59 +01:00
Peter Maydell ffb5a69c31 trivial patches for 2017-01-24
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCAAGBQJYh7icAAoJEHAbT2saaT5ZixMH/2qr2TPaAARnTPFzf/mfpHvR
 jYKZary6L//DTCqjrys5zAVzKUg8rCPGwWI2T2FDsos7Ku4MKBBSfDmnabc+iu0P
 7Rkr18dPGi5ozAiHcGzNXivODVrXBqZT3KcJZ1aYo04Bl0xszxO+fWp2B6n9aXIs
 g4HFq98XGXut8Rs7wNcsUOGHTkIupnzxt+TYXFhezRPq/6bRWZj8pPjwiPReZJBP
 w6IhlVkIxsMdW1tpy+Im21aKCWO23mvQYj+ZiS2eb2F/jcSshL9xp1vqlbNU65H1
 w/zQaUE+m0yJhF7sVKM76101vnDJ1DPxiD/45BnF5p/xwiYcUwpS5UG53riFxAA=
 =B6et
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into staging

trivial patches for 2017-01-24

# gpg: Signature made Tue 24 Jan 2017 20:27:08 GMT
# gpg:                using RSA key 0x701B4F6B1A693E59
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59

* remotes/mjt/tags/trivial-patches-fetch: (31 commits)
  hw/isa/isa-bus: Set category of the "isabus-bridge" device
  usb: Set category and description of the MTP device
  gdbstub.c: update old error report statements
  gdbstub.c: fix GDB connection segfault caused by empty machines
  scsi-disk: add 'fall through' comment to switch VERIFY cases
  Drop duplicate display option documentation
  hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GB
  win32: use glib gpoll if glib >= 2.50
  util/mmap-alloc: refactor a little bit for readability
  util/mmap-alloc: check parameter before using
  vfio: remove a duplicated word in comments
  docs: sync pci-ids.txt
  disas/cris.c: Fix Coverity warning about unchecked NULL
  lm32: milkymist-tmu2: fix another integer overflow
  hw/i386/kvmvapic: Remove dead code in patch_hypercalls()
  doc/usb2: fix typo
  qga: fix erroneous argument to strerror
  block: remove dead check
  pci-assign: avoid pointless stat
  qemu-img: remove dead check
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-25 10:42:26 +00:00
Peter Maydell ba56e4cad4 hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GB
Coverity points out that calculating src_len by multiplying
src_width by rows could overflow. This can only happen in
the implausible case of a framebuffer larger than 4GB, but
we may as well fix it, placating Coverity. (CID1005515)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:53 +03:00
Peter Maydell 4382fa6554 lm32: milkymist-tmu2: fix another integer overflow
Don't truncate the multiplication and do a 64 bit one instead
because the result is stored in a 64 bit variable.

This fixes a similar coverity warning to commit 237a8650d6,
in a similar way, and is the other half of the fix for
coverity CID 1167561.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:53 +03:00
Stefan Weil b12227afb1 hw: Fix typos found by codespell
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:52 +03:00
Ashijeet Acharya fe44dc9180 migration: disallow migrate_add_blocker during migration
If a migration is already in progress and somebody attempts
to add a migration blocker, this should rightly fail.

Add an errp parameter and a retcode return value to migrate_add_blocker.

Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Ashijeet Acharya <ashijeetacharya@gmail.com>
Message-Id: <1484566314-3987-5-git-send-email-ashijeetacharya@gmail.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Acked-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  Merged with recent 'Allow invtsc migration' change
2017-01-24 18:00:30 +00:00
Jianjun Duan 2c21ee769e migration: extend VMStateInfo
Current migration code cannot handle some data structures such as
QTAILQ in qemu/queue.h. Here we extend the signatures of put/get
in VMStateInfo so that customized handling is supported. put now
will return int type.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Signed-off-by: Jianjun Duan <duanj@linux.vnet.ibm.com>
Message-Id: <1484852453-12728-2-git-send-email-duanj@linux.vnet.ibm.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-01-24 17:54:47 +00:00
Gerd Hoffmann a2056e09b0 virtio-gpu: tag as not hotpluggable
qemu can't hotplug display devices.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1483970138-20360-1-git-send-email-kraxel@redhat.com
2017-01-11 09:19:05 +01:00
Peter Maydell c84f0f25db virtio-gpu: Fix memory leak in virtio_gpu_load()
Coverity points out that if we fail in the "creating resources"
loop in virtio_gpu_load() we will leak various resources (CID 1356431).
Failing a VM load is going to leave the simulation in a complete mess,
but we can tidy up to the point that a full system reset should
get us back to sanity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483969123-14839-3-git-send-email-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Peter Maydell 039aa5db0e virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
The 'hostmem' field in VirtIOGPU is used to track the total memory
used in pixmaps so that we can impose a maximum limit on it.
However this field is neither migrated nor recalculated on
VM load, which means that after a migration it will be incorrectly
too low, which can allow the guest to use more pixmap memory
than it should. The per-resource hostmem fields are not filled
in either as we reallocate them in the load function.

Recalculate the memory used for each pixmap and the total memory
used as we reallocate the pixmaps in virtio_gpu_load().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483969123-14839-2-git-send-email-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Bruce Rogers 913a87885f display: cirrus: ignore source pitch value as needed in blit_is_unsafe
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Message-id: 20170109203520.5619-1-brogers@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Li Qiang 85d9d04447 virtio-gpu: fix information leak in capset get dispatch
In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com

[ kraxel: resolved conflict ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Corey Minyard d307c28ca9 i2c: Allow I2C devices to NAK start events
Add a return value to the event handler.  Some I2C devices will
NAK if they have no data, so allow them to do this.  This required
the following changes:

Go through all the event handlers and change them to return int
and return 0.

Modify i2c_start_transfer to terminate the transaction on a NAK.

