Compare commits
298 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
646ce0f5b5 | ||
|
4b48a789ef | ||
|
108c22f518 | ||
|
f0d2afbe43 | ||
|
fd795fc4d0 | ||
|
9d15b88230 | ||
|
e837494495 | ||
|
5ff8af4aaa | ||
|
0b61e57fbe | ||
|
3f5e1104a8 | ||
|
5bc1125531 | ||
|
28222ce611 | ||
|
581fcfe335 | ||
|
9fb824102c | ||
|
357c686a3e | ||
|
65b2a489f4 | ||
|
744e70f72e | ||
|
cd21b7f45d | ||
|
efaa1cda68 | ||
|
748c8c3268 | ||
|
d9af2bbdff | ||
|
f2839fea71 | ||
|
af50bf7b78 | ||
|
13e7c30edf | ||
|
4e321e2f5c | ||
|
458e07e8d7 | ||
|
3c0f9e810a | ||
|
dc03f389d3 | ||
|
3927dda118 | ||
|
3fa99d6aac | ||
|
9b60ebfd67 | ||
|
2b132a41aa | ||
|
a840dd697e | ||
|
884b734123 | ||
|
b35e952c0c | ||
|
25b0302679 | ||
|
a90ffcbc2c | ||
|
e84a93a247 | ||
|
d20fa70a4e | ||
|
c9c298d7a8 | ||
|
f4bee9e135 | ||
|
7ffd7f7fdf | ||
|
bdc5a0bca1 | ||
|
4269c70e28 | ||
|
0133142152 | ||
|
3da886a924 | ||
|
8c45437b3a | ||
|
9f833efd2d | ||
|
fa1d6ea0cd | ||
|
7e9fe41b78 | ||
|
76b4bc9d96 | ||
|
9f8e48750c | ||
|
e2b4e80d3c | ||
|
e1b832b513 | ||
|
17655806bf | ||
|
dd41f1a7ca | ||
|
8833af8dcd | ||
|
492d6c1fff | ||
|
377bb253e3 | ||
|
023288b71a | ||
|
1d442bb612 | ||
|
b98348b411 | ||
|
ba6f50c7d7 | ||
|
57a3231073 | ||
|
46ea403d2f | ||
|
e6e2c63c09 | ||
|
1d0e437ac8 | ||
|
6732563c65 | ||
|
46eefb217c | ||
|
ff9bb15b16 | ||
|
993f4157b6 | ||
|
41cffcfad7 | ||
|
b4072bd645 | ||
|
fddfbd9637 | ||
|
16769836d7 | ||
|
0038f84388 | ||
|
8e6758e973 | ||
|
fe24ece8af | ||
|
f4c127bbc1 | ||
|
918c70b1aa | ||
|
964eff6ae8 | ||
|
481596d7a6 | ||
|
c36918674f | ||
|
9db63cb5df | ||
|
5084436959 | ||
|
70269497f2 | ||
|
2a7146a2ca | ||
|
70b6670bdf | ||
|
28828da2e3 | ||
|
e4599b5e27 | ||
|
bd59499379 | ||
|
6acd45ea32 | ||
|
e0a72f8f2d | ||
|
160bf4b4d5 | ||
|
8e85e5e9aa | ||
|
419868beaf | ||
|
e5504b6ad4 | ||
|
40fbd86194 | ||
|
8a7ac9c97e | ||
29c3523ef3 | |||
|
17efd80578 | ||
|
70ef327d5f | ||
|
af6274808b | ||
|
c67ebc8192 | ||
|
cdc7e4ca72 | ||
|
e14a8ce4ef | ||
|
09f7c02959 | ||
|
4266c9b33e | ||
|
c9654a07d8 | ||
|
fd86380c5b | ||
|
1515438fd3 | ||
|
e3d6ad24ae | ||
|
9687314304 | ||
|
7da5fc303e | ||
|
f3518876c6 | ||
|
d3ff788791 | ||
|
941a4c0548 | ||
|
e1923c9eb5 | ||
|
a60ad61787 | ||
|
f1fa58e582 | ||
|
e24cbbb32e | ||
|
de10d8e08e | ||
|
2679bc30fc | ||
|
8e22bbd1e0 | ||
|
f1ea04bd67 | ||
|
e0155fb5be | ||
|
8433925433 | ||
|
61ad1f41fd | ||
|
5704646898 | ||
|
a4b3db7151 | ||
|
0af132aa98 | ||
|
007776f3e4 | ||
|
e4323bc8b2 | ||
|
a6f68877d0 | ||
|
91efacc572 | ||
|
748bb2f566 | ||
|
c90305980d | ||
|
13b2fd93a9 | ||
|
e4ec8b672d | ||
|
5bdb061bca | ||
|
d4c4507533 | ||
|
b12f5aef3a | ||
|
b91dae7a8f | ||
|
330481bc1c | ||
|
97eed6b145 | ||
|
6dab4a0cbd | ||
|
7b9b67b1ec | ||
|
0d2d5cc76d | ||
|
80404b03be | ||
|
a28cfa8216 | ||
|
e9e03fcd1c | ||
|
6269069f27 | ||
|
3930e8ff37 | ||
|
3758f8a137 | ||
|
e13261f947 | ||
|
3c6a0ca337 | ||
|
55054b88c9 | ||
|
6b1a7d80a5 | ||
|
a7e2480deb | ||
|
29249a79a8 | ||
|
52904050aa | ||
|
603dd9e50a | ||
|
28d4d1f5e7 | ||
|
34056732a5 | ||
|
1d16c17085 | ||
|
8253c01b09 | ||
|
ec520ba35e | ||
|
167a6b72c2 | ||
|
f81be8f026 | ||
|
f95699bf90 | ||
|
90a3c96cff | ||
|
a76e086590 | ||
|
e978b4fe84 | ||
|
bfe7b8124e | ||
|
700f126a07 | ||
|
2a2b49f85b | ||
|
59eb7ad892 | ||
|
b0a7742ccd | ||
|
8699737f6d | ||
|
ac5e33cbfe | ||
|
a8c6008b7d | ||
|
9acefb8589 | ||
|
4b7bd99c46 | ||
|
fd8ba3896b | ||
|
0fb2b27d3a | ||
|
0945e0bba3 | ||
|
98b428ff80 | ||
|
0b42e7fc18 | ||
|
3b6c813012 | ||
|
45cb87a59c | ||
|
5264c6a895 | ||
|
c2f33c885f | ||
|
c333713fea | ||
|
14cfc78b3c | ||
|
0323a03914 | ||
|
1a4355e536 | ||
|
26c1ceeaa3 | ||
|
6e16c07206 | ||
|
a3b9d99ab2 | ||
|
a949744f38 | ||
|
20b2275a19 | ||
|
22c2909bc1 | ||
|
f73c470a02 | ||
|
1e96c68c3d | ||
|
cf6afbb855 | ||
|
895ba8da7d | ||
|
335584f502 | ||
|
5eae33f189 | ||
|
faa9df96ad | ||
|
33f79e5eb1 | ||
|
514d6bc543 | ||
|
5dd6a73c80 | ||
|
74c0a82292 | ||
|
0db3257f1a | ||
|
996634350a | ||
|
1db5811d26 | ||
|
1c7073d8dd | ||
|
6a041ef569 | ||
|
c1f9c0e4d7 | ||
|
8b317f0917 | ||
|
50bb158a7a | ||
|
8288677cfa | ||
|
9074eea4bb | ||
|
17a6dacdca | ||
|
84eeb10ee8 | ||
|
151958b44b | ||
|
3bbbcdcb07 | ||
|
6f55752c5f | ||
|
b68b5fed43 | ||
|
0583426e3d | ||
|
820948cb49 | ||
|
ecbe006bda | ||
|
8a588691e2 | ||
|
b8878c0ca6 | ||
|
cf816402f7 | ||
|
d19693d908 | ||
|
8dd6b5e9c8 | ||
|
3a13ddd514 | ||
|
a2729a240b | ||
|
504e25420b | ||
|
57dbb7a5be | ||
|
435be3635e | ||
|
94ddf1cc6a | ||
|
d52607ebe6 | ||
|
4ff778e7b3 | ||
|
ef34be9e72 | ||
|
84e6ecadd9 | ||
|
51223f941f | ||
|
d0bc223280 | ||
|
9868109a5e | ||
|
ecee1eccfe | ||
|
a8a5dc38f8 | ||
|
9e71574671 | ||
|
0835325a86 | ||
|
cf91b1dfd9 | ||
|
f9730dab94 | ||
|
f0208c9e42 | ||
|
f8dc431e37 | ||
|
c3911a29b3 | ||
|
837eb7efa2 | ||
|
e200903264 | ||
|
35faab4c45 | ||
|
bc7ce050b0 | ||
|
b455e4b103 | ||
|
b0b55fdca8 | ||
|
6138a983a3 | ||
|
c752245c96 | ||
|
fa6cd1dad5 | ||
|
a503b12a16 | ||
|
4097206ab3 | ||
|
54cb1301c6 | ||
|
ae11374147 | ||
|
43821749cc | ||
|
73731f9ecd | ||
|
7d975d9810 | ||
|
95a588650f | ||
|
b24b7f1644 | ||
|
78f4db5d1d | ||
|
2a77992272 | ||
|
e8a6e4f833 | ||
|
205399c1ee | ||
|
c9396159e8 | ||
|
15489f4108 | ||
|
0d5e9f6618 | ||
|
dda6c386a5 | ||
|
6176f1d7e2 | ||
|
89aacd5f7a | ||
|
6baf84acf1 | ||
|
191c302918 | ||
|
7bf1a680e6 | ||
|
48e07c5c6e | ||
|
88b3793f29 | ||
|
4f68392c26 | ||
|
86d7b9f29b | ||
|
b448bfad34 | ||
|
1ae1f09f33 | ||
|
cf8819083b | ||
|
c5e57685f9 |
5
.gitignore
vendored
5
.gitignore
vendored
@ -1 +1,4 @@
|
||||
/qemu-*.tar.bz2
|
||||
/.build*.log
|
||||
/x86_64/
|
||||
/*.src.rpm
|
||||
/qemu-*.tar.xz
|
||||
|
@ -1,40 +0,0 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 12 Oct 2015 11:50:27 +0200
|
||||
Subject: [PATCH] target-i386: fix pcmpxstrx equal-ordered (strstr) mode
|
||||
|
||||
In this mode, referring an invalid element of the source forces the
|
||||
result to false (table 4-7, last column) but referring an invalid
|
||||
element of the destination forces the result to true, so the outer
|
||||
loop should still be run even if some elements of the destination
|
||||
will be invalid. They will be avoided in the inner loop, which
|
||||
correctly bounds "i" to validd, but they will still contribute to a
|
||||
positive outcome of the search.
|
||||
|
||||
This fixes tst_strstr in glibc 2.17.
|
||||
|
||||
Reported-by: Florian Weimer <fweimer@redhat.com>
|
||||
Cc: Richard Henderson <rth@twiddle.net>
|
||||
Cc: Eduardo Habkost <ehabkost@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4)
|
||||
---
|
||||
target-i386/ops_sse.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h
|
||||
index bee134b..a9e1905 100644
|
||||
--- a/target-i386/ops_sse.h
|
||||
+++ b/target-i386/ops_sse.h
|
||||
@@ -2037,10 +2037,10 @@ static inline unsigned pcmpxstrx(CPUX86State *env, Reg *d, Reg *s,
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
- for (j = valids - validd; j >= 0; j--) {
|
||||
+ for (j = valids; j >= 0; j--) {
|
||||
res <<= 1;
|
||||
v = 1;
|
||||
- for (i = MIN(upper - j, validd); i >= 0; i--) {
|
||||
+ for (i = MIN(valids - j, validd); i >= 0; i--) {
|
||||
v &= (pcmp_val(s, ctrl, i + j) == pcmp_val(d, ctrl, i));
|
||||
}
|
||||
res |= v;
|
@ -1,60 +0,0 @@
|
||||
From: Stefan Weil <sw@weilnetz.de>
|
||||
Date: Fri, 20 Nov 2015 08:42:33 +0100
|
||||
Subject: [PATCH] eepro100: Prevent two endless loops
|
||||
|
||||
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
|
||||
shows an example how an endless loop in function action_command can
|
||||
be achieved.
|
||||
|
||||
During my code review, I noticed a 2nd case which can result in an
|
||||
endless loop.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 00837731d254908a841d69298a4f9f077babaf24)
|
||||
---
|
||||
hw/net/eepro100.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
|
||||
index 60333b7..685a478 100644
|
||||
--- a/hw/net/eepro100.c
|
||||
+++ b/hw/net/eepro100.c
|
||||
@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
|
||||
#if 0
|
||||
uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
|
||||
#endif
|
||||
+ if (tx_buffer_size == 0) {
|
||||
+ /* Prevent an endless loop. */
|
||||
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
tbd_address += 8;
|
||||
TRACE(RXTX, logout
|
||||
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
|
||||
@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
|
||||
|
||||
static void action_command(EEPRO100State *s)
|
||||
{
|
||||
+ /* The loop below won't stop if it gets special handcrafted data.
|
||||
+ Therefore we limit the number of iterations. */
|
||||
+ unsigned max_loop_count = 16;
|
||||
+
|
||||
for (;;) {
|
||||
bool bit_el;
|
||||
bool bit_s;
|
||||
@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
|
||||
#if 0
|
||||
bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
|
||||
#endif
|
||||
+
|
||||
+ if (max_loop_count-- == 0) {
|
||||
+ /* Prevent an endless loop. */
|
||||
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
s->cu_offset = s->tx.link;
|
||||
TRACE(OTHER,
|
||||
logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
|
@ -1,47 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 20 Nov 2015 11:50:31 +0530
|
||||
Subject: [PATCH] net: pcnet: add check to validate receive data
|
||||
size(CVE-2015-7504)
|
||||
|
||||
In loopback mode, pcnet_receive routine appends CRC code to the
|
||||
receive buffer. If the data size given is same as the buffer size,
|
||||
the appended CRC code overwrites 4 bytes after s->buffer. Added a
|
||||
check to avoid that.
|
||||
|
||||
Reported by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
|
||||
(cherry picked from commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7)
|
||||
---
|
||||
hw/net/pcnet.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 3437376..4944444 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
||||
uint32_t fcs = ~0;
|
||||
uint8_t *p = src;
|
||||
|
||||
- while (p != &src[size-4])
|
||||
+ while (p != &src[size])
|
||||
CRC(fcs, *p++);
|
||||
crc_err = (*(uint32_t *)p != htonl(fcs));
|
||||
}
|
||||
@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
|
||||
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
||||
|
||||
/* if multi-tmd packet outsizes s->buffer then skip it silently.
|
||||
- Note: this is not what real hw does */
|
||||
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
||||
+ * Note: this is not what real hw does.
|
||||
+ * Last four bytes of s->buffer are used to store CRC FCS code.
|
||||
+ */
|
||||
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
|
||||
s->xmit_pos = -1;
|
||||
goto txdone;
|
||||
}
|
@ -1,34 +0,0 @@
|
||||
From: Jason Wang <jasowang@redhat.com>
|
||||
Date: Mon, 30 Nov 2015 15:00:06 +0800
|
||||
Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
|
||||
|
||||
Backends could provide a packet whose length is greater than buffer
|
||||
size. Check for this and truncate the packet to avoid rx buffer
|
||||
overflow in this case.
|
||||
|
||||
Cc: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 8b98a2f07175d46c3f7217639bd5e03f2ec56343)
|
||||
---
|
||||
hw/net/pcnet.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 4944444..27b7000 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
||||
int pktcount = 0;
|
||||
|
||||
if (!s->looptest) {
|
||||
+ if (size > 4092) {
|
||||
+#ifdef PCNET_DEBUG_RMD
|
||||
+ fprintf(stderr, "pcnet: truncates rx packet.\n");
|
||||
+#endif
|
||||
+ size = 4092;
|
||||
+ }
|
||||
memcpy(src, buf, size);
|
||||
/* no need to compute the CRC */
|
||||
src[size] = 0;
|
@ -1,41 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 3 Dec 2015 18:54:17 +0530
|
||||
Subject: [PATCH] ui: vnc: avoid floating point exception
|
||||
|
||||
While sending 'SetPixelFormat' messages to a VNC server,
|
||||
the client could set the 'red-max', 'green-max' and 'blue-max'
|
||||
values to be zero. This leads to a floating point exception in
|
||||
write_png_palette while doing frame buffer updates.
|
||||
|
||||
Reported-by: Lian Yihan <lianyihan@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3)
|
||||
---
|
||||
ui/vnc.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ui/vnc.c b/ui/vnc.c
|
||||
index caf82f5..52c6809 100644
|
||||
--- a/ui/vnc.c
|
||||
+++ b/ui/vnc.c
|
||||
@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *vs,
|
||||
return;
|
||||
}
|
||||
|
||||
- vs->client_pf.rmax = red_max;
|
||||
+ vs->client_pf.rmax = red_max ? red_max : 0xFF;
|
||||
vs->client_pf.rbits = hweight_long(red_max);
|
||||
vs->client_pf.rshift = red_shift;
|
||||
vs->client_pf.rmask = red_max << red_shift;
|
||||
- vs->client_pf.gmax = green_max;
|
||||
+ vs->client_pf.gmax = green_max ? green_max : 0xFF;
|
||||
vs->client_pf.gbits = hweight_long(green_max);
|
||||
vs->client_pf.gshift = green_shift;
|
||||
vs->client_pf.gmask = green_max << green_shift;
|
||||
- vs->client_pf.bmax = blue_max;
|
||||
+ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
|
||||
vs->client_pf.bbits = hweight_long(blue_max);
|
||||
vs->client_pf.bshift = blue_shift;
|
||||
vs->client_pf.bmask = blue_max << blue_shift;
|
@ -1,57 +0,0 @@
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 26 Jun 2015 14:25:29 +0200
|
||||
Subject: [PATCH] msix: implement pba write (but read-only)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
qpci_msix_pending() writes on pba region, causing qemu to SEGV:
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
[Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
|
||||
0x0000000000000000 in ?? ()
|
||||
(gdb) bt
|
||||
#0 0x0000000000000000 in ()
|
||||
#1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
|
||||
#2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
|
||||
#3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
|
||||
#4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
|
||||
#5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
|
||||
#6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
|
||||
#7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
|
||||
#8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
|
||||
#9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
|
||||
#10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
|
||||
#11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
|
||||
#12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
|
||||
|
||||
(without this patch, this can be reproduced with the ivshmem qtest)
|
||||
|
||||
Implement an empty mmio write to avoid the crash.
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 43b11a91dd861a946b231b89b7542856ade23d1b)
|
||||
---
|
||||
hw/pci/msix.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/pci/msix.c b/hw/pci/msix.c
|
||||
index 7716bf3..e91b2cb 100644
|
||||
--- a/hw/pci/msix.c
|
||||
+++ b/hw/pci/msix.c
|
||||
@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
|
||||
return pci_get_long(dev->msix_pba + addr);
|
||||
}
|
||||
|
||||
+static void msix_pba_mmio_write(void *opaque, hwaddr addr,
|
||||
+ uint64_t val, unsigned size)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
static const MemoryRegionOps msix_pba_mmio_ops = {
|
||||
.read = msix_pba_mmio_read,
|
||||
+ .write = msix_pba_mmio_write,
|
||||
.endianness = DEVICE_LITTLE_ENDIAN,
|
||||
.valid = {
|
||||
.min_access_size = 4,
|
@ -1,45 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 14 Dec 2015 09:21:23 +0100
|
||||
Subject: [PATCH] ehci: make idt processing more robust
|
||||
|
||||
Make ehci_process_itd return an error in case we didn't do any actual
|
||||
iso transfer because we've found no active transaction. That'll avoid
|
||||
ehci happily run in circles forever if the guest builds a loop out of
|
||||
idts.
|
||||
|
||||
This is CVE-2015-8558.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 64a54c6..25c225a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
{
|
||||
USBDevice *dev;
|
||||
USBEndpoint *ep;
|
||||
- uint32_t i, len, pid, dir, devaddr, endp;
|
||||
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
||||
uint32_t pg, off, ptr1, ptr2, max, mult;
|
||||
|
||||
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
||||
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
ehci_raise_irq(ehci, USBSTS_INT);
|
||||
}
|
||||
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
||||
+ xfers++;
|
||||
}
|
||||
}
|
||||
- return 0;
|
||||
+ return xfers ? 0 : -1;
|
||||
}
|
||||
|
||||
|
@ -1,42 +0,0 @@
|
||||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 19 Nov 2015 15:14:07 +0200
|
||||
Subject: [PATCH] acpi: fix buffer overrun on migration
|
||||
|
||||
ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
|
||||
ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
|
||||
ICH9_PMIO_GPE0_LEN bytes are migrated.
|
||||
|
||||
As a quick work-around, allocate twice the memory.
|
||||
We'll probably want to tweak code to avoid
|
||||
migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
|
||||
but that is a bit trickier to do without breaking
|
||||
migration compatibility.
|
||||
|
||||
Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
||||
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb)
|
||||
---
|
||||
hw/acpi/core.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
|
||||
index fe6215a..21e113d 100644
|
||||
--- a/hw/acpi/core.c
|
||||
+++ b/hw/acpi/core.c
|
||||
@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
|
||||
void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
|
||||
{
|
||||
ar->gpe.len = len;
|
||||
- ar->gpe.sts = g_malloc0(len / 2);
|
||||
- ar->gpe.en = g_malloc0(len / 2);
|
||||
+ /* Only first len / 2 bytes are ever used,
|
||||
+ * but the caller in ich9.c migrates full len bytes.
|
||||
+ * TODO: fix ich9.c and drop the extra allocation.
|
||||
+ */
|
||||
+ ar->gpe.sts = g_malloc0(len);
|
||||
+ ar->gpe.en = g_malloc0(len);
|
||||
}
|
||||
|
||||
void acpi_gpe_reset(ACPIREGS *ar)
|
@ -1,73 +0,0 @@
|
||||
From: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Date: Tue, 18 Aug 2015 12:45:55 +0300
|
||||
Subject: [PATCH] net/vmxnet3: Refine l2 header validation
|
||||
|
||||
Validation of l2 header length assumed minimal packet size as
|
||||
eth_header + 2 * vlan_header regardless of the actual protocol.
|
||||
|
||||
This caused crash for valid non-IP packets shorter than 22 bytes, as
|
||||
'tx_pkt->packet_type' hasn't been assigned for such packets, and
|
||||
'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
|
||||
|
||||
Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
|
||||
Check its return value during packet processing flow.
|
||||
|
||||
As a side effect, in case IPv4 and IPv6 header validation failure,
|
||||
corrupt packets will be dropped.
|
||||
|
||||
Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit a7278b36fcab9af469563bd7b9dadebe2ae25e48)
|
||||
---
|
||||
hw/net/vmxnet3.c | 4 +---
|
||||
hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
|
||||
2 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 2504425..71e7657 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
|
||||
}
|
||||
|
||||
if (txd.eop) {
|
||||
- if (!s->skip_current_tx_pkt) {
|
||||
- vmxnet_tx_pkt_parse(s->tx_pkt);
|
||||
-
|
||||
+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
|
||||
if (s->needs_vlan) {
|
||||
vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
|
||||
}
|
||||
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
|
||||
index f7344c4..eb88ddf 100644
|
||||
--- a/hw/net/vmxnet_tx_pkt.c
|
||||
+++ b/hw/net/vmxnet_tx_pkt.c
|
||||
@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
|
||||
|
||||
bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
|
||||
ETH_MAX_L2_HDR_LEN);
|
||||
- if (bytes_read < ETH_MAX_L2_HDR_LEN) {
|
||||
+ if (bytes_read < sizeof(struct eth_header)) {
|
||||
+ l2_hdr->iov_len = 0;
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ l2_hdr->iov_len = sizeof(struct eth_header);
|
||||
+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
|
||||
+ case ETH_P_VLAN:
|
||||
+ l2_hdr->iov_len += sizeof(struct vlan_header);
|
||||
+ break;
|
||||
+ case ETH_P_DVLAN:
|
||||
+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (bytes_read < l2_hdr->iov_len) {
|
||||
l2_hdr->iov_len = 0;
|
||||
return false;
|
||||
- } else {
|
||||
- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
|
||||
}
|
||||
|
||||
l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);
|
@ -1,34 +0,0 @@
|
||||
From: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Date: Mon, 21 Sep 2015 17:09:02 +0300
|
||||
Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
|
||||
|
||||
Instead of asserting, return the actual IMR register value.
|
||||
This is aligned with what's returned on ESXi.
|
||||
|
||||
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Tested-by: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit c6048f849c7e3f009786df76206e895a69de032c)
|
||||
---
|
||||
hw/net/vmxnet3.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 71e7657..d2be2ae 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1163,9 +1163,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
|
||||
static uint64_t
|
||||
vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
|
||||
{
|
||||
+ VMXNET3State *s = opaque;
|
||||
+
|
||||
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
|
||||
VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
|
||||
- g_assert_not_reached();
|
||||
+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
|
||||
+ VMXNET3_REG_ALIGN);
|
||||
+ return s->interrupt_states[l].is_masked;
|
||||
}
|
||||
|
||||
VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);
|
@ -1,90 +0,0 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 15 Dec 2015 12:27:54 +0530
|
||||
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
|
||||
|
||||
Vmxnet3 device emulator does not check if the device is active
|
||||
before activating it, also it did not free the transmit & receive
|
||||
buffers while deactivating the device, thus resulting in memory
|
||||
leakage on the host. This patch fixes both these issues to avoid
|
||||
host memory leakage.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470)
|
||||
---
|
||||
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
|
||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index d2be2ae..25ca344 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
|
||||
|
||||
static void vmxnet3_deactivate_device(VMXNET3State *s)
|
||||
{
|
||||
- VMW_CBPRN("Deactivating vmxnet3...");
|
||||
- s->device_active = false;
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CBPRN("Deactivating vmxnet3...");
|
||||
+ vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
+ vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
+ vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ s->device_active = false;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void vmxnet3_reset(VMXNET3State *s)
|
||||
@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
|
||||
|
||||
vmxnet3_deactivate_device(s);
|
||||
vmxnet3_reset_interrupt_states(s);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
s->drv_shmem = 0;
|
||||
s->tx_sop = true;
|
||||
s->skip_current_tx_pkt = false;
|
||||
@@ -1427,6 +1431,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
|
||||
return;
|
||||
}
|
||||
|
||||
+ /* Verify if device is active */
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CFPRN("Vmxnet3 device is active");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
vmxnet3_adjust_by_guest_type(s);
|
||||
vmxnet3_update_features(s);
|
||||
vmxnet3_update_pm_state(s);
|
||||
@@ -1623,7 +1633,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
|
||||
break;
|
||||
|
||||
case VMXNET3_CMD_QUIESCE_DEV:
|
||||
- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
|
||||
+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
|
||||
vmxnet3_deactivate_device(s);
|
||||
break;
|
||||
|
||||
@@ -1728,7 +1738,7 @@ vmxnet3_io_bar1_write(void *opaque,
|
||||
* shared address only after we get the high part
|
||||
*/
|
||||
if (val == 0) {
|
||||
- s->device_active = false;
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
}
|
||||
s->temp_shared_guest_driver_memory = val;
|
||||
s->drv_shmem = 0;
|
||||
@@ -2009,9 +2019,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
|
||||
static void vmxnet3_net_uninit(VMXNET3State *s)
|
||||
{
|
||||
g_free(s->mcast_list);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
- vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
- vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
qemu_del_nic(s->nic);
|
||||
}
|
||||
|
@ -1,62 +0,0 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Fri, 18 Dec 2015 11:35:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
Hello,
|
||||
|
||||
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
|
||||
occurs while doing I/O port write operations via hmp interface. In that,
|
||||
'current_cpu' remains null as it is not called from cpu_exec loop, which
|
||||
results in the said issue.
|
||||
|
||||
Below is a proposed (tested)patch to fix this issue; Does it look okay?
|
||||
|
||||
===
|
||||
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 18 Dec 2015 11:16:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
When I/O port write operation is called from hmp interface,
|
||||
'current_cpu' remains null, as it is not called from cpu_exec()
|
||||
loop. This leads to a null pointer dereference in vapic_write
|
||||
routine. Add check to avoid it.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7)
|
||||
---
|
||||
hw/i386/kvmvapic.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index c6d34b2..f0922da 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
|
||||
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
unsigned int size)
|
||||
{
|
||||
- CPUState *cs = current_cpu;
|
||||
- X86CPU *cpu = X86_CPU(cs);
|
||||
- CPUX86State *env = &cpu->env;
|
||||
- hwaddr rom_paddr;
|
||||
VAPICROMState *s = opaque;
|
||||
+ X86CPU *cpu;
|
||||
+ CPUX86State *env;
|
||||
+ hwaddr rom_paddr;
|
||||
|
||||
- cpu_synchronize_state(cs);
|
||||
+ if (!current_cpu) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ cpu_synchronize_state(current_cpu);
|
||||
+ cpu = X86_CPU(current_cpu);
|
||||
+ env = &cpu->env;
|
||||
|
||||
/*
|
||||
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
|
@ -1,32 +0,0 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 21 Dec 2015 15:13:13 +0530
|
||||
Subject: [PATCH] scsi: initialise info object with appropriate size
|
||||
|
||||
While processing controller 'CTRL_GET_INFO' command, the routine
|
||||
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
|
||||
appropriate size to null initialise it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index a04369c..d9b99c0 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
BusChild *kid;
|
||||
int num_pd_disks = 0;
|
||||
|
||||
- memset(&info, 0x0, cmd->iov_size);
|
||||
+ memset(&info, 0x0, dcmd_size);
|
||||
if (cmd->iov_size < dcmd_size) {
|
||||
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
|
||||
dcmd_size);
|
@ -1,44 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 28 Dec 2015 16:24:08 +0530
|
||||
Subject: [PATCH] net: rocker: fix an incorrect array bounds check
|
||||
|
||||
While processing transmit(tx) descriptors in 'tx_consume' routine
|
||||
the switch emulator suffers from an off-by-one error, if a
|
||||
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
|
||||
fragments. Fix an incorrect bounds check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa)
|
||||
---
|
||||
hw/net/rocker/rocker.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 47d080f..7e4ec0a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -234,6 +234,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
|
||||
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
|
||||
|
||||
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
||||
+ goto err_too_many_frags;
|
||||
+ }
|
||||
iov[iovcnt].iov_len = frag_len;
|
||||
iov[iovcnt].iov_base = g_malloc(frag_len);
|
||||
if (!iov[iovcnt].iov_base) {
|
||||
@@ -246,10 +249,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
err = -ROCKER_ENXIO;
|
||||
goto err_bad_io;
|
||||
}
|
||||
-
|
||||
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
|
||||
- goto err_too_many_frags;
|
||||
- }
|
||||
+ iovcnt++;
|
||||
}
|
||||
|
||||
if (iovcnt) {
|
@ -1,45 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 31 Dec 2015 17:05:27 +0530
|
||||
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
|
||||
|
||||
While doing ioport r/w operations, ne2000 device emulation suffers
|
||||
from OOB r/w errors. Update respective array bounds check to avoid
|
||||
OOB access.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6)
|
||||
---
|
||||
hw/net/ne2000.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 2bdb4c9..364f226 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
|
||||
uint32_t val)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
stl_le_p(s->mem + addr, val);
|
||||
}
|
||||
}
|
||||
@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
|
||||
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
return ldl_le_p(s->mem + addr);
|
||||
} else {
|
||||
return 0xffffffff;
|
@ -1,36 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 11 Jan 2016 14:10:42 -0500
|
||||
Subject: [PATCH] ide: ahci: reset ncq object to unused on error
|
||||
|
||||
When processing NCQ commands, AHCI device emulation prepares a
|
||||
NCQ transfer object; To which an aio control block(aiocb) object
|
||||
is assigned in 'execute_ncq_command'. In case, when the NCQ
|
||||
command is invalid, the 'aiocb' object is not assigned, and NCQ
|
||||
transfer object is left as 'used'. This leads to a use after
|
||||
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
|
||||
Reset NCQ transfer object to 'unused' to avoid it.
|
||||
|
||||
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab)
|
||||
---
|
||||
hw/ide/ahci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
||||
index 378ad60..73948af 100644
|
||||
--- a/hw/ide/ahci.c
|
||||
+++ b/hw/ide/ahci.c
|
||||
@@ -897,6 +897,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
|
||||
ide_state->error = ABRT_ERR;
|
||||
ide_state->status = READY_STAT | ERR_STAT;
|
||||
ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
|
||||
+ ncq_tfs->used = 0;
|
||||
}
|
||||
|
||||
static void ncq_finish(NCQTransferState *ncq_tfs)
|
@ -1,120 +0,0 @@
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Wed, 13 Jan 2016 09:09:58 +0100
|
||||
Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
|
||||
|
||||
When processing 'sendkey' command, hmp_sendkey routine null
|
||||
terminates the 'keyname_buf' array. This results in an OOB
|
||||
write issue, if 'keyname_len' was to fall outside of
|
||||
'keyname_buf' array.
|
||||
|
||||
Since the keyname's length is known the keyname_buf can be
|
||||
removed altogether by adding a length parameter to
|
||||
index_from_key() and using it for the error output as well.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-Id: <20160113080958.GA18934@olga>
|
||||
[Comparison with "<" dumbed down, test for junk after strtoul()
|
||||
tweaked]
|
||||
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
||||
|
||||
(cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196)
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
hmp.c | 18 ++++++++----------
|
||||
include/ui/console.h | 2 +-
|
||||
ui/input-legacy.c | 5 +++--
|
||||
3 files changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hmp.c b/hmp.c
|
||||
index dcc66f1..e3b6463 100644
|
||||
--- a/hmp.c
|
||||
+++ b/hmp.c
|
||||
@@ -1681,21 +1681,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
||||
int has_hold_time = qdict_haskey(qdict, "hold-time");
|
||||
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
|
||||
Error *err = NULL;
|
||||
- char keyname_buf[16];
|
||||
char *separator;
|
||||
int keyname_len;
|
||||
|
||||
while (1) {
|
||||
separator = strchr(keys, '-');
|
||||
keyname_len = separator ? separator - keys : strlen(keys);
|
||||
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
|
||||
|
||||
/* Be compatible with old interface, convert user inputted "<" */
|
||||
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
|
||||
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
|
||||
+ if (keys[0] == '<' && keyname_len == 1) {
|
||||
+ keys = "less";
|
||||
keyname_len = 4;
|
||||
}
|
||||
- keyname_buf[keyname_len] = 0;
|
||||
|
||||
keylist = g_malloc0(sizeof(*keylist));
|
||||
keylist->value = g_malloc0(sizeof(*keylist->value));
|
||||
@@ -1708,16 +1705,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
||||
}
|
||||
tmp = keylist;
|
||||
|
||||
- if (strstart(keyname_buf, "0x", NULL)) {
|
||||
+ if (strstart(keys, "0x", NULL)) {
|
||||
char *endp;
|
||||
- int value = strtoul(keyname_buf, &endp, 0);
|
||||
- if (*endp != '\0') {
|
||||
+ int value = strtoul(keys, &endp, 0);
|
||||
+ assert(endp <= keys + keyname_len);
|
||||
+ if (endp != keys + keyname_len) {
|
||||
goto err_out;
|
||||
}
|
||||
keylist->value->kind = KEY_VALUE_KIND_NUMBER;
|
||||
keylist->value->number = value;
|
||||
} else {
|
||||
- int idx = index_from_key(keyname_buf);
|
||||
+ int idx = index_from_key(keys, keyname_len);
|
||||
if (idx == Q_KEY_CODE_MAX) {
|
||||
goto err_out;
|
||||
}
|
||||
@@ -1739,7 +1737,7 @@ out:
|
||||
return;
|
||||
|
||||
err_out:
|
||||
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
|
||||
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
|
||||
goto out;
|
||||
}
|
||||
|
||||
diff --git a/include/ui/console.h b/include/ui/console.h
|
||||
index 047a2b4..f6e016f 100644
|
||||
--- a/include/ui/console.h
|
||||
+++ b/include/ui/console.h
|
||||
@@ -386,7 +386,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
|
||||
void curses_display_init(DisplayState *ds, int full_screen);
|
||||
|
||||
/* input.c */
|
||||
-int index_from_key(const char *key);
|
||||
+int index_from_key(const char *key, size_t key_length);
|
||||
|
||||
/* gtk.c */
|
||||
void early_gtk_display_init(int opengl);
|
||||
diff --git a/ui/input-legacy.c b/ui/input-legacy.c
|
||||
index e50f296..058bf8f 100644
|
||||
--- a/ui/input-legacy.c
|
||||
+++ b/ui/input-legacy.c
|
||||
@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
|
||||
static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
|
||||
QTAILQ_HEAD_INITIALIZER(led_handlers);
|
||||
|
||||
-int index_from_key(const char *key)
|
||||
+int index_from_key(const char *key, size_t key_length)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
|
||||
- if (!strcmp(key, QKeyCode_lookup[i])) {
|
||||
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
|
||||
+ !QKeyCode_lookup[i][key_length]) {
|
||||
break;
|
||||
}
|
||||
}
|
@ -1,95 +0,0 @@
|
||||
From: Laszlo Ersek <lersek@redhat.com>
|
||||
Date: Tue, 19 Jan 2016 14:17:20 +0100
|
||||
Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
|
||||
start
|
||||
|
||||
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
|
||||
iterating over a set of descriptors that the guest's e1000 driver
|
||||
prepares:
|
||||
|
||||
- the TDLEN and RDLEN registers store the total size of the descriptor
|
||||
area,
|
||||
|
||||
- while the TDH and RDH registers store the offset (in whole tx / rx
|
||||
descriptors) into the area where the transfer is supposed to start.
|
||||
|
||||
Each time a descriptor is processed, the TDH and RDH register is bumped
|
||||
(as appropriate for the transfer direction).
|
||||
|
||||
QEMU already contains logic to deal with bogus transfers submitted by the
|
||||
guest:
|
||||
|
||||
- Normally, the transmit case wants to increase TDH from its initial value
|
||||
to TDT. (TDT is allowed to be numerically smaller than the initial TDH
|
||||
value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
|
||||
that QEMU currently has here is a check against reaching the original
|
||||
TDH value again -- a complete wraparound, which should never happen.
|
||||
|
||||
- In the receive case RDH is increased from its initial value until
|
||||
"total_size" bytes have been received; preferably in a single step, or
|
||||
in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
|
||||
RX descriptors are skipped without receiving data, while RDH is
|
||||
incremented just the same. QEMU tries to prevent an infinite loop
|
||||
(processing only null RX descriptors) by detecting whether RDH assumes
|
||||
its original value during the loop. (Again, wrapping from RDLEN to 0 is
|
||||
normal.)
|
||||
|
||||
What both directions miss is that the guest could program TDLEN and RDLEN
|
||||
so low, and the initial TDH and RDH so high, that these registers will
|
||||
immediately be truncated to zero, and then never reassume their initial
|
||||
values in the loop -- a full wraparound will never occur.
|
||||
|
||||
The condition that expresses this is:
|
||||
|
||||
xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
|
||||
|
||||
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
|
||||
fits into the TDLEN or RDLEN sized area.
|
||||
|
||||
This condition could be checked before we enter the loops, but
|
||||
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
|
||||
bogus DMA addresses, so we just extend the existing failsafes with the
|
||||
above condition.
|
||||
|
||||
This is CVE-2016-1981.
|
||||
|
||||
Cc: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Cc: Petr Matousek <pmatouse@redhat.com>
|
||||
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
||||
Cc: Prasad Pandit <ppandit@redhat.com>
|
||||
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
|
||||
Cc: Jason Wang <jasowang@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
|
||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit dd793a74882477ca38d49e191110c17dfee51dcc)
|
||||
---
|
||||
hw/net/e1000.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
||||
index 09c9e9d..6eac66d 100644
|
||||
--- a/hw/net/e1000.c
|
||||
+++ b/hw/net/e1000.c
|
||||
@@ -819,7 +819,8 @@ start_xmit(E1000State *s)
|
||||
* bogus values to TDT/TDLEN.
|
||||
* there's nothing too intelligent we could do about this.
|
||||
*/
|
||||
- if (s->mac_reg[TDH] == tdh_start) {
|
||||
+ if (s->mac_reg[TDH] == tdh_start ||
|
||||
+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
|
||||
DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
|
||||
tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
|
||||
break;
|
||||
@@ -1065,7 +1066,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
|
||||
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
|
||||
s->mac_reg[RDH] = 0;
|
||||
/* see comment in start_xmit; same here */
|
||||
- if (s->mac_reg[RDH] == rdh_start) {
|
||||
+ if (s->mac_reg[RDH] == rdh_start ||
|
||||
+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
|
||||
DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
|
||||
rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
|
||||
set_ics(s, 0, E1000_ICS_RXO);
|
@ -1,49 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 20 Jan 2016 01:26:46 +0530
|
||||
Subject: [PATCH] usb: check page select value while processing iTD
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), the page
|
||||
select(PG) field value could lead to an OOB read access. Add
|
||||
check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 49d925ce50383a286278143c05511d30ec41a36e)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 25c225a..d829901 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1404,21 +1404,23 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (itd->transact[i] & ITD_XACT_ACTIVE) {
|
||||
pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
|
||||
off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
|
||||
- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
|
||||
- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
|
||||
len = get_field(itd->transact[i], ITD_XACT_LENGTH);
|
||||
|
||||
if (len > max * mult) {
|
||||
len = max * mult;
|
||||
}
|
||||
-
|
||||
- if (len > BUFF_SIZE) {
|
||||
+ if (len > BUFF_SIZE || pg > 6) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
|
||||
qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
+ if (pg == 6) {
|
||||
+ return -1; /* avoid page pg + 1 */
|
||||
+ }
|
||||
+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
||||
uint32_t len2 = off + len - 4096;
|
||||
uint32_t len1 = len - len2;
|
||||
qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
|
@ -1,40 +0,0 @@
|
||||
From: John Snow <jsnow@redhat.com>
|
||||
Date: Wed, 10 Feb 2016 13:29:40 -0500
|
||||
Subject: [PATCH] ahci: Do not unmap NULL addresses
|
||||
|
||||
Definitely don't try to unmap a garbage address.
|
||||
|
||||
Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
|
||||
(cherry picked from commit 99b4cb71069f109b79b27bc629fc0cf0886dbc4b)
|
||||
---
|
||||
hw/ide/ahci.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
||||
index 73948af..4301a78 100644
|
||||
--- a/hw/ide/ahci.c
|
||||
+++ b/hw/ide/ahci.c
|
||||
@@ -647,6 +647,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
|
||||
|
||||
static void ahci_unmap_fis_address(AHCIDevice *ad)
|
||||
{
|
||||
+ if (ad->res_fis == NULL) {
|
||||
+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
|
||||
+ return;
|
||||
+ }
|
||||
dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
|
||||
DMA_DIRECTION_FROM_DEVICE, 256);
|
||||
ad->res_fis = NULL;
|
||||
@@ -663,6 +667,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
|
||||
|
||||
static void ahci_unmap_clb_address(AHCIDevice *ad)
|
||||
{
|
||||
+ if (ad->lst == NULL) {
|
||||
+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
|
||||
+ return;
|
||||
+ }
|
||||
dma_memory_unmap(ad->hba->as, ad->lst, 1024,
|
||||
DMA_DIRECTION_FROM_DEVICE, 1024);
|
||||
ad->lst = NULL;
|
@ -1,74 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:18 +0100
|
||||
Subject: [PATCH] target-ppc: rename and export maybe_bswap_register()
|
||||
|
||||
This helper will be used to support FP, Altivec and VSX registers when
|
||||
the guest is little-endian.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 376dbce0e3abe456fb8c7a3cd40dc369f8b33d30)
|
||||
---
|
||||
target-ppc/cpu.h | 1 +
|
||||
target-ppc/gdbstub.c | 10 +++++-----
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
|
||||
index 6f76674..a8b37ba 100644
|
||||
--- a/target-ppc/cpu.h
|
||||
+++ b/target-ppc/cpu.h
|
||||
@@ -2328,4 +2328,5 @@ int ppc_get_vcpu_dt_id(PowerPCCPU *cpu);
|
||||
*/
|
||||
PowerPCCPU *ppc_get_vcpu_by_dt_id(int cpu_dt_id);
|
||||
|
||||
+void ppc_maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len);
|
||||
#endif /* !defined (__CPU_PPC_H__) */
|
||||
diff --git a/target-ppc/gdbstub.c b/target-ppc/gdbstub.c
|
||||
index 14675f4..b20bb0c 100644
|
||||
--- a/target-ppc/gdbstub.c
|
||||
+++ b/target-ppc/gdbstub.c
|
||||
@@ -88,7 +88,7 @@ static int ppc_gdb_register_len(int n)
|
||||
the proper ordering for the binary, and cannot be changed.
|
||||
For system mode, TARGET_WORDS_BIGENDIAN is always set, and we must check
|
||||
the current mode of the chip to see if we're running in little-endian. */
|
||||
-static void maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len)
|
||||
+void ppc_maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len)
|
||||
{
|
||||
#ifndef CONFIG_USER_ONLY
|
||||
if (!msr_le) {
|
||||
@@ -158,7 +158,7 @@ int ppc_cpu_gdb_read_register(CPUState *cs, uint8_t *mem_buf, int n)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- maybe_bswap_register(env, mem_buf, r);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, r);
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -214,7 +214,7 @@ int ppc_cpu_gdb_read_register_apple(CPUState *cs, uint8_t *mem_buf, int n)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- maybe_bswap_register(env, mem_buf, r);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, r);
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -227,7 +227,7 @@ int ppc_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
|
||||
if (!r) {
|
||||
return r;
|
||||
}
|
||||
- maybe_bswap_register(env, mem_buf, r);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, r);
|
||||
if (n < 32) {
|
||||
/* gprs */
|
||||
env->gpr[n] = ldtul_p(mem_buf);
|
||||
@@ -277,7 +277,7 @@ int ppc_cpu_gdb_write_register_apple(CPUState *cs, uint8_t *mem_buf, int n)
|
||||
if (!r) {
|
||||
return r;
|
||||
}
|
||||
- maybe_bswap_register(env, mem_buf, r);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, r);
|
||||
if (n < 32) {
|
||||
/* gprs */
|
||||
env->gpr[n] = ldq_p(mem_buf);
|
@ -1,45 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:25 +0100
|
||||
Subject: [PATCH] target-ppc: gdbstub: fix float registers for little-endian
|
||||
guests
|
||||
|
||||
Let's reuse the ppc_maybe_bswap_register() helper, like we already do
|
||||
with the general registers.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 385abeb3e356452eace44f3fe15e18c2532dcaa7)
|
||||
---
|
||||
target-ppc/translate_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index 16d7b16..de6b618 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -8758,10 +8758,12 @@ static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
stfq_p(mem_buf, env->fpr[n]);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
return 8;
|
||||
}
|
||||
if (n == 32) {
|
||||
stl_p(mem_buf, env->fpscr);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
return 4;
|
||||
}
|
||||
return 0;
|
||||
@@ -8770,10 +8772,12 @@ static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
static int gdb_set_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
env->fpr[n] = ldfq_p(mem_buf);
|
||||
return 8;
|
||||
}
|
||||
if (n == 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
helper_store_fpscr(env, ldl_p(mem_buf), 0xffffffff);
|
||||
return 4;
|
||||
}
|
@ -1,79 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:31 +0100
|
||||
Subject: [PATCH] target-ppc: gdbstub: introduce avr_need_swap()
|
||||
|
||||
This helper will be used to support Altivec registers in little-endian guests.
|
||||
This patch does not change functionnality.
|
||||
|
||||
Note: I had to put the helper some lines away from the gdb_*_avr_reg()
|
||||
routines to get a more readable patch.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 87601e2d5c22d9c1fef0e09978d377f46336c1db)
|
||||
---
|
||||
target-ppc/translate_init.c | 37 +++++++++++++++++++++++--------------
|
||||
1 file changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index de6b618..78a9c0e 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -8754,6 +8754,15 @@ static void dump_ppc_insns (CPUPPCState *env)
|
||||
}
|
||||
#endif
|
||||
|
||||
+static bool avr_need_swap(CPUPPCState *env)
|
||||
+{
|
||||
+#ifdef HOST_WORDS_BIGENDIAN
|
||||
+ return false;
|
||||
+#else
|
||||
+ return true;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static int gdb_get_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
@@ -8787,13 +8796,13 @@ static int gdb_set_float_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
-#ifdef HOST_WORDS_BIGENDIAN
|
||||
- stq_p(mem_buf, env->avr[n].u64[0]);
|
||||
- stq_p(mem_buf+8, env->avr[n].u64[1]);
|
||||
-#else
|
||||
- stq_p(mem_buf, env->avr[n].u64[1]);
|
||||
- stq_p(mem_buf+8, env->avr[n].u64[0]);
|
||||
-#endif
|
||||
+ if (!avr_need_swap(env)) {
|
||||
+ stq_p(mem_buf, env->avr[n].u64[0]);
|
||||
+ stq_p(mem_buf+8, env->avr[n].u64[1]);
|
||||
+ } else {
|
||||
+ stq_p(mem_buf, env->avr[n].u64[1]);
|
||||
+ stq_p(mem_buf+8, env->avr[n].u64[0]);
|
||||
+ }
|
||||
return 16;
|
||||
}
|
||||
if (n == 32) {
|
||||
@@ -8810,13 +8819,13 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
-#ifdef HOST_WORDS_BIGENDIAN
|
||||
- env->avr[n].u64[0] = ldq_p(mem_buf);
|
||||
- env->avr[n].u64[1] = ldq_p(mem_buf+8);
|
||||
-#else
|
||||
- env->avr[n].u64[1] = ldq_p(mem_buf);
|
||||
- env->avr[n].u64[0] = ldq_p(mem_buf+8);
|
||||
-#endif
|
||||
+ if (!avr_need_swap(env)) {
|
||||
+ env->avr[n].u64[0] = ldq_p(mem_buf);
|
||||
+ env->avr[n].u64[1] = ldq_p(mem_buf+8);
|
||||
+ } else {
|
||||
+ env->avr[n].u64[1] = ldq_p(mem_buf);
|
||||
+ env->avr[n].u64[0] = ldq_p(mem_buf+8);
|
||||
+ }
|
||||
return 16;
|
||||
}
|
||||
if (n == 32) {
|
@ -1,76 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:38 +0100
|
||||
Subject: [PATCH] target-ppc: gdbstub: fix altivec registers for little-endian
|
||||
guests
|
||||
|
||||
Altivec registers are 128-bit wide. They are stored in memory as two
|
||||
64-bit values that must be byteswapped when the guest is little-endian.
|
||||
Let's reuse the ppc_maybe_bswap_register() helper for this.
|
||||
|
||||
We also need to fix the ordering of the 64-bit elements according to
|
||||
the target endianness, for both system and user mode.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit ea499e71506c91aa259a7fdccf1d6b2022f5b530)
|
||||
---
|
||||
target-ppc/translate_init.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index 78a9c0e..255f63f 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -8757,9 +8757,9 @@ static void dump_ppc_insns (CPUPPCState *env)
|
||||
static bool avr_need_swap(CPUPPCState *env)
|
||||
{
|
||||
#ifdef HOST_WORDS_BIGENDIAN
|
||||
- return false;
|
||||
+ return msr_le;
|
||||
#else
|
||||
- return true;
|
||||
+ return !msr_le;
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -8803,14 +8803,18 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
stq_p(mem_buf, env->avr[n].u64[1]);
|
||||
stq_p(mem_buf+8, env->avr[n].u64[0]);
|
||||
}
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf + 8, 8);
|
||||
return 16;
|
||||
}
|
||||
if (n == 32) {
|
||||
stl_p(mem_buf, env->vscr);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
return 4;
|
||||
}
|
||||
if (n == 33) {
|
||||
stl_p(mem_buf, (uint32_t)env->spr[SPR_VRSAVE]);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
return 4;
|
||||
}
|
||||
return 0;
|
||||
@@ -8819,6 +8823,8 @@ static int gdb_get_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
{
|
||||
if (n < 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf + 8, 8);
|
||||
if (!avr_need_swap(env)) {
|
||||
env->avr[n].u64[0] = ldq_p(mem_buf);
|
||||
env->avr[n].u64[1] = ldq_p(mem_buf+8);
|
||||
@@ -8829,10 +8835,12 @@ static int gdb_set_avr_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
return 16;
|
||||
}
|
||||
if (n == 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
env->vscr = ldl_p(mem_buf);
|
||||
return 4;
|
||||
}
|
||||
if (n == 33) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
env->spr[SPR_VRSAVE] = (target_ulong)ldl_p(mem_buf);
|
||||
return 4;
|
||||
}
|
@ -1,66 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:44 +0100
|
||||
Subject: [PATCH] target-ppc: gdbstub: fix spe registers for little-endian
|
||||
guests
|
||||
|
||||
Let's reuse the ppc_maybe_bswap_register() helper, like we already do
|
||||
with the general registers.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 95f5b540abd964ac3bc9c63434d07681a5a175eb)
|
||||
---
|
||||
target-ppc/translate_init.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index 255f63f..a52bcf0 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -8852,6 +8852,7 @@ static int gdb_get_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
if (n < 32) {
|
||||
#if defined(TARGET_PPC64)
|
||||
stl_p(mem_buf, env->gpr[n] >> 32);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
#else
|
||||
stl_p(mem_buf, env->gprh[n]);
|
||||
#endif
|
||||
@@ -8859,10 +8860,12 @@ static int gdb_get_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
}
|
||||
if (n == 32) {
|
||||
stq_p(mem_buf, env->spe_acc);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
return 8;
|
||||
}
|
||||
if (n == 33) {
|
||||
stl_p(mem_buf, env->spe_fscr);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
return 4;
|
||||
}
|
||||
return 0;
|
||||
@@ -8873,7 +8876,11 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
if (n < 32) {
|
||||
#if defined(TARGET_PPC64)
|
||||
target_ulong lo = (uint32_t)env->gpr[n];
|
||||
- target_ulong hi = (target_ulong)ldl_p(mem_buf) << 32;
|
||||
+ target_ulong hi;
|
||||
+
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
+
|
||||
+ hi = (target_ulong)ldl_p(mem_buf) << 32;
|
||||
env->gpr[n] = lo | hi;
|
||||
#else
|
||||
env->gprh[n] = ldl_p(mem_buf);
|
||||
@@ -8881,10 +8888,12 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
return 4;
|
||||
}
|
||||
if (n == 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
env->spe_acc = ldq_p(mem_buf);
|
||||
return 8;
|
||||
}
|
||||
if (n == 33) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 4);
|
||||
env->spe_fscr = ldl_p(mem_buf);
|
||||
return 4;
|
||||
}
|
@ -1,139 +0,0 @@
|
||||
From: Anton Blanchard <anton@samba.org>
|
||||
Date: Fri, 15 Jan 2016 16:00:51 +0100
|
||||
Subject: [PATCH] target-ppc: gdbstub: Add VSX support
|
||||
|
||||
Add the XML and functions to get and set VSX registers.
|
||||
|
||||
Signed-off-by: Anton Blanchard <anton@samba.org>
|
||||
(fixed little-endian guests)
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
|
||||
(cherry picked from commit 1438eff302cbc6c85d477fd7181b8a9aeea2efd7)
|
||||
---
|
||||
configure | 6 +++---
|
||||
gdb-xml/power-vsx.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
target-ppc/translate_init.c | 24 ++++++++++++++++++++++++
|
||||
3 files changed, 71 insertions(+), 3 deletions(-)
|
||||
create mode 100644 gdb-xml/power-vsx.xml
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index cd219d8..773790c 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -5348,20 +5348,20 @@ case "$target_name" in
|
||||
ppc64)
|
||||
TARGET_BASE_ARCH=ppc
|
||||
TARGET_ABI_DIR=ppc
|
||||
- gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
|
||||
+ gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
|
||||
;;
|
||||
ppc64le)
|
||||
TARGET_ARCH=ppc64
|
||||
TARGET_BASE_ARCH=ppc
|
||||
TARGET_ABI_DIR=ppc
|
||||
- gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
|
||||
+ gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
|
||||
;;
|
||||
ppc64abi32)
|
||||
TARGET_ARCH=ppc64
|
||||
TARGET_BASE_ARCH=ppc
|
||||
TARGET_ABI_DIR=ppc
|
||||
echo "TARGET_ABI32=y" >> $config_target_mak
|
||||
- gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
|
||||
+ gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml power-vsx.xml"
|
||||
;;
|
||||
sh4|sh4eb)
|
||||
TARGET_ARCH=sh4
|
||||
diff --git a/gdb-xml/power-vsx.xml b/gdb-xml/power-vsx.xml
|
||||
new file mode 100644
|
||||
index 0000000..fd290e9
|
||||
--- /dev/null
|
||||
+++ b/gdb-xml/power-vsx.xml
|
||||
@@ -0,0 +1,44 @@
|
||||
+<?xml version="1.0"?>
|
||||
+<!-- Copyright (C) 2008-2015 Free Software Foundation, Inc.
|
||||
+
|
||||
+ Copying and distribution of this file, with or without modification,
|
||||
+ are permitted in any medium without royalty provided the copyright
|
||||
+ notice and this notice are preserved. -->
|
||||
+
|
||||
+<!-- POWER7 VSX registers that do not overlap existing FP and VMX
|
||||
+ registers. -->
|
||||
+<!DOCTYPE feature SYSTEM "gdb-target.dtd">
|
||||
+<feature name="org.gnu.gdb.power.vsx">
|
||||
+ <reg name="vs0h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs1h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs2h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs3h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs4h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs5h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs6h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs7h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs8h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs9h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs10h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs11h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs12h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs13h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs14h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs15h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs16h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs17h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs18h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs19h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs20h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs21h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs22h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs23h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs24h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs25h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs26h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs27h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs28h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs29h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs30h" bitsize="64" type="uint64"/>
|
||||
+ <reg name="vs31h" bitsize="64" type="uint64"/>
|
||||
+</feature>
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index a52bcf0..7368eed 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -8900,6 +8900,26 @@ static int gdb_set_spe_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int gdb_get_vsx_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
+{
|
||||
+ if (n < 32) {
|
||||
+ stq_p(mem_buf, env->vsr[n]);
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
+ return 8;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int gdb_set_vsx_reg(CPUPPCState *env, uint8_t *mem_buf, int n)
|
||||
+{
|
||||
+ if (n < 32) {
|
||||
+ ppc_maybe_bswap_register(env, mem_buf, 8);
|
||||
+ env->vsr[n] = ldq_p(mem_buf);
|
||||
+ return 8;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int ppc_fixup_cpu(PowerPCCPU *cpu)
|
||||
{
|
||||
CPUPPCState *env = &cpu->env;
|
||||
@@ -9005,6 +9025,10 @@ static void ppc_cpu_realizefn(DeviceState *dev, Error **errp)
|
||||
gdb_register_coprocessor(cs, gdb_get_spe_reg, gdb_set_spe_reg,
|
||||
34, "power-spe.xml", 0);
|
||||
}
|
||||
+ if (pcc->insns_flags2 & PPC2_VSX) {
|
||||
+ gdb_register_coprocessor(cs, gdb_get_vsx_reg, gdb_set_vsx_reg,
|
||||
+ 32, "power-vsx.xml", 0);
|
||||
+ }
|
||||
|
||||
qemu_init_vcpu(cs);
|
||||
|
@ -1,85 +0,0 @@
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Fri, 15 Jan 2016 16:00:12 +0100
|
||||
Subject: [PATCH] target-ppc: kvm: fix floating point registers sync on
|
||||
little-endian hosts
|
||||
|
||||
On VSX capable CPUs, the 32 FP registers are mapped to the high-bits
|
||||
of the 32 first VSX registers. So if you have:
|
||||
|
||||
VSR31 = (uint128) 0x0102030405060708090a0b0c0d0e0f00
|
||||
|
||||
then
|
||||
|
||||
FPR31 = (uint64) 0x0102030405060708
|
||||
|
||||
The kernel stores the VSX registers in the fp_state struct following the
|
||||
host endian element ordering.
|
||||
|
||||
On big-endian:
|
||||
|
||||
fp_state.fpr[31][0] = 0x0102030405060708
|
||||
fp_state.fpr[31][1] = 0x090a0b0c0d0e0f00
|
||||
|
||||
On little-endian:
|
||||
|
||||
fp_state.fpr[31][0] = 0x090a0b0c0d0e0f00
|
||||
fp_state.fpr[31][1] = 0x0102030405060708
|
||||
|
||||
The KVM_GET_ONE_REG and KVM_SET_ONE_REG ioctls preserve this ordering, but
|
||||
QEMU considers it as big-endian and always copies element [0] to the
|
||||
fpr[] array and element [1] to the vsr[] array. This does not work with
|
||||
little-endian hosts, and you will get:
|
||||
|
||||
(qemu) p $f31
|
||||
0x90a0b0c0d0e0f00
|
||||
|
||||
instead of:
|
||||
|
||||
(qemu) p $f31
|
||||
0x102030405060708
|
||||
|
||||
This patch fixes the element ordering for little-endian hosts.
|
||||
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 3a4b791b4c13e02537a5cc572fa3de70bc5f68da)
|
||||
---
|
||||
target-ppc/kvm.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
|
||||
index a307a13..b12db25 100644
|
||||
--- a/target-ppc/kvm.c
|
||||
+++ b/target-ppc/kvm.c
|
||||
@@ -641,8 +641,13 @@ static int kvm_put_fp(CPUState *cs)
|
||||
for (i = 0; i < 32; i++) {
|
||||
uint64_t vsr[2];
|
||||
|
||||
+#ifdef HOST_WORDS_BIGENDIAN
|
||||
vsr[0] = float64_val(env->fpr[i]);
|
||||
vsr[1] = env->vsr[i];
|
||||
+#else
|
||||
+ vsr[0] = env->vsr[i];
|
||||
+ vsr[1] = float64_val(env->fpr[i]);
|
||||
+#endif
|
||||
reg.addr = (uintptr_t) &vsr;
|
||||
reg.id = vsx ? KVM_REG_PPC_VSR(i) : KVM_REG_PPC_FPR(i);
|
||||
|
||||
@@ -712,10 +717,17 @@ static int kvm_get_fp(CPUState *cs)
|
||||
vsx ? "VSR" : "FPR", i, strerror(errno));
|
||||
return ret;
|
||||
} else {
|
||||
+#ifdef HOST_WORDS_BIGENDIAN
|
||||
env->fpr[i] = vsr[0];
|
||||
if (vsx) {
|
||||
env->vsr[i] = vsr[1];
|
||||
}
|
||||
+#else
|
||||
+ env->fpr[i] = vsr[1];
|
||||
+ if (vsx) {
|
||||
+ env->vsr[i] = vsr[0];
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
}
|
@ -1,34 +0,0 @@
|
||||
From: Fam Zheng <famz@redhat.com>
|
||||
Date: Thu, 17 Sep 2015 13:04:10 +0800
|
||||
Subject: [PATCH] vmdk: Create streamOptimized as version 3
|
||||
|
||||
VMware products accept only version 3 for streamOptimized, let's bump
|
||||
the version.
|
||||
|
||||
Reported-by: Radoslav Gerganov <rgerganov@vmware.com>
|
||||
Signed-off-by: Fam Zheng <famz@redhat.com>
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
(cherry picked from commit d62d9dc4b814950dcc8bd261a3e2e9300d9065e6)
|
||||
---
|
||||
block/vmdk.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/block/vmdk.c b/block/vmdk.c
|
||||
index fbaab67..6f6fd88 100644
|
||||
--- a/block/vmdk.c
|
||||
+++ b/block/vmdk.c
|
||||
@@ -1647,7 +1647,13 @@ static int vmdk_create_extent(const char *filename, int64_t filesize,
|
||||
}
|
||||
magic = cpu_to_be32(VMDK4_MAGIC);
|
||||
memset(&header, 0, sizeof(header));
|
||||
- header.version = zeroed_grain ? 2 : 1;
|
||||
+ if (compress) {
|
||||
+ header.version = 3;
|
||||
+ } else if (zeroed_grain) {
|
||||
+ header.version = 2;
|
||||
+ } else {
|
||||
+ header.version = 1;
|
||||
+ }
|
||||
header.flags = VMDK4_FLAG_RGD | VMDK4_FLAG_NL_DETECT
|
||||
| (compress ? VMDK4_FLAG_COMPRESS | VMDK4_FLAG_MARKER : 0)
|
||||
| (zeroed_grain ? VMDK4_FLAG_ZERO_GRAIN : 0);
|
@ -1,48 +0,0 @@
|
||||
From: Fam Zheng <famz@redhat.com>
|
||||
Date: Mon, 25 Jan 2016 10:26:23 +0800
|
||||
Subject: [PATCH] vmdk: Fix converting to streamOptimized
|
||||
|
||||
Commit d62d9dc4b8 lifted streamOptimized images's version to 3, but we
|
||||
now refuse to open version 3 images read-write. We need to make
|
||||
streamOptimized an exception to allow converting to it. This fixes the
|
||||
accidentally broken iotests case 059 for the same reason.
|
||||
|
||||
Signed-off-by: Fam Zheng <famz@redhat.com>
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
Signed-off-by: Max Reitz <mreitz@redhat.com>
|
||||
(cherry picked from commit 3db1d98a20262228373bb973ca62b1ab64b29af4)
|
||||
---
|
||||
block/vmdk.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/block/vmdk.c b/block/vmdk.c
|
||||
index 6f6fd88..653261c 100644
|
||||
--- a/block/vmdk.c
|
||||
+++ b/block/vmdk.c
|
||||
@@ -569,6 +569,7 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
|
||||
VmdkExtent *extent;
|
||||
BDRVVmdkState *s = bs->opaque;
|
||||
int64_t l1_backup_offset = 0;
|
||||
+ bool compressed;
|
||||
|
||||
ret = bdrv_pread(file, sizeof(magic), &header, sizeof(header));
|
||||
if (ret < 0) {
|
||||
@@ -643,6 +644,8 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
|
||||
header = footer.header;
|
||||
}
|
||||
|
||||
+ compressed =
|
||||
+ le16_to_cpu(header.compressAlgorithm) == VMDK4_COMPRESSION_DEFLATE;
|
||||
if (le32_to_cpu(header.version) > 3) {
|
||||
char buf[64];
|
||||
snprintf(buf, sizeof(buf), "VMDK version %" PRId32,
|
||||
@@ -650,7 +653,8 @@ static int vmdk_open_vmdk4(BlockDriverState *bs,
|
||||
error_setg(errp, QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
|
||||
bdrv_get_device_or_node_name(bs), "vmdk", buf);
|
||||
return -ENOTSUP;
|
||||
- } else if (le32_to_cpu(header.version) == 3 && (flags & BDRV_O_RDWR)) {
|
||||
+ } else if (le32_to_cpu(header.version) == 3 && (flags & BDRV_O_RDWR) &&
|
||||
+ !compressed) {
|
||||
/* VMware KB 2064959 explains that version 3 added support for
|
||||
* persistent changed block tracking (CBT), and backup software can
|
||||
* read it as version=1 if it doesn't care about the changed area
|
@ -1,61 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 17 Feb 2016 00:23:40 +0530
|
||||
Subject: [PATCH] usb: check RNDIS message length
|
||||
|
||||
When processing remote NDIS control message packets, the USB Net
|
||||
device emulator uses a fixed length(4096) data buffer. The incoming
|
||||
packet length could exceed this limit. Add a check to avoid it.
|
||||
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071)
|
||||
---
|
||||
hw/usb/core.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/core.c b/hw/usb/core.c
|
||||
index d0025db..7f46370 100644
|
||||
--- a/hw/usb/core.c
|
||||
+++ b/hw/usb/core.c
|
||||
@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
|
||||
}
|
||||
|
||||
usb_packet_copy(p, s->setup_buf, p->iov.size);
|
||||
+ s->setup_index = 0;
|
||||
p->actual_length = 0;
|
||||
s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
|
||||
- s->setup_index = 0;
|
||||
+ if (s->setup_len > sizeof(s->data_buf)) {
|
||||
+ fprintf(stderr,
|
||||
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
|
||||
+ s->setup_len, sizeof(s->data_buf));
|
||||
+ p->status = USB_RET_STALL;
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
request = (s->setup_buf[0] << 8) | s->setup_buf[1];
|
||||
value = (s->setup_buf[3] << 8) | s->setup_buf[2];
|
||||
@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
|
||||
}
|
||||
s->setup_state = SETUP_STATE_DATA;
|
||||
} else {
|
||||
- if (s->setup_len > sizeof(s->data_buf)) {
|
||||
- fprintf(stderr,
|
||||
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
|
||||
- s->setup_len, sizeof(s->data_buf));
|
||||
- p->status = USB_RET_STALL;
|
||||
- return;
|
||||
- }
|
||||
if (s->setup_len == 0)
|
||||
s->setup_state = SETUP_STATE_ACK;
|
||||
else
|
||||
@@ -176,7 +176,7 @@ static void do_token_in(USBDevice *s, USBPacket *p)
|
||||
request = (s->setup_buf[0] << 8) | s->setup_buf[1];
|
||||
value = (s->setup_buf[3] << 8) | s->setup_buf[2];
|
||||
index = (s->setup_buf[5] << 8) | s->setup_buf[4];
|
||||
-
|
||||
+
|
||||
switch(s->setup_state) {
|
||||
case SETUP_STATE_ACK:
|
||||
if (!(s->setup_buf[0] & USB_DIR_IN)) {
|
@ -1,56 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 17 Feb 2016 00:23:41 +0530
|
||||
Subject: [PATCH] usb: check RNDIS buffer offsets & length
|
||||
|
||||
When processing remote NDIS control message packets,
|
||||
the USB Net device emulator uses a fixed length(4096) data buffer.
|
||||
The incoming informationBufferOffset & Length combination could
|
||||
overflow and cross that range. Check control message buffer
|
||||
offsets and length to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e)
|
||||
---
|
||||
hw/usb/dev-network.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
|
||||
index 7800cee..ba3c7a7 100644
|
||||
--- a/hw/usb/dev-network.c
|
||||
+++ b/hw/usb/dev-network.c
|
||||
@@ -914,8 +914,9 @@ static int rndis_query_response(USBNetState *s,
|
||||
|
||||
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
|
||||
buflen = le32_to_cpu(buf->InformationBufferLength);
|
||||
- if (bufoffs + buflen > length)
|
||||
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
|
||||
return USB_RET_STALL;
|
||||
+ }
|
||||
|
||||
infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
|
||||
bufoffs + (uint8_t *) buf, buflen, infobuf,
|
||||
@@ -960,8 +961,9 @@ static int rndis_set_response(USBNetState *s,
|
||||
|
||||
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
|
||||
buflen = le32_to_cpu(buf->InformationBufferLength);
|
||||
- if (bufoffs + buflen > length)
|
||||
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
|
||||
return USB_RET_STALL;
|
||||
+ }
|
||||
|
||||
ret = ndis_set(s, le32_to_cpu(buf->OID),
|
||||
bufoffs + (uint8_t *) buf, buflen);
|
||||
@@ -1211,8 +1213,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
|
||||
if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
|
||||
uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
|
||||
uint32_t size = le32_to_cpu(msg->DataLength);
|
||||
- if (offs + size <= len)
|
||||
+ if (offs < len && size < len && offs + size <= len) {
|
||||
qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
|
||||
+ }
|
||||
}
|
||||
s->out_ptr -= len;
|
||||
memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
|
@ -1,34 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 24 Feb 2016 11:41:33 +0530
|
||||
Subject: [PATCH] net: ne2000: check ring buffer control registers
|
||||
|
||||
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
||||
bytes to process network packets. Registers PSTART & PSTOP
|
||||
define ring buffer size & location. Setting these registers
|
||||
to invalid values could lead to infinite loop or OOB r/w
|
||||
access issues. Add check to avoid it.
|
||||
|
||||
Reported-by: Yang Hongke <yanghongke@huawei.com>
|
||||
Tested-by: Yang Hongke <yanghongke@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 415ab35a441eca767d033a2702223e785b9d5190)
|
||||
---
|
||||
hw/net/ne2000.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 364f226..d196be6 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
|
||||
{
|
||||
int avail, index, boundary;
|
||||
|
||||
+ if (s->stop <= s->start) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
index = s->curpag << 8;
|
||||
boundary = s->boundary << 8;
|
||||
if (index < boundary)
|
@ -1,44 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 2 Mar 2016 17:29:58 +0530
|
||||
Subject: [PATCH] net: check packet payload length
|
||||
|
||||
While computing IP checksum, 'net_checksum_calculate' reads
|
||||
payload length from the packet. It could exceed the given 'data'
|
||||
buffer size. Add a check to avoid it.
|
||||
|
||||
Reported-by: Liu Ling <liuling-it@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b)
|
||||
---
|
||||
net/checksum.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/checksum.c b/net/checksum.c
|
||||
index 14c0855..0942437 100644
|
||||
--- a/net/checksum.c
|
||||
+++ b/net/checksum.c
|
||||
@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
|
||||
int hlen, plen, proto, csum_offset;
|
||||
uint16_t csum;
|
||||
|
||||
+ /* Ensure data has complete L2 & L3 headers. */
|
||||
+ if (length < 14 + 20) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if ((data[14] & 0xf0) != 0x40)
|
||||
return; /* not IPv4 */
|
||||
hlen = (data[14] & 0x0f) * 4;
|
||||
@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (plen < csum_offset+2)
|
||||
- return;
|
||||
+ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
data[14+hlen+csum_offset] = 0;
|
||||
data[14+hlen+csum_offset+1] = 0;
|
@ -1,32 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 11 Feb 2016 16:31:20 +0530
|
||||
Subject: [PATCH] usb: check USB configuration descriptor object
|
||||
|
||||
When processing remote NDIS control message packets, the USB Net
|
||||
device emulator checks to see if the USB configuration descriptor
|
||||
object is of RNDIS type(2). But it does not check if it is null,
|
||||
which leads to a null dereference error. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 80eecda8e5d09c442c24307f340840a5b70ea3b9)
|
||||
---
|
||||
hw/usb/dev-network.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
|
||||
index ba3c7a7..180adce 100644
|
||||
--- a/hw/usb/dev-network.c
|
||||
+++ b/hw/usb/dev-network.c
|
||||
@@ -653,7 +653,8 @@ typedef struct USBNetState {
|
||||
|
||||
static int is_rndis(USBNetState *s)
|
||||
{
|
||||
- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
|
||||
+ return s->dev.config ?
|
||||
+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
|
||||
}
|
||||
|
||||
static int ndis_query(USBNetState *s, uint32_t oid,
|
@ -1,104 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 26 Apr 2016 08:49:10 +0200
|
||||
Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
|
||||
|
||||
vga allows banked access to video memory using the window at 0xa00000
|
||||
and it supports a different access modes with different address
|
||||
calculations.
|
||||
|
||||
The VBE bochs extentions support banked access too, using the
|
||||
VBE_DISPI_INDEX_BANK register. The code tries to take the different
|
||||
address calculations into account and applies different limits to
|
||||
VBE_DISPI_INDEX_BANK depending on the current access mode.
|
||||
|
||||
Which is probably effective in stopping misprogramming by accident.
|
||||
But from a security point of view completely useless as an attacker
|
||||
can easily change access modes after setting the bank register.
|
||||
|
||||
Drop the bogus check, add range checks to vga_mem_{readb,writeb}
|
||||
instead.
|
||||
|
||||
Fixes: CVE-2016-3710
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e)
|
||||
---
|
||||
hw/display/vga.c | 24 ++++++++++++++++++------
|
||||
1 file changed, 18 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index b35d523..49b246c 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
|
||||
size = 0x8000;
|
||||
break;
|
||||
}
|
||||
+ assert(offset + size <= s->vram_size);
|
||||
memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
|
||||
"vga.chain4", &s->vram, offset, size);
|
||||
memory_region_add_subregion_overlap(s->legacy_address_space, base,
|
||||
@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
|
||||
vbe_fixup_regs(s);
|
||||
break;
|
||||
case VBE_DISPI_INDEX_BANK:
|
||||
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
- val &= (s->vbe_bank_mask >> 2);
|
||||
- } else {
|
||||
- val &= s->vbe_bank_mask;
|
||||
- }
|
||||
+ val &= s->vbe_bank_mask;
|
||||
s->vbe_regs[s->vbe_index] = val;
|
||||
s->bank_offset = (val << 16);
|
||||
vga_update_memory_access(s);
|
||||
@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
|
||||
|
||||
if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
+ assert(addr < s->vram_size);
|
||||
ret = s->vram_ptr[addr];
|
||||
} else if (s->gr[VGA_GFX_MODE] & 0x10) {
|
||||
/* odd/even mode (aka text mode mapping) */
|
||||
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
|
||||
- ret = s->vram_ptr[((addr & ~1) << 1) | plane];
|
||||
+ addr = ((addr & ~1) << 1) | plane;
|
||||
+ if (addr >= s->vram_size) {
|
||||
+ return 0xff;
|
||||
+ }
|
||||
+ ret = s->vram_ptr[addr];
|
||||
} else {
|
||||
/* standard VGA latched access */
|
||||
+ if (addr * sizeof(uint32_t) >= s->vram_size) {
|
||||
+ return 0xff;
|
||||
+ }
|
||||
s->latch = ((uint32_t *)s->vram_ptr)[addr];
|
||||
|
||||
if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
|
||||
@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
plane = addr & 3;
|
||||
mask = (1 << plane);
|
||||
if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ assert(addr < s->vram_size);
|
||||
s->vram_ptr[addr] = val;
|
||||
#ifdef DEBUG_VGA_MEM
|
||||
printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
|
||||
@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
mask = (1 << plane);
|
||||
if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
addr = ((addr & ~1) << 1) | plane;
|
||||
+ if (addr >= s->vram_size) {
|
||||
+ return;
|
||||
+ }
|
||||
s->vram_ptr[addr] = val;
|
||||
#ifdef DEBUG_VGA_MEM
|
||||
printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
|
||||
@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
mask = s->sr[VGA_SEQ_PLANE_WRITE];
|
||||
s->plane_updated |= mask; /* only used to detect font change */
|
||||
write_mask = mask16[mask];
|
||||
+ if (addr * sizeof(uint32_t) >= s->vram_size) {
|
||||
+ return;
|
||||
+ }
|
||||
((uint32_t *)s->vram_ptr)[addr] =
|
||||
(((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
|
||||
(val & write_mask);
|
@ -1,64 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 26 Apr 2016 14:11:34 +0200
|
||||
Subject: [PATCH] vga: add vbe_enabled() helper
|
||||
|
||||
Makes code a bit easier to read.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit bfa0f151a564a83b5a26f3e917da98674bf3cf62)
|
||||
---
|
||||
hw/display/vga.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index 49b246c..461a614 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -140,6 +140,11 @@ static uint32_t expand4[256];
|
||||
static uint16_t expand2[256];
|
||||
static uint8_t expand4to8[16];
|
||||
|
||||
+static inline bool vbe_enabled(VGACommonState *s)
|
||||
+{
|
||||
+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
|
||||
+}
|
||||
+
|
||||
static void vga_update_memory_access(VGACommonState *s)
|
||||
{
|
||||
hwaddr base, offset, size;
|
||||
@@ -562,7 +567,7 @@ static void vbe_fixup_regs(VGACommonState *s)
|
||||
uint16_t *r = s->vbe_regs;
|
||||
uint32_t bits, linelength, maxy, offset;
|
||||
|
||||
- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
|
||||
+ if (!vbe_enabled(s)) {
|
||||
/* vbe is turned off -- nothing to do */
|
||||
return;
|
||||
}
|
||||
@@ -1056,7 +1061,7 @@ static void vga_get_offsets(VGACommonState *s,
|
||||
{
|
||||
uint32_t start_addr, line_offset, line_compare;
|
||||
|
||||
- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
|
||||
+ if (vbe_enabled(s)) {
|
||||
line_offset = s->vbe_line_offset;
|
||||
start_addr = s->vbe_start_addr;
|
||||
line_compare = 65535;
|
||||
@@ -1381,7 +1386,7 @@ static int vga_get_bpp(VGACommonState *s)
|
||||
{
|
||||
int ret;
|
||||
|
||||
- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
|
||||
+ if (vbe_enabled(s)) {
|
||||
ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
|
||||
} else {
|
||||
ret = 0;
|
||||
@@ -1393,7 +1398,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
|
||||
{
|
||||
int width, height;
|
||||
|
||||
- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
|
||||
+ if (vbe_enabled(s)) {
|
||||
width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
|
||||
height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
|
||||
} else {
|
@ -1,123 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 26 Apr 2016 15:24:18 +0200
|
||||
Subject: [PATCH] vga: factor out vga register setup
|
||||
|
||||
When enabling vbe mode qemu will setup a bunch of vga registers to make
|
||||
sure the vga emulation operates in correct mode for a linear
|
||||
framebuffer. Move that code to a separate function so we can call it
|
||||
from other places too.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71)
|
||||
---
|
||||
hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
|
||||
1 file changed, 44 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index 461a614..ad524d4 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
|
||||
s->vbe_start_addr = offset / 4;
|
||||
}
|
||||
|
||||
+/* we initialize the VGA graphic mode */
|
||||
+static void vbe_update_vgaregs(VGACommonState *s)
|
||||
+{
|
||||
+ int h, shift_control;
|
||||
+
|
||||
+ if (!vbe_enabled(s)) {
|
||||
+ /* vbe is turned off -- nothing to do */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /* graphic mode + memory map 1 */
|
||||
+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
|
||||
+ VGA_GR06_GRAPHICS_MODE;
|
||||
+ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
|
||||
+ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
|
||||
+ /* width */
|
||||
+ s->cr[VGA_CRTC_H_DISP] =
|
||||
+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
|
||||
+ /* height (only meaningful if < 1024) */
|
||||
+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
|
||||
+ s->cr[VGA_CRTC_V_DISP_END] = h;
|
||||
+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
|
||||
+ ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
|
||||
+ /* line compare to 1023 */
|
||||
+ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
|
||||
+ s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
|
||||
+ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
|
||||
+
|
||||
+ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
+ shift_control = 0;
|
||||
+ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
+ } else {
|
||||
+ shift_control = 2;
|
||||
+ /* set chain 4 mode */
|
||||
+ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
+ /* activate all planes */
|
||||
+ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
+ }
|
||||
+ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
|
||||
+ (shift_control << 5);
|
||||
+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
|
||||
+}
|
||||
+
|
||||
static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
|
||||
{
|
||||
VGACommonState *s = opaque;
|
||||
@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
|
||||
case VBE_DISPI_INDEX_ENABLE:
|
||||
if ((val & VBE_DISPI_ENABLED) &&
|
||||
!(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
|
||||
- int h, shift_control;
|
||||
|
||||
s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
|
||||
s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
|
||||
s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
|
||||
s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
|
||||
vbe_fixup_regs(s);
|
||||
+ vbe_update_vgaregs(s);
|
||||
|
||||
/* clear the screen */
|
||||
if (!(val & VBE_DISPI_NOCLEARMEM)) {
|
||||
memset(s->vram_ptr, 0,
|
||||
s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
|
||||
}
|
||||
-
|
||||
- /* we initialize the VGA graphic mode */
|
||||
- /* graphic mode + memory map 1 */
|
||||
- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
|
||||
- VGA_GR06_GRAPHICS_MODE;
|
||||
- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
|
||||
- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
|
||||
- /* width */
|
||||
- s->cr[VGA_CRTC_H_DISP] =
|
||||
- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
|
||||
- /* height (only meaningful if < 1024) */
|
||||
- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
|
||||
- s->cr[VGA_CRTC_V_DISP_END] = h;
|
||||
- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
|
||||
- ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
|
||||
- /* line compare to 1023 */
|
||||
- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
|
||||
- s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
|
||||
- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
|
||||
-
|
||||
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
- shift_control = 0;
|
||||
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
- } else {
|
||||
- shift_control = 2;
|
||||
- /* set chain 4 mode */
|
||||
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
- /* activate all planes */
|
||||
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
- }
|
||||
- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
|
||||
- (shift_control << 5);
|
||||
- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
|
||||
} else {
|
||||
s->bank_offset = 0;
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 26 Apr 2016 15:39:22 +0200
|
||||
Subject: [PATCH] vga: update vga register setup on vbe changes
|
||||
|
||||
Call the new vbe_update_vgaregs() function on vbe configuration
|
||||
changes, to make sure vga registers are up-to-date.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 2068192dcccd8a80dddfcc8df6164cf9c26e0fc4)
|
||||
---
|
||||
hw/display/vga.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index ad524d4..3875538 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -761,6 +761,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
|
||||
case VBE_DISPI_INDEX_Y_OFFSET:
|
||||
s->vbe_regs[s->vbe_index] = val;
|
||||
vbe_fixup_regs(s);
|
||||
+ vbe_update_vgaregs(s);
|
||||
break;
|
||||
case VBE_DISPI_INDEX_BANK:
|
||||
val &= s->vbe_bank_mask;
|
@ -1,71 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 26 Apr 2016 14:48:06 +0200
|
||||
Subject: [PATCH] vga: make sure vga register setup for vbe stays intact
|
||||
(CVE-2016-3712).
|
||||
|
||||
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
|
||||
registers, to make sure the vga registers will always have the
|
||||
values needed by vbe mode. This makes sure the sanity checks
|
||||
applied by vbe_fixup_regs() are effective.
|
||||
|
||||
Without this guests can muck with shift_control, can turn on planar
|
||||
vga modes or text mode emulation while VBE is active, making qemu
|
||||
take code paths meant for CGA compatibility, but with the very
|
||||
large display widths and heigts settable using VBE registers.
|
||||
|
||||
Which is good for one or another buffer overflow. Not that
|
||||
critical as they typically read overflows happening somewhere
|
||||
in the display code. So guests can DoS by crashing qemu with a
|
||||
segfault, but it is probably not possible to break out of the VM.
|
||||
|
||||
Fixes: CVE-2016-3712
|
||||
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
|
||||
Reported-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7)
|
||||
---
|
||||
hw/display/vga.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index 3875538..e721b2d 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -140,6 +140,8 @@ static uint32_t expand4[256];
|
||||
static uint16_t expand2[256];
|
||||
static uint8_t expand4to8[16];
|
||||
|
||||
+static void vbe_update_vgaregs(VGACommonState *s);
|
||||
+
|
||||
static inline bool vbe_enabled(VGACommonState *s)
|
||||
{
|
||||
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
|
||||
@@ -482,6 +484,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
|
||||
#endif
|
||||
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
|
||||
+ vbe_update_vgaregs(s);
|
||||
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
|
||||
s->update_retrace_info(s);
|
||||
}
|
||||
@@ -513,6 +516,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
|
||||
#endif
|
||||
s->gr[s->gr_index] = val & gr_mask[s->gr_index];
|
||||
+ vbe_update_vgaregs(s);
|
||||
vga_update_memory_access(s);
|
||||
break;
|
||||
case VGA_CRT_IM:
|
||||
@@ -531,10 +535,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
if (s->cr_index == VGA_CRTC_OVERFLOW) {
|
||||
s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
|
||||
(val & 0x10);
|
||||
+ vbe_update_vgaregs(s);
|
||||
}
|
||||
return;
|
||||
}
|
||||
s->cr[s->cr_index] = val;
|
||||
+ vbe_update_vgaregs(s);
|
||||
|
||||
switch(s->cr_index) {
|
||||
case VGA_CRTC_H_TOTAL:
|
@ -1,37 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 21 Oct 2015 09:44:22 +0200
|
||||
Subject: [PATCH] ehci: clear suspend bit on detach
|
||||
|
||||
When a device is detached, clear the suspend bit (PORTSC_SUSPEND)
|
||||
in the port status register.
|
||||
|
||||
The specs are not *that* clear what is supposed to happen in case
|
||||
a suspended device is unplugged. But the enable bit (PORTSC_PED)
|
||||
is cleared, and the specs mention setting suspend with enable being
|
||||
unset is undefined behavior. So clearing them both looks reasonable,
|
||||
and it actually fixes the reported bug.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1268879
|
||||
|
||||
Cc: Hans de Goede <hdegoede@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Message-id: 1445413462-18004-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit cbf82fa01e6fd4ecb234b235b10ffce548154a95)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index d829901..c40013e 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -726,7 +726,7 @@ static void ehci_detach(USBPort *port)
|
||||
ehci_queues_rip_device(s, port->dev, 0);
|
||||
ehci_queues_rip_device(s, port->dev, 1);
|
||||
|
||||
- *portsc &= ~(PORTSC_CONNECT|PORTSC_PED);
|
||||
+ *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND);
|
||||
*portsc |= PORTSC_CSC;
|
||||
|
||||
ehci_raise_irq(s, USBSTS_PCD);
|
@ -1,59 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 18 Apr 2016 09:11:38 +0200
|
||||
Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
|
||||
DoS by the guest (create a circular iTD queue and let qemu ehci
|
||||
emulation run in circles forever). Unfortunately this has two problems:
|
||||
First it misses the case of siTDs, and second it reportedly breaks
|
||||
FreeBSD.
|
||||
|
||||
So lets go for a different approach: just count the number of iTDs and
|
||||
siTDs we have seen per frame and apply a limit. That should really
|
||||
catch all cases now.
|
||||
|
||||
Reported-by: 杜少博 <dushaobo@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 1ae3f2f178087711f9591350abad133525ba93f2)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index c40013e..b75488b 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -2003,6 +2003,7 @@ static int ehci_state_writeback(EHCIQueue *q)
|
||||
static void ehci_advance_state(EHCIState *ehci, int async)
|
||||
{
|
||||
EHCIQueue *q = NULL;
|
||||
+ int itd_count = 0;
|
||||
int again;
|
||||
|
||||
do {
|
||||
@@ -2027,10 +2028,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
|
||||
|
||||
case EST_FETCHITD:
|
||||
again = ehci_state_fetchitd(ehci, async);
|
||||
+ itd_count++;
|
||||
break;
|
||||
|
||||
case EST_FETCHSITD:
|
||||
again = ehci_state_fetchsitd(ehci, async);
|
||||
+ itd_count++;
|
||||
break;
|
||||
|
||||
case EST_ADVANCEQUEUE:
|
||||
@@ -2079,7 +2082,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (again < 0) {
|
||||
+ if (again < 0 || itd_count > 16) {
|
||||
+ /* TODO: notify guest (raise HSE irq?) */
|
||||
fprintf(stderr, "processing error - resetting ehci HC\n");
|
||||
ehci_reset(ehci);
|
||||
again = 0;
|
@ -1,39 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 18 Apr 2016 09:20:54 +0200
|
||||
Subject: [PATCH] Revert "ehci: make idt processing more robust"
|
||||
|
||||
This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
|
||||
|
||||
Breaks FreeBSD.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit a49923d2837d20510d645d3758f1ad87c32d0730)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b75488b..7ea6f5e 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
{
|
||||
USBDevice *dev;
|
||||
USBEndpoint *ep;
|
||||
- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
||||
+ uint32_t i, len, pid, dir, devaddr, endp;
|
||||
uint32_t pg, off, ptr1, ptr2, max, mult;
|
||||
|
||||
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
||||
@@ -1481,10 +1481,9 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
ehci_raise_irq(ehci, USBSTS_INT);
|
||||
}
|
||||
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
||||
- xfers++;
|
||||
}
|
||||
}
|
||||
- return xfers ? 0 : -1;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
|
@ -1,44 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 8 Apr 2016 11:33:48 +0530
|
||||
Subject: [PATCH] net: stellaris_enet: check packet length against receive
|
||||
buffer
|
||||
|
||||
When receiving packets over Stellaris ethernet controller, it
|
||||
uses receive buffer of size 2048 bytes. In case the controller
|
||||
accepts large(MTU) packets, it could lead to memory corruption.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 3a15cc0e1ee7168db0782133d2607a6bfa422d66)
|
||||
---
|
||||
hw/net/stellaris_enet.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
|
||||
index 21a4773..fc48ba8 100644
|
||||
--- a/hw/net/stellaris_enet.c
|
||||
+++ b/hw/net/stellaris_enet.c
|
||||
@@ -235,8 +235,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
|
||||
n = s->next_packet + s->np;
|
||||
if (n >= 31)
|
||||
n -= 31;
|
||||
- s->np++;
|
||||
|
||||
+ if (size >= sizeof(s->rx[n].data) - 6) {
|
||||
+ /* If the packet won't fit into the
|
||||
+ * emulated 2K RAM, this is reported
|
||||
+ * as a FIFO overrun error.
|
||||
+ */
|
||||
+ s->ris |= SE_INT_FOV;
|
||||
+ stellaris_enet_update(s);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ s->np++;
|
||||
s->rx[n].len = size + 6;
|
||||
p = s->rx[n].data;
|
||||
*(p++) = (size + 6);
|
@ -1,95 +0,0 @@
|
||||
From: Ladi Prosek <lprosek@redhat.com>
|
||||
Date: Thu, 3 Mar 2016 09:37:15 +0100
|
||||
Subject: [PATCH] rng: remove the unused request cancellation code
|
||||
|
||||
rng_backend_cancel_requests had no callers and none of the code
|
||||
deleted in this commit ever ran.
|
||||
|
||||
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
|
||||
Reviewed-by: Amit Shah <amit.shah@redhat.com>
|
||||
Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
|
||||
Signed-off-by: Amit Shah <amit.shah@redhat.com>
|
||||
(cherry picked from commit 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750)
|
||||
---
|
||||
backends/rng-egd.c | 12 ------------
|
||||
backends/rng.c | 9 ---------
|
||||
include/sysemu/rng.h | 11 -----------
|
||||
3 files changed, 32 deletions(-)
|
||||
|
||||
diff --git a/backends/rng-egd.c b/backends/rng-egd.c
|
||||
index 6c13409..3c6362e 100644
|
||||
--- a/backends/rng-egd.c
|
||||
+++ b/backends/rng-egd.c
|
||||
@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
|
||||
s->requests = NULL;
|
||||
}
|
||||
|
||||
-static void rng_egd_cancel_requests(RngBackend *b)
|
||||
-{
|
||||
- RngEgd *s = RNG_EGD(b);
|
||||
-
|
||||
- /* We simply delete the list of pending requests. If there is data in the
|
||||
- * queue waiting to be read, this is okay, because there will always be
|
||||
- * more data than we requested originally
|
||||
- */
|
||||
- rng_egd_free_requests(s);
|
||||
-}
|
||||
-
|
||||
static void rng_egd_opened(RngBackend *b, Error **errp)
|
||||
{
|
||||
RngEgd *s = RNG_EGD(b);
|
||||
@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
|
||||
RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
|
||||
|
||||
rbc->request_entropy = rng_egd_request_entropy;
|
||||
- rbc->cancel_requests = rng_egd_cancel_requests;
|
||||
rbc->opened = rng_egd_opened;
|
||||
}
|
||||
|
||||
diff --git a/backends/rng.c b/backends/rng.c
|
||||
index 5065fdc..5d1876c 100644
|
||||
--- a/backends/rng.c
|
||||
+++ b/backends/rng.c
|
||||
@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
|
||||
}
|
||||
}
|
||||
|
||||
-void rng_backend_cancel_requests(RngBackend *s)
|
||||
-{
|
||||
- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
|
||||
-
|
||||
- if (k->cancel_requests) {
|
||||
- k->cancel_requests(s);
|
||||
- }
|
||||
-}
|
||||
-
|
||||
static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
|
||||
{
|
||||
RngBackend *s = RNG_BACKEND(obj);
|
||||
diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
|
||||
index 0a27c9b..c7da17d 100644
|
||||
--- a/include/sysemu/rng.h
|
||||
+++ b/include/sysemu/rng.h
|
||||
@@ -38,7 +38,6 @@ struct RngBackendClass
|
||||
|
||||
void (*request_entropy)(RngBackend *s, size_t size,
|
||||
EntropyReceiveFunc *receive_entropy, void *opaque);
|
||||
- void (*cancel_requests)(RngBackend *s);
|
||||
|
||||
void (*opened)(RngBackend *s, Error **errp);
|
||||
};
|
||||
@@ -69,14 +68,4 @@ struct RngBackend
|
||||
void rng_backend_request_entropy(RngBackend *s, size_t size,
|
||||
EntropyReceiveFunc *receive_entropy,
|
||||
void *opaque);
|
||||
-
|
||||
-/**
|
||||
- * rng_backend_cancel_requests:
|
||||
- * @s: the backend to cancel all pending requests in
|
||||
- *
|
||||
- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
|
||||
- * should be used by a device during reset or in preparation for live migration
|
||||
- * to stop tracking any request.
|
||||
- */
|
||||
-void rng_backend_cancel_requests(RngBackend *s);
|
||||
#endif
|
@ -1,132 +0,0 @@
|
||||
From: Ladi Prosek <lprosek@redhat.com>
|
||||
Date: Thu, 3 Mar 2016 09:37:16 +0100
|
||||
Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
|
||||
|
||||
The 'requests' field now lives in the RngBackend parent class.
|
||||
There are no functional changes in this commit.
|
||||
|
||||
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
|
||||
Reviewed-by: Amit Shah <amit.shah@redhat.com>
|
||||
Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
|
||||
Signed-off-by: Amit Shah <amit.shah@redhat.com>
|
||||
(cherry picked from commit 74074e8a7c60592cf1cc6469dbc2550d24aeded3)
|
||||
---
|
||||
backends/rng-egd.c | 28 +++++++++-------------------
|
||||
include/sysemu/rng.h | 11 +++++++++++
|
||||
2 files changed, 20 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/backends/rng-egd.c b/backends/rng-egd.c
|
||||
index 3c6362e..19eee70 100644
|
||||
--- a/backends/rng-egd.c
|
||||
+++ b/backends/rng-egd.c
|
||||
@@ -24,19 +24,8 @@ typedef struct RngEgd
|
||||
|
||||
CharDriverState *chr;
|
||||
char *chr_name;
|
||||
-
|
||||
- GSList *requests;
|
||||
} RngEgd;
|
||||
|
||||
-typedef struct RngRequest
|
||||
-{
|
||||
- EntropyReceiveFunc *receive_entropy;
|
||||
- uint8_t *data;
|
||||
- void *opaque;
|
||||
- size_t offset;
|
||||
- size_t size;
|
||||
-} RngRequest;
|
||||
-
|
||||
static void rng_egd_request_entropy(RngBackend *b, size_t size,
|
||||
EntropyReceiveFunc *receive_entropy,
|
||||
void *opaque)
|
||||
@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
|
||||
size -= len;
|
||||
}
|
||||
|
||||
- s->requests = g_slist_append(s->requests, req);
|
||||
+ s->parent.requests = g_slist_append(s->parent.requests, req);
|
||||
}
|
||||
|
||||
static void rng_egd_free_request(RngRequest *req)
|
||||
@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
|
||||
GSList *i;
|
||||
int size = 0;
|
||||
|
||||
- for (i = s->requests; i; i = i->next) {
|
||||
+ for (i = s->parent.requests; i; i = i->next) {
|
||||
RngRequest *req = i->data;
|
||||
size += req->size - req->offset;
|
||||
}
|
||||
@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
|
||||
RngEgd *s = RNG_EGD(opaque);
|
||||
size_t buf_offset = 0;
|
||||
|
||||
- while (size > 0 && s->requests) {
|
||||
- RngRequest *req = s->requests->data;
|
||||
+ while (size > 0 && s->parent.requests) {
|
||||
+ RngRequest *req = s->parent.requests->data;
|
||||
int len = MIN(size, req->size - req->offset);
|
||||
|
||||
memcpy(req->data + req->offset, buf + buf_offset, len);
|
||||
@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
|
||||
size -= len;
|
||||
|
||||
if (req->offset == req->size) {
|
||||
- s->requests = g_slist_remove_link(s->requests, s->requests);
|
||||
+ s->parent.requests = g_slist_remove_link(s->parent.requests,
|
||||
+ s->parent.requests);
|
||||
|
||||
req->receive_entropy(req->opaque, req->data, req->size);
|
||||
|
||||
@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
|
||||
{
|
||||
GSList *i;
|
||||
|
||||
- for (i = s->requests; i; i = i->next) {
|
||||
+ for (i = s->parent.requests; i; i = i->next) {
|
||||
rng_egd_free_request(i->data);
|
||||
}
|
||||
|
||||
- g_slist_free(s->requests);
|
||||
- s->requests = NULL;
|
||||
+ g_slist_free(s->parent.requests);
|
||||
+ s->parent.requests = NULL;
|
||||
}
|
||||
|
||||
static void rng_egd_opened(RngBackend *b, Error **errp)
|
||||
diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
|
||||
index c7da17d..084164c 100644
|
||||
--- a/include/sysemu/rng.h
|
||||
+++ b/include/sysemu/rng.h
|
||||
@@ -25,6 +25,7 @@
|
||||
#define RNG_BACKEND_CLASS(klass) \
|
||||
OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
|
||||
|
||||
+typedef struct RngRequest RngRequest;
|
||||
typedef struct RngBackendClass RngBackendClass;
|
||||
typedef struct RngBackend RngBackend;
|
||||
|
||||
@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
|
||||
const void *data,
|
||||
size_t size);
|
||||
|
||||
+struct RngRequest
|
||||
+{
|
||||
+ EntropyReceiveFunc *receive_entropy;
|
||||
+ uint8_t *data;
|
||||
+ void *opaque;
|
||||
+ size_t offset;
|
||||
+ size_t size;
|
||||
+};
|
||||
+
|
||||
struct RngBackendClass
|
||||
{
|
||||
ObjectClass parent_class;
|
||||
@@ -48,6 +58,7 @@ struct RngBackend
|
||||
|
||||
/*< protected >*/
|
||||
bool opened;
|
||||
+ GSList *requests;
|
||||
};
|
||||
|
||||
/**
|
@ -1,160 +0,0 @@
|
||||
From: Ladi Prosek <lprosek@redhat.com>
|
||||
Date: Thu, 3 Mar 2016 09:37:17 +0100
|
||||
Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
|
||||
|
||||
RngBackend is now in charge of cleaning up the linked list on
|
||||
instance finalization. It also exposes a function to finalize
|
||||
individual RngRequest instances, called by its child classes.
|
||||
|
||||
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
|
||||
Reviewed-by: Amit Shah <amit.shah@redhat.com>
|
||||
Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
|
||||
Signed-off-by: Amit Shah <amit.shah@redhat.com>
|
||||
(cherry picked from commit 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9)
|
||||
---
|
||||
backends/rng-egd.c | 25 +------------------------
|
||||
backends/rng.c | 32 ++++++++++++++++++++++++++++++++
|
||||
include/sysemu/rng.h | 12 ++++++++++++
|
||||
3 files changed, 45 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/backends/rng-egd.c b/backends/rng-egd.c
|
||||
index 19eee70..08301a7 100644
|
||||
--- a/backends/rng-egd.c
|
||||
+++ b/backends/rng-egd.c
|
||||
@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
|
||||
s->parent.requests = g_slist_append(s->parent.requests, req);
|
||||
}
|
||||
|
||||
-static void rng_egd_free_request(RngRequest *req)
|
||||
-{
|
||||
- g_free(req->data);
|
||||
- g_free(req);
|
||||
-}
|
||||
-
|
||||
static int rng_egd_chr_can_read(void *opaque)
|
||||
{
|
||||
RngEgd *s = RNG_EGD(opaque);
|
||||
@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
|
||||
size -= len;
|
||||
|
||||
if (req->offset == req->size) {
|
||||
- s->parent.requests = g_slist_remove_link(s->parent.requests,
|
||||
- s->parent.requests);
|
||||
-
|
||||
req->receive_entropy(req->opaque, req->data, req->size);
|
||||
|
||||
- rng_egd_free_request(req);
|
||||
+ rng_backend_finalize_request(&s->parent, req);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
-static void rng_egd_free_requests(RngEgd *s)
|
||||
-{
|
||||
- GSList *i;
|
||||
-
|
||||
- for (i = s->parent.requests; i; i = i->next) {
|
||||
- rng_egd_free_request(i->data);
|
||||
- }
|
||||
-
|
||||
- g_slist_free(s->parent.requests);
|
||||
- s->parent.requests = NULL;
|
||||
-}
|
||||
-
|
||||
static void rng_egd_opened(RngBackend *b, Error **errp)
|
||||
{
|
||||
RngEgd *s = RNG_EGD(b);
|
||||
@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj)
|
||||
}
|
||||
|
||||
g_free(s->chr_name);
|
||||
-
|
||||
- rng_egd_free_requests(s);
|
||||
}
|
||||
|
||||
static void rng_egd_class_init(ObjectClass *klass, void *data)
|
||||
diff --git a/backends/rng.c b/backends/rng.c
|
||||
index 5d1876c..0d9978b 100644
|
||||
--- a/backends/rng.c
|
||||
+++ b/backends/rng.c
|
||||
@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
|
||||
s->opened = true;
|
||||
}
|
||||
|
||||
+static void rng_backend_free_request(RngRequest *req)
|
||||
+{
|
||||
+ g_free(req->data);
|
||||
+ g_free(req);
|
||||
+}
|
||||
+
|
||||
+static void rng_backend_free_requests(RngBackend *s)
|
||||
+{
|
||||
+ GSList *i;
|
||||
+
|
||||
+ for (i = s->requests; i; i = i->next) {
|
||||
+ rng_backend_free_request(i->data);
|
||||
+ }
|
||||
+
|
||||
+ g_slist_free(s->requests);
|
||||
+ s->requests = NULL;
|
||||
+}
|
||||
+
|
||||
+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
|
||||
+{
|
||||
+ s->requests = g_slist_remove(s->requests, req);
|
||||
+ rng_backend_free_request(req);
|
||||
+}
|
||||
+
|
||||
static void rng_backend_init(Object *obj)
|
||||
{
|
||||
object_property_add_bool(obj, "opened",
|
||||
@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
|
||||
NULL);
|
||||
}
|
||||
|
||||
+static void rng_backend_finalize(Object *obj)
|
||||
+{
|
||||
+ RngBackend *s = RNG_BACKEND(obj);
|
||||
+
|
||||
+ rng_backend_free_requests(s);
|
||||
+}
|
||||
+
|
||||
static void rng_backend_class_init(ObjectClass *oc, void *data)
|
||||
{
|
||||
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
|
||||
@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
|
||||
.parent = TYPE_OBJECT,
|
||||
.instance_size = sizeof(RngBackend),
|
||||
.instance_init = rng_backend_init,
|
||||
+ .instance_finalize = rng_backend_finalize,
|
||||
.class_size = sizeof(RngBackendClass),
|
||||
.class_init = rng_backend_class_init,
|
||||
.abstract = true,
|
||||
diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
|
||||
index 084164c..c2c9035 100644
|
||||
--- a/include/sysemu/rng.h
|
||||
+++ b/include/sysemu/rng.h
|
||||
@@ -61,6 +61,7 @@ struct RngBackend
|
||||
GSList *requests;
|
||||
};
|
||||
|
||||
+
|
||||
/**
|
||||
* rng_backend_request_entropy:
|
||||
* @s: the backend to request entropy from
|
||||
@@ -79,4 +80,15 @@ struct RngBackend
|
||||
void rng_backend_request_entropy(RngBackend *s, size_t size,
|
||||
EntropyReceiveFunc *receive_entropy,
|
||||
void *opaque);
|
||||
+
|
||||
+/**
|
||||
+ * rng_backend_free_request:
|
||||
+ * @s: the backend that created the request
|
||||
+ * @req: the request to finalize
|
||||
+ *
|
||||
+ * Used by child rng backend classes to finalize requests once they've been
|
||||
+ * processed. The request is removed from the list of active requests and
|
||||
+ * deleted.
|
||||
+ */
|
||||
+void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
|
||||
#endif
|
@ -1,176 +0,0 @@
|
||||
From: Ladi Prosek <lprosek@redhat.com>
|
||||
Date: Thu, 3 Mar 2016 09:37:18 +0100
|
||||
Subject: [PATCH] rng: add request queue support to rng-random
|
||||
|
||||
Requests are now created in the RngBackend parent class and the
|
||||
code path is shared by both rng-egd and rng-random.
|
||||
|
||||
This commit fixes the rng-random implementation which processed
|
||||
only one request at a time and simply discarded all but the most
|
||||
recent one. In the guest this manifested as delayed completion
|
||||
of reads from virtio-rng, i.e. a read was completed only after
|
||||
another read was issued.
|
||||
|
||||
By switching rng-random to use the same request queue as rng-egd,
|
||||
the unsafe stack-based allocation of the entropy buffer is
|
||||
eliminated and replaced with g_malloc.
|
||||
|
||||
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
|
||||
Reviewed-by: Amit Shah <amit.shah@redhat.com>
|
||||
Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
|
||||
Signed-off-by: Amit Shah <amit.shah@redhat.com>
|
||||
(cherry picked from commit 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956)
|
||||
---
|
||||
backends/rng-egd.c | 16 ++--------------
|
||||
backends/rng-random.c | 43 +++++++++++++++++++------------------------
|
||||
backends/rng.c | 13 ++++++++++++-
|
||||
include/sysemu/rng.h | 3 +--
|
||||
4 files changed, 34 insertions(+), 41 deletions(-)
|
||||
|
||||
diff --git a/backends/rng-egd.c b/backends/rng-egd.c
|
||||
index 08301a7..de6c8d4 100644
|
||||
--- a/backends/rng-egd.c
|
||||
+++ b/backends/rng-egd.c
|
||||
@@ -26,20 +26,10 @@ typedef struct RngEgd
|
||||
char *chr_name;
|
||||
} RngEgd;
|
||||
|
||||
-static void rng_egd_request_entropy(RngBackend *b, size_t size,
|
||||
- EntropyReceiveFunc *receive_entropy,
|
||||
- void *opaque)
|
||||
+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
|
||||
{
|
||||
RngEgd *s = RNG_EGD(b);
|
||||
- RngRequest *req;
|
||||
-
|
||||
- req = g_malloc(sizeof(*req));
|
||||
-
|
||||
- req->offset = 0;
|
||||
- req->size = size;
|
||||
- req->receive_entropy = receive_entropy;
|
||||
- req->opaque = opaque;
|
||||
- req->data = g_malloc(req->size);
|
||||
+ size_t size = req->size;
|
||||
|
||||
while (size > 0) {
|
||||
uint8_t header[2];
|
||||
@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
|
||||
|
||||
size -= len;
|
||||
}
|
||||
-
|
||||
- s->parent.requests = g_slist_append(s->parent.requests, req);
|
||||
}
|
||||
|
||||
static int rng_egd_chr_can_read(void *opaque)
|
||||
diff --git a/backends/rng-random.c b/backends/rng-random.c
|
||||
index 4e51f46..c2d8c03 100644
|
||||
--- a/backends/rng-random.c
|
||||
+++ b/backends/rng-random.c
|
||||
@@ -21,10 +21,6 @@ struct RndRandom
|
||||
|
||||
int fd;
|
||||
char *filename;
|
||||
-
|
||||
- EntropyReceiveFunc *receive_func;
|
||||
- void *opaque;
|
||||
- size_t size;
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -37,36 +33,35 @@ struct RndRandom
|
||||
static void entropy_available(void *opaque)
|
||||
{
|
||||
RndRandom *s = RNG_RANDOM(opaque);
|
||||
- uint8_t buffer[s->size];
|
||||
- ssize_t len;
|
||||
|
||||
- len = read(s->fd, buffer, s->size);
|
||||
- if (len < 0 && errno == EAGAIN) {
|
||||
- return;
|
||||
- }
|
||||
- g_assert(len != -1);
|
||||
+ while (s->parent.requests != NULL) {
|
||||
+ RngRequest *req = s->parent.requests->data;
|
||||
+ ssize_t len;
|
||||
+
|
||||
+ len = read(s->fd, req->data, req->size);
|
||||
+ if (len < 0 && errno == EAGAIN) {
|
||||
+ return;
|
||||
+ }
|
||||
+ g_assert(len != -1);
|
||||
|
||||
- s->receive_func(s->opaque, buffer, len);
|
||||
- s->receive_func = NULL;
|
||||
+ req->receive_entropy(req->opaque, req->data, len);
|
||||
|
||||
+ rng_backend_finalize_request(&s->parent, req);
|
||||
+ }
|
||||
+
|
||||
+ /* We've drained all requests, the fd handler can be reset. */
|
||||
qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
|
||||
}
|
||||
|
||||
-static void rng_random_request_entropy(RngBackend *b, size_t size,
|
||||
- EntropyReceiveFunc *receive_entropy,
|
||||
- void *opaque)
|
||||
+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
|
||||
{
|
||||
RndRandom *s = RNG_RANDOM(b);
|
||||
|
||||
- if (s->receive_func) {
|
||||
- s->receive_func(s->opaque, NULL, 0);
|
||||
+ if (s->parent.requests == NULL) {
|
||||
+ /* If there are no pending requests yet, we need to
|
||||
+ * install our fd handler. */
|
||||
+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
|
||||
}
|
||||
-
|
||||
- s->receive_func = receive_entropy;
|
||||
- s->opaque = opaque;
|
||||
- s->size = size;
|
||||
-
|
||||
- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
|
||||
}
|
||||
|
||||
static void rng_random_opened(RngBackend *b, Error **errp)
|
||||
diff --git a/backends/rng.c b/backends/rng.c
|
||||
index 0d9978b..4066268 100644
|
||||
--- a/backends/rng.c
|
||||
+++ b/backends/rng.c
|
||||
@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
|
||||
void *opaque)
|
||||
{
|
||||
RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
|
||||
+ RngRequest *req;
|
||||
|
||||
if (k->request_entropy) {
|
||||
- k->request_entropy(s, size, receive_entropy, opaque);
|
||||
+ req = g_malloc(sizeof(*req));
|
||||
+
|
||||
+ req->offset = 0;
|
||||
+ req->size = size;
|
||||
+ req->receive_entropy = receive_entropy;
|
||||
+ req->opaque = opaque;
|
||||
+ req->data = g_malloc(req->size);
|
||||
+
|
||||
+ k->request_entropy(s, req);
|
||||
+
|
||||
+ s->requests = g_slist_append(s->requests, req);
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
|
||||
index c2c9035..a7ed580 100644
|
||||
--- a/include/sysemu/rng.h
|
||||
+++ b/include/sysemu/rng.h
|
||||
@@ -46,8 +46,7 @@ struct RngBackendClass
|
||||
{
|
||||
ObjectClass parent_class;
|
||||
|
||||
- void (*request_entropy)(RngBackend *s, size_t size,
|
||||
- EntropyReceiveFunc *receive_entropy, void *opaque);
|
||||
+ void (*request_entropy)(RngBackend *s, RngRequest *req);
|
||||
|
||||
void (*opened)(RngBackend *s, Error **errp);
|
||||
};
|
@ -1,96 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 22 Feb 2016 09:50:11 +0100
|
||||
Subject: [PATCH] ohci: allocate timer only once.
|
||||
|
||||
Allocate timer once, at init time, instead of allocating/freeing
|
||||
it all the time when starting/stopping the bus. Simplifies the
|
||||
code, also fixes bugs (memory leak) due to missing checks whenever
|
||||
the time is already allocated or not.
|
||||
|
||||
Cc: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit fa1298c2d623522eda7b4f1f721fcb935abb7360)
|
||||
---
|
||||
hw/usb/hcd-ohci.c | 34 ++++++++--------------------------
|
||||
1 file changed, 8 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
|
||||
index 7d65818..9936a35 100644
|
||||
--- a/hw/usb/hcd-ohci.c
|
||||
+++ b/hw/usb/hcd-ohci.c
|
||||
@@ -1331,16 +1331,6 @@ static void ohci_frame_boundary(void *opaque)
|
||||
*/
|
||||
static int ohci_bus_start(OHCIState *ohci)
|
||||
{
|
||||
- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
|
||||
- ohci_frame_boundary,
|
||||
- ohci);
|
||||
-
|
||||
- if (ohci->eof_timer == NULL) {
|
||||
- trace_usb_ohci_bus_eof_timer_failed(ohci->name);
|
||||
- ohci_die(ohci);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
trace_usb_ohci_start(ohci->name);
|
||||
|
||||
ohci_sof(ohci);
|
||||
@@ -1352,11 +1342,7 @@ static int ohci_bus_start(OHCIState *ohci)
|
||||
static void ohci_bus_stop(OHCIState *ohci)
|
||||
{
|
||||
trace_usb_ohci_stop(ohci->name);
|
||||
- if (ohci->eof_timer) {
|
||||
- timer_del(ohci->eof_timer);
|
||||
- timer_free(ohci->eof_timer);
|
||||
- }
|
||||
- ohci->eof_timer = NULL;
|
||||
+ timer_del(ohci->eof_timer);
|
||||
}
|
||||
|
||||
/* Sets a flag in a port status register but only set it if the port is
|
||||
@@ -1883,6 +1869,9 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
|
||||
usb_packet_init(&ohci->usb_packet);
|
||||
|
||||
ohci->async_td = 0;
|
||||
+
|
||||
+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
|
||||
+ ohci_frame_boundary, ohci);
|
||||
}
|
||||
|
||||
#define TYPE_PCI_OHCI "pci-ohci"
|
||||
@@ -1952,6 +1941,9 @@ static void usb_ohci_exit(PCIDevice *dev)
|
||||
if (!ohci->masterbus) {
|
||||
usb_bus_release(&s->bus);
|
||||
}
|
||||
+
|
||||
+ timer_del(s->eof_timer);
|
||||
+ timer_free(s->eof_timer);
|
||||
}
|
||||
|
||||
static void usb_ohci_reset_pci(DeviceState *d)
|
||||
@@ -2017,23 +2009,13 @@ static bool ohci_eof_timer_needed(void *opaque)
|
||||
{
|
||||
OHCIState *ohci = opaque;
|
||||
|
||||
- return ohci->eof_timer != NULL;
|
||||
-}
|
||||
-
|
||||
-static int ohci_eof_timer_pre_load(void *opaque)
|
||||
-{
|
||||
- OHCIState *ohci = opaque;
|
||||
-
|
||||
- ohci_bus_start(ohci);
|
||||
-
|
||||
- return 0;
|
||||
+ return timer_pending(ohci->eof_timer);
|
||||
}
|
||||
|
||||
static const VMStateDescription vmstate_ohci_eof_timer = {
|
||||
.name = "ohci-core/eof-timer",
|
||||
.version_id = 1,
|
||||
.minimum_version_id = 1,
|
||||
- .pre_load = ohci_eof_timer_pre_load,
|
||||
.needed = ohci_eof_timer_needed,
|
||||
.fields = (VMStateField[]) {
|
||||
VMSTATE_TIMER_PTR(eof_timer, OHCIState),
|
@ -1,43 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 29 Jan 2016 18:30:34 +0530
|
||||
Subject: [PATCH] usb: ehci: add capability mmio write function
|
||||
|
||||
USB Ehci emulation supports host controller capability registers.
|
||||
But its mmio '.write' function was missing, which lead to a null
|
||||
pointer dereference issue. Add a do nothing 'ehci_caps_write'
|
||||
definition to avoid it; Do nothing because capability registers
|
||||
are Read Only(RO).
|
||||
|
||||
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1454072434-16045-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit dff0367cf66f489aa772320fa2937a8cac1ca30d)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 7ea6f5e..78e92a1 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
|
||||
return s->caps[addr];
|
||||
}
|
||||
|
||||
+static void ehci_caps_write(void *ptr, hwaddr addr,
|
||||
+ uint64_t val, unsigned size)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
|
||||
unsigned size)
|
||||
{
|
||||
@@ -2316,6 +2321,7 @@ static void ehci_frame_timer(void *opaque)
|
||||
|
||||
static const MemoryRegionOps ehci_mmio_caps_ops = {
|
||||
.read = ehci_caps_read,
|
||||
+ .write = ehci_caps_write,
|
||||
.valid.min_access_size = 1,
|
||||
.valid.max_access_size = 4,
|
||||
.impl.min_access_size = 1,
|
@ -1,41 +0,0 @@
|
||||
From: Igor Mammedov <imammedo@redhat.com>
|
||||
Date: Fri, 8 Apr 2016 13:23:13 +0200
|
||||
Subject: [PATCH] pc: acpi: tpm: add missing MMIO resource to PCI0._CRS
|
||||
|
||||
Windows will fail initialize TMP driver with the reason:
|
||||
'device cannot find enough free resources'
|
||||
That happens because parent BUS doesn't describe
|
||||
MMIO resources used by TPM child device.
|
||||
Fix it by describing it in top-most parent bus scope PCI0.
|
||||
|
||||
It was 'regressed' by commit
|
||||
5cb18b3d TPM2 ACPI table support
|
||||
with following fixup
|
||||
9e472263 acpi: add missing ssdt
|
||||
which did the right thing by moving TPM to BUS
|
||||
it belongs to but lacked a proper resource declaration.
|
||||
|
||||
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit 2b1c2e8e5f1990f0a201a8cbf9d366fca60f4aa8)
|
||||
---
|
||||
hw/i386/acpi-build.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
|
||||
index 46eddb8..9c406a5 100644
|
||||
--- a/hw/i386/acpi-build.c
|
||||
+++ b/hw/i386/acpi-build.c
|
||||
@@ -1005,6 +1005,11 @@ build_ssdt(GArray *table_data, GArray *linker,
|
||||
0, pci->w64.begin, pci->w64.end - 1, 0,
|
||||
pci->w64.end - pci->w64.begin));
|
||||
}
|
||||
+
|
||||
+ if (misc->tpm_version != TPM_VERSION_UNSPEC) {
|
||||
+ aml_append(crs, aml_memory32_fixed(TPM_TIS_ADDR_BASE,
|
||||
+ TPM_TIS_ADDR_SIZE, AML_READ_WRITE));
|
||||
+ }
|
||||
aml_append(scope, aml_name_decl("_CRS", crs));
|
||||
|
||||
/* reserve GPE0 block resources */
|
@ -1,47 +0,0 @@
|
||||
From: Igor Mammedov <imammedo@redhat.com>
|
||||
Date: Fri, 8 Apr 2016 13:23:14 +0200
|
||||
Subject: [PATCH] tpm: acpi: remove IRQ from TPM's CRS to make Windows not see
|
||||
conflict
|
||||
|
||||
IRQ 5 used by TPM conflicts with PNP0C0F IRQs,
|
||||
as result Windows fails driver initialization with reason
|
||||
'device cannot find enough free resources'
|
||||
But if TPM._CRS.IRQ entry is commented out, Windows
|
||||
seems to initialize driver without errors as it doesn't
|
||||
notice possible conflict and it seems to work
|
||||
probably due to a link with IRQ 5 being unused/disabled.
|
||||
|
||||
So temporary comment out TPM._CRS.IRQ to 'fix'
|
||||
regression in TPM, with intent to fix it correctly
|
||||
later i.e.:
|
||||
1. pick unused IRQ as default one for TPM
|
||||
2. fetch IRQ value from device model so that user
|
||||
could override default one if it conflicts with
|
||||
some other device.
|
||||
|
||||
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit 52e38eb0512585a5fadb431a65997b602d44874b)
|
||||
---
|
||||
hw/i386/acpi-build.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
|
||||
index 9c406a5..7678bbd 100644
|
||||
--- a/hw/i386/acpi-build.c
|
||||
+++ b/hw/i386/acpi-build.c
|
||||
@@ -1338,7 +1338,12 @@ build_ssdt(GArray *table_data, GArray *linker,
|
||||
crs = aml_resource_template();
|
||||
aml_append(crs, aml_memory32_fixed(TPM_TIS_ADDR_BASE,
|
||||
TPM_TIS_ADDR_SIZE, AML_READ_WRITE));
|
||||
- aml_append(crs, aml_irq_no_flags(TPM_TIS_IRQ));
|
||||
+ /*
|
||||
+ FIXME: TPM_TIS_IRQ=5 conflicts with PNP0C0F irqs,
|
||||
+ Rewrite to take IRQ from TPM device model and
|
||||
+ fix default IRQ value there to use some unused IRQ
|
||||
+ */
|
||||
+ /* aml_append(crs, aml_irq_no_flags(TPM_TIS_IRQ)); */
|
||||
aml_append(dev, aml_name_decl("_CRS", crs));
|
||||
aml_append(scope, dev);
|
||||
}
|
@ -1,46 +0,0 @@
|
||||
From: John Snow <jsnow@redhat.com>
|
||||
Date: Wed, 28 Oct 2015 13:56:40 -0400
|
||||
Subject: [PATCH] configure: disallow ccache during compile tests
|
||||
|
||||
If the user is using ccache during the configuration step,
|
||||
it may interfere with some of the configuration tests,
|
||||
particularly the "Is ccache interfering with macro analysis" step,
|
||||
which is a bit of a poetic problem.
