- 15 6月, 2017 6 次提交
-
-
由 Paolo Bonzini 提交于
This ensures that the request is unref'ed properly, and avoids a segmentation fault in the new qtest testcase that is added. This is CVE-2017-9503. Reported-by: NZhangyanyu <zyy4013@stu.ouc.edu.cn> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Avoid TOC-TOU bugs by passing the frame_cmd down, and checking cmd->dcmd_opcode instead of cmd->frame->header.frame_cmd. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Avoid TOC-TOU bugs depending on how the compiler behaves. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Avoid TOC-TOU bugs depending on how the compiler behaves. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 05 5月, 2017 1 次提交
-
-
由 Prasad J Pandit 提交于
While reading magic sequence(MFI_SEQ) in megasas_mmio_write, an off-by-one error could occur as 's->adp_reset' index is not reset after reading the last sequence. Reported-by: NYY Z <bigbird475958471@gmail.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <20170424120634.12268-1-ppandit@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 24 3月, 2017 1 次提交
-
-
由 Eric Blake 提交于
hw/scsi/trace-events lists cmd as the first parameter for both megasas_iovec_overflow and megasas_iovec_underflow, but the caller was mistakenly passing cmd->iov_size twice instead of the command index. Also, trace_megasas_abort_invalid is called with parameters in the wrong order. Broken since its introduction in commit e8f943c3. Signed-off-by: NEric Blake <eblake@redhat.com> Reviewed-by: NHannes Reinecke <hare@suse.com> Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
- 21 2月, 2017 1 次提交
-
-
由 Markus Armbruster 提交于
The logic to create frontends for -drive if=scsi is in SCSI HBAs. For all other interface types, it's in machine initialization code. A few machine types create the SCSI HBAs necessary for that. That's also not done for other interface types. I'm going to deprecate these SCSI eccentricities. In preparation for that, create the frontends in main() instead of the SCSI HBAs, by calling new function scsi_legacy_handle_cmdline() there. Note that not all SCSI HBAs create frontends. Take care not to change that. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <1487161136-9018-2-git-send-email-armbru@redhat.com> Acked-By: NPaolo Bonzini <pbonzini@redhat.com>
-
- 01 2月, 2017 1 次提交
-
-
由 Cao jin 提交于
msix_init() reports errors with error_report(), which is wrong when it's used in realize(). The same issue was fixed for msi_init() in commit 1108b2f8. In order to make the API change as small as possible, leave the return value check to later patch. For some devices(like e1000e, vmxnet3, nvme) who won't fail because of msix_init's failure, suppress the error report by passing NULL error object. Bonus: add comment for msix_init. CC: Jiri Pirko <jiri@resnulli.us> CC: Gerd Hoffmann <kraxel@redhat.com> CC: Dmitry Fleytman <dmitry@daynix.com> CC: Jason Wang <jasowang@redhat.com> CC: Michael S. Tsirkin <mst@redhat.com> CC: Hannes Reinecke <hare@suse.de> CC: Paolo Bonzini <pbonzini@redhat.com> CC: Alex Williamson <alex.williamson@redhat.com> CC: Markus Armbruster <armbru@redhat.com> CC: Marcel Apfelbaum <marcel@redhat.com> Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
- 25 1月, 2017 1 次提交
-
-
由 Dr. David Alan Gilbert 提交于
The vmstate_pci_device and vmstate_pcie_devices differ just in the size of one buffer; combine the two using a _TEST macro. I think this is safe as long as everywhere which currently uses either of these two uses the right type. One thing that concerns me is that some places use pci_device_load/save which does some irq mangling, but others just use the VMSTATE_PCI_DEVICE macro - how are they getting the same irq mangling? This passes a smoke test migrate of: ./x86_64-softmmu/qemu-system-x86_64 -M pc,accel=kvm -m 1024 ./littlefed20.img -device e1000e -device virtio-net -device e1000 -device virtio-rng -device megasas -device megasas-gen2 -device ioh3420 -device nec-usb-xhci to an unmodified qemu. Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Message-Id: <20161214195829.18241-1-dgilbert@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
-
- 17 1月, 2017 1 次提交
-
-
由 Paolo Bonzini 提交于
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. Avoid this by returning only the status from map_dcmd, and loading cmd->iov_size in the caller. Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 28 11月, 2016 2 次提交
