Introduce pci_config_read/write_common helpers to prevent passing
accesses down the callback chain that go beyond the config space limits.
Adjust length assertions as they are no longer correct (cutting may
generate valid 3 byte accesses).
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

qemu_find_netdev() looks up members of non_vlan_clients by name.  It
happily returns the first match.  Trouble is the names need not be
unique.

non_vlan_clients contains host parts (netdevs) and guest parts (NICs).

Netdevs have unique names: a netdev's name is a (mandatory)
qemu_netdev_opts ID, and these are unique.

NIC names are not unique.  If a NIC has a qdev ID (which is unique),
that's its name.  Else, we make up a name.  The made-up names are
unique, but they can clash with qdev IDs.  Even if NICs had unique
names, they could still clash with netdev names.

Callers of qemu_find_netdev():

* net_init_nic() wants a netdev.  It happens to work because it runs
  before NICs get added to non_vlan_clients.

* do_netdev_del() wants a netdev.  If it gets a NIC, it complains and
  fails.  Bug: a netdev with the same name that comes later in
  non_vlan_clients can't be deleted:

    $ qemu-system-x86_64 -nodefaults -vnc :0 -S -monitor stdio -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=virtio1
    [...]
    (qemu) netdev_add user,id=virtio1
    (qemu) info network
    Devices not on any VLAN:
      hostnet0: net=10.0.2.0, restricted=n peer=virtio1
      virtio1: model=virtio-net-pci,macaddr=52:54:00:12:34:56 peer=hostnet0
      virtio1: net=10.0.2.0, restricted=n
    (qemu) netdev_del virtio1
    Device 'virtio1' not found

* parse_netdev() wants a netdev.  If it gets a NIC, it gets confused.
  With the test setup above:

    (qemu) device_add virtio-net-pci,netdev=virtio1
    Property 'virtio-net-pci.netdev' can't take value 'virtio1', it's in use

  You can even connect two NICs to each other:

    $ qemu-system-x86_64 -nodefaults -vnc :0 -S -monitor stdio -device virtio-net-pci,id=virtio1 -device e1000,netdev=virtio1
    [...]
    Devices not on any VLAN:
      virtio1: model=virtio-net-pci,macaddr=52:54:00:12:34:56 peer=e1000.0
      e1000.0: model=e1000,macaddr=52:54:00:12:34:57 peer=virtio1
    (qemu) q
    Segmentation fault (core dumped)

* do_set_link() works fine for both netdevs and NICs.  Whether it
  really makes sense for netdevs is debatable, but that's outside this
  patch's scope.

Change qemu_find_netdev() to return only netdevs.  This fixes the
netdev_del and device_add/-device bugs demonstrated above.

To avoid changing set_link, make do_set_link() search non_vlan_clients
by hand instead of calling qemu_find_netdev().
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

If a network client doesn't have a name, we make one up, with
assign_name().  assign_name() creates a name MODEL.NUM, where MODEL is
the client's model, and NUM is the number of MODELs that already
exist.

Bug: it misses clients that are not on a VLAN, i.e. netdevs and the
NICs using them:

    $ qemu-system-x86_64 -nodefaults -vnc :0 -S -monitor stdio -netdev user,id=hostnet0 -net nic,netdev=hostnet0 -netdev user,id=hostnet1 -net nic,netdev=hostnet1
    QEMU 0.14.50 monitor - type 'help' for more information
    (qemu) info network
    Devices not on any VLAN:
      hostnet0: net=10.0.2.0, restricted=n peer=e1000.0
      hostnet1: net=10.0.2.0, restricted=n peer=e1000.0
      e1000.0: model=e1000,macaddr=52:54:00:12:34:56 peer=hostnet0
      e1000.0: model=e1000,macaddr=52:54:00:12:34:57 peer=hostnet1

Fix that.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

We were previously allowing arbitrarily-long indirect descriptors, which
could lead to a buffer overflow in qemu-kvm process.

CVE-2011-2212
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

move ids to pci info structure
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Signed-off-by: NAnthony PERARD <anthony.perard@citrix.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Sync xen names to ones used by linux. Add
xen platform device id as well.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

vhost dev stop failed to clear the log field.
Typically not an issue as dev start overwrites this field,
but if logging gets disabled before the following start,
it doesn't so this causes a double free.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Both the signal thread (via sigwait()) and the cpu thread (via
a normal signal handler) were attempting to catch SIG_IPI.

This resulted in random freezes under Darwin.

This patch separates SIG_IPI from the rest of the signals handled
by the signal thread, because it is independently caught by the cpu
thread.
Signed-off-by: NAlexandre Raymond <cerbere@gmail.com>
Acked-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Changes since v1:
- take pthread_sigmask() out of the ifdef as it is now common
to both parts.

This fix effectively blocks, in the main thread, the signals handled
by signalfd or the compatibility signal thread.

This way, such signals are received synchronously in the main thread
through sigfd_handler() instead of triggering the signal handler
directly, asynchronously.
Signed-off-by: NAlexandre Raymond <cerbere@gmail.com>
Acked-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Expand the note on the number of TCG ops generated per target insn,
to be clearer about the range of applicability of the 20 op rule
of thumb. Also add a note about the hard MAX_OP_PER_INSTR limit.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

setting ELF_HWCAP fixes dynamic library loading for Linux/sparc64
This patch allows loading busybox from Debian 6 initrd
Signed-off-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Translation used incorrectly CPUState fields directly to check
for FPU enable state and 32 bit address masking on Sparc64.

Fix by using TB flags instead.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Fixed C99 comments on block-tranfer ASIs.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Support JPS1 little endian block transfer ASIs.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Support UA2007 block store ASIs for stfa instructions.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Support UA2007 block load ASIs for ldfa instructions.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

stfa/stdfa/stqfa instructions should raise fp_disabled exceptions
if %pstate.PEF==0 or %fprs.FEF==0.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This patch implements sparcv9 stfa/stdfa/stqfa instructions
with non block-store ASIs.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

ldfa/lddfa/ldqfa instructions should raise fp_disabled exceptions
if %pstate.PEF==0 or %fprs.FEF==0.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This patch implements sparcv9 ldfa/lddfa/ldqfa instructions
with non block-load ASIs.
Signed-off-by: NTsuneo Saito <tsnsaito@gmail.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Andrew Griffiths reports that -runas does not set supplementary group
IDs.  This means that gid 0 (root) is not dropped when switching to an
unprivileged user.

Add an initgroups(3) call to use the -runas user's /etc/groups
membership to update the supplementary group IDs.
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Acked-by: NChris Wright <chrisw@sous-sol.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This bug was introduced in 94d3f98a:
scsi_cancel_io was checking if some request was pending before trying
to cancel it, while scsi_req_cancel always cancels the request.

This may lead to a crash of Qemu due to dereferencing a NULL pointer,
as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Remove the include of setjmp.h from the cpu.h of target-alpha
and target-ppc. This is unnecessary because cpu-defs.h already
includes this header; this change brings these two targets
into line with all the rest.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Some versions of png.h cannot be included after setjmp.h,
even when PNG_SKIP_SETJMP_CHECK was defined.

setjmp.h was included from qemu-common.h and is not needed there.
Removing the include statement fixes compilation of ui/vnc-enc-tight.c
with CONFIG_VNC_PNG defined.
Signed-off-by: NStefan Weil <weil@mail.berlios.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Recent compilers look deep into cpu_exec, find longjmp as a noreturn
function and decide to smash some stack variables as they won't be used
again. This may lead to env becoming invalid after return from setjmp,
causing crashes. Fix it by reloading env from cpu_single_env in that
case.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The target-arm frontend's worst-case TCG ops per instr is 194 (and in
general many of the "load multiple registers" ARM instructions generate
more than 100 TCG ops). Raise MAX_OP_PER_INSTR accordingly to avoid
possible buffer overruns.

Since it doesn't make any sense for the "64 bit guest on 32 bit host"
case to have a smaller limit than the normal case, we collapse the
two cases back into each other again.

(This increase costs us about 14K in extra static buffer space and
21K of extra margin at the end of a 32MB codegen buffer.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

When calculating the point at which we should not try to put another
TB into the code gen buffer, we have to allow not just for OPC_MAX_SIZE
but OPC_BUF_SIZE. This is because the target translate.c will only
stop when an instruction has put it past the OPC_MAX_SIZE limit, so
we have to include the MAX_OP_PER_INSTR margin which that final insn
might have used.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Device code some times needs to access physical memory and does that
through the ld./st._phys functions. However, these are the exact same
functions that the CPU uses to access memory, which means they will
be endianness swapped depending on the target CPU.

However, devices don't know about the CPU's endianness, but instead
access memory directly using their own interface to the memory bus,
so they need some way to read data with their native endianness.

This patch adds _le and _be functions to ld./st._phys.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Just in case there's still a way how a guest can read out buffers when it's not
supposed to, let's zero the buffers during initialisation so that we don't leak
information to the guest.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>

This fixes https://bugs.launchpad.net/qemu/+bug/786209:

    When the DRQ_STAT bit is set, the IDE core permits both data reads
    and data writes, regardless of whether the current transfer was
    initiated as a read or write.

    This potentially leaks uninitialized host memory into the guest,
    if, before doing anything else to an IDE device, the guest begins a
    write transaction (e.g. WIN_WRITE), but then *reads* from the IO
    port instead of writing to it.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>

The current message doesn't clearly communicate the error cause.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>