Commit Graph

900 Commits

Author SHA1 Message Date
Stefan Hajnoczi
f465706e59 trivial patches for 2017-05-10
-----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlkSvwIPHG1qdEB0bHMu
 bXNrLnJ1AAoJEHAbT2saaT5Zys4IAMZLWicv1c7O3m1ajmmg7iGfRbsajcx9FSBi
 NxdrqG3zgV10gz8/R7goMYGkeFs8MAoDfagbBkXgwFgA31M+ecOe93XyoOQLpe9/
 43fx2u8exVdruIb60F5yDEd51RLwK2C4Iz7SVNRoVWMqDcMOCuC+WBog+AbTB0V+
 19RjhKStMyXMXPYVO0bLhQIcH+ixFLUljbpwDvz5FKor5NqGG+FzHjmwYciiTbr3
 o7Z3OIMWT7rDr9V5/553miiNP9ufG3fJreMyXDrTkFRVmDZaqRBp+tvdrYcb77ed
 /DDxC5vafgCRzwsrmCIsIQXV0janFGDQiqbR+hzBMBG1RTRoBiM=
 =AAfU
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'mjt/tags/trivial-patches-fetch' into staging

trivial patches for 2017-05-10

# gpg: Signature made Wed 10 May 2017 03:19:30 AM EDT
# gpg:                using RSA key 0x701B4F6B1A693E59
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59

* mjt/tags/trivial-patches-fetch: (23 commits)
  tests: Remove redundant assignment
  MAINTAINERS: Update paths for AioContext implementation
  MAINTAINERS: Update paths for main loop
  jazz_led: fix bad snprintf
  tests: Ignore another built executable (test-hmp)
  scripts: Switch to more portable Perl shebang
  scripts/qemu-binfmt-conf.sh: Fix shell portability issue
  virtfs: allow a device id to be specified in the -virtfs option
  hw/core/generic-loader: Fix crash when running without CPU
  virtio-blk: Remove useless condition around g_free()
  qemu-doc: Fix broken URLs of amnhltm.zip and dosidle210.zip
  use _Static_assert in QEMU_BUILD_BUG_ON
  channel-file: fix wrong parameter comments
  block: Make 'replication_state' an enum
  util: Use g_malloc/g_free in envlist.c
  qga: fix compiler warnings (clang 5)
  device_tree: fix compiler warnings (clang 5)
  usb-ccid: make ccid_write_data_block() cope with null buffers
  tests: Ignore more test executables
  Add 'none' as type for drive's if option
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-05-10 12:31:19 -04:00
Paolo Bonzini
e9c6ab62c7 jazz_led: fix bad snprintf
Detected by GCC 7's -Wformat-truncation.  snprintf writes at most
2 bytes here including the terminating NUL, so the result is
truncated.  In addition, the newline at the end is pointless.
Fix the buffer size and the format string.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-05-10 10:19:24 +03:00
Mark Cave-Ayland
8eb57ae3f9 cg3: add explicit ram_addr_t cast to scanline page variable
Coverity warns that multiplying two 32-bit values gives a 32-bit result which
is assigned to a 64-bit variable. Add an explicit ram_addr_t cast to silence
the warning.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-05-05 09:49:00 +01:00
Mark Cave-Ayland
b290f3b12e tcx: fix cut/paste error in update_palette_entries()
Commit ee72bed0 "tcx: remove primitives for non-32-bit surfaces" accidentally
left a trailing break in update_palette_entries() causing the palette update
routine to exit after just one iteration. Remove it.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2017-05-05 09:48:32 +01:00
Peter Maydell
eab1e53cac fix display update races, part one.
add xres + yres properties to qxl and virtio.
 misc fixes and cleanups.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJY/ew5AAoJEEy22O7T6HE4sXIP/2UxIRxgqIG/Gj+WWp4hHI7L
 9IharsFTO2OvZmwko+FdX8EKTJrDUNkCclei8FpYXmL3xnSALwYSokEjJV5wJ9r3
 Owf+ymWgwLfr6k/pnHb4F6iBQk82m052ZXJB4nsAJV1RbCA2cEnyuF7IVA/uPZf7
 HCjkXwJcg53XyVy7OzDilgZkNxFeioc4I32pjTBtWKmqsFqZqsLMJMZ5pD3ubpRz
 7wfwBFvH910TjB7YVPfZN0l8b2X6dUiK1b+pQCqvogoDLhItxG6aN3J3sjDbOoSP
 6Bwm815oPWziVWXHvPEoMhdorGhkoGpJXBdkSTeiW/CCdl6zF1EUJZc6yDWh+2SS
 ZKjV/aY0qPOxNMlaN4gf2scKVbn8nrsB/NnH53uczAUaelfn1v8S0aRr01i0z43v
 TWu87OszG14cQNssVjI8v80G+29Dr2bw0tFN2JAjVB7ZrNWCOkOgelxFEOBPK4EU
 eBeH1fUN0/QrTvRi2JS9b4GOW94LyY20AQPvQo7aqV9PVY+5qbiVi6BSavwdhjbR
 IAh8A60xIOTm3gyM2riKi5/0YBpyUFB6dnTVn5fLwipD9pjpdT/jQyn4Kl7ZSq7T
 q8gDJ99A/zKfte0y/JyL+iJ0JPNhzQwviTpemupDa9hbrHEkpIy7LKE74JXVicEO
 zBzIa3b+I9iogSLf3V5v
 =1F5z
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170424-1' into staging

fix display update races, part one.
add xres + yres properties to qxl and virtio.
misc fixes and cleanups.

# gpg: Signature made Mon 24 Apr 2017 13:14:49 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170424-1:
  virtio-gpu: add xres and yres properties
  qxl: add xres and yres properties
  vmsvga: fix vmsvga_update_display
  g364fb: make display updates thread safe
  exynos: make display updates thread safe
  framebuffer: make display updates thread safe
  vga: make display updates thread safe.
  vga: add vga_scanline_invalidated helper
  memory: add support getting and using a dirty bitmap copy.
  bitmap: add bitmap_copy_and_clear_atomic
  virtio-gpu: replace PIXMAN_* by PIXMAN_BE_*
  console: add same displaychangelistener registration pre-condition
  console: add same surface replace pre-condition

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 15:37:30 +01:00
BALATON Zoltan
2edd6e4ac5 sm501: Add vmstate descriptor
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 86803c6f40cd678b61b3b1a1429683f60f0aa89a.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
b612a49db2 sm501: Add some more missing registers
This is to allow clients to initialise these without failing as long
as no 2D engine function is called that would use the written value.
Saved values are not used yet (may get used when more of 2D engine is
added sometimes) and clients normally only write to most of these
registers, nothing is known to ever read them but they are documented
as read/write so also implement read for these.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 80adf8e4d084ec6cc30d149f8e8215debb67314a.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
1ae5e6eb42 sm501: Add support for panel layer
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 2029a276362c0c3a14c78acb56baa9466848dd51.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
01d2d584c9 sm501: Misc clean ups
- Rename a variable
- Move variable declarations out of loop to the beginning in draw_hwc_line

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 187c9e4e09d9bc2967b2454b36bb088ceef0b8bc.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
6a2a5aae02 sm501: Fix hardware cursor
Rework HWC handling to simplify it and fix cursor not updating on
screen as needed. Previously cursor was not updated because checking
for changes in a line overrode the update flag set for the cursor but
fixing this is not enough because the cursor should also be updated if
its shape or location changes. Introduce hwc_invalidate() function to
handle that similar to other display controller models.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 6970a5e9868b7246656c1d02038dc5d5fa369507.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
afef2e1d53 sm501: Fix device endianness
We only emulate the sysbus device in its default LE mode and PCI is LE
as well so specify this for registers and framebuffer memory.

Note that though the Linux kernel driver has code which claims to
handle both big and little endian, it is obviously bogus for 16 bit
and cannot be trusted as a source of information on the framebuffer
pixel format. This is our best guess about device behaviour based on
the specs and testing with MorphOS that is known to work on real HW.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 8b9605a569f8bf54074e15903620b18cd9967c89.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
efae27848d sm501: Add emulation of chip connected via PCI
Only the display controller part is created automatically on PCI

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 647d292c6f5abba8b2a614687229949b5dcb864e.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
c795fa8447 sm501: Get rid of base address in draw_hwc_line
Do not use the base address to access data in local memory. This is in
preparation to allow chip connected via PCI where base address depends
on where the BAR is mapped so it will be unknown.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 79dab21bc6ec4d563aabf265c3bab40e2e95aae8.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
ca8a110470 sm501: QOMify
Adding vmstate saving is not in this patch because the state structure
will be changed in further patches, then another patch will add
vmstate descriptor after those changes.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: a32b7fc981a20205f96d530d8e958f12ace1104c.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
70e46ca887 sm501: Add missing arbitration control register
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: d1eaf3b19c40aeb32a343a211f2b56664a67f948.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
e2ee84760e sm501: Use defined constants instead of literal values where available
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 31205c2df623e7b133ef942ff4f5e95fff800a14.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
BALATON Zoltan
64f1603b07 sm501: Fixed code style and a few typos in comments
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Message-id: 36288b703e7d56822c818567193ff28cdc47377e.1492787889.git.balaton@eik.bme.hu
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-04-24 12:32:12 +01:00
Gerd Hoffmann
729abb6a92 virtio-gpu: add xres and yres properties
So the default resolution is configurable.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170421092214.8176-1-kraxel@redhat.com
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
6f663d7be9 qxl: add xres and yres properties
Add properties for the default display resolution, pass
on that information to the guest so the driver can use it.

Also move up qxl_crc32() function so we don't need a
forward declaration.

Additionally guest driver updates are needed so the
guest driver will actually pick this up, which will
probably land in linux kernel 4.12.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421092234.8368-1-kraxel@redhat.com
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
104bd1dc70 vmsvga: fix vmsvga_update_display
Fix standard vga mode check:  Both s->config and s->enabled must be set
to enable vmware command fifo processing.

Drop dirty tracking code from the fifo rendering code path, it isn't
used anyway because vmsvga turns off dirty tracking when leaving
standard vga mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-9-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
7fcf0c24e7 g364fb: make display updates thread safe
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-8-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
553bcce5ac exynos: make display updates thread safe
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-7-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
167e9c7982 framebuffer: make display updates thread safe
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-6-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
fec5e8c92b vga: make display updates thread safe.
The vga code clears the dirty bits *after* reading the framebuffer
memory.  So if the guest framebuffer updates hits the race window
between vga reading the framebuffer and vga clearing the dirty bits
vga will miss that update

Fix it by using the new memory_region_copy_and_clear_dirty()
memory_region_copy_get_dirty() functions.  That way we clear the
dirty bitmap before reading the framebuffer.  Any guest display
updates happening in parallel will be properly tracked in the
dirty bitmap then and the next display refresh will pick them up.

Problem triggers with mttcg only.  Before mttcg was merged tcg
never ran in parallel to vga emulation.  Using kvm will hide the
problem too, due to qemu operating on a userspace copy of the
kernel's dirty bitmap.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-5-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Gerd Hoffmann
f3289f6f0f vga: add vga_scanline_invalidated helper
Add vga_scanline_invalidated helper to check whenever a scanline was
invalidated.  Add a sanity check to fix OOB read access for display
heights larger than 2048.

Only cirrus uses this, for hardware cursor rendering, so having this
work properly for the first 2048 scanlines only shouldn't be a problem
as the cirrus can't handle large resolutions anyway.  Also changing the
invalidated_y_table size would break live migration.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-4-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Laurent Vivier
a27450ec04 virtio-gpu: replace PIXMAN_* by PIXMAN_BE_*
This avoids a "#ifdef HOST_WORDS_BIGENDIAN" and this is the purpose
of PIXMAN_BE_* macros.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@redhat.com>
Message-id: 20170403114044.15762-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-24 10:12:28 +02:00
Mark Cave-Ayland
7497638642 tcx: switch to load_image_mr() and remove prom_addr hack
Previous to the existence of load_image_mr(), the only way to load in the
FCode ROM image was to pass in its physical address via qdev properties
and use load_image_targphys().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
973945804d tcx: use tcx_set_dirty() for accelerated ops
Rather than calling memory_region_set_dirty() directly, make sure that we call
tcx_set_dirty() instead. This ensures that the 24-bit plane and cplane are
also invalidated correctly.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
ee72bed08c tcx: remove primitives for non-32-bit surfaces
As all surfaces in QEMU are now either shared or 32-bit ARGB regardless of
the guest depth, remove all non-32-bit primitives from tcx_update_display()
and consequence their implementation which are no longer required.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
d18e101225 tcx: remove TARGET_PAGE_SIZE from tcx24_update_display()
Now that page alignment is handled by the memory API, there is no need to
duplicate the code 4 times (4 * 1024 == 4096 == TARGET_PAGE_SIZE).

Finally we have now removed all traces of TARGET_PAGE_SIZE.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
0a97c6c4f9 tcx: remove TARGET_PAGE_SIZE from tcx_update_display()
Now that page alignment is handled by the memory API, there is no need to
duplicate the code 4 times (4 * 1024 == 4096 == TARGET_PAGE_SIZE).

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
66dcabea47 tcx: remove page24 and cpage from tcx24_update_display()
Since all of the tcx_*_dirty() functions now calculate the 24-bit and
cplane offsets themselves from the base address, these variables are no
longer needed.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
36180430ac tcx: alter tcx24_reset_dirty() to accept address and length parameters
This can now be used by both the 8-bit and 24-bit display code, so rename
to tcx_check_dirty().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
427ee02bc9 tcx: alter tcx24_check_dirty() to accept address and length parameters
This can now be used by both the 8-bit and 24-bit display code, so rename
to tcx_check_dirty().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
4b865c2809 tcx: ensure tcx_set_dirty() also invalidates the 24-bit plane and cplane
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
9800b3c20e tcx: alter tcx_set_dirty() to accept address and length parameters
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 09:02:04 +01:00
Mark Cave-Ayland
8c95e1f20c cg3: switch to load_image_mr() and remove prom-addr hack
Previous to the existence of load_image_mr(), the only way to load in the
FCode ROM image was to pass in its physical address via qdev properties
and use load_image_targphys().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-04-21 09:01:49 +01:00
Mark Cave-Ayland
be4221d993 cg3: fix up size parameter for memory_region_get_dirty()
The code was incorrectly calculating the end address rather than the size of
the required region.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 08:31:30 +01:00
Mark Cave-Ayland
66e2f304a3 cg3: remove TARGET_PAGE_SIZE rounding on dirty page detection
This was an artifact from very early versions of the code from before the
memory API and is no longer needed.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-21 08:31:15 +01:00
Gerd Hoffmann
86dbcdd9c7 qxl: add migration blocker to avoid pre-save assert
Cc: 1635339@bugs.launchpad.net
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170410113131.2585-1-kraxel@redhat.com
2017-04-11 08:38:17 +02:00
Marc-André Lureau
a703d3aef5 qxl: switch display on entering VGA
Since commit cd958edb1f, same size console resize is skipped. This
change broke QXL incoming migration in VGA mode,
qemu_spice_display_switch() is no longer called during qxl_post_load(),
because default message surface is of the same size, and during
displaychangelistener registration, PCIQXLDevice.mode is
QXL_MODE_UNDEFINED. This triggers a later crash on refresh:

==2634== Invalid read of size 4
==3516== at 0x65F3050: pixman_image_get_data (in /usr/lib64/libpixman-1.so.0.34.0)
==3516== by 0x6F0CEB: qemu_spice_create_update (spice-display.c:215)
==3516== by 0x6F1CC7: qemu_spice_display_refresh (spice-display.c:502)
==3516== by 0x58CF77: display_refresh (qxl.c:1948)
==3516== by 0x6E8084: do_safe_dpy_refresh (console.c:1591)
==3516== by 0x6E80D5: dpy_refresh (console.c:1604)
==3516== by 0x6E4508: gui_update (console.c:201)
==3516== by 0x81898E: timerlist_run_timers (qemu-timer.c:536)
==3516== by 0x8189D6: qemu_clock_run_timers (qemu-timer.c:547)
==3516== by 0x818D98: qemu_clock_run_all_timers (qemu-timer.c:662)
==3516== by 0x81952A: main_loop_wait (main-loop.c:514)
==3516== by 0x4ADD29: main_loop (vl.c:1898)

One way to solve this is to explicitely call qemu_spice_display_switch()
on entering VGA mode, which is called during qxl_post_load().

Fixes:
"null pointer access on migration resume of systemrescuecd boot menu with qxl-vga"
https://bugs.launchpad.net/qemu/+bug/1679126
https://bugzilla.redhat.com/show_bug.cgi?id=1438566

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170406120513.638-4-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-04-07 12:31:46 +02:00
Gerd Hoffmann
db6cd4c855 cirrus: fix PUTPIXEL macro
Should be "c" not "col".  The macro is used with "col" as third parameter
everywhere, so this tyops doesn't break something.

Fixes: 026aeffcb4
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1490168303-24588-1-git-send-email-kraxel@redhat.com
2017-03-27 12:14:45 +02:00
Gerd Hoffmann
cc720a5dc4 add opengl_cflags to QEMU_CFLAGS
... and drop OPENGL_CFLAGS from Makefiles.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1490079888-29029-1-git-send-email-kraxel@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-21 10:25:01 +00:00
Peter Maydell
940a8ce075 fixes for 2.9-rc1, plus removal of -mno-cygwin references
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQExBAABCAAbBQJYz7wTFBxwYm9uemluaUByZWRoYXQuY29tAAoJEL/70l94x66D
 AYwH/ip/ZIxsAEKMpQnGfwgHiLgGvFD+10wJECXLChyzcQLqqs4KingQEHMh6o9f
 Y1DTMyJBDk65k5zSEVx7nqisI82SUlvwOZJpVqCfF2AbY/HR+a+tUOp9njuz6EDh
 ZVSAnvIDfZC1P2BcXOPzEySXBNCZcZG0iHO9U4eobGAxRGVUs/8a8qHTuRVc2Mwg
 bT7lxLzE4chgQ1jFu2D7TzjwkFvAYeUHWdj2rl+U3KwEF9pUm0hAEfvymEP4d6hE
 hPqcE2X9W42n8wbxL7edI0EVZnc+bltfakioy+BxgrkxEZFLgMmKsUtNOuQ7sUdT
 VvQ3Zbw2solv6ltOqCbexLWueM4=
 =Vli2
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

fixes for 2.9-rc1, plus removal of -mno-cygwin references

# gpg: Signature made Mon 20 Mar 2017 11:25:07 GMT
# gpg:                using RSA key 0xBFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  hax: fix breakage in locking
  configure: remove Cygwin
  xen: do not build backends for targets that do not support xen
  qemu-ga: obey LISTEN_PID when using systemd socket activation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-20 16:34:26 +00:00
Stefano Stabellini
6b827cca9a xen: do not build backends for targets that do not support xen
Change Makefile.objs to use CONFIG_XEN instead of CONFIG_XEN_BACKEND, so
that the Xen backends are only built for targets that support Xen.

Set CONFIG_XEN in the toplevel Makefile to ensure that files that are
built only once pick up Xen support properly.

Signed-off-by: Stefano Stabellini <stefano@aporeto.com>
Tested-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
CC: pbonzini@redhat.com
CC: peter.maydell@linaro.org
CC: rth@twiddle.net
CC: stefanha@redhat.com
Message-Id: <1489694518-16978-1-git-send-email-sstabellini@kernel.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-19 11:12:12 +01:00
Gerd Hoffmann
f019722cbb cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
The switch from pointers to addresses (commit
026aeffcb4 and
ffaf857778) added
a off-by-one bug to 16bit backward blits.  Fix.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com
2017-03-17 10:23:44 +01:00
Gerd Hoffmann
ffaf857778 cirrus: stop passing around src pointers in the blitter
Does basically the same as "cirrus: stop passing around dst pointers in
the blitter", just for the src pointer instead of the dst pointer.

For the src we have to care about cputovideo blits though and fetch the
data from s->cirrus_bltbuf instead of vga memory.  The cirrus_src*()
helper functions handle that.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:16 +01:00
Gerd Hoffmann
026aeffcb4 cirrus: stop passing around dst pointers in the blitter
Instead pass around the address (aka offset into vga memory).  Calculate
the pointer in the rop_* functions, after applying the mask to the
address, to make sure the address stays within the valid range.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann
e048dac616 cirrus: fix cirrus_invalidate_region
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
Fix calculation to make sure to allow that, otherwise the assert added
by commit f153b563f8 can trigger for valid
blits.

Test case: boot windows nt 4.0

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann
827bd51726 cirrus: add option to disable blitter
Ok, we have this beast in the cirrus code which is not used at all by
modern guests, except when you try to find security holes in qemu.  So,
add an option to disable blitter altogether.  Guests released within
the last ten years should not show any rendering issues if you turn off
blitter support.

There are no known bugs in the cirrus blitter code.  But in the past we
hoped a few times already that we've finally nailed the last issue.  So
having some easy way to mitigate in case yet another blitter issue shows
up certainly makes me sleep a bit better at night.

For completeness:  The by far better way to mitigate is to switch away
from cirrus and use stdvga instead.  Or something more modern like
virtio-vga in case your guest has support for it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494540-15745-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann
73c148130b cirrus: switch to 4 MB video memory by default
Quoting cirrus source code:
   Follow real hardware, cirrus card emulated has 4 MB video memory.
   Also accept 8 MB/16 MB for backward compatibility.

So just use 4MB by default.  We decided to leave that at 8MB by default
a while ago, for live migration compatibility reasons.  But we have
compat properties to handle that, so that isn't a compeling reason.

This also removes some sanity check inconsistencies in the cirrus code.
Some places check against the allocated video memory, some places check
against the 4MB physical hardware has.  Guest code can trigger asserts
because of that.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494514-15606-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
Gerd Hoffmann
50628d3479 cirrus/vnc: zap bitblit support from console code.
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests.  It is supported by cirrus and vnc server.  The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.

This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more.  Any linux guest using the cirrus drm
driver doesn't.  Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.

So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".

Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full).  This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display.  So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.

Lets kill it once for all.

Oh, and one more reason: Turns out (after writing the patch) we have a
security bug in that code path ...

Fixes: CVE-2016-9603
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com
2017-03-16 08:58:15 +01:00
hangaohuai
215902d7b6 fix :cirrus_vga fix OOB read case qemu Segmentation fault
check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segmentation fault.

After the fix, we will touch the assert in
cirrus_invalidate_region:
assert(off_cur_end >= off_cur);

Signed-off-by: fangying <fangying1@huawei.com>
Signed-off-by: hangaohuai <hangaohuai@huawei.com>
Message-id: 20170314063919.16200-1-hangaohuai@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-16 08:58:15 +01:00
Gerd Hoffmann
dbb5fb8d35 qxl: clear guest_cursor on QXL_CURSOR_HIDE
Make sure we don't leave guest_cursor pointing into nowhere.  This might
lead to (rare) live migration failures, due to target trying to restore
the cursor from the stale pointer.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1421788
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1488789111-27340-1-git-send-email-kraxel@redhat.com
2017-03-09 09:47:26 +01:00
Peter Maydell
7d1730b7d9 trivial patches for 2017-02-28
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCAAGBQJYtRwrAAoJEHAbT2saaT5ZQSQIAKWIXrxhIGO6hGEDc50YL6x6
 tQMOnPQOulLtS76rGDAZrJwc47wqpXUtBCuevgwwqbxraLHF4LRnMf0I+xSR+lTt
 PF9vmgDgB4BVDpSTqphjaCBccXPYPqXzUtYaDcT6xePy8aB+/40nqsnby5hf+BXT
 zNpZZrn23papmftS3LnZ5j/lKNIsIlS/v5WIy8xNK0pBTKx4W1ZzDWrYq8crqW+v
 NqQSoVbNOEHOt1+C+nEX6gxUnY6rJXAVB0ICT0fSY9NRhFjPeu1Fx6EtCRNaluXm
 zOZ7t4kTjpB7IcHy3lqDTaWV6VVwBFUym5pfwjRLcge4ln+a5O454+/i8mxerfo=
 =jvkw
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into staging

trivial patches for 2017-02-28

# gpg: Signature made Tue 28 Feb 2017 06:43:55 GMT
# gpg:                using RSA key 0x701B4F6B1A693E59
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59

* remotes/mjt/tags/trivial-patches-fetch:
  syscall: fixed mincore(2) not failing with ENOMEM
  hw/acpi/tco.c: fix tco timer stop
  lm32: milkymist-tmu2: fix a third integer overflow
  qemu-options.hx: add missing id=chr0 chardev argument in vhost-user example
  Update copyright year
  tests/prom-env: Enable the test for the sun4u machine, too
  cadence_gem: Remove unused parameter debug message
  register: fix incorrect read mask
  ide: remove undefined behavior in ide-test
  CODING_STYLE: Mention preferred comment form
  hw/core/register: Mark the device with cannot_instantiate_with_device_add_yet
  hw/core/or-irq: Mark the device with cannot_instantiate_with_device_add_yet
  softfloat: Use correct type in float64_to_uint64_round_to_zero()
  target/s390x: Fix typo

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-28 16:22:41 +00:00
Peter Maydell
3d74ee7dca lm32: milkymist-tmu2: fix a third integer overflow
Don't truncate the multiplication and do a 64 bit one instead
because the result is stored in a 64 bit variable.

This fixes a similar coverity warning to commits 237a8650d6 and
4382fa6554, in a similar way, and is the final third of the fix for
coverity CID 1167561 (hopefully!).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-28 09:03:39 +03:00
Gerd Hoffmann
975896fc88 virtio-gpu: use dpy_gl_scanout_disable
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1487669841-13668-4-git-send-email-kraxel@redhat.com
2017-02-27 16:15:29 +01:00
Gerd Hoffmann
f4c36bdab6 console: rename dpy_gl_scanout to dpy_gl_scanout_texture
We'll add a variant which accepts dmabufs soon.  Change
the name so we can easily disturgish the two variants.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1487669841-13668-2-git-send-email-kraxel@redhat.com
2017-02-27 16:15:28 +01:00
Gerd Hoffmann
92f2b88cea cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-24 14:35:50 +01:00
Halil Pasic
59046ec29a migration: consolidate VMStateField.start
The member VMStateField.start is used for two things, partial data
migration for VBUFFER data (basically provide migration for a
sub-buffer) and for locating next in QTAILQ.

The implementation of the VBUFFER feature is broken when VMSTATE_ALLOC
is used. This however goes unnoticed because actually partial migration
for VBUFFER is not used at all.

Let's consolidate the usage of VMStateField.start by removing support
for partial migration for VBUFFER.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>

Message-Id: <20170203175217.45562-1-pasic@linux.vnet.ibm.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-02-13 17:27:13 +00:00
Gerd Hoffmann
12e97ec399 Revert "cirrus: allow zero source pitch in pattern fill rops"
This reverts commit 5858dd1801.

Conflicts:
	hw/display/cirrus_vga.c

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann
95280c31cd cirrus: fix patterncopy checks
The blit_region_is_unsafe checks don't work correctly for the
patterncopy source.  It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}.  So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source.  Also handle the case where we
blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801.

Security impact:  I think for the most part error on the safe side this
time, refusing blits which should have been allowed.

Only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
even in that case I'm not fully sure this actually allows read access to
host memory.  To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann
ec87f206d7 cirrus: replace debug printf with trace points
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486561893-26470-2-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann
cf7dabeebc vga: replace debug printf with trace points
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486561893-26470-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Gerd Hoffmann
5e8e3c4c75 virtio-gpu: fix resource leak in virgl_cmd_resource_unref
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
we'll leak memory.

