Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: NSebastian Krahmer <krahmer@suse.de>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
[AF: Tighten upper bound check for posn in close_guest_eventfds()]
Cc: qemu-stable@nongnu.org
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field.  Fix this and
check we received enough bytes before accessing the buffer pointer.

Cc: Cam Macdonell <cam@cs.ualberta.ca>
Reported-by: NSebastian Krahmer <krahmer@suse.de>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
[AF: Handle partial reads via FIFO]
Reported-by: NPeter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This patch fixes instructions counting when execution is stopped on
breakpoint (e.g. set from gdb). Without a patch extra instruction is translated
and icount is incremented by invalid value (which equals to number of
executed instructions + 1).
Signed-off-by: NPavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NPavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>

Add support for powerpc platforms. We use uname -m, which allows us to
detect ppc, ppc64 and ppc64le/el.
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Unfortunately ioctl numbers are platform specific, so abstract them out
of the code so they can be overridden. As it happens x86 and s390 share
the same values, so nothing needs to change yet.
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The current platform detection is a little bit messy. We look for lines
in /proc/cpuinfo starting with 'flags' OR 'vendor-id', and scan both
for values we know will only occur in one or the other. We also keep
scanning once we've found a value, which could be a feature, but isn't
in this case.

We'd also like to add another platform, powerpc, which will just make it
worse. So clean it up in preparation.
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In kvm_stat we have a dictionary of exit reasons for s390. Firstly these
are not s390 specific, they are the generic exit reasons. So rename the
dictionary to reflect that, and add it separately to filters[].

Secondly, the values are defined using hex, but in the kernel header
they are decimal. That means values above 9 in kvm_stat are incorrect.

While we're there, fix the whitespace to match the rest of the file.
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In kvm_stat we grovel through /sys to find out how many cpus are in the
system. However if a cpu is offline it will still be present in /sys,
and the perf_event_open() will fail.

Modify the logic to only return online cpus. We need to be careful on
systems which don't support cpu hotplug, the online file will not be
present at all.
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

We need to count the ctrlq and eventq, and also cleanup before
returning. Besides, the format string should be unsigned.

The number could never be less than zero.
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

All implementations are the same.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Before, when a write protected iSCSI target is attached as scsi-disk
with BDRV_O_RDWR, we report it as writable, while in fact all writes
will fail.

One way to improve this is to report write protect flag as true to
guest, but a even better way is to refuse using a write protected LUN to
guest.

Target write protect flag is checked with a mode sense query.
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

When QEMU works in icount mode cpu_restore_state function performs two actions:
restoring the program counter and updating icount to the correct value.
kvmvapic's patch_instruction function is called by cpu_report_tpr_access
function which also invokes cpu_restore_state. It results to calling
cpu_restore_state twice - in cpu_report_tpr_access and in patch_instruction.
When icount is disabled second call is safe. But when icount is enabled,
cpu_restore_state modifies instructions counter twice, which leads to incorrect
behavior. This patch removes useless cpu_restore_state call from kvmvapic.
Signed-off-by: NPavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NPavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>

commit abfd9ce3(migration: dump vmstate info as a json
file for static analysis) introduce a new command,
'-dump-vmstate', that takes a filename
as an argument.  When executed, QEMU will dump the vmstate information
for the machine type it's invoked with to the file, and quit.

However, only one instance of the -dump-vmstate option is supported.
If more were given, the vmstate_dump_file variable would be overwritten.

This fix also helps silence a Coverity error.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The PCI MMIO might be disabled or the device in the reset state.
Make sure we do not dump these memory regions.
Signed-off-by: NNikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Acked-by: NAlex Williamson <alex.williamson@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This is a pc & q35 only machine opt.

VMWare apparently doesn't like running under QEMU due to our
incomplete emulation of it's special IO Port.  This adds a
pc & q35 property to allow it to be turned off.
Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NDon Slutz <dslutz@verizon.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

MSI-X works slightly different than INTx; the doorbell
registers are not necessarily used as MSI-X interrupts
are directed anyway. So the head pointer on the
reply queue needs to be updated as soon as a frame
is completed, and we can set the doorbell only
when in INTx mode.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Windows requires the frames to be unmapped, otherwise we run
into a race condition where the updated frame data is not
visible to the guest.
With that we can simplify the queue algorithm and use a bitmap
for tracking free frames.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Improve queue logging by displaying head and tail pointer
of the completion queue.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Some implementations use DCMD_CLUSTER_RESET_LD to simulate
a device reset.
Signed-off-by: NHannes Reinecke <hare@suse.de>
[Compare against id, not lun. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The windows driver is sending several init_firmware commands
when in MSI-X mode. It is, however, using only the first
queue. So disregard any additional init_firmware commands
until the HBA is reset.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The EFI firmware doesn't handle unit attentions properly,
so we need to clear the Power On/Reset unit attention upon
initial reset.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

