Greg Kurz [Sun, 26 Feb 2017 22:42:34 +0000 (23:42 +0100)]
9pfs: local: llistxattr: don't follow symlinks
The local_llistxattr() callback is vulnerable to symlink attacks because
it calls llistxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing flistxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to llistxattr().
local_llistxattr() is converted to use this helper and opendir_nofollow().
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Sun, 26 Feb 2017 22:42:26 +0000 (23:42 +0100)]
9pfs: local: lgetxattr: don't follow symlinks
The local_lgetxattr() callback is vulnerable to symlink attacks because
it calls lgetxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing fgetxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lgetxattr().
local_lgetxattr() is converted to use this helper and opendir_nofollow().
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Sun, 26 Feb 2017 22:42:18 +0000 (23:42 +0100)]
9pfs: local: open/opendir: don't follow symlinks
The local_open() and local_opendir() callbacks are vulnerable to symlink
attacks because they call:
(1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
the rightmost one
(2) opendir() which follows symbolic links in all path elements
This patch converts both callbacks to use new helpers based on
openat_nofollow() to only open files and directories if they are
below the virtfs shared folder
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Greg Kurz [Sun, 26 Feb 2017 22:42:03 +0000 (23:42 +0100)]
9pfs: introduce relative_openat_nofollow() helper
When using the passthrough security mode, symbolic links created by the
guest are actual symbolic links on the host file system.
Since the resolution of symbolic links during path walk is supposed to
occur on the client side. The server should hence never receive any path
pointing to an actual symbolic link. This isn't guaranteed by the protocol
though, and malicious code in the guest can trick the server to issue
various syscalls on paths whose one or more elements are symbolic links.
In the case of the "local" backend using the "passthrough" or "none"
security modes, the guest can directly create symbolic links to arbitrary
locations on the host (as per spec). The "mapped-xattr" and "mapped-file"
security modes are also affected to a lesser extent as they require some
help from an external entity to create actual symbolic links on the host,
i.e. another guest using "passthrough" mode for example.
The current code hence relies on O_NOFOLLOW and "l*()" variants of system
calls. Unfortunately, this only applies to the rightmost path component.
A guest could maliciously replace any component in a trusted path with a
symbolic link. This could allow any guest to escape a virtfs shared folder.
This patch introduces a variant of the openat() syscall that successively
opens each path element with O_NOFOLLOW. When passing a file descriptor
pointing to a trusted directory, one is guaranteed to be returned a
file descriptor pointing to a path which is beneath the trusted directory.
This will be used by subsequent patches to implement symlink-safe path walk
for any access to the backend.
Symbolic links aren't the only threats actually: a malicious guest could
change a path element to point to other types of file with undesirable
effects:
- a named pipe or any other thing that would cause openat() to block
- a terminal device which would become QEMU's controlling terminal
These issues can be addressed with O_NONBLOCK and O_NOCTTY.
Two helpers are introduced: one to open intermediate path elements and one
to open the rightmost path element.
Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(renamed openat_nofollow() to relative_openat_nofollow(),
assert path is relative and doesn't contain '//',
fixed side-effect in assert, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
This patchset adds the throttle support for the 9p-local driver.
For now this functionality can be enabled only through qemu cli options.
QMP interface and support to other drivers need further extensions.
To make it simple for other 9p drivers, the throttle code has been put in
separate files.
Signed-off-by: Pradeep Jagadeesh <pradeep.jagadeesh@huawei.com> Reviewed-by: Alberto Garcia <berto@igalia.com>
(pass extra NULL CoMutex * argument to qemu_co_queue_wait(),
added options to qemu-options.hx, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
Paolo Bonzini [Tue, 28 Feb 2017 09:31:46 +0000 (10:31 +0100)]
9pfs: fix v9fs_lock error case
In this case, we are marshaling an error status instead of the errno value.
Reorganize the out and out_nofid labels to look like all the other cases.
Coverity reports this because the "err = -ENOENT" and "err = -EINVAL"
assignments above are dead, overwritten by the call to pdu_marshal.
(Coverity issues CID1348512 and CID1348513)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(also open-coded the success path since locking is a nop for us, Greg Kurz) Signed-off-by: Greg Kurz <groug@kaod.org>
Peter Maydell [Tue, 28 Feb 2017 08:46:03 +0000 (08:46 +0000)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
# gpg: Signature made Mon 27 Feb 2017 16:33:23 GMT
# gpg: using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
tests-aio-multithread: use atomic_read properly
iscsi: do not use aio_context_acquire/release
nfs: do not use aio_context_acquire/release
curl: do not use aio_context_acquire/release
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The current implementation of the mincore(2) syscall sets errno to
EFAULT when the region identified by the first two parameters is
invalid.