-
-
由 Paolo Bonzini 提交于
megasas_command_cancel is a callback; it should report the abort in the frame, not try another abort! Compare for instance with mptsas_request_cancelled. So extract the common bits for request completion in a new function megasas_complete_command, call it from both the .complete and .cancel callbacks, and remove duplicate pieces from the DCMD path. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20161110152751.4267-2-pbonzini@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Commit 8cc46787 ("megasas: remove useless check for cmd->frame", 2016-07-17) was wrong because I trusted Coverity too much. It turns out that there _is_ a path through which cmd->frame can become NULL. After megasas_handle_frame's switch (md->frame->header.frame_cmd), megasas_init_firmware can be called. From there, megasas_reset_frames will call megasas_unmap_frame which resets cmd->frame = NULL. However, there is another bug to fix in there, because megasas_unmap_frame is called again after setting the command status. In this case QEMU should not do anything, instead it calls pci_dma_unmap again. Harmless, but better fix it. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 14 9月, 2016 1 次提交
-
-
由 Paolo Bonzini 提交于
This reverts commit 8cc46787. It turns out that cmd->frame can be NULL and thus the commit can cause a SIGSEGV Reported-by: NHolger Schranz <holger@fam-schranz.de> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 17 7月, 2016 1 次提交
-
-
由 Paolo Bonzini 提交于
megasas_enqueue_frame always returns with non-NULL cmd->frame. Remove the "else" part as it is dead code. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 05 7月, 2016 3 次提交
-
-
由 Cao jin 提交于
megasas overwrites user configuration when msi_init fail to flag internal msi state, which is unsuitable. megasa_use_msi() is unnecessary, we can call msi_uninit() directly when unrealize, even no need to call msi_enabled() first. cc: Hannes Reinecke <hare@suse.de> cc: Paolo Bonzini <pbonzini@redhat.com> cc: Markus Armbruster <armbru@redhat.com> cc: Marcel Apfelbaum <marcel@redhat.com> cc: Michael S. Tsirkin <mst@redhat.com> Acked-by: NHannes Reinecke <hare@suse.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Cao jin 提交于
msi_init() reports errors with error_report(), which is wrong when it's used in realize(). Fix by converting it to Error. Fix its callers to handle failure instead of ignoring it. For those callers who don't handle the failure, it might happen: when user want msi on, but he doesn't get what he want because of msi_init fails silently. cc: Gerd Hoffmann <kraxel@redhat.com> cc: John Snow <jsnow@redhat.com> cc: Dmitry Fleytman <dmitry@daynix.com> cc: Jason Wang <jasowang@redhat.com> cc: Michael S. Tsirkin <mst@redhat.com> cc: Hannes Reinecke <hare@suse.de> cc: Paolo Bonzini <pbonzini@redhat.com> cc: Alex Williamson <alex.williamson@redhat.com> cc: Markus Armbruster <armbru@redhat.com> cc: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NHannes Reinecke <hare@suse.com>
-
由 Cao jin 提交于
>From bit to enum OnOffAuto. cc: Hannes Reinecke <hare@suse.de> cc: Paolo Bonzini <pbonzini@redhat.com> cc: Michael S. Tsirkin <mst@redhat.com> cc: Markus Armbruster <armbru@redhat.com> cc: Marcel Apfelbaum <marcel@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NHannes Reinecke <hare@suse.com>
-
- 20 6月, 2016 1 次提交
-
-
由 Eduardo Habkost 提交于
Use Coccinelle script to replace 'ret = E; return ret' with 'return E'. The script will do the substitution only when the function return type and variable type are the same. Manual fixups: * audio/audio.c: coding style of "read (...)" and "write (...)" * block/qcow2-cluster.c: wrap line to make it shorter * block/qcow2-refcount.c: change indentation of wrapped line * target-tricore/op_helper.c: fix coding style of "remainder|quotient" * target-mips/dsp_helper.c: reverted changes because I don't want to argue about checkpatch.pl * ui/qemu-pixman.c: fix line indentation * block/rbd.c: restore blank line between declarations and statements Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NEduardo Habkost <ehabkost@redhat.com> Message-Id: <1465855078-19435-4-git-send-email-ehabkost@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> [Unused Coccinelle rule name dropped along with a redundant comment; whitespace touched up in block/qcow2-cluster.c; stale commit message paragraph deleted] Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