This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
Li Qiang
dd248ed7e2 virtio-gpu: fix memory leak in set scanout
In virtio_gpu_set_scanout function, when creating the 'rect'
its refcount is set to 2, by pixman_image_create_bits and
qemu_create_displaysurface_pixman function. This can lead
a memory leak issues. This patch avoid this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-10 16:49:45 +01:00
Peter Maydell
5b66d7ae89 cirrus: multiple bugfixes, including CVE-2017-2615 fix.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJYk0pHAAoJEEy22O7T6HE4jNEP/3wpFsWF+6nsLWKHJLweuEZh
 cuI/Nsr2b2Y53geug3GALcTujKAE0ZNiBvYqnf+7NB0Z6NRmAYMW7cYoPEbeQ9PN
 JvBMJahHpcqOeXjex05ZWrrMXHA0hHEXTfzcCyxV+45QlajLoJFDRBEp2vGQb71y
 UxKostXjH4YKzVVA5ApKlrl2HkpSqsyvqSRTknehRHguDtED/BIt5MSTuZYgc38A
 wvHMyF5CJO4K5TGl9KbYRl6fuUCZyPpsUh3+CBoPKid3V6D2JCW6E7hDrI3oUoEQ
 D+P4/Ugq+UagDlpg0vxWHk1P3eQM+SZfdsu7JOtP/OYbQV7h8Vg201yw5mZwru0f
 qyuv7Hio8eZfsxDLNJq8yO/bD1R76EYnO1ehtRljJcYfnk+wWnreysCSgRfFNj/M
 rZSXvjPkWy/4aDMF+6Vwbz/o3zt1791rVX1HSL9LCSXeHlPYZn0h8QTcE/6nJz97
 TDokZ0aLykoB37AhvL/tj4K/9Bv2RY/NAhj/5Q9VEv2O24fQz9J+EhrG9liBKfM8
 cORPJvbR8OIxttih8A1PCXcBiOfBJ1pEHrXHEHwM5O/YEAGJt5me9kPLdsBCqR3I
 Y1zi6aVTQyeKvIHa+Gq3KLlpJzAqJUiwuwfEvDeOg09ogM6m7g3+hruP16DJu+o3
 z9w3E9ZHUF0ayqvHjTtZ
 =HXaP
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170202-2' into staging

cirrus: multiple bugfixes, including CVE-2017-2615 fix.

# gpg: Signature made Thu 02 Feb 2017 15:03:35 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170202-2:
  cirrus: fix oob access issue (CVE-2017-2615)
  cirrus: fix blit address mask handling
  cirrus: allow zero source pitch in pattern fill rops
  cirrus: handle negative pitch in cirrus_invalidate_region()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-03 09:52:51 +00:00
Peter Maydell
4e9f5244e1 -----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJYkeZAAAoJEJykq7OBq3PI6oUH/3qlRvQrWmhWLR+XCtwU0gON
 HRApL57Of+B1YbqJzb8wzjLMLfzZQYLoT7kf3FDRON751Iwpv2Qyl6j79kbmOQwy
 txvtgUTtPZrOZ9HMk6M1VboiKrkM1t0I1QiRYy/af2f1gD3KTqIt8YN1ic3xatKD
 Fgmx+oD+6EkrNilthemvDyaXtGsdTl4GC9ZbGcJB2VJzzWkksRUfeZWysIu9p2zP
 l6viegW/1+o5wYgBt6DxMalfNGbEiuBgXgx6PVFPbkw0xNURC52qDHhQ91xTSWt1
 pvFrIhYWR/ETN0twJh+jtmCjkawKWSsx2nrLlrSh4H0EpwFoRfFqH/ZrOFSg0wg=
 =QnCX
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Wed 01 Feb 2017 13:44:32 GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/tracing-pull-request:
  trace: clean up trace-events files
  qapi: add missing trace_visit_type_enum() call
  trace: improve error reporting when parsing simpletrace header
  trace: update docs to reflect new code generation approach
  trace: switch to modular code generation for sub-directories
  trace: move setting of group name into Makefiles
  trace: move hw/i386/xen events to correct subdir
  trace: move hw/xen events to correct subdir
  trace: move hw/block/dataplane events to correct subdir
  make: move top level dir to end of include search path

# Conflicts:
#	Makefile

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-02 16:08:28 +00:00
Li Qiang
62d4c6bd52 cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-02-02 15:58:23 +01:00
Gerd Hoffmann
60cd23e851 cirrus: fix blit address mask handling
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
right after assigning them, in cirrus_bitblt_start(), instead of having
this all over the place in the cirrus code, and missing a few places.

Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
2017-02-01 09:47:22 +01:00
Wolfgang Bumiller
5858dd1801 cirrus: allow zero source pitch in pattern fill rops
The rops used by cirrus_bitblt_common_patterncopy only use
the destination pitch, so the source pitch shoul allowed to
be zero and the blit with used for the range check around the
source address.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-01 09:43:09 +01:00
Wolfgang Bumiller
f153b563f8 cirrus: handle negative pitch in cirrus_invalidate_region()
cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch off_begin
marks the top most used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com

[ kraxel: codestyle fixes ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-01 09:41:53 +01:00
Stefan Hajnoczi
7f4076c1bb trace: clean up trace-events files
There are a number of unused trace events that
scripts/cleanup-trace-events.pl finds.  The "hw/vfio/pci-quirks.c"
filename was typoed and "qapi/qapi-visit-core.c" was missing the qapi/
directory prefix.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170126171613.1399-3-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-01-31 17:12:15 +00:00
Michael S. Tsirkin
df45892c12 qxl: switch to constants within BUILD_BUG_ON
We are switching BUILD_BUG_ON to verify that it's parameter is a
compile-time constant, and it turns out that some gcc versions
(specifically gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609) are
not smart enough to figure it out for expressions involving local
variables. This is harmless but means that the check is ineffective for
these platforms.  To fix, replace variables with macros.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2017-01-31 15:57:27 +02:00
Marc-André Lureau
0ec7b3e7f2 char: rename CharDriverState Chardev
Pick a uniform chardev type name.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-01-27 18:07:59 +01:00
Peter Maydell
ffb5a69c31 trivial patches for 2017-01-24
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCAAGBQJYh7icAAoJEHAbT2saaT5ZixMH/2qr2TPaAARnTPFzf/mfpHvR
 jYKZary6L//DTCqjrys5zAVzKUg8rCPGwWI2T2FDsos7Ku4MKBBSfDmnabc+iu0P
 7Rkr18dPGi5ozAiHcGzNXivODVrXBqZT3KcJZ1aYo04Bl0xszxO+fWp2B6n9aXIs
 g4HFq98XGXut8Rs7wNcsUOGHTkIupnzxt+TYXFhezRPq/6bRWZj8pPjwiPReZJBP
 w6IhlVkIxsMdW1tpy+Im21aKCWO23mvQYj+ZiS2eb2F/jcSshL9xp1vqlbNU65H1
 w/zQaUE+m0yJhF7sVKM76101vnDJ1DPxiD/45BnF5p/xwiYcUwpS5UG53riFxAA=
 =B6et
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into staging

trivial patches for 2017-01-24

# gpg: Signature made Tue 24 Jan 2017 20:27:08 GMT
# gpg:                using RSA key 0x701B4F6B1A693E59
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
#      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59

* remotes/mjt/tags/trivial-patches-fetch: (31 commits)
  hw/isa/isa-bus: Set category of the "isabus-bridge" device
  usb: Set category and description of the MTP device
  gdbstub.c: update old error report statements
  gdbstub.c: fix GDB connection segfault caused by empty machines
  scsi-disk: add 'fall through' comment to switch VERIFY cases
  Drop duplicate display option documentation
  hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GB
  win32: use glib gpoll if glib >= 2.50
  util/mmap-alloc: refactor a little bit for readability
  util/mmap-alloc: check parameter before using
  vfio: remove a duplicated word in comments
  docs: sync pci-ids.txt
  disas/cris.c: Fix Coverity warning about unchecked NULL
  lm32: milkymist-tmu2: fix another integer overflow
  hw/i386/kvmvapic: Remove dead code in patch_hypercalls()
  doc/usb2: fix typo
  qga: fix erroneous argument to strerror
  block: remove dead check
  pci-assign: avoid pointless stat
  qemu-img: remove dead check
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-25 10:42:26 +00:00
Peter Maydell
ba56e4cad4 hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GB
Coverity points out that calculating src_len by multiplying
src_width by rows could overflow. This can only happen in
the implausible case of a framebuffer larger than 4GB, but
we may as well fix it, placating Coverity. (CID1005515)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:53 +03:00
Peter Maydell
4382fa6554 lm32: milkymist-tmu2: fix another integer overflow
Don't truncate the multiplication and do a 64 bit one instead
because the result is stored in a 64 bit variable.

This fixes a similar coverity warning to commit 237a8650d6,
in a similar way, and is the other half of the fix for
coverity CID 1167561.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:53 +03:00
Stefan Weil
b12227afb1 hw: Fix typos found by codespell
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24 23:26:52 +03:00
Ashijeet Acharya
fe44dc9180 migration: disallow migrate_add_blocker during migration
If a migration is already in progress and somebody attempts
to add a migration blocker, this should rightly fail.

Add an errp parameter and a retcode return value to migrate_add_blocker.

Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Ashijeet Acharya <ashijeetacharya@gmail.com>
Message-Id: <1484566314-3987-5-git-send-email-ashijeetacharya@gmail.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Acked-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  Merged with recent 'Allow invtsc migration' change
2017-01-24 18:00:30 +00:00
Jianjun Duan
2c21ee769e migration: extend VMStateInfo
Current migration code cannot handle some data structures such as
QTAILQ in qemu/queue.h. Here we extend the signatures of put/get
in VMStateInfo so that customized handling is supported. put now
will return int type.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Signed-off-by: Jianjun Duan <duanj@linux.vnet.ibm.com>
Message-Id: <1484852453-12728-2-git-send-email-duanj@linux.vnet.ibm.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-01-24 17:54:47 +00:00
Gerd Hoffmann
a2056e09b0 virtio-gpu: tag as not hotpluggable
qemu can't hotplug display devices.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1483970138-20360-1-git-send-email-kraxel@redhat.com
2017-01-11 09:19:05 +01:00
Peter Maydell
c84f0f25db virtio-gpu: Fix memory leak in virtio_gpu_load()
Coverity points out that if we fail in the "creating resources"
loop in virtio_gpu_load() we will leak various resources (CID 1356431).
Failing a VM load is going to leave the simulation in a complete mess,
but we can tidy up to the point that a full system reset should
get us back to sanity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483969123-14839-3-git-send-email-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Peter Maydell
039aa5db0e virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
The 'hostmem' field in VirtIOGPU is used to track the total memory
used in pixmaps so that we can impose a maximum limit on it.
However this field is neither migrated nor recalculated on
VM load, which means that after a migration it will be incorrectly
too low, which can allow the guest to use more pixmap memory
than it should. The per-resource hostmem fields are not filled
in either as we reallocate them in the load function.

Recalculate the memory used for each pixmap and the total memory
used as we reallocate the pixmaps in virtio_gpu_load().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483969123-14839-2-git-send-email-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Bruce Rogers
913a87885f display: cirrus: ignore source pitch value as needed in blit_is_unsafe
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Message-id: 20170109203520.5619-1-brogers@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Li Qiang
85d9d04447 virtio-gpu: fix information leak in capset get dispatch
In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com

[ kraxel: resolved conflict ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11 09:19:05 +01:00
Corey Minyard
d307c28ca9 i2c: Allow I2C devices to NAK start events
Add a return value to the event handler.  Some I2C devices will
NAK if they have no data, so allow them to do this.  This required
the following changes:

Go through all the event handlers and change them to return int
and return 0.

Modify i2c_start_transfer to terminate the transaction on a NAK.

Modify smbus handing to not assert if a NAK occurs on a second
operation, and terminate the transaction and return -1 instead.

Add some information on semantics to I2CSlaveClass.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-09 11:40:20 +00:00
Li Qiang
204f01b309 virtio-gpu: fix memory leak in resource attach backing
In the resource attach backing function, everytime it will
allocate 'res->iov' thus can leading a memory leak. This
patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:21 +01:00
Li Qiang
33243031da virtio-gpu-3d: fix memory leak in resource attach backing
If the virgl_renderer_resource_attach_iov function fails the
'res_iovs' will be leaked. Add check of the return value to
free the 'res_iovs' when failing.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:21 +01:00
Li Qiang
b8e23926c5 virtio-gpu: call cleanup mapping function in resource destroy
If the guest destroy the resource before detach banking, the 'iov'
and 'addrs' field in resource is not freed thus leading memory
leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03 15:47:16 +01:00
Gerd Hoffmann
9b7621bca2 virtio-gpu: track and limit host memory allocations
This patch makes virtio-gpu track host memory allocations for ressources
and applies a limit (configurable 256M by default).  When exceeding the
limit virtio-gpu throws VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY errors (like
it already does today when pixman image allocations fail).

This patch covers 2d mode only.  For 3d mode we have to figure how we
are going to handle this best.  qemu doesn't track resources in case
virglrenderer is used, so I guess we should extend virglrenderer to
allow setting a limit, then let qemu set the limit and catch
virgl_renderer_resource_create failures.

Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1480423356-22255-1-git-send-email-kraxel@redhat.com
2016-12-20 14:19:08 +01:00
Prasad J Pandit
abd7f08b23 display: virtio-gpu-3d: check virgl capabilities max_size
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20161214070156.23368-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-20 14:18:39 +01:00
Prasad J Pandit
4299b90e9b display: cirrus: check vga bits per pixel(bpp) value
In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
'cirrus_get_bpp' returns zero(0), which could lead to a divide
by zero error in while copying pixel data. The same could occur
via blit pitch values. Add check to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 11:01:55 +01:00
Li Qiang
2d1cd6c7a9 virtio-gpu: fix memory leak in update_cursor_data_virgl
In update_cursor_data_virgl function, if the 'width'/ 'height'
is not equal to current cursor's width/height it will return
without free the 'data' allocated previously. This will lead
a memory leak issue. This patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Li Qiang
42a8dadc74 virtio-gpu: fix information leak in getting capset info dispatch
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
been full initialized before writing to the guest. This will leak
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Christophe Fergeau
6c7565028c qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes
Currently if the client keeps sending the same monitor config to
QEMU/spice-server, QEMU will always raise
a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
change or not.
Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
event to user-space without checking if there were actual changes.
Next in line are gnome-shell/mutter (on a default f25 install), which
will try to reconfigure everything without checking if there is anything
to do.
Where this gets ugly is that when applying the resolution changes,
gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
drmModeSetCrtc, which will cause the primary surface to be destroyed and
recreated by the QXL KMS driver. This in turn will cause the client to
resend a client monitors config message, which will cause QEMU to reemit
an interrupt with an unchanged monitors configuration, ...
This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484

This commit makes sure that we only emit
QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
changes the guest should act on.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Message-id: 20161028144840.18326-1-cfergeau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00
Peter Maydell
5ff06787d4 Xen 2016/10/28
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYE/VuAAoJEIlPj0hw4a6Q/qAP+gMhunO/OJRSwIlYSOt+fVKW
 LE17QUfdVe204IuWY3h9svTvJXj/pOsE1HtIrGAUwsJxMqMBHeZnKhVZvEbvL2Iy
 sKSxzQkkPa6qVn/+Nxr9ZxULJZPXWnl61FLbElelff4w46lTaBM3gBaWDekFEO64
 RbMvsMAUmav1x88KPvqY71Crbx5wbPhNmFqhbJNaQmm3zIQDK1TzGESv882mQKy2
 rKNapBUXq8XnUNN+lIHhnzU9kUjhZxu7uet3GHMVICeAYu3b9jkgomv2OcV/sfRg
 3o/NoXp4I7ZY3F0fkbtJOIFx0m+YlWnQhkBGsQoXJW+4lUdQR9ypMY4OdzjRa80e
 w9GrDt1//LOYrTpB0ZBkW0MIfnUK4TCqtL/aEQtRY9fdRFvcVpCjnqrYw+u9boZ1
 hVypTYmAbk/ece6aJ/dngDQVtGC9qMGlHtBqSBRajFxenvFdY+DK6/FhITpNmobU
 YPWTSwS6WPw/venfvrTMfCQudGW3Jg8iBzRbGPS+GYfYlTHFoO0lKFGWWeTuRFIw
 /4owDhMJr5hRMRWZxCAu+Z8Ymj1MFuK7zDKjvT9LgWOZORh+rz6Tfn9+oxSt/D9I
 1VKb/T9N9wBS3kreZ+Uz5+aQBoQSN5AQjay2ECZ16u9i63EL89CqXyyrJLlKlEGB
 cP3GzM9DlAtCQR943bys
 =Ao+X
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20161028-tag' into staging

Xen 2016/10/28

# gpg: Signature made Sat 29 Oct 2016 02:03:42 BST
# gpg:                using RSA key 0x894F8F4870E1AE90
# gpg: Good signature from "Stefano Stabellini <sstabellini@kernel.org>"
# gpg:                 aka "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
# Primary key fingerprint: D04E 33AB A51F 67BA 07D3  0AEA 894F 8F48 70E1 AE90

* remotes/sstabellini/tags/xen-20161028-tag:
  xen: Rename xen_be_del_xendev
  xen: Rename xen_be_find_xendev
  xen: Rename xen_be_evtchn_event
  xen: Rename xen_be_send_notify
  xen: Rename xen_be_unbind_evtchn
  xen: Rename xen_be_printf to xen_pv_printf
  xen: Move xenstore cleanup and mkdir functions
  xen: Prepare xendev qtail to be shared with frontends
  xen: Move evtchn functions to xen_pvdev.c
  xen: Move xenstore_update to xen_pvdev.c
  xen: Create a new file xen_pvdev.c
  xen: Fix coding style warnings
  xen: Fix coding style errors

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-31 12:35:39 +00:00
Emil Condrea
fa0253d066 xen: Rename xen_be_find_xendev
Prepare xen_be_find_xendev to be shared with frontends:
 * xen_be_find_xendev -> xen_pv_find_xendev

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:39 -07:00
Emil Condrea
ba18fa2a8c xen: Rename xen_be_send_notify
Prepare xen_be_send_notify to be shared with frontends:
 * xen_be_send_notify -> xen_pv_send_notify

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:21 -07:00
Emil Condrea
65807f4b6c xen: Rename xen_be_unbind_evtchn
Prepare xen_be_unbind_evtchn to be shared with frontends:
 * xen_be_unbind_evtchn -> xen_pv_unbind_evtchn

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:54:11 -07:00
Emil Condrea
96c77dba6f xen: Rename xen_be_printf to xen_pv_printf
Prepare xen_be_printf to be used by both backend and frontends:
 * xen_be_printf -> xen_pv_printf

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:53:50 -07:00
Emil Condrea
b9730c5b4e xen: Fix coding style warnings
Fixes:
 * WARNING: line over 80 characters

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:52:39 -07:00
Emil Condrea
c22e91b1d8 xen: Fix coding style errors
Fixes the following errors:
 * ERROR: line over 90 characters
 * ERROR: code indent should never use tabs
 * ERROR: space prohibited after that open square bracket '['
 * ERROR: do not initialise statics to 0 or NULL
 * ERROR: "(foo*)" should be "(foo *)"

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Quan Xu <xuquan8@huawei.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28 17:52:29 -07:00
Michael Walle
237a8650d6 lm32: milkymist-tmu2: fix integer overflow
Don't truncate the multiplication and do a 64 bit one instead because
because the result is stored in a 64 bit variable.

Spotted by coverity, CID 1167561.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-10-28 18:17:23 +03:00
Li Qiang
cb3a0522b6 virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-10-26 14:52:21 +02:00
xiaoqiang zhao
caae8032d3 hw/display: QOM'ify pl110.c
Drop the old Sysbus init and use instance_init and
DeviceClass::realize instead

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 20161023091816.3839-5-zxq_yx_007@163.com
[PMM: added accidentally dropped blank line]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-24 16:26:56 +01:00
Peter Maydell
627eae7d72 virtio, pc: fixes and features
more guest error handling for virtio devices
 virtio migration rework
 pc fixes
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJX+tUfAAoJECgfDbjSjVRpIGMH/Ri+bnKF9zD6jQXfzYY+neSF
 SqR0BsFUqR+8C1Yxx45tFRC/kMpJy3n5PZunoDwAXcSlN/uoWvzp05/s44praFDc
 5FDcj3SvFhvOpBFnO5sTMBTkmGOCG/f/lnej+Fea0X8KjtOvVE6Yxek8CS+/dS3K
 t70hxLaTO93Z63olOxhAZSVX9wYKLovB0PXAu9Uj9LsnXl8o8gQLxM9WgKnI/0vD
 1V/ZGZY0lfFaHrvIgkgKy3/L7QJ91A/jU9jypNJOEdV52EDfkV97hA2ibcIQ+7Y1
 w/S3gzVmKM3dtxdS9DiQJ3riBT8XcPUWI6sIEjpfKGFGoOjazai3m9e3bcEx3Rg=
 =f//+
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio, pc: fixes and features

more guest error handling for virtio devices
virtio migration rework
pc fixes

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 10 Oct 2016 00:39:11 BST
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (33 commits)
  intel-iommu: Check IOAPIC's Trigger Mode against the one in IRTE
  virtio: cleanup VMSTATE_VIRTIO_DEVICE
  vhost-vsock: convert VMSTATE_VIRTIO_DEVICE
  virtio-rng: convert VMSTATE_VIRTIO_DEVICE
  virtio-balloon: convert VMSTATE_VIRTIO_DEVICE
  virtio-scsi: convert VMSTATE_VIRTIO_DEVICE
  virtio-input: convert VMSTATE_VIRTIO_DEVICE
  virtio-gpu: convert VMSTATE_VIRTIO_DEVICE
  virtio-serial: convert VMSTATE_VIRTIO_DEVICE
  virtio-9p: convert VMSTATE_VIRTIO_DEVICE
  virtio-net: convert VMSTATE_VIRTIO_DEVICE
  virtio-blk: convert VMSTATE_VIRTIO_DEVICE
  virtio: prepare change VMSTATE_VIRTIO_DEVICE macro
  net: don't poke at chardev internal QemuOpts
  virtio-scsi: handle virtio_scsi_set_config() error
  virtio-scsi: convert virtio_scsi_bad_req() to use virtio_error()
  virtio-net: handle virtio_net_flush_tx() errors
  virtio-net: handle virtio_net_receive() errors
  virtio-net: handle virtio_net_handle_ctrl() error
  virtio-blk: handle virtio_blk_handle_request() errors
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-10 16:23:40 +01:00
Halil Pasic
5705653ff8 virtio: cleanup VMSTATE_VIRTIO_DEVICE
Now all the usages of the old version of VMSTATE_VIRTIO_DEVICE are gone,
so we can get rid of the conditionals, and the old macro.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-10-10 02:21:43 +03:00
Halil Pasic
8a502efd0c virtio-gpu: convert VMSTATE_VIRTIO_DEVICE
Use the new VMSTATE_VIRTIO_DEVICE macro. The device virtio-gpu is
special because it actually does not adhere to the virtio migration
schema, because device state is last.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-10-10 02:21:43 +03:00
Chen Fan
7a25126d8a virtio: rename the bar index field name in VirtIOPCIProxy
the bar index names are much similar to the bar memory regions,
distinguish them to improve the code readability.

Signed-off-by: Chen Fan <fan.chen@easystack.cn>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-10-08 11:25:29 +03:00
Dr. David Alan Gilbert
e7f76c521f vmstateify ssd0323 display
Bumps version number because we now use the VMSTATE_SSI_SLAVE that
only uses a byte rather than a 32bit (for saving a bool 'cs').

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1472035246-12483-2-git-send-email-dgilbert@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-09-22 18:13:08 +01:00
Gerd Hoffmann
c2843e9390 virtio-vga: adapt to page-per-vq=off
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1473319012-27560-1-git-send-email-kraxel@redhat.com
2016-09-13 09:28:10 +02:00
Gerd Hoffmann
597966d110 virtio-gpu-pci: tag as not hotpluggable
We can't hotplug display adapters in qemu, tag virtio-gpu-pci
accordingly (virtio-vga already has this).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1473319037-27645-1-git-send-email-kraxel@redhat.com
2016-09-13 09:26:58 +02:00
Prasad J Pandit
167d97a3de vmsvga: correct bitmap and pixmap size checks
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-09-13 09:24:35 +02:00
Marc-André Lureau
e305a16510 portio: keep references on portio
The isa_register_portio_list() function allocates ioports
data/state. Let's keep the reference to this data on some owner.  This
isn't enough to fix leaks, but at least, ASAN stops complaining of
direct leaks. Further cleanup would require calling
portio_list_del/destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2016-09-08 18:05:21 +04:00
Laurent Vivier
e723b87103 trace-events: fix first line comment in trace-events
Documentation is docs/tracing.txt instead of docs/trace-events.txt.

find . -name trace-events -exec \
     sed -i "s?See docs/trace-events.txt for syntax documentation.?See docs/tracing.txt for syntax documentation.?" \
     {} \;

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1470669081-17860-1-git-send-email-lvivier@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-08-12 10:36:01 +01:00
Marcel Apfelbaum
9a4c0e220d hw/virtio-pci: fix virtio behaviour
Enable transitional virtio devices by default.
Enable virtio-1.0 for devices plugged into
PCIe ports (Root ports or Downstream ports).

Using the virtio-1 mode will remove the limitation
of the number of devices that can be attached to a machine
by removing the need for the IO BAR.

Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-07-29 00:07:10 +03:00
Peter Maydell
206d0c2436 pc, pci, virtio: new features, cleanups, fixes
- interrupt remapping for intel iommus
 - a bunch of virtio cleanups
 - fixes all over the place
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXkQsqAAoJECgfDbjSjVRpanoIAJ9JVlc1aEjt9sa0cSBcs+NQ
 J7JmgU9FqFsj+4FrNTouO3AxTjHurd1UAULP1WMPD+V3JpbnHct8r6SCBLQ5EBMN
 VOjYo4DwWs1g+DqnQ9WZmbadu06XvYi/yiAKNUzWfZk0MR11D0D/S5hmarNKw0Kq
 tGHeTWjGeY4WqFLV7m+qB4+cqkAByn6um99UtUvgLL05RgIEIP2IEMKYZ+rXvAa9
 iGUvzqlO7mbq/+LbL18kaWywa4TCwbbd2eSGWaqhX4CuB62Rl33mWTXFcfaYhkyp
 Z3FgwaJ09h0lAjSVEbyAuLFMfO/BnMcsoKqwl4xc4vkn/xBCqFtgH9JcEVm3O8U=
 =ge2D
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pc, pci, virtio: new features, cleanups, fixes

- interrupt remapping for intel iommus
- a bunch of virtio cleanups
- fixes all over the place

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Thu 21 Jul 2016 18:49:30 BST
# gpg:                using RSA key 0x281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream: (57 commits)
  intel_iommu: avoid unnamed fields
  virtio: Update migration docs
  virtio-gpu: Wrap in vmstate
  virtio-gpu: Use migrate_add_blocker for virgl migration blocking
  virtio-input: Wrap in vmstate
  9pfs: Wrap in vmstate
  virtio-serial: Wrap in vmstate
  virtio-net: Wrap in vmstate
  virtio-balloon: Wrap in vmstate
  virtio-rng: Wrap in vmstate
  virtio-blk: Wrap in vmstate
  virtio-scsi: Wrap in vmstate
  virtio: Migration helper function and macro
  virtio-serial: Remove old migration version support
  virtio-net: Remove old migration version support
  virtio-scsi: Replace HandleOutput typedef
  Revert "mirror: Workaround for unexpected iohandler events during completion"
  virtio-scsi: Call virtio_add_queue_aio
  virtio-blk: Call virtio_add_queue_aio
  virtio: Introduce virtio_add_queue_aio
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-21 20:12:37 +01:00
Dr. David Alan Gilbert
0fc07498da virtio-gpu: Wrap in vmstate
Forcibly convert it to a vmstate wrapper;  proper conversion
comes later.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-21 20:44:20 +03:00
Dr. David Alan Gilbert
de8892215e virtio-gpu: Use migrate_add_blocker for virgl migration blocking
virgl conditionally registers a vmstate as unmigratable when virgl
is enabled; instead use the migrate_add_blocker mechanism.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-21 20:44:20 +03:00
Gerd Hoffmann
e0127d2eec qxl: fix qxl_set_dirty call in qxl_dirty_one_surface
qxl_set_dirty() expects start and end as range specification.
qxl_dirty_one_surface passes 'size' instead of 'offset + size' as end
parameter.  Fix that.  Also use uint64_t everywhere while being at it.