This goes against the man page specification, where mincore(2) should
only fail with EFAULT when the third parameter is an invalid address;
and fail with ENOMEM when the checked region does not point to mapped
memory.
Peter Maydell [Thu, 16 Feb 2017 17:26:48 +0000 (17:26 +0000)]
lm32: milkymist-tmu2: fix a third integer overflow
Don't truncate the multiplication and do a 64 bit one instead
because the result is stored in a 64 bit variable.
This fixes a similar coverity warning to commits 237a8650d640 and 4382fa655498, in a similar way, and is the final third of the fix for
coverity CID 1167561 (hopefully!).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: Michael Walle <michael@walle.cc> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Thomas Huth [Fri, 10 Feb 2017 18:22:57 +0000 (19:22 +0100)]
tests/prom-env: Enable the test for the sun4u machine, too
The 32-bit TCG bug has been fixed a while ago, so we can enable
this test for sparc64 now, too. Unfortunately, OpenBIOS does not
work with the sun4v machine anymore (it needs to catch up with the
improved emulation), so we can only enable this test for the sun4u
machine right now.
Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
The register_read() and register_write() functions expect a bitmask argument.
To avoid duplicated code, a new inlined function register_enabled_mask() is
introduced.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Peter Maydell [Fri, 3 Feb 2017 17:58:42 +0000 (17:58 +0000)]
CODING_STYLE: Mention preferred comment form
Our defacto coding style strongly prefers /* */ style comments
over the single-line // style, and checkpatch enforces this,
but we don't actually document this. Mention it in CODING_STYLE.
Suggested-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Thomas Huth [Wed, 8 Feb 2017 17:57:38 +0000 (18:57 +0100)]
hw/core/register: Mark the device with cannot_instantiate_with_device_add_yet
The "qemu,register" device needs to be wired up in source code, there
is no way the user can make any real use of this device with the
"-device" parameter or the "device_add" monitor command yet.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Thomas Huth [Wed, 8 Feb 2017 17:57:49 +0000 (18:57 +0100)]
hw/core/or-irq: Mark the device with cannot_instantiate_with_device_add_yet
The "or-irq" device needs to be wired up in source code, there is no
way the user can make any real use of this device with the "-device"
parameter or the "device_add" monitor command yet.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Peter Maydell [Fri, 3 Feb 2017 18:59:31 +0000 (18:59 +0000)]
softfloat: Use correct type in float64_to_uint64_round_to_zero()
In float64_to_uint64_round_to_zero() a typo meant that we were
taking the uint64_t return value from float64_to_uint64() and
putting it into an int64_t variable before returning it as
uint64_t again. Use uint64_t instead of pointlessly casting it
back and forth to int64_t.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
The current implementation of the mincore(2) syscall sets errno to
EFAULT when the region identified by the first two parameters is
invalid.
This goes against the man page specification, where mincore(2) should
only fail with EFAULT when the third parameter is an invalid address;
and fail with ENOMEM when the checked region does not point to mapped
memory.
Michael Karcher [Sat, 25 Feb 2017 11:05:17 +0000 (12:05 +0100)]
linux-user: fix do_rt_sigreturn on m68k linux userspace emulation
do_rt_sigreturn uses an uninitialised local variable instead of fetching
the old signal mask directly from the signal frame when restoring the mask,
so the signal mask is undefined after do_rt_sigreturn. As the signal
frame data is in target-endian order, target_to_host_sigset instead of
target_to_host_sigset_internal is required.
do_sigreturn is correct in using target_to_host_sigset_internal, because
get_user already did the endianness conversion.
Signed-off-by: Michael Karcher <karcher@physik.fu-berlin.de> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20170225110517.2832-3-laurent@vivier.eu>
* remotes/kraxel/tags/pull-ui-20170227-1:
vnc: fix double free issues
spice: add display & head options
ui: Use XkbGetMap and XkbGetNames instead of XkbGetKeyboard
gtk-egl: add scanout_disable support
sdl2: add scanout_disable support
spice: add scanout_disable support
virtio-gpu: use dpy_gl_scanout_disable
console: add dpy_gl_scanout_disable
console: rename dpy_gl_scanout to dpy_gl_scanout_texture
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
John Snow [Mon, 27 Feb 2017 17:13:14 +0000 (12:13 -0500)]
block/mirror: fix broken sparseness detection
int64_t is in all likelihood the actual scalar type we want.
Yep, really.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1219541 Signed-off-by: John Snow <jsnow@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Jeff Cody <jcody@redhat.com>
on startup when running under XWayland. Keymap handling is
however still broken after this commit, since Xwayland is
reporting a keymap we can't handle
"unknown keycodes `(unnamed)', please report to qemu-devel@nongnu.org"
NB, native Wayland support (which is the default under GTK3) is
not affected - only XWayland (which can be requested with GDK_BACKEND
on GTK3, and is the only option for GTK2).
