| Commit message | Author | Age | Files | Lines |

since our seek times are virtually 0. Although this flag is
deprecated by newer ATA standards, Linux at least checks it for CD
drives, and would time out in some cases if we do not set it.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
When creating an HVM domain, if e.g. another domain is created before
qemu allocates video memory, the extra 8MB memory ballooning is not
available any more, because it got consumed by the other domain.
This fixes it by taking video memory from the main memory:
- make hvmloader use e820_malloc to reserve some of the main memory
  and notify ioemu of its address through the Xen platform PCI card.
- add XENMAPSPACE_mfn to the xen_add_to_physmap memory op, to allow
  ioemu to move the MFNs between the original position and the PCI
  mapping, when LFB acceleration is disabled/enabled
- add a remove_from_physmap memory op, to allow ioemu to unmap it
  completely for the case of old guests with acceleration disabled.
- add xc_domain_memory_translate_gpfn_list to libxc to allow ioemu to
  get the MFNs of the video memory.
- have xend save the PCI memory space instead of ioemu: if a memory
  page is there, the guest can access it like usual memory, so xend
  can safely be responsible to save it. The extra benefit is that
  live migration will apply the logdirty optimization there too.
- handle old saved images, populating the video memory from ioemu if
  really needed.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
Signed-off-by: Yu Zhao <yu.zhao@intel.com>
That makes it possible to reduce the amount of difference with upstream.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
There is a small bug in the serial emulation code that prevents kgdb
from working correctly over the serial.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Check BAR type indicator to avoid I/O BAR being mistaken as 64-bit
memory BAR.
Signed-off-by: Yu Zhao <yu.zhao@intel.com>
Currently we are trying to read the same value twice in the
serial_load function; this patch fixes that.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
memory sizes greater than 2GB when built as a 32-bit binary.
Instead, direct HVM Linux loading approximates end of low memory via a
different method.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
pt_bar_reg_parse() is called for the expansion ROM base address register.
Currently it returns PT_BAR_FLAG_MEM if bit 0 is 0. It returns
PT_BAR_FLAG_IO if bit 0 is 1.
But bit 0 in the expansion ROM base address register is the enable bit. If bit
0 is 1 for some reason, it returns PT_BAR_FLAG_IO. The expansion ROM is
mapped to memory space. It should return PT_BAR_FLAG_MEM.
After applying this patch, it returns PT_BAR_FLAG_MEM regardless
of bit 0, when it is called for the expansion ROM base address register.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
I forgot to shift the value read from the real device. If the emulated
register offset is not 4-byte aligned, the write emulation will
not be handled well because the register value read from the
real device is corrupted. The patch fixes this issue.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
libpci returns ALL F when an error occurs. Currently, if libpci returns
ALL F, emulation stops. But it is possible that the field of the real register
which is read by guest software is ALL F.
After applying this patch, if libpci returns ALL F, ioemu will log
a warning message and continue the emulation.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
This patch fixes the write handlers for base address registers (including
the expansion ROM base address register) as follows.
It can be applied to both ioemu-remote and ioemu.
- The current implementation does not work properly when base address registers
  are accessed via 1-byte and 2-byte write accesses. This
  patch enables them.
- Currently guest software can set an address which is not aligned
  with resource size and page size. The patch does not allow guest
  software to set an unaligned address.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
- fix log messages to make analysis easier when an issue occurs.
- remove verbose message.
- add comments in the source code.
- fix wrong comments in the source code.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
This patch backports the following changes of ioemu-remote to ioemu.
It fixes warnings in tools/ioemu/hw/pass-through.h and
tools/ioemu/hw/pass-through.c.
commit 30f00a0284a5ee356de6f6095e52173f2234145b
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri Jul 18 16:02:23 2008 +0100
    hw/pass-through.c: pt_unregister_regions returns void
    It only ever falls off the end, and its return value is not used
    by its one caller.
    Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
commit 439836900dad41f66234d2a14981aa2a90d4d346
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Tue Jul 22 11:55:18 2008 +0100
    Add missing cast for printf of maddr
commit cf5b00e6b714eb5f900d55471d85956b09cb8fd9
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Thu Jul 24 13:57:10 2008 +0100
    pass-through.h: Sprinkle some #ifdefs to cope with pciutils-dev
    versions
    Some versions of pciutils-dev contain #defines which others are
    lacking.
    To avoid spurious compiler warnings we add some #ifdefs. *sigh*
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
... as it's implied by the function name.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
When we don't have an LFB (standard VGA), we can not and do not need
vram tracking at all since we always get explicit dirtying.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Jean Guyader <jean.guyader@eu.citrix.com>
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
When a passthrough device is hot removed from an HVM domain by the "xm
pci-detach" command, the following issues occur. The patch fixes them.
- Allocated memory is not deallocated.
- Unbind interrupt with invalid interrupt pin.
- MSI-X memory mapped register area is not unmapped.
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
We can now actually drop the shadow vram entirely thanks to dirty page
tracking.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Trolle Selander <trolle.selander@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: KUWAMURA Shin'ya <kuwa@jp.fujitsu.com>
In the pt_bar_mapping function, r->addr should not be changed by an invalid
value (-1). This value (-1) causes failure of mapping the BAR when the I/O Space
or Memory Space enable bit is updated repeatedly by the native Windows
driver.
This situation occurs in a Windows Vista guest.
Signed-off-by: Naoki Nishiguchi <nisiguti@jp.fujitsu.com>
Signed-off-by: Naoki Nishiguchi <nisiguti@jp.fujitsu.com>
Previously, all data descriptors used the TSE context descriptor. This is not
correct: per spec, a data descriptor uses the TSE bit to indicate whether
to use TSE. Legacy data descriptors never use TSE.
Signed-off-by: Anthony Xu <anthony.xu@intel.com>
and Device Specific Registers for pt device.
I implemented the following Capability Structures and Device Specific
Registers.
* Configuration Header Type 0
  -> emulation.
     "emulation" does not mean that the real I/O device is not accessed.
     The real I/O device is accessed, but the guest value and the real value
     might be different.
* MSI Capability Structure
  -> emulation.
     Behavior is not changed from the existing implementation in
     pt-msi.c, although the code is changed.
* MSI-X Capability Structure
  -> emulation.
     Behavior is not changed from the existing implementation in
     pt-msi.c, although the code is changed.
* PCI Express Capability Structure
  -> emulation.
* PCI Power Management Capability Structure
  -> emulation.
* Vital Product Data Capability Structure
  -> emulation.
     The only emulated register is the Next Capability Pointer
     Register.
     All other registers are passthrough.
* Vendor Specific Capability Structure
  -> emulation.
     The only emulated register is the Next Capability Pointer
     Register.
     All other registers are passthrough.
* Device Specific Register (excluding capability structures)
  -> passthrough.
     The device drivers in the guest domain are allowed to access
     the Device Specific Register. So various I/O devices will work.
I assigned the following devices to a guest domain, and they worked fine.
- PCIe NIC (MSI)
- PCI NIC (MSI)
- UHCI (INTx interrupt)
- IDE Controller (INTx interrupt)
Signed-off-by: Yuji Shimada <shimada-yxb@necst.nec.co.jp>
From: Haitao Shan <haitao.shan@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
From: Haitao Shan <haitao.shan@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Set dom->buffer.max_capacity to xend configured limit.
Signed-off-by: Pat Campbell <plc@novell.com>
usbdevice = "disk:<filename>"
expect a raw device (as this probably is the most usual case) and
usbdevice = "disk-qcow:<filename>"
expect a COW image (autodetected, probably qcow2).
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
This patch is an extension for qemu-dm to enable emulation of generic
PCI devices. The information for the PCI devices can be passed by
command line parameter.
The command line parameter is "-pciemulation" followed by the
information, which contains a label and the hex values of the configuration
registers separated by ":".
The configuration registers for each PCI device are below.
  vendorid
  deviceid
  command
  status
  revision
  classcode
  headertype
  subvendorid
  subsystemid
  interruptline
  interruptpin
This is an example of the command line parameter.
-pciemulation hba1:1240:0780:0002:0:0:010000:0:10b5:0777:05:1
Signed-off-by: Shinji Matsumoto <smatsumoto@marathontechnologies.com>
does not really belong to hw/, but to /, like sdl.c and vnc.c.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Bring the DisplayState dpy_resize interface back to how it is in qemu
mainstream, thus making the code easier to merge.
In order to support sharing the framebuffer, I am adding a new resize
interface called dpy_resize_shared that also has a depth and a pixels
parameter. As a consequence I could remove the dpy_colourdepth
callback and make the code cleaner and easier to read.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
- add S3 suspend logic in PM1A control register. When the guest writes a
  specific value to this register, QEMU will trigger S3 sleep by
  * reset all qemu devices
  * set CMOS shutdown status as S3 resume, so that rombios will do
    S3 resume later
  * request Xen to S3-suspend the guest
Signed-off-by: Yu Ke <ke.yu@intel.com>
Signed-off-by: Liping Ke <liping.ke@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Changeset 17289:d97e61001d81 introduced vfb configuration parameter
videoram, defaulting to zero. Value zero was interpreted as
unlimited. Changeset 17630:53195719f762 accidentally dropped the
special case for zero, which broke guests that don't specify videoram,
or specify videoram=0. Restore the old behavior.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
This patch fixes several bugs in serial.c
(1) A typo in serial_save() where qemu_get_8s is called (should be
qemu_put_8s)
(2) No support provided in serial_load() for version_id == 1 (should
unmarshal a 1 byte s->divider and should provide a default value
for s->fcr)
(3) Call serial_ioport_write() to initialize s->fcr. It is not
sufficient to load its value; other hidden values (such as
s->recv_fifo.itl) must be re-initialized.
Signed-off-by: Ben Guthro <bguthro@virtualiron.com>
Signed-off-by: Robert Phillips <rphillips@virtualiron.com>
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Patch sends a UNIT_ATTENTION(6), MEDIUM_MAY_HAVE_CHANGED(0x28) sense
when cdrom transitions from not ready to ready.
ATA Packet interface for CD-ROMS, SFF8020i.pdf. See state diagram
Figure 12, page 82 and Table 44 -recommended Sense Key, ASC
With patch in place HVM win2008 server guest sees the CD/DVD contents
have changed when the media is switched.
Signed-off-by: Pat Campbell <plc@novell.com>
A buggy or malicious frontend can describe its shared framebuffer to
the backend in a way that makes the backend map an arbitrary amount of
guest memory, malloc an arbitrarily large internal buffer, copy
arbitrary memory to that buffer, even beyond its end. A domU running
a malicious frontend can abuse the former two for denial of service
attacks against dom0. It can abuse the third to write arbitrary
backend memory. It can abuse all three to terminate or crash the
backend. Arbitrary code execution looks quite feasible.

In more detail (ignoring #ifdef CONFIG_STUBDOM code):

The frame buffer is described by the following parameters:
* fb_len (size of shared framebuffer)
* width, height, depth
* row_stride, offset

fb_len is fixed on startup. The frontend can modify the other
parameters by sending a XENFB_TYPE_RESIZE event.

xenfb_read_frontend_fb_config() limits fb_len according to backend
configuration parameter videoram (from xenstore), if present. I
believe videoram is not present by default.

xenfb_map_fb() uses fb_len to map the frontend's framebuffer.
The frontend can make it map arbitrarily much, unless limited by the
videoram configuration parameter. This flaw always existed.

xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw always
existed.

xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw was
introduced by the move of PVFB into QEMU (xen-unstable cset 16220
ff).

xenfb_on_fb_event() uses width and height to clip the area of an
update event. It then passes that area to xenfb_guest_copy().
xenfb_invalidate() passes the complete screen area to
xenfb_guest_copy(). xenfb_guest_copy() copies the argument area (x,
y, w, h) into the internal buffer, unless shared_buf is true. This
copies h blocks of memory. The i-th copy (counting from zero) copies
    w * depth / 8 bytes
from
    shared framebuffer + offset + (y + i) * row_stride + x * depth / 8
to
    internal buffer + (y + i) * ds->linesize + x * ds->depth / 8
where ds->linesize and ds->depth are parameters of the internal buffer
chosen by the backend.
This copy can be made to read from the shared framebuffer and write to
the internal buffer out of bounds. I believe the frontend can abuse
this to write arbitrary backend memory.

The flaw in its current form was introduced by the move of PVFB into
QEMU (xen-unstable cset 16220 ff). Before, the framebuffer was always
shared.
From: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
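
The bounds checks that the two PVFB messages above call for (limiting fb_len, and keeping every row of the copy inside both buffers), as an added C example; it is not the Xen patch and not code from this log. The names fb_desc, fb_desc_valid, fb_copy_in_bounds and the FB_MAX_* limits are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits; a real backend would derive them from its config. */
#define FB_MAX_WIDTH  4096u
#define FB_MAX_HEIGHT 4096u

/* Frontend-supplied description, named after the parameters in the message. */
struct fb_desc {
    uint64_t fb_len;                 /* size of shared framebuffer, bytes */
    uint32_t width, height, depth;
    uint32_t row_stride, offset;
};

/* Accept a description only if every row lies inside the shared mapping. */
bool fb_desc_valid(const struct fb_desc *d, uint64_t videoram_limit)
{
    if (d->fb_len == 0 || d->fb_len > videoram_limit)
        return false;                /* bounds the size of the mapping */
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;
    if (d->width == 0 || d->width > FB_MAX_WIDTH ||
        d->height == 0 || d->height > FB_MAX_HEIGHT)
        return false;                /* bounds height * width * depth / 8 */
    uint64_t row_bytes = (uint64_t)d->width * d->depth / 8;
    if (d->row_stride < row_bytes)
        return false;
    /* Highest byte read: offset + (height - 1) * row_stride + row_bytes. */
    uint64_t end = (uint64_t)d->offset +
                   (uint64_t)(d->height - 1) * d->row_stride + row_bytes;
    return end <= d->fb_len;         /* 64-bit operands cannot wrap here */
}

/* Check an update rectangle before copying it into the internal buffer
 * (dst_linesize, dst_depth, dst_size describe that buffer). */
bool fb_copy_in_bounds(const struct fb_desc *d, uint32_t x, uint32_t y,
                       uint32_t w, uint32_t h, uint32_t dst_linesize,
                       uint32_t dst_depth, uint64_t dst_size)
{
    if (w == 0 || h == 0 || x >= d->width || y >= d->height ||
        w > d->width - x || h > d->height - y)
        return false;                /* rectangle is not inside the screen */
    /* Last row written ends at (y+h-1)*linesize + x*dst_depth/8 + w*depth/8. */
    uint64_t dst_end = (uint64_t)(y + h - 1) * dst_linesize +
                       (uint64_t)x * dst_depth / 8 + (uint64_t)w * d->depth / 8;
    return dst_end <= dst_size;
}

int main(void)
{
    struct fb_desc ok = { 800 * 600 * 4, 800, 600, 32, 800 * 4, 0 }; /* constructed */
    printf("valid=%d\n", fb_desc_valid(&ok, 8u << 20));
    return 0;
}
```

fb_copy_in_bounds assumes the description already passed fb_desc_valid, which is what keeps the source side of the copy inside the shared mapping.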
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
which permits the frontend to avoid useless polls.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Shan Haitao <Haitao.shan@intel.com>