Bug was added by "e25139b qxl: set only off-screen surfaces dirty instead
of the whole vram" and carried forward unnoticed by "5cdc402 qxl: fix
surface migration".

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1468413187-22071-1-git-send-email-kraxel@redhat.com
2016-07-20 12:08:14 +02:00
Markus Armbruster
175de52487 Clean up decorations and whitespace around header guards
Cleaned up with scripts/clean-header-guards.pl.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:20:46 +02:00
Markus Armbruster
2a6a4076e1 Clean up ill-advised or unusual header guards
Cleaned up with scripts/clean-header-guards.pl.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:20:46 +02:00
Markus Armbruster
a9c94277f0 Use #include "..." for our own headers, <...> for others
Tracked down with an ugly, brittle and probably buggy Perl script.

Also move includes converted to <...> up so they get included before
ours where that's obviously okay.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
2016-07-12 16:19:16 +02:00
Peter Maydell
e0dadc1e9e aux: Rename aux.[ch] to auxbus.[ch] for the benefit of Windows
On Windows 'aux.*' is a reserved name and cannot be used for
filenames; see
  https://msdn.microsoft.com/en-gb/library/windows/desktop/aa365247(v=vs.85).aspx

This prevents cloning the QEMU git repo on Windows:

C:\Java\sources\kvm> git clone https://github.com/qemu/qemu.git
Cloning into 'qemu'...
remote: Counting objects: 279563, done.
remote: Total 279563 (delta 0), reused 0 (delta 0), pack-reused 279563R
Receiving objects: 100% (279563/279563), 122.45 MiB | 3.52 MiB/s, done.
Resolving deltas: 100% (221942/221942), done.
Checking connectivity... done.
error: unable to create file hw/misc/aux.c (No such file or directory)
error: unable to create file include/hw/misc/aux.h (No such file or directory)
Checking out files: 100% (4795/4795), done.
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'

(bug https://bugs.launchpad.net/bugs/1595240)

Rename the offending files for the benefit of Windows.

Reported-by: Алексей Курган <akurgan@yandex.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Wei Huang <wei@redhat.com>
Tested-by: KONRAD Frederic <fred.konrad@greensocs.com>
Message-id: 1467377145-32385-1-git-send-email-peter.maydell@linaro.org
2016-07-07 13:47:01 +01:00
Paolo Bonzini
bb14a1eda0 xlnx_dp: fix iffy xlnx_dp_aux_push_tx_fifo
xlnx_dp_aux_push_tx_fifo takes an immediate uint8_t and a buffer length,
which must be 1 because that is how many uint8_t's fit in a uint8_t.
Sure enough, that is what xlnx_dp_write passes to it, but the function
is just weird.  Therefore, make xlnx_dp_aux_push_tx_fifo look like
xlnx_dp_aux_push_rx_fifo, taking a pointer to the buffer.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-07 13:47:00 +01:00
Marc-André Lureau
9d8256ebc0 virgl: pass whole GL scanout dimensions
Spice client needs the whole GL texture dimension to be able to show a
scanout with a monitor offset (different than +0+0).

Furthermore, this fixes a crash when calling surface_{width,height}()
after dpy_gfx_replace_surface(con, NULL) was called in
virgl_cmd_set_scanout()

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1465911849-30423-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:32:14 +02:00
Marc-André Lureau
c540128f93 virgl: count the calls to gl_block
In virgl_cmd_resource_flush(), when several consoles are updated, it
needs to keep blocking until all spice gl draws are done. This fixes an
assert() in spice when using multiple monitors with virgl.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1465911849-30423-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:32:14 +02:00
John Snow
015e02f880 spice: avoid .set_mm_time on >= 0.12.6
Spice deprecated this callback in 0.12.6.
It's not a problem yet, but it will cause Clang to fail in a -Werror
build due to the deprecated tag.

Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1467240095-12507-2-git-send-email-jsnow@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-07-06 10:31:57 +02:00
Gerd Hoffmann
1331eab216 qxl: fix surface migration
Create a helper function qxl_dirty_one_surface() to mark a single qxl
surface as dirty.  Use the new qxl_get_check_slot_offset function and
lookup the memory region from the slot instead of assuming the surface
is stored in vram.

Use the new helper function in qxl_dirty_surfaces, for both primary and
off-screen surfaces.  For off-screen surfaces this is no functional
change.  For primary surfaces this will dirty only the memory actually
used instead of the whole surface0 region.  It will also work correctly
in case the guest places the primary surface in vram instead of the
surface0 region (linux kms driver does that).

https://bugzilla.redhat.com/show_bug.cgi?id=1235732

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-3-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann
3cb5158f15 qxl: store memory region and offset instead of pointer for guest slots
Store MemoryRegion and offset instead of a pointer for each qxl memory
slot, so we can easily figure in which memory region an qxl object
stored.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-2-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann
726bdf653a qxl: factor out qxl_get_check_slot_offset
New helper function which translates a qxl physical address into
memory slot and offset.  Also applies sanity checks.  Factored out
from qxl_phys2virt.  No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1466597244-5938-1-git-send-email-kraxel@redhat.com
2016-07-06 10:31:11 +02:00
Gerd Hoffmann
2f5ae772c6 qxl: handle no updates in interface_update_area_complete
Simply return early in case there are no updated rects.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1465395101-13580-1-git-send-email-kraxel@redhat.com
2016-07-06 10:31:02 +02:00
Gerd Hoffmann
de1b9b85ef qxl: use uint64_t for vram size
This allows for the 64bit vram bar to become larger than 2G
(try -device qxl-vga,vram64_size_mb=8192).

https://bugzilla.redhat.com/show_bug.cgi?id=1340439

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1465389648-5179-1-git-send-email-kraxel@redhat.com
2016-07-06 10:30:50 +02:00
Cédric Le Goater
7673bb4cd3 ssi: change ssi_slave_init to be a realize ops
This enables qemu to handle late inits and report errors. All the SSI
slave routine names were changed accordingly. Code was modified to
handle errors when possible (m25p80 and ssi-sd)

Tested with the m25p80 slave object.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1467138270-32481-2-git-send-email-clg@kaod.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-07-04 13:15:22 +01:00
Gerd Hoffmann
55543e7623 milkymist: fix tmu2.c build failure (missing error.h include)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-21 13:25:09 +01:00
Peter Maydell
b0ad00b8c9 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJXaFInAAoJEJykq7OBq3PI6VsH/0Sfgbdo1RksYuQwb/y92sCW
 EN+lxUZ+OLfgrc8PYgNZwfSM3rsfYhznL0MAXOeEe7Ahabi07w7DhGR8WvwfAOlI
 G96FRuvrIPfv5u6U6fwS4CvG3TIHVLxfHKCsTpPUmH8U5CNx/x/tpjNiWN1dj6t+
 sXybSjYHfZfiZy2tI9MFIFWCdxnF/pl0QAPhbRqc8Y/RQTDrPKRjLpz+nitN/u96
 5TS7KlELyQuP91YMmLceYSmIkHbxW703h+iE2n4hov0uZCP8Jil+2Jsd3ziQSRlL
 j6LqexQ2ViBGdDSfiZGYES2VPlsHOCwb4G+IgWBStfZg1ppaXENvcDzPrgrB+L4=
 =eUnF
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Mon 20 Jun 2016 21:29:27 BST
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/tracing-pull-request: (42 commits)
  trace: split out trace events for linux-user/ directory
  trace: split out trace events for qom/ directory
  trace: split out trace events for target-ppc/ directory
  trace: split out trace events for target-s390x/ directory
  trace: split out trace events for target-sparc/ directory
  trace: split out trace events for net/ directory
  trace: split out trace events for audio/ directory
  trace: split out trace events for ui/ directory
  trace: split out trace events for hw/alpha/ directory
  trace: split out trace events for hw/arm/ directory
  trace: split out trace events for hw/acpi/ directory
  trace: split out trace events for hw/vfio/ directory
  trace: split out trace events for hw/s390x/ directory
  trace: split out trace events for hw/pci/ directory
  trace: split out trace events for hw/ppc/ directory
  trace: split out trace events for hw/9pfs/ directory
  trace: split out trace events for hw/i386/ directory
  trace: split out trace events for hw/isa/ directory
  trace: split out trace events for hw/sd/ directory
  trace: split out trace events for hw/sparc/ directory
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-20 22:30:34 +01:00
Peter Maydell
7e13ea57f4 lm32/milkymist: some qomifying
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXaBmJAAoJELRYq7DY03jj6osP/Az+8Rkb8eL3hVzqDso6JZhx
 QMmp48ipNe7xWlTGjKrf6yUWyuehp7Hr2dlXkz6KG/Y/PQg15uMfH3ZlS0HzWuyO
 cSeRQsvNY759Wk7bnAzzuRK9eVxXJaSytodaA+swGo/7maDbMMXdv0gFa/qP6k1e
 4vc4mLoi3PX6GHuFsfWUaDkOkZpuhzsj3MxEEqDJd1TpiJzZIbJokk4bLUF89kCz
 tRGNUoUXJnWLigJYjOqXjg15Cue70ztiX3VE6LoI+TRe/RsJPLd+oCtij40Gah/S
 cOZUeuxIgLGDdkGoax+H/ymTjpTrHB4Mo8E7rtlwT/HYFti4ZzWeA9T3mJ9Zwc2F
 q4xU/St7dJYEOH37qNXKzyIWmQZxJKJOpOaOzasPbo76Bvt1X9d5+HuDOtf9ftWo
 LR/U+1MFxGId7TMM2/j+ziHKZcZWkGkpK7K0tScB6dM/yCxv1Qs5HuioqMNIvAgc
 Pe0bNAI5zSGX5ldqR/tPxL9b27PkqFs0a6itLOIv4tvashmnBfcDiaDMXmRc+hsb
 jJ7apWyEF3JOw9dKSpwgspPJHavYuRhohgfhuEpuwkcwc2QD3QdDrtlV6bxRhJoj
 yMZ5905B99LNCCGOszol1yMlzHLbGTmZVyhu8bL9930oxHgZzfOCQMFVtMMxaAp1
 0yEVhlbZ0JE7zpetAHeF
 =ggrO
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mwalle/tags/lm32-queue/20160620' into staging

lm32/milkymist: some qomifying

# gpg: Signature made Mon 20 Jun 2016 17:27:53 BST
# gpg:                using RSA key 0xB458ABB0D8D378E3
# gpg: Good signature from "Michael Walle <michael@walle.cc>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2190 3E48 4537 A7C2 90CE  3EB2 B458 ABB0 D8D3 78E3

* remotes/mwalle/tags/lm32-queue/20160620:
  milkymist: update specification URLs
  hw/intc: QOM'ify lm32_pic.c
  hw/display: QOM'ify milkymist-vgafb.c
  hw/display: QOM'ify milkymist-tmu2.c
  hw/timer: QOM'ify milkymist_sysctl
  hw/timer: QOM'ify lm32_timer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-20 18:14:26 +01:00
Daniel P. Berrange
14750ef1b5 trace: split out trace events for hw/display/ directory
Move all trace-events for files in the hw/display/ directory to
their own file.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1466066426-16657-18-git-send-email-berrange@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2016-06-20 17:22:15 +01:00
Michael Walle
6dbbe24337 milkymist: update specification URLs
The old milkymist.org domain just forwards to mm-labs.hk nowadays. I've
created a mirror of the documents.

Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:12:04 +02:00
xiaoqiang zhao
165b244b98 hw/display: QOM'ify milkymist-vgafb.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Tested-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:11:59 +02:00
xiaoqiang zhao
cf79c64d58 hw/display: QOM'ify milkymist-tmu2.c
* Drop the old SysBus init function and use instance_init
* Move tmu2_glx_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Michael Walle <michael@walle.cc>
Tested-by: Michael Walle <michael@walle.cc>
Signed-off-by: Michael Walle <michael@walle.cc>
2016-06-20 18:11:06 +02:00
Eduardo Habkost
9be385980d coccinelle: Remove unnecessary variables for function return value
Use Coccinelle script to replace 'ret = E; return ret' with
'return E'. The script will do the substitution only when the
function return type and variable type are the same.

Manual fixups:

* audio/audio.c: coding style of "read (...)" and "write (...)"
* block/qcow2-cluster.c: wrap line to make it shorter
* block/qcow2-refcount.c: change indentation of wrapped line
* target-tricore/op_helper.c: fix coding style of
  "remainder|quotient"
* target-mips/dsp_helper.c: reverted changes because I don't
  want to argue about checkpatch.pl
* ui/qemu-pixman.c: fix line indentation
* block/rbd.c: restore blank line between declarations and
  statements

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <1465855078-19435-4-git-send-email-ehabkost@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Unused Coccinelle rule name dropped along with a redundant comment;
whitespace touched up in block/qcow2-cluster.c; stale commit message
paragraph deleted]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-06-20 16:38:13 +02:00
Paolo Bonzini
02d0e09503 os-posix: include sys/mman.h
qemu/osdep.h checks whether MAP_ANONYMOUS is defined, but this check
is bogus without a previous inclusion of sys/mman.h.  Include it in
sysemu/os-posix.h and remove it from everywhere else.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-06-16 18:39:03 +02:00
KONRAD Frederic
58ac482a66 introduce xlnx-dp
This is the implementation of the DisplayPort.
It has an aux-bus to access dpcd and edid.

Graphic plane is connected to the channel 3.
Video plane is connected to the channel 0.
Audio stream are connected to the channels 4 and 5.

Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
Tested-By: Hyun Kwon <hyun.kwon@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1465833014-21982-9-git-send-email-fred.konrad@greensocs.com
[PMM: fixed format strings]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-14 16:01:03 +01:00
KONRAD Frederic
e27ed1bdd3 introduce dpcd module
This introduces dpcd module.
It wires on a aux-bus and can be accessed by the driver to get lane-speed, etc.

Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Tested-By: Hyun Kwon <hyun.kwon@xilinx.com>
Message-id: 1465833014-21982-6-git-send-email-fred.konrad@greensocs.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-06-14 15:59:15 +01:00
Laurent Vivier
d0448de7f6 xen: Use DIV_ROUND_UP
Replace (((n) + (d) - 1) /(d)) by DIV_ROUND_UP(n,d).

This patch is the result of coccinelle script
scripts/coccinelle/round.cocci

CC: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-06-07 18:19:24 +03:00
Gerd Hoffmann
0c244e50ee virtio-gpu: add live migration support
Store some additional state for cursor and resource backing storage,
so we can write out and reload things.  Implement vmsave+vmload for
2d mode.  Continue blocking live migration in 3d/virgl mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com
2016-06-06 09:04:34 +02:00
Gerd Hoffmann
4e68a0ee17 vmsvga: don't process more than 1024 fifo commands at once
vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
2016-06-06 09:04:29 +02:00
Gerd Hoffmann
7e486f7577 vmsvga: shadow fifo registers
The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without syncronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
2016-06-06 09:04:24 +02:00
Gerd Hoffmann
c2e3c54d39 vmsvga: add more fifo checks
Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
2016-06-06 09:04:19 +02:00
Gerd Hoffmann
5213602678 vmsvga: move fifo sanity checks to vmsvga_fifo_length
Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
2016-06-06 09:03:51 +02:00
Gerd Hoffmann
fa06e5cb7b virtio-gpu: fix scanout rectangles
Commit "ca58b45 ui/virtio-gpu: add and use qemu_create_displaysurface_pixman"
breaks scanouts which use a region of the underlying resource only.

So, we need another way to handle the underlying issue.  Lets create a
new pixman image, grab a reference on the pixman providing the
underlying storage, hook up a destroy callback which releases the
reference.  That way regions work again and releasing the backing
storage should still be impossible thanks to the extra reference we are
holding.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1464597655-26341-1-git-send-email-kraxel@redhat.com
2016-06-03 09:05:28 +02:00
Gerd Hoffmann
94ef4f337f vga: add sr_vbe register set
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
2016-05-23 14:28:25 +02:00
Marc-André Lureau
6b860806c0 virtio-gpu: fix ui idx check
Fix off-by-one value check (0 is the first scanout).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
acfc484650 virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
The value is defined in virtio_gpu.h already (changing from 4 to 16).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
2fe760554e virtio-gpu: check max_outputs only
The scanout id should not be above the configured num_scanouts.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
5e3d741c6a virtio-gpu: check max_outputs value
The value must be less than VIRTIO_GPU_MAX_SCANOUT.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
d0f0c8654a virtio-vga: propagate on gpu realized error
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Marc-André Lureau
fe89fdebca virtio-gpu: check early scanout id
Before accessing the g->scanout array, in order to avoid potential
out-of-bounds access.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-23 13:30:03 +02:00
Paolo Bonzini
03dd024ff5 hw: explicitly include qemu/log.h
Move the inclusion out of hw/hw.h, most files do not need it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini
33c11879fd qemu-common: push cpu.h inclusion out of qemu-common.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:29 +02:00
Paolo Bonzini
87776ab72b qemu-common: stop including qemu/host-utils.h from qemu-common.h
Move it to the actual users.  There are some inclusions of
qemu/host-utils.h in headers, but they are all necessary.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-19 16:42:28 +02:00
Peter Maydell
14fccfa91e MIPS patches 2016-05-13
Changes:
 * fix zeroing CP0.WatchLo registers in soft reset
 * QOMify Jazz led
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJXNaaUAAoJEFIRjjwLKdpre/sIAIhtHFxtzlNEBq27CG0Rsp2l
 7EN8O/NqVmhiq2NU5Xt6wJ100GjKftMM9f49aRhz05q7kgKIs+M0PC3RB2wvIYzQ
 lk4zbreiBdZYWA/m38SBSU2CJvEs+8FpthBtfNi/gN701lQ45K9oJdzl0jsURIh/
 /dLQhzPmHrf4NImQzxqybhX8ta80TUXLWOv/ZbuGEFEEXnp+db7+eajIw4kgqCT+
 J/XpqeFrZ/aJfT3Ag7LLsAimmTP439JIO1goIei8POvEXgkm1AmxpvIk6Aq1bGiz
 BnTm80lj5JSHImbObOu4WKIu8wRcWZb5rEIl2oMfnzAx6iPhRPOS8JNP+565Tes=
 =0B4r
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160513' into staging

MIPS patches 2016-05-13

Changes:
* fix zeroing CP0.WatchLo registers in soft reset
* QOMify Jazz led

# gpg: Signature made Fri 13 May 2016 11:04:04 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"

* remotes/lalrae/tags/mips-20160513:
  hw/display: QOM'ify jazz_led.c
  target-mips: fix call to memset in soft reset code

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-13 11:50:42 +01:00
xiaoqiang.zhao
7fe91a5b33 hw/display: QOM'ify jazz_led.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2016-05-13 09:33:38 +01:00
Peter Maydell
4274d821ff hw/display/blizzard: Remove blizzard_template.h
We no longer need to do the "multiply include this header" trick with
blizzard_template.h, and it is only used in a single .c file, so just
put its contents inline in blizzard.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-3-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:30 +01:00
Peter Maydell
5c8759087d hw/display/blizzard: Expand out macros
Now that we can assume that only depth 32 is possible, there's no need
for the COPY_PIXEL1 and PIXEL_TYPE macros, and the SKIP_PIXEL, COPY_PIXEL
and SWAP_WORDS macros aren't used at all. Expand out COPY_PIXEL1 and
PIXEL_TYPE where they are used, delete the unused macro definitions, and
expand out the uses of glue(name_prefix, DEPTH).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1462371352-21498-2-git-send-email-peter.maydell@linaro.org
2016-05-12 13:22:29 +01:00
xiaoqiang zhao
3c09d6caad hw/display: QOM'ify exynos4210_fimd.c
* Drop the old SysBus init function and use instance_init
* Move graphic_console_init into realize stage

Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com>
Message-id: 1462417489-28603-2-git-send-email-zxq_yx_007@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:27 +01:00
Pooja Dhannawat
ea644cf343 omap_lcdc: Remove support for DEPTH != 32
surface_bits_per_pixel() always returns 32
so, removing other dead code which is
based on DEPTH !== 32

Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1459260142-9144-1-git-send-email-dhannawatpooja1@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Pooja Dhannawat
5c87c4089a blizzard: Remove support for DEPTH != 32
Removing support for DEPTH != 32 from blizzard template header
and file that includes it, as macro DEPTH == 32 only used.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Pooja Dhannawat <dhannawatpooja1@gmail.com>
Message-id: 1458971873-2768-1-git-send-email-dhannawatpooja1@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-05-12 13:22:24 +01:00
Gerd Hoffmann
fd3c136b3e vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode.  This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heigts settable using VBE registers.

Which is good for one or another buffer overflow.  Not that
critical as they typically read overflows happening somewhere
in the display code.  So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.

Fixes: CVE-2016-3712
Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Reported-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
2068192dcc vga: update vga register setup on vbe changes
Call the new vbe_update_vgaregs() function on vbe configuration
changes, to make sure vga registers are up-to-date.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
7fa5c2c5dc vga: factor out vga register setup
When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer.  Move that code to a separate function so we can call it
from other places too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
bfa0f151a5 vga: add vbe_enabled() helper
Makes code a bit easier to read.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Gerd Hoffmann
3bf1817079 vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.

The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register.  The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.

Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.

Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.

Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-02 16:02:59 +02:00
Wei Liu
4df26e88ee xenfb: use the correct condition to avoid excessive looping
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <=
out_cons"), ">=" was used. In fact, a full ring is a legit state.
Correct the test to use ">".

Reported-by: "Hao, Xudong" <xudong.hao@intel.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: "Hao, Xudong" <xudong.hao@intel.com>
Acked-by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
2016-04-12 10:16:08 -07:00
Gerd Hoffmann
fa49e4656a virtio-gpu: block live migration
Feeling a bit nervous putting the full live migration support
patch (https://patchwork.ozlabs.org/patch/606902/) in that
late in the 2.6 devel cycle as it carries some non-trivial
changes.  So disable migration in case virtio-gpu is present
for now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-04-11 12:36:34 +02:00
Gerd Hoffmann
ca58b45fbe ui/virtio-gpu: add and use qemu_create_displaysurface_pixman
Add a the new qemu_create_displaysurface_pixman function, to create
a DisplaySurface backed by an existing pixman image.  In that case
there is no need to create a new pixman image pointing to the same
backing storage.  We can just use the existing image directly.

This does not only simplify things a bit, but most importantly it
gets the reference counting right, so the backing storage for the
pixman image wouldn't be released underneath us.

Use new function in virtio-gpu, where using it actually fixes
use-after-free crashes.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1459499240-742-1-git-send-email-kraxel@redhat.com
2016-04-11 12:32:01 +02:00
Rutuja Shah
73bcb24d93 Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND
This patch replaces get_ticks_per_sec() calls with the macro
NANOSECONDS_PER_SECOND. Also, as there are no callers, get_ticks_per_sec()
is then removed.  This replacement improves the readability and
understandability of code.

For example,

    timer_mod(fdctrl->result_timer,
	      qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (get_ticks_per_sec() / 50));

NANOSECONDS_PER_SECOND makes it obvious that qemu_clock_get_ns
matches the unit of the expression on the right side of the plus.

Signed-off-by: Rutuja Shah <rutu.shah.26@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:17 +01:00
Paolo Bonzini
4771d756f4 hw: explicitly include qemu-common.h and cpu.h
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:17 +01:00
Markus Armbruster
da34e65cb4 include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef.  Since then, we've moved to include qemu/osdep.h
everywhere.  Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h.  That's in excess of
100KiB of crap most .c files don't actually need.

Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h.  Include qapi/error.h in .c files that need it and don't
get it now.  Include qapi-types.h in qom/object.h for uint16List.

Update scripts/clean-includes accordingly.  Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h.  Update the list of includes in the qemu/osdep.h
comment quoted above similarly.

This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third.  Unfortunately, the number depending on
qapi-types.h shrinks only a little.  More work is needed for that one.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-22 22:20:15 +01:00
Grégory ESTRADE
5e9c2a8dac bcm2835_fb: add framebuffer device for Raspberry Pi
The framebuffer occupies the upper portion of memory (64MiB by
default), but it can only be controlled/configured via a system
mailbox or property channel (to be added by a subsequent patch).

Signed-off-by: Grégory ESTRADE <gregory.estrade@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Message-id: 1457467526-8840-4-git-send-email-Andrew.Baumann@microsoft.com
[AB: added Windows (BGR) support and cleanup/refactoring for upstream submission]
Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-03-16 17:42:18 +00:00
Gerd Hoffmann
05fa1c742f qxl: lock current_async update in qxl_soft_reset
This should fix a defect report from Coverity.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-01 07:51:32 +01:00
Paolo Bonzini
d2ba7ecb34 cirrus_vga: fix off-by-one in blit_region_is_unsafe
The "max" value is being compared with >=, but addr + width points to
the first byte that will _not_ be copied.  Laszlo suggested using a
"greater than" comparison, instead of subtracting one like it is
already done above for the height, so that max remains always positive.

The mistake is "safe"---it will reject some blits, but will never cause
out-of-bounds writes.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-03-01 07:51:32 +01:00
Peter Maydell
30456d5ba3 all: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
2016-02-23 12:43:05 +00:00
Ian Campbell
47d3df2387 xen: Drop __XEN_LATEST_INTERFACE_VERSION__ checks from prior to Xen 4.2
We assume (and check for in configure) 4.2 or later now. In reality
all of the removed checks are for far older versions.

FMT_ioreq_size is no longer needed.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2016-02-10 12:01:32 +00:00
Paolo Bonzini
51b19ebe43 virtio: move allocation to virtqueue_pop/vring_pop
The return code of virtqueue_pop/vring_pop is unused except to check for
errors or 0.  We can thus easily move allocation inside the functions
and just return a pointer to the VirtQueueElement.

The advantage is that we will be able to allocate only the space that
is needed for the actual size of the s/g list instead of the full
VIRTQUEUE_MAX_SIZE items.  Currently VirtQueueElement takes about 48K
of memory, and this kind of allocation puts a lot of stress on malloc.
By cutting the size by two or three orders of magnitude, malloc can
use much more efficient algorithms.

The patch is pretty large, but changes to each device are testable
more or less independently.  Splitting it would mostly add churn.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-02-06 20:39:07 +02:00
Gerd Hoffmann
321c9adba5 virtio-gpu: block any rendering until client (ui) is done
Wire up gl_block callback, so ui code can request to stop
virtio-gpu rendering.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
0c55a1cfd3 virtio-gpu: add support to enable/disable command processing
So we can stop rendering for a while in case we have to.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
3eb769fd1c virtio-gpu: maintain command queue
We'll go take out the commands we receive out of the virt queue and put
them into a linked list, to decouple virtio queue handling from actual
command processing.

