- 21 11月, 2014 2 次提交
-
-
由 Fam Zheng 提交于
This fixes a crash by just skipping the vte resize hack if cur is NULL. Reproducer: qemu-system-x86_64 -nodefaults Signed-off-by: NFam Zheng <famz@redhat.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 zhanghailiang 提交于
local_err in gd_vc_gfx_init() is not freed, and we don't use it, so remove it. Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 20 11月, 2014 7 次提交
-
-
由 Leif Lindholm 提交于
ePAPR 1.1 defines the stdout-path property, making the os-specific linux,stdout-path property redundant. Change the DT setup for ARM virt to use the generic property - supported by Linux since 3.15. The old QEMU behaviour was not present in any released version of QEMU, and was only added to QEMU after the kernel changed, so this should not break any existing setups. Signed-off-by: NLeif Lindholm <leif.lindholm@linaro.org> [PMM: add note to commit about the old behaviour never hving been in a released version of QEMU] Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
Patch queue for ppc - 2014-11-20 Hopefully the last few fixups for 2.2: - KVM memory slot fix (should usually only occur on PPC) - e300 fix - Altivec mtvscr instruction fix # gpg: Signature made Thu 20 Nov 2014 13:53:34 GMT using RSA key ID 03FEDC60 # gpg: Good signature from "Alexander Graf <agraf@suse.de>" # gpg: aka "Alexander Graf <alex@csgraf.de>" * remotes/agraf/tags/signed-ppc-for-upstream: target-ppc: Altivec's mtvscr Decodes Wrong Register kvm: Fix memory slot page alignment logic target-ppc: Fix breakpoint registers for e300 Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Tom Musta 提交于
The Move to Vector Status and Control Register (mtvscr) instruction uses VRB as the source register. Fix the code generator to correctly decode the VRB field. That is, use "rB(ctx->opcode)" instead of "rD(ctx->opcode)". Signed-off-by: NTom Musta <tommusta@gmail.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Alexander Graf 提交于
Memory slots have to be page aligned to get entered into KVM. There is existing logic that tries to ensure that we pad memory slots that are not page aligned to the biggest region that would still fit in the alignment requirements. Unfortunately, that logic is broken. It tries to calculate the start offset based on the region size. Fix up the logic to do the thing it was intended to do and document it properly in the comment above it. With this patch applied, I can successfully run an e500 guest with more than 3GB RAM (at which point RAM starts overlapping subpage memory regions). Cc: qemu-stable@nongnu.org Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Fabien Chouteau 提交于
In the previous patch, the registers were added to init_proc_G2LE instead of init_proc_e300. Signed-off-by: NFabien Chouteau <chouteau@adacore.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Peter Maydell 提交于
Fix from a while back that unfortunately got ignored. Dave Gilbert says it may actually fix a case where autoconverge would break on a repeat migration (and not just fix stats). # gpg: Signature made Thu 20 Nov 2014 12:52:41 GMT using RSA key ID 854083B6 # gpg: Good signature from "Amit Shah <amit@amitshah.net>" # gpg: aka "Amit Shah <amit@kernel.org>" # gpg: aka "Amit Shah <amitshah@gmx.net>" * remotes/amit-migration/tags/for-2.2-2: migration: static variables will not be reset at second migration Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 ChenLiang 提交于
The static variables in migration_bitmap_sync will not be reset in the case of a second attempted migration. Signed-off-by: NChenLiang <chenliang88@huawei.com> Signed-off-by: NGonglei <arei.gonglei@huawei.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: NAmit Shah <amit.shah@redhat.com>
-
- 19 11月, 2014 3 次提交
-
-
由 Peter Maydell 提交于
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Don Slutz 提交于
The other callers to blk_set_enable_write_cache() in this file already check for s->blk == NULL. Signed-off-by: NDon Slutz <dslutz@verizon.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 1416259239-13281-1-git-send-email-dslutz@verizon.com Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
# gpg: Signature made Tue 18 Nov 2014 15:04:53 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/net-pull-request: net: The third parameter of getsockname should be initialized Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 18 11月, 2014 19 次提交
-
-
由 Peter Maydell 提交于
# gpg: Signature made Tue 18 Nov 2014 15:04:14 GMT using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/tracing-pull-request: Tracing: Fix simpletrace.py error on tcg enabled binary traces Tracing docs fix configure option and description Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 zhanghailiang 提交于
Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Christoph Seifert 提交于
simpletrace.py does not recognize the tcg option while reading trace-events file. In result simpletrace does not work on binary traces and tcg enabled events. Moved transformation of tcg enabled events to _read_events() which is used by simpletrace. Signed-off-by: NChristoph Seifert <christoph.seifert@posteo.de> Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Dr. David Alan Gilbert 提交于
