- 29 4月, 2020 33 次提交
-
-
由 Masahiro Yamada 提交于
The second argument 'id' is a pointer. Pass NULL rather than 0. Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org> Message-Id: <20200427005704.2475782-1-masahiroy@kernel.org> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
-
由 Markus Armbruster 提交于
Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200424071142.3525-4-armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-
由 Markus Armbruster 提交于
apply_to_qlist(), apply_to_node() work with QObjects. This is designed for use by tests/qtest/qos-test.c, which gets the data in that form via QMP. Goes back to commit fc281c80 "tests: qgraph API for the qtest driver framework". Commit 275ab39d "fuzz: add support for qos-assisted fuzz targets" added another user: qtest/fuzz/qos_fuzz.c. To get the data as QObjects, it uses qmp_marshal_query_machines() and qmp_marshal_qom_list_types(). All this code is rather cumbersome. Switch to working with generated QAPI types instead: * Replace apply_to_qlist() & friends by machines_apply_to_node() and types_apply_to_node(). * Have qos_fuzz.c use qmp_query_machines() and qmp_qom_list_types() instead. * Have qos_test.c convert from QObject to the QAPI types. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200424071142.3525-3-armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlexander Bulekov <alxndr@bu.edu>
-
由 Markus Armbruster 提交于
Target recurse-fuzz depends on pc-bios/optionrom/fuzz, which can't be made. It's not used anywhere. Added in commit c621dc3e, looks like cargo cult. Delete. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200424071142.3525-2-armbru@redhat.com> Reviewed-by: NAlexander Bulekov <alxndr@bu.edu>
-
由 Markus Armbruster 提交于
spd_data_generate() splits @ram_size bytes into @nbanks RAM banks of 1 << sz_log2 MiB each, like this: size = ram_size >> 20; /* work in terms of megabytes */ [...] nbanks = 1; while (sz_log2 > max_log2 && nbanks < 8) { sz_log2--; nbanks++; } Each iteration halves the size of a bank, and increments the number of banks. Wrong: it should double the number of banks. The bug goes back all the way to commit b296b664 "smbus: Add a helper to generate SPD EEPROM data". It can't bite because spd_data_generate()'s current users pass only @ram_size that result in *zero* iterations: machine RAM size #banks type bank size fulong2e 256 MiB 1 DDR 256 MiB sam460ex 2048 MiB 1 DDR2 2048 MiB 1024 MiB 1 DDR2 1024 MiB 512 MiB 1 DDR2 512 MiB 256 MiB 1 DDR2 256 MiB 128 MiB 1 SDR 128 MiB 64 MiB 1 SDR 64 MiB 32 MiB 1 SDR 32 MiB Apply the obvious, minimal fix. I admit I'm tempted to rip out the unused (and obviously untested) feature instead, because YAGNI. Note that this is not the final result, as spd_data_generate() next increases #banks from 1 to 2 if possible. This is done "to avoid a bug in MIPS Malta firmware". We don't even use this function with machine type malta. *Shrug* Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422134815.1584-5-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Improve $ ppc-softmmu/qemu-system-ppc -M sam460ex -m 4096 qemu-system-ppc: Max 1 banks of 2048 ,1024 ,512 ,256 ,128 ,64 ,32 MB DIMM/bank supported qemu-system-ppc: Possible valid RAM size: 2048 to qemu-system-ppc: at most 1 bank of 2048, 1024, 512, 256, 128, 64, 32 MiB each supported Possible valid RAM size: 1024 MiB Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422134815.1584-4-armbru@redhat.com> Reviewed-by: NBALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. spd_data_generate() can pass @errp to error_setg() more than once when it adjusts both memory size and type. Harmless, because no caller passes anything that needs adjusting. Until the previous commit, sam460ex passed types that needed adjusting, but not sizes. spd_data_generate()'s contract is rather awkward: If everything's fine, return non-null and don't set an error. Else, if memory size or type need adjusting, return non-null and set an error describing the adjustment. Else, return null and set an error reporting why no data can be generated. Its callers treat the error as a warning even when null is returned. They don't create the "smbus-eeprom" device then. Suspicious. Since the previous commit, only "everything's fine" can actually happen. Drop the unused code and simplify the callers. This gets rid of the error API violation. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422134815.1584-3-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Requesting 32 or 64 MiB of RAM with the sam460ex machine type produces a useless warning: qemu-system-ppc: warning: Memory size is too small for SDRAM type, adjusting type This is because sam460ex_init() asks spd_data_generate() for DDR2, which is impossible, so spd_data_generate() corrects it to DDR. The warning goes back to commit 08fd9917 "sam460ex: Clean up SPD EEPROM creation". Make sam460ex_init() pass the correct SDRAM type to get rid of the warning. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422134815.1584-2-armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second qmp_guest_suspend_disk() and qmp_guest_suspend_ram() pass @local_err first to check_suspend_mode(), then to acquire_privilege(), then to execute_async(). Continuing after errors here can only end in tears. For instance, we risk tripping error_setv()'s assertion. Fixes: aa59637e Fixes: f54603b6 Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-15-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. qmp_guest_get_memory_blocks() passes &local_err to transfer_memory_block() in a loop. If this fails in more than one iteration, it can trip error_setv()'s assertion. Fix it to break the loop. Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-14-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Markus Armbruster 提交于
Fixes: 58e19e6eSigned-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-13-armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. qmp_xen_colo_do_checkpoint() passes @errp first to replication_do_checkpoint_all(), and then to colo_notify_filters_event(). If both fail, this will trip the assertion in error_setv(). Similar code in secondary_vm_do_failover() calls colo_notify_filters_event() only after replication_do_checkpoint_all() succeeded. Do the same here. Fixes: 0e8818f0 Cc: Zhang Chen <chen.zhang@intel.com> Cc: zhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NZhang Chen <chen.zhang@intel.com> Message-Id: <20200422130719.28225-12-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. qio_channel_socket_close() passes @errp first to socket_listen_cleanup(), and then, if closesocket() fails, to error_setg_errno(). If socket_listen_cleanup() failed, this will trip the assertion in error_setv(). Fix by ignoring a second error. Fixes: 73564c40 Cc: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com> Message-Id: <20200422130719.28225-11-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The conversion of xen_pt_initfn() to xen_pt_realize() blindly replaced XEN_PT_ERR() by error_setg(). Several error conditions that did not fail xen_pt_initfn() now fail xen_pt_realize(). Unsurprisingly, the cleanup on these errors looks highly suspicious. Revert the inappropriate replacements. Fixes: 5a11d0f7 Cc: Stefano Stabellini <sstabellini@kernel.org> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Paul Durrant <paul@xen.org> Cc: xen-devel@lists.xenproject.org Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPaul Durrant <paul@xen.org> Message-Id: <20200422130719.28225-10-armbru@redhat.com>
-
由 Markus Armbruster 提交于
virtio_net_device_realize() rejects invalid duplex and speed values. The error handling is broken: $ ../qemu/bld-sani/x86_64-softmmu/qemu-system-x86_64 -S -display none -monitor stdio QEMU 4.2.93 monitor - type 'help' for more information (qemu) device_add virtio-net,duplex=x Error: 'duplex' must be 'half' or 'full' (qemu) c ================================================================= ==15654==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000014590 at pc 0x560b75c8dc13 bp 0x7fffdf1a6950 sp 0x7fffdf1a6940 READ of size 8 at 0x62e000014590 thread T0 #0 0x560b75c8dc12 in object_dynamic_cast_assert /work/armbru/qemu/qom/object.c:826 #1 0x560b74c38ac0 in virtio_vmstate_change /work/armbru/qemu/hw/virtio/virtio.c:3210 #2 0x560b74d9765e in vm_state_notify /work/armbru/qemu/softmmu/vl.c:1271 #3 0x560b7494ba72 in vm_prepare_start /work/armbru/qemu/cpus.c:2156 #4 0x560b7494bacd in vm_start /work/armbru/qemu/cpus.c:2162 #5 0x560b75a7d890 in qmp_cont /work/armbru/qemu/monitor/qmp-cmds.c:160 #6 0x560b75a8d70a in hmp_cont /work/armbru/qemu/monitor/hmp-cmds.c:1043 #7 0x560b75a799f2 in handle_hmp_command /work/armbru/qemu/monitor/hmp.c:1082 [...] 0x62e000014590 is located 33168 bytes inside of 42288-byte region [0x62e00000c400,0x62e000016930) freed by thread T1 here: #0 0x7feadd39491f in __interceptor_free (/lib64/libasan.so.5+0x10d91f) #1 0x7feadcebcd7c in g_free (/lib64/libglib-2.0.so.0+0x55d7c) #2 0x560b75c8fd40 in object_unref /work/armbru/qemu/qom/object.c:1128 #3 0x560b7498a625 in memory_region_unref /work/armbru/qemu/memory.c:1762 #4 0x560b74999fa4 in do_address_space_destroy /work/armbru/qemu/memory.c:2788 #5 0x560b762362fc in call_rcu_thread /work/armbru/qemu/util/rcu.c:283 #6 0x560b761c8884 in qemu_thread_start /work/armbru/qemu/util/qemu-thread-posix.c:519 #7 0x7fead9be34bf in start_thread (/lib64/libpthread.so.0+0x84bf) previously allocated by thread T0 here: #0 0x7feadd394d18 in __interceptor_malloc (/lib64/libasan.so.5+0x10dd18) #1 0x7feadcebcc88 in g_malloc (/lib64/libglib-2.0.so.0+0x55c88) #2 0x560b75c8cf8a in object_new /work/armbru/qemu/qom/object.c:699 #3 0x560b75010ad9 in qdev_device_add /work/armbru/qemu/qdev-monitor.c:654 #4 0x560b750120c2 in qmp_device_add /work/armbru/qemu/qdev-monitor.c:805 #5 0x560b75012c1b in hmp_device_add /work/armbru/qemu/qdev-monitor.c:905 [...] ==15654==ABORTING Cause: virtio_net_device_realize() neglects to bail out after setting the error. Fix that. Fixes: 9473939e Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200422130719.28225-9-armbru@redhat.com> Acked-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Markus Armbruster 提交于