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170227132343.30824-1-berrange@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Paolo Bonzini [Mon, 27 Feb 2017 11:17:26 +0000 (12:17 +0100)]
tests-aio-multithread: use atomic_read properly
nodes[id].next is written by other threads. If atomic_read is not used
(matching atomic_set in mcs_mutex_lock!) the compiler can optimize the
whole "if" away!
Reported-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Greg Kurz <groug@kaod.org>
Message-id: 20170227111726.9237-1-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Paolo Bonzini [Wed, 22 Feb 2017 18:07:25 +0000 (19:07 +0100)]
iscsi: do not use aio_context_acquire/release
Now that all bottom halves and callbacks take care of taking the
AioContext lock, we can migrate some users away from it and to a
specific QemuMutex or CoMutex.
Protect libiscsi calls with a QemuMutex. Callbacks are invoked
using bottom halves, so we don't even have to drop it around
callback invocations.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20170222180725.28611-4-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Paolo Bonzini [Wed, 22 Feb 2017 18:07:24 +0000 (19:07 +0100)]
nfs: do not use aio_context_acquire/release
Now that all bottom halves and callbacks take care of taking the
AioContext lock, we can migrate some users away from it and to a
specific QemuMutex or CoMutex.
Protect libnfs calls with a QemuMutex. Callbacks are invoked
using bottom halves, so we don't even have to drop it around
callback invocations.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20170222180725.28611-3-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Crypto routines 'qcrypto_cipher_get_block_len' and
'qcrypto_cipher_get_key_len' return non-zero cipher block and key
lengths from static arrays 'alg_block_len[]' and 'alg_key_len[]'
respectively. Returning 'zero(0)' value from either of them would
likely lead to an error condition.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Paolo Bonzini [Wed, 22 Feb 2017 18:07:23 +0000 (19:07 +0100)]
curl: do not use aio_context_acquire/release
Now that all bottom halves and callbacks take care of taking the
AioContext lock, we can migrate some users away from it and to a
specific QemuMutex or CoMutex.
Protect BDRVCURLState access with a QemuMutex.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20170222180725.28611-2-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Paolo Bonzini [Mon, 27 Feb 2017 11:17:26 +0000 (12:17 +0100)]
tests-aio-multithread: use atomic_read properly
nodes[id].next is written by other threads. If atomic_read is not used
(matching atomic_set in mcs_mutex_lock!) the compiler can optimize the
whole "if" away!
Reported-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Greg Kurz <groug@kaod.org>
Message-id: 20170227111726.9237-1-pbonzini@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sun, 26 Feb 2017 22:40:23 +0000 (22:40 +0000)]
Merge remote-tracking branch 'remotes/artyom/tags/pull-sun4v-20170226' into staging
Pull request for Niagara patches 2017 02 26
# gpg: Signature made Sun 26 Feb 2017 21:56:06 GMT
# gpg: using RSA key 0x3360C3F7411A125F
# gpg: Good signature from "Artyom Tarasenko <atar4qemu@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2AD8 6149 17F4 B2D7 05C0 BB12 3360 C3F7 411A 125F
* remotes/artyom/tags/pull-sun4v-20170226:
niagara: check if a serial port is available
niagara: fail if a firmware file is missing
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sun, 26 Feb 2017 16:38:40 +0000 (16:38 +0000)]
Merge remote-tracking branch 'remotes/thibault/tags/samuel-thibault' into staging
slirp updates
# gpg: Signature made Sun 26 Feb 2017 14:40:00 GMT
# gpg: using RSA key 0xB0A51BF58C9179C5
# gpg: Good signature from "Samuel Thibault <samuel.thibault@aquilenet.fr>"
# gpg: aka "Samuel Thibault <sthibault@debian.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@gnu.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@inria.fr>"
# gpg: aka "Samuel Thibault <samuel.thibault@labri.fr>"
# gpg: aka "Samuel Thibault <samuel.thibault@ens-lyon.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@u-bordeaux.fr>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 900C B024 B679 31D4 0F82 304B D017 8C76 7D06 9EE6
# Subkey fingerprint: AEBF 7448 FAB9 453A 4552 390E B0A5 1BF5 8C91 79C5
* remotes/thibault/tags/samuel-thibault:
slirp: tcp_listen(): Don't try to close() an fd we never opened
slirp: Convert mbufs to use g_malloc() and g_free()
slirp: Check qemu_socket() return value in udp_listen()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sat, 4 Feb 2017 23:08:35 +0000 (23:08 +0000)]
slirp: tcp_listen(): Don't try to close() an fd we never opened
Coverity points out (CID 1005725) that an error-exit path in tcp_listen()
will try to close(s) even if the reason it got there was that the
qemu_socket() failed and s was never opened. Not only that, this isn't even
the right function to use, because we need closesocket() to do the right
thing on Windows. Change to using the right function and only calling it if
needed.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Peter Maydell [Sat, 4 Feb 2017 23:08:34 +0000 (23:08 +0000)]
slirp: Convert mbufs to use g_malloc() and g_free()
The mbuf code currently doesn't check the result of doing a malloc()
or realloc() of its data (spotted by Coverity, CID 1238946).