Modify smbus handing to not assert if a NAK occurs on a second
operation, and terminate the transaction and return -1 instead.

Add some information on semantics to I2CSlaveClass.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-09 11:40:20 +00:00
Li Qiang 204f01b309 virtio-gpu: fix memory leak in resource attach backing
In the resource attach backing function, everytime it will
allocate 'res->iov' thus can leading a memory leak. This
patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:21 +01:00
Li Qiang 33243031da virtio-gpu-3d: fix memory leak in resource attach backing
If the virgl_renderer_resource_attach_iov function fails the
'res_iovs' will be leaked. Add check of the return value to
free the 'res_iovs' when failing.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:21 +01:00
Li Qiang b8e23926c5 virtio-gpu: call cleanup mapping function in resource destroy
If the guest destroy the resource before detach banking, the 'iov'
and 'addrs' field in resource is not freed thus leading memory
leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:16 +01:00
Gerd Hoffmann 9b7621bca2 virtio-gpu: track and limit host memory allocations
This patch makes virtio-gpu track host memory allocations for ressources
and applies a limit (configurable 256M by default).  When exceeding the
limit virtio-gpu throws VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY errors (like
it already does today when pixman image allocations fail).

This patch covers 2d mode only.  For 3d mode we have to figure how we
are going to handle this best.  qemu doesn't track resources in case
virglrenderer is used, so I guess we should extend virglrenderer to
allow setting a limit, then let qemu set the limit and catch
virgl_renderer_resource_create failures.

Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1480423356-22255-1-git-send-email-kraxel@redhat.com
2016-12-20 14:19:08 +01:00
Prasad J Pandit abd7f08b23 display: virtio-gpu-3d: check virgl capabilities max_size
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20161214070156.23368-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-20 14:18:39 +01:00
Prasad J Pandit 4299b90e9b display: cirrus: check vga bits per pixel(bpp) value
In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
'cirrus_get_bpp' returns zero(0), which could lead to a divide
by zero error in while copying pixel data. The same could occur
via blit pitch values. Add check to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 11:01:55 +01:00
Li Qiang 2d1cd6c7a9 virtio-gpu: fix memory leak in update_cursor_data_virgl
In update_cursor_data_virgl function, if the 'width'/ 'height'
is not equal to current cursor's width/height it will return
without free the 'data' allocated previously. This will lead
a memory leak issue. This patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Li Qiang 42a8dadc74 virtio-gpu: fix information leak in getting capset info dispatch
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
been full initialized before writing to the guest. This will leak
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Christophe Fergeau 6c7565028c qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes
Currently if the client keeps sending the same monitor config to
QEMU/spice-server, QEMU will always raise
a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
change or not.
Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
event to user-space without checking if there were actual changes.
Next in line are gnome-shell/mutter (on a default f25 install), which
will try to reconfigure everything without checking if there is anything
to do.
Where this gets ugly is that when applying the resolution changes,
gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
drmModeSetCrtc, which will cause the primary surface to be destroyed and
recreated by the QXL KMS driver. This in turn will cause the client to
resend a client monitors config message, which will cause QEMU to reemit
an interrupt with an unchanged monitors configuration, ...
This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484

This commit makes sure that we only emit
QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
changes the guest should act on.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Message-id: 20161028144840.18326-1-cfergeau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Peter Maydell 5ff06787d4 Xen 2016/10/28
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYE/VuAAoJEIlPj0hw4a6Q/qAP+gMhunO/OJRSwIlYSOt+fVKW
 LE17QUfdVe204IuWY3h9svTvJXj/pOsE1HtIrGAUwsJxMqMBHeZnKhVZvEbvL2Iy
 sKSxzQkkPa6qVn/+Nxr9ZxULJZPXWnl61FLbElelff4w46lTaBM3gBaWDekFEO64
 RbMvsMAUmav1x88KPvqY71Crbx5wbPhNmFqhbJNaQmm3zIQDK1TzGESv882mQKy2
 rKNapBUXq8XnUNN+lIHhnzU9kUjhZxu7uet3GHMVICeAYu3b9jkgomv2OcV/sfRg
 3o/NoXp4I7ZY3F0fkbtJOIFx0m+YlWnQhkBGsQoXJW+4lUdQR9ypMY4OdzjRa80e
 w9GrDt1//LOYrTpB0ZBkW0MIfnUK4TCqtL/aEQtRY9fdRFvcVpCjnqrYw+u9boZ1
 hVypTYmAbk/ece6aJ/dngDQVtGC9qMGlHtBqSBRajFxenvFdY+DK6/FhITpNmobU
 YPWTSwS6WPw/venfvrTMfCQudGW3Jg8iBzRbGPS+GYfYlTHFoO0lKFGWWeTuRFIw
 /4owDhMJr5hRMRWZxCAu+Z8Ymj1MFuK7zDKjvT9LgWOZORh+rz6Tfn9+oxSt/D9I
 1VKb/T9N9wBS3kreZ+Uz5+aQBoQSN5AQjay2ECZ16u9i63EL89CqXyyrJLlKlEGB
 cP3GzM9DlAtCQR943bys
 =Ao+X
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20161028-tag' into staging

Xen 2016/10/28

# gpg: Signature made Sat 29 Oct 2016 02:03:42 BST
# gpg:                using RSA key 0x894F8F4870E1AE90
# gpg: Good signature from "Stefano Stabellini <sstabellini@kernel.org>"
# gpg:                 aka "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
# Primary key fingerprint: D04E 33AB A51F 67BA 07D3  0AEA 894F 8F48 70E1 AE90