Also move cmd processing to new virtio_gpu_handle_ctrl func, so we can
easily kick it from different places.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-02-03 10:41:36 +01:00
Gerd Hoffmann
8d94c1ca53 virtio-gpu: fix memory leak in error path
Found by Coverity Scan, buf not freed on error.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2016-02-03 10:41:36 +01:00
Peter Maydell
47df5154c3 hw/display: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-21-git-send-email-peter.maydell@linaro.org
2016-01-29 15:07:24 +00:00
Peter Maydell
9b8bfe21be virtio: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-15-git-send-email-peter.maydell@linaro.org
2016-01-29 15:07:23 +00:00
Peter Maydell
21cbfe5f37 xen: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-14-git-send-email-peter.maydell@linaro.org
2016-01-29 15:07:23 +00:00
Peter Maydell
8ef94f0bc9 arm: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-13-git-send-email-peter.maydell@linaro.org
2016-01-29 15:07:23 +00:00
Peter Maydell
ea99dde191 lm32: Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-5-git-send-email-peter.maydell@linaro.org
2016-01-29 15:07:22 +00:00
Ian Campbell
e0cb42ae4b xen: Switch uses of xc_map_foreign_{pages,bulk} to use libxenforeignmemory API.
In Xen 4.7 we are refactoring parts libxenctrl into a number of
separate libraries which will provide backward and forward API and ABI
compatiblity.

One such library will be libxenforeignmemory which provides access to
privileged foreign mappings and which will provide an interface
equivalent to xc_map_foreign_{pages,bulk}.

The new xenforeignmemory_map() function behaves like
xc_map_foreign_pages() when the err argument is NULL and like
xc_map_foreign_bulk() when err is non-NULL, which maps into the shim
here onto checking err == NULL and calling the appropriate old
function.

Note that xenforeignmemory_map() takes the number of pages before the
arrays themselves, in order to support potentially future use of
variable-length-arrays in the prototype (in the future, when Xen's
baseline toolchain requirements are new enough to ensure VLAs are
supported).

In preparation for adding support for libxenforeignmemory add support
to the <=4.0 and <=4.6 compat code in xen_common.h to allow us to
switch to using the new API. These shims will disappear for versions
of Xen which include libxenforeignmemory.

Since libxenforeignmemory will have its own handle type but for <= 4.6
the functionality is provided by using a libxenctrl handle we
introduce a new global xen_fmem alongside the existing xen_xc. In fact
we make xen_fmem a pointer to the existing xen_xc, which then works
correctly with both <=4.0 (xc handle is an int) and <=4.6 (xc handle
is a pointer). In the latter case xen_fmem is actually a double
indirect pointer, but it all falls out in the wash.

Unlike libxenctrl libxenforeignmemory has an explicit unmap function,
rather than just specifying that munmap should be used, so the unmap
paths are updated to use xenforeignmemory_unmap, which is a shim for
munmap on these versions of xen. The mappings in xen-hvm.c do not
appear to be unmapped (which makes sense for a qemu-dm process)

In fb_disconnect this results in a change from simply mmap over the
existing mapping (with an implicit munmap) to expliclty unmapping with
xenforeignmemory_unmap and then mapping the required anonymous memory
in the same hole. I don't think this is a problem since any other
thread which was racily touching this region would already be running
the risk of hitting the mapping halfway through the call. If this is
thought to be a problem then we could consider adding an extra API to
the libxenforeignmemory interface to replace a foreign mapping with
anonymous shared memory, but I'd prefer not to.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2016-01-26 17:19:35 +00:00
Ian Campbell
9ed257d1d1 xen: Switch uses of xc_map_foreign_range into xc_map_foreign_pages
In Xen 4.7 we are refactoring parts libxenctrl into a number of
separate libraries which will provide backward and forward API and ABI
compatiblity.

One such library will be libxenforeignmemory which provides access to
privileged foreign mappings and which will provide an interface
equivalent to xc_map_foreign_{pages,bulk}.

In preparation for this switch all uses of xc_map_foreign_range to
xc_map_foreign_pages. This is trivial because size was always
XC_PAGE_SIZE so the necessary adjustments are trivial:

  * Pass &mfn (an array of length 1) instead of mfn. The function
    takes a pointer to const, so there is no possibily of mfn changing
    due to this change.
  * Pass nr_pages=1 instead of size=XC_PAGE_SIZE

There is one wrinkle in xen_console.c:con_initialise() where
con->ring_ref is an int but can in some code paths (when !xendev->dev)
be treated as an mfn. I think this is an existing latent truncation
hazard on platforms where xen_pfn_t is 64-bit and int is 32-bit (e.g.
amd64, both arm* variants). I'm unsure under what circumstances
xendev->dev can be NULL or if anything elsewhere ensures the value
fits into an int. For now I just use a temporary xen_pfn_t to in
effect upcast the pointer from int* to xen_pfn_t*.

In xenfb.c:common_bind we now explicitly launder the mfn into a
xen_pfn_t, so it has the correct type to be passed to
xc_map_foreign_pages and doesn't provoke warnings on 32-bit x86.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2016-01-26 17:19:32 +00:00
Peter Maydell
0b0571dd24 Xen 2016/01/21
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJWoQ5KAAoJEIlPj0hw4a6QP6sP/01U66Fv7ZzqxnV6U/6hJkOG
 X11S6KUHVdNoLyMB4RCyOV/zsF16ODZ9A1PI+qeq/1Po4zNLASWYAdWR7OinCiis
 ad5QGmHY2JmzLm2x8ivWZR1ZqQ+PTRWFH7eEFEROaI/IEyG1wL4bTkMLB0L6Ih74
 SMnMJg3Rkl8XhxdvVuE5JZ4f4ZTyPIk+0daMXIH9Q58XspblVNRjKAbotjte/zrj
 XmCIxVfu29NOIKD3F1n0Cw29OqCuyofbxWHk+SwT68fM8M8KcdnX1WGmfOXylXod
 JP0j2NRN07LgMfJv1K+QXPSNlFOZAMlzzXpOAnbb2AJceTTMMwTdkQb6aahFfMEL
 eyWabU+ZI8gemFePgWWdOipkrqtWlGvdyFLKLv42CR9jhVGNck8SBt01njLcOEsf
 TZjsuzPVxMmQvSYr7xcZgIFKwWkt3yUpOAKl6KS5PlerIezpJ1MtmB1ZmFF+Caui
 kGpC1tfIgdu3VHdlqASlc50BsAeqTdGzXI+KxTE/6raOnn+aUVIXrUzcdgV+Tgby
 52Fd9y83X65RXIgasNIvNpUEX+jc7FYdrBaO2graSBzpCWAzituyypOk4WEpHxIn
 da64hN9Z3i4BzLDZtaC05B8A0iWpckLOwbVWK1zblsdiJJAaOFVAU9cNl2Plxm8j
 cy8WC0FdEqLZxXpU0deB
 =+hRh
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20160121' into staging

Xen 2016/01/21

# gpg: Signature made Thu 21 Jan 2016 16:58:50 GMT using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"

* remotes/sstabellini/tags/xen-20160121:
  Xen PCI passthru: convert to realize()
  Add Error **errp for xen_pt_config_init()
  Add Error **errp for xen_pt_setup_vga()
  Add Error **errp for xen_host_pci_device_get()
  Xen: use qemu_strtoul instead of strtol
  Change xen_host_pci_sysfs_path() to return void
  xen-pvdevice: convert to realize()
  xen-hvm: Clean up xen_ram_alloc() error handling
  xen-hvm: Clean up xen_hvm_init() error handling
  xenfb.c: avoid expensive loops when prod <= out_cons
  MAINTAINERS: update Xen files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-01-21 17:21:08 +00:00
Alistair Francis
8fd06719e7 ssi: Move ssi.h into a separate directory
Move the ssi.h include file into the ssi directory.

While touching the code also fix the typdef lines as
checkpatch complains.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-01-21 14:15:03 +00:00
Stefano Stabellini
ac0487e1d2 xenfb.c: avoid expensive loops when prod <= out_cons
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reported-by: Ling Liu <liuling-it@360.cn>
2016-01-14 16:49:11 +00:00
OGAWA Hirofumi
4083733db5 ui/curses: Fix color attribute of monitor for curses
Current text_console_update() writes totally broken color attributes
to console_write_ch(). The format now is writing,

[WRONG]
	bold << 21 | fg << 12 | bg << 8 | char
	fg == 3bits curses color number
	bg == 3bits curses color number

I can't see this format is where come from. Anyway, this doesn't work
at all.

What curses expects is actually (and vga.c is using),

[RIGHT]
	bold << 21 | bg << 11 | fg << 8 | char
	fg == 3bits vga color number
	bg == 3bits vga color number

And curses set COLOR_PAIR() up to match this format, and curses's
chtype. I.e,

	bold | color_pair | char
	color_pair == (bg << 3 | fg)

To fix, this simply uses VGA color number everywhere except curses.c
internal. Then, convert it to above [RIGHT] format to write by
console_write_ch(). And as bonus, this reduces to expose curses define
to other parts (removes COLOR_* from console.c).

[Tested the first line is displayed as white on blue back for monitor
in curses console]

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Message-id: 87r3j95407.fsf@mail.parknet.co.jp
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-01-08 12:20:07 +01:00
Stefano Stabellini
7ea11bf376 xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.

This is part of XSA-155.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-12-18 15:10:09 +00:00
Paolo Bonzini
fff02bc00b linux-headers: update from kvm/next
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-12-17 15:24:34 +01:00
Paolo Bonzini
58f6d82fc4 arm: explicitly mark device loads as little-endian
Behaviour of emulated devices should not depend on the endianness
of the CPU, so avoid using the endian-dependent load and store
functions in the PXA2xx and OMAP display devices. These devices
are little endian when they do DMA access.

(Since ARM softmmu is always compiled as little endian, this means
that the endian-dependent load and store functions are always little
endian, so this commit makes no functionally visible change.)

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: rewrote commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-17 13:37:13 +00:00
Markus Armbruster
9de68637df qxl: Use g_new() & friends where that makes obvious sense
g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
for two reasons.  One, it catches multiplication overflowing size_t.
Two, it returns T * rather than void *, which lets the compiler catch
more type errors.

This commit only touches allocations with size arguments of the form
sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-11-06 15:42:38 +03:00
Thomas Huth
b21de19992 hw/display/tcx: Remove superfluous OBJECT() typecasts
The tcx_initfn() function is already supplied with an
Object *obj pointer, so there is no need to cast the
state pointer back to an Object pointer all over the
place. And while we're at it, also remove the superfluous
"return;" statement in this function.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-11-06 15:42:38 +03:00
OGAWA Hirofumi
fb71956367 ui/opengl: Reduce build required libraries for opengl
We now use epoxy to load opengl libraries. This means we don't need to
link opengl libraries directly if interfaces handled by epoxy. With
this, we just need epoxy headers and epoxy's *.so to build.

Tested with epoxy-1.3.1.

- sdl2/gtk/console egl stuff doesn't require other than epoxy
- milkymist-tmu2 glx stuff doesn't require other than epoxy

(lm32 test is limited, because can't find mmone-bios.bin, so just test
to load libGL with "./lm32-softmmu/qemu-system-lm32 -M milkymist,accel=qtest")

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

[ lm32 tested by kraxel ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-11-03 10:13:42 +01:00
Gerd Hoffmann
5829b09720 vmsvga: more cursor checks
Check the cursor size more carefully.  Also switch to unsigned while
being at it, so they can't be negative.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-10-20 09:26:36 +02:00
Peter Maydell
7684922390 Fix device introspection regressions
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJWF8SNAAoJEDhwtADrkYZTSaUQAJdIB2CiO6COT0T36ZNU/yi8
 wkFdmBt6Ejks1v8OBhoz+NEwMomj55uyeG+ck4BfvNAZJqpYPSKeZdviu/U/UDHw
 BJmUBk5beMcTay66DhQ+0bASfn+3nldM6vXExZEsxi43dLAxyksOd6WZ7L3LieDI
 V7mXJ02y/E8tcwuQqiAutU4N/6JlF2PIJpPgDZaPEJIFbW/LBBUoFneYmK4Mv8sZ
 SMjgEulE4JZ/WDeZJYxwWHmNFzrUgTwikq2ydPxawBK6zkoC3JdlkjHdOKWhkQfV
 tMbnRjHmlN9uO3zoF/aIZgFVy4pbnb+f4bnWPqLG55U5z8WXmXao8LlThlzkRdjw
 xrqW8yvwMk1owRLlhjxVR4iyxTXPnp/S76QlEVJbokGFW/MhWhctQoIH0C2lfcgG
 t0A642Xy6NXy+vZqJLJxzigBGn8zT98BXfKptWLHr9aun2U5Vpou0ylf5nsiojL+
 5HR+bB4J/ZVbxIW1OIJqR/cnSKzZqSLCqBB3jnCP60dIgaD7/JeUSz91AFZDPRcb
 PmGsSCa1rjPC66R/QmxYwZ3YGuz0imKWDALqkudsNJnklBVMLxfC+Gp5Sg4D475K
 qzwgRAcXv9wsSPumwoxaQBZxHd4Xuj91e7QmMO+z1un6oOb07fh2Wt5Ib/UoqYM7
 +Ry+yGwO5sRkwZhxdaxM
 =QXLe
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2015-10-09' into staging

Fix device introspection regressions

# gpg: Signature made Fri 09 Oct 2015 14:43:41 BST using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/pull-monitor-2015-10-09:
  Revert "qdev: Use qdev_get_device_class() for -device <type>,help"
  qdev: Protect device-list-properties against broken devices
  qmp: Fix device-list-properties not to crash for abstract device
  device-introspect-test: New, covering device introspection
  libqtest: New hmp() & friends
  libqtest: Clean up unused QTestState member sigact_old
  tests: Fix how qom-test is run
  macio: move DBDMA_init from instance_init to realize
  hw: do not pass NULL to memory_region_init from instance_init
  memory: allow destroying a non-empty MemoryRegion
  virtio-input: Fix device introspection on non-Linux hosts
  update-linux-headers: Rename SW_MAX to SW_MAX_

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-10-12 11:07:38 +01:00
Paolo Bonzini
81e0ab48dd hw: do not pass NULL to memory_region_init from instance_init
This causes the region to outlive the object, because it attaches the
region to /machine.  This is not nice for the "realize" method, but
much worse for "instance_init" because it can cause dangling pointers
after a simple object_new/object_unref pair.

Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1443689999-12182-3-git-send-email-armbru@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
2015-10-09 15:25:56 +02:00
Gerd Hoffmann
e9c1b459f2 virtio-gpu: add cursor update tracepoint
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2015-10-08 10:33:21 +02:00
Gerd Hoffmann
9d9e152136 virtio-gpu: add 3d mode and virgl rendering support.
Add virglrenderer library detection.  Add 3d mode to virtio-gpu,
wire up virglrenderer library.  When in 3d mode render using the
new context management and texture scanout callbacks.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-10-08 10:31:35 +02:00
Gerd Hoffmann
2e2521452e virtio-gpu: change licence from GPLv2 to GPLv2+
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-10-08 10:31:35 +02:00
Gerd Hoffmann
7f3be0f20f virtio-gpu: move iov free to virtio_gpu_cleanup_mapping_iov
For symmetry reasons: virtio_gpu_create_mapping_iov() allocates it so
virtio_gpu_cleanup_mapping_iov() should free it, otherwise it's easy to
miss a free() needed and leak memory.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-10-08 10:31:35 +02:00
Markus Armbruster
f8ed85ac99 Fix bad error handling after memory_region_init_ram()
Symptom:

    $ qemu-system-x86_64 -m 10000000
    Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
    upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate memory
    Aborted (core dumped)

Root cause: commit ef701d7 screwed up handling of out-of-memory
conditions.  Before the commit, we report the error and exit(1), in
one place, ram_block_add().  The commit lifts the error handling up
the call chain some, to three places.  Fine.  Except it uses
&error_abort in these places, changing the behavior from exit(1) to
abort(), and thus undoing the work of commit 3922825 "exec: Don't
abort when we can't allocate guest memory".

The three places are:

* memory_region_init_ram()

  Commit 4994653 (right after commit ef701d7) lifted the error
  handling further, through memory_region_init_ram(), multiplying the
  incorrect use of &error_abort.  Later on, imitation of existing
  (bad) code may have created more.

* memory_region_init_ram_ptr()

  The &error_abort is still there.

* memory_region_init_rom_device()

  Doesn't need fixing, because commit 33e0eb5 (soon after commit
  ef701d7) lifted the error handling further, and in the process
  changed it from &error_abort to passing it up the call chain.
  Correct, because the callers are realize() methods.

Fix the error handling after memory_region_init_ram() with a
Coccinelle semantic patch:

    @r@
    expression mr, owner, name, size, err;
    position p;
    @@
            memory_region_init_ram(mr, owner, name, size,
    (
    -                              &error_abort
    +                              &error_fatal
    |
                                   err@p
    )
                                  );
    @script:python@
        p << r.p;
    @@
    print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

When the last argument is &error_abort, it gets replaced by
&error_fatal.  This is the fix.

If the last argument is anything else, its position is reported.  This
lets us check the fix is complete.  Four positions get reported:

* ram_backend_memory_alloc()

  Error is passed up the call chain, ultimately through
  user_creatable_complete().  As far as I can tell, it's callers all
  handle the error sanely.

* fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

  DeviceClass.realize() methods, errors handled sanely further up the
  call chain.

We're good.  Test case again behaves:

    $ qemu-system-x86_64 -m 10000000
    qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory
    [Exit 1 ]

The next commits will repair the rest of commit ef701d7's damage.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1441983105-26376-3-git-send-email-armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
2015-09-18 14:39:29 +02:00
Veres Lajos
67cc32ebfd typofixes - v4
Signed-off-by: Veres Lajos <vlajos@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:45:43 +03:00
Daniel P. Berrange
ef1e1e0782 maint: avoid useless "if (foo) free(foo)" pattern
The free() and g_free() functions both happily accept
NULL on any platform QEMU builds on. As such putting a
conditional 'if (foo)' check before calls to 'free(foo)'
merely serves to bloat the lines of code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Markus Armbruster
b45c03f585 arm: Use g_new() & friends where that makes obvious sense
g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
for two reasons.  One, it catches multiplication overflowing size_t.
Two, it returns T * rather than void *, which lets the compiler catch
more type errors.

This commit only touches allocations with size arguments of the form
sizeof(T).

Coccinelle semantic patch:

    @@
    type T;
    @@
    -g_malloc(sizeof(T))
    +g_new(T, 1)
    @@
    type T;
    @@
    -g_try_malloc(sizeof(T))
    +g_try_new(T, 1)
    @@
    type T;
    @@
    -g_malloc0(sizeof(T))
    +g_new0(T, 1)
    @@
    type T;
    @@
    -g_try_malloc0(sizeof(T))
    +g_try_new0(T, 1)
    @@
    type T;
    expression n;
    @@
    -g_malloc(sizeof(T) * (n))
    +g_new(T, n)
    @@
    type T;
    expression n;
    @@
    -g_try_malloc(sizeof(T) * (n))
    +g_try_new(T, n)
    @@
    type T;
    expression n;
    @@
    -g_malloc0(sizeof(T) * (n))
    +g_new0(T, n)
    @@
    type T;
    expression n;
    @@
    -g_try_malloc0(sizeof(T) * (n))
    +g_try_new0(T, n)
    @@
    type T;
    expression p, n;
    @@
    -g_realloc(p, sizeof(T) * (n))
    +g_renew(T, p, n)
    @@
    type T;
    expression p, n;
    @@
    -g_try_realloc(p, sizeof(T) * (n))
    +g_try_renew(T, p, n)
    @@
    type T;
    expression n;
    @@
    -(T *)g_new(T, n)
    +g_new(T, n)
    @@
    type T;
    expression n;
    @@
    -(T *)g_new0(T, n)
    +g_new0(T, n)
    @@
    type T;
    expression p, n;
    @@
    -(T *)g_renew(T, p, n)
    +g_renew(T, p, n)

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1440524394-15640-1-git-send-email-armbru@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-07 10:39:27 +01:00
Peter Maydell
170f209d78 virtio fixes for 2.4
Mostly virtio 1 spec compliance fixes.
 We are unlikely to make it perfectly compliant in
 the first release, but it seems worth it to try.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVtprUAAoJECgfDbjSjVRpgu4H/AljqEXBYIS/+7aZBGO4UnK/
 LSyxiOfw/sQPwYr8xqhYtoITVPQqkBnCajBFuDw3IaGrTDQ1pHfG8z5qt3Fri+yC
 RtiqiFg1LVR/AI8W/dUDuLAf8xq1GukZr1o59mi3hAA0pcPxUtVjPkZcaq63d0P+
 uzCgRw0qlg8nbT7SN2O9HZz7AT2emaUkaJBF2eRBb7r1kg3ZzM0FOtmCWaRhtS5s
 8AuHS+038BWA0J/S7yd5YooQh7NfvmWFpRNukMttJrtOmi7f5LCJJF9rxcXAnzOn
 Soc0afauCtUTfxJ4gkLqxQ586eKpREQ+7lzkJDQ62g1oD/+VatOMcbu3jdnJEtQ=
 =AoJS
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio fixes for 2.4

Mostly virtio 1 spec compliance fixes.
We are unlikely to make it perfectly compliant in
the first release, but it seems worth it to try.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  virtio: minor cleanup
  acpi: fix pvpanic device is not shown in ui
  virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
  virtio-blk: fail get_features when both scsi and 1.0 were set
  virtio: get_features() can fail
  virtio-pci: fix memory MR cleanup for modern
  virtio: set any_layout in virtio core
  virtio-9p: fix any_layout
  virtio-serial: fix ANY_LAYOUT
  virtio: hide legacy features from modern guests

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 17:09:56 +01:00
Jason Wang
9d5b731dd2 virtio: get_features() can fail
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27 18:11:53 +03:00
Peter Maydell
f793d97e45 * qemu-char fixes
* SCSI fixes (including CVE-2015-5158)
 * RCU fixes
 * Framebuffer logic to set DIRTY_MEMORY_VGA
 * Fix compiler warning for --disable-vnc
 * qemu-doc fixes
 * x86 TCG pasto fix
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJVsihAAAoJEL/70l94x66DXccIAJqoO5t7b8nA3W1gkJBJxgUy
 OPAEP7N+v1qZNtYtbmC0p29JaaMPiauNnOQGYQ/hRj3Ccv3bcWg4gbhlxHdjZT5e
 fh5aYxZr4K0D8dWbnFhGuvATiaiddfwRB3YCDx2CW1DPgL2xwzdwmYNXPvpnA2hj
 3LDqC74v3lppCRpKPa4//xvpkwz0SJrJjbxvKBPRdVSAi8ovRJF27ArM2bVXYpYS
 uWhXxhqw0Sx6nqZoz+EpfRsHHirGtsj8iGxGgRre3kqFTLYmjtg0wSBrSvCU3Eaw
 1kmceS7ggJq82mIOFnjYE1Sf+JPOySSieHdKEPDEWezsQkBzBsQ9KaSQJnmLCa8=
 =0FIR
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* qemu-char fixes
* SCSI fixes (including CVE-2015-5158)
* RCU fixes
* Framebuffer logic to set DIRTY_MEMORY_VGA
* Fix compiler warning for --disable-vnc
* qemu-doc fixes
* x86 TCG pasto fix

# gpg: Signature made Fri Jul 24 12:57:52 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  target-i386/FPU: a misprint in helper_fistll_ST0
  qemu-doc: fix typos
  framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer
  memory: count number of active VGA logging clients
  vl: Fix compiler warning for builds without VNC
  scsi: Handle no media case for scsi_get_configuration
  rcu: actually register threads that have RCU read-side critical sections
  scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
  vnc: fix memory leak
  qemu-char: Fix missed data on unix socket
  qemu-char: handle EINTR for TCP character devices
  exec.c: Use atomic_rcu_read() to access dispatch in memory_region_section_get_iotlb()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-24 13:07:10 +01:00
Paolo Bonzini
c1076c3e13 framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer
The MemoryRegionSection contains enough information to access the
RAM region underlying the framebuffer, and can be cached inside the
display device.

By doing this, the new framebuffer_update_memory_section function can
enable dirty memory logging on the relevant RAM region.  The function
must be called whenever the stride or base of the framebuffer changes;
a simple way to cover these cases is to call it on every full frame
invalidation, which is a rare case.

framebuffer_update_display now works entirely on a MemoryRegionSection,
without going through cpu_physical_memory_map/unmap.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-24 13:57:45 +02:00
Frediano Ziglio
a52b2cbf21 qxl: Fix new function name for spice-server library
The new spice-server function to limit the number of monitors (0.12.6)
changed while development from spice_qxl_set_monitors_config_limit to
spice_qxl_max_monitors (accepted upstream).
By mistake I post patch with former name.
This patch fix the function name.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2015-07-22 16:38:42 +02:00
Frediano Ziglio
567161fdd4 qxl: allow to specify head limit to qxl driver
This patch allow to limit number of heads using qxl driver. By default
qxl driver is not limited on any kind on head use so can decide to use
as much heads.

libvirt has this as a video card parameter (actually set to 1 but not
used). This parameter will allow to limit setting a use can do (which
could be confusing).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-07-16 17:31:05 +02:00
Gerd Hoffmann
b3409a3100 virtio-gpu: use virtio_instance_init_common, fixup properties
Switch over to virtio_instance_init_common.  Drop duplicate properties
in virtio-gpu-pci and virtio-vga as they are properly aliased now.  Also
drop the indirection via DEFINE_VIRTIO_GPU_PROPERTIES, we don't need it
any more as the properties are defined in a single place now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-07-07 11:23:18 +02:00
Gerd Hoffmann
e18882952e virtio-gpu: update console device property.
Update the device link of the QemuConsole, so it points to the
virtio-gpu-pci or virtio-vga device instead of virtio-gpu-device.

This is needed because we want to find the device by id, for
example for input routing, and the id specified on the command
line is attached to the pci proxy, not the virtio device.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-07-07 11:23:17 +02:00
Shannon Zhao
8684e85ca9 hw/display/tcx.c: Fix memory leak
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-06-23 20:23:39 +03:00
Shannon Zhao
22b2aeb82c hw/display/cg3.c: Fix memory leak
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-06-23 20:23:39 +03:00
Frediano Ziglio
a91e21186f hw/display/qxl-logger.c: Constify some variable
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-06-23 20:23:39 +03:00
Markus Armbruster
a0b1a66ea3 Include monitor/monitor.h exactly where needed
In particular, don't include it into headers.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
2015-06-22 18:20:41 +02:00
Markus Armbruster
d49b683644 qerror: Move #include out of qerror.h
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
2015-06-22 18:20:40 +02:00
Peter Maydell
93f6d1c160 virtio-gpu: pci support bits and virtio-vga.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJVfss3AAoJEEy22O7T6HE4gw8P/Az+6M0I6RRGoavyfC+Um1sy
 hD1VVFI34eLKxAgUupuwDMxnyXuZBbV0BZvyz46GucfcpsC038WCclIAQU50coF+
 CiVlFY2pAlwp1/wS0k+MeDa5cypsCik9Jl1vaDhgNsDlRhLgztOrgTk+fe+AFVoH
 iiLb0baENGWrgMDd8ZN9hcNbJCzBBUQ7MMkuFHZkdRx829L8yuTbCoP0tNXAuQDz
 DCcAtdt6Xm4h0NUDLFSf7CnpaWzV5WgpSPkGCYaWtmJNpxNshrkm+vFRdBHvWnhN
 Vz/2E9q1aMoSbfmnj36RhGeS37g1gAO73souDJd/LRtrk5aF1aPeWN9DGEMTTYWn
 6FNIo63v86V4kcuYxNzup5+d0A+t0aqkTFHcNrKAIvtGNTDmaCIBso1HGJud3rcA
 Rujgytbr3PpxZcJFxIzXZtTlNAHE+wwzzbdS9zaQy1l//oNIXswboJBMTHbJq6Ql
 eit+MDVrILiRcd+DviRmsTQBMRs/VlW2bHHfmgw3DvgxreyTGbR8qZKKzvGuF8Dn
 b6ODQ7Y12uUZJaytiB2SyiPNx/u7Axg1IP1w+9TVrtNONx1VSKn2aGpILYqmH1CG
 zTdgTTlWtYwLEs/tZxKHxeVZK6wlzKkc+jT259Ah57bJchzndoKCrnQ80GirdZfL
 bnMgCL2ju6Xv3A3Yn3wY
 =jnEv
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150615-1' into staging

virtio-gpu: pci support bits and virtio-vga.