Since the m_inc() API assumes that extending an mbuf must succeed,
just convert to g_malloc() and g_free().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Peter Maydell [Sat, 4 Feb 2017 23:08:33 +0000 (23:08 +0000)]
slirp: Check qemu_socket() return value in udp_listen()
Check the return value from qemu_socket() rather than trying to
pass it to bind() as an fd argument even if it's negative.
This wouldn't have caused any negative consequences, because
it won't be a valid fd number and the bind call will fail;
but Coverity complains (CID 1005723).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Peter Maydell [Sun, 26 Feb 2017 12:26:37 +0000 (12:26 +0000)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches
# gpg: Signature made Fri 24 Feb 2017 18:08:26 GMT
# gpg: using RSA key 0x7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream:
tests: Use opened block node for block job tests
vvfat: Use opened node as backing file
block: Add bdrv_new_open_driver()
block: Factor out bdrv_open_driver()
block: Use BlockBackend for image probing
block: Factor out bdrv_open_child_bs()
block: Attach bs->file only during .bdrv_open()
block: Pass BdrvChild to bdrv_truncate()
mirror: Resize active commit base in mirror_run()
qcow2: Use BB for resizing in qcow2_amend_options()
blockdev: Use BlockBackend to resize in qmp_block_resize()
iotests: Fix another race in 030
qemu-img: Improve documentation for PREALLOC_MODE_FALLOC
qemu-img: Truncate before full preallocation
qemu-img: Add tests for raw image preallocation
qemu-img: Do not truncate before preallocation
qemu-iotests: redirect nbd server stdout to /dev/null
qemu-iotests: add ability to exclude certain protocols from tests
qemu-iotests: Test 137 only supports 'file' protocol
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sun, 26 Feb 2017 11:47:00 +0000 (11:47 +0000)]
Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into staging
# gpg: Signature made Fri 24 Feb 2017 17:45:53 GMT
# gpg: using RSA key 0xBDBE7B27C0DE3057
# gpg: Good signature from "Jeffrey Cody <jcody@redhat.com>"
# gpg: aka "Jeffrey Cody <jeff@codyprime.org>"
# gpg: aka "Jeffrey Cody <codyprime@gmail.com>"
# Primary key fingerprint: 9957 4B4D 3474 90E7 9D98 D624 BDBE 7B27 C0DE 3057
* remotes/cody/tags/block-pull-request:
RBD: Add support readv,writev for rbd
block/nfs: try to avoid the bounce buffer in pwritev
block/nfs: convert to preadv / pwritev
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sat, 25 Feb 2017 21:15:14 +0000 (21:15 +0000)]
Merge remote-tracking branch 'remotes/yongbok/tags/mips-20170224-2' into staging
MIPS patches 2017-02-24-2
CHanges:
* Add the Boston board with fixing the make check issue on 32-bit hosts.
# gpg: Signature made Fri 24 Feb 2017 11:43:45 GMT
# gpg: using RSA key 0x2238EB86D5F797C2
# gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA 2B5C 2238 EB86 D5F7 97C2
* remotes/yongbok/tags/mips-20170224-2:
hw/mips: MIPS Boston board support
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sat, 25 Feb 2017 18:43:52 +0000 (18:43 +0000)]
Merge remote-tracking branch 'remotes/stsquad/tags/pull-mttcg-240217-1' into staging
This is the MTTCG pull-request as posted yesterday.
