path: root/tools/ioemu/hw
Commit message (Author, Age, Files, Lines)
...
* ioemu: serial save/load fix (Keir Fraser, 2008-05-16, 1 file, -1/+7)
  This patch fixes several bugs in serial.c:
  (1) A typo in serial_save() where qemu_get_8s is called (should be qemu_put_8s).
  (2) No support provided in serial_load() for version_id == 1 (should unmarshal a 1 byte s->divider and should provide a default value for s->fcr).
  (3) Call serial_ioport_write() to initialize s->fcr. It is not sufficient to load its value; other hidden values (such as s->recv_fifo.itl) must be re-initialized.
  Signed-off-by: Ben Guthro <bguthro@virtualiron.com>
  Signed-off-by: Robert Phillips <rphillips@virtualiron.com>
* ioemu: Fix PVFB backend to limit frame buffer size (Keir Fraser, 2008-05-15, 1 file, -0/+1)
  The recent fix to validate the frontend's frame buffer description neglected to limit the frame buffer size correctly. This lets a malicious frontend make the backend attempt to map an arbitrary amount of guest memory, which could be useful for a denial of service attack against dom0.
  Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qemu: Send unit_attention on cd-rom not_ready to ready transition (Keir Fraser, 2008-05-14, 1 file, -0/+6)
  Patch sends a UNIT_ATTENTION(6), MEDIUM_MAY_HAVE_CHANGED(0x28) sense when cdrom transitions from not ready to ready. ATA Packet interface for CD-ROMS, SFF8020i.pdf. See state diagram Figure 12, page 82 and Table 44 - recommended Sense Key, ASC. With patch in place HVM win2008 server guest sees the CD/DVD contents have changed when the media is switched.
  Signed-off-by: Pat Campbell <plc@novell.com>
* ioemu: Fix PVFB backend to validate frontend's frame buffer description (Keir Fraser, 2008-05-13, 1 file, -28/+79)
  A buggy or malicious frontend can describe its shared framebuffer to the backend in a way that makes the backend map an arbitrary amount of guest memory, malloc an arbitrarily large internal buffer, copy arbitrary memory to that buffer, even beyond its end. A domU running a malicious frontend can abuse the former two for denial of service attacks against dom0. It can abuse the third to write arbitrary backend memory. It can abuse all three to terminate or crash the backend. Arbitrary code execution looks quite feasible.

  In more detail (ignoring #ifdef CONFIG_STUBDOM code):

  The frame buffer is described by the following parameters:
  * fb_len (size of shared framebuffer)
  * width, height, depth
  * row_stride, offset

  fb_len is fixed on startup. The frontend can modify the other parameters by sending a XENFB_TYPE_RESIZE event.

  xenfb_read_frontend_fb_config() limits fb_len according to backend configuration parameter videoram (from xenstore), if present. I believe videoram is not present by default.

  xenfb_map_fb() uses fb_len to map the frontend's framebuffer. The frontend can make it map arbitrarily much, unless limited by the videoram configuration parameter. This flaw always existed.

  xenfb_register_console() and xenfb_on_fb_event() pass width, height, depth and rowstride to QEMU's DisplayState object. The object sets itself up to work directly on the framebuffer (shared_buf true) if parameters allow that. Else it allocates an internal buffer of size height * width * depth / 8 (shared_buf false). The frontend can make it allocate arbitrarily much. This flaw always existed.

  xenfb_register_console() and xenfb_on_fb_event() pass width, height, depth and rowstride to QEMU's DisplayState object. The object sets itself up to work directly on the framebuffer (shared_buf true) if parameters allow that. Else it allocates an internal buffer of size height * width * depth / 8 (shared_buf false). The frontend can make it allocate arbitrarily much. This flaw was introduced by the move of PVFB into QEMU (xen-unstable cset 16220 ff).

  xenfb_on_fb_event() uses width and height to clip the area of an update event. It then passes that area to xenfb_guest_copy(). xenfb_invalidate() passes the complete screen area to xenfb_guest_copy().

  xenfb_guest_copy() copies the argument area (x, y, w, h) into the internal buffer, unless shared_buf is true. This copies h blocks of memory. The i-th copy (counting from zero) copies w * depth / 8 bytes from shared framebuffer + offset + (y + i) * row_stride + x * depth / 8 to internal buffer + (y + i) * ds->linesize + x * ds->depth / 8 where ds->linesize and ds->depth are parameters of the internal buffer chosen by the backend. This copy can be made to read from the shared framebuffer and write to the internal buffer out of bounds. I believe the frontend can abuse this to write arbitrary backend memory. The flaw in its current form was introduced by the move of PVFB into QEMU (xen-unstable cset 16220 ff). Before, the framebuffer was always shared.