# gpg: Signature made Mon Jun 15 13:55:19 2015 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20150615-1:
  virtio-vga: add vgabios configuration
  virtio-vga: add '-vga virtio' support
  virtio-vga: add virtio gpu device with vga compatibility
  virtio-gpu-pci: add virtio pci support
  virtio-gpu: fix error message

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-06-16 10:35:43 +01:00
Peter Maydell
644ead5be1 hw/display/exynos4210_fimd: Fix bit-swapping code
fimd_swap_data() includes code to reverse the bits in a
64-bit integer, but an off-by-one error meant that it would
try to shift off the top of the integer. Correct the bug
(spotted by Coverity).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1432912615-23107-1-git-send-email-peter.maydell@linaro.org
2015-06-15 18:06:08 +01:00
Gerd Hoffmann
c5d4dac86b virtio-vga: add virtio gpu device with vga compatibility
This patch adds a virtio-vga device.  It is simliar to virtio-gpu-pci,
but it also adds in vga compatibility, so guests without native
virtio-gpu support can drive the device in vga mode.  It is compatible
with stdvga.

Written by Dave Airlie and Gerd Hoffmann.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-12 10:13:23 +02:00
Gerd Hoffmann
9eafb62d47 virtio-gpu-pci: add virtio pci support
This patch adds virtio-gpu-pci, which is the pci proxy for the virtio
gpu device.  With this patch in place virtio-gpu is functional.  You
need a linux guest with a virtio-gpu driver though, and output will
appear pretty late in boot, once the kernel initialized drm and fbcon.

Written by Dave Airlie and Gerd Hoffmann.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-12 10:13:23 +02:00
Gerd Hoffmann
2c84167b4e virtio-gpu: fix error message
iov limit was raised, but the error message still has the old limit ...

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-12 10:13:23 +02:00
Juan Quintela
5cd8cadae8 migration: Use normal VMStateDescriptions for Subsections
We create optional sections with this patch.  But we already have
optional subsections.  Instead of having two mechanism that do the
same, we can just generalize it.

For subsections we just change:

- Add a needed function to VMStateDescription
- Remove VMStateSubsection (after removal of the needed function
  it is just a VMStateDescription)
- Adjust the whole tree, moving the needed function to the corresponding
  VMStateDescription

Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-06-12 06:53:57 +02:00
Gerd Hoffmann
62232bf484 virtio-gpu/2d: add virtio gpu core code
This patch adds the core code for virtio gpu emulation,
covering 2d support.

Written by Dave Airlie and Gerd Hoffmann.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-10 11:02:00 +02:00
Gerd Hoffmann
220869e12d stdvga: factor out mmio subregion init
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-10 11:02:00 +02:00
Gerd Hoffmann
cf45ec6a52 stdvga: pass VGACommonState instead of PCIVGAState
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-10 11:01:59 +02:00
Gerd Hoffmann
24cdff7c82 stdvga: fix offset in pci_vga_ioport_read
Simliar to pci_vga_ioport_write.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-06-10 11:01:59 +02:00
Paolo Bonzini
d55d42078b framebuffer: check memory_region_is_logging
framebuffer.c expects DIRTY_MEMORY_VGA logging to be always on, but that
will not be the case soon.  Because framebuffer.c computes the memory
region on the fly for every update (with memory_region_find), it cannot
enable/disable logging by itself.

Instead, always treat updates as invalidations if dirty logging is
not enabled, assuming that the board will enable logging on the
RAM region that includes the framebuffer.

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05 17:09:59 +02:00
Paolo Bonzini
2d1a35bef0 memory: differentiate memory_region_is_logging and memory_region_get_dirty_log_mask
For now memory regions only track DIRTY_MEMORY_VGA individually, but
this will change soon.  To support this, split memory_region_is_logging
in two functions: one that returns a given bit from dirty_log_mask,
and one that returns the entire mask.  memory_region_is_logging gets an
extra parameter so that the compiler flags misuse.

While VGA-specific users (including the Xen listener!) will want to keep
checking that bit, KVM and vhost check for "any bit except migration"
(because migration is handled via the global start/stop listener
callbacks).

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05 17:09:58 +02:00
Paolo Bonzini
5299c0f2cf display: add memory_region_sync_dirty_bitmap calls
These are strictly speaking only needed for KVM and Xen, but it's still
nice to be consistent.

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05 17:09:58 +02:00
Paolo Bonzini
74259ae55b display: enable DIRTY_MEMORY_VGA tracking explicitly
This will be required soon by the memory core.

Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05 17:09:58 +02:00
Paolo Bonzini
086f90e890 g364fb: remove pointless call to memory_region_set_coalescing
Coalescing work on MMIO, not RAM, thus this call has no effect.

Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-05 17:09:58 +02:00
Shannon Zhao
26c8acb3f3 hw/display/tc6393xb.c: Fix misusing qemu_allocate_irqs for single irq
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-06-03 14:21:24 +03:00
Gerd Hoffmann
641381c1fc spice: don't update mm_time when spice-server is stopped.
Skip mm_time updates (in qxl device memory) in case the guest is stopped.
Guest isn't able to look anyway, and it causes problems with migration.

Also make sure the initial state for spice server is stopped.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-29 09:56:01 +02:00
Gonglei
176c324feb vga-pci: QOMify
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-19 11:40:01 +02:00
Gonglei
c69f6c7dcf qxl: QOMify
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-19 11:40:01 +02:00
Gonglei
d338bae33a cirrus_vga: QOMify
QOMify pci-cirrus-vga like isa-cirrus-vga device.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-19 11:40:01 +02:00
Chih-Min Chao
c9f88ce330 hw/display : remove 'struct' from 'typedef QXL struct'
Signed-off-by: Chih-Min Chao <cmchao@gmail.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-30 16:05:48 +03:00
Peter Maydell
06feaacfb4 - miscellaneous cleanups for TCG (Emilio) and NBD (Bogdan)
- next part in the thread-safe address_space_* saga: atomic access
   to the bounce buffer and the map_clients list, from Fam
 - optional support for linking with tcmalloc, also from Fam
 - reapplying Peter Crosthwaite's "Respect as_translate_internal
   length clamp" after fixing the SPARC fallout.
 - build system fix from Wei Liu
 - small acpi-build and ioport cleanup by myself
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJVQJd4AAoJEL/70l94x66DYFYH/3ifhqWZsd4dfJri0CGAHI4i
 SpPmNeouc8W+F/3lwf6Inrh5NnTgd5QzoUBMQaWVkQKwUiWls8g2mXkT3jo0iDqT
 /B40YXnZjNm20MixNaZmk9AsOF6OqPM8EMufau874k5zTlx3tCGAW1QD+I1N7WK7
 DfsFsIUD1svo2prn55fSoitMG1TIVPnpcklb4YGJRbAacQYUDhr5KAIhT1quDR2R
 93BvToyQmPqRQ4YKqnJLp8HAkL4FaJumfFZVvyh2cZvyaYGN/RVdi2Dw985dJDPX
 /z4enE4GCAs4RDw3lZ1RDbiZDqpT2ibFgASg/arX3SxzqHirOGvMdkOjO99r9j4=
 =aLjh
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

- miscellaneous cleanups for TCG (Emilio) and NBD (Bogdan)
- next part in the thread-safe address_space_* saga: atomic access
  to the bounce buffer and the map_clients list, from Fam
- optional support for linking with tcmalloc, also from Fam
- reapplying Peter Crosthwaite's "Respect as_translate_internal
  length clamp" after fixing the SPARC fallout.
- build system fix from Wei Liu
- small acpi-build and ioport cleanup by myself

# gpg: Signature made Wed Apr 29 09:34:00 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (22 commits)
  nbd/trivial: fix type cast for ioctl
  translate-all: use bitmap helpers for PageDesc's bitmap
  target-i386: disable LINT0 after reset
  Makefile.target: prepend $libs_softmmu to $LIBS
  milkymist: do not modify libs-softmmu
  configure: Add support for tcmalloc
  exec: Respect as_translate_internal length clamp
  ioport: reserve the whole range of an I/O port in the AddressSpace
  ioport: loosen assertions on emulation of 16-bit ports
  ioport: remove wrong comment
  ide: there is only one data port
  gus: clean up MemoryRegionPortio
  sb16: remove useless mixer_write_indexw
  sun4m: fix slavio sysctrl and led register sizes
  acpi-build: remove dependency from ram_addr.h
  memory: add memory_region_ram_resize
  dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel
  exec: Notify cpu_register_map_client caller if the bounce buffer is available
  exec: Protect map_client_list with mutex
  linux-user, bsd-user: Remove two calls to cpu_exec_init_all
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-04-30 12:04:11 +01:00
Paolo Bonzini
738e4171de milkymist: do not modify libs-softmmu
This is better and prepares for the next patch.  When we copy
libs_softmmu's value into LIBS with a := assignment, we cannot
anymore modify libs_softmmu in the Makefiles.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-04-28 22:14:14 +02:00
Stefan Hajnoczi
786a4ea82e Convert (ffs(val) - 1) to ctz32(val)
This commit was generated mechanically by coccinelle from the following
semantic patch:

@@
expression val;
@@
- (ffs(val) - 1)
+ ctz32(val)

The call sites have been audited to ensure the ffs(0) - 1 == -1 case
never occurs (due to input validation, asserts, etc).  Therefore we
don't need to worry about the fact that ctz32(0) == 32.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1427124571-28598-5-git-send-email-stefanha@redhat.com
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2015-04-28 15:36:08 +02:00
Stefan Weil
e7ae771f6d Fix remaining warnings from Sparse (void return)
Sparse report:

hw/display/vga.c:2000:5: warning: returning void-valued expression
hw/intc/arm_gic.c:707:9: warning: returning void-valued expression
hw/intc/etraxfs_pic.c:138:9: warning: returning void-valued expression
hw/nvram/fw_cfg.c:475:5: warning: returning void-valued expression
hw/timer/a9gtimer.c:124:5: warning: returning void-valued expression
hw/tpm/tpm_tis.c:794:5: warning: returning void-valued expression
hw/usb/hcd-musb.c:558:9: warning: returning void-valued expression
hw/usb/hcd-musb.c:776:13: warning: returning void-valued expression
hw/usb/hcd-musb.c:867:5: warning: returning void-valued expression
hw/usb/hcd-musb.c:932:5: warning: returning void-valued expression
include/qom/cpu.h:584:5: warning: returning void-valued expression
monitor.c:4686:13: warning: returning void-valued expression
monitor.c:4690:13: warning: returning void-valued expression

Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Andreas Färber <afaerber@suse.de>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-19 11:11:55 +03:00
Stefan Weil
77a8257ed7 omap: Fix warnings from Sparse
Sparse report:

arm/omap1.c:1015:9: warning: returning void-valued expression
arm/omap1.c:1084:9: warning: returning void-valued expression
arm/omap1.c:1178:9: warning: returning void-valued expression
arm/omap1.c:1287:9: warning: returning void-valued expression
arm/omap1.c:1382:9: warning: returning void-valued expression
arm/omap1.c:1650:9: warning: returning void-valued expression
arm/omap1.c:1778:9: warning: returning void-valued expression
arm/omap1.c:1985:9: warning: returning void-valued expression
arm/omap1.c:210:9: warning: returning void-valued expression
arm/omap1.c:2213:9: warning: returning void-valued expression
arm/omap1.c:2352:9: warning: returning void-valued expression
arm/omap1.c:2447:9: warning: returning void-valued expression
arm/omap1.c:2640:9: warning: returning void-valued expression
arm/omap1.c:317:9: warning: returning void-valued expression
arm/omap1.c:3413:13: warning: returning void-valued expression
arm/omap1.c:3414:13: warning: returning void-valued expression
arm/omap1.c:3415:14: warning: returning void-valued expression
arm/omap1.c:3589:9: warning: returning void-valued expression
arm/omap1.c:443:9: warning: returning void-valued expression
arm/omap1.c:588:9: warning: returning void-valued expression
arm/omap1.c:860:9: warning: returning void-valued expression
arm/omap2.c:1362:9: warning: returning void-valued expression
arm/omap2.c:450:9: warning: returning void-valued expression
arm/omap2.c:695:9: warning: returning void-valued expression
arm/omap2.c:760:9: warning: returning void-valued expression
hw/char/omap_uart.c:115:9: warning: returning void-valued expression
hw/display/omap_dss.c:1019:9: warning: returning void-valued expression
hw/display/omap_dss.c:215:9: warning: returning void-valued expression
hw/display/omap_dss.c:380:9: warning: returning void-valued expression
hw/display/omap_dss.c:739:9: warning: returning void-valued expression
hw/display/omap_dss.c:931:9: warning: returning void-valued expression
hw/dma/omap_dma.c:139:5: warning: returning void-valued expression
hw/dma/omap_dma.c:1505:9: warning: returning void-valued expression
hw/dma/omap_dma.c:1860:9: warning: returning void-valued expression
hw/gpio/omap_gpio.c:116:9: warning: returning void-valued expression
hw/misc/omap_gpmc.c:627:9: warning: returning void-valued expression
hw/misc/omap_l4.c:85:9: warning: returning void-valued expression
hw/misc/omap_sdrc.c:95:9: warning: returning void-valued expression
hw/misc/omap_tap.c:98:9: warning: returning void-valued expression
hw/sd/omap_mmc.c:409:9: warning: returning void-valued expression
hw/ssi/omap_spi.c:229:9: warning: returning void-valued expression
hw/timer/omap_gptimer.c:447:9: warning: returning void-valued expression

Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-19 11:11:55 +03:00
Jeremy White
f676c67e4b Allow the use of X11 from a non standard location.
Signed-off-by: Jeremy White <jwhite@codeweavers.com>

[ kraxel: solve opengl patch conflicts ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-03-12 15:50:11 +01:00
Gerd Hoffmann
da076ffed6 configure: opengl overhaul
Rename config option from "glx" to "opengl", glx will not be the only
option for opengl in near future.  Also switch over to pkg-config for
opengl support detection.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-03-12 15:49:57 +01:00
David Gibson
3c2784fc86 vga: Expose framebuffer byteorder as a QOM property
The VGA device model now supports having the framebuffer in either endian,
and can be switched between these by the guest via a register in the qext
region.

However, in some cases (e.g. LE OS on the pseries machine) we have
existing guest that don't know about the endian switch register, but other
parts of the qemu code have better information to set a default endianness
than the VGA code does of itself.

In order to allow them to set a correct default endianness in these cases,
without breaking abstraction walls, this patch exposes the VGA framebuffer
endianness via a writable QOM property.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
[agraf: use instance_init for property exposure]
Signed-off-by: Alexander Graf <agraf@suse.de>
2015-03-09 15:00:02 +01:00
Peter Maydell
0048fa6c80 pci, pc, virtio fixes and cleanups
A bunch of fixes all over the place.
 All of ACPI refactoring has been merged.
 Legacy pci commands have been dropped.
 virtio header cleanup
 initial patches from virtio-1.0 branch
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJU/CoXAAoJECgfDbjSjVRpX7EH/RMmgtsDO4wvqJu++lHvkB/q
 kSaXZYTpJTo0i5JE7n2brwuXA4902tTg9g5TMUpGPh9Pt2QRg7RTgGC1vqZyOBos
 MPw+4BO2v66S6qgX7bOf222z7r64cHTY7pLkQlrfD4usPlu2eusZ64UTW6Ru51fW
 WF9E9aunbl+HnuCGq6Iez3sCLscTBJpU/lEr6oSyHhuq3aa0CjjraEeV0E/QcwJG
 HTUeFymL8NFvlXZblsLI++VOv7Mxpi6yiCQ5XoKpFgGMvidwo41Aso6gB3ySGxOd
 w8O3Nbu77Iw/StDRNCg/5/GapabMKh2bE4UCsYY5OS63ZtD0fl0CCblhzm/ZFPw=
 =LY/j
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

pci, pc, virtio fixes and cleanups

A bunch of fixes all over the place.
All of ACPI refactoring has been merged.
Legacy pci commands have been dropped.
virtio header cleanup
initial patches from virtio-1.0 branch

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

* remotes/mst/tags/for_upstream: (130 commits)
  acpi: drop unused code
  aml-build: comment fix
  acpi-build: fix typo in comment
  acpi: update generated files
  vhost user:support vhost user nic for non msi guests
  aml-build: fix build for glib < 2.22
  acpi: update generated files
  Makefile.target: binary depends on config-devices
  acpi-test-data: update after pci rewrite
  acpi, mem-hotplug: use PC_DIMM_SLOT_PROP in acpi_memory_plug_cb().
  pci-hotplug-old: Has been dead for five major releases, bury
  pci: Give a few helpers internal linkage
  acpi: make build_*() routines static to aml-build.c
  pc: acpi: remove not used anymore ssdt-[misc|pcihp].hex.generated blobs
  pc: acpi-build: drop template patching and create PCI bus tree dynamically
  tests: ACPI: update pc/SSDT.bridge due to new alg of PCI tree creation
  pc: acpi-build: simplify PCI bus tree generation
  tests: add ACPI blobs for qemu with bridge cases
  tests: bios-tables-test: add support for testing bridges
  tests: ACPI test blobs update due to PCI0._CRS changes
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Conflicts:
	hw/pci/pci-hotplug-old.c
2015-03-09 09:14:28 +00:00
Gerd Hoffmann
20ca3763ab qxl: drop update_displaychangelistener call for secondary qxl devices
Commit 3dcadce507 added three
update_displaychangelistener call sites:

Two for primary qxl cards, when entering/leaving vga mode, which are
correct.

One for secondary qxl cards, which is wrong because we don't register
a displaychangelistener in the first place for secondary cards.

Remove it.

Reported-by: Brad Campbell <lists2009@fnarfbargle.com>
Tested-by: Brad Campbell <lists2009@fnarfbargle.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:33:08 +01:00
Radim Krčmář
619616ce31 vga: refactor vram_size clamping and rounding
Make the code a bit more obvious.

We don't have min/max, so a general helper for clamp probably isn't
acceptable either.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:33:08 +01:00
Radim Krčmář
bb7443f6d6 qxl: refactor rounding up to a nearest power of 2
We already have pow2floor, mirror it and use instead of a function with
similar results (same in used domain), to clarify our intent.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:33:08 +01:00
Radim Krčmář
876d516311 spice: fix invalid memory access to vga.vram
vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value.  qxl_dirty_surfaces() used the unshrinked size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in segfault.

Add a workaround for this case and an assert if it happens again.

We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.

Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:33:08 +01:00
Radim Krčmář
03d9825d15 qxl: document minimal video memory for new modes
The alternative to removing existing comments.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-03 08:33:08 +01:00
Markus Armbruster
042a24db0a qxl: Convert to realize
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-02-26 12:42:17 +01:00
Markus Armbruster
f409edf743 cirrus-vga: Convert to realize
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-02-26 12:42:17 +01:00
Markus Armbruster
9af21dbee1 pci: Trivial device model conversions to realize
Convert the device models where initialization obviously can't fail.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-02-26 12:42:16 +01:00
Hervé Poussineau
b19c1c08de isa: remove isa_mem_base variable
Now that isa_mem_base variable is always 0, we can remove its usage.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-02-13 14:09:28 +00:00
Stefan Weil
73d22cafca vga: Fix warning caused by missing 'static' attribute
Warning from the Sparse static analysis tool:

hw/display/vga.c:2012:26: warning:
 symbol 'vmstate_vga_endian' was not declared. Should it be static?

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-10 10:26:05 +03:00
Don Koch
91043dadc4 Add tracing to xenfb.
Signed-off-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-10 09:27:19 +03:00
Benjamin Herrenschmidt
49743df399 ui: Add dpy_gfx_check_format() to check backend shared surface support
This allows VGA to decide whether to use a shared surface based on
whether the UI backend supports the format or not. Backends that
don't provide the new callback fallback to native 32 bpp which
is equivalent to what was supported before.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

[ kraxel: fix console check, allow only 32 bpp as fallback ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-01-19 13:33:26 +01:00
Paolo Bonzini
31fc97c314 blizzard: do not depend on VGA internals
There is nothing that is used by this ARM-specific device.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-01-15 10:44:13 +03:00
Peter Maydell
b574f60268 cirrus hwcursor fixes.
set secondary-vga category.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUkEU5AAoJEEy22O7T6HE4zzYQAMcwGnfwzLzWRXtSqPAkwJpP
 2SWLZfrSJE2x4Jh19sVX1T8vQa2bPm5Rye2C3/LpqsK5lcBozXkzXBxr9b7Ps/lc
 1E4SJxekNmKpqSN6xwboXwrXo1du0ekOyOLDlMOTAIcUmUPTTn4qLhlCEdMaXwyB
 IAU9+3ZkjciPZ4bZLC9nz3kyZrRAXOkQ7XE3QcXIEAIxC6xVtkEu6ktEBiAEE09o
 +NLIgyZ0dwZeRQCueIhrvpaDfQXAFfR8HbvNNE3QQGZm+4424snt4JNFSOwuQ3Ny
 0cVQ02VaAmrUGO3l7GukKZwkXV9JCZBQL0cLUG74bOxQCnt/QAI+MyjZbtjF0FAR
 YzTgE05yIFRa6KNRujjrfBheq9xfz6BBQQaZPECy6XNd//NDGbm/nqk2JXGHxiYr
 Z2oSsxhXLVgV2Wznl95OasxrPzgTfSTMSYHsGAZEPCpJhfHIWqGTZnqpVcpyvsU7
 yHJtbzbv3n7EpD13LHPXkXBtH/ls23I+OQOfQWOLNDQ3OUOGxCMjuxIQbkNwnjVc
 RTI/qOKHuGvAIzZgZHNsBS6+5VMu20nhcbo6xT8OxFhEPb+hNfJEgOXppcU2baYA
 mpYvibnADjiWrR+/8Pf6Zn4PMRe6lV3wWRbBwzyK0DpnTFdQ2d/vqHaCz1f9YHME
 PsekZP7WAQxSg/pK9d9a
 =/o3d
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20141216-1' into staging

cirrus hwcursor fixes.
set secondary-vga category.

# gpg: Signature made Tue 16 Dec 2014 14:44:09 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vga-20141216-1:
  vga: set catagory bit for secondary vga device
  move hw cursor pos from cirrus to vga
  cirrus: Force use of shadow pixmap when HW cursor is enabled
  vga: Add mechanism to force the use of a shadow surface

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-12-17 19:22:42 +00:00
Gonglei
46817e86fc vga: set catagory bit for secondary vga device
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-16 15:14:42 +01:00
Gerd Hoffmann
22382bb96c move hw cursor pos from cirrus to vga 2014-12-16 15:14:42 +01:00
Benjamin Herrenschmidt
b9fd11b867 cirrus: Force use of shadow pixmap when HW cursor is enabled
The HW cursor cannot be painted on a shared surface. This fixes HW
cursor display in Windows NT 4.0 and Windows 98.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-16 15:14:42 +01:00
Benjamin Herrenschmidt
5508099397 vga: Add mechanism to force the use of a shadow surface
This prevents surface sharing which will be necessary to
fix cirrus HW cursor support.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-16 15:14:42 +01:00
Gerd Hoffmann
3dcadce507 spice: reduce refresh rate in native mode
Now that cursor updates are out of the way qxl needs the refresh timer
only when when running in vga mode, for dirty bitmap checking.  In
native qxl mode the guest will notify us, so we don't need to poll and
can use the idle interval (one refresh wakeup every few seconds).

Cc: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-16 14:15:29 +01:00
Gerd Hoffmann
0b2824e5e4 spice: use bottom half instead of refresh timer for cursor updates
Calling directly doesn't work due to the qxl-render code running in
spice server thread context.  Meanwhile bottom half scheduling is
thread-safe though, so we can use that to kick a cursor update in
main i/o thread context.

Cc: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-16 14:15:29 +01:00
Gerd Hoffmann
bf25983345 cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
This is CVE-2014-8106.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-12-01 10:25:46 +01:00
Gerd Hoffmann
d3532a0db0 cirrus: fix blit region check
Issues:
 * Doesn't check pitches correctly in case it is negative.
 * Doesn't check width at all.

Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.

This is CVE-2014-8106.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2014-12-01 10:25:12 +01:00
Gerd Hoffmann
bd9ccd8517 vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:30 +01:00
Gerd Hoffmann
61b41b4c20 vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-29 12:01:26 +01:00
Gerd Hoffmann
1735fe1edb vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:08 +01:00
Gerd Hoffmann
07258900fd vmware-vga: add vmsvga_verify_rect
Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:40:04 +01:00
Gerd Hoffmann
83afa38eb2 vmware-vga: CVE-2014-3689: turn off hw accel
Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
2014-10-28 10:39:58 +01:00
Peter Maydell
8f4699d873 Block patches
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJURPo5AAoJEH8JsnLIjy/WK1gP/2PhKD4lsjQ0O9TYlwu2aWCc
 eej/z2wp47996KAkhRgS4mf/E0FnPSh80cHV1wobPJfRSTPPNuGgrmhX+HLcjlPz
 fWb3qN6Ikneou1TYCO/r1wMwhPpE1GKjZmuHQcH3B27GW5cqx/s1sPCxqwDJJnYq
 oBbbcIGZGNYLHlyJvl88gBTkIHBs5/nxhzVnPnpQi6JqtGz8CAbo6e36A5RQCqyV
 RoYEe5Lif81lZpaTpYFsoUhOcH9YtQnKoUSdAnqtXtLO9fOHsn7/75hnmT4bs5CR
 p6UAiutN+jiUcRrlF//TK5TNlS7KvOAf+LirEURAY0j5IJNXh30/5x8hXzHJxb60
 eY6ePrhnbkPeLfg1Qh/7LJyi/W0cl2YN6I2oslnMUfcumu9Ns1FfsFrFpKtgT/yM
 fkjQEo7w9khKT+iZaOm1XaNDliUKZiG2wLhni6KYAGM2edmE8W7VCkjSTFcz/4eQ
 vn7G3T1OnglW1cSt0onTAKNWn2swh0lXOXv7iBupmiNoy+hafNwTa1eHw+jjvXeF
 3WdfMxT6fRKAQUC/hwVlvyeJcZyBMG11BuovX9gNgdx5/UpWJFjxHsEmbiP9TtkO
 CJ5dGi+PgM/fxLJj4IW0zSVSL+mnhQmQdtzksU+l4GBHuErXdkt9W61sOHHQJGTf
 NGIkh6DwV4VfFZd6bzf0
 =8BaC
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches

# gpg: Signature made Mon 20 Oct 2014 13:04:09 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (28 commits)
  block: Make device model's references to BlockBackend strong
  block: Lift device model API into BlockBackend
  blockdev: Convert qmp_eject(), qmp_change_blockdev() to BlockBackend
  block/qapi: Convert qmp_query_block() to BlockBackend
  blockdev: Fix blockdev-add not to create DriveInfo
  blockdev: Drop superfluous DriveInfo member id
  pc87312: Drop unused members of PC87312State
  ide: Complete conversion from BlockDriverState to BlockBackend
  hw: Convert from BlockDriverState to BlockBackend, mostly
  virtio-blk: Rename VirtIOBlkConf variables to conf
  virtio-blk: Drop redundant VirtIOBlock member conf
  block: Rename BlockDriverCompletionFunc to BlockCompletionFunc
  block: Rename BlockDriverAIOCB* to BlockAIOCB*
  block: Eliminate DriveInfo member bdrv, use blk_by_legacy_dinfo()
  block: Merge BlockBackend and BlockDriverState name spaces
  block: Eliminate BlockDriverState member device_name[]
  block: Eliminate bdrv_iterate(), use bdrv_next()
  blockdev: Eliminate drive_del()
  block: Make BlockBackend own its BlockDriverState
  block: Code motion to get rid of stubs/blockdev.c
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-22 16:39:49 +01:00
Peter Maydell
19f3772995 qxl: keep going if reaching guest bug on empty area
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUPlBRAAoJEEy22O7T6HE4JsUP/2h5qgXitZCQGuc3p4pR08IQ
 LGIAWKNVuCKJXexd4EqYaAeQBC6u49WyfTviyoFKEoKE2A4/1vQ447zrnkCNhHyX
 rngLT6QDUrMX2lSUvhohl1EIaXmfEB7Fhwb8yTRFnTDrN3KYASSmoIklo7L3kx7R
 z1LHRY04hyOqUtOUY4jYBXko0pQwA+wpX9LC1ZisLUCW6/VHctdYYF/rRPHrC5EH
 yRxRn6g0vfcgdZt583mrxJLZ8pVz6wBbveoIZ0R7ThIFI33PVFTwTZ4u4Q8Rb+gS
 +0pDwwfUFUazfK64Si2KKaeFxInTcelKrN45dVbukf0grHIbR1u+5JEo5+2ofVKJ
 h3BcDyJOBVny2lwxwW+jQdBaq8ARn9/6E6jB3vf947/DWwB71okkxWA8HeqWmlI6
 6M+8DczxmaZ6l5glpcnNKsY/RYYOVP9GyvoFomVQHnmFPozVlzzZDpuFDgnEJgSS
 PK4BZd8VvLLTpWD+8f4kIiY0wdpTuiloQO126zIar5jHfw/JT4/DFh2PuJObfmLd
 WugQ0v3j/CB0dQAi5eGHAv5eZp4H7ZsjwoKiTgpPLFjXFfntfU9cr0EFsyKX5sz4
 5mxcsjAEXs6/1z46PPZE98SDyNKubnKKsr85RyTEa7Jee0ou3oK+ATBRpDJsIyH8
 YxE3Zd/wYj0pmvqOhh4w
 =tb6i
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20141015-1' into staging

qxl: keep going if reaching guest bug on empty area

# gpg: Signature made Wed 15 Oct 2014 11:45:37 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/spice/tags/pull-spice-20141015-1:
  qxl: keep going if reaching guest bug on empty area

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-22 14:49:37 +01:00
Markus Armbruster
4be746345f hw: Convert from BlockDriverState to BlockBackend, mostly
Device models should access their block backends only through the
block-backend.h API.  Convert them, and drop direct includes of
inappropriate headers.

Just four uses of BlockDriverState are left:

* The Xen paravirtual block device backend (xen_disk.c) opens images
  itself when set up via xenbus, bypassing blockdev.c.  I figure it
  should go through qmp_blockdev_add() instead.

* Device model "usb-storage" prompts for keys.  No other device model
  does, and this one probably shouldn't do it, either.

* ide_issue_trim_cb() uses bdrv_aio_discard() instead of
  blk_aio_discard() because it fishes its backend out of a BlockAIOCB,
  which has only the BlockDriverState.

* PC87312State has an unused BlockDriverState[] member.

The next two commits take care of the latter two.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-20 14:02:25 +02:00
Markus Armbruster
fa1d36df74 block: Eliminate DriveInfo member bdrv, use blk_by_legacy_dinfo()
The patch is big, but all it really does is replacing

    dinfo->bdrv

by

    blk_bs(blk_by_legacy_dinfo(dinfo))

The replacement is repetitive, but the conversion of device models to
BlockBackend is imminent, and will shorten it to just
blk_legacy_dinfo(dinfo).

Line wrapping muddies the waters a bit.  I also omit tests whether
dinfo->bdrv is null, because it never is.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-20 13:41:27 +02:00
Peter Maydell
9879232543 hw/display/vga: Remove unused arrays dmask4 and dmask16
Following cleanup of the vga device code in commit d2e043a804,
the arrays dmask4 and dmask16 are now unused. gcc doesn't warn
about this, but clang does; remove them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15 11:10:50 +02:00
Gerd Hoffmann
b5682aa4ca vga-pci: add qext region to mmio
Add a qemu extented register range to the standard vga mmio bar.
Right nowe there are two registers:  One readonly register returning the
size of the region (so we can easily add more registers there if needed)
and one endian control register, so guests (especially ppc) can flip
the framebuffer endianness as they need it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-10-15 11:08:35 +02:00
Marc-André Lureau
9e5a25f1c2 qxl: keep going if reaching guest bug on empty area
Xorg server hangs when using xfig and typing a text with space:
 #0  qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_io.c:47
 #1  0x00007f826a49a299 in qxl_download_box (surface=0x221d030, x1=231, y1=259,
     x2=<value optimized out>, y2=<value optimized out>) at qxl_surface.c:143

       while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD))
         usleep (1);

The QXL driver is calling QXL_IO_UPDATE_AREA with an empty area. This
is a guest bug. The call is async and no ack is sent back on guest
bug, so the X server will hang. The driver should be improved to avoid
this situation and also to abort on QXL_INTERRUPT_ERROR. This will be
a different patch series for the driver. However, it is simple enough
to keep qemu running on empty areas update, which is what this patch
provides.

https://bugzilla.redhat.com/show_bug.cgi?id=1151363

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15 11:08:34 +02:00
Benjamin Herrenschmidt
c3b1060514 vga: Add endian to vmstate
Include the endian state in the migration stream as an optional
subsection which we only include when the endian isn't the default,
thus enabling backward compatibility of the common case.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

Changes by kraxel:
 * Remove bochs dispi interface changes.  We'll do that in
   a different way to make sure we don't conflict with
   possible future bochs dispi interface changes.
 * keep live migration bits.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
2c7d8736af vga: Make fb endian a common state variable
And initialize it based on target endian

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
e657d8ef3c vga: Rename vga_template.h to vga-helpers.h
It's no longer a template, we only instanciate the file once.

Keep it a #included file so the functions remain static.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
ace89b8ff2 vga: Remove some "should be done in BIOS" comments
Not all platforms have a VGA BIOS, powerpc typically relies on
using the DISPI interface to initialize the card.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
70a041fe2c cirrus: Remove non-32bpp cursor drawing
We only draw cursor on non-shared surfaces (so it seems...) and
these are always 32bpp

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
2c79f2a2ec vga: Simplify vga_draw_blank() a bit
The test for surface_bits_per_pixel() isn't necessary anymore,
the 8bpp case never happens.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
d3c2343af0 vga: Remove rgb_to_pixel indirection
We always use rgb_to_pixel32 nowadays.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
46c3a8c8eb vga: Separate LE and BE conversion functions
Provide different functions for converting from an LE vs a BE
framebuffer. We cannot rely on the simple cases always being
shared surfaces since cirrus will need to always shadow for
cursor emulation, so we need the full set of functions to
be able to later handle runtime switching.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>\
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
d2e043a804 vga: Remove remainder of old conversion cruft
All the macros used to generate different versions of vga_template.h
are now unnecessary, take them all out and remove the _32 suffix from
most functions.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Benjamin Herrenschmidt
9e057c0b09 vga: Start cutting out non-32bpp conversion support
Nowadays, we either share a surface with the host, or we create
a 32bpp ARGB console surface.

So we only need to draw/convert to 32bpp, enabling us to remove
all but one instance of vga_template.h inclusion (to be further
cleaned up), rgb_to_pixel_* etc...

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
2014-09-30 13:34:09 +02:00
Peter Maydell
29429c7244 target-arm:
* more EL2/EL3 preparation work
  * don't handle c15_cpar changes via tb_flush()
  * fix some unused function warnings in ARM devices
  * build the GDB XML for 32 bit CPUs into qemu-*-aarch64
  * implement guest breakpoint support
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJUKaQhAAoJEDwlJe0UNgzeDcQQAKwLgp/Z3G+uZ8r3eh/J1iJ7
 RRfkiM9WqM92sZ6VvS6bJ48Q8ESiSF1csk2PKW1tuDx2pbpAG6MDJvFs//YLZWx2
 gsSGZJ8grlvEZ/Tv10iJ5ttU1vOWicbw5FgvIrdel/94wr/gChvu64p2DIrXDslD
 GPbr5wVNb/XXa3HuUNX66L2soxpf+YJc2fGunycp0aRRbBL8G+4dnPAt89iVFN2R
 PGo/VL2qSGmyTpUk7JSQK12YBE/4BFNu+8KUgiUqVS1rIan8NkVU97VVKRlcd6e9
 wl5s0Bb1sAow6hZMoNpnXPnDD8LF3w1SCXPM3mLUq4/iO8t2uuITq89UCNsjFrYy
 QRkSq6PC0MLry+31Bfw9loDbEHMxs2fMwCQCJEdtVfZgHY/bRXAPLU/0luwvnPRU
 gofqBtypakRzJpaDjA/y0KapaMtJr0KOrlcbntNztPFOf4X9QtGZaQ2fzrAfxtSR
 7VbHdXKAwmWN2Q4r4GE0ixA0eCZWS9ji87LHv380pPkuOaYnoRq+A1KQlypkRnNr
 ifR/Iz6QXB1GPFpbUiyh9WIltIIS4mwsOi/Y0rS7dGc40okItceb+ezulCNDPKNZ
 IX+XDR5YFEKxWzoklMgLLZPFPjxSRKMNG6Grpowl+PH+fFsBz4hObkFMn2zajn8g
 zp0lcq++iyjIE/GNkBXw
 =LA6N
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140929' into staging

target-arm:
 * more EL2/EL3 preparation work
 * don't handle c15_cpar changes via tb_flush()
 * fix some unused function warnings in ARM devices
 * build the GDB XML for 32 bit CPUs into qemu-*-aarch64
 * implement guest breakpoint support

# gpg: Signature made Mon 29 Sep 2014 19:25:37 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"

* remotes/pmaydell/tags/pull-target-arm-20140929:
  target-arm: Add support for VIRQ and VFIQ
  target-arm: Add IRQ and FIQ routing to EL2 and 3
  target-arm: A64: Emulate the SMC insn
  target-arm: Add a Hypervisor Trap exception type
  target-arm: A64: Emulate the HVC insn
  target-arm: A64: Correct updates to FAR and ESR on exceptions
  target-arm: Don't take interrupts targeting lower ELs
  target-arm: Break out exception masking to a separate func
  target-arm: A64: Refactor aarch64_cpu_do_interrupt
  target-arm: Add SCR_EL3
  target-arm: Add HCR_EL2
  target-arm: Don't handle c15_cpar changes via tb_flush()
  hw/input/tsc210x.c: Delete unused array tsc2101_rates
  hw/display/pxa2xx_lcd.c: Remove unused function pxa2xx_dma_rdst_set
  hw/intc/imx_avic.c: Remove unused function imx_avic_set_prio()
  hw/display/blizzard.c: Delete unused function blizzard_rgb2yuv
  configure: Build GDB XML for 32 bit ARM CPUs into qemu aarch64 binaries
  target-arm: Implement handling of breakpoint firing
  target-arm: Implement setting guest breakpoints

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-09-30 11:02:06 +01:00
Peter Maydell
6ac285b824 hw/display/pxa2xx_lcd.c: Remove unused function pxa2xx_dma_rdst_set
The function pxa2xx_dma_rdst_set() is unused; delete it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1410723223-17711-4-git-send-email-peter.maydell@linaro.org
2014-09-29 18:48:47 +01:00
Peter Maydell
65731d1c3e hw/display/blizzard.c: Delete unused function blizzard_rgb2yuv
The function blizzard_rgb2yuv() is unused; delete it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1410723223-17711-2-git-send-email-peter.maydell@linaro.org
2014-09-29 18:48:47 +01:00
Gerd Hoffmann
151623353f qxl: use graphic_console_set_hwops
Simply switch function pointers when entering/leaving vga mode.
Allows to remove wrapper functions which do nothing but dispatch
calls depending on the current qxl mode.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-09-29 10:20:09 +02:00
Mark Cave-Ayland
55d7bfe229 tcx: Implement hardware acceleration
The S24/TCX framebuffer is a mildly accelerated video card with
blitter, stippler and hardware cursor.

* Solaris and NetBSD 6.x use all the hardware acceleration features
* The Xorg driver (used by Linux) can use the hardware cursor only

This patch implements hardware acceleration in both 8 bit and 24 bit
modes. It is based on the NetBSD driver sources and from tests with
Solaris.

Signed-off-by: Olivier Danet <odanet@caramail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2014-09-23 22:23:14 +01:00
Peter Maydell
2b31cd4e08 - Memory: improve error reporting and avoid crashes on hotplug
- Build: fixing block/iscsi.so and ranlib warnings on Mac OS X
 - Migration fixes for x86
 - The odd KVM patch.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJUEXeWAAoJEBvWZb6bTYby4AwP/0Hh55A7QzkkzZ66y65zM+G5
 dsgRcLjufHSRQHoNQqm6LOcicV3Ygc/X644EY6jnZCZxFh/fsWuTPqUDGxLAnxEc
 2V0PkLRIScAMOPezzxvRy6/9hkG+UYM3ZOL5D9yxA9pGuBtttw7tkts19Vqf9WZc
 NYG5TBDuEGM1c596Zpo7t10m+Oiw+Jyi5luLXsb4lh5ikdFPDrtJaf0AnFvR+ym0
 HXlj2K/0vHNowUeLoo+oWnZsW8mLE6OyJhgfo1tJtsH1BR+lQJnBnQ4moq4Sl/Wz
 +iht/4gtz34XwLILokFR6yiNrPe+MIryyv+FYxOD5loIdGVDtKMx30UkIE2/D933
 6/n5i3GBLi9JapeT9gkKTxk/UVRPzJ1PK07RWevgNZNQyTGKAUGp+p48nSzMYX7V
 7GFSy3Q8uqOR8g9n+t+RURxkoMNbhhw7v53Z3PPXPCALCMDzg9RARlW/nkfiExcZ
 oThUjE/8xfMTQlN1SO5HTyQXEkYjtknZhfC7/KFvkWYMbCG0KBTf212Md0zlTNkj
 +C6r8Gq4ZWVIc07QyKkoCMxB+a9Uhvy4T1PKuSlm6iu94zUgZRhdf/PlOXimhFqH
 9GL67Tv15kpj05xCS6jDXjeMZ416/UKw91OcsiT1UUHcq7/rc+GBycd0ngV1UgnQ
 di5V12IVt8JwdzFxMeCT
 =GIKW
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

- Memory: improve error reporting and avoid crashes on hotplug
- Build: fixing block/iscsi.so and ranlib warnings on Mac OS X
- Migration fixes for x86
- The odd KVM patch.

# gpg: Signature made Thu 11 Sep 2014 11:21:10 BST using RSA key ID 9B4D86F2
# gpg: Good signature from "Paolo Bonzini <pbonzini@redhat.com>"
# gpg:                 aka "Paolo Bonzini <bonzini@gnu.org>"

* remotes/bonzini/tags/for-upstream: (21 commits)
  gdbstub: init mon_chr through qemu_chr_alloc
  pckbd: adding new fields to vmstate
  mc146818rtc: add missed field to vmstate
  piix: do not set irq while loading vmstate
  serial: fixing vmstate for save/restore
  parallel: adding vmstate for save/restore
  fdc: adding vmstate for save/restore
  cpu: init vmstate for ticks and clock offset
  apic_common: vapic_paddr synchronization fix
  vl: use QLIST_FOREACH_SAFE to visit change state handlers
  exec: add parameter errp to gethugepagesize
  exec: report error when memory < hpagesize
  hostmem-ram: don't exit qemu if size of memory-backend-ram is way too big
  memory: add parameter errp to memory_region_init_rom_device
  memory: add parameter errp to memory_region_init_ram
  exec: add parameter errp to qemu_ram_alloc and qemu_ram_alloc_from_ptr
  rules.mak: Fix DSO build by pulling in archive symbols
  util: Don't link host-utils.o if it's empty
  util: Move general qemu_getauxval to util/getauxval.c
  trace: Only link generated-tracers.o with "simple" backend
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-09-12 16:55:49 +01:00
Peter Maydell
0dfa7e3012 console: pixman switchover continued, add some infrastructure to make it
easier using pixman in display device emulation.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJUCbzxAAoJEEy22O7T6HE4NVIP/1Yw+ieyOxFmWZXFM0JA1EFq
 GP3CUWiu9RTVQXwDeOGwavRlC+feX4iNuyQVmhrLbKkrraWTxaz4qE/wdLzSTptR
 JngyGa6lC2rwFYIenEvRRHu//uemow3sGWLCvaADZeeJfm10BKA6qDu7KaaoAxUH
 DcfycPZH8lbJc8TFUhGQs98VWYG1jFLnmprgeSwrC5YuqjhXDFAMZ+coV7WbZQ8X
 x7HOHe7gPLDUscezhsEuhZM670ZBtuaRGHUQO88ugXUp2+W37aJym4g9ZURw8Q7E
 At9mzF051M09WLgRLNf96RjFdCoMwfXkUqhqi4pOsRGkJ3vMdcBQAB6CEtIkeLfH
 iiO4jf4oNclhYxZcPRnfSW0LkSpk65LPTUCsVyi2V49S2QGosll8WtvZ8s2EQ0PU
 dnnBxvphy9m/HSkUwWwuoDnIYoivaWqU4O0w9qX+F9N9Ndy62Ay8FP46rir/XpnK
 ZmHWOl/jYJ2SkyjugoPlLnTUySPxcQ7PA/rKIqCQi6v2Swpf12JKqNMywt5mEata
 fV4eDZrvmQY63j/zuZE0bUZL2IYqlgLEWvkqy9qhSMySDs9X4qaE+hOyGTipM7EI
 oeYdZsBCPZP8SpVsC9SaHX8a+ONr2Ajb3Wa5uwyQjcHmMpq7DzmjDKdageTodYQz
 p8b42rujs1wCqk47/8Ka
 =TZHU
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-console-20140905-2' into staging

console: pixman switchover continued, add some infrastructure to make it
         easier using pixman in display device emulation.

# gpg: Signature made Fri 05 Sep 2014 14:38:57 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-console-20140905-2:
  console: Remove unused QEMU_BIG_ENDIAN_FLAG
  console: add qemu_pixman_linebuf_copy
  console: add dpy_gfx_update_dirty
  console: add qemu_create_displaysurface_guestmem
  console: stop using PixelFormat
  console: reimplement qemu_default_pixelformat
  console: add qemu_default_pixman_format
  console: add qemu_pixelformat_from_pixman

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-09-11 11:44:17 +01:00
Hu Tao
49946538d2 memory: add parameter errp to memory_region_init_ram
Add parameter errp to memory_region_init_ram and update all call sites
to pass in &error_abort.

Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-09-09 13:41:43 +02:00
Gerd Hoffmann
30f1e661b6 console: stop using PixelFormat
With this patch the qemu console core stops using PixelFormat and pixman
format codes side-by-side, pixman format code is the primary way to
specify the DisplaySurface format:

 * DisplaySurface stops carrying a PixelFormat field.
 * qemu_create_displaysurface_from() expects a pixman format now.

Functions to convert PixelFormat to pixman_format_code_t (and back)
exist for those who still use PixelFormat.   As PixelFormat allows
easy access to masks and shifts it will probably continue to exist.

[ xenfb added by Benjamin Herrenschmidt ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-09-05 13:27:11 +02:00
Gerd Hoffmann
c1b886c45d vbe: rework sanity checks
Plug a bunch of holes in the bochs dispi interface parameter checking.
Add a function doing verification on all registers.  Call that
unconditionally on every register write.  That way we should catch
everything, even changing one register affecting the valid range of
another register.

Some of the holes have been added by commit
e9c6149f6a.  Before that commit the
maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES *
32 bpp) has been smaller than the qemu vga memory (8MB) and the checking
for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok.

Some of the holes have been there forever, such as
VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes
lacking any verification.

Security impact:

(1) Guest can make the ui (gtk/vnc/...) use memory rages outside the vga
frame buffer as source  ->  host memory leak.  Memory isn't leaked to
the guest but to the vnc client though.

(2) Qemu will segfault in case the memory range happens to include
unmapped areas  ->  Guest can DoS itself.

The guest can not modify host memory, so I don't think this can be used
by the guest to escape.

CVE-2014-3615

Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2014-09-04 08:23:14 +02:00
Gerd Hoffmann
54a85d4624 vbe: make bochs dispi interface return the correct memory size with qxl
VgaState->vram_size is the size of the pci bar.  In case of qxl not the
whole pci bar can be used as vga framebuffer.  Add a new variable
vbe_size to handle that case.  By default (if unset) it equals
vram_size, but qxl can set vbe_size to something else.

This makes sure VBE_DISPI_INDEX_VIDEO_MEMORY_64K returns correct results
and sanity checks are done with the correct size too.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2014-09-04 08:22:48 +02:00
Gerd Hoffmann
503b3b33fe qxl-render: add more sanity checks
Damn, the dirty rectangle values are signed integers.  So the checks
added by commit 788fbf042f are not good
enough, we also have to make sure they are not negative.

[ Note: There must be something broken in spice-server so we get
  negative values in the first place.  Bug opened:
  https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ]

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-09-01 10:19:03 +02:00
Paolo Bonzini
d8d9581460 memory: convert memory_region_destroy to object_unparent
Explicitly call object_unparent in the few places where we
will re-create the memory region.  If the memory region is
simply being destroyed as part of device teardown, let QOM
handle it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-08-18 12:06:20 +02:00
Paolo Bonzini
ad37168cbd vga: do not dynamically allocate chain4_alias
Instead, add a boolean variable to indicate the presence of the region.
This avoids a repeated malloc/free (later we can also avoid the
add_child/unparent by changing the offset/size of the alias).

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-08-17 23:25:24 +02:00
Benjamin Herrenschmidt
d16136d22a cirrus: Fix host CPU blits
Commit b2eb849d4b
"CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow" broke
cpu to video blits.

When the ROP function is called from cirrus_bitblt_cputovideo_next(),
we pass 0 for the pitch but only operate on one line at a time. The
added test was tripping because after the initial substraction, the
pitch becomes negative. Make the test only trip when the height is
larger than one (ie. the pitch is actually used).

This fixes HW cursor support in Windows NT4.0 (which otherwise was
a white rectangle) and general display of icons in that OS when using
8bpp mode.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-07-11 10:17:02 +02:00
Benjamin Herrenschmidt
e8ee4b68be cirrus: Fix build of debug code
Use PRIu64 to print uint64_t

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-07-11 10:17:01 +02:00
Gonglei
f61d82c2df cirrus_vga: adding sanity check for vram size
when configure a invalid vram size for cirrus card, such as less
2 MB, which will crash qemu. Follow the real hardware, the cirrus
card has 4 MB video memory. Also for backward compatibility, accept
8 MB and 16 MB vram size.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-07-11 10:17:01 +02:00
Stefano Stabellini
643f593224 xen: build on ARM
Collection of fixes to build QEMU with Xen support on ARM:
- use xenstore_read_fe_uint64 to retrieve the page-ref (xenfb);
- use xen_pfn_t instead of unsigned long in xenfb;
- unsigned long/xenpfn_t in xen_remove_from_physmap;
- in xen-mapcache.c use HOST_LONG_BITS to check for QEMU's address space
size.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2014-07-07 10:37:40 +00:00
Gerd Hoffmann
e8e23b7dcf spice: fix 32bit build
Tested-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1403244764-8622-1-git-send-email-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-06-20 16:22:07 +01:00
Juan Quintela
d49805aeea savevm: Remove all the unneeded version_minimum_id_old (x86)
After previous Peter patch, they are redundant.  This way we don't
assign them except when needed.  Once there, there were lots of case
where the ".fields" indentation was wrong:

     .fields = (VMStateField []) {
and
     .fields =      (VMStateField []) {

Change all the combinations to:

     .fields = (VMStateField[]){

The biggest problem (appart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.

Signed-off-by: Juan Quintela <quintela@redhat.com>
Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2014-06-16 04:55:26 +02:00
Gerd Hoffmann
788fbf042f qxl-render: add sanity check
Verify dirty rectangle is completely within the primary surface,
just ignore it in case it isn't.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-06-13 12:34:57 +02:00
Gerd Hoffmann
5643fc012c spice: add mouse cursor support
So you'll have a mouse pointer when running non-qxl gfx cards with
mouse pointer support (virtio-gpu, IIRC vmware too).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-06-13 12:34:57 +02:00
Nicolas Owens
e2bb4ae746 hw: vmware_vga: don't return cursorx when the driver asks for cursory register
hello qemu-*@nongnu.org, this is my first contribution. apologies if
something is incorrect.

this patch fixes vmware_vga.c so that it actually returns the cursory
register when asked for, instead of cursorx.

Signed-off-by: Nicolas Owens <mischief@offblast.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10 20:06:48 +04:00
Peter Maydell
50809c8b92 Merge remote-tracking branch 'remotes/mcayland/qemu-sparc' into staging
* remotes/mcayland/qemu-sparc:
  apb: implement IOMMU translation for PCI host bridge
  apb: handle reading/writing of IOMMU control registers
  apb: fix IOMMU register sizes
  apb: Move IOMMU registers into a separate IOMMUState struct
  tcx: move initialisation from realizefn to initfn
  tcx: move initialisation from SysBusDevice class to TCX class realizefn
  cg3: add extra check to prevent CG3 register array overflow
  cg3: move initialisation from realizefn to initfn

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-06-05 23:05:07 +01:00
Mark Cave-Ayland
01b91ac2be tcx: move initialisation from realizefn to initfn
Initialisation cleanup as suggested by Andreas.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Andreas Färber <afaerber@suse.de>
2014-06-05 20:51:57 +01:00
Mark Cave-Ayland
d4ad9dec14 tcx: move initialisation from SysBusDevice class to TCX class realizefn
This is an intermediate step to bring TCX in line with CG3.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Andreas Färber <afaerber@suse.de>
2014-06-05 20:51:45 +01:00
Mark Cave-Ayland
366d4f7e00 cg3: add extra check to prevent CG3 register array overflow
The case statements in the CG3 read and write register routines have a maximum
value of CG3_REG_SIZE, so if a value were written to this offset then it
would overflow the register array.