bochs_display_realize() rejects out-of-range vgamem. The error handling is broken: $ qemu-system-x86_64 -S -display none -monitor stdio QEMU 4.2.93 monitor - type 'help' for more information (qemu) device_add bochs-display,vgamem=1 Error: bochs-display: video memory too small (qemu) device_add bochs-display,vgamem=1 RAMBlock "0000:00:04.0/bochs-display-vram" already registered, abort! Aborted (core dumped) Cause: bochs_display_realize() neglects to bail out after setting the error. Fix that. Fixes: 765c9429 Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200422130719.28225-8-armbru@redhat.com> Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Markus Armbruster 提交于
fdctrl_realize_common() rejects fallback=auto. Used by devices "isa-fdc", "sysbus-fdc", "SUNW,fdtwo". The error handling is broken: $ qemu-system-x86_64 -nodefaults -device isa-fdc,fallback=auto,driveA=fd0 -drive if=none,id=fd0 ** ERROR:/work/armbru/qemu/hw/block/fdc.c:434:pick_drive_type: assertion failed: (drv->drive != FLOPPY_DRIVE_TYPE_AUTO) Aborted (core dumped) Cause: fdctrl_realize_common() neglects to bail out after setting the error. Fix that. Fixes: a73275dd Cc: John Snow <jsnow@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200422130719.28225-7-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. virt_machine_device_plug_cb() passes @errp to cryptodev_builtin_sym_close_session() in a loop. Harmless, because cryptodev_builtin_sym_close_session() can't actually fail. Fix by dropping its Error ** parameter. Cc: Peter Maydell <peter.maydell@linaro.org> Cc: qemu-arm@nongnu.org Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200422130719.28225-6-armbru@redhat.com>
-
由 Markus Armbruster 提交于
timers_state.icount_time_shift must be in [0,63] to avoid undefined behavior when shifting by it, e.g. in cpu_icount_to_ns(). icount_adjust() clamps it to [0,MAX_ICOUNT_SHIFT], with MAX_ICOUNT_SHIFT = 10. configure_icount() doesn't. Fix that. Fixes: a8bfac37 Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-5-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. configure_icount() is wrong that way. Harmless, because its @errp is always &error_abort or &error_fatal. Just as wrong (and just as harmless): when it fails, it can still update global state. Fix all that. Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-4-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. check_cache_dropped() calls error_setg() in a loop. It fails to break the loop in one instance. If a subsequent iteration error_setg()s again, it trips error_setv()'s assertion. Fix it to break the loop. Fixes: 31be8a2a Cc: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-Id: <20200422130719.28225-3-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. cryptodev_builtin_cleanup() passes @errp to cryptodev_builtin_sym_close_session() in a loop. Harmless, because cryptodev_builtin_sym_close_session() can't actually fail. Fix it anyway. Cc: Gonglei <arei.gonglei@huawei.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200422130719.28225-2-armbru@redhat.com>
-
由 Markus Armbruster 提交于
qemu-img create, convert, amend, and measure use accumulate_options() to merge multiple -o options. This is broken for -o "": $ qemu-img create -f qcow2 -o backing_file=a -o "" -o backing_fmt=raw,size=1M new.qcow2 qemu-img: warning: Could not verify backing image. This may become an error in future versions. Could not open 'a,backing_fmt=raw': No such file or directory Formatting 'new.qcow2', fmt=qcow2 size=1048576 backing_file=a,,backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16 $ qemu-img info new.qcow2 image: new.qcow2 file format: qcow2 virtual size: 1 MiB (1048576 bytes) disk size: 196 KiB cluster_size: 65536 --> backing file: a,backing_fmt=raw Format specific information: compat: 1.1 lazy refcounts: false refcount bits: 16 corrupt: false Merging these three -o the obvious way is wrong, because it results in an unwanted ',' escape: backing_file=a,,backing_fmt=raw,size=1M ~~ We could silently drop -o "", but Kevin asked me to reject it instead. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200415074927.19897-10-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Markus Armbruster 提交于
