1. June 5, 2012: 12 commits
  2. June 4, 2012: 2 commits
  3. June 3, 2012: 2 commits
    • Merge remote-tracking branch 'qemu-kvm/uq/master' into staging · 74f4d227
      Anthony Liguori committed
      * qemu-kvm/uq/master:
        virtio/vhost: Add support for KVM in-kernel MSI injection
        msix: Add msix_nr_vectors_allocated
        kvm: Enable use of kvm_irqchip_in_kernel in hwlib code
        kvm: Introduce kvm_irqchip_add/remove_irqfd
        kvm: Make kvm_irqchip_commit_routes an internal service
        kvm: Publicize kvm_irqchip_release_virq
        kvm: Introduce kvm_irqchip_add_msi_route
        kvm: Rename kvm_irqchip_add_route to kvm_irqchip_add_irq_route
        msix: Introduce vector notifiers
        msix: Invoke msix_handle_mask_update on msix_mask_all
        msix: Factor out msix_get_message
        kvm: update vmxcap for EPT A/D, INVPCID, RDRAND, VMFUNC
        kvm: Enable in-kernel irqchip support by default
        kvm: Add support for direct MSI injections
        kvm: Update kernel headers
        kvm: x86: Wire up MSI support for in-kernel irqchip
        pc: Enable MSI support at APIC level
        kvm: Introduce basic MSI support for in-kernel irqchips
        Introduce MSIMessage structure
        kvm: Refactor KVMState::max_gsi to gsi_count
    • Merge remote-tracking branch 'kwolf/for-anthony' into staging · 2eb02f28
      Anthony Liguori committed
      * kwolf/for-anthony:
        ahci: SATA FIS is 20 bytes, not 0x20
        virtio-blk: Fix geometry sector calculation
        block: prevent snapshot mode $TMPDIR symlink attack
        sheepdog: fix return value of do_load_save_vm_state
        virtio: Fix compiler warning for non Linux hosts
  4. June 1, 2012: 2 commits
  5. May 31, 2012: 3 commits
  6. May 30, 2012: 15 commits
    • ahci: SATA FIS is 20 bytes, not 0x20 · 4bb9c939
      Daniel Verkamp committed
      As in the SATA and AHCI specifications, a FIS is 5 Dwords of 4 bytes
      each, which comes to 20 bytes (decimal), not 0x20.
      Signed-off-by: Daniel Verkamp <daniel@drv.nu>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • virtio-blk: Fix geometry sector calculation · 136be99e
      Christian Borntraeger committed
      Currently the sector value for the geometry is masked, even if the
      user uses a command line parameter that explicitly gives a number.
      This breaks dasd devices on s390. A dasd device can have
      a physical block size of 4096 (== same for logical block size)
      and a typical geometry of 15 heads and 12 sectors per cyl.
      The ibm partition detection relies on a correct geometry
      reported by the device. Unfortunately the current code changes
      12 to 8. This would be necessary if the total size is
      not a multiple of logical sector size,  but for dasd this
      is not the case.
      
      This patch checks the device size and only applies sector
      mask if necessary.
      Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
      CC: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • block: prevent snapshot mode $TMPDIR symlink attack · c2d76497
      Jim Meyering committed
      In snapshot mode, bdrv_open creates an empty temporary file without
      checking for mkstemp or close failure, and ignoring the possibility
      of a buffer overrun given a surprisingly long $TMPDIR.
      Change the get_tmp_filename function to return int (not void),
      so that it can inform its two callers of those failures.
      Also avoid the risk of buffer overrun and do not ignore mkstemp
      or close failure.
      Update both callers (in block.c and vvfat.c) to propagate
      temp-file-creation failure to their callers.
      
      get_tmp_filename creates and closes an empty file, while its
      callers later open that presumed-existing file with O_CREAT.
      The problem was that a malicious user could provoke mkstemp failure
      and race to create a symlink with the selected temporary file name,
      thus causing the qemu process (usually root owned) to open through
      the symlink, overwriting an attacker-chosen file.
      
      This addresses CVE-2012-2652.
      http://bugzilla.redhat.com/CVE-2012-2652
      Signed-off-by: Jim Meyering <meyering@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • sheepdog: fix return value of do_load_save_vm_state · 6f3c714e
      MORITA Kazutaka committed
      bdrv_save_vmstate and bdrv_load_vmstate should return the vmstate size
      on success, and -errno on error.
      Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • virtio: Fix compiler warning for non Linux hosts · 47ce9ef7
      Stefan Weil committed
      The local variables ret, i are only used if __linux__ is defined.
      Signed-off-by: Stefan Weil <sw@weilnetz.de>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • Merge remote-tracking branch 'mdroth/qga-pull-5-29-12-v2' into staging · d6111501
      Anthony Liguori committed
      * mdroth/qga-pull-5-29-12-v2:
        qemu-ga: avoid blocking on atime update when reading /etc/mtab
        qemu-ga: Fix use of environ on Darwin
    • block: prevent snapshot mode $TMPDIR symlink attack · eba25057
      Jim Meyering committed
      In snapshot mode, bdrv_open creates an empty temporary file without
      checking for mkstemp or close failure, and ignoring the possibility
      of a buffer overrun given a surprisingly long $TMPDIR.
      Change the get_tmp_filename function to return int (not void),
      so that it can inform its two callers of those failures.
      Also avoid the risk of buffer overrun and do not ignore mkstemp
      or close failure.
      Update both callers (in block.c and vvfat.c) to propagate
      temp-file-creation failure to their callers.
      
      get_tmp_filename creates and closes an empty file, while its
      callers later open that presumed-existing file with O_CREAT.
      The problem was that a malicious user could provoke mkstemp failure
      and race to create a symlink with the selected temporary file name,
      thus causing the qemu process (usually root owned) to open through
      the symlink, overwriting an attacker-chosen file.
      
      This addresses CVE-2012-2652.
      http://bugzilla.redhat.com/CVE-2012-2652
      Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
      Signed-off-by: Jim Meyering <meyering@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
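      The two entries above carrying this commit message describe the same defect: a temp-file helper that returned void, so callers reused a name whose mkstemp had failed, and a fixed-size buffer that a long $TMPDIR could overrun. The block below is an added illustration, not QEMU's code; it keeps the `get_tmp_filename` name and the int/-errno convention from the message, and `try_with_tmpdir` is a demo driver assumed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Illustrative hardened helper (not QEMU's code). It builds the snapshot
 * temp-file name under $TMPDIR with a bounded snprintf (no overrun on a
 * long $TMPDIR) and returns -errno instead of void, so a caller never
 * reuses a name whose mkstemp failed; that reuse is what let a planted
 * symlink at the same name be followed by the later open(O_CREAT).
 */
static int get_tmp_filename(char *filename, int size)
{
    const char *tmpdir = getenv("TMPDIR");
    int fd;

    if (!tmpdir) {
        tmpdir = "/tmp";
    }
    /* snprintf returns the length it needed; >= size means truncation */
    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
        return -EOVERFLOW;
    }
    fd = mkstemp(filename);     /* O_CREAT|O_EXCL, mode 0600, atomic */
    if (fd < 0) {
        return -errno;          /* e.g. -ENOENT if $TMPDIR is missing */
    }
    if (close(fd) != 0) {
        return -errno;
    }
    return 0;
}

/* Demo driver (assumed name): run the helper with a chosen TMPDIR and a
 * buffer size of at most 256, and unlink the file on success so nothing
 * is left behind. Constructed inputs only; no real QEMU state involved. */
static int try_with_tmpdir(const char *tmpdir, int size)
{
    char buf[256];
    int ret;
    if (size > (int)sizeof(buf)) {
        size = (int)sizeof(buf);
    }
    setenv("TMPDIR", tmpdir, 1);
    ret = get_tmp_filename(buf, size);
    if (ret == 0) {
        unlink(buf);
    }
    return ret;
}
```

A caller that later reopens the file by name should still treat any non-zero return as fatal, since the name is only safe while the file mkstemp created is the one that exists there.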
    • xhci: add usage info to docs · e78bd5ab
      Gerd Hoffmann committed
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • vnc: fix segfault in vnc_display_pw_expire() · 1643f2b2
      Gerd Hoffmann committed
      NULL pointer dereference in case no vnc server is configured.
      Catch this and return -EINVAL like vnc_display_password() does.
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • Expose CPUID leaf 7 only for -cpu host · 13526728
      Eduardo Habkost committed
      Changes v2 -> v3:
        - Check for kvm_enabled() before setting cpuid_7_0_ebx_features
      
      Changes v1 -> v2:
        - Use kvm_arch_get_supported_cpuid() instead of host_cpuid() on
          cpu_x86_fill_host().
      
        We should use GET_SUPPORTED_CPUID for all bits on "-cpu host"
        eventually, but I am not changing all the other CPUID leaves because
        we may not be able to test such an intrusive change in time for 1.1.
      
      Description of the bug:
      
      Since QEMU 0.15, the CPUID information on CPUID[EAX=7,ECX=0] is being
      returned unfiltered to the guest, directly from the GET_SUPPORTED_CPUID
      return value.
      
      The problem is that this makes the resulting CPU feature flags
      unpredictable and dependent on the host CPU and kernel version. This
      breaks live-migration badly if migrating from a host CPU that supports
      some features on that CPUID leaf (running a recent kernel) to a kernel
      or host CPU that doesn't support it.
      
      Migration also is incorrect (the virtual CPU changes under the guest's
      feet) if you migrate in the opposite direction (from an old CPU/kernel
      to a new CPU/kernel), but with less serious consequences (guests
      normally query CPUID information only once on boot).
      
      Fortunately, the bug affects only users using cpudefs with level >= 7.
      
      The right behavior should be to explicitly enable those features on
      [cpudef] config sections or on the "-cpu" command-line arguments. Right
      now there is no predefined CPU model on QEMU that has those features:
      the latest Intel model we have is Sandy Bridge.
      
      I would like to get this fixed on 1.1, so I am submitting this patch,
      that enables those features only if "-cpu host" is being used (as we
      don't have any pre-defined CPU model that actually have those features).
      After 1.1 is released, we can make those features properly configurable
      on [cpudef] and -cpu configuration.
      
      One problem is: with this patch, users with the following setup:
      - Running QEMU 1.0;
      - Using a cpudef having level >= 7;
      - Running a kernel that supports the features on CPUID leaf 7; and
      - Running on a CPU that supports some features on CPUID leaf 7
      won't be able to live-migrate to QEMU 1.1. But for these users
      live-migration is already broken (they can't live-migrate to hosts with
      older CPUs or older kernels, already), I don't see how to avoid this
      problem.
      Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • qemu-ga: avoid blocking on atime update when reading /etc/mtab · 9e2fa418
      Michael Roth committed
      Currently we re-read/re-process /etc/mtab to get an updated list of
      mounts when guest-fsfreeze-thaw is called. This can cause an atime
      update on /etc/mtab, which will block if we're in a frozen state.
      
      Instead, use /proc's version of mtab, which may not be up-to-date with
      options passed via -o remount, but is compatible for our use cases since
      we only care about the filesystem type.
      Reported-by: Matsuda, Daiki <matsudadik@intellilink.co.jp>
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    • qemu-ga: Fix use of environ on Darwin · eecae147
      Andreas Färber committed
      Use _NSGetEnviron() helper to access the environment.
      Signed-off-by: Andreas Färber <andreas.faerber@web.de>
      Cc: Charlie Somerville <charlie@charliesomerville.com>
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    • pci: call object_unparent() before free_qdev() · a6de8ed8
      Amos_沧海桑田 committed
      Start VM with 8 multiple-function block devs, hot-removing
      those block devs by 'device_del ...' would cause qemu abort.
      
      | (qemu) device_del virti0-0-0
      | (qemu) **
      |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
      
      It's a regression introduced by commit 57c9fafe
      
      The whole PCI slot should be removed once. Currently only one func
      is cleaned in pci_unplug_device(), if you try to remove a single
      func by monitor cmd.
      
      free_qdev() is called for all functions in the slot,
      but unparent_delete() is only called for one
      function.
      
      Signed-off-by: XXXX
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • fix multiboot loading if load_end_addr == 0 · 9c3a596a
      Scott Moser committed
      The previous multiboot load code did not treat the case where
      load_end_addr was 0 specially.  The multiboot specification says the
      following:
       * load_end_addr
         Contains the physical address of the end of the data segment.
         (load_end_addr - load_addr) specifies how much data to load. This
         implies that the text and data segments must be consecutive in the
         OS image; this is true for existing a.out executable formats. If
         this field is zero, the boot loader assumes that the text and data
         segments occupy the whole OS image file.
      Signed-off-by: Scott Moser <smoser@ubuntu.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
    • vga: fix vram double-mapping with -vga std and -M pc-0.12 · 8294a64d
      Avi Kivity committed
      With pc-0.12, we map the video RAM both through the PCI BAR (the guest does
      this) and through a fixed mapping at 0xe0000000.  The memory API doesn't allow
      this double map, and aborts.
      
      Fix by using an alias.
      Reported-by: Michael Tokarev <mjt@tls.msk.ru>
      Signed-off-by: Avi Kivity <avi@redhat.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  7. May 29, 2012: 4 commits