|
||||
|
||||
1) Disallow ccache from reading from the cache during configure,
|
||||
but don't disable it entirely to allow us to see if it causes other
|
||||
problems.
|
||||
|
||||
2) Force off CCACHE_CPP2 during the ccache test to get a deterministic
|
||||
answer over whether or not we need to enable that feature later.
|
||||
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
Message-Id: <1446055000-29150-1-git-send-email-jsnow@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 5e4dfd3d4e87e0464d599ecef06aa8fe78420a9b)
|
||||
---
|
||||
configure | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 773790c..f888c58 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -8,6 +8,9 @@
|
||||
CLICOLOR_FORCE= GREP_OPTIONS=
|
||||
unset CLICOLOR_FORCE GREP_OPTIONS
|
||||
|
||||
+# Don't allow CCACHE, if present, to use cached results of compile tests!
|
||||
+export CCACHE_RECACHE=yes
|
||||
+
|
||||
# Temporary directory used for files created while
|
||||
# configure runs. Since it is in the build directory
|
||||
# we can safely blow away any previous version of it
|
||||
@@ -4279,6 +4282,7 @@ fi
|
||||
# check if ccache is interfering with
|
||||
# semantic analysis of macros
|
||||
|
||||
+unset CCACHE_CPP2
|
||||
ccache_cpp2=no
|
||||
cat > $TMPC << EOF
|
||||
static const int Z = 1;
|
@ -1,32 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 12:50:08 +0530
|
||||
Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
|
||||
|
||||
When processing Task Priorty Register(TPR) access, it could leak
|
||||
automatic stack variable 'imm32' in patch_instruction().
|
||||
Initialise the variable to avoid it.
|
||||
|
||||
Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
|
||||
---
|
||||
hw/i386/kvmvapic.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index f0922da..97f3646 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -393,7 +393,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
|
||||
CPUX86State *env = &cpu->env;
|
||||
VAPICHandlers *handlers;
|
||||
uint8_t opcode[2];
|
||||
- uint32_t imm32;
|
||||
+ uint32_t imm32 = 0;
|
||||
target_ulong current_pc = 0;
|
||||
target_ulong current_cs_base = 0;
|
||||
int current_flags = 0;
|
@ -1,39 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:30 +0530
|
||||
Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer. While
|
||||
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
|
||||
was missing to validate input length. Add check to avoid OOB write
|
||||
access.
|
||||
|
||||
Fixes CVE-2016-4439.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
|
||||
---
|
||||
hw/scsi/esp.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 272d13d..cda9755 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ if (s->cmdlen < TI_BUFSZ) {
|
||||
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ } else {
|
||||
+ trace_esp_error_fifo_overrun();
|
||||
+ }
|
||||
} else if (s->ti_size == TI_BUFSZ - 1) {
|
||||
trace_esp_error_fifo_overrun();
|
||||
} else {
|
@ -1,73 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:31 +0530
|
||||
Subject: [PATCH] esp: check dma length before reading scsi
|
||||
command(CVE-2016-4441)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() uses DMA to read scsi commands into this buffer.
|
||||
Add check to validate DMA length against buffer size to avoid any
|
||||
overrun.
|
||||
|
||||
Fixes CVE-2016-4441.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
|
||||
---
|
||||
hw/scsi/esp.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index cda9755..63a2a01 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -80,7 +80,7 @@ void esp_request_cancelled(SCSIRequest *req)
|
||||
}
|
||||
}
|
||||
|
||||
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
{
|
||||
uint32_t dmalen;
|
||||
int target;
|
||||
@@ -90,6 +90,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
dmalen = s->rregs[ESP_TCLO];
|
||||
dmalen |= s->rregs[ESP_TCMID] << 8;
|
||||
dmalen |= s->rregs[ESP_TCHI] << 16;
|
||||
+ if (dmalen > buflen) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
@@ -164,7 +167,7 @@ static void handle_satn(ESPState *s)
|
||||
s->dma_cb = handle_satn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len)
|
||||
do_cmd(s, buf);
|
||||
}
|
||||
@@ -178,7 +181,7 @@ static void handle_s_without_atn(ESPState *s)
|
||||
s->dma_cb = handle_s_without_atn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len) {
|
||||
do_busid_cmd(s, buf, 0);
|
||||
}
|
||||
@@ -190,7 +193,7 @@ static void handle_satn_stop(ESPState *s)
|
||||
s->dma_cb = handle_satn_stop;
|
||||
return;
|
||||
}
|
||||
- s->cmdlen = get_cmd(s, s->cmdbuf);
|
||||
+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
|
||||
if (s->cmdlen) {
|
||||
trace_esp_handle_satn_stop(s->cmdlen);
|
||||
s->do_cmd = 1;
|
@ -1,233 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 17 May 2016 10:54:54 +0200
|
||||
Subject: [PATCH] vga: add sr_vbe register set
|
||||
|
||||
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
|
||||
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
|
||||
because it can't freely modify vga registers any more while in vbe mode.
|
||||
|
||||
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
|
||||
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
|
||||
writes go to sr[]. Any sr register read access happens through a new
|
||||
sr() helper function which will read from sr_vbe[] with vbe active and
|
||||
from sr[] otherwise.
|
||||
|
||||
This way we can allow guests update sr[] registers as they want, without
|
||||
allowing them disrupt vbe video modes that way.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
|
||||
---
|
||||
hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
|
||||
hw/display/vga_int.h | 1 +
|
||||
2 files changed, 29 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index e721b2d..fac17e8 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -147,6 +147,11 @@ static inline bool vbe_enabled(VGACommonState *s)
|
||||
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
|
||||
}
|
||||
|
||||
+static inline uint8_t sr(VGACommonState *s, int idx)
|
||||
+{
|
||||
+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
|
||||
+}
|
||||
+
|
||||
static void vga_update_memory_access(VGACommonState *s)
|
||||
{
|
||||
hwaddr base, offset, size;
|
||||
@@ -161,8 +166,8 @@ static void vga_update_memory_access(VGACommonState *s)
|
||||
s->has_chain4_alias = false;
|
||||
s->plane_updated = 0xf;
|
||||
}
|
||||
- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
|
||||
- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
|
||||
+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
offset = 0;
|
||||
switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
|
||||
case 0:
|
||||
@@ -232,7 +237,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
|
||||
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
|
||||
vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
|
||||
|
||||
- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
|
||||
+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
|
||||
clock_sel = (s->msr >> 2) & 3;
|
||||
dots = (s->msr & 1) ? 8 : 9;
|
||||
|
||||
@@ -484,7 +489,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
|
||||
#endif
|
||||
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
|
||||
- vbe_update_vgaregs(s);
|
||||
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
|
||||
s->update_retrace_info(s);
|
||||
}
|
||||
@@ -678,13 +682,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
|
||||
|
||||
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
shift_control = 0;
|
||||
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
} else {
|
||||
shift_control = 2;
|
||||
/* set chain 4 mode */
|
||||
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
/* activate all planes */
|
||||
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
}
|
||||
s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
|
||||
(shift_control << 5);
|
||||
@@ -834,7 +838,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
assert(addr < s->vram_size);
|
||||
ret = s->vram_ptr[addr];
|
||||
@@ -902,11 +906,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
plane = addr & 3;
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
assert(addr < s->vram_size);
|
||||
s->vram_ptr[addr] = val;
|
||||
#ifdef DEBUG_VGA_MEM
|
||||
@@ -919,7 +923,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
/* odd/even mode (aka text mode mapping) */
|
||||
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
addr = ((addr & ~1) << 1) | plane;
|
||||
if (addr >= s->vram_size) {
|
||||
return;
|
||||
@@ -994,7 +998,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
|
||||
do_write:
|
||||
/* mask data according to sr[2] */
|
||||
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
|
||||
+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
|
||||
s->plane_updated |= mask; /* only used to detect font change */
|
||||
write_mask = mask16[mask];
|
||||
if (addr * sizeof(uint32_t) >= s->vram_size) {
|
||||
@@ -1150,10 +1154,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cwidth = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cwidth = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cwidth = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -1195,7 +1199,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
|
||||
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
|
||||
|
||||
/* compute font data address (in plane 2) */
|
||||
- v = s->sr[VGA_SEQ_CHARACTER_MAP];
|
||||
+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
|
||||
offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
|
||||
if (offset != s->font_offsets[0]) {
|
||||
s->font_offsets[0] = offset;
|
||||
@@ -1504,11 +1508,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
}
|
||||
|
||||
if (shift_control == 0) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
} else if (shift_control == 1) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
}
|
||||
@@ -1572,7 +1576,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
|
||||
if (shift_control == 0) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE4D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE4;
|
||||
@@ -1580,7 +1584,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
bits = 4;
|
||||
} else if (shift_control == 1) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE2D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE2;
|
||||
@@ -1627,7 +1631,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
#if 0
|
||||
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
|
||||
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
|
||||
- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
|
||||
+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
|
||||
#endif
|
||||
addr1 = (s->start_addr * 4);
|
||||
bwidth = (width * bits + 7) / 8;
|
||||
@@ -1779,6 +1783,7 @@ void vga_common_reset(VGACommonState *s)
|
||||
{
|
||||
s->sr_index = 0;
|
||||
memset(s->sr, '\0', sizeof(s->sr));
|
||||
+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
|
||||
s->gr_index = 0;
|
||||
memset(s->gr, '\0', sizeof(s->gr));
|
||||
s->ar_index = 0;
|
||||
@@ -1881,10 +1886,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cw = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cw = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cw = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -2050,6 +2055,7 @@ static int vga_common_post_load(void *opaque, int version_id)
|
||||
|
||||
/* force refresh */
|
||||
s->graphic_mode = -1;
|
||||
+ vbe_update_vgaregs(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
|
||||
index 40ba6a4..103cac2 100644
|
||||
--- a/hw/display/vga_int.h
|
||||
+++ b/hw/display/vga_int.h
|
||||
@@ -99,6 +99,7 @@ typedef struct VGACommonState {
|
||||
MemoryRegion chain4_alias;
|
||||
uint8_t sr_index;
|
||||
uint8_t sr[256];
|
||||
+ uint8_t sr_vbe[256];
|
||||
uint8_t gr_index;
|
||||
uint8_t gr[256];
|
||||
uint8_t ar_index;
|
@ -1,32 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 15:56:02 +0530
|
||||
Subject: [PATCH] net: mipsnet: check packet length against buffer
|
||||
|
||||
When receiving packets over MIPSnet network device, it uses
|
||||
receive buffer of size 1514 bytes. In case the controller
|
||||
accepts large(MTU) packets, it could lead to memory corruption.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
|
||||
(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
|
||||
---
|
||||
hw/net/mipsnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
|
||||
index f261011..e134b31 100644
|
||||
--- a/hw/net/mipsnet.c
|
||||
+++ b/hw/net/mipsnet.c
|
||||
@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
|
||||
if (!mipsnet_can_receive(nc))
|
||||
return 0;
|
||||
|
||||
+ if (size >= sizeof(s->rx_buffer)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->busy = 1;
|
||||
|
||||
/* Just accept everything. */
|
@ -1,100 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 23 May 2016 16:18:05 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
|
||||
(CVE-2016-4952)
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the ring buffer size to an arbitrary
|
||||
value leading to OOB access issue. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 9c71f31..a6c5cc4 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -126,7 +126,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -134,6 +134,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -165,15 +169,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
{
|
||||
int i;
|
||||
uint32_t len_log2;
|
||||
uint32_t ring_size;
|
||||
|
||||
+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
+ return -1;
|
||||
+ }
|
||||
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
||||
len_log2 = pvscsi_log2(ring_size - 1);
|
||||
|
||||
@@ -193,6 +202,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -743,7 +754,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- pvscsi_ring_init_data(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
||||
@@ -823,7 +837,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
|
||||
}
|
||||
|
||||
if (s->rings_info_valid) {
|
||||
- pvscsi_ring_init_msg(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
s->msg_ring_info_valid = TRUE;
|
||||
}
|
||||
return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
|
@ -1,31 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 16:01:29 +0530
|
||||
Subject: [PATCH] scsi: megasas: use appropriate property buffer size
|
||||
|
||||
When setting MegaRAID SAS controller properties via MegaRAID
|
||||
Firmware Interface(MFI) commands, a user supplied size parameter
|
||||
is used to set property value. Use appropriate size value to avoid
|
||||
OOB access issues.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index d9b99c0..85fdf3d 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1445,7 +1445,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
|
||||
dcmd_size);
|
||||
return MFI_STAT_INVALID_PARAMETER;
|
||||
}
|
||||
- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
|
||||
+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
|
||||
trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
|
||||
return MFI_STAT_OK;
|
||||
}
|
@ -1,31 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:41:44 +0530
|
||||
Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
|
||||
|
||||
When reading MegaRAID SAS controller configuration via MegaRAID
|
||||
Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
|
||||
uses an uninitialised local data buffer. Initialise this buffer
|
||||
to avoid stack information leakage.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index 85fdf3d..855e889 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1292,7 +1292,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- uint8_t data[4096];
|
||||
+ uint8_t data[4096] = { 0 };
|
||||
struct mfi_config_data *info;
|
||||
int num_pd_disks = 0, array_offset, ld_offset;
|
||||
BusChild *kid;
|
@ -1,33 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:55:10 +0530
|
||||
Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
|
||||
|
||||
While doing MegaRAID SAS controller command frame lookup, routine
|
||||
'megasas_lookup_frame' uses 'read_queue_head' value as an index
|
||||
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
|
||||
within array bounds to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Alexander Graf <agraf@suse.de>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index 855e889..fafdddd 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
|
||||
pa_hi = le32_to_cpu(initq->pi_addr_hi);
|
||||
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
|
||||
s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
|
||||
+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
|
||||
s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
|
||||
+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
|
||||
flags = le32_to_cpu(initq->flags);
|
||||
if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
|
||||
s->flags |= MEGASAS_MASK_USE_QUEUE64;
|
@ -1,70 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:18 +0200
|
||||
Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Sanity checks are applied when the fifo is enabled by the guest
|
||||
(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
|
||||
changes the fifo registers afterwards. Move the checks to
|
||||
vmsvga_fifo_length so they are done each time qemu is about to read
|
||||
from the fifo.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
|
||||
---
|
||||
hw/display/vmware_vga.c | 28 +++++++++++++++-------------
|
||||
1 file changed, 15 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 7f397d3..14eb2f7 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -553,6 +553,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (!s->config || !s->enable) {
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* Check range and alignment. */
|
||||
+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
num = CMD(next_cmd) - CMD(stop);
|
||||
if (num < 0) {
|
||||
num += CMD(max) - CMD(min);
|
||||
@@ -1000,19 +1015,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
|
||||
case SVGA_REG_CONFIG_DONE:
|
||||
if (value) {
|
||||
s->fifo = (uint32_t *) s->fifo_ptr;
|
||||
- /* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
- break;
|
||||
- }
|
||||
vga_dirty_log_stop(&s->vga);
|
||||
}
|
||||
s->config = !!value;
|
@ -1,36 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:19 +0200
|
||||
Subject: [PATCH] vmsvga: add more fifo checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Make sure all fifo ptrs are within range.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
|
||||
---
|
||||
hw/display/vmware_vga.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 14eb2f7..a8181b0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -561,7 +561,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
+ CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
if (CMD(max) < CMD(min) + 10 * 1024) {
|
@ -1,143 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:20 +0200
|
||||
Subject: [PATCH] vmsvga: shadow fifo registers
|
||||
|
||||
The fifo is normal ram. So kvm vcpu threads and qemu iothread can
|
||||
access the fifo in parallel without syncronization. Which in turn
|
||||
implies we can't use the fifo pointers in-place because the guest
|
||||
can try changing them underneath us. So add shadows for them, to
|
||||
make sure the guest can't modify them after we've applied sanity
|
||||
checks.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 28 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index a8181b0..904a722 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -64,17 +64,11 @@ struct vmsvga_state_s {
|
||||
uint8_t *fifo_ptr;
|
||||
unsigned int fifo_size;
|
||||
|
||||
- union {
|
||||
- uint32_t *fifo;
|
||||
- struct QEMU_PACKED {
|
||||
- uint32_t min;
|
||||
- uint32_t max;
|
||||
- uint32_t next_cmd;
|
||||
- uint32_t stop;
|
||||
- /* Add registers here when adding capabilities. */
|
||||
- uint32_t fifo[0];
|
||||
- } *cmd;
|
||||
- };
|
||||
+ uint32_t *fifo;
|
||||
+ uint32_t fifo_min;
|
||||
+ uint32_t fifo_max;
|
||||
+ uint32_t fifo_next;
|
||||
+ uint32_t fifo_stop;
|
||||
|
||||
#define REDRAW_FIFO_LEN 512
|
||||
struct vmsvga_rect_s {
|
||||
@@ -196,7 +190,7 @@ enum {
|
||||
*/
|
||||
SVGA_FIFO_MIN = 0,
|
||||
SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
|
||||
- SVGA_FIFO_NEXT_CMD,
|
||||
+ SVGA_FIFO_NEXT,
|
||||
SVGA_FIFO_STOP,
|
||||
|
||||
/*
|
||||
@@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
|
||||
}
|
||||
#endif
|
||||
|
||||
-#define CMD(f) le32_to_cpu(s->cmd->f)
|
||||
-
|
||||
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
{
|
||||
int num;
|
||||
@@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
|
||||
+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
|
||||
+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
|
||||
+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
|
||||
+
|
||||
/* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ if (s->fifo_min < sizeof(uint32_t) * 4) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
- CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
+ if (s->fifo_max > SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_min >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_stop >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_next >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
- num = CMD(next_cmd) - CMD(stop);
|
||||
+ num = s->fifo_next - s->fifo_stop;
|
||||
if (num < 0) {
|
||||
- num += CMD(max) - CMD(min);
|
||||
+ num += s->fifo_max - s->fifo_min;
|
||||
}
|
||||
return num >> 2;
|
||||
}
|
||||
|
||||
static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
|
||||
{
|
||||
- uint32_t cmd = s->fifo[CMD(stop) >> 2];
|
||||
+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
|
||||
|
||||
- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
|
||||
- if (CMD(stop) >= CMD(max)) {
|
||||
- s->cmd->stop = s->cmd->min;
|
||||
+ s->fifo_stop += 4;
|
||||
+ if (s->fifo_stop >= s->fifo_max) {
|
||||
+ s->fifo_stop = s->fifo_min;
|
||||
}
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
return cmd;
|
||||
}
|
||||
|
||||
@@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
len = vmsvga_fifo_length(s);
|
||||
while (len > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
- cmd_start = s->cmd->stop;
|
||||
+ cmd_start = s->fifo_stop;
|
||||
|
||||
switch (cmd = vmsvga_fifo_read(s)) {
|
||||
case SVGA_CMD_UPDATE:
|
||||
@@ -761,7 +759,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
break;
|
||||
|
||||
rewind:
|
||||
- s->cmd->stop = cmd_start;
|
||||
+ s->fifo_stop = cmd_start;
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
break;
|
||||
}
|
||||
}
|
@ -1,42 +0,0 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:21 +0200
|
||||
Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
vmsvga_fifo_run is called in regular intervals (on each display update)
|
||||
and will resume where it left off. So we can simply exit the loop,
|
||||
without having to worry about how processing will continue.
|
||||
|
||||
Fixes: CVE-2016-4453
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 904a722..890cc90 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
|
||||
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
{
|
||||
uint32_t cmd, colour;
|
||||
- int args, len;
|
||||
+ int args, len, maxloop = 1024;
|
||||
int x, y, dx, dy, width, height;
|
||||
struct vmsvga_cursor_definition_s cursor;
|
||||
uint32_t cmd_start;
|
||||
|
||||
len = vmsvga_fifo_length(s);
|
||||
- while (len > 0) {
|
||||
+ while (len > 0 && --maxloop > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
cmd_start = s->fifo_stop;
|
||||
|
@ -1,33 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 31 May 2016 23:23:27 +0530
|
||||
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
|
||||
command into a buffer. Add check to validate command length against
|
||||
buffer size to avoid any overrun.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
|
||||
---
|
||||
hw/scsi/esp.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 63a2a01..e1a8090 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -96,6 +96,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
+ if (dmalen > TI_BUFSZ) {
|
||||
+ return 0;
|
||||
+ }
|
||||
memcpy(buf, s->ti_buf, dmalen);
|
||||
buf[0] = buf[2] >> 5;
|
||||
}
|
@ -1,26 +0,0 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 14 Jun 2016 15:10:24 +0200
|
||||
Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
|
||||
|
||||
The FIFO contains two bytes; hence the write ptr should be two bytes ahead
|
||||
of the read pointer.