is_valid_option_list()'s purpose is ensuring qemu-img.c's can safely join multiple parameter strings separated by ',' like this: g_strdup_printf("%s,%s", params1, params2); How it does that is anything but obvious. A close reading of the code reveals that it fails exactly when its argument starts with ',' or ends with an odd number of ','. Makes sense, actually, because when the argument starts with ',', a separating ',' preceding it would get escaped, and when it ends with an odd number of ',', a separating ',' following it would get escaped. Move it to qemu-img.c and rewrite it the obvious way. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-Id: <20200415074927.19897-9-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200415074927.19897-8-armbru@redhat.com>
-
由 Markus Armbruster 提交于
When opts_parse() sets @invalidp to true, qemu_opts_parse_noisily() uses has_help_option() to decide whether to print help. This parses the input string a second time. Easy to avoid: replace @invalidp by @help_wanted. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-Id: <20200415074927.19897-7-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200415074927.19897-6-armbru@redhat.com>
-
由 Markus Armbruster 提交于
has_help_option() uses its own parser. It's inconsistent with qemu_opts_parse(), as demonstrated by test-qemu-opts case /qemu-opts/has_help_option. Fix by reusing the common parser. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200415074927.19897-5-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Markus Armbruster 提交于
Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200415074927.19897-4-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The next commits will put it to use. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200415074927.19897-3-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The two turn out to be inconsistent for "a,b,,help". Test case marked /* BUG */. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20200415074927.19897-2-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
Fixes the following coccinelle warnings: $ spatch --sp-file --verbose-parsing ... \ scripts/coccinelle/remove_local_err.cocci ... SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5213 SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5261 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:166 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:167 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:169 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:170 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:171 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:173 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5787 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5789 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5800 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5801 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5802 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5804 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5805 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5806 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:6329 SUSPICIOUS: a \ character appears outside of a #define at ./hw/sd/sdhci.c:1133 SUSPICIOUS: a \ character appears outside of a #define at ./hw/scsi/scsi-disk.c:3081 SUSPICIOUS: a \ character appears outside of a #define at ./hw/net/virtio-net.c:1529 SUSPICIOUS: a \ character appears outside of a #define at ./hw/riscv/sifive_u.c:468 SUSPICIOUS: a \ character appears outside of a #define at ./dump/dump.c:1895 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2209 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2215 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2221 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2222 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:173 Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200412223619.11284-2-f4bug@amsat.org> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Acked-by: NDavid Gibson <david@gibson.dropbear.id.au> Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
-
由 Peter Maydell 提交于
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 23 4月, 2020 1 次提交
-
-
由 Peter Maydell 提交于
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 22 4月, 2020 2 次提交
-
-
由 Peter Maydell 提交于
In commit 41a4bf1f the added code to set the CNP field in ID_MMFR4 for the AArch64 'max' CPU had a typo where it used the wrong variable name, resulting in ID_MMFR4 fields AC2, XNX and LSM being wrong. Fix the typo. Fixes: 41a4bf1fReported-by: NLaurent Desnogues <laurent.desnogues@gmail.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NLaurent Desnogues <laurent.desnogues@gmail.com> Message-id: 20200422124501.28015-1-peter.maydell@linaro.org
-
由 Marc-André Lureau 提交于
This is an update on the stable-4.2 branch of libslirp.git: git shortlog 55ab21c9a3..2faae0f778f81 Marc-André Lureau (1): Fix use-afte-free in ip_reass() (CVE-2020-1983) CVE-2020-1983 is actually a follow up fix for commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 ("Fix heap overflow in ip_reass on big packet input") which was was included in qemu v4.1 (commit e1a4a24d "slirp: update with CVE-2019-14378 fix"). Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20200421170227.843555-1-marcandre.lureau@redhat.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 21 4月, 2020 2 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
