- 07 3月, 2017 15 次提交
-
-
由 Peter Maydell 提交于
When assembling 'given' from the instruction bytes, C's integer promotion rules mean we may promote an unsigned char to a signed integer before shifting it, and then sign extend to a 64-bit long, which can set the high bits of the long. The code doesn't in fact care about the high bits if the long is 64 bits, but this is surprising, so don't do it. (Spotted by Coverity, CID 1005404.) Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 1488556233-31246-7-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
In the cris disassembler we were using 'unsigned long' to calculate addresses which are supposed to be 32 bits. This meant that we might accidentally sign extend or calculate a value that was outside the 32 bit range of the guest CPU. Use 'uint32_t' instead so we give the right answers on 64-bit hosts. (Spotted by Coverity, CID 1005402, 1005403.) Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1488556233-31246-6-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
In read_insn_microblaze() we assemble 4 bytes into an 'unsigned long'. If 'unsigned long' is 64 bits and the high byte has its top bit set, then C's implicit conversion from 'unsigned char' to 'int' for the shift will result in an unintended sign extension which sets the top 32 bits in 'inst'. Add casts to prevent this. (Spotted by Coverity, CID 10054016.) Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 1488556233-31246-5-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
In get_field(), we take an 'unsigned char' value and shift it left, which implicitly promotes it to 'signed int', before ORing it into an 'unsigned long' type. If 'unsigned long' is 64 bits then this will result in a sign extension and the top 32 bits of the result will be 1s. Add explicit casts to unsigned long before shifting to prevent this. (Spotted by Coverity, CID 715697.) Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NLaurent Vivier <laurent@vivier.eu> Message-id: 1488556233-31246-4-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
In a code path where we hit an internal disassembler error, execution would subsequently attempt to dereference a NULL pointer. This should never happen, but avoid the crash. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 1488556233-31246-3-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
Coverity complains (CID 1302705) that the "fr0" part of the ?: in fput_fp_reg_r() is dead. This looks like cut-n-paste error from fput_fp_reg(); delete the dead code. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1488556233-31246-2-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
target/xtensa updates: - instantiate local memories in xtensa sim machine; - add two missing include files to xtensa core importing script. # gpg: Signature made Mon 06 Mar 2017 22:32:45 GMT # gpg: using RSA key 0x51F9CC91F83FA044 # gpg: Good signature from "Max Filippov <filippov@cadence.com>" # gpg: aka "Max Filippov <max.filippov@cogentembedded.com>" # gpg: aka "Max Filippov <jcmvbkbc@gmail.com>" # Primary key fingerprint: 2B67 854B 98E5 327D CDEB 17D8 51F9 CC91 F83F A044 * remotes/xtensa/tags/20170306-xtensa: target/xtensa: add two missing headers to core import script target/xtensa: sim: instantiate local memories Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
Fixes issues that got merged with the latest pull request: - missing O_NOFOLLOW flag for CVE-2016-960 - build break with older glibc that don't have O_PATH and AT_EMPTY_PATH - various bugs reported by Coverity # gpg: Signature made Mon 06 Mar 2017 17:51:29 GMT # gpg: using DSA key 0x02FC3AEB0101DBC2 # gpg: Good signature from "Greg Kurz <groug@kaod.org>" # gpg: aka "Greg Kurz <groug@free.fr>" # gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>" # gpg: aka "Gregory Kurz (Groug) <groug@free.fr>" # gpg: aka "[jpeg image of size 3330]" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2 * remotes/gkurz/tags/fixes-for-2.9: 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common() 9pfs: fix O_PATH build break with older glibc versions 9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough() 9pfs: fail local_statfs() earlier 9pfs: fix fd leak in local_opendir() 9pfs: fix bogus fd check in local_remove() Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
qemu-ga patch queue for 2.9 * fix fsfreeze for filesystems mounted in multiple locations * fix test failure when running in a chroot * support for socket-based activation # gpg: Signature made Mon 06 Mar 2017 07:54:17 GMT # gpg: using RSA key 0x3353C9CEF108B584 # gpg: Good signature from "Michael Roth <flukshun@gmail.com>" # gpg: aka "Michael Roth <mdroth@utexas.edu>" # gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>" # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 * remotes/mdroth/tags/qga-pull-2017-03-06-tag: tests: check path to avoid a failing qga/get-vcpus test qga: ignore EBUSY when freezing a filesystem qga: add systemd socket activation support Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Greg Kurz 提交于
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Greg Kurz 提交于
When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the openat() syscall simply finds the name in the VFS, and doesn't trigger the underlying filesystem. On systems that don't define O_PATH, because they have glibc version 2.13 or older for example, we can safely omit it. We don't want to deactivate O_PATH globally though, in case it is used without O_DIRECTORY. The is done with a dedicated macro. Systems without O_PATH may thus fail to resolve names that involve unreadable directories, compared to newer systems succeeding, but such corner case failure is our only option on those older systems to avoid the security hole of chasing symlinks inappropriately. Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com> (added last paragraph to changelog as suggested by Eric Blake) Signed-off-by: NGreg Kurz <groug@kaod.org>
-
由 Greg Kurz 提交于
