1. 30 Jan 2013, 12 commits
    • PIIX3: reset the VM when the Reset Control Register's RCPU bit gets set · 1ec4ba74
      Authored by Laszlo Ersek
      Traditional PCI config space access is achieved by writing a 32 bit
      value to io port 0xcf8 to identify the bus, device, function and config
      register. Port 0xcfc then contains the register in question. But if you
      write the appropriate pair of magic values to 0xcf9, the machine will
      reboot. Spectacular! And not standardised in any way (certainly not part
      of the PCI spec), so different chipsets may have different requirements.
      Booo.
      
      In the PIIX3 spec, IO port 0xcf9 is specified as the Reset Control
      Register. Bit 1 (System Reset, SRST) would normally differentiate between
      soft reset and hard reset, but we ignore the difference beyond allowing
      the guest to read it back.
      
      RHBZ reference: 890459
      
      This patch introduces the following overlap between the preexistent
      "pci-conf-idx" region and the "piix3-reset-control" region just being
      added. Partial output from "info mtree":
      
        I/O
        0000000000000000-000000000000ffff (prio 0, RW): io
          0000000000000cf8-0000000000000cfb (prio 0, RW): pci-conf-idx
          0000000000000cf9-0000000000000cf9 (prio 1, RW): piix3-reset-control
      
      I sanity-checked the patch by booting a RHEL-6.3 guest and found no
      problems. I summoned gdb and set a breakpoint on rcr_write() in order to
      gather a bit more confidence. Relevant frames of the stack:
      
        kvm_handle_io (port=3321, data=0x7f3f5f3de000, direction=1, size=1,
                       count=1)                                 [kvm-all.c:1422]
          cpu_outb (addr=3321, val=6 '\006')                      [ioport.c:289]
            ioport_write (index=0, address=3321, data=6)           [ioport.c:83]
              ioport_writeb_thunk (opaque=0x7f3f622c4680, addr=3321, data=6)
                                                                  [ioport.c:212]
                memory_region_iorange_write (iorange=0x7f3f622c4680, offset=0,
                                             width=1, data=6)     [memory.c:439]
                  access_with_adjusted_size (addr=0, value=0x7f3f531fbac0,
                                             size=1, access_size_min=1,
                                             access_size_max=4,
                                             access=0x7f3f5f6e0f90
                                                 <memory_region_write_accessor>,
                                             opaque=0x7f3f6227b668)
                                                                  [memory.c:364]
                    memory_region_write_accessor (opaque=0x7f3f6227b668, addr=0,
                                                  value=0x7f3f531fbac0, size=1,
                                                  shift=0, mask=255)
                                                                  [memory.c:334]
                      rcr_write (opaque=0x7f3f6227afb0, addr=0, val=6, len=1)
                                                             [hw/piix_pci.c:498]
      
      The dispatch happens in ioport_write(); "index=0" means byte-wide access:
      
          static void ioport_write(int index, uint32_t address, uint32_t data)
          {
              static IOPortWriteFunc * const default_func[3] = {
                  default_ioport_writeb,
                  default_ioport_writew,
                  default_ioport_writel
              };
              IOPortWriteFunc *func = ioport_write_table[index][address];
              if (!func)
                  func = default_func[index];
              func(ioport_opaque[address], address, data);
          }
      
      The "ioport_write_table" and "ioport_opaque" arrays describe the flattened
      IO port space. The first array is less interesting (it selects a thunk
      function). The "ioport_opaque" array is interesting because it decides how
      writing to the port is implemented ultimately.
      
      4-byte wide access to 0xcf8 (pci-conf-idx):
      
        (gdb) print ioport_write_table[2][0xcf8]
        $1 = (IOPortWriteFunc *) 0x7f3f5f6d99ba <ioport_writel_thunk>
      
        (gdb) print \
              ((struct MemoryRegionIORange*)ioport_opaque[0xcf8])->mr->ops.write
        $2 = (void (*)(void *, hwaddr, uint64_t, unsigned int))
             0x7f3f5f5575cb <pci_host_config_write>
      
      1-byte wide access to 0xcf9 (piix3-reset-control):
      
        (gdb) print ioport_write_table[0][0xcf9]
        $3 = (IOPortWriteFunc *) 0x7f3f5f6d98d0 <ioport_writeb_thunk>
      
        (gdb) print \
              ((struct MemoryRegionIORange*)ioport_opaque[0xcf9])->mr->ops.write
        $4 = (void (*)(void *, hwaddr, uint64_t, unsigned int))
             0x7f3f5f6b42f1 <rcr_write>
      
      The higher priority of "piix3-reset-control" ensures that the 0xcf9
      entries in ioport_write_table / ioport_opaque will always belong to it,
      independently of its relative registration order versus "pci-conf-idx".
      Signed-off-by: Laszlo Ersek <lersek@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
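A model of the overlap resolution and the Reset Control Register write described in the commit message above, added here as an illustration rather than QEMU's own code; the region names, port ranges and priorities come from the "info mtree" output, while the handler bodies, the strict-priority rule and the reset counter are assumptions.

```c
/* Added example (not QEMU code): a model of QEMU's flattened I/O port table
 * showing why "piix3-reset-control" (0xcf9, prio 1) owns port 0xcf9 inside
 * "pci-conf-idx" (0xcf8-0xcfb, prio 0) whatever the registration order. */
#include <stdint.h>
#include <string.h>

typedef void (*IOPortWrite)(void *opaque, uint32_t addr, uint8_t val);
/* start..end is an inclusive port range; a higher prio wins on overlap. */
typedef struct { const char *name; uint32_t start, end; int prio;
                 IOPortWrite write; void *opaque; } Region;
typedef struct { uint8_t rcr; int reset_requests; } Piix3;
enum { RCR_SRST = 1 << 1, RCR_RCPU = 1 << 2 };   /* bit 1: SRST, bit 2: RCPU */

static const Region *flat[0x10000];   /* one owner per port, like ioport_opaque */
static Piix3 piix3;                   /* modelled PIIX3 state (assumption) */
static int conf_idx_writes;           /* writes that reached pci-conf-idx */

/* Model of rcr_write(): RCPU requests a VM reset (counted here instead of
 * calling QEMU); otherwise only SRST is kept so the guest can read it back. */
static void rcr_write(void *opaque, uint32_t addr, uint8_t val)
{
    Piix3 *d = opaque;
    (void)addr;
    if (val & RCR_RCPU) { d->reset_requests++; return; }
    d->rcr = val & RCR_SRST;
}
static void conf_idx_write(void *o, uint32_t a, uint8_t v) { (void)o; (void)a; (void)v; conf_idx_writes++; }
static const Region pci_conf_idx = { "pci-conf-idx", 0xcf8, 0xcfb, 0, conf_idx_write, NULL };
static const Region piix3_rcr = { "piix3-reset-control", 0xcf9, 0xcf9, 1, rcr_write, &piix3 };

/* Flatten a region: a port keeps its owner unless the newcomer has strictly
 * higher priority (simplified model of memory region flattening). */
static void region_register(const Region *r)
{
    for (uint32_t p = r->start; p <= r->end; p++)
        if (!flat[p] || r->prio > flat[p]->prio) flat[p] = r;
}
/* Rebuild the table, registering the two regions in either order. */
void setup(int piix3_first)
{
    memset(flat, 0, sizeof flat);
    memset(&piix3, 0, sizeof piix3);
    conf_idx_writes = 0;
    region_register(piix3_first ? &piix3_rcr : &pci_conf_idx);
    region_register(piix3_first ? &pci_conf_idx : &piix3_rcr);
}
const char *port_owner(uint32_t addr) { return flat[addr] ? flat[addr]->name : "(none)"; }
/* Byte-wide dispatch, like ioport_write() with index 0. */
void ioport_writeb(uint32_t addr, uint8_t val)
{
    if (flat[addr]) flat[addr]->write(flat[addr]->opaque, addr, val);
}
```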
    • ich9: add support for pci assignment · 91c3f2f0
      Authored by Jason Baron
      Fills out support for the pci assignment API. Added:
      
      PCIINTxRoute ich9_route_intx_pin_to_irq(void *opaque, int pirq_pin)
      
      Add calls to pci_bus_fire_intx_routing_notifier() when routing changes
      are made.
      Signed-off-by: Jason Baron <jbaron@redhat.com>
      Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • virtio-net: rename ctrl rx commands · dd23454b
      Authored by Amos Kong
      This patch makes the rx commands consistent with the specification.
      Signed-off-by: Amos Kong <akong@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • virtio-net: introduce a new macaddr control · c1943a3f
      Authored by Amos Kong
      In the virtio-net guest driver, we currently write the MAC address to
      PCI config space byte by byte, which means there is an intermediate
      step where the MAC is wrong. This patch introduces a new control
      command to set the MAC address; it is atomic.
      
      VIRTIO_NET_F_CTRL_MAC_ADDR is a new feature bit for compatibility.
      
      "mac" field will be set to read-only when VIRTIO_NET_F_CTRL_MAC_ADDR
      is acked.
      Signed-off-by: Amos Kong <akong@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • virtio-net: remove layout assumptions for ctrl vq · 921ac5d0
      Authored by Michael S. Tsirkin
      The virtio-net code makes assumptions about the virtqueue descriptor
      layout (e.g. sg[0] is the header, sg[1] is the data buffer).
      
      This patch makes the code not rely on the layout of descriptors.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Amos Kong <akong@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • virtio-net: revert mac on reset · 41dc8a67
      Authored by Michael S. Tsirkin
      Once the guest overrides the virtio-net primary MAC,
      it retains the value set until QEMU exits.
      This is inconsistent with standard NIC behaviour.
      To fix, revert the MAC to the original value on reset.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • rules/mak: make clean should blow away timestamp files · 7586317b
      Authored by Michael S. Tsirkin
      Using a global pattern makes it easier to clean out
      old generated files.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • Makefile: clean timestamp generation rule · 6f329a55
      Authored by Michael S. Tsirkin
      Create the timestamp by a rule without side effects.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • rules.mak: cleanup config generation rules · 4b25966a
      Authored by Michael S. Tsirkin
      This addresses two issues with config generation:
      1. The rule generating the timestamp has a side effect,
      so cleanup on error does not work.
      2. The rule for handling the timestamp is too generic:
      it can create any missing .h file.
      As a result, when a .h file is removed, the build
      might try to create it using this rule, which
      results in build errors.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • e1000: document ICS read behaviour · a52a8841
      Authored by Michael S. Tsirkin
      Add a code comment to clarify the reason we set ICS with ICR:
      the reason was previously undocumented, and the git
      log confused rather than clarified the comments.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • Merge remote-tracking branch 'qemu-kvm/uq/master' into staging · 0893d460
      Authored by Anthony Liguori
      * qemu-kvm/uq/master:
        target-i386: kvm: prevent buffer overflow if -cpu foo, [x]level is too big
        vmxcap: bit 9 of VMX_PROCBASED_CTLS2 is 'virtual interrupt delivery'
      
      Conflicts:
      	target-i386/kvm.c
      
      Trivial merge resolution due to lack of context.
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • Merge remote-tracking branch 'mdroth/qga-pull-1-28-13' into staging · 0c770679
      Authored by Anthony Liguori
      # By Markus Armbruster
      # Via Michael Roth
      * mdroth/qga-pull-1-28-13:
        qemu-ga: Plug leaks on qmp_guest_network_get_interfaces() error paths
        qemu-ga: Plug memory leak in guest_fsfreeze_cleanup()
  2. 29 Jan 2013, 6 commits
    • target-i386: kvm: prevent buffer overflow if -cpu foo, [x]level is too big · f8bb0565
      Authored by Igor Mammedov
      Stack corruption may occur if too-big 'level' or 'xlevel' values are passed
      on the command line with KVM enabled, due to the limited size of cpuid_data
      in kvm_arch_init_vcpu().
      
      Reproduces with:
       qemu -enable-kvm -cpu qemu64,level=4294967295
      or
       qemu -enable-kvm -cpu qemu64,xlevel=4294967295
      
      Check if there is space in cpuid_data before passing it to cpu_x86_cpuid(),
      or abort() if there is not.
      Reviewed-by: Laszlo Ersek <lersek@redhat.com>
      Reviewed-by: Andreas Faerber <afaerber@suse.de>
      Signed-off-by: Igor Mammedov <imammedo@redhat.com>
      Signed-off-by: Gleb Natapov <gleb@redhat.com>
    • Merge remote-tracking branch 'afaerber/qom-cpu' into staging · ec9466ff
      Authored by Anthony Liguori
      * afaerber/qom-cpu: (37 commits)
        kvm: Pass CPUState to kvm_on_sigbus_vcpu()
        cpu: Unconditionalize CPUState fields
        target-m68k: Use type_register() instead of type_register_static()
        target-unicore32: Use type_register() instead of type_register_static()
        target-openrisc: Use type_register() instead of type_register_static()
        target-unicore32: Catch attempt to instantiate abstract type in cpu_init()
        target-openrisc: Catch attempt to instantiate abstract type in cpu_init()
        target-m68k: Catch attempt to instantiate abstract type in cpu_init()
        target-arm: Catch attempt to instantiate abstract type in cpu_init()
        target-alpha: Catch attempt to instantiate abstract type in cpu_init()
        qom: Introduce object_class_is_abstract()
        target-unicore32: Detect attempt to instantiate non-CPU type in cpu_init()
        target-openrisc: Detect attempt to instantiate non-CPU type in cpu_init()
        target-m68k: Detect attempt to instantiate non-CPU type in cpu_init()
        target-alpha: Detect attempt to instantiate non-CPU type in cpu_init()
        target-arm: Detect attempt to instantiate non-CPU type in cpu_init()
        cpu: Add model resolution support to CPUClass
        target-i386: Remove setting tsc-frequency from x86_def_t
        target-i386: Set custom features/properties without intermediate x86_def_t
        target-i386: Remove vendor_override field from CPUX86State
        ...
      
      Conflicts:
      	tests/Makefile
      
      Resolved a simple conflict caused by lack of context in the Makefile.
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • Merge remote-tracking branch 'kwolf/for-anthony' into staging · 503cb22e
      Authored by Anthony Liguori
      # By Paolo Bonzini (14) and others
      # Via Kevin Wolf
      * kwolf/for-anthony: (24 commits)
        ide: Add fall through annotations
        block: Create proper size file for disk mirror
        ahci: Add migration support
        ahci: Change data types in preparation for migration
        ahci: Remove unused AHCIDevice fields
        hbitmap: add assertion on hbitmap_iter_init
        mirror: do nothing on zero-sized disk
        block/vdi: Check for bad signature
        block/vdi: Improved return values from vdi_open
        block/vdi: Improve debug output for signature
        block: Use error code EMEDIUMTYPE for wrong format in some block drivers
        block: Add special error code for wrong format
        mirror: support arbitrarily-sized iterations
        mirror: support more than one in-flight AIO operation
        mirror: add buf-size argument to drive-mirror
        mirror: switch mirror_iteration to AIO
        mirror: allow customizing the granularity
        block: allow customizing the granularity of the dirty bitmap
        block: return count of dirty sectors, not chunks
        mirror: perform COW if the cluster size is bigger than the granularity
        ...
    • Merge remote-tracking branch 'luiz/queue/qmp' into staging · 6cebf7af
      Authored by Anthony Liguori
      # By Lei Li (3) and others
      # Via Luiz Capitulino
      * luiz/queue/qmp:
        QAPI: Introduce memchar-read QMP command
        QAPI: Introduce memchar-write QMP command
        qemu-char: Add new char backend CirMemCharDriver
        docs: document virtio-balloon stats
        balloon: re-enable balloon stats
        balloon: drop old stats code & API
        block: Monitor command commit neglects to report some errors
    • qemu-ga: Plug memory leak in guest_fsfreeze_cleanup() · 6f686749
      Authored by Markus Armbruster
      Neglects to free errors allocated by qmp_guest_fsfreeze_thaw().
      Spotted by Coverity.
      
      While there, drop the test of whether the return value is negative
      (it's never true), and improve logging.
      Signed-off-by: Markus Armbruster <armbru@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  3. 28 Jan 2013, 12 commits
  4. 27 Jan 2013, 10 commits