-
- 07 6月, 2016 1 次提交
-
-
由 Prasad J Pandit 提交于
While reading information via 'megasas_ctrl_get_info' routine, a local bios version buffer isn't null terminated. Add the terminating null byte to avoid any OOB access. Reported-by: NLi Qiang <liqiang6-s@360.cn> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 29 5月, 2016 3 次提交
-
-
由 Prasad J Pandit 提交于
While doing MegaRAID SAS controller command frame lookup, routine 'megasas_lookup_frame' uses 'read_queue_head' value as an index into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value within array bounds to avoid any OOB access. Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com> Reviewed-by: NAlexander Graf <agraf@suse.de> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Prasad J Pandit 提交于
When reading MegaRAID SAS controller configuration via MegaRAID Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read uses an uninitialised local data buffer. Initialise this buffer to avoid stack information leakage. Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Prasad J Pandit 提交于
When setting MegaRAID SAS controller properties via MegaRAID Firmware Interface(MFI) commands, a user supplied size parameter is used to set property value. Use appropriate size value to avoid OOB access issues. Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 29 1月, 2016 1 次提交
-
-
由 Peter Maydell 提交于
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-24-git-send-email-peter.maydell@linaro.org
-
- 16 1月, 2016 2 次提交
-
-
由 Cao jin 提交于
Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com> Acked-by: NMichael S. Tsirkin <mst@redhat.com> Message-Id: <1452073066-28319-1-git-send-email-caoj.fnst@cn.fujitsu.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 P J P 提交于
While processing controller 'CTRL_GET_INFO' command, the routine 'megasas_ctrl_get_info' overflows the '&info' object size. Use its appropriate size to null initialise it. Reported-by: NQinghao Tang <luodalongde@gmail.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NP J P <ppandit@redhat.com>
-
- 04 11月, 2015 1 次提交
-
-
由 Eduardo Habkost 提交于
Guest visible data shouldn't change with a simple QEMU upgrade, so use qemu_hw_version() to ensure it won't change (as long as the machine class being used has hw_version set). Cc: Hannes Reinecke <hare@suse.de> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-block@nongnu.org Reviewed-by: NHannes Reinecke <hare@suse.com> Acked-by: NLaszlo Ersek <lersek@redhat.com> Signed-off-by: NEduardo Habkost <ehabkost@redhat.com> Message-Id: <1446233769-7892-4-git-send-email-ehabkost@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 13 10月, 2015 1 次提交
-
-
由 Paolo Bonzini 提交于
There are two bugs here. First, the 16-bit id loses the high 8 bits when shifted left by 24. Second, the address must be combined with an "or" or we just get zero. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 28 7月, 2015 1 次提交
-
-
由 Salva Peiró 提交于
This patch fixes a QEMU SEGFAULT when a write operation is performed on the memory region of the PCI BAR 3 (base address space). When a writeb(0xe0000000) is performed the .write function is invoked to handle the write access, however, since the .write is not initialised, the call to 0, causes QEMU to SEGFAULT. Signed-off-by: NSalva Peiró <speirofr@gmail.com> Acked-by: NHannes Reinecke <hare@suse.com> Message-Id: <1437987112-24744-1-git-send-email-speirofr@gmail.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 19 6月, 2015 1 次提交
-
-
由 Shmulik Ladkani 提交于
Few devices have their specialized 'config_write' methods which simply call 'pci_default_write_config' followed by a 'msix_write_config' or 'msi_write_config' calls, using exact same arguments. This is unnecessary as 'pci_default_write_config' already invokes 'msi_write_config' and 'msix_write_config'. Also, since 'pci_default_write_config' is the default 'config_write' handler, we can simply avoid the registration of these specialized versions. Cc: Leonid Shatz <leonid.shatz@ravellosystems.com> Signed-off-by: NShmulik Ladkani <shmulik.ladkani@ravellosystems.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
- 28 4月, 2015 1 次提交
-
-
由 Stefan Hajnoczi 提交于
