summaryrefslogtreecommitdiffstats
path: root/hw/xen
Commit message (Collapse)AuthorAgeFilesLines
...
* xen/pt: mark all PCIe capability bits read-onlyJan Beulich2015-06-021-1/+1
| | | | | | | | | | | xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read- only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen/pt: split out calculation of throughable mask in PCI config space handlingJan Beulich2015-06-021-31/+20Star
| | | | | | | | | | | | | | | | | This is just to avoid having to adjust that calculation later in multiple places. Note that including ->ro_mask in get_throughable_mask()'s calculation is only an apparent (i.e. benign) behavioral change: For r/o fields it doesn't matter > whether they get passed through - either the same flag is also set in emu_mask (then there's no change at all) or the field is r/o in hardware (and hence a write won't change it anyway). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
* xen/pt: correctly handle PM status bitJan Beulich2015-06-021-1/+2
| | | | | | | | | | xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen/pt: consolidate PM capability emu_maskJan Beulich2015-06-021-21/+4Star
| | | | | | | | | | | | | | | There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
* xen/MSI: don't open-code pass-through of enable bit modificationsJan Beulich2015-06-021-8/+2Star
| | | | | | | | | | | | | | | | Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). Note that the fiddling with the enable bit shouldn't really be done by qemu, but making this work right (via libxc and the hypervisor) will require more extensive changes, which can be postponed until after the security issue got addressed. This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen/MSI-X: limit error messagesJan Beulich2015-06-022-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Limit error messages resulting from bad guest behavior to avoid allowing the guest to cause the control domain's disk to fill. The first message in pci_msix_write() can simply be deleted, as this is indeed bad guest behavior, but such out of bounds writes don't really need to be logged. The second one is more problematic, as there guest behavior may only appear to be wrong: For one, the old logic didn't take the mask-all bit into account. And then this shouldn't depend on host device state (i.e. the host may have masked the entry without the guest having done so). Plus these writes shouldn't be dropped even when an entry is unmasked. Instead, if they can't be made take effect right away, they should take effect on the next unmasking or enabling operation - the specification explicitly describes such caching behavior. Until we can validly drop the message (implementing such caching/latching behavior), issue the message just once per MSI-X table entry. Note that the log message in pci_msix_read() similar to the one being removed here is not an issue: "addr" being of unsigned type, and the maximum size of the MSI-X table being 32k, entry_nr simply can't be negative and hence the conditonal guarding issuing of the message will never be true. This is XSA-130. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen: don't allow guest to control MSI mask registerJan Beulich2015-06-021-10/+88
| | | | | | | | | | | It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. This is XSA-129. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen: properly gate host writes of modified PCI CFG contentsJan Beulich2015-06-023-10/+21
| | | | | | | | | | | | | | | | | The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. This fixes a secondary issue at once: We obviously shouldn't make any host write attempt when already the host read failed. This is XSA-128. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen: limit guest control of PCI command registerJan Beulich2015-04-102-27/+13Star
| | | | | | | | | | | | | | | | Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Message-id: alpine.DEB.2.02.1503311510300.7690@kaball.uk.xensource.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* xen-pt: fix Out-of-bounds readGonglei2015-03-101-1/+1
| | | | | | | | | The array length of s->real_device.io_regions[] is "PCI_NUM_REGIONS - 1". Signed-off-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* xen-pt: fix Negative array index readGonglei2015-03-101-4/+2Star
| | | | | | | | | | | | | | Coverity spot: Function xen_pt_bar_offset_to_index() may return a negative value (-1) which is used as an index to d->io_regions[] down the line. Let's pass index directly as an argument to xen_pt_bar_reg_parse(). Signed-off-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* xen-pt: Fix PCI devices re-attach failedLiang Li2015-01-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Use the 'xl pci-attach $DomU $BDF' command to attach more than one PCI devices to the guest, then detach the devices with 'xl pci-detach $DomU $BDF', after that, re-attach these PCI devices again, an error message will be reported like following: libxl: error: libxl_qmp.c:287:qmp_handle_error_response: receive an error message from QMP server: Duplicate ID 'pci-pt-03_10.1' for device. If using the 'address_space_memory' as the parameter of 'memory_listener_register', 'xen_pt_region_del' will not be called if the memory region's name is not 'xen-pci-pt-*' when the devices is detached. This will cause the device's related QemuOpts object not be released properly. Using the device's address space can avoid such issue, because the calling count of 'xen_pt_region_add' when attaching and the calling count of 'xen_pt_region_del' when detaching is the same, so all the memory region ref and unref by the 'xen_pt_region_add' and 'xen_pt_region_del' can be released properly. Signed-off-by: Liang Li <liang.z.li@intel.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reported-by: Longtao Pang <longtaox.pang@intel.com>