Fix the example trace configure option. Update the text to say that multiple backends are allowed and what happens when multiple backends are enabled. Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1412691161-31785-1-git-send-email-dgilbert@redhat.com Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Peter Maydell 提交于
Block patches for 2.2.0-rc2 # gpg: Signature made Tue 18 Nov 2014 11:32:55 GMT using RSA key ID C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" * remotes/kevin/tags/for-upstream: block/raw-posix: Catch fsync() errors block/raw-posix: Only sync after successful preallocation block/raw-posix: Fix preallocating write() loop raw-posix: The SEEK_HOLE code is flawed, rewrite it raw-posix: SEEK_HOLE suffices, get rid of FIEMAP raw-posix: Fix comment for raw_co_get_block_status() Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
Fix for CVE-2014-7840, avoiding arbitrary qemu memory overwrite for migration by Michael S. Tsirkin. # gpg: Signature made Tue 18 Nov 2014 11:23:00 GMT using RSA key ID 854083B6 # gpg: Good signature from "Amit Shah <amit@amitshah.net>" # gpg: aka "Amit Shah <amit@kernel.org>" # gpg: aka "Amit Shah <amitshah@gmx.net>" * remotes/amit-migration/tags/for-2.2: migration: fix parameter validation on ram load Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Ard Biesheuvel 提交于
This updates the Linux header to version 3.18-rc5, adding support for (among other things) read-only memslots on ARM and arm64. Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org> Message-id: 1416248898-6302-1-git-send-email-ard.biesheuvel@linaro.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Michael S. Tsirkin 提交于
During migration, the values read from migration stream during ram load are not validated. Especially offset in host_from_stream_offset() and also the length of the writes in the callers of said function. To fix this, we need to make sure that the [offset, offset + length] range fits into one of the allocated memory regions. Validating addr < len should be sufficient since data seems to always be managed in TARGET_PAGE_SIZE chunks. Fixes: CVE-2014-7840 Note: follow-up patches add extra checks on each block->host access. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: NAmit Shah <amit.shah@redhat.com>
-
由 Max Reitz 提交于
fsync() may fail, and that case should be handled. Reported-by: NLászló Érsek <lersek@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com>
-
由 Max Reitz 提交于
The loop which filled the file with zeroes may have been left early due to an error. In that case, the fsync() should be skipped. Signed-off-by: NMax Reitz <mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com>
-
由 Max Reitz 提交于
write() may write less bytes than requested; in this case, the number of bytes written is returned. This is the byte count we should be subtracting from the number of bytes still to be written, and not the byte count we requested to write. Reported-by: NLászló Érsek <lersek@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com>
-
由 Peter Maydell 提交于
The code in invalidate_and_set_dirty() needs to handle addr/length combinations which cross guest physical page boundaries. This can happen, for example, when disk I/O reads large blocks into guest RAM which previously held code that we have cached translations for. Unfortunately we were only checking the clean/dirty status of the first page in the range, and then were calling a tb_invalidate function which only handles ranges that don't cross page boundaries. Fix the function to deal with multipage ranges. The symptoms of this bug were that guest code would misbehave (eg segfault), in particular after a guest reboot but potentially any time the guest reused a page of its physical RAM for new code. Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-id: 1416167061-13203-1-git-send-email-peter.maydell@linaro.org
-
由 Kevin Wolf 提交于
* mreitz/block: raw-posix: The SEEK_HOLE code is flawed, rewrite it raw-posix: SEEK_HOLE suffices, get rid of FIEMAP raw-posix: Fix comment for raw_co_get_block_status()
-
由 Markus Armbruster 提交于
On systems where SEEK_HOLE in a trailing hole seeks to EOF (Solaris, but not Linux), try_seek_hole() reports trailing data instead. Additionally, unlikely lseek() failures are treated badly: * When SEEK_HOLE fails, try_seek_hole() reports trailing data. For -ENXIO, there's in fact a trailing hole. Can happen only when something truncated the file since we opened it. * When SEEK_HOLE succeeds, SEEK_DATA fails, and SEEK_END succeeds, then try_seek_hole() reports a trailing hole. This is okay only when SEEK_DATA failed with -ENXIO (which means the non-trailing hole found by SEEK_HOLE has since become trailing somehow). For other failures (unlikely), it's wrong. * When SEEK_HOLE succeeds, SEEK_DATA fails, SEEK_END fails (unlikely), then try_seek_hole() reports bogus data [-1,start), which its caller raw_co_get_block_status() turns into zero sectors of data. Could theoretically lead to infinite loops in code that attempts to scan data vs. hole forward. Rewrite from scratch, with very careful comments. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com>
-
由 Markus Armbruster 提交于