  From: Markus Armbruster <armbru@redhat.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* ioemu: Fix build: use uint64_t rather than u64. (Keir Fraser, 2008-05-12, 2 files, -3/+3)
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* pvfb/ioemu: transmit refresh interval advice from backend to frontend (Keir Fraser, 2008-05-12, 1 file, -31/+136)
  which permits the frontend to avoid useless polls.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* x86 hvm: Support MSI-X for HVM domains. (Keir Fraser, 2008-05-12, 4 files, -27/+440)
  Signed-off-by: Shan Haitao <Haitao.shan@intel.com>
* shadow: track video RAM dirty bits (Keir Fraser, 2008-05-02, 3 files, -29/+104)
  This adds a new HVM op that enables tracking dirty bits of a range of video RAM. The idea is to optimize just for the most common case (only one guest mapping, with sometimes some temporary other mappings), which permits to keep the overhead on shadow as low as possible.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: always disable shared buffer in text mode (Keir Fraser, 2008-05-02, 1 file, -4/+3)
  by not calling get_bpp() (which only makes sense in graphical mode) and always use 0 instead.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* MSI 5/6: add MSI support to passthrough HVM domain (Keir Fraser, 2008-05-01, 4 files, -1/+601)
  Currently it only intercepts access to MSI config space, no MSI-x support.
  Signed-off-by: Jiang Yunhong <yunhong.jiang@intel.com>
  Signed-off-by: Shan Haitao <haitao.shan@intel.com>
* MSI 2/6: change the pirq to be per-domain (Keir Fraser, 2008-05-01, 1 file, -0/+14)
  Signed-off-by: Jiang Yunhong <yunhong.jiang@intel.com>
  Signed-off-by: Shan Haitao <haitao.shan@intel.com>
* ioemu: Save PCI device INTx line states. (Keir Fraser, 2008-04-24, 1 file, -2/+14)
  Otherwise, ioemu can be out of sync with the hypervisor after restoring guest state, if INTx lines were asserted when the state was saved. This prevents ioemu from setting the line to zero in Xen (because it thinks the line is already zero). This can allow the guest to enter an endless IRQ loop and hang.
  Signed-off-by: Kazuhiro Suzuki <kaz@jp.fujitsu.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* blktap: Automatically start tapdisk-ioemu on demand (Keir Fraser, 2008-04-23, 1 file, -44/+1)
  When a domain wants to use a tap:ioemu disk but has no device model, start a tapdisk-ioemu instance as provider. Also, move the creation and removal of communication pipes to xend so that qemu-dm doesn't need the unwanted SIGHUP handler anymore.
  Signed-off-by: Kevin Wolf <kwolf@suse.de>
* Revert 17499:451ae3b8e5c8 (Keir Fraser, 2008-04-23, 1 file, -1/+44)
  Breaks HVM guest creation (bugzilla #1221).
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* blktap: Automatically start tapdisk-ioemu on demand (Keir Fraser, 2008-04-22, 1 file, -44/+1)
  When a domain wants to use a tap:ioemu disk but has no device model, start a tapdisk-ioemu instance as provider. Also, move the creation and removal of communication pipes to xend so that qemu-dm doesn't need the unwanted SIGHUP handler anymore.
  Signed-off-by: Kevin Wolf <kwolf@suse.de>
* stubdom: make use of PVFB resize event (Keir Fraser, 2008-04-16, 3 files, -45/+110)
  which with the offset support also permits to expose the VGA vram and non-shared vram through PVFB at the same time, switching between both as appropriate.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* hvm: Add HVM_PARAM_DM_DOMAIN to let ioreq events go to a stub domain (Keir Fraser, 2008-04-11, 1 file, -0/+1)
  instead of dom0.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* ioemu: Fix rtl8139 emulation so that reboot works correctly in 64-bit Windows VMs. (Keir Fraser, 2008-04-09, 1 file, -0/+18)
  Return an error if the guest OS tries to transmit a packet with the transmitter disabled, so that it doesn't spin forever waiting for it to complete.
  Signed-off-by: Steven Smith <Steven.Smith@eu.citrix.com>
* ioemu: advertise write cache feature (Keir Fraser, 2008-04-04, 1 file, -1/+2)
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: advertise write cache as enabled only when it actually is. (Keir Fraser, 2008-04-02, 1 file, -1/+1)
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu rendering fixes (Keir Fraser, 2008-04-01, 2 files, -8/+11)
  - no need to call the colourdepth callback in text mode: the buffer cannot be shared anyway;
  - line size changes are currently undetected: since we added a linesize parameter to the resize callback, we also need to detect line size changes and call dpy_resize accordingly;
  - 8 bit colour depth with the shared framebuffer is broken: in order to fix it I disabled the shared buffer in vnc for the 8bit colour depth case (it has to be done in software anyway..) and implemented paletted colours in both opengl and sdl;
  - opengl rendering is broken when there is padding in the framebuffer lines: removing unnecessary GL_UNPACK_ALIGNMENT settings so that the GL_UNPACK_ROW_LENGTH parameter can work properly.
  Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* ioemu: actually check for errors in bdrv_flush et al (Keir Fraser, 2008-03-31, 2 files, -1/+8)
  bdrv_flush is declared to return void, but this is wrong because it means that the implementations have nowhere to report their errors. Indeed, the implementations generally ignore errors. This patch corrects this by making it return int (implicitly, either 0 or -errno, as for other similar functions). All of the implementations and callers are adjusted too.
  Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
* ioemu: ne2k buffer full bug fix, by Marcel Block. (Keir Fraser, 2008-03-28, 1 file, -1/+1)
  Backport from qemu upstream.
  Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
* ioemu: Perform emulated IDE flushes asynchronously. (Keir Fraser, 2008-03-28, 1 file, -6/+46)
  Fixes 'Windows Bug Check 0x101 issue' in which a VCPU gets tied up for so long doing a synchronous flush to disc that it misses critical timer events.
  Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
  Modified-by: Ian Jackson <ian.jackson@eu.citrix.com>
  Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
* pvfb: Add offset in resize event (Keir Fraser, 2008-03-26, 1 file, -2/+6)
  Also support depth change.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: save IDE write cache flag. (Keir Fraser, 2008-03-26, 1 file, -3/+6)
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* xenfb: Dynamic modes support. (Keir Fraser, 2008-03-26, 1 file, -0/+31)
  Attached patch adds dynamic frame buffer size support to the xenfb PV backend QEMU xenfb. Backend sets feature-resize and handles the resize frame buffer event. Corresponding frontend LINUX patch is required for functionality but this patch is not dependent on it, preserving backwards compatibility.
  Signed-off-by: Pat Campbell <plc@novell.com>
* stubdom: remove unnecessary include (Keir Fraser, 2008-03-25, 1 file, -3/+0)
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: improve DMA transfers (Keir Fraser, 2008-03-20, 2 files, -9/+19)
  by increasing the size of DMA buffers.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: IDE should accept SETMULT 0 (Keir Fraser, 2008-03-20, 1 file, -1/+0)
  as upstream qemu now does.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: Allow VNC buffer sharing when linesize != width * depth (Keir Fraser, 2008-03-20, 1 file, -2/+2)
  Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* stubdom: disable xen_blktap (Keir Fraser, 2008-03-18, 1 file, -0/+2)
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: Set subsystem vendor/device for ne2k device model. (Keir Fraser, 2008-03-18, 1 file, -0/+4)
  From: Kamala Narasimhan <kamala.narasimhan@citrix.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* Use ioemu block drivers through blktap. (Keir Fraser, 2008-03-18, 3 files, -0/+750)
  Add support for a tap:ioemu pseudo driver. Devices using this driver won't use tapdisk (containing the code duplication) any more, but will connect to the qemu-dm of the domain. In this way no working configuration should be broken right now as you can still choose to use the tapdisk drivers.
  Signed-off-by: Kevin Wolf <kwolf@suse.de>
* ioemu: Let the USB tablet reach the far bottom and right pixels (Keir Fraser, 2008-03-05, 1 file, -4/+4)
  by fixing divisions / multiplications into using width-1.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: support shared framebuffer and linesize != width * depth. (Keir Fraser, 2008-03-05, 4 files, -8/+8)
  When sharing the buffer between e.g. xenfb and SDL, SDL must follow the line size.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: improve colordepth negotiation (Keir Fraser, 2008-03-04, 2 files, -19/+34)
  By moving the colourdepth callback a bit earlier, we can let the display decide the actual depth to be used before the draw and whether sharing is possible or not.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: xenfb shared memory patch (Keir Fraser, 2008-03-03, 1 file, -29/+34)
  Share the internal xenfb backend buffer with sdl or vnc. All the needed functions are already in place because they have been implemented for the previous cirrus vga shared memory patch.
  Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* ioemu: sdl blitting (Keir Fraser, 2008-03-03, 1 file, -6/+9)
  Right now qemu takes care of converting pixels between the guest pixel format and the sdl pixel format; after that qemu also memcpys the converted pixels to the sdl buffer in video ram. This process can be improved using the SDL blit capabilities: the patch I am attaching creates an SDL Surface from the Cirrus VGA framebuffer and uses SDL blitting functions to convert and write pixels to video ram. SDL blitting functions are optimized and can even be hardware accelerated on some platforms.
  Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
* ioemu: fix xenfb slow case update by shifting to the left before masking low bits instead of shifting to the right and masking high bits. (Keir Fraser, 2008-03-03, 1 file, -18/+34)
  Also adds 24bpp support.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* merge with xen-unstable.hg (Alex Williamson, 2008-02-29, 2 files, -7/+211)
* stubdom: Fix compilation after abs_z to rel_z change (Keir Fraser, 2008-02-28, 1 file, -6/+4)
  From: Samuel Thibault <samuel.thibault@eu.citrix.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* Rename struct xenkbd_position member abs_z to rel_z. Z-axis motion is relative, not absolute. (Keir Fraser, 2008-02-28, 1 file, -3/+5)
  From: Markus Armbruster <armbru@redhat.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* stubdom: use PVFB so as to e.g. permit SDL display (Keir Fraser, 2008-02-28, 1 file, -3/+207)
  This adds support in ioemu for PVFB frontend as stubdomain display. This permits for instance to use SDL in dom0 to perform the eventual display.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: Fix e1000 mmio range size. (Keir Fraