- 31 May, 2015 4 commits
-
-
Committed by Jason Wang
VIRTIO_PCI_QUEUE_MAX is not only used for pci, so rename it to be generic.

Cc: Amit Shah <amit.shah@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Jason Wang
This patch introduces virtio_get_num_queues() which iterates the vqs array and returns the number of virtqueues used by the device.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Jason Wang
This patch passes an error pointer to the transport specific device_plugged() callback. This way, device_plugged() can do some transport specific check and fail. This will be used by following patches that check the number of virtqueues against the transport limitation.

Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Cornelia Huck
Move host_features from the individual transport proxies into the virtio device. Transports may continue to add feature bits during device plugging. This should make it easier to offer different sets of host features for virtio-1/transitional support.

Tested-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 28 April, 2015 1 commit
-
-
Committed by Jason Wang
Currently we will try to traverse all virtqueues to find a subset that is using a specific vector. This is suboptimal when we will support hundreds or even thousands of virtqueues. So this patch introduces a method which could be used by transport to get all virtqueues that are using the same vector. This is done through QLISTs and the number of QLISTs was queried through a transport specific method. When the guest sets vectors, the virtqueue will be linked, and helpers for traversing the list were also introduced. The first user will be virtio pci which will use this to speed up MSI-X masking and unmasking handling.

Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 16 March, 2015 1 commit
-
-
Committed by Jason Wang
We don't validate the existence of handle_output which may let a buggy guest trigger a SIGSEGV easily. E.g:

1) write 10 to queue_sel to a virtio net device with only 1 queue
2) setup an arbitrary pfn
3) then notify queue 10

Fixing this by validating the existence of handle_output before.

Cc: qemu-stable@nongnu.org
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
-
- 26 February, 2015 2 commits
-
-
Committed by Cornelia Huck
Add a helper function for checking whether a bit is set in the guest features for a vdev as well as one that works on a feature bit set. Convert code that open-coded this: It cleans up the code and makes it easier to extend the guest feature bits.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Michael S. Tsirkin
Drop a bunch of code duplicated from virtio_config.h and virtio_ring.h. This makes us rename event index accessors which conflict, as reusing the ones from virtio_ring.h isn't trivial.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
-
- 06 February, 2015 1 commit
-
-
Committed by Alexander Graf
One of the annoyances of the current migration format is the fact that it's not self-describing. In fact, it's not properly describing at all. Some code randomly scattered throughout QEMU elaborates roughly how to read and write a stream of bytes.

We discussed an idea during KVM Forum 2013 to add a JSON description of the migration protocol itself to the migration stream. This patch adds a section after the VM_END migration end marker that contains description data on what the device sections of the stream are composed of.

This approach is backwards compatible with any QEMU version reading the stream, because QEMU just stops reading after the VM_END marker and ignores any data following it.

With an additional external program this allows us to decipher the contents of any migration stream and hopefully make migration bugs easier to track down.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
- 02 November, 2014 1 commit
-
-
Committed by Bin Wu
The event idx in virtio is an effective way to reduce the number of interrupts and exits of the guest. When the guest puts a request into the virtio ring, it doesn't exit immediately to inform the backend. Instead, the guest checks the "avail" event idx to determine the notification.

In virtqueue_pop, when a request is popped, the current avail event idx should be set to the number of vq->last_avail_idx.

Signed-off-by: Bin Wu <wu.wubin@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 30 September, 2014 1 commit
-
-
Committed by Gonglei
For better code sharing, add a helper function that handles reference counting of the virtio backend for virtio proxy devices.

Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 19 September, 2014 1 commit
-
-
Committed by Michael S. Tsirkin
This reverts commit a1bc7b827e422e1ff065640d8ec5347c4aadfcd8.

    virtio: don't call device on !vm_running

It turns out that virtio net assumes that vm_running is updated before device status callback in many places, so this change leads to asserts. Previous commit fixes the root issue that motivated a1bc7b827e422e1ff065640d8ec5347c4aadfcd8 differently, so there's no longer a need for this change.

In the future, we might be able to drop checking vm_running completely, and check vm state directly.

Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 05 September, 2014 1 commit
-
-
Committed by Michael S. Tsirkin
On vm stop, virtio changes vm_running state too soon, so callbacks can get invoked with vm_running = false.

Cc: qemu-stable@nongnu.org
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 30 June, 2014 4 commits
-
-
Committed by Rusty Russell
Quoting original text from Rusty: "This is based on a simpler patch by Anthony Liguori".

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
[ add VirtIODevice * argument to most helpers, Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Greg Kurz
Some CPU families can dynamically change their endianness. This means we can have little endian ppc or big endian arm guests for example. This has an impact on legacy virtio data structures since they are target endian. We hence introduce a new property to track the endianness of each virtio device. It is reasonably assumed that endianness won't change while the device is in use: we hence capture the device endianness when it gets reset.

We migrate this property in a subsection, after the device descriptor. This means the load code must not rely on it until it is restored. As a consequence, the vring sanity checks had to be moved after the call to vmstate_load_state(). We enforce paranoia by poisoning the property at the beginning of virtio_load().