# gpg: Signature made Fri 24 Feb 2017 11:17:51 GMT
# gpg: using RSA key 0xFBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>"
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* remotes/stsquad/tags/pull-mttcg-240217-1: (24 commits)
tcg: enable MTTCG by default for ARM on x86 hosts
hw/misc/imx6_src: defer clearing of SRC_SCR reset bits
target-arm: ensure all cross vCPUs TLB flushes complete
target-arm: don't generate WFE/YIELD calls for MTTCG
target-arm/powerctl: defer cpu reset work to CPU context
cputlb: introduce tlb_flush_*_all_cpus[_synced]
cputlb: atomically update tlb fields used by tlb_reset_dirty
cputlb: add tlb_flush_by_mmuidx async routines
cputlb and arm/sparc targets: convert mmuidx flushes from varg to bitmap
cputlb: introduce tlb_flush_* async work.
cputlb: tweak qemu_ram_addr_from_host_nofail reporting
cputlb: add assert_cpu_is_self checks
tcg: handle EXCP_ATOMIC exception for system emulation
tcg: enable thread-per-vCPU
tcg: enable tb_lock() for SoftMMU
tcg: remove global exit_request
tcg: drop global lock during TCG code execution
tcg: rename tcg_current_cpu to tcg_current_rr_cpu
tcg: add kick timer for single-threaded vCPU emulation
tcg: add options for enabling MTTCG
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sat, 25 Feb 2017 17:48:49 +0000 (17:48 +0000)]
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20170224' into staging
A selection of s390x patches:
- cleanups, fixes and improvements
- program check loop detection (useful with the corresponding kernel
patch)
- wire up virtio-crypto for ccw
- and finally support many virtqueues for virtio-ccw
# gpg: Signature made Fri 24 Feb 2017 09:19:19 GMT
# gpg: using RSA key 0xDECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF
* remotes/cohuck/tags/s390x-20170224:
s390x/css: handle format-0 TIC CCW correctly
s390x/arch_dump: pass cpuid into notes sections
s390x/arch_dump: use proper note name and note size
virtio-ccw: support VIRTIO_QUEUE_MAX virtqueues
s390x: bump ADAPTER_ROUTES_MAX_GSI
virtio-ccw: check flic->adapter_routes_max_batch
s390x: add property adapter_routes_max_batch
virtio-ccw: Check the number of vqs in CCW_CMD_SET_IND
virtio-ccw: add virtio-crypto-ccw device
virtio-ccw: handle virtio 1 only devices
s390x/flic: fail migration on source already
s390x/kvm: detect some program check loops
s390x/s390-virtio: get rid of DPRINTF
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sat, 25 Feb 2017 16:37:32 +0000 (16:37 +0000)]
Merge remote-tracking branch 'remotes/famz/tags/for-upstream' into staging
Docker testing and shippable patches
Hi Peter,
These are testing and build automation patches:
- Shippable.com powered CI config
- Docker cross build
- Fixes and MAINTAINERS tweaks.
# gpg: Signature made Fri 24 Feb 2017 06:31:10 GMT
# gpg: using RSA key 0xCA35624C6A9171C6
# gpg: Good signature from "Fam Zheng <famz@redhat.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5003 7CB7 9706 0F76 F021 AD56 CA35 624C 6A91 71C6
* remotes/famz/tags/for-upstream:
docker: Install python2 explicitly in docker image
MAINTAINERS: merge Build and test automation with Docker tests
.shippable.yml: new CI provider
new: debian docker targets for cross-compiling
tests/docker: add basic user mapping support
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 24 Feb 2017 18:34:27 +0000 (18:34 +0000)]
Merge remote-tracking branch 'remotes/armbru/tags/pull-util-2017-02-23' into staging
option cutils: Fix and clean up number conversions
# gpg: Signature made Thu 23 Feb 2017 19:41:17 GMT
# gpg: using RSA key 0x3870B400EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-util-2017-02-23: (24 commits)
option: Fix checking of sizes for overflow and trailing crap
util/cutils: Change qemu_strtosz*() from int64_t to uint64_t
util/cutils: Return qemu_strtosz*() error and value separately
util/cutils: Let qemu_strtosz*() optionally reject trailing crap
qemu-img: Wrap cvtnum() around qemu_strtosz()
test-cutils: Drop suffix from test_qemu_strtosz_simple()
test-cutils: Use qemu_strtosz() more often
util/cutils: Drop QEMU_STRTOSZ_DEFSUFFIX_* macros
util/cutils: New qemu_strtosz()
util/cutils: Rename qemu_strtosz() to qemu_strtosz_MiB()
util/cutils: New qemu_strtosz_metric()
test-cutils: Cover qemu_strtosz() around range limits
test-cutils: Cover qemu_strtosz() with trailing crap
test-cutils: Cover qemu_strtosz() invalid input
test-cutils: Add missing qemu_strtosz()... endptr checks
option: Fix to reject invalid and overflowing numbers
util/cutils: Clean up control flow around qemu_strtol() a bit
util/cutils: Clean up variable names around qemu_strtol()
util/cutils: Rename qemu_strtoll(), qemu_strtoull()
util/cutils: Rewrite documentation of qemu_strtol() & friends
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Lieven [Fri, 17 Feb 2017 16:39:01 +0000 (17:39 +0100)]
block/nfs: try to avoid the bounce buffer in pwritev
if the passed qiov contains exactly one iov we can
pass the buffer directly.