Commit 5500316d (May 2012) implemented raw_co_is_allocated() as follows: 1. If defined(CONFIG_FIEMAP), use the FS_IOC_FIEMAP ioctl 2. Else if defined(SEEK_HOLE) && defined(SEEK_DATA), use lseek() 3. Else pretend there are no holes Later on, raw_co_is_allocated() was generalized to raw_co_get_block_status(). Commit 4f11aa8a (May 2014) changed it to try the three methods in order until success, because "there may be implementations which support [SEEK_HOLE/SEEK_DATA] but not [FIEMAP] (e.g., NFSv4.2) as well as vice versa." Unfortunately, we used FIEMAP incorrectly: we lacked FIEMAP_FLAG_SYNC. Commit 38c4d0ae (Sep 2014) added it. Because that's a significant speed hit, the next commit 7c159037 put SEEK_HOLE/SEEK_DATA first. As you see, the obvious use of FIEMAP is wrong, and the correct use is slow. I guess this puts it somewhere between -7 "The obvious use is wrong" and -10 "It's impossible to get right" on Rusty Russel's Hard to Misuse scale[*]. "Fortunately", the FIEMAP code is used only when * SEEK_HOLE/SEEK_DATA aren't defined, but CONFIG_FIEMAP is Uncommon. SEEK_HOLE had no XFS implementation between 2011 (when it was introduced for ext4 and btrfs) and 2012. * SEEK_HOLE/SEEK_DATA and CONFIG_FIEMAP are defined, but lseek() fails Unlikely. Thus, the FIEMAP code executes rarely. Makes it a nice hidey-hole for bugs. Worse, bugs hiding there can theoretically bite even on a host that has SEEK_HOLE/SEEK_DATA. I don't want to worry about this crap, not even theoretically. Get rid of it. [*] http://ozlabs.org/~rusty/index.cgi/tech/2008-04-01.htmlSigned-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com>
-
由 Markus Armbruster 提交于
Missed in commit 705be728. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NFam Zheng <famz@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com>
-
由 Peter Maydell 提交于
The ARMv8 address translation system defines that a page table walk starts at a level which depends on the translation granule size and the number of bits of virtual address that need to be resolved. Where the translation granule is 64KB and the guest sets the TCR.TxSZ field to between 35 and 39, it's actually possible to start at level 3 (the final level). QEMU's implementation failed to handle this case, and so we would set level to 2 and behave incorrectly (including invoking the C undefined behaviour of shifting left by a negative number). Correct the code that determines the starting level to deal with the start-at-3 case, by replacing the if-else ladder with an expression derived from the ARM ARM pseudocode version. This error was detected by the Coverity scan, which spotted the potential shift by a negative number. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 1415890569-7454-1-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
A smattering of fixes for problems that Coverity reported. # gpg: Signature made Mon 17 Nov 2014 17:03:25 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: hcd-musb: fix dereference null return value target-cris/translate.c: fix out of bounds read shpc: fix error propaagation qemu-char: fix MISSING_COMMA acl: fix memory leak nvme: remove superfluous check loader: fix NEGATIVE_RETURNS qga: fix false negative argument passing mips_mipssim: fix use-after-free for filename l2tpv3: fix fd leak l2tpv3: fix possible double free libcacard: fix resource leak Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Paolo Bonzini 提交于
usb_ep_get and usb_handle_packet can deal with a NULL device, but we have to avoid dereferencing NULL pointers when building the id. Thanks to Gonglei for an initial stab at fixing this. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 17 11月, 2014 9 次提交
-
-
由 Peter Maydell 提交于
Update OpenBIOS images # gpg: Signature made Sat 15 Nov 2014 13:12:02 GMT using RSA key ID AE0F321F # gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" * remotes/mcayland/tags/qemu-openbios-signed: Update OpenBIOS images Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 zhanghailiang 提交于
In function t_gen_mov_TN_preg and t_gen_mov_preg_TN, The begin check about the validity of in-parameter 'r' is useless. We still access cpu_PR[r] in the follow code if it is invalid. Which will be an out-of-bounds read error. Fix it by using assert() to ensure it is valid before using it. Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
If 'i != index' for all acl->entries, variable entry leaks the storage it points to. Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
Operands don't affect result (CONSTANT_EXPRESSION_RESULT) ((n->bar.aqa >> AQA_ASQS_SHIFT) & AQA_ASQS_MASK) > 4095 is always false regardless of the values of its operands. This occurs as the logical second operand of '||'. Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
lseek will return -1 on error, g_malloc0(size) and read(,,size) paramenters cannot be negative. We should add a check for return value of lseek(). Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
Function send_response(s, &qdict->base) returns a negative number when any failures occured. But strerror()'s parameter cannot be negative. Let's change the testing condition and pass '-ret' to strerr(). Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Gonglei 提交于
May pass freed pointer filename as an argument to error_report. Signed-off-by: NGonglei <arei.gonglei@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-