* remotes/sstabellini/tags/xen-20161028-tag:
  xen: Rename xen_be_del_xendev
  xen: Rename xen_be_find_xendev
  xen: Rename xen_be_evtchn_event
  xen: Rename xen_be_send_notify
  xen: Rename xen_be_unbind_evtchn
  xen: Rename xen_be_printf to xen_pv_printf
  xen: Move xenstore cleanup and mkdir functions
  xen: Prepare xendev qtail to be shared with frontends
  xen: Move evtchn functions to xen_pvdev.c
  xen: Move xenstore_update to xen_pvdev.c
  xen: Create a new file xen_pvdev.c
  xen: Fix coding style warnings
  xen: Fix coding style errors

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-31 12:35:39 +00:00
Emil Condrea fa0253d066 xen: Rename xen_be_find_xendev
Prepare xen_be_find_xendev to be shared with frontends:
 * xen_be_find_xendev -> xen_pv_find_xendev

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:39 -07:00
Emil Condrea ba18fa2a8c xen: Rename xen_be_send_notify
Prepare xen_be_send_notify to be shared with frontends:
 * xen_be_send_notify -> xen_pv_send_notify

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:21 -07:00
Emil Condrea 65807f4b6c xen: Rename xen_be_unbind_evtchn
Prepare xen_be_unbind_evtchn to be shared with frontends:
 * xen_be_unbind_evtchn -> xen_pv_unbind_evtchn

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:11 -07:00
Emil Condrea 96c77dba6f xen: Rename xen_be_printf to xen_pv_printf
Prepare xen_be_printf to be used by both backend and frontends:
 * xen_be_printf -> xen_pv_printf

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:53:50 -07:00
Emil Condrea b9730c5b4e xen: Fix coding style warnings
Fixes:
 * WARNING: line over 80 characters

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:52:39 -07:00
Emil Condrea c22e91b1d8 xen: Fix coding style errors
Fixes the following errors:
 * ERROR: line over 90 characters
 * ERROR: code indent should never use tabs
 * ERROR: space prohibited after that open square bracket '['
 * ERROR: do not initialise statics to 0 or NULL
 * ERROR: "(foo*)" should be "(foo *)"

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:52:29 -07:00
Michael Walle 237a8650d6 lm32: milkymist-tmu2: fix integer overflow
Don't truncate the multiplication and do a 64 bit one instead because
because the result is stored in a 64 bit variable.

Spotted by coverity, CID 1167561.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-10-28 18:17:23 +03:00
Li Qiang cb3a0522b6 virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-10-26 14:52:21 +02:00
xiaoqiang zhao caae8032d3 hw/display: QOM'ify pl110.c
Drop the old Sysbus init and use instance_init and
DeviceClass::realize instead

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 20161023091816.3839-5-zxq_yx_007@163.com
[PMM: added accidentally dropped blank line]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-24 16:26:56 +01:00
Peter Maydell 627eae7d72 virtio, pc: fixes and features
more guest error handling for virtio devices
 virtio migration rework
 pc fixes
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJX+tUfAAoJECgfDbjSjVRpIGMH/Ri+bnKF9zD6jQXfzYY+neSF
 SqR0BsFUqR+8C1Yxx45tFRC/kMpJy3n5PZunoDwAXcSlN/uoWvzp05/s44praFDc
 5FDcj3SvFhvOpBFnO5sTMBTkmGOCG/f/lnej+Fea0X8KjtOvVE6Yxek8CS+/dS3K
 t70hxLaTO93Z63olOxhAZSVX9wYKLovB0PXAu9Uj9LsnXl8o8gQLxM9WgKnI/0vD
 1V/ZGZY0lfFaHrvIgkgKy3/L7QJ91A/jU9jypNJOEdV52EDfkV97hA2ibcIQ+7Y1
 w/S3gzVmKM3dtxdS9DiQJ3riBT8XcPUWI6sIEjpfKGFGoOjazai3m9e3bcEx3Rg=
 =f//+
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio, pc: fixes and features

more guest error handling for virtio devices
virtio migration rework
pc fixes

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 10 Oct 2016 00:39:11 BST
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (33 commits)
  intel-iommu: Check IOAPIC's Trigger Mode against the one in IRTE
  virtio: cleanup VMSTATE_VIRTIO_DEVICE
  vhost-vsock: convert VMSTATE_VIRTIO_DEVICE
  virtio-rng: convert VMSTATE_VIRTIO_DEVICE
  virtio-balloon: convert VMSTATE_VIRTIO_DEVICE
  virtio-scsi: convert VMSTATE_VIRTIO_DEVICE
  virtio-input: convert VMSTATE_VIRTIO_DEVICE
  virtio-gpu: convert VMSTATE_VIRTIO_DEVICE
  virtio-serial: convert VMSTATE_VIRTIO_DEVICE
  virtio-9p: convert VMSTATE_VIRTIO_DEVICE
  virtio-net: convert VMSTATE_VIRTIO_DEVICE
  virtio-blk: convert VMSTATE_VIRTIO_DEVICE
  virtio: prepare change VMSTATE_VIRTIO_DEVICE macro
  net: don't poke at chardev internal QemuOpts
  virtio-scsi: handle virtio_scsi_set_config() error
  virtio-scsi: convert virtio_scsi_bad_req() to use virtio_error()
  virtio-net: handle virtio_net_flush_tx() errors
  virtio-net: handle virtio_net_receive() errors
  virtio-net: handle virtio_net_handle_ctrl() error
  virtio-blk: handle virtio_blk_handle_request() errors
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-10 16:23:40 +01:00
Halil Pasic 5705653ff8 virtio: cleanup VMSTATE_VIRTIO_DEVICE
Now all the usages of the old version of VMSTATE_VIRTIO_DEVICE are gone,
so we can get rid of the conditionals, and the old macro.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-10-10 02:21:43 +03:00
Halil Pasic 8a502efd0c virtio-gpu: convert VMSTATE_VIRTIO_DEVICE
Use the new VMSTATE_VIRTIO_DEVICE macro. The device virtio-gpu is
special because it actually does not adhere to the virtio migration
schema, because device state is last.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-10-10 02:21:43 +03:00
Chen Fan 7a25126d8a virtio: rename the bar index field name in VirtIOPCIProxy
the bar index names are much similar to the bar memory regions,
distinguish them to improve the code readability.

Signed-off-by: Chen Fan <fan.chen@easystack.cn>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-10-08 11:25:29 +03:00
Dr. David Alan Gilbert e7f76c521f vmstateify ssd0323 display
Bumps version number because we now use the VMSTATE_SSI_SLAVE that
only uses a byte rather than a 32bit (for saving a bool 'cs').

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1472035246-12483-2-git-send-email-dgilbert@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-09-22 18:13:08 +01:00
Gerd Hoffmann c2843e9390 virtio-vga: adapt to page-per-vq=off
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1473319012-27560-1-git-send-email-kraxel@redhat.com
2016-09-13 09:28:10 +02:00
Gerd Hoffmann 597966d110 virtio-gpu-pci: tag as not hotpluggable
We can't hotplug display adapters in qemu, tag virtio-gpu-pci
accordingly (virtio-vga already has this).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1473319037-27645-1-git-send-email-kraxel@redhat.com
2016-09-13 09:26:58 +02:00
Prasad J Pandit 167d97a3de vmsvga: correct bitmap and pixmap size checks
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-09-13 09:24:35 +02:00
Marc-André Lureau e305a16510 portio: keep references on portio
The isa_register_portio_list() function allocates ioports
data/state. Let's keep the reference to this data on some owner.  This
isn't enough to fix leaks, but at least, ASAN stops complaining of
direct leaks. Further cleanup would require calling
portio_list_del/destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-08 18:05:21 +04:00
Laurent Vivier e723b87103 trace-events: fix first line comment in trace-events
Documentation is docs/tracing.txt instead of docs/trace-events.txt.

find . -name trace-events -exec \
     sed -i "s?See docs/trace-events.txt for syntax documentation.?See docs/tracing.txt for syntax documentation.?" \
     {} \;

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1470669081-17860-1-git-send-email-lvivier@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-08-12 10:36:01 +01:00
Marcel Apfelbaum 9a4c0e220d hw/virtio-pci: fix virtio behaviour
Enable transitional virtio devices by default.
Enable virtio-1.0 for devices plugged into
PCIe ports (Root ports or Downstream ports).

Using the virtio-1 mode will remove the limitation
of the number of devices that can be attached to a machine
by removing the need for the IO BAR.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-07-29 00:07:10 +03:00
Peter Maydell 206d0c2436 pc, pci, virtio: new features, cleanups, fixes
- interrupt remapping for intel iommus
 - a bunch of virtio cleanups
 - fixes all over the place
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXkQsqAAoJECgfDbjSjVRpanoIAJ9JVlc1aEjt9sa0cSBcs+NQ
 J7JmgU9FqFsj+4FrNTouO3AxTjHurd1UAULP1WMPD+V3JpbnHct8r6SCBLQ5EBMN
 VOjYo4DwWs1g+DqnQ9WZmbadu06XvYi/yiAKNUzWfZk0MR11D0D/S5hmarNKw0Kq
 tGHeTWjGeY4WqFLV7m+qB4+cqkAByn6um99UtUvgLL05RgIEIP2IEMKYZ+rXvAa9
 iGUvzqlO7mbq/+LbL18kaWywa4TCwbbd2eSGWaqhX4CuB62Rl33mWTXFcfaYhkyp
 Z3FgwaJ09h0lAjSVEbyAuLFMfO/BnMcsoKqwl4xc4vkn/xBCqFtgH9JcEVm3O8U=
 =ge2D
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc, pci, virtio: new features, cleanups, fixes

- interrupt remapping for intel iommus
- a bunch of virtio cleanups
- fixes all over the place

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Thu 21 Jul 2016 18:49:30 BST
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (57 commits)
  intel_iommu: avoid unnamed fields
  virtio: Update migration docs
  virtio-gpu: Wrap in vmstate
  virtio-gpu: Use migrate_add_blocker for virgl migration blocking
  virtio-input: Wrap in vmstate
  9pfs: Wrap in vmstate
  virtio-serial: Wrap in vmstate
  virtio-net: Wrap in vmstate
  virtio-balloon: Wrap in vmstate
  virtio-rng: Wrap in vmstate
  virtio-blk: Wrap in vmstate
  virtio-scsi: Wrap in vmstate
  virtio: Migration helper function and macro
  virtio-serial: Remove old migration version support
  virtio-net: Remove old migration version support
  virtio-scsi: Replace HandleOutput typedef
  Revert "mirror: Workaround for unexpected iohandler events during completion"
  virtio-scsi: Call virtio_add_queue_aio
  virtio-blk: Call virtio_add_queue_aio
  virtio: Introduce virtio_add_queue_aio
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-21 20:12:37 +01:00
Dr. David Alan Gilbert 0fc07498da virtio-gpu: Wrap in vmstate
Forcibly convert it to a vmstate wrapper;  proper conversion
comes later.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-21 20:44:20 +03:00
Dr. David Alan Gilbert de8892215e virtio-gpu: Use migrate_add_blocker for virgl migration blocking
virgl conditionally registers a vmstate as unmigratable when virgl
is enabled; instead use the migrate_add_blocker mechanism.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-21 20:44:20 +03:00
Gerd Hoffmann e0127d2eec qxl: fix qxl_set_dirty call in qxl_dirty_one_surface
qxl_set_dirty() expects start and end as range specification.
qxl_dirty_one_surface passes 'size' instead of 'offset + size' as end
parameter.  Fix that.  Also use uint64_t everywhere while being at it.

Bug was added by "e25139b qxl: set only off-screen surfaces dirty instead
of the whole vram" and carried forward unnoticed by "5cdc402 qxl: fix
surface migration".

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1468413187-22071-1-git-send-email-kraxel@redhat.com
2016-07-20 12:08:14 +02:00
Markus Armbruster 175de52487 Clean up decorations and whitespace around header guards
Cleaned up with scripts/clean-header-guards.pl.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:20:46 +02:00
Markus Armbruster 2a6a4076e1 Clean up ill-advised or unusual header guards
Cleaned up with scripts/clean-header-guards.pl.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:20:46 +02:00
Markus Armbruster a9c94277f0 Use #include "..." for our own headers, <...> for others
Tracked down with an ugly, brittle and probably buggy Perl script.

Also move includes converted to <...> up so they get included before
ours where that's obviously okay.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:19:16 +02:00
Peter Maydell e0dadc1e9e aux: Rename aux.[ch] to auxbus.[ch] for the benefit of Windows
On Windows 'aux.*' is a reserved name and cannot be used for
filenames; see
  https://msdn.microsoft.com/en-gb/library/windows/desktop/aa365247(v=vs.85).aspx

This prevents cloning the QEMU git repo on Windows:

C:\Java\sources\kvm> git clone https://github.com/qemu/qemu.git
Cloning into 'qemu'...
remote: Counting objects: 279563, done.
remote: Total 279563 (delta 0), reused 0 (delta 0), pack-reused 279563R
Receiving objects: 100% (279563/279563), 122.45 MiB | 3.52 MiB/s, done.
Resolving deltas: 100% (221942/221942), done.
Checking connectivity... done.
error: unable to create file hw/misc/aux.c (No such file or directory)
error: unable to create file include/hw/misc/aux.h (No such file or directory)
Checking out files: 100% (4795/4795), done.
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'

(bug https://bugs.launchpad.net/bugs/1595240)

Rename the offending files for the benefit of Windows.

Reported-by: Алексей Курган <akurgan@yandex.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Wei Huang <wei@redhat.com>
Tested-by: KONRAD Frederic <fred.konrad@greensocs.com>
Message-id: 1467377145-32385-1-git-send-email-peter.maydell@linaro.org
2016-07-07 13:47:01 +01:00
Paolo Bonzini bb14a1eda0 xlnx_dp: fix iffy xlnx_dp_aux_push_tx_fifo
xlnx_dp_aux_push_tx_fifo takes an immediate uint8_t and a buffer length,
which must be 1 because that is how many uint8_t's fit in a uint8_t.
Sure enough, that is what xlnx_dp_write passes to it, but the function
is just weird.  Therefore, make xlnx_dp_aux_push_tx_fifo look like
xlnx_dp_aux_push_rx_fifo, taking a pointer to the buffer.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-07 13:47:00 +01:00
Marc-André Lureau 9d8256ebc0 virgl: pass whole GL scanout dimensions
Spice client needs the whole GL texture dimension to be able to show a
scanout with a monitor offset (different than +0+0).

Furthermore, this fixes a crash when calling surface_{width,height}()
after dpy_gfx_replace_surface(con, NULL) was called in
virgl_cmd_set_scanout()

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1465911849-30423-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:32:14 +02:00
Marc-André Lureau c540128f93 virgl: count the calls to gl_block
In virgl_cmd_resource_flush(), when several consoles are updated, it
needs to keep blocking until all spice gl draws are done. This fixes an
assert() in spice when using multiple monitors with virgl.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1465911849-30423-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:32:14 +02:00
John Snow 015e02f880 spice: avoid .set_mm_time on >= 0.12.6
Spice deprecated this callback in 0.12.6.
It's not a problem yet, but it will cause Clang to fail in a -Werror
build due to the deprecated tag.

Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1467240095-12507-2-git-send-email-jsnow@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:31:57 +02:00
Gerd Hoffmann 1331eab216 qxl: fix surface migration
Create a helper function qxl_dirty_one_surface() to mark a single qxl
surface as dirty.  Use the new qxl_get_check_slot_offset function and
lookup the memory region from the slot instead of assuming the surface
is stored in vram.

Use the new helper function in qxl_dirty_surfaces, for both primary and
off-screen surfaces.  For off-screen surfaces this is no functional
change.  For primary surfaces this will dirty only the memory actually
used instead of the whole surface0 region.  It will also work correctly
in case the guest places the primary surface in vram instead of the
surface0 region (linux kms driver does that).

https://bugzilla.redhat.com/show_bug.cgi?id=1235732

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-3-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann 3cb5158f15 qxl: store memory region and offset instead of pointer for guest slots
Store MemoryRegion and offset instead of a pointer for each qxl memory
slot, so we can easily figure in which memory region an qxl object
stored.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-2-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann 726bdf653a qxl: factor out qxl_get_check_slot_offset
New helper function which translates a qxl physical address into
memory slot and offset.  Also applies sanity checks.  Factored out
from qxl_phys2virt.  No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-1-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann 2f5ae772c6 qxl: handle no updates in interface_update_area_complete
Simply return early in case there are no updated rects.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1465395101-13580-1-git-send-email-kraxel@redhat.com
2016-07-06 10:31:02 +02:00
Gerd Hoffmann de1b9b85ef qxl: use uint64_t for vram size
This allows for the 64bit vram bar to become larger than 2G
(try -device qxl-vga,vram64_size_mb=8192).

https://bugzilla.redhat.com/show_bug.cgi?id=1340439

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1465389648-5179-1-git-send-email-kraxel@redhat.com
2016-07-06 10:30:50 +02:00
Cédric Le Goater 7673bb4cd3 ssi: change ssi_slave_init to be a realize ops
This enables qemu to handle late inits and report errors. All the SSI
slave routine names were changed accordingly. Code was modified to
handle errors when possible (m25p80 and ssi-sd)

Tested with the m25p80 slave object.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1467138270-32481-2-git-send-email-clg@kaod.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-04 13:15:22 +01:00
Gerd Hoffmann 55543e7623 milkymist: fix tmu2.c build failure (missing error.h include)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-21 13:25:09 +01:00
Peter Maydell b0ad00b8c9 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJXaFInAAoJEJykq7OBq3PI6VsH/0Sfgbdo1RksYuQwb/y92sCW
 EN+lxUZ+OLfgrc8PYgNZwfSM3rsfYhznL0MAXOeEe7Ahabi07w7DhGR8WvwfAOlI
 G96FRuvrIPfv5u6U6fwS4CvG3TIHVLxfHKCsTpPUmH8U5CNx/x/tpjNiWN1dj6t+
 sXybSjYHfZfiZy2tI9MFIFWCdxnF/pl0QAPhbRqc8Y/RQTDrPKRjLpz+nitN/u96
 5TS7KlELyQuP91YMmLceYSmIkHbxW703h+iE2n4hov0uZCP8Jil+2Jsd3ziQSRlL
 j6LqexQ2ViBGdDSfiZGYES2VPlsHOCwb4G+IgWBStfZg1ppaXENvcDzPrgrB+L4=
 =eUnF
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Mon 20 Jun 2016 21:29:27 BST
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/tracing-pull-request: (42 commits)
  trace: split out trace events for linux-user/ directory
  trace: split out trace events for qom/ directory
  trace: split out trace events for target-ppc/ directory
  trace: split out trace events for target-s390x/ directory
  trace: split out trace events for target-sparc/ directory
  trace: split out trace events for net/ directory
  trace: split out trace events for audio/ directory
  trace: split out trace events for ui/ directory
  trace: split out trace events for hw/alpha/ directory
  trace: split out trace events for hw/arm/ directory
  trace: split out trace events for hw/acpi/ directory
  trace: split out trace events for hw/vfio/ directory
  trace: split out trace events for hw/s390x/ directory
  trace: split out trace events for hw/pci/ directory
  trace: split out trace events for hw/ppc/ directory
  trace: split out trace events for hw/9pfs/ directory
  trace: split out trace events for hw/i386/ directory
  trace: split out trace events for hw/isa/ directory
  trace: split out trace events for hw/sd/ directory
  trace: split out trace events for hw/sparc/ directory
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-20 22:30:34 +01:00
Peter Maydell 7e13ea57f4 lm32/milkymist: some qomifying
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXaBmJAAoJELRYq7DY03jj6osP/Az+8Rkb8eL3hVzqDso6JZhx
 QMmp48ipNe7xWlTGjKrf6yUWyuehp7Hr2dlXkz6KG/Y/PQg15uMfH3ZlS0HzWuyO
 cSeRQsvNY759Wk7bnAzzuRK9eVxXJaSytodaA+swGo/7maDbMMXdv0gFa/qP6k1e
 4vc4mLoi3PX6GHuFsfWUaDkOkZpuhzsj3MxEEqDJd1TpiJzZIbJokk4bLUF89kCz
 tRGNUoUXJnWLigJYjOqXjg15Cue70ztiX3VE6LoI+TRe/RsJPLd+oCtij40Gah/S
 cOZUeuxIgLGDdkGoax+H/ymTjpTrHB4Mo8E7rtlwT/HYFti4ZzWeA9T3mJ9Zwc2F
 q4xU/St7dJYEOH37qNXKzyIWmQZxJKJOpOaOzasPbo76Bvt1X9d5+HuDOtf9ftWo
 LR/U+1MFxGId7TMM2/j+ziHKZcZWkGkpK7K0tScB6dM/yCxv1Qs5HuioqMNIvAgc
 Pe0bNAI5zSGX5ldqR/tPxL9b27PkqFs0a6itLOIv4tvashmnBfcDiaDMXmRc+hsb
 jJ7apWyEF3JOw9dKSpwgspPJHavYuRhohgfhuEpuwkcwc2QD3QdDrtlV6bxRhJoj
 yMZ5905B99LNCCGOszol1yMlzHLbGTmZVyhu8bL9930oxHgZzfOCQMFVtMMxaAp1
 0yEVhlbZ0JE7zpetAHeF
 =ggrO
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mwalle/tags/lm32-queue/20160620' into staging

lm32/milkymist: some qomifying

# gpg: Signature made Mon 20 Jun 2016 17:27:53 BST
# gpg:                using RSA key 0xB458ABB0D8D378E3
# gpg: Good signature from "Michael Walle <michael@walle.cc>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2190 3E48 4537 A7C2 90CE  3EB2 B458 ABB0 D8D3 78E3

* remotes/mwalle/tags/lm32-queue/20160620:
  milkymist: update specification URLs
  hw/intc: QOM'ify lm32_pic.c
  hw/display: QOM'ify milkymist-vgafb.c
  hw/display: QOM'ify milkymist-tmu2.c
  hw/timer: QOM'ify milkymist_sysctl
  hw/timer: QOM'ify lm32_timer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-20 18:14:26 +01:00
Daniel P. Berrange 14750ef1b5 trace: split out trace events for hw/display/ directory
Move all trace-events for files in the hw/display/ directory to
their own file.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1466066426-16657-18-git-send-email-berrange@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-06-20 17:22:15 +01:00
Michael Walle 6dbbe24337 milkymist: update specification URLs
The old milkymist.org domain just forwards to mm-labs.hk nowadays. I've
created a mirror of the documents.

Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:12:04 +02:00
xiaoqiang zhao 165b244b98 hw/display: QOM'ify milkymist-vgafb.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Tested-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:11:59 +02:00
xiaoqiang zhao cf79c64d58 hw/display: QOM'ify milkymist-tmu2.c
* Drop the old SysBus init function and use instance_init
* Move tmu2_glx_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Tested-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:11:06 +02:00
Eduardo Habkost 9be385980d coccinelle: Remove unnecessary variables for function return value
Use Coccinelle script to replace 'ret = E; return ret' with
'return E'. The script will do the substitution only when the
function return type and variable type are the same.

Manual fixups:

* audio/audio.c: coding style of "read (...)" and "write (...)"
* block/qcow2-cluster.c: wrap line to make it shorter
* block/qcow2-refcount.c: change indentation of wrapped line
* target-tricore/op_helper.c: fix coding style of
  "remainder|quotient"
* target-mips/dsp_helper.c: reverted changes because I don't
  want to argue about checkpatch.pl
* ui/qemu-pixman.c: fix line indentation
* block/rbd.c: restore blank line between declarations and
  statements

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1465855078-19435-4-git-send-email-ehabkost@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Unused Coccinelle rule name dropped along with a redundant comment;
whitespace touched up in block/qcow2-cluster.c; stale commit message
paragraph deleted]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-06-20 16:38:13 +02:00
Paolo Bonzini 02d0e09503 os-posix: include sys/mman.h
qemu/osdep.h checks whether MAP_ANONYMOUS is defined, but this check
is bogus without a previous inclusion of sys/mman.h.  Include it in
sysemu/os-posix.h and remove it from everywhere else.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-16 18:39:03 +02:00
KONRAD Frederic 58ac482a66 introduce xlnx-dp
This is the implementation of the DisplayPort.
It has an aux-bus to access dpcd and edid.

Graphic plane is connected to the channel 3.
Video plane is connected to the channel 0.
Audio stream are connected to the channels 4 and 5.

Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
Tested-By: Hyun Kwon <hyun.kwon@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1465833014-21982-9-git-send-email-fred.konrad@greensocs.com
[PMM: fixed format strings]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-14 16:01:03 +01:00
KONRAD Frederic e27ed1bdd3 introduce dpcd module
This introduces dpcd module.
It wires on a aux-bus and can be accessed by the driver to get lane-speed, etc.

Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Tested-By: Hyun Kwon <hyun.kwon@xilinx.com>
Message-id: 1465833014-21982-6-git-send-email-fred.konrad@greensocs.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-14 15:59:15 +01:00
Laurent Vivier d0448de7f6 xen: Use DIV_ROUND_UP
Replace (((n) + (d) - 1) /(d)) by DIV_ROUND_UP(n,d).

This patch is the result of coccinelle script
scripts/coccinelle/round.cocci

CC: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-06-07 18:19:24 +03:00
Gerd Hoffmann 0c244e50ee virtio-gpu: add live migration support
Store some additional state for cursor and resource backing storage,
so we can write out and reload things.  Implement vmsave+vmload for
2d mode.  Continue blocking live migration in 3d/virgl mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com
2016-06-06 09:04:34 +02:00
Gerd Hoffmann 4e68a0ee17 vmsvga: don't process more than 1024 fifo commands at once
vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
2016-06-06 09:04:29 +02:00
Gerd Hoffmann 7e486f7577 vmsvga: shadow fifo registers
The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without syncronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
2016-06-06 09:04:24 +02:00
Gerd Hoffmann c2e3c54d39 vmsvga: add more fifo checks
Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
2016-06-06 09:04:19 +02:00
Gerd Hoffmann 5213602678 vmsvga: move fifo sanity checks to vmsvga_fifo_length
Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
2016-06-06 09:03:51 +02:00
Gerd Hoffmann fa06e5cb7b virtio-gpu: fix scanout rectangles
Commit "ca58b45 ui/virtio-gpu: add and use qemu_create_displaysurface_pixman"
breaks scanouts which use a region of the underlying resource only.

So, we need another way to handle the underlying issue.  Lets create a
new pixman image, grab a reference on the pixman providing the
underlying storage, hook up a destroy callback which releases the
reference.  That way regions work again and releasing the backing
storage should still be impossible thanks to the extra reference we are
holding.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1464597655-26341-1-git-send-email-kraxel@redhat.com
2016-06-03 09:05:28 +02:00
Gerd Hoffmann 94ef4f337f vga: add sr_vbe register set
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
2016-05-23 14:28:25 +02:00
Marc-André Lureau 6b860806c0 virtio-gpu: fix ui idx check
Fix off-by-one value check (0 is the first scanout).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau acfc484650 virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
The value is defined in virtio_gpu.h already (changing from 4 to 16).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau 2fe760554e virtio-gpu: check max_outputs only
The scanout id should not be above the configured num_scanouts.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau 5e3d741c6a virtio-gpu: check max_outputs value
The value must be less than VIRTIO_GPU_MAX_SCANOUT.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau d0f0c8654a virtio-vga: propagate on gpu realized error
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau fe89fdebca virtio-gpu: check early scanout id
Before accessing the g->scanout array, in order to avoid potential
out-of-bounds access.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Paolo Bonzini 03dd024ff5 hw: explicitly include qemu/log.h
Move the inclusion out of hw/hw.h, most files do not need it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini 33c11879fd qemu-common: push cpu.h inclusion out of qemu-common.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini 87776ab72b qemu-common: stop including qemu/host-utils.h from qemu-common.h
Move it to the actual users.  There are some inclusions of
qemu/host-utils.h in headers, but they are all necessary.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Peter Maydell 14fccfa91e MIPS patches 2016-05-13
Changes:
 * fix zeroing CP0.WatchLo registers in soft reset
 * QOMify Jazz led
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJXNaaUAAoJEFIRjjwLKdpre/sIAIhtHFxtzlNEBq27CG0Rsp2l
 7EN8O/NqVmhiq2NU5Xt6wJ100GjKftMM9f49aRhz05q7kgKIs+M0PC3RB2wvIYzQ
 lk4zbreiBdZYWA/m38SBSU2CJvEs+8FpthBtfNi/gN701lQ45K9oJdzl0jsURIh/
 /dLQhzPmHrf4NImQzxqybhX8ta80TUXLWOv/ZbuGEFEEXnp+db7+eajIw4kgqCT+
 J/XpqeFrZ/aJfT3Ag7LLsAimmTP439JIO1goIei8POvEXgkm1AmxpvIk6Aq1bGiz
 BnTm80lj5JSHImbObOu4WKIu8wRcWZb5rEIl2oMfnzAx6iPhRPOS8JNP+565Tes=
 =0B4r
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160513' into staging