Signed-off-by: Peter Lieven <pl@kamp.de> Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 1487349541-10201-3-git-send-email-pl@kamp.de Signed-off-by: Jeff Cody <jcody@redhat.com>
Peter Lieven [Fri, 17 Feb 2017 16:39:00 +0000 (17:39 +0100)]
block/nfs: convert to preadv / pwritev
Signed-off-by: Peter Lieven <pl@kamp.de> Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 1487349541-10201-2-git-send-email-pl@kamp.de Signed-off-by: Jeff Cody <jcody@redhat.com>
Kevin Wolf [Mon, 16 Jan 2017 16:17:38 +0000 (17:17 +0100)]
tests: Use opened block node for block job tests
blk_insert_bs() and block job related functions will soon require an
opened block node (permission calculations will involve the block
driver), so let our tests be consistent with the real users in this
respect.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Wed, 15 Feb 2017 19:51:58 +0000 (20:51 +0100)]
vvfat: Use opened node as backing file
We should not try to assign a not yet opened node as the backing file,
because as soon as the permission system is added it will fail. The
just added bdrv_new_open_driver() function is the right tool to open a
file with an internal driver, use it.
In case anyone wonders whether that magic fake backing file to trigger a
special action on 'commit' actually works today: No, not for me. One
reason is that we've been adding a raw format driver on top for several
years now and raw doesn't support commit. Other reasons include that the
backing file isn't writable and the driver doesn't support reopen, and
it's also size 0 and the driver doesn't support bdrv_truncate. All of
these are easily fixable, but then 'commit' ended up in an infinite loop
deep in the vvfat code for me, so I thought I'd best leave it alone. I'm
not really sure what it was supposed to do anyway.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Wed, 18 Jan 2017 16:16:41 +0000 (17:16 +0100)]
block: Add bdrv_new_open_driver()
This function allows to create more or less normal BlockDriverStates
even for BlockDrivers that aren't globally registered (e.g. helper
filters for block jobs).
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Wed, 18 Jan 2017 14:51:56 +0000 (15:51 +0100)]
block: Factor out bdrv_open_driver()
This is a function that doesn't do any option parsing, but just does
some basic BlockDriverState setup and calls the .bdrv_open() function of
the block driver.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Fri, 17 Feb 2017 17:39:24 +0000 (18:39 +0100)]
block: Use BlockBackend for image probing
This fixes the use of a parent-less BdrvChild in bdrv_open_inherit() by
converting it into a BlockBackend. Which is exactly what it should be,
image probing is an external, standalone user of a node. The requests
can't be considered to originate from the format driver node because
that one isn't even opened yet.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Fri, 16 Dec 2016 17:52:37 +0000 (18:52 +0100)]
block: Attach bs->file only during .bdrv_open()
The way that attaching bs->file worked was a bit unusual in that it was
the only child that would be attached to a node which is not opened yet.
Because of this, the block layer couldn't know yet which permissions the
driver would eventually need.
This patch moves the point where bs->file is attached to the beginning
of the individual .bdrv_open() implementations, so drivers already know
what they are going to do with the child. This is also more consistent
with how driver-specific children work.
For a moment, bdrv_open() gets its own BdrvChild to perform image
probing, but instead of directly assigning this BdrvChild to the BDS, it
becomes a temporary one and the node name is passed as an option to the
drivers, so that they can simply use bdrv_open_child() to create another
reference for their own use.
This duplicated child for (the not opened yet) bs is not the final
state, a follow-up patch will change the image probing code to use a
BlockBackend, which is completely independent of bs.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Fri, 17 Feb 2017 10:11:28 +0000 (11:11 +0100)]
mirror: Resize active commit base in mirror_run()
This is more consistent with the commit block job, and it moves the code
to a place where we already have the necessary BlockBackends to resize
the base image when bdrv_truncate() is changed to require a BdrvChild.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Fri, 17 Feb 2017 09:58:25 +0000 (10:58 +0100)]
qcow2: Use BB for resizing in qcow2_amend_options()
In order to able to convert bdrv_truncate() to take a BdrvChild and
later to correctly check the resize permission here, we need to use a
BlockBackend for resizing the image.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Kevin Wolf [Fri, 17 Feb 2017 10:23:33 +0000 (11:23 +0100)]
blockdev: Use BlockBackend to resize in qmp_block_resize()
In order to be able to do permission checking and to keep working with
the BdrvChild based bdrv_truncate() that this involves, we need to
create a temporary BlockBackend to resize the image.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
Nir Soffer [Fri, 17 Feb 2017 00:51:27 +0000 (02:51 +0200)]
qemu-img: Improve documentation for PREALLOC_MODE_FALLOC
Now that we are truncating the file in both PREALLOC_MODE_FULL and
PREALLOC_MODE_OFF, not truncating in PREALLOC_MODE_FALLOC looks odd.