This commit was generated mechanically by coccinelle from the following semantic patch: @@ expression val; @@ - (ffs(val) - 1) + ctz32(val) The call sites have been audited to ensure the ffs(0) - 1 == -1 case never occurs (due to input validation, asserts, etc). Therefore we don't need to worry about the fact that ctz32(0) == 32. Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 1427124571-28598-5-git-send-email-stefanha@redhat.com Signed-off-by: NKevin Wolf <kwolf@redhat.com>
-
- 25 3月, 2015 1 次提交
-
-
由 Paolo Bonzini 提交于
It is wrong to use address_space_memory directly, because there could be an IOMMU in the middle. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 10 3月, 2015 2 次提交
-
-
由 Markus Armbruster 提交于
These are "am53c974", "dc390", "lsi53c895a", "lsi53c810", "megasas", "megasas-gen2". Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1425925048-15482-5-git-send-email-armbru@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Markus Armbruster 提交于
Commit a818a4b6 changed scsi_bus_legacy_handle_cmdline() to report errors from scsi_bus_legacy_add_drive() with error_report() in addition to returning them. That's inappropriate. Two kinds of callers: 1. realize methods (devices "esp", "virtio-scsi-device" and "spapr-vscsi") The error object gets passed up the call chain until it gets reported again and freed. Example: $ qemu-system-arm -M virt -S -display none \ > -drive if=scsi,id=foo,bus=1,file=tmp.qcow2 \ > -device nec-usb-xhci -device usb-storage,drive=foo \ > -device virtio-scsi-pci qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Property 'scsi-disk.drive' can't take value 'foo', it's in use qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Setting drive property failed qemu-system-arm: -device virtio-scsi-pci: Setting drive property failed qemu-system-arm: -device virtio-scsi-pci: Device initialization failed qemu-system-arm: -device virtio-scsi-pci: Device 'virtio-scsi-pci' could not be initialized The second message in this error cascade comes from scsi_bus_legacy_handle_cmdline(). The error object then gets passed up to the qdev_init() called from virtio_scsi_pci_init_pci(), which reports it again. 2. init methods (devices "am53c974", "dc390", "lsi53c895a", "lsi53c810", "megasas", "megasas-gen2") init methods need to report their errors with qerror_report(). These don't. The inappropriate error_report() papers over the bug. error_report() isn't the same as qerror_report() in QMP context, but this can't actually happen: QMP can still only hot-plug, and callers call scsi_bus_legacy_handle_cmdline() only on cold-plug. Except for sysbus_esp_realize(), but that can't be hot-plugged at all, as far as I can tell. Fix the init methods and drop the inappropriate error_report() in scsi_bus_legacy_handle_cmdline(). Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1425925048-15482-2-git-send-email-armbru@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 15 12月, 2014 1 次提交
-
-
由 Markus Armbruster 提交于
Coccinelle semantic patch: @@ expression LHS, SZ; @@ - LHS = g_malloc(SZ); - memset(LHS, 0, SZ); + LHS = g_malloc0(SZ); Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NFam Zheng <famz@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 31 10月, 2014 4 次提交
-
-
由 Hannes Reinecke 提交于
MSI-X works slightly different than INTx; the doorbell registers are not necessarily used as MSI-X interrupts are directed anyway. So the head pointer on the reply queue needs to be updated as soon as a frame is completed, and we can set the doorbell only when in INTx mode. Signed-off-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Hannes Reinecke 提交于
Windows requires the frames to be unmapped, otherwise we run into a race condition where the updated frame data is not visible to the guest. With that we can simplify the queue algorithm and use a bitmap for tracking free frames. Signed-off-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Hannes Reinecke 提交于
Improve queue logging by displaying head and tail pointer of the completion queue. Signed-off-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Hannes Reinecke 提交于
Some implementations use DCMD_CLUSTER_RESET_LD to simulate a device reset. Signed-off-by: NHannes Reinecke <hare@suse.de> [Compare against id, not lun. - Paolo] Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-