This fixes: $ qemu-system-ppc64 \ -machine pseries-4.1 -cpu power9 \ -smp 4 -m 12G -accel tcg ... ... Quiescing Open Firmware ... Booting Linux via __start() @ 0x0000000002000000 ... Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries Opcode 1f 12 0f 00 (7ce003e4) leaked temporaries [*] https://www.mail-archive.com/qemu-discuss@nongnu.org/msg05400.html Fixes: 0418bf78 ("Fix ISA v3.0 (POWER9) slbia implementation") Reported-by: NDennis Clarke <dclarke@blastwave.org> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: NNicholas Piggin <npiggin@gmail.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Message-id: 20200417090749.14310-1-f4bug@amsat.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
ppc patch queue for 2020-04-17 Here are a few late bugfixes for qemu-5.0 in the ppc target code. Unless some really nasty last minute bug shows up, I expect this to be the last ppc pull request for qemu-5.0. # gpg: Signature made Fri 17 Apr 2020 06:02:13 BST # gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full] # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full] # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full] # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown] # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-5.0-20200417: target/ppc: Fix mtmsr(d) L=1 variant that loses interrupts target/ppc: Fix wrong interpretation of the disposition flag. linux-user/ppc: Fix padding in mcontext_t for ppc64 Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 20 4月, 2020 2 次提交
-
-
由 Peter Maydell 提交于
Fix epoll_create1() for qemu-alpha # gpg: Signature made Thu 16 Apr 2020 16:28:15 BST # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/linux-user-for-5.0-pull-request: linux-user/syscall.c: add target-to-host mapping for epoll_create1() Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Chen Qun 提交于
There is an overflow, the source 'datain.data[2]' is 100 bytes, but the 'ss' is 252 bytes.This may cause a security issue because we can access a lot of unrelated memory data. The len for sbp copy data should take the minimum of mx_sb_len and sb_len_wr, not the maximum. If we use iscsi device for VM backend storage, ASAN show stack: READ of size 252 at 0xfffd149dcfc4 thread T0 #0 0xaaad433d0d34 in __asan_memcpy (aarch64-softmmu/qemu-system-aarch64+0x2cb0d34) #1 0xaaad45f9d6d0 in iscsi_aio_ioctl_cb /qemu/block/iscsi.c:996:9 #2 0xfffd1af0e2dc (/usr/lib64/iscsi/libiscsi.so.8+0xe2dc) #3 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174) #4 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac) #5 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5 #6 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9 #7 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20 #8 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520 #9 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5 #10 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4) #11 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9 #12 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242 #13 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518 #14 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9 #15 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5 #16 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c) #17 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740) 0xfffd149dcfc4 is located 0 bytes to the right of 100-byte region [0xfffd149dcf60,0xfffd149dcfc4) allocated by thread T0 here: #0 0xaaad433d1e70 in __interceptor_malloc (aarch64-softmmu/qemu-system-aarch64+0x2cb1e70) #1 0xfffd1af0e254 (/usr/lib64/iscsi/libiscsi.so.8+0xe254) #2 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174) #3 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac) #4 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5 #5 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9 #6 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20 #7 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520 #8 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5 #9 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4) #10 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9 #11 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242 #12 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518 #13 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9 #14 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5 #15 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c) #16 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740) Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NChen Qun <kuhn.chenqun@huawei.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 20200418062602.10776-1-kuhn.chenqun@huawei.com Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-