Add a comment explaining why we do not truncate in this case.
Signed-off-by: Nir Soffer <nirsof@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Nir Soffer [Fri, 17 Feb 2017 00:51:26 +0000 (02:51 +0200)]
qemu-img: Truncate before full preallocation
In a previous commit (qemu-img: Do not truncate before preallocation) we
moved truncate to the PREALLOC_MODE_OFF branch to avoid slowdown in
posix_fallocate().
However this change is not optimal when using PREALLOC_MODE_FULL, since
knowing the final size from the beginning could allow the file system
driver to do less allocations and possibly avoid fragmentation of the
file.
Now we truncate also before doing full preallocation.
Signed-off-by: Nir Soffer <nirsof@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Nir Soffer [Fri, 3 Feb 2017 19:50:37 +0000 (21:50 +0200)]
qemu-img: Do not truncate before preallocation
When using file system that does not support fallocate() (e.g. NFS <
4.2), truncating the file only when preallocation=OFF speeds up creating
raw file.
Here is example run, tested on Fedora 24 machine, creating raw file on
NFS version 3 server.
$ time ./qemu-img-master create -f raw -o preallocation=falloc mnt/test 1g
Formatting 'mnt/test', fmt=raw size=1073741824 preallocation=falloc
real 0m21.185s
user 0m0.022s
sys 0m0.574s
$ time ./qemu-img-fix create -f raw -o preallocation=falloc mnt/test 1g
Formatting 'mnt/test', fmt=raw size=1073741824 preallocation=falloc
real 0m11.601s
user 0m0.016s
sys 0m0.525s
$ time dd if=/dev/zero of=mnt/test bs=1M count=1024 oflag=direct
1024+0 records in
1024+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 15.6627 s, 68.6 MB/s
real 0m16.104s
user 0m0.009s
sys 0m0.220s
Running with strace we can see that without this change we do one
pread() and one pwrite() for each block. With this change, we do only
one pwrite() per block.
This happens because posix_fallocate is checking if each block is
allocated before writing a byte to the block, and when truncating the
file before preallocation, all blocks are unallocated.
Signed-off-by: Nir Soffer <nirsof@gmail.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Jeff Cody [Tue, 14 Feb 2017 18:15:07 +0000 (13:15 -0500)]
qemu-iotests: redirect nbd server stdout to /dev/null
Some iotests (e.g. 174) try to filter the output of _make_test_image by
piping the stdout. Pipe the server stdout to /dev/null, so that filter
pipe does not need to wait until process completion.
Signed-off-by: Jeff Cody <jcody@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Jeff Cody [Tue, 14 Feb 2017 16:21:17 +0000 (11:21 -0500)]
qemu-iotests: add ability to exclude certain protocols from tests
Add the ability for shell script tests to exclude specific
protocols. This is useful to allow all protocols except ones known to
not support a feature used in the test (e.g. .bdrv_create).
Signed-off-by: Jeff Cody <jcody@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Peter Maydell [Fri, 24 Feb 2017 15:00:51 +0000 (15:00 +0000)]
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-22' into staging
QAPI patches for 2017-02-22
# gpg: Signature made Wed 22 Feb 2017 19:12:27 GMT
# gpg: using RSA key 0x3870B400EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* remotes/armbru/tags/pull-qapi-2017-02-22:
block: Don't bother asserting type of output visitor's output
monitor: Clean up handle_hmp_command() a bit
tests: Don't check qobject_type() before qobject_to_qbool()
tests: Don't check qobject_type() before qobject_to_qfloat()
tests: Don't check qobject_type() before qobject_to_qint()
tests: Don't check qobject_type() before qobject_to_qstring()
tests: Don't check qobject_type() before qobject_to_qlist()
Don't check qobject_type() before qobject_to_qdict()
test-qmp-event: Simplify and tighten event_test_emit()
libqtest: Clean up qmp_response() a bit
check-qjson: Simplify around compare_litqobj_to_qobj()
check-qdict: Tighten qdict_crumple_test_recursive() some
check-qdict: Simplify qdict_crumple_test_recursive()
qdict: Make qdict_get_qlist() safe like qdict_get_qdict()
net: Flatten simple union NetLegacyOptions
numa: Flatten simple union NumaOptions
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paul Burton [Thu, 8 Sep 2016 14:51:58 +0000 (15:51 +0100)]
hw/mips: MIPS Boston board support
Introduce support for emulating the MIPS Boston development board. The
Boston board is built around an FPGA & 3 PCIe controllers, one of which
is connected to an Intel EG20T Platform Controller Hub. It is used
during the development & debug of new CPUs and the software intended to
run on them, and is essentially the successor to the older MIPS Malta
board.