Currently this cannot be exploited since the MemoryRegion restricts accesses
to the range 0 ... CG3_REG_SIZE - 1, but it seems worth clarifying this for
future review and/or static analysis.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Paolo Bonzini <pbonzini@redhat.com>
2014-06-05 20:51:30 +01:00
Mark Cave-Ayland
e09c49f40d cg3: move initialisation from realizefn to initfn
Initialisation cleanup as suggested by Andreas.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Andreas Färber <afaerber@suse.de>
2014-06-05 20:51:19 +01:00
Paolo Bonzini
0983979b3a hw: use ld_p/st_p instead of ld_raw/st_raw
The ld_raw and st_raw definitions are only needed in code that
must compile for both user-mode and softmmu emulation.  Device
models can use the equivalent ld_p/st_p which are simple
pointer accessors.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-06-05 16:04:17 +02:00
Peter Maydell
052367ba85 target-arm:
* Preliminary restructuring for EL2/EL3 support
  * improve CPACR handling
  * fix pxa2xx_lcd palette formats
  * update highbank/midway maintainer
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABCAAGBQJThLyzAAoJEDwlJe0UNgze9JMP/3Lh+Y9nv78cBgyJJkvv2i/q
 H536WftDQarcBEHFf7aFqIMWWkDiDPAwMrB8SCn7zpLW/yBEAulo5e2mO4QLOUm6
 JZMflGqDM1l0nz2XgJPW8y9ySPjxbmZISA+DB1QrNeG6n1HMRiBPCnnYTWIh9ju7
 QiBRUW50GWQpWzWUyVQl4cWfHmHfjZCt+1GBUX2znsZplTzK7CvMot2qIxata+jn
 8PaXbkE/GQp+0tmPgQ8lF4j2OEhVqRbIqzCM0R23aQVl9SLi4ZyudPsBFEtStj82
 gezCF3Xv9zHvCy72+h+u///Wu+uh/PtMCxPUlTATLDF0W8jjJvFf/6n1G09Qo6Qa
 qIsFm9gJ1aW9iqE/H96HzGKK3f1k8dOTw1XDHyC7Xr4E8RAVeBOQVKC41PjZ/GKE
 BTDNeD6jJkyBvZsePIz8C+Km3XZYkndn6EAR13itwOls1yKHzV0IzG/NLHAQNxoj
 4UbsvaED4H9Hn925y8DrQqhfrkj0+KjwF+Ggi0AT8rOJnmDKJCEc3oz6+A1yiIEt
 BcHW4HJ13uyKz8bbOk4ikxNUysiMwLfXwxFLw3kpbjtS33QmYauO56Q/ju/vogC+
 Aali9VtrUmirpVVJi3ZmSjj4y8LyoaHOzzbsVFjuzajstxK1fy51SmNg4NIBcMnK
 1DUOZBmoktKhaobawWtA
 =oYff
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140527' into staging

target-arm:
 * Preliminary restructuring for EL2/EL3 support
 * improve CPACR handling
 * fix pxa2xx_lcd palette formats
 * update highbank/midway maintainer

# gpg: Signature made Tue 27 May 2014 17:26:27 BST using RSA key ID 14360CDE
# gpg: Can't check signature: public key not found

* remotes/pmaydell/tags/pull-target-arm-20140527: (26 commits)
  target-arm: A64: Register VBAR_EL3
  target-arm: A64: Register VBAR_EL2
  target-arm: Make vbar_write writeback to any CPREG
  target-arm: A64: Generalize update_spsel for the various ELs
  target-arm: A64: Generalize ERET to various ELs
  target-arm: A64: Trap ERET from EL0 at translation time
  target-arm: A64: Forbid ERET to higher or unimplemented ELs
  target-arm: Register EL3 versions of ELR and SPSR
  target-arm: Register EL2 versions of ELR and SPSR
  target-arm: Add a feature flag for EL3
  target-arm: Add a feature flag for EL2
  target-arm: A64: Introduce aarch64_banked_spsr_index()
  target-arm: Add SPSR entries for EL2/HYP and EL3/MON
  target-arm: A64: Add ELR entries for EL2 and 3
  target-arm: A64: Add SP entries for EL2 and 3
  target-arm: c12_vbar -> vbar_el[]
  target-arm: Make esr_el1 an array
  target-arm: Make elr_el1 an array
  target-arm: Use a 1:1 mapping between EL and MMU index
  target-arm: A32: Use get_mem_index for load/stores
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-28 15:00:33 +01:00
Peter Maydell
fc37b7a0b0 hw/display/pxa2xx_lcd: Fix 16bpp+alpha and 18bpp+alpha palette formats
The pxa2xx palette entry "16bpp plus transparency" format is
xxxxxxxTRRRRR000GGGGGG00BBBBB000, and "18bpp plus transparency" is
xxxxxxxTRRRRRR00GGGGGG00BBBBBB00.

Correct errors in the code for reading these and converting
them to the internal format. In particular, the buggy code
was attempting to mask out bit 24 of a uint16_t, which
Coverity spotted as an error.

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1400233901-31785-1-git-send-email-peter.maydell@linaro.org
2014-05-27 17:09:49 +01:00
Saravanakumar
e35f29ded3 jazz_led: Add missing break in switch case
Signed-off-by: Saravanakumar <saravanakumar.punith@gmail.com>
Reviewed-by: Paolo Bonizni <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-24 00:07:56 +04:00
Peter Maydell
895527eea5 migration/next for 20140515
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJTdBkpAAoJEPSH7xhYctcj5jAQAJKiJ/43TBk0S0wlpoPjw1yA
 WSC/oJ2yvf+i6EndJPdnxIA/3K3s7suRFBJVYwLVnGJTUZ6gwGcI7cc/EX/iK0vf
 1Ffv/RAuh3nkohFw1ZMLQGqACFskSer0K1wZgQg+YjiJRPzzpVOpaAVm3+c04LRN
 AjO9LTqudi2pFaDHfGQMFES3j/5+h2srdad7YLMu4h/17SLtcowO7Yf7GT+GHRyD
 c3OHcL6vNoCKkIJQULC8X5czh6zapQZG3SRZ/nLt58yjEyVuq4L2cNRA/614K+5b
 1YLz4dX6slj8y17tg8On60emU0Sdu4mOws9HtYSytfmEu045iuF+Wr4kNjO74UGd
 NnnjD1pdnuF7356pz87PiVBf7qer5yrv+Bog1KRUwn3ETFqpSOMiKJo0JAGBMKdN
 w6Mbkg9C7IR62OfmM5157Mj2Xd681GImNiYzerBMfuFAWk5XsMxuz9Xh03I7WpzS
 ASow6SCBIr7bsiKENV7twuz1mIQclsYWXaVt8ldH8bMsTCqiefVeDs4o6A3Na+WC
 LztUHzlhVLZU92uJDiIsyQnwmsw032RjhKY9sV/NMa5HLAhF/zZLcn1OfXshrv8t
 mVnWngGbY185kml0GmLu9TSnSCBSD8lcwZlRA9JVyxfusxElJUOrQzKzvu69Rn6U
 XBWPBwppnDQ0MjOgSZD+
 =gg8m
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140515' into staging

migration/next for 20140515

# gpg: Signature made Thu 15 May 2014 02:32:25 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20140515:
  usb: fix up post load checks
  migration: show average throughput when migration finishes
  savevm: Remove all the unneeded version_minimum_id_old (rest)
  savevm: Remove all the unneeded version_minimum_id_old (usb)
  Split ram_save_block
  arch_init: Simplify code for load_xbzrle()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-15 17:29:03 +01:00
Juan Quintela
35d08458a9 savevm: Remove all the unneeded version_minimum_id_old (rest)
After previous Peter patch, they are redundant.  This way we don't
assign them except when needed.  Once there, there were lots of case
where the ".fields" indentation was wrong:

     .fields = (VMStateField []) {
and
     .fields =      (VMStateField []) {

Change all the combinations to:

     .fields = (VMStateField[]){

The biggest problem (appart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.

Signed-off-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-14 15:24:51 +02:00
Juan Quintela
8f1e884b38 savevm: Remove all the unneeded version_minimum_id_old (arm)
After commit 767adce2d, they are redundant.  This way we don't assign them
except when needed.  Once there, there were lots of cases where the ".fields"
indentation was wrong:

     .fields = (VMStateField []) {
and
     .fields =      (VMStateField []) {

Change all the combinations to:

     .fields = (VMStateField[]){

The biggest problem (apart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.

Signed-off-by: Juan Quintela <quintela@redhat.com>
[PMM: fixed minor conflict, corrected commit message typos]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-13 16:09:35 +01:00
Peter Maydell
c9541f67df migration/next for 20140505
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJTZ/QsAAoJEPSH7xhYctcjJ4wP/31lNMpPLxdRpxpUoTPK39L0
 zEoBTUH5dzG2FG34p8/znNH0Lbmc3GALqP9UzyM0sL3QU0EDwqAP0idLJ/8zHrYN
 ZNJnNH6wexlpEypAsyQiayAFYAq6bc3hYtnEurN56dQgPVgb6jCicuOAt26JafLg
 xuGIuencgaEFZaIb8iobxloqDX9raoq0+JfnoV8r02+ES+PG+HHfZsAlbDiWpj/Z
 o06WBq9Xvf8X/zvuGHb9PCLGK36+kxPJ2G2531TJGZ6BjjewDExF2xlQH+PQ8pQB
 d2OKCP0In66JfyLu6JBz21APrks7DJxsuenvoqPhxhtlIcBSm+grZElNLbccDMLQ
 3fteWOCcri5WSwKNAkZ138D5SzIArZFBlqD9qW0GQsiaj3tCxfy162JAmzRPa94i
 R5OJCTDclwjCH6JvRsOs8NrQyYcXHcEl2rfeymfr68YOH5XBMeRPhcR91tVr03ow
 ZVgvwC/TJHntKnW+qtGIOa9Wfq4KghjddD37ayPAqKM/GQ0TV2sAPEr2htDaBZ0l
 5O/YGsAZPKax72OnMR2ObqoIMokympeanQLxG3Q8VKQSU2c+aU3rGVQrG1juiVYw
 NiC/nzarFzFWU8UYToXIu2QBDTde2vuRLX/myzL7L4OLavOcv8EXZBp60DP/bktE
 Pd+jdeLMh9kWu1tFrE8F
 =VoYL
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' into staging

migration/next for 20140505

# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20140505: (36 commits)
  migration: expose xbzrle cache miss rate
  migration: expose the bitmap_sync_count to the end
  migration: Add counts of updating the dirty bitmap
  XBZRLE: Fix one XBZRLE corruption issues
  migration: remove duplicate code
  Coverity: Fix failure path for qemu_accept in migration
  Init the XBZRLE.lock in ram_mig_init
  Provide init function for ram migration
  Count used RAMBlock pages for migration_dirty_pages
  Make qemu_peek_buffer loop until it gets it's data
  Disallow outward migration while awaiting incoming migration
  virtio: validate config_len on load
  virtio-net: out-of-bounds buffer write on load
  openpic: avoid buffer overrun on incoming migration
  ssi-sd: fix buffer overrun on invalid state load
  savevm: Ignore minimum_version_id_old if there is no load_state_old
  usb: sanity check setup_index+setup_len in post_load
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
  virtio-scsi: fix buffer overrun on invalid state load
  zaurus: fix buffer overrun on invalid state load
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07 14:51:21 +01:00
Michael S. Tsirkin
ead7a57df3 ssd0323: fix buffer overun on invalid state load
CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
Kirill Batuzov
848696bf35 PortioList: Store PortioList in device state
PortioList is an abstraction used for construction of MemoryRegionPortioList
from MemoryRegionPortio. It can be used later to unmap created memory regions.
It also requires proper cleanup because some of the memory inside is allocated
dynamically.

By moving PortioList ot device state we make it possible to cleanup later and
avoid leaking memory.

This change spans several target platforms.  The following testcases cover all
changed lines:
  qemu-system-ppc -M prep
  qemu-system-i386 -vga qxl
  qemu-system-i386 -M isapc -soundhw adlib -device ib700,id=watchdog0,bus=isa.0

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05 20:58:33 +02:00
Gerd Hoffmann
63e3e24db2 vga: add secondary stdvga variant
Add a standard vga variant which doesn't occupy any legacy
resources and thus can easily be used as secondary (or legacy-free)
graphics adapter.  Programming must be done using the MMIO bar.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-28 11:03:32 +02:00
Gerd Hoffmann
e2bbfc8ee2 vga: allow non-global vmstate
Need a way to opt-out from vga.vram being global vmstate, for
secondary vga cards.  Add a bool parameter to vga_common_init
to support this.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-04-28 10:21:55 +02:00
Peter Lieven
2f487a3d40 ui/vnc: fix vmware VGA incompatiblities
this fixes invalid rectangle updates observed after commit 12b316d
with the vmware VGA driver. The issues occured because the server
and client surface update seems to be out of sync at some points
and the max width of the surface is not dividable by
VNC_DIRTY_BITS_PER_PIXEL (16).

Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-03-18 08:21:24 +01:00
Peter Crosthwaite
1a7d9ee6dd ssi: Convert legacy SSI_SLAVE -> DEVICE casts
Convert legacy ->qdev style casts from TYPE_SSI_SLAVE to TYPE_DEVICE.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
[AF: Introduce local DeviceState variable for transition to QOM realize]
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-03-12 20:13:02 +01:00
Andreas Färber
80aaa0741f xenfb: Fix graphic_console_init() build failure
In commit 5643706a09 (console: add head
to index to qemu consoles.) graphic_console_init() was extended to take
an additional argument, but xenfb was not updated accordingly. Fix it.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1394228528-31625-1-git-send-email-afaerber@suse.de
2014-03-08 11:27:00 +00:00
Gerd Hoffmann
5643706a09 console: add head to index to qemu consoles.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-03-05 09:52:04 +01:00
Mark Cave-Ayland
9eb08a435a sun4m: Add Sun CG3 framebuffer and corresponding OpenBIOS FCode ROM
The CG3 framebuffer is a simple 8-bit framebuffer for use with operating
systems such as early Solaris that do not have drivers for TCX.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Blue Swirl <blauwirbel@gmail.com>
CC: Anthony Liguori <aliguori@amazon.com>
CC: Peter Maydell <peter.maydell@linaro.org>
CC: Bob Breuer <breuerr@mc.net>
CC: Artyom Tarasenko <atar4qemu@gmail.com>
2014-02-27 10:01:41 +00:00
Gerd Hoffmann
9c70434f82 qxl: add sanity check
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2014-02-24 13:00:52 +01:00
Peter Maydell
61e8a92364 QOM infrastructure fixes and device conversions
* QTest cleanups and test cases for PCI NICs
 * NAND fix for "info qtree"
 * Cleanup and extension of QOM machine tests
 * IndustryPack test cases and conversion to QOM realize
 * I2C cleanups
 * Cleanups of legacy qdev properties
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTAooJAAoJEPou0S0+fgE/SuQQALW3zvra4ZLRAQV0e8kFoyj1
 vVtmLkDhnCe4cYfxxfOX91NA0rH1ts2EO1+UcnaCHJlptNWfA+8qJW69XgYpHE3c
 DKQlKPL/9pV5ywY5uUw/t1UJHg2BfrLBDDM4lP+vrpwiQYq4kp24JffnhfY3l9MA
 9qdkXu1HrlWoLRVGnMyGDXI8cb+5bTL+FEc6UuHl3P89/gj5BV+LDWn0QOFbAkxq
 4wk+Xh6sHKcfOdq6vMCNGlTjlJnpbY43D1a8+q6hFGG8JBlpne7Oer7bse9k4uTK
 q/CzyNzC0lnjjcULpa4ptRlycH0ruD9DPY7Lco9XqYd3l/c9742PmTEqN5TZseKD
 XD7+hwT1tk7W8rihm8KETCP6sKlXz4w8tJiWe6IT3zwRzvXIolxxK93heQuaX73Z
 HFDmvTPVLUiWF8ftKTyWZM3w+jsbSH0QSrMCIHKJrPTRWTKphx0DUP74lWjNsvGs
 FFBjpAgrflLihxiuRrcLmekGn0xCTjhQWIo2GoiWTgLSEHNQQQUNO+15/kcU/vlI
 hh3DJpiBKeSnUapHHL0OEK6ryeHoG95akiRjImwWVthNLk4KEuWtlhFPYBtulO5A
 PA02trE4Ah769effX0ZYdNl23KbW4VxpZ8VZv+kp7RTrDKxw551HoEFJ5ja0nkvB
 O1CfsE7x0GH/Rbi/Hxhu
 =KRcc
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging

QOM infrastructure fixes and device conversions

* QTest cleanups and test cases for PCI NICs
* NAND fix for "info qtree"
* Cleanup and extension of QOM machine tests
* IndustryPack test cases and conversion to QOM realize
* I2C cleanups
* Cleanups of legacy qdev properties

# gpg: Signature made Mon 17 Feb 2014 22:15:37 GMT using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter: (49 commits)
  qtest: Include system headers before user headers
  qapi: Refine human printing of sizes
  qdev: Use QAPI type names for properties
  qdev: Add enum property types to QAPI schema
  block: Handle "rechs" and "large" translation options
  qdev: Remove hex8/32/64 property types
  qdev: Remove most legacy printers
  qdev: Use human mode in "info qtree"
  qapi: Add human mode to StringOutputVisitor
  qdev: Inline qdev_prop_parse()
  qdev: Legacy properties are just strings
  qdev: Legacy properties are now read-only
  qdev: Remove legacy parsers for hex8/32/64
  qdev: Sizes are now parsed by StringInputVisitor
  qapi: Add size parser to StringInputVisitor
  qtest: Don't segfault with invalid -qtest option
  ipack: Move IndustryPack out of hw/char/
  ipoctal232: QOM parent field cleanup
  ipack: QOM parent field cleanup for IPackDevice
  ipack: QOM parent field cleanup for IPackBus
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-02-20 13:05:48 +00:00
Paolo Bonzini
c7bcc85d66 qdev: Remove hex8/32/64 property types
Replace them with uint8/32/64.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-02-14 21:12:04 +01:00
Andreas Färber
b1be45153e ssd0303: QOM'ify
Replace usages of FROM_I2C_SLAVE() with QOM cast macro.
Rename parent field.

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-02-14 16:22:32 +01:00
Peter Maydell
0888a29caa acpi,pc,pci fixes and enhancements
Most changes here are hotplug related:
 
 This merges hotplug infrastructure changes by Igor,
 some acpi related fixes, and PC fixes.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJS+Jg2AAoJECgfDbjSjVRp2hIH/3PezOqYAJlp1LzHPYgTII5R
 ZWdlHWJODB5QKGuDnJ0rKTZn+9n4f27Q7ynwqrodrLNtzglfmPUwtjTb52vbd1yh
 qJ7BtvGIewUEjTPVs2feipb75jFZFhvIU46F1jPJAiaNKG0nl6zwVHn5XfFqesv2
 4TlHAoqYvpUUuFcG7Qu+hREUrjb/tdxwP8EYM4qDPOSxguS2R2+3/17BVlPDQGia
 bKl6j5EmnmmbQ0h8Sepy3YKh9d1rZnKFsolMFrL8ITjzEzzyKjpE284GNe/5eY25
 HR25dY5eYTb0d3QPeH2O5sOrZgOFpTZc8WOo9Kxi0OTjWxFoZstZ1AOM3A2DAoY=
 =EtLZ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

acpi,pc,pci fixes and enhancements

Most changes here are hotplug related:

This merges hotplug infrastructure changes by Igor,
some acpi related fixes, and PC fixes.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 10 Feb 2014 09:13:26 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream:
  ACPI: Remove commented-out code from HPET._CRS
  hw/pci: switch to a generic hotplug handling for PCIDevice
  pci/pcie: convert PCIE hotplug to use hotplug-handler API
  pci/shpc: convert SHPC hotplug to use hotplug-handler API
  acpi/piix4pm: convert ACPI PCI hotplug to use hotplug-handler API
  qdev:pci: refactor PCIDevice to use generic "hotpluggable" property
  hw/acpi: move typeinfo to the file end
  qdev: add "hotpluggable" property to Device
  qdev: add to BusState "hotplug-handler" link
  define hotplug interface
  loader: document that errno is set
  pc.c: better error message on initrd sizing failure
  pc_piix: enable legacy hotplug for Xen
  qtest: don't report signals if qtest driver enabled
  hw:piix4:acpi: reuse pcihp code for legacy PCI hotplug
  pcihp: remove unused AcpiPciHpPciStatus.device_present field
  pcihp: make pci_read() mmio calback compatible with legacy ACPI hotplug
  pcihp: make PCI hotplug mmio handlers indifferent to PCI_HOTPLUG_ADDR
  pcihp: replace enable|disable_device() with oneliners
  pcihp: reduce number of device check events

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-02-13 15:02:04 +00:00
Edgar E. Iglesias
2c17449b30 exec: Make ldq/ldub_*_phys input an AddressSpace
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
2014-02-11 22:57:00 +10:00
Igor Mammedov
2897ae0267 qdev:pci: refactor PCIDevice to use generic "hotpluggable" property
Get rid of PCIDevice specific PCIDeviceClass.no_hotplug and use
generic DeviceClass.hotpluggable field instead.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-02-10 10:26:56 +02:00
Peter Maydell
1f6b12f75f target-lm32: fixes
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iEYEABECAAYFAlLxNdwACgkQEdFA3D+Yo3h0MQCgkqd4o4LdamOYxQqP0CgD+ET8
 QFgAn19l7zj69bPiYEsl1kPxinIduZnd
 =ff/s
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mwalle/tags/lm32-fixes/20140204' into staging

target-lm32: fixes

# gpg: Signature made Tue 04 Feb 2014 18:47:56 GMT using DSA key ID 3F98A378
# gpg: Can't check signature: public key not found

* remotes/mwalle/tags/lm32-fixes/20140204:
  hw/lm32: print error if cpu model is not found
  target-lm32: stop VM on illegal or unknown instruction
  lm32_sys: dump cpu state if test case fails
  lm32_sys: print test result on stderr
  target-lm32: add breakpoint/watchpoint support
  target-lm32: move model features to LM32CPU
  target-lm32: kill cpu_abort() calls
  milkymist-vgafb: swap pixel data in source buffer
  lm32_uart/lm32_juart: use qemu_chr_fe_write_all()
  milkymist-uart: use qemu_chr_fe_write_all() instead of qemu_chr_fe_write()
  tests: lm32: new rule for single test cases
  lm32_sys: increase test case name length limit

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-02-08 15:57:51 +00:00
Michael Walle
2f45356427 milkymist-vgafb: swap pixel data in source buffer
In commit fc97bb5ba3 the lduw_raw() call was
eliminated. But we are reading from the target buffer a 16-bit value, which
is in big-endian format. Therefore, use lduw_be_p() to read the value.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Walle <michael@walle.cc>
2014-02-04 19:34:30 +01:00
Alon Levy
3761abb167 hw/display/qxl: fix signed to unsigned comparison
Several small signedness / overflow corrections to qxl_create_guest_primary:
1. use 64 bit unsigned for size to avoid overflow possible from two 32
bit multiplicants.
2. correct sign for requested_height
3. add a more verbose error message when setting guest bug state (which
causes a complete guess blackout until reset, so it helps if it is
verbose).

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-02-03 11:05:15 +01:00
Alon Levy
f06b85218a qxl: clear irq on reset
Without this we occasionally trigger an assert at
hw/pci/pci.c:pcibus_reset that asserts the irq_count is zero on reset.

This has become a problem with the new drm driver for linux, since doing
a reboot from console causes a race between console updates that set the
irq and the reset assertion that the irq is clear.

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-02-03 11:05:15 +01:00
Paolo Bonzini
2cdaca90dd display: avoid multi-statement macro
For blizzard, pl110 and tc6393xb this is harmless, but for pxa2xx
Coverity noticed that it is used inside an "if" statement.
Fix it because it's the file with the highest number of defects
in the whole QEMU tree!  Use "do...while (0)", or just remove the
semicolon if there's a single statement in the macro.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-01-31 14:47:33 +00:00
Stefano Stabellini
0193c62c94 xenfb: map framebuffer read-only and handle unmap errors
The framebuffer is needlessly mapped (PROT_READ | PROT_WRITE), map it
PROT_READ instead.

The framebuffer is unmapped by replacing the framebuffer pages with
anonymous shared memory, calling mmap. Check for return errors and print
a warning.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-01-17 15:28:18 +00:00
Markus Armbruster
837d37167d sysbus: Set cannot_instantiate_with_device_add_yet
device_add plugs devices into suitable bus.  For "real" buses, that
actually connects the device.  For sysbus, the connections need to be
made separately, and device_add can't do that.  The device would be
left unconnected, and could not possibly work.

Quite a few, but not all sysbus devices already set
cannot_instantiate_with_device_add_yet in their class init function.

Set it in their abstract base's class init function
sysbus_device_class_init(), and remove the now redundant assignments
from device class init functions.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-12-23 00:27:22 +01:00
Markus Armbruster
efec3dd631 qdev: Replace no_user by cannot_instantiate_with_device_add_yet
In an ideal world, machines can be built by wiring devices together
with configuration, not code.  Unfortunately, that's not the world we
live in right now.  We still have quite a few devices that need to be
wired up by code.  If you try to device_add such a device, it'll fail
in sometimes mysterious ways.  If you're lucky, you get an
unmysterious immediate crash.

To protect users from such badness, DeviceClass member no_user used to
make device models unavailable with -device / device_add, but that
regressed in commit 18b6dad.  The device model is still omitted from
help, but is available anyway.

Attempts to fix the regression have been rejected with the argument
that the purpose of no_user isn't clear, and it's prone to misuse.

This commit clarifies no_user's purpose.  Anthony suggested to rename
it cannot_instantiate_with_device_add_yet_due_to_internal_bugs, which
I shorten somewhat to keep checkpatch happy.  While there, make it
bool.

Every use of cannot_instantiate_with_device_add_yet gets a FIXME
comment asking for rationale.  The next few commits will clean them
all up, either by providing a rationale, or by getting rid of the use.

With that done, the regression fix is hopefully acceptable.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-12-23 00:27:22 +01:00
Gerd Hoffmann
75c70e37bc spice: stop server for qxl hard reset
Hard reset can happen at any time.  We should be able to put qxl into a
known-good state no matter what.  Stop spice server thread for reset so
it can't be confused by fetching stale commands lingering around in the
rings while we reset is ongoing.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-12-16 10:12:20 +01:00
Stefan Weil
b1829cdebe qxl: Add missing trace.h (fix broken build)
Commit ac86048bcd removed trace.h from
console.h and ignored the fact that qxl-render.c needs this file
(it includes qxl.h which includes console.h which included trace.h).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-12-07 22:26:07 +04:00
Stefan Weil
ac86048bcd trace: Remove trace.h from console.h (less dependencies)
This reduces the dependencies on trace.h.
Only two source files which need console.h also need trace.h.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-12-02 21:02:00 +04:00
Mark Cave-Ayland
da87dd7bd7 sun4m: Add FCode ROM for TCX framebuffer
Upstream OpenBIOS now implements SBus probing in order to determine the
contents of a physical bus slot, which is required to allow OpenBIOS to
identify the framebuffer without help from the fw_cfg interface.

SBus probing works by detecting the presence of an FCode program
(effectively tokenised Forth) at the base address of each slot, and if
present executes it so that it creates its own device node in the
OpenBIOS device tree.

The FCode ROM is generated as part of the OpenBIOS build and should
generally be updated at the same time.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Blue Swirl <blauwirbel@gmail.com>
CC: Bob Breuer <breuerr@mc.net>
CC: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-11-21 17:38:52 +01:00
Marc-André Lureau
2c8ebac7cc vga: fix invalid read after free
After calling dpy_gfx_replace_surface(s->con, surface), the outer
surface is invalid.

==5370== Invalid read of size 4
==5370==    at 0x460229: surface_bits_per_pixel (console.h:250)
==5370==    by 0x466A81: get_depth_index (vga.c:1173)
==5370==    by 0x467EC2: vga_draw_graphic (vga.c:1718)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)
==5370==    by 0x3EB543: gui_update (console.c:192)
==5370==    by 0x3C43B3: timerlist_run_timers (qemu-timer.c:488)
==5370==    by 0x3C4416: qemu_clock_run_timers (qemu-timer.c:499)
==5370==  Address 0x22ffb1e0 is 0 bytes inside a block of size 56 free'd
==5370==    at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5370==    by 0x4245FC: free_and_trace (vl.c:2771)
==5370==    by 0x50899AE: g_free (gmem.c:252)
==5370==    by 0x3EE8D3: qemu_free_displaysurface (console.c:1332)
==5370==    by 0x3EEDB7: dpy_gfx_replace_surface (console.c:1427)
==5370==    by 0x467EB6: vga_draw_graphic (vga.c:1714)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)

Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1383664554-15248-1-git-send-email-marcandre.lureau@gmail.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-11-05 20:01:11 -08:00
Peter Maydell
7d579514a5 bswap.h: Remove cpu_to_32wu()
Replace the legacy cpu_to_32wu() with stl_p().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-10-git-send-email-peter.maydell@linaro.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-11-05 19:57:47 -08:00
Gerd Hoffmann
4a46c99c81 qxl: replace pipe signaling with bottom half
qxl creates a pipe, then writes something to it to wake up the iothread
from the spice server thread to raise an irq.  These days qemu bottom
halves can be scheduled from threads and signals, so there is no reason
to do this any more.  Time to clean it up.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-11-04 12:31:42 +01:00
Anthony Liguori
b0eb759fb2 pci, pc, acpi fixes, enhancements
This includes some pretty big changes:
 - pci master abort support by Marcel
 - pci IRQ API rework by Marcel
 - acpi generation support by myself
 
 Everything has gone through several revisions, latest versions have been on
 list for a while without any more comments, tested by several
 people.
 