To ease debugging we should be decoding
the register names.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The check for a valid command buffer size was inverted.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The 2108 chip supports MSI and MSI-X, so update the emulation
to support both chips.
Signed-off-by: NHannes Reinecke <hare@suse.de>
[Make VMStateDescription const. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Logical drives can only be addressed with the 'target_id' number;
LUN numbers cannot be selected.
Physical drives can be selected with both, target and LUN id.

So we should disallow LUN numbers not equal to 0 when in
RAID mode.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The trace events already contain the function name, so the actual
message doesn't need to contain any of these informations.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The MFI_DCMD_LD_LIST_QUERY function is using a different format than
MFI_DCMD_LD_LIST, so we need to implement it differently.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

scsi_cdb_length() does not return the length of the cdb, but
the transfersize encoded in the cdb. So rename it to scsi_cdb_xfer()
and also rename all other related functions to end with _xfer.

We can then add a new scsi_cdb_length() which actually does return the
length of the cdb.  With that DEBUG_SCSI can now display the correct
CDB buffer.
Signed-off-by: NHannes Reinecke <hare@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Expand %.mo-objs in -y nested objects, so that we can write combined
object -cflags rules like what will be done in the coming patch.
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

vmware-vga: add rectangle verification (CVE-2014-3689)

# gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2014-3689-20141029-1:
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
  vmware-vga: add vmsvga_verify_rect
  vmware-vga: CVE-2014-3689: turn off hw accel
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)

# gpg: Signature made Tue 28 Oct 2014 10:52:31 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20141028-1:
  vnc: return directly if no vnc client connected
  vnc: sanitize bits_per_pixel from the client
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Fixes for libcacard (usb smartcard emulation), xhci and uhci.

# gpg: Signature made Tue 28 Oct 2014 10:39:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20141028-1:
  uhci: remove useless DEBUG
  xhci: add property to turn on/off streams support
  libcacard: don't free sign buffer while sign op is pending
  libcacard: Lock NSS cert db when selecting an applet on an emulated card
  libcacard: introduce new vcard_emul_logout
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

gtk: fix two warnings with gtk 3.14+

# gpg: Signature made Tue 28 Oct 2014 10:25:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20141028-1:
  gtk: avoid gd_widget_reparent with gtk 3.14+
  gtk: drop gtk_widget_set_double_buffered call
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.

# gpg: Signature made Mon 27 Oct 2014 15:12:13 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (28 commits)
  aio / timers: De-document -clock
  hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
  virtio-scsi: sense in virtio_scsi_command_complete
  target-i386: add Intel AVX-512 support
  get_maintainer.pl: restrict cases where it falls back to --git
  get_maintainer.pl: move git loop under "if ($email) {"
  qtest: fix qtest log fd should be initialized before qtest chardev
  MAINTAINERS: avoid M entries that point to mailing lists
  MAINTAINERS: add some tests directories
  MAINTAINERS: Add more TCG files
  MAINTAINERS: add myself for X86
  MAINTAINERS: add Samuel Thibault as usb-serial.c and baum.c maintainer
  MAINTAINERS: grab more files from Anthony's pile
  target-i386: warns users when CPU threads>1 for non-Intel CPUs
  sysbus: Use TYPE_DEVICE GPIO functionality
  qdev: gpio: Define qdev_pass_gpios()
  qdev: gpio: Remove qdev_init_gpio_out x1 restriction
  qdev: gpio: delete NamedGPIOList::out
  irq: Remove qemu_irq_intercept_out
  qtest/irq: Rework IRQ interception
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The virtio-rng backend is currently linked twice, once in the proxy
device (e.g. virtio-rng-pci) and once in virtio-rng-device.  This causes
a double unref of the backend when the parent device is unplugged.

To fix this, make the proxy device use an alias, similar to what is
already being done for the iothread link.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Message-id: 1414577839-18695-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

graphic_hw_update and vnc_refresh_server_surface aren't
need to do when no vnc client connected. It can reduce
lock contention, because vnc_refresh will hold global big
lock two millisecond every three seconds.
Signed-off-by: NChenLiang <chenliang88@huawei.com>
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>