This patch does not implement the EG20T, instead connecting an already
supported ICH-9 AHCI controller. Whilst this isn't accurate it's enough
for typical stock Boston software (eg. Linux kernels) to work with hard
disks given that both the ICH-9 & EG20T implement the AHCI
specification.
Boston boards typically boot kernels in the FIT image format, and this
patch will treat kernels provided to QEMU as such. When loading a kernel
directly, the board code will generate minimal firmware much as the
Malta board code does. This firmware will set up the CM, CPC & GIC
register base addresses then set argument registers & jump to the kernel
entry point. Alternatively, bootloader code may be loaded using the bios
argument in which case no firmware will be generated & execution will
proceed from the start of the boot code at the default MIPS boot
exception vector (offset 0x1fc00000 into (c)kseg1).
Currently real Boston boards are always used with FPGA bitfiles that
include a Global Interrupt Controller (GIC), so the interrupt
configuration is only defined for such cases. Therefore the board will
only allow use of CPUs which implement the CPS components, including the
GIC, and will otherwise exit with a message.
Signed-off-by: Paul Burton <paul.burton@imgtec.com> Reviewed-by: Yongbok Kim <yongbok.kim@imgtec.com>
[yongbok.kim@imgtec.com:
isolated boston machine support for mips64el.
updated for recent Chardev changes.
ignore missing bios/kernel for qtest.
added default -drive to if=ide explicitly.
changed default memory size into 1G due to make check failure
on 32-bit hosts] Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
Alex Bennée [Thu, 23 Feb 2017 18:29:27 +0000 (18:29 +0000)]
tcg: enable MTTCG by default for ARM on x86 hosts
This enables the multi-threaded system emulation by default for ARMv7
and ARMv8 guests using the x86_64 TCG backend. This is because on the
guest side:
- The ARM translate.c/translate-64.c have been converted to
- use MTTCG safe atomic primitives
- emit the appropriate barrier ops
- The ARM machine has been updated to
- hold the BQL when modifying shared cross-vCPU state
- defer powerctl changes to async safe work
All the host backends support the barrier and atomic primitives but
need to provide same-or-better support for normal load/store
operations.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Acked-by: Peter Maydell <peter.maydell@linaro.org> Tested-by: Pranith Kumar <bobby.prani@gmail.com> Reviewed-by: Pranith Kumar <bobby.prani@gmail.com>
Alex Bennée [Thu, 23 Feb 2017 18:29:26 +0000 (18:29 +0000)]
hw/misc/imx6_src: defer clearing of SRC_SCR reset bits
The arm_reset_cpu/set_cpu_on/set_cpu_off() functions do their work
asynchronously in the target vCPUs context. As a result we need to
ensure the SRC_SCR reset bits correctly report the reset status at the
right time. To do this we defer the clearing of the bit with an async
job which will run after the work queued by ARM powerctl functions.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Alex Bennée [Thu, 23 Feb 2017 18:29:25 +0000 (18:29 +0000)]
target-arm: ensure all cross vCPUs TLB flushes complete
Previously flushes on other vCPUs would only get serviced when they
exited their TranslationBlocks. While this isn't overly problematic it
violates the semantics of TLB flush from the point of view of source
vCPU.
To solve this we call the cputlb *_all_cpus_synced() functions to do
the flushes which ensures all flushes are completed by the time the
vCPU next schedules its own work. As the TLB instructions are modelled
as CP writes the TB ends at this point meaning cpu->exit_request will
be checked before the next instruction is executed.
Deferring the work until the architectural sync point is a possible
future optimisation.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Alex Bennée [Thu, 23 Feb 2017 18:29:24 +0000 (18:29 +0000)]
target-arm: don't generate WFE/YIELD calls for MTTCG
The WFE and YIELD instructions are really only hints and in TCG's case
they were useful to move the scheduling on from one vCPU to the next. In
the parallel context (MTTCG) this just causes an unnecessary cpu_exit
and contention of the BQL.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Alex Bennée [Thu, 23 Feb 2017 18:29:23 +0000 (18:29 +0000)]
target-arm/powerctl: defer cpu reset work to CPU context
When switching a new vCPU on we want to complete a bunch of the setup
work before we start scheduling the vCPU thread. To do this cleanly we
defer vCPU setup to async work which will run the vCPUs execution
context as the thread is woken up. The scheduling of the work will kick
the vCPU awake.
This avoids potential races in MTTCG system emulation.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
projects / mirror_qemu.git / log