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Greg Kurz
There is a need to add some more fields to VirtIODevice that should be migrated (broken status, endianness). The problem is that we do not want to break compatibility while adding a new feature... This issue has been addressed in the generic VMState code with the use of optional subsections. As a *temporary* alternative to port the whole virtio migration code to VMState, this patch mimics a similar subsectioning ability for virtio, using the VMState code.

Since each virtio device is streamed in its own section, the idea is to stream subsections between the end of the device section and the start of the next sections. This allows an older QEMU to complain and exit when fed with subsections:

    Unknown savevm section type 5
    load of migration failed

Suggested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Greg Kurz
In order to migrate virtio subsections, they should be streamed after the device itself. We need the device specific code to be called from the common migration code to achieve this. This patch introduces load and save methods for this purpose.

Suggested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 29 June, 2014 1 commit
-
-
Committed by Dr. David Alan Gilbert
Commit 'virtio: validate config_len on load' restricted config_len loaded from the wire to match the config_len that the device had.

Unfortunately, there are cases where this isn't true, the one we found it on was the wce addition in virtio-blk.

Allow mismatched config-lengths:
*) If the version on the wire is shorter then fine
*) If the version on the wire is longer, load what we have space for and skip the rest.

(This is mst@redhat.com's rework of what I originally posted)

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 19 June, 2014 2 commits
-
-
Committed by Markus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
-
Committed by Markus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
-
- 11 June, 2014 1 commit
-
-
Committed by Michael Tokarev
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
- 12 May, 2014 1 commit
-
-
Committed by Michael S. Tsirkin
It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so it's OK if the value read is VIRTQUEUE_MAX_SIZE.

Not a big problem in practice as people don't use such big queues, but it's inelegant.

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 06 May, 2014 4 commits
-
-
Committed by Michael S. Tsirkin
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
Committed by Michael S. Tsirkin
CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indices beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
Committed by Michael Roth
CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
Committed by Michael S. Tsirkin
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
- 11 February, 2014 5 commits
-
-
Committed by Edgar E. Iglesias
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-
Committed by Edgar E. Iglesias
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-
Committed by Edgar E. Iglesias
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-
Committed by Edgar E. Iglesias
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-
Committed by Edgar E. Iglesias
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-
- 24 December, 2013 1 commit
-
-
Committed by Paolo Bonzini
This got lost in a rebase.

Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 10 December, 2013 4 commits
-
-
Committed by Andreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Andreas Färber
Drop VirtioDeviceClass::init.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Andreas Färber
Temporarily allow either VirtioDeviceClass::init or VirtioDeviceClass::realize. Introduce VirtioDeviceClass::unrealize for symmetry.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Paolo Bonzini
Right now we have these pairs:

- virtio_bus_plug_device/virtio_bus_destroy_device. The first takes a VirtIODevice, the second takes a VirtioBusState
- device_plugged/device_unplug callbacks in the VirtioBusClass (here it's just the naming that is inconsistent)
- virtio_bus_destroy_device is not called by anyone (and since it calls qdev_free, it would be called by the proxies---but then the callback is useless since the proxies can do whatever they want before calling virtio_bus_destroy_device)

And there is a k->init but no k->exit, hence virtio_device_exit is overwritten by subclasses (except virtio-9p). This cleans it up by:

- renaming the device_unplug callback to device_unplugged
- renaming virtio_bus_plug_device to virtio_bus_device_plugged, matching the callback name
- renaming virtio_bus_destroy_device to virtio_bus_device_unplugged, removing the qdev_free, making it take a VirtIODevice and calling it from virtio_device_exit
- adding a k->exit callback

virtio_device_exit is still overwritten, the next patches will fix that.

Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 25 August, 2013 1 commit
-
-
Committed by yinyin
virtqueue_get_avail_bytes: when an indirect desc is found, we need to loop over it.

    /* loop over the indirect descriptor table */
    indirect = 1;
    max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
    num_bufs = i = 0;
    desc_pa = vring_desc_addr(desc_pa, i);

But it inits i to 0, then uses i to update desc_pa, so we will always get:

    desc_pa = vring_desc_addr(desc_pa, 0);

The last two lines should be swapped.

Cc: qemu-stable@nongnu.org
Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 12 August, 2013 1 commit
-
-
Committed by Stefan Hajnoczi
When the dataplane thread stops, its vring.c implementation synchronizes vring state back to virtio.c so we can continue emulating the virtio device.

This patch ensures that virtio.c's signalled_used_valid flag is reset so that we do not suppress guest notifications due to stale signalled_used values.

Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 09 August, 2013 1 commit
-
-
Committed by Peter Maydell
A queue size of 0 is used to indicate a nonexistent queue, so don't allow the guest to flip a queue between zero-size and non-zero-size. Don't permit setting of negative queue sizes either.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1374853288-9912-2-git-send-email-peter.maydell@linaro.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-
- 19 July, 2013 1 commit
-
-
Committed by Peter Maydell
Support virtio transports which can specify the vring alignment (ie where the guest communicates this to the host) by providing a new virtio_queue_set_align() function. (The default alignment remains as before.)

Transports which wish to make use of this must set the has_variable_vring_alignment field in their VirtioBusClass struct to true; they can then change the alignment via virtio_queue_set_align().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1373977512-28932-5-git-send-email-peter.maydell@linaro.org
-