|
||||
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
|
||||
---
|
||||
hw/scsi/esp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index e1a8090..65d1830 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -220,7 +220,7 @@ static void write_response(ESPState *s)
|
||||
} else {
|
||||
s->ti_size = 2;
|
||||
s->ti_rptr = 0;
|
||||
- s->ti_wptr = 0;
|
||||
+ s->ti_wptr = 2;
|
||||
s->rregs[ESP_RFLAGS] = 2;
|
||||
}
|
||||
esp_raise_irq(s);
|
@ -1,76 +0,0 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Wed, 15 Jun 2016 14:29:33 +0200
|
||||
Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
|
||||
|
||||
Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
|
||||
has the same code that handle_ti contains after the call to esp_do_dma;
|
||||
but the code in handle_ti is never reached because it is in an "else if".
|
||||
Remove the else and also the pointless return.
|
||||
|
||||
esp_do_dma also has a partially dead assignment of the to_device
|
||||
variable. Sink it to the point where it's actually used.
|
||||
|
||||
Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
|
||||
only transfers data and not a command. This is true because get_cmd
|
||||
cancels the old request synchronously before its caller handle_satn_stop
|
||||
sets do_cmd to 1.
|
||||
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
|
||||
---
|
||||
hw/scsi/esp.c | 11 ++++-------
|
||||
1 file changed, 4 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 65d1830..7337d27 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -243,15 +243,10 @@ static void esp_do_dma(ESPState *s)
|
||||
uint32_t len;
|
||||
int to_device;
|
||||
|
||||
- to_device = (s->ti_size < 0);
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
- s->ti_size = 0;
|
||||
- s->cmdlen = 0;
|
||||
- s->do_cmd = 0;
|
||||
- do_cmd(s, s->cmdbuf);
|
||||
return;
|
||||
}
|
||||
if (s->async_len == 0) {
|
||||
@@ -261,6 +256,7 @@ static void esp_do_dma(ESPState *s)
|
||||
if (len > s->async_len) {
|
||||
len = s->async_len;
|
||||
}
|
||||
+ to_device = (s->ti_size < 0);
|
||||
if (to_device) {
|
||||
s->dma_memory_read(s->dma_opaque, s->async_buf, len);
|
||||
} else {
|
||||
@@ -316,6 +312,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
|
||||
{
|
||||
ESPState *s = req->hba_private;
|
||||
|
||||
+ assert(!s->do_cmd);
|
||||
trace_esp_transfer_data(s->dma_left, s->ti_size);
|
||||
s->async_len = len;
|
||||
s->async_buf = scsi_req_get_buf(req);
|
||||
@@ -356,13 +353,13 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_left = minlen;
|
||||
s->rregs[ESP_RSTAT] &= ~STAT_TC;
|
||||
esp_do_dma(s);
|
||||
- } else if (s->do_cmd) {
|
||||
+ }
|
||||
+ if (s->do_cmd) {
|
||||
trace_esp_handle_ti_cmd(s->cmdlen);
|
||||
s->ti_size = 0;
|
||||
s->cmdlen = 0;
|
||||
s->do_cmd = 0;
|
||||
do_cmd(s, s->cmdbuf);
|
||||
- return;
|
||||
}
|
||||
}
|
||||
|
@ -1,70 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 16 Jun 2016 00:22:35 +0200
|
||||
Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
|
||||
|
||||
While doing DMA read into ESP command buffer 's->cmdbuf', it could
|
||||
write past the 's->cmdbuf' area, if it was transferring more than 16
|
||||
bytes. Increase the command buffer size to 32, which is maximum when
|
||||
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
|
||||
---
|
||||
hw/scsi/esp.c | 6 ++++--
|
||||
include/hw/scsi/esp.h | 3 ++-
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 7337d27..a5f1095 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -246,6 +246,8 @@ static void esp_do_dma(ESPState *s)
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
|
||||
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
return;
|
||||
}
|
||||
@@ -343,7 +345,7 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_counter = dmalen;
|
||||
|
||||
if (s->do_cmd)
|
||||
- minlen = (dmalen < 32) ? dmalen : 32;
|
||||
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
|
||||
else if (s->ti_size < 0)
|
||||
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
|
||||
else
|
||||
@@ -449,7 +451,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- if (s->cmdlen < TI_BUFSZ) {
|
||||
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
|
||||
s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
} else {
|
||||
trace_esp_error_fifo_overrun();
|
||||
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
|
||||
index 6c79527..d2c4886 100644
|
||||
--- a/include/hw/scsi/esp.h
|
||||
+++ b/include/hw/scsi/esp.h
|
||||
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
|
||||
|
||||
#define ESP_REGS 16
|
||||
#define TI_BUFSZ 16
|
||||
+#define ESP_CMDBUF_SZ 32
|
||||
|
||||
typedef struct ESPState ESPState;
|
||||
|
||||
@@ -31,7 +32,7 @@ struct ESPState {
|
||||
SCSIBus bus;
|
||||
SCSIDevice *current_dev;
|
||||
SCSIRequest *current_req;
|
||||
- uint8_t cmdbuf[TI_BUFSZ];
|
||||
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
|
||||
uint32_t cmdlen;
|
||||
uint32_t do_cmd;
|
||||
|
@ -1,29 +0,0 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Jun 2016 16:44:03 +0530
|
||||
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
|
||||
|
||||
While reading information via 'megasas_ctrl_get_info' routine,
|
||||
a local bios version buffer isn't null terminated. Add the
|
||||
terminating null byte to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
|
||||
---
|
||||
hw/scsi/megasas.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index fafdddd..5dd1030 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -772,6 +772,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
|
||||
memcpy(biosver, ptr + 0x41, 31);
|
||||
+ biosver[31] = 0;
|
||||
memcpy(info.image_component[1].name, "BIOS", 4);
|
||||
memcpy(info.image_component[1].version, biosver,
|
||||
strlen((const char *)biosver));
|
@ -1,3 +0,0 @@
|
||||
# KVM S390 VM creation fails without this set
|
||||
# https://www.mail-archive.com/kvm@vger.kernel.org/msg115576.html
|
||||
vm.allocate_pgste = 1
|
@ -1 +0,0 @@
|
||||
KERNEL=="kvm", GROUP="kvm", MODE="0666"
|
12
95-kvm-ppc64-memlock.conf
Normal file
12
95-kvm-ppc64-memlock.conf
Normal file
@ -0,0 +1,12 @@
|
||||
# The KVM HV implementation on Power can require a significant amount
|
||||
# of unswappable memory (about half of which also needs to be host
|
||||
# physically contiguous) to hold the guest's Hash Page Table (HPT) -
|
||||
# roughly 1/64th of the guest's RAM size, minimum 16MiB.
|
||||
#
|
||||
# These limits allow unprivileged users to start smallish VMs, such as
|
||||
# those used by libguestfs.
|
||||
#
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1293024
|
||||
#
|
||||
* hard memlock 65536
|
||||
* soft memlock 65536
|
14
ksm.service
14
ksm.service
@ -1,14 +0,0 @@
|
||||
[Unit]
|
||||
Description=Kernel Samepage Merging
|
||||
ConditionPathExists=/sys/kernel/mm/ksm
|
||||
ConditionVirtualization=no
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/ksm
|
||||
ExecStart=/usr/libexec/ksmctl start
|
||||
ExecStop=/usr/libexec/ksmctl stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,4 +0,0 @@
|
||||
# The maximum number of unswappable kernel pages
|
||||
# which may be allocated by ksm (0 for unlimited)
|
||||
# If unset, defaults to half of total memory
|
||||
# KSM_MAX_KERNEL_PAGES=
|
77
ksmctl.c
77
ksmctl.c
@ -1,77 +0,0 @@
|
||||
/* Start/stop KSM, for systemd.
|
||||
* Copyright (C) 2009, 2011 Red Hat, Inc.
|
||||
* Written by Paolo Bonzini <pbonzini@redhat.com>.
|
||||
* Based on the original sysvinit script by Dan Kenigsberg <danken@redhat.com>
|
||||
* This file is distributed under the GNU General Public License, version 2
|
||||
* or later. */
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#define KSM_MAX_KERNEL_PAGES_FILE "/sys/kernel/mm/ksm/max_kernel_pages"
|
||||
#define KSM_RUN_FILE "/sys/kernel/mm/ksm/run"
|
||||
|
||||
char *program_name;
|
||||
|
||||
int usage(void)
|
||||
{
|
||||
fprintf(stderr, "Usage: %s {start|stop}\n", program_name);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int write_value(uint64_t value, char *filename)
|
||||
{
|
||||
FILE *fp;
|
||||
if (!(fp = fopen(filename, "w")) ||
|
||||
fprintf(fp, "%llu\n", (unsigned long long) value) == EOF ||
|
||||
fflush(fp) == EOF ||
|
||||
fclose(fp) == EOF)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
uint64_t ksm_max_kernel_pages()
|
||||
{
|
||||
char *var = getenv("KSM_MAX_KERNEL_PAGES");
|
||||
char *endptr;
|
||||
uint64_t value;
|
||||
if (var && *var) {
|
||||
value = strtoll(var, &endptr, 0);
|
||||
if (value < LLONG_MAX && !*endptr)
|
||||
return value;
|
||||
}
|
||||
/* Unless KSM_MAX_KERNEL_PAGES is set, let KSM munch up to half of
|
||||
* total memory. */
|
||||
return sysconf(_SC_PHYS_PAGES) / 2;
|
||||
}
|
||||
|
||||
int start(void)
|
||||
{
|
||||
if (access(KSM_MAX_KERNEL_PAGES_FILE, R_OK) >= 0)
|
||||
write_value(ksm_max_kernel_pages(), KSM_MAX_KERNEL_PAGES_FILE);
|
||||
return write_value(1, KSM_RUN_FILE);
|
||||
}
|
||||
|
||||
int stop(void)
|
||||
{
|
||||
return write_value(0, KSM_RUN_FILE);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
program_name = argv[0];
|
||||
if (argc < 2) {
|
||||
return usage();
|
||||
} else if (!strcmp(argv[1], "start")) {
|
||||
return start();
|
||||
} else if (!strcmp(argv[1], "stop")) {
|
||||
return stop();
|
||||
} else {
|
||||
return usage();
|
||||
}
|
||||
}
|
139
ksmtuned
139
ksmtuned
@ -1,139 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright 2009 Red Hat, Inc. and/or its affiliates.
|
||||
# Released under the GPL
|
||||
#
|
||||
# Author: Dan Kenigsberg <danken@redhat.com>
|
||||
#
|
||||
# ksmtuned - a simple script that controls whether (and with what vigor) ksm
|
||||
# should search for duplicated pages.
|
||||
#
|
||||
# starts ksm when memory commited to qemu processes exceeds a threshold, and
|
||||
# make ksm work harder and harder untill memory load falls below that
|
||||
# threshold.
|
||||
#
|
||||
# send SIGUSR1 to this process right after a new qemu process is started, or
|
||||
# following its death, to retune ksm accordingly
|
||||
#
|
||||
# needs testing and ironing. contact danken@redhat.com if something breaks.
|
||||
|
||||
if [ -f /etc/ksmtuned.conf ]; then
|
||||
. /etc/ksmtuned.conf
|
||||
fi
|
||||
|
||||
debug() {
|
||||
if [ -n "$DEBUG" ]; then
|
||||
s="`/bin/date`: $*"
|
||||
[ -n "$LOGFILE" ] && echo "$s" >> "$LOGFILE" || echo "$s"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
KSM_MONITOR_INTERVAL=${KSM_MONITOR_INTERVAL:-60}
|
||||
KSM_NPAGES_BOOST=${KSM_NPAGES_BOOST:-300}
|
||||
KSM_NPAGES_DECAY=${KSM_NPAGES_DECAY:--50}
|
||||
|
||||
KSM_NPAGES_MIN=${KSM_NPAGES_MIN:-64}
|
||||
KSM_NPAGES_MAX=${KSM_NPAGES_MAX:-1250}
|
||||
# millisecond sleep between ksm scans for 16Gb server. Smaller servers sleep
|
||||
# more, bigger sleep less.
|
||||
KSM_SLEEP_MSEC=${KSM_SLEEP_MSEC:-10}
|
||||
|
||||
KSM_THRES_COEF=${KSM_THRES_COEF:-20}
|
||||
KSM_THRES_CONST=${KSM_THRES_CONST:-2048}
|
||||
|
||||
total=`awk '/^MemTotal:/ {print $2}' /proc/meminfo`
|
||||
debug total $total
|
||||
|
||||
npages=0
|
||||
sleep=$[KSM_SLEEP_MSEC * 16 * 1024 * 1024 / total]
|
||||
[ $sleep -le 10 ] && sleep=10
|
||||
debug sleep $sleep
|
||||
thres=$[total * KSM_THRES_COEF / 100]
|
||||
if [ $KSM_THRES_CONST -gt $thres ]; then
|
||||
thres=$KSM_THRES_CONST
|
||||
fi
|
||||
debug thres $thres
|
||||
|
||||
KSMCTL () {
|
||||
case x$1 in
|
||||
xstop)
|
||||
echo 0 > /sys/kernel/mm/ksm/run
|
||||
;;
|
||||
xstart)
|
||||
echo $2 > /sys/kernel/mm/ksm/pages_to_scan
|
||||
echo $3 > /sys/kernel/mm/ksm/sleep_millisecs
|
||||
echo 1 > /sys/kernel/mm/ksm/run
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
committed_memory () {
|
||||
# calculate how much memory is committed to running qemu processes
|
||||
local pidlist
|
||||
pidlist=$(pgrep -d ' ' -- '^qemu(-(kvm|system-.+)|:.{1,11})$')
|
||||
if [ -n "$pidlist" ]; then
|
||||
ps -p "$pidlist" -o rsz=
|
||||
fi | awk '{ sum += $1 }; END { print 0+sum }'
|
||||
}
|
||||
|
||||
free_memory () {
|
||||
awk '/^(MemFree|Buffers|Cached):/ {free += $2}; END {print free}' \
|
||||
/proc/meminfo
|
||||
}
|
||||
|
||||
increase_npages() {
|
||||
local delta
|
||||
delta=${1:-0}
|
||||
npages=$[npages + delta]
|
||||
if [ $npages -lt $KSM_NPAGES_MIN ]; then
|
||||
npages=$KSM_NPAGES_MIN
|
||||
elif [ $npages -gt $KSM_NPAGES_MAX ]; then
|
||||
npages=$KSM_NPAGES_MAX
|
||||
fi
|
||||
echo $npages
|
||||
}
|
||||
|
||||
|
||||
adjust () {
|
||||
local free committed
|
||||
free=`free_memory`
|
||||
committed=`committed_memory`
|
||||
debug committed $committed free $free
|
||||
if [ $[committed + thres] -lt $total -a $free -gt $thres ]; then
|
||||
KSMCTL stop
|
||||
debug "$[committed + thres] < $total and free > $thres, stop ksm"
|
||||
return 1
|
||||
fi
|
||||
debug "$[committed + thres] > $total, start ksm"
|
||||
if [ $free -lt $thres ]; then
|
||||
npages=`increase_npages $KSM_NPAGES_BOOST`
|
||||
debug "$free < $thres, boost"
|
||||
else
|
||||
npages=`increase_npages $KSM_NPAGES_DECAY`
|
||||
debug "$free > $thres, decay"
|
||||
fi
|
||||
KSMCTL start $npages $sleep
|
||||
debug "KSMCTL start $npages $sleep"
|
||||
return 0
|
||||
}
|
||||
|
||||
function nothing () {
|
||||
:
|
||||
}
|
||||
|
||||
loop () {
|
||||
trap nothing SIGUSR1
|
||||
while true
|
||||
do
|
||||
sleep $KSM_MONITOR_INTERVAL &
|
||||
wait $!
|
||||
adjust
|
||||
done
|
||||
}
|
||||
|
||||
PIDFILE=${PIDFILE-/var/run/ksmtune.pid}
|
||||
if touch "$PIDFILE"; then
|
||||
loop &
|
||||
echo $! > "$PIDFILE"
|
||||
fi
|
@ -1,21 +0,0 @@
|
||||
# Configuration file for ksmtuned.
|
||||
|
||||
# How long ksmtuned should sleep between tuning adjustments
|
||||
# KSM_MONITOR_INTERVAL=60
|
||||
|
||||
# Millisecond sleep between ksm scans for 16Gb server.
|
||||
# Smaller servers sleep more, bigger sleep less.
|
||||
# KSM_SLEEP_MSEC=10
|
||||
|
||||
# KSM_NPAGES_BOOST=300
|
||||
# KSM_NPAGES_DECAY=-50
|
||||
# KSM_NPAGES_MIN=64
|
||||
# KSM_NPAGES_MAX=1250
|
||||
|
||||
# KSM_THRES_COEF=20
|
||||
# KSM_THRES_CONST=2048
|
||||
|
||||
# uncomment the following if you want ksmtuned debug info
|
||||
|
||||
# LOGFILE=/var/log/ksmtuned
|
||||
# DEBUG=1
|
@ -1,13 +0,0 @@
|
||||
[Unit]
|
||||
Description=Kernel Samepage Merging (KSM) Tuning Daemon
|
||||
After=ksm.service
|
||||
Requires=ksm.service
|
||||
ConditionVirtualization=no
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/ksmtuned
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
Type=forking
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
18
kvm.modules
18
kvm.modules
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
case $(uname -m) in
|
||||
ppc64)
|
||||
grep OPAL /proc/cpuinfo >/dev/null 2>&1 && opal=1
|
||||
|
||||
modprobe -b kvm >/dev/null 2>&1
|
||||
modprobe -b kvm-pr >/dev/null 2>&1 && kvm=1
|
||||
if [ "$opal" ]; then
|
||||
modprobe -b kvm-hv >/dev/null 2>&1
|
||||
fi
|
||||
;;
|
||||
s390x)
|
||||
modprobe -b kvm >/dev/null 2>&1 && kvm=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
19
qemu-ga.sysconfig
Normal file
19
qemu-ga.sysconfig
Normal file
@ -0,0 +1,19 @@
|
||||
# This is a systemd environment file, not a shell script.
|
||||
# It provides settings for "/lib/systemd/system/qemu-guest-agent.service".
|
||||
|
||||
# Comma-separated blacklist of RPCs to disable, or empty list to enable all.
|
||||
#
|
||||
# You can get the list of RPC commands using "qemu-ga --blacklist='?'".
|
||||
# There should be no spaces between commas and commands in the blacklist.
|
||||
#BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status
|
||||
|
||||
# Fsfreeze hook script specification.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME=/dev/null : disables the feature.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME=/path/to/executable : enables the feature with the
|
||||
# specified binary or shell script.
|
||||
#
|
||||
# FSFREEZE_HOOK_PATHNAME= : enables the feature with the
|
||||
# default value (invoke "qemu-ga --help" to interrogate).
|
||||
FSFREEZE_HOOK_PATHNAME=/etc/qemu-ga/fsfreeze-hook
|
@ -1,11 +1,19 @@
|
||||
[Unit]
|
||||
Description=QEMU Guest Agent
|
||||
BindTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
BindsTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
After=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
IgnoreOnIsolate=True
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/bin/qemu-ga
|
||||
UMask=0077
|
||||
EnvironmentFile=/etc/sysconfig/qemu-ga
|
||||
ExecStart=/usr/bin/qemu-ga \
|
||||
--method=virtio-serial \
|
||||
--path=/dev/virtio-ports/org.qemu.guest_agent.0 \
|
||||
--blacklist=${BLACKLIST_RPC} \
|
||||
-F${FSFREEZE_HOOK_PATHNAME}
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=dev-virtio\x2dports-org.qemu.guest_agent.0.device
|
||||
|
@ -1,3 +1,10 @@
|
||||
#!/bin/sh
|
||||
|
||||
exec /usr/bin/qemu-system-x86_64 -machine accel=kvm "$@"
|
||||
# Libvirt introspects the binary using -M none. In that case, don't try
|
||||
# to init KVM, which will fail and be noisy if the host has kvm disabled
|
||||
opts="-machine accel=kvm"
|
||||
if echo "$@" | grep -q " -M none "; then
|
||||
opts=
|
||||
fi
|
||||
|
||||
exec /usr/bin/qemu-system-x86_64 $opts "$@"
|
||||
|
22
qemu.binfmt
22
qemu.binfmt
@ -1,22 +0,0 @@
|
||||
:qemu-alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:
|
||||
:qemu-armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:
|
||||
:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:
|
||||
:qemu-cris:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x4c\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-cris:
|
||||
:qemu-i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
|
||||
:qemu-i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:
|
||||
:qemu-m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:
|
||||
:qemu-microblazeel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xab\xba:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-microblazeel:
|
||||
:qemu-microblaze:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xba\xab:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-microblaze:
|
||||
:qemu-mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:
|
||||
:qemu-mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:
|
||||
:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
|
||||
:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:
|
||||
:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
|
||||
:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
|
||||
:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
|
||||
:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
|
||||
:qemu-sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:
|
||||
:qemu-sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:
|
||||
:qemu-sparc32plus:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc32plus:
|
||||
:qemu-sparc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2b:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc64:
|
||||
:qemu-sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:
|
Loading…
Reference in New Issue
Block a user