 Please pull for 1.7.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.15 (GNU/Linux)
 
 iQEcBAABAgAGBQJSXNO8AAoJECgfDbjSjVRp7VAH/0B73mCOiyVACGx7fazK3SGK
 X8TxZWVtG5A77ISqKyrtjLAhK9DCQjEzQTbMNhXHM3Ar6crwo7nJZnQvH2Gh1X2p
 34BOQSVc4rtXz5pwDIr48dBLrxeslwXub79chUs+IK1/4RSn3h3nuS3k6JVkmLJN
 rcHMj4ljJmi4Hd9vOpmS1jo/a61usi36hhU7CMgcrsXzStZycBBzCozOB3VW8p1X
 /iwyf91YjmNPkn9gA3/aViGjszu8jE91dkA0C+ljwvcGbs2yEl3LCWEJfsMvoh5P
 2M+k0XXbHwq/P9PFMa/2/lWOo4EO4Oxa+G/6QvovJrteYnktr+E9DqjU8pCT7yI=
 =CVfs
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'mst/tags/for_anthony' into staging

pci, pc, acpi fixes, enhancements

This includes some pretty big changes:
- pci master abort support by Marcel
- pci IRQ API rework by Marcel
- acpi generation support by myself

Everything has gone through several revisions, latest versions have been on
list for a while without any more comments, tested by several
people.

Please pull for 1.7.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Tue 15 Oct 2013 07:33:48 AM CEST using RSA key ID D28D5469
# gpg: Can't check signature: public key not found

* mst/tags/for_anthony: (39 commits)
  ssdt-proc: update generated file
  ssdt: fix PBLK length
  i386: ACPI table generation code from seabios
  pc: use new api to add builtin tables
  acpi: add interface to access user-installed tables
  hpet: add API to find it
  pvpanic: add API to access io port
  ich9: APIs for pc guest info
  piix: APIs for pc guest info
  acpi/piix: add macros for acpi property names
  i386: define pc guest info
  loader: allow adding ROMs in done callbacks
  i386: add bios linker/loader
  loader: use file path size from fw_cfg.h
  acpi: ssdt pcihp: updat generated file
  acpi: pre-compiled ASL files
  acpi: add rules to compile ASL source
  i386: add ACPI table files from seabios
  q35: expose mmcfg size as a property
  q35: use macro for MCFG property name
  ...

Message-id: 1381818560-18367-1-git-send-email-mst@redhat.com
Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-10-31 16:58:32 +01:00
Anthony Liguori
989644915c Merge remote-tracking branch 'bonzini/iommu-for-anthony' into staging
# By Paolo Bonzini (10) and others
# Via Paolo Bonzini
* bonzini/iommu-for-anthony:
  exec: remove qemu_safe_ram_ptr
  icount: make it thread-safe
  icount: document (future) locking rules for icount
  icount: prepare the code for future races in calling qemu_clock_warp
  icount: reorganize icount_warp_rt
  icount: use cpu_get_icount() directly
  timer: add timer_mod_anticipate and timer_mod_anticipate_ns
  timer: extract timer_mod_ns_locked and timerlist_rearm
  timer: make qemu_clock_enable sync between disable and timer's cb
  qemu-thread: add QemuEvent
  timer: protect timers_state's clock with seqlock
  seqlock: introduce read-write seqlock
  vga: Mark relevant portio lists regions as coalesced MMIO flushing
  cirrus: Mark vga io region as coalesced MMIO flushing
  portio: Allow to mark portio lists as coalesced MMIO flushing
  compatfd: switch to QemuThread
  memory: fix 128 arithmetic in info mtree

Message-id: 1382024935-28297-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-10-18 10:01:49 -07:00
Jan Kiszka
c46860ea53 vga: Mark relevant portio lists regions as coalesced MMIO flushing
This allows to remove the explicit qemu_flush_coalesced_mmio_buffer
calls.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-10-17 17:24:15 +02:00
Jan Kiszka
eb25a1d9d4 cirrus: Mark vga io region as coalesced MMIO flushing
This allows to remove the explicit qemu_flush_coalesced_mmio_buffer
calls - the memory core will invoke them now.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-10-17 17:24:15 +02:00
Gerd Hoffmann
9fa032866d spice: fix multihead support
This patch fixes spice display initialization to handle
multihead properly.

spice-core now keeps track of which QemuConsole has a spice
display channel attached to it and which has not.  It also
manages display channel ids.

spice-display looks at all QemuConsoles and will pick up any
graphic console not yet bound to a spice channel (which in practice
are all non-qxl graphic devices).

Result is that
 (a) you'll get a spice client window for each graphical device
     now (first only without this patch), and
 (b) mixing qxl and non-qxl vga cards works properly.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-10-17 12:42:54 +02:00
Marc-André Lureau
26defe81f6 spice: replace use of deprecated API
hose API are deprecated since 0.11, and qemu depends on 0.12 already.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-10-17 12:25:25 +02:00
Marcel Apfelbaum
9e64f8a3fc hw: set interrupts using pci irq wrappers
pci_set_irq and the other pci irq wrappers use
PCI_INTERRUPT_PIN config register to compute device
INTx pin to assert/deassert.

An irq is allocated using pci_allocate_irq wrapper
only if is needed by non pci devices.

Removed irq related fields from state if not used anymore.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-10-14 17:11:45 +03:00
Gerd Hoffmann
521e759cf1 qxl: compile only once
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-18 11:13:29 +02:00
Gerd Hoffmann
b0297b4a82 qxl: simplify page dirtying
No need to do target page size calculations here,
memory_region_set_dirty will care for us.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-18 11:13:29 +02:00
Gerd Hoffmann
60b3b2a55f qxl: simplify qxl_rom_size
Nowdays rom size is fixed at 8192 for live migration compat reasons.
So we can ditch the pointless math trying to calculate the size needed.
Also make the size sanity check fail at compile time not runtime.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-18 11:13:29 +02:00
Gerd Hoffmann
9efc2d8d81 qxl: define qxl operating on 4k pages
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-18 11:13:29 +02:00
Anthony Liguori
2d1fe1873a ARM queue:
* aarch64 preparation patchset (excluding the defconfigs, so this
    doesn't actually enable the new targets yet)
  * minor bugfixes and cleanups
  * disable "-cpu any" in system emulation mode
  * fix ARMv7M stack alignment on reset
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABCAAGBQJSL2jzAAoJEDwlJe0UNgzesqIP/0pn2qoSv6BXSjVHAlbGvOtC
 n4ZF6Aeoc+S9vvWbKk/2mCGNyf2ewokVCrekMSjWeD4i0WQwLPAIbwZ4RTmketCt
 KqJQQ2JrFQyu5xTlooc4NrAuO8XllEtFIdIl/Aob9HyZvlNQR+l81GP0LqipiTLz
 Dto1Cxack8BpOopy8hxBnR4xcE3yz9e+9b2P7iONJ4TYzs7vheu0j4qMOZtNyw/T
 mf7yKrv+YzvlbJJgM3tK9sgBShtGqyxgW6YO5OHrsM/D/9wc+ML6k3iMpf7Sr2RF
 1/P0xUZBkaXht3ZDBU/EOG5Gi+AqoPS2K/Quu/NFADn7dpV+qAeukiCHnhhCtPHc
 AbSl6oaHjpfEPC7JaORIdzu8+GAIhT6fWP4MNa0bkWtatGh3OXJvMboalu1jtARE
 DCpTvA4pRyjJ8WFO/CYASxeeFeZX7DYCy4RYklSk7cbQ5xH9n2Jq3g/92y+07KnQ
 bZYpP57Lor8p2bHenr8p9V/dIlIKTgQkcgqIumNSSrIBU4NCVb2G566kfTSKZy4S
 Alq/dmWs3oxmidviz8HT0aX6tVJgFU2rkIVE4nCZjCH/0fQYU7NVfMshFNLar8zQ
 lCe1K7Yiv+u6W/bgUIG3AM1GVbsb8X2YKNTEUXOls54Jzjep3lQrsoVCaaQLgaI5
 Cz+uCGX+4x4Pe9h6XWDk
 =oraU
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'pmaydell/tags/pull-target-arm-20130910' into staging

ARM queue:
 * aarch64 preparation patchset (excluding the defconfigs, so this
   doesn't actually enable the new targets yet)
 * minor bugfixes and cleanups
 * disable "-cpu any" in system emulation mode
 * fix ARMv7M stack alignment on reset

# gpg: Signature made Tue 10 Sep 2013 01:46:11 PM CDT using RSA key ID 14360CDE
# gpg: Can't check signature: public key not found

# By Alexander Graf (13) and others
# Via Peter Maydell
* pmaydell/tags/pull-target-arm-20130910: (28 commits)
  configure: Add handling code for AArch64 targets
  linux-user: Add AArch64 support
  linux-user: Allow targets to specify a minimum uname release
  linux-user: Add AArch64 termbits.h definitions
  linux-user: Implement cpu_set_tls() and cpu_clone_regs() for AArch64
  linux-user: Make sure NWFPE code is 32 bit ARM only
  linux-user: Add signal handling for AArch64
  linux-user: Fix up AArch64 syscall handlers
  linux-user: Add syscall number definitions for AArch64
  linux-user: Add cpu loop for AArch64
  linux-user: Don't treat AArch64 cpu names specially
  target-arm: Add AArch64 gdbstub support
  target-arm: Add AArch64 translation stub
  target-arm: Prepare translation for AArch64 code
  target-arm: Disable 32 bit CPUs in 64 bit linux-user builds
  target-arm: Add new AArch64CPUInfo base class and subclasses
  target-arm: Pass DisasContext* to gen_set_pc_im()
  target-arm: Fix target_ulong/uint32_t confusions
  target-arm: Export cpu_env
  target-arm: Extract the disas struct to a header file
  ...

Message-id: 1378839142-7726-1-git-send-email-peter.maydell@linaro.org
Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-09-11 14:46:52 -05:00
Peter Maydell
031c44e4de pl110: Clarify comment about PL110 ID on VersatilePB
Clarify a comment about the ID register value presented by
the PL110 variant present on the VersatilePB board (based
on testing what the actual hardware does), to indicate that
this is not an error in our emulation, and to remove an #if-0.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-09-10 19:09:33 +01:00
Gerd Hoffmann
c58c7b959b qxl: fix local renderer
The local spice renderer assumes the primary surface is located at the
start of the "ram" bar.  This used to be a requirement in qxl hardware
revision 1.  In revision 2+ this is relaxed.  Nevertheless guest drivers
continued to use the traditional location, for historical and backward
compatibility reasons.  The qxl kms driver doesn't though as it depends
on qxl revision 4+ anyway.

Result is that local rendering is hosed for recent linux guests, you'll
get pixel garbage with non-spice ui (gtk, sdl, vnc) and when doing
screendumps.  Fix that by doing a proper mapping of the guest-specified
memory location.

https://bugzilla.redhat.com/show_bug.cgi?id=948717

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-10 11:14:08 +02:00
Gerd Hoffmann
18b203850a qxl: trace io port name
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-09-10 11:14:08 +02:00
Alex Bligh
bc72ad6754 aio / timers: Switch entire codebase to the new timer API
This is an autogenerated patch using scripts/switch-timer-api.

Switch the entire code base to using the new timer API.

Note this patch may introduce some line length issues.

Signed-off-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-08-22 19:14:24 +02:00
Andreas Färber
01774ddbcf tcx: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:06:05 +02:00
Andreas Färber
5d7a11e438 pl110: QOM'ify pl110, pl110_versatile and pl111
Let pl110_versatile and pl111 inherit from pl110 and use PL110() cast;
set their version index in an instance_init.

Reviewed-by: Hu Tao <hutao@cn.fujitsu.com>
[AF: Set version PL110 explicitly, suggested by Hu Tao; fixed inheritence]
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:06:05 +02:00
Andreas Färber
513960eaae pl110: Rename pl110_state to PL110State
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:06:05 +02:00
Andreas Färber
54df97bb0c milkymist-vgafb: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:06:05 +02:00
Andreas Färber
56299135f5 milkymist-tmu2: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:06:02 +02:00
Andreas Färber
66c2de562f jazz_led: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:05:59 +02:00
Andreas Färber
0f31aa8625 g364fb: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field and
prepare for QOM realize.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:05:58 +02:00
Andreas Färber
f27321aa3a exynos4210_fimd: QOM cast cleanup
Introduce a type constant, use QOM casts and rename the parent field.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29 21:05:58 +02:00
Marcel Apfelbaum
125ee0ed9c devices: Associate devices to their logical category
The category will be used to sort the devices displayed in
the command line help.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-07-29 10:37:09 -05:00
Andreas Färber
af21c74039 display/vmware_vga: QOM parent field cleanup
Replace direct uses of pci_vmsvga_state_s::card with QOM casts and
rename it to parent_obj.

Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-23 00:37:34 +02:00
Peter Crosthwaite
39d4598763 display/vmware_vga: QOM casting sweep
Define and use standard QOM cast macro. Remove usages of DO_UPCAST() and
direct -> style casting.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
[AF: Renamed to TYPE_VMWARE_VGA and VMWARE_VGA()]
Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-23 00:37:34 +02:00
Paolo Bonzini
5444e768ee add a header file for atomic operations
We're already using them in several places, but __sync builtins are just
too ugly to type, and do not provide seqcst load/store operations.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:49 +02:00
Paolo Bonzini
3eadad551d hw/d*: pass owner to memory_region_init* functions
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:47 +02:00
Paolo Bonzini
db10ca9057 piolist: add owner argument to initialization functions and pass devices
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:47 +02:00
Paolo Bonzini
42e038fe91 vga: set owner in vga_update_memory_access
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
c84b28eeea vga: pass owner to vga_init_io
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
8311832773 vga: pass owner to vga_init_vbe
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
9eb58a473b vga: pass owner to cirrus_init_common
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
270327feb2 vga: pass owner to vga_common_init
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
712f0cc777 vga: pass owner to vga_init
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:46 +02:00
Paolo Bonzini
dfde4e6e1a memory: add ref/unref calls
Add ref/unref calls at the following places:

- places where memory regions are stashed by a listener and
  used outside the BQL (including in Xen or KVM).

- memory_region_find callsites

- creation of aliases and containers (only the aliased/contained
  region gets a reference to avoid loops)

- around calls to del_subregion/add_subregion, where the region
  could disappear after the first call

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:45 +02:00
Paolo Bonzini
2c9b15cab1 memory: add owner argument to initialization functions
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:44 +02:00
Jan Kiszka
04e8cd506a vmware-vga: Accept unaligned I/O accesses
Before switching to the memory core dispatcher, we need to make sure
that this pv-device will continue to receive unaligned portio accesses.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04 17:42:43 +02:00
Anthony Liguori
9fbbf0d1b1 Merge remote-tracking branch 'spice/spice.v71' into staging
# By Gerd Hoffmann (1) and Hans de Goede (1)
# Via Gerd Hoffmann
* spice/spice.v71:
  spice: Add -spice disable-agent-file-transfer cmdline option (rhbz#961850)
  qxl: fix Coverity scan SIGN_EXTENSION error

Message-id: 1372060666-18182-1-git-send-email-kraxel@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-06-24 14:33:09 -05:00
Gerd Hoffmann
bfc10122fa qxl: fix Coverity scan SIGN_EXTENSION error
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-06-24 08:23:09 +02:00
Anthony PERARD
329f97fc4f qxl: Fix QXLRam initialisation.
The qxl driver expect NULL for QXLRam.memory_configs, but this is never
initialized.

If memory is set to 0xc2c2.., it leads to a spice-critical error when
trying to start qxl.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-06-21 22:52:50 +04:00
Paolo Bonzini
052e87b073 memory: make section size a 128-bit integer
So far, the size of all regions passed to listeners could fit in 64 bits,
because artificial regions (containers and aliases) are eliminated by
the memory core, leaving only device regions which have reasonable sizes

An IOMMU however cannot be eliminated by the memory core, and may have
an artificial size, hence we may need 65 bits to represent its size.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-06-20 16:32:47 +02:00
Andreas Färber
db895a1e6a isa: Use realizefn for ISADevice
Drop ISADeviceClass::init and the resulting no-op initfn and let
children implement their own realizefn. Adapt error handling.
Split off an instance_init where sensible.

Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-06-07 12:14:45 +02:00
Anthony Liguori
7087d3df18 Merge remote-tracking branch 'mjt/trivial-patches' into staging
# By Ed Maste (3) and others
# Via Michael Tokarev
* mjt/trivial-patches:
  do not check pointers after dereferencing them
  m25p80: Add Micron n25q032a
  qemu: fix out of tree cross compile
  slirp: cleanup leftovers from misc.h
  migration: Remove duplicate bandwidth_limit set
  docs: Fix typo and update file in migration
  configure: try pkg-config ncurses first
  rtc: remove rtc_set_date
  linux-user: Fix typo in comment
  configure: remove confusing file manipulation
  debugcon: fix compiler warning when open DEBUG_DEBUGCON
  debugcon: make debug message more readable
  debugcon: fix always print "addr=0x0, val=0x0" bug when use DEBUG_DEBUGCON
  Remove unnecessary break statements
  don't run pkg-config for features explicitly disabled

Message-id: 51A9CCFB.1000109@msgid.tls.msk.ru
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-06-03 08:37:44 -05:00
Mark Cave-Ayland
f10acc8b38 tcx: Fix 24-bit display mode
Commit d08151bf (conversion of tcx to the memory API) broke the 24-bit mode of
the tcx display adapter by accidentally passing in the final address of the
dirty region to memory_region_reset_dirty() instead of its size.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2013-06-02 16:45:40 +00:00
Stefan Weil
6681fca3fc Remove unnecessary break statements
Fix these warnings from cppcheck:

hw/display/cirrus_vga.c:2603:
hw/sd/sd.c:348:
hw/timer/exynos4210_mct.c:1033:
target-arm/translate.c:9886:
target-s390x/mem_helper.c:518:
target-unicore32/translate.c:1936:
 style: Consecutive return, break, continue, goto or throw statements are unnecessary.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-06-01 14:25:38 +04:00
Hans de Goede
0a2b5e3a78 qxl: Call spice_qxl_driver_unload from qxl_enter_vga_mode
With a SPICE_DISPLAY_CAP_MONITORS_CONFIG capable client, the client needs to
know what part of the primary to use for each monitor. If the guest driver
does not support this, the server sends messages to the client for a
single monitor spanning the entire primary.

As soon as the guest calls spice_qxl_monitors_config_async once, the server
sets the red_worker driver_has_monitors_config flag and stops doing this.

This is a problem when the driver gets unloaded, for example after a reboot
or when switching to a text vc with usermode mode-setting under Linux.

To reproduce this start a multi-mon capable Linux guest which uses
usermode mode-setting and then once X has started switch to a text vc. Note
how the client window does not only not resize, if you try to resize it
manually you always keep blackborders since the aspect is wrong.

This patch calls a new spice-server method called spice_qxl_driver_unload
which clears the driver_has_monitors_config flag inside the server, thereby
fixing this.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-05-09 11:46:53 +02:00
Andreas Färber
a72dc5fc67 vga-isa: QOM'ify ISA VGA
Introduce type constant and cast macro to obsolete DO_UPCAST() and
container_of(). Prepares for ISA realizefn.

Unify function naming scheme while at it.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Message-id: 1367093935-29091-18-git-send-email-afaerber@suse.de
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-29 08:27:49 -05:00
Andreas Färber
6d4c2f1755 cirrus_vga: QOM'ify ISA Cirrus VGA
Introduce type constant and cast macro to obsolete DO_UPCAST().

Prepares for ISA realizefn.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Message-id: 1367093935-29091-3-git-send-email-afaerber@suse.de
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-29 08:27:47 -05:00
Gerd Hoffmann
5209089fcd console: zap ds arg from register_displaychangelistener
We don't have multiple DisplayStates any more,
so passing it in as argument is not needed.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-25 14:45:46 -05:00
Gerd Hoffmann
aa2beaa1f5 console: add device link to QemuConsoles
So it is possible to figure which qemu console displays which device.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-25 14:45:46 -05:00
Gerd Hoffmann
95be0669a3 console: qom-ify QemuConsole
Just the minimal bits to turn QemuConsoles into Objects.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-25 14:45:46 -05:00
Peter Maydell
21e5181f95 qdev: Drop taddr properties
Drop all the infrastructure for taddr properties (ie ones which
are 'hwaddr' sized). These are now unused, and any further desired
use would be rather questionable since device properties shouldn't
generally depend on a type that is conceptually variable based on
the target CPU. 32 or 64 bit integer properties should be used instead
as appropriate for the specific device.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2013-04-20 17:54:52 +00:00
Peter Maydell
19298eca06 hw/sm501: Use correct setter for sysbus-ohci dma-address property
The sysbus-ohci dma-address property is declared as a HEX64
property, not a TADDR, so use the correct setter for it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Andreas Färber <afaerber@suse.de>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2013-04-20 17:54:51 +00:00
Stefan Weil
e1fe50dcb3 Remove unneeded type casts
cpu_physical_memory_read, cpu_physical_memory_write take any pointer
as 2nd argument without needing a type cast.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-04-19 11:36:33 +02:00
Paolo Bonzini
2b6b7099fb configure: eliminate target_libs_softmmu
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
2013-04-18 14:12:31 +02:00
Anthony Liguori
6f8111a16d Merge remote-tracking branch 'spice/spice.v69' into staging
# By Hans de Goede (5) and others
# Via Gerd Hoffmann
* spice/spice.v69:
  spice-qemu-char: vmc_write: Don't write more bytes then we're asked too
  spice-qemu-char: Remove intermediate buffer
  spice-qemu-char: Add watch support
  spice-qemu-char: Remove #ifdef-ed code for old spice-server compat
  virtio-console: Remove any pending watches on close
  virtio-console: Also throttle when less was written then requested
  spice: (32 bit only) fix surface cmd tracking destruction
  qxl: add 2000x2000 and 2048x2048 video modes
  qxl: add 4k + 8k resolutions

Message-id: 1366106194-28826-1-git-send-email-kraxel@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-16 10:28:51 -05:00
Alon Levy
8bb9f51ca2 spice: (32 bit only) fix surface cmd tracking destruction
No change for 64 bit arches, but for 32 bit previously we zeroed half
the surfaces cmd array, instead of all of it.

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 11:52:09 +02:00
Gerd Hoffmann
5c74fb27f9 qxl: add 2000x2000 and 2048x2048 video modes
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 11:52:00 +02:00
Gerd Hoffmann
bfe528b9b9 qxl: register QemuConsole for secondary cards
Hook secondary qxl cards properly into the qemu console subsystem.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:26:21 +02:00
Gerd Hoffmann
284d1c6b3b console: allow pinning displaychangelisteners to consoles
DisplayChangeListener gets a new QemuConsole field, which can be set to
non-NULL before registering.  This will pin the QemuConsole, so that
particular DisplayChangeListener will not follow console switches.

spice+gtk (which don't support text console input anyway) are switched
over to be pinned to console 0, which usually is the graphical display.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:26:20 +02:00
Gerd Hoffmann
dea1b0bdd8 xen: re-enable refresh interval reporting for xenfb
xenfb informs the guest about the gui refresh interval so it can avoid
pointless work.  That logic was temporarely disabled for the
DisplayState reorganization.  Restore it now, with a proper interface
for it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:26:20 +02:00
Gerd Hoffmann
d4bcb199fb qxl: add 4k + 8k resolutions
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:51 +02:00
Gerd Hoffmann
380cd056ec console: add GraphicHwOps
Pass a single GraphicHwOps struct pointer to graphic_console_init,
instead of a bunch of function pointers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:49 +02:00
Gerd Hoffmann
2c62f08ddb console: simplify screendump
Screendumps are alot simpler as we can update non-active
QemuConsoles now.  So we only need to update the QemuConsole
we want write out, then dump the DisplaySurface content into
a ppm file.  Done.

No console switching needed.  No special support code in the
gfx card emulation needed.  Zap it all.  Also move ppm_save
out of the vga code and next to the qmp_screendump function.

For now screen dumping is limited to console #0 (like it used
to be), even though it is dead simple to extend it to other
consoles.  I wanna finish the console cleanup before setting
new qapi interfaces into stone.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
2013-04-16 09:03:48 +02:00
Gerd Hoffmann
1dbfa00503 console: rename vga_hw_*, add QemuConsole param
Add QemuConsole parameter to vga_hw_*, so the interface allows to update
non-active consoles (the actual code can't handle this yet, see next
patch).  Passing NULL is allowed and updates the active console, like
the functions do today.

While touching all vga_hw_* calls anyway rename that to the functions to
hardware-neutral graphics_hw_*

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:48 +02:00
Gerd Hoffmann
eb2f9b024d hw/vmware_vga.c: various vmware vga fixes.
Hardcode depth to 32 bpp.  It effectively was that way before because
that is the default surface depth, this just makes it explicit in the
code.

Rename depth to new_depth to make it consistent with the new_width +
new_height names.  In theory we can make new_depth changeable (i.e.
allow the guest to fill in -- say -- 16 there).  In practice the guests
don't try, the X-Server refuses to start if you ask it to use 16bpp
depth (via DefaultDepth in the Screen section).

Always return the correct rmask+gmask+bmask values for the given
new_depth.

Fix mode setting to also verify at new_depth to make sure we have a
correct DisplaySurface, even if the current video mode happes to be
16bpp (set by vgabios via bochs vbe interface).  While being at it
switch over to use qemu_create_displaysurface_from, so the surface is
backed by guest-visible video memory and we save a memcpy.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:47 +02:00
Gerd Hoffmann
7a6404cd8b hw/vmware_vga.c: add tracepoints for mmio reads+writes
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:47 +02:00
Igor Mitsyanko
17866fc888 hw/vmware_vga.c: fix screen resize bug introduced after console revamp
In vmsvga display update function, a pointer to DisplaySurface must be acquired
after a call to vmsvga_check_size since this function might replace current
DisplaySurface with a new one.

Signed-off-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:46 +02:00
Igor Mitsyanko
522fccbe71 exynos4210_fimd.c: fix display resize bug introduced after console revamp
In exynos4210 display update function, we were acquiring DisplaySurface
pointer before calling screen resize function, not paying attention that resize
procedure can replace current DisplaySurface with newly allocated one.
Right thing to do is to initialize DisplaySurface AFTER a call to resize function.

Signed-off-by: Igor Mitsyanko <i.mitsyanko@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-16 09:03:46 +02:00
Paolo Bonzini
dccfcd0e5f sysemu: avoid proliferation of include/ subdirectories
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-15 18:19:25 +02:00
Peter Maydell
bd2be15003 arm: fix location of some include files
The recent rearrangement of include files had some minor errors:
 devices.h is not ARM specific and should not be in arm/
 arm.h should be in arm/

Move these two headers to correct this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-15 15:16:01 +02:00
Paolo Bonzini
47b43a1f41 hw: move private headers to hw/ subdirectories.
Many headers are used only in a single directory.  These can be
kept in hw/.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:16 +02:00
Paolo Bonzini
fc97bb5ba3 hw: move display devices to hw/display/, configure via default-configs/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:13 +02:00
Paolo Bonzini
49ab747f66 hw: move target-independent files to subdirectories
This patch tackles all files that are compiled once, moving
them to subdirectories of hw/.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:12 +02:00
Paolo Bonzini
1fd6bb44ed hw: make subdirectories for devices
Prepare the new directory structure.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08 18:13:11 +02:00