The name argument can never be an empty string, and dirfd always point to the containing directory of the file name. AT_EMPTY_PATH is hence useless here. Also it breaks build with glibc version 2.13 and older. It is actually an oversight of a previous tentative patch to implement this function. We can safely drop it. Reported-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: NGreg Kurz <groug@kaod.org> Tested-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Greg Kurz 提交于
If we cannot open the given path, we can return right away instead of passing -1 to fstatfs() and close(). This will make Coverity happy. (Coverity issue CID1371729) Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NDaniel P. berrange <berrange@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
-
由 Greg Kurz 提交于
Coverity issue CID1371731 Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
-
由 Greg Kurz 提交于
This was spotted by Coverity as a fd leak. This is certainly true, but also local_remove() would always return without doing anything, unless the fd is zero, which is very unlikely. (Coverity issue CID1371732) Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com>
-
- 06 3月, 2017 25 次提交
-
-
由 Peter Maydell 提交于
# gpg: Signature made Mon 06 Mar 2017 04:15:17 GMT # gpg: using RSA key 0xEF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: net/filter-mirror: Follow CODING_STYLE COLO-compare: Fix icmp and udp compare different packet always dump bug COLO-compare: Optimize compare_common and compare_tcp COLO-compare: Rename compare function and remove duplicate codes filter-rewriter: skip net_checksum_calculate() while offset = 0 net/colo: fix memory double free error vmxnet3: VMStatify rx/tx q_descr and int_state vmxnet3: Convert ring values to uint32_t's net/colo-compare: Fix memory free error colo-compare: Fix removing fds been watched incorrectly in finalization char: remove the right fd been watched in qemu_chr_fe_set_handlers() colo-compare: kick compare thread to exit after some cleanup in finalization colo-compare: use g_timeout_source_new() to process the stale packets NetRxPkt: Remove code duplication in net_rx_pkt_pull_data() NetRxPkt: Account buffer with ETH header in IOV length NetRxPkt: Do not try to pull more data than present NetRxPkt: Fix memory corruption on VLAN header stripping eth: Extend vlan stripping functions net: Remove useless local var pkt Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
ppc patch queue for 2017-03-06 Looks like my previous batch wasn't quite the last before hard freeze. This has a handful of bugfixes to go in. They're all genuine bugfixes, though not regressions in some cases. # gpg: Signature made Mon 06 Mar 2017 04:07:48 GMT # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.9-20170306: target/ppc: use helper for excp handling target/ppc: fmadd: add macro for updating flags target/ppc: fmadd check for excp independently spapr: ensure that all threads within core are on the same NUMA node ppc/xics: register reset handlers for the ICP and ICS objects Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
QAPI patches for 2017-02-28 # gpg: Signature made Sun 05 Mar 2017 08:21:51 GMT # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-qapi-2017-02-28: (27 commits) qapi: Improve qobject visitor documentation qapi: Fix object input visit beyond end of list tests: Cover input visit beyond end of list qapi: Make input visitors detect unvisited list tails test-qobject-input-visitor: Cover missing nested struct member tests: Cover partial input visit of list test-string-input-visitor: Improve list coverage test-string-input-visitor: Tear down existing test automatically tests-qobject-input-strict: Merge into test-qobject-input-visitor qapi: Drop unused non-strict qobject input visitor test-qobject-input-visitor: Use strict visitor qom: Make object_property_set_qobject()'s input visitor strict qapi: Make string input and opts visitor require non-null input qapi: Drop string input visitor method optional() qapi: Improve qobject input visitor error reporting qapi: Make QObject input visitor set *list reliably qapi: Clean up after commit 3d344c2a qapi: Improve a QObject input visitor error message qmp: Eliminate silly QERR_QMP_* macros qmp: Drop duplicated QMP command object checks ... Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Bruce Rogers 提交于
The qga/get-vcpus test fails in a simple chroot environment, as used in an openSUSE Build Service local build, so first check that the sysfs based path exists in order to avoid calling this test in an environment where it won't work right. Signed-off-by: NBruce Rogers <brogers@suse.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Lieven 提交于
the current implementation fails if we try to freeze an already frozen filesystem. This can happen if a filesystem is mounted more than once (e.g. with a bind mount). Suggested-by: NChristian Theune <ct@flyingcircus.io> Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Hajnoczi 提交于
AF_UNIX and AF_VSOCK listen sockets can be passed in by systemd on startup. This allows systemd to manage the listen socket until the first client connects and between restarts. Advantages of socket activation are that parallel startup of network services becomes possible and that unused daemons do not consume memory. The key to achieving this is the LISTEN_FDS environment variable, which is a stable ABI as shown here: https://www.freedesktop.org/wiki/Software/systemd/InterfacePortabilityAndStabilityChart/ We could link against libsystemd and use sd_listen_fds(3) but it's easy to implement the tiny LISTEN_FDS ABI so that qemu-ga does not depend on libsystemd. Some systems may not have systemd installed and wish to avoid the dependency. Other init systems or socket activation servers may implement the same ABI without systemd involvement. Test as follows: $ cat ~/.config/systemd/user/qga.service [Unit] Description=qga [Service] WorkingDirectory=/tmp ExecStart=/path/to/qemu-ga --logfile=/tmp/qga.log --pidfile=/tmp/qga.pid --statedir=/tmp $ cat ~/.config/systemd/user/qga.socket [Socket] ListenStream=/tmp/qga.sock [Install] WantedBy=default.target $ systemctl --user daemon-reload $ systemctl --user start qga.socket $ nc -U /tmp/qga.sock Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Zhang Chen 提交于