* hw: Convert from BlockDriverState to BlockBackend, mostlyMarkus Armbruster2014-10-201-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Device models should access their block backends only through the block-backend.h API. Convert them, and drop direct includes of inappropriate headers. Just four uses of BlockDriverState are left: * The Xen paravirtual block device backend (xen_disk.c) opens images itself when set up via xenbus, bypassing blockdev.c. I figure it should go through qmp_blockdev_add() instead. * Device model "usb-storage" prompts for keys. No other device model does, and this one probably shouldn't do it, either. * ide_issue_trim_cb() uses bdrv_aio_discard() instead of blk_aio_discard() because it fishes its backend out of a BlockAIOCB, which has only the BlockDriverState. * PC87312State has an unused BlockDriverState[] member. The next two commits take care of the latter two. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* memory: remove memory_region_destroyPaolo Bonzini2014-08-182-22/+0Star
| | | | | | | The function is empty after the previous patch, so remove it. Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* xen_backend: introduce xenstore_read_uint64 and xenstore_read_fe_uint64Stefano Stabellini2014-07-071-0/+18
| | | | | Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
* Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-05-07' ↵Peter Maydell2014-05-071-1/+0Star
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into staging trivial patches for 2014-05-07 # gpg: Signature made Wed 07 May 2014 18:01:15 BST using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 # Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB * remotes/mjt/tags/trivial-patches-2014-05-07: (21 commits) libcacard: remove unnecessary EOL from debug prints docs/memory.txt: Fix document on MMIO operations readline: Sort completions before printing them. readline: use g_strndup instead of open-coding it qmp: report path ambiguity error libcacard: replace pstrcpy() with memcpy() glib: move g_poll() replacement into glib-compat.h do not call g_thread_init() for glib >= 2.31 hw/9pfs: Add include file for exported symbol xen: remove unused global, xen_xcg hw: Add missing 'static' attributes qemu-timer: Add missing 'static' attribute ui: Add missing 'static' attribute monitor: Add missing 'static' attribute hw/s390x: Add missing 'static' attribute hw/mips: Add missing 'static' and 'const' attributes hw/9pfs: Add missing 'static' attributes arch_init: Be sure of only one exit entry with DPRINTF() for ram_load() tests/tcg: Fix compilation of test_path qga: Fix typo (plural) in comment ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| * xen: remove unused global, xen_xcgJim Meyering2014-05-071-1/+0Star
| | | | | | | | | | | | | | Reviewed-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jim Meyering <meyering@redhat.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* | xen: move Xen HVM files under hw/i386/xenWei Liu2014-05-074-683/+0Star
| | | | | | | | | | Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* | qemu-xen: free all the pirqs for msi/msix when driver unloadZhenzhong Duan2014-05-072-4/+8
|/ | | | | | | | | | | | | | | | Pirqs are not freed when driver unload, then new pirqs are allocated when driver reload. This could exhaust pirqs if do it in a loop. This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in msi/msix control reg. There is also other way of fixing it such as reuse pirqs between driver reload, but this way is better. Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2 Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* Call pci_piix3_xen_ide_unplug from unplug_disksStefano Stabellini2014-02-201-1/+2
| | | | | Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
* xen_pt: Fix passthrough of device with ROM.Anthony PERARD2014-01-171-2/+2
| | | | | | | | | | | | | | | | QEMU does not need and should not allocate memory for the ROM of a passthrough PCI device. So this patch initialize the particular region like any other PCI BAR of a passthrough device. When a guest will access the ROM, Xen will take care of the IO, QEMU will not be involved in it. Xen set a limit of memory available for each guest, allocating memory for a ROM can hit this limit. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reported-and-Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
* xen_pt: Fix debug output.Anthony PERARD2014-01-171-2/+2
| | | | | | Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
* apic: QOM'ify APICxiaoqiang zhao2013-12-241-2/+4
| | | | | | | | Convert 'init' function to QOM's 'realize' for apic, kvm/apic and xen/xen_apic. Signed-off-by: xiaoqiang zhao <zxq_yx_007@163.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
* xen-pvdevice: make device-id property compulsoryPaul Durrant2013-12-011-1/+5
| | | | | | | | | | | The intention of the Xen PV device is that it is used as a parent device for PV drivers in Xen HVM guests and the set of PV drivers that bind to the device is determined by its device ID (and possibly vendor ID and revision). As such, the device should not have a default device ID, it should always be supplied by the Xen toolstack. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* xen: fix two errors when debug is enabledWei Liu2013-12-011-1/+2
| | | | | | | | | | | | | | This patch fixes: 1. build error in xen_pt.c when XEN_PT_LOGGING_ENABLED is defined 2. debug output format string error when DEBUG_XEN is defined In the second case I also have the output info in consistent with the output in mapping function - that is, print start_addr instead of phys_offset. Signed-off-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* qdev: Drop misleading qdev_free() functionStefan Hajnoczi2013-11-051-1/+1
| | | | | | | | | | | | | | | | | | The qdev_free() function name is misleading since all the function does is unlink the device from its parent. The device is not necessarily freed. The device will be freed when its QObject refcount reaches zero. It is usual for the parent (bus) to hold the final reference but there are cases where something else holds a reference so "free" is a misleading name. Call object_unparent(obj) directly instead of having a qdev wrapper function. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
* qemu/xen: make use of xenstore relative pathsRoger Pau Monné2013-10-101-13/+6Star
| | | | | | | | | | | | | | | | Qemu has several hardcoded xenstore paths that are only valid on Dom0. Attempts to launch a Qemu instance (to act as a userspace backend for PV disks) will fail because Qemu is not able to access those paths when running on a domain different than Dom0. Instead make the xenstore paths relative to the domain where Qemu is actually running. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Cc: xen-devel@lists.xenproject.org Cc: Anthony PERARD <anthony.perard@citrix.com>
* devices: Associate devices to their logical categoryMarcel Apfelbaum2013-07-292-0/+2
| | | | | | | | | The category will be used to sort the devices displayed in the command line help. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
* Xen PV DevicePaul Durrant2013-07-292-1/+132
| | | | | | | | | | | Introduces a new Xen PV PCI device which will act as a binding point for PV drivers for Xen. The device has parameterized vendor-id, device-id and revision to allow to be configured as a binding point for any vendor's PV drivers. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Andreas Färber <afaerber@suse.de>
* misc: Fix new typos in comments and stringsStefan Weil2013-07-271-1/+2
| | | | | | | | | | | | | | | | All these typos were found by codespell. sould -> should emperical -> empirical intialization -> initialization successfuly -> successfully gaurantee -> guarantee Fix also another error (before before) in the same context. Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* xen/xen_platform: QOM parent field cleanupAndreas Färber2013-07-231-8/+13
| | | | | | | | Replace direct uses of PCIXenPlatformState::pci_dev field with QOM casts and rename it to parent_obj. Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
* xen/xen_platform: QOM casting sweepPeter Crosthwaite2013-07-231-5/+9
| | | | | | | | | Define and use standard QOM cast macro. Remove usages of DO_UPCAST() and direct -> style upcasting. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> [AF: Dropped opaque casts] Signed-off-by: Andreas Färber <afaerber@suse.de>
* hw/[u-x]*: pass owner to memory_region_init* functionsPaolo Bonzini2013-07-044-8/+10
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* memory: add ref/unref callsPaolo Bonzini2013-07-041-0/+4
| | | | | | | | | | | | | | | | | Add ref/unref calls at the following places: - places where memory regions are stashed by a listener and used outside the BQL (including in Xen or KVM). - memory_region_find callsites - creation of aliases and containers (only the aliased/contained region gets a reference to avoid loops) - around calls to del_subregion/add_subregion, where the region could disappear after the first call Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* memory: add owner argument to initialization functionsPaolo Bonzini2013-07-044-7/+7
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* xen: Mark fixed platform I/O as unalignedJan Kiszka2013-07-041-0/+4
| | | | | | | | Before switching to the memory core dispatcher, we need to make sure that this pv-device will continue to receive unaligned portio accesses. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* memory: make section size a 128-bit integerPaolo Bonzini2013-06-201-3/+3
| | | | | | | | | | | So far, the size of all regions passed to listeners could fit in 64 bits, because artificial regions (containers and aliases) are eliminated by the memory core, leaving only device regions which have reasonable sizes An IOMMU however cannot be eliminated by the memory core, and may have an artificial size, hence we may need 65 bits to represent its size. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw/xen: Use g_free instead of free and fix potential memory leaksStefan Weil2013-06-111-2/+2
| | | | | | | | | The wrong functions and the missing calls of g_free were reported by cppcheck. Signed-off-by: Stefan Weil <sw@weilnetz.de> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* target-i386: Replace MSI_SPACE_SIZE with APIC_SPACE_SIZEIgor Mammedov2013-05-011-1/+1
| | | | | | | | Put APIC_SPACE_SIZE in a public header so that it can be reused elsewhere later. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
* sysemu: avoid proliferation of include/ subdirectoriesPaolo Bonzini2013-04-151-1/+1
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw: move private headers to hw/ subdirectories.Paolo Bonzini2013-04-086-4/+361
| | | | | | | Many headers are used only in a single directory. These can be kept in hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw: move more files to hw/xen/Paolo Bonzini2013-04-087-0/+4275
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw: move target-independent files to subdirectoriesPaolo Bonzini2013-04-083-0/+976
| | | | | | | This patch tackles all files that are compiled once, moving them to subdirectories of hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw: make subdirectories for devicesPaolo Bonzini2013-04-081-0/+0
Prepare the new directory structure. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>