MIPS patches 2016-05-13

Changes:
* fix zeroing CP0.WatchLo registers in soft reset
* QOMify Jazz led

# gpg: Signature made Fri 13 May 2016 11:04:04 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"

* remotes/lalrae/tags/mips-20160513:
  hw/display: QOM'ify jazz_led.c
  target-mips: fix call to memset in soft reset code

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-13 11:50:42 +01:00
xiaoqiang.zhao 7fe91a5b33 hw/display: QOM'ify jazz_led.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2016-05-13 09:33:38 +01:00
Peter Maydell 4274d821ff hw/display/blizzard: Remove blizzard_template.h
We no longer need to do the "multiply include this header" trick with
blizzard_template.h, and it is only used in a single .c file, so just
put its contents inline in blizzard.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-3-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:30 +01:00
Peter Maydell 5c8759087d hw/display/blizzard: Expand out macros
Now that we can assume that only depth 32 is possible, there's no need
for the COPY_PIXEL1 and PIXEL_TYPE macros, and the SKIP_PIXEL, COPY_PIXEL
and SWAP_WORDS macros aren't used at all. Expand out COPY_PIXEL1 and
PIXEL_TYPE where they are used, delete the unused macro definitions, and
expand out the uses of glue(name_prefix, DEPTH).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-2-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:29 +01:00
xiaoqiang zhao 3c09d6caad hw/display: QOM'ify exynos4210_fimd.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1462417489-28603-2-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:27 +01:00
Pooja Dhannawat ea644cf343 omap_lcdc: Remove support for DEPTH != 32
surface_bits_per_pixel() always returns 32
so, removing other dead code which is
based on DEPTH !== 32

Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1459260142-9144-1-git-send-email-dhannawatpooja1@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Pooja Dhannawat 5c87c4089a blizzard: Remove support for DEPTH != 32
Removing support for DEPTH != 32 from blizzard template header
and file that includes it, as macro DEPTH == 32 only used.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1458971873-2768-1-git-send-email-dhannawatpooja1@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Gerd Hoffmann fd3c136b3e vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heigts settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann 2068192dcc vga: update vga register setup on vbe changes
Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann 7fa5c2c5dc vga: factor out vga register setup
When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer.  Move that code to a separate function so we can call it
from other places too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann bfa0f151a5 vga: add vbe_enabled() helper
Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann 3bf1817079 vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.

The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register.  The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Wei Liu 4df26e88ee xenfb: use the correct condition to avoid excessive looping
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <=
out_cons"), ">=" was used. In fact, a full ring is a legit state.
Correct the test to use ">".

Reported-by: "Hao, Xudong" <xudong.hao@intel.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: "Hao, Xudong" <xudong.hao@intel.com>
Acked-by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
2016-04-12 10:16:08 -07:00
Gerd Hoffmann fa49e4656a virtio-gpu: block live migration
Feeling a bit nervous putting the full live migration support
patch (https://patchwork.ozlabs.org/patch/606902/) in that
late in the 2.6 devel cycle as it carries some non-trivial
changes.  So disable migration in case virtio-gpu is present
for now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-11 12:36:34 +02:00
Gerd Hoffmann ca58b45fbe ui/virtio-gpu: add and use qemu_create_displaysurface_pixman
Add a the new qemu_create_displaysurface_pixman function, to create
a DisplaySurface backed by an existing pixman image.  In that case
there is no need to create a new pixman image pointing to the same
backing storage.  We can just use the existing image directly.

This does not only simplify things a bit, but most importantly it
gets the reference counting right, so the backing storage for the
pixman image wouldn't be released underneath us.

Use new function in virtio-gpu, where using it actually fixes
use-after-free crashes.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1459499240-742-1-git-send-email-kraxel@redhat.com
2016-04-11 12:32:01 +02:00
Rutuja Shah 73bcb24d93 Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND
This patch replaces get_ticks_per_sec() calls with the macro
NANOSECONDS_PER_SECOND. Also, as there are no callers, get_ticks_per_sec()
is then removed.  This replacement improves the readability and
understandability of code.

For example,

    timer_mod(fdctrl->result_timer,
	      qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (get_ticks_per_sec() / 50));

NANOSECONDS_PER_SECOND makes it obvious that qemu_clock_get_ns
matches the unit of the expression on the right side of the plus.

Signed-off-by: Rutuja Shah <rutu.shah.26@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:17 +01:00
Paolo Bonzini 4771d756f4 hw: explicitly include qemu-common.h and cpu.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:17 +01:00
Markus Armbruster da34e65cb4 include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef.  Since then, we've moved to include qemu/osdep.h
everywhere.  Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h.  That's in excess of
100KiB of crap most .c files don't actually need.

Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h.  Include qapi/error.h in .c files that need it and don't
get it now.  Include qapi-types.h in qom/object.h for uint16List.

Update scripts/clean-includes accordingly.  Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h.  Update the list of includes in the qemu/osdep.h
comment quoted above similarly.

This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third.  Unfortunately, the number depending on
qapi-types.h shrinks only a little.  More work is needed for that one.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:15 +01:00