Signed-off-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Zhang Chen 提交于
Signed-off-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Zhang Chen 提交于
Add offset args for colo_packet_compare_common, optimize colo_packet_compare_icmp() and colo_packet_compare_udp() just compare the IP payload. Before compare all tcp packet, we compare tcp checksum firstly, this function can get better performance. Signed-off-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Zhang Chen 提交于
Rename colo_packet_compare() to colo_packet_compare_common() that make tcp_compare udp_compare icmp_compare reuse this function. Remove minimum packet size check in icmp_compare, because we have check this in parse_packet_early(). Signed-off-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
While the offset of packets's sequence for primary side and secondary side is zero, it is unnecessary to call net_checksum_calculate() to recalculate the checksume value of packets. Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
The 'primary_list' and 'secondary_list' members of struct Connection is not allocated through dynamically g_queue_new(), but we free it by using g_queue_free(), which will lead to a double-free bug. Reviewed-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dr. David Alan Gilbert 提交于
Fairly simple mechanical conversion of all fields. TODO!!!! The problem is vmxnet3-ring size/cell_size/next are declared as size_t but written as 32bit. Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Acked-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dr. David Alan Gilbert 提交于
The index's in the Vmxnet3Ring were migrated as 32bit ints yet are declared as size_t's. They appear to be derived from 32bit values loaded from guest memory, so actually store them as that. Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Acked-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Zhang Chen 提交于
We use g_queue_init() to init s->conn_list, so we should use g_queue_clear() to instead of g_queue_free(). Signed-off-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Reviewed-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
We will catch the bellow error report while try to delete compare object by qmp command: chardev/char-io.c:91: io_watch_poll_finalize: Assertion `iwp->src == ((void *)0)' failed. This is caused by failing to remove the right fd been watched while call qemu_chr_fe_set_handlers(); Fix it by pass the worker_context parameter to qemu_chr_fe_set_handlers(). Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
We can call qemu_chr_fe_set_handlers() to add/remove fd been watched in 'context' which can be either default main context or other explicit context. But the original logic is not correct, we didn't remove the right fd because we call g_main_context_find_source_by_id(NULL, tag) which always try to find the Gsource from default context. Fix it by passing the right context to g_main_context_find_source_by_id(). Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
We should call g_main_loop_quit() to notify colo compare thread to exit, Or it will run in g_main_loop_run() forever. Besides, the finalizing process can't happen in context of colo thread, it is reasonable to remove the 'if (qemu_thread_is_self(&s->thread))' branch. Before compare thead exits, some cleanup works need to be done, All unhandled packets need to be released and connection_track_table needs to be freed, or there will be memory leak. Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: NZhang Chen <zhangchen.fnst@cn.fujitsu.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 zhanghailiang 提交于
Instead of using qemu timer to process the stale packets, We re-use the colo compare thread to process these packets by creating a new timeout coroutine. Besides, since we process all the same vNIC's net connection/packets in one thread, it is safe to remove the timer_check_lock. Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dmitry Fleytman 提交于
This is a refactoring commit that does not change behavior. Signed-off-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dmitry Fleytman 提交于
In case of VLAN stripping ETH header is stored in a separate chunk and length of IOV should take this into account. This patch fixes checksum validation for RX packets with VLAN header. Devices affected by this problem: e1000e and vmxnet3. Cc: qemu-stable@nongnu.org Signed-off-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dmitry Fleytman 提交于
In case of VLAN stripping, ETH header put into a separate buffer, therefore amont of data copied from original IOV should be smaller. Cc: qemu-stable@nongnu.org Signed-off-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dmitry Fleytman 提交于
This patch fixed a problem that was introduced in commit eb700029. When net_rx_pkt_attach_iovec() calls eth_strip_vlan() this can result in pkt->ehdr_buf being overflowed, because ehdr_buf is only sizeof(struct eth_header) bytes large but eth_strip_vlan() can write sizeof(struct eth_header) + sizeof(struct vlan_header) bytes into it. Devices affected by this problem: vmxnet3. Cc: qemu-stable@nongnu.org Reported-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Dmitry Fleytman 提交于
Make VLAN stripping functions return number of bytes copied to given Ethernet header buffer. This information should be used to re-compose packet IOV after VLAN stripping. Cc: qemu-stable@nongnu.org Signed-off-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Fam Zheng 提交于
This has been pointless since commit 605d52e6, which was a search-and-replace, overlooked the redundancy. Signed-off-by: NFam Zheng <famz@redhat.com> Reviewed-by: NDmitry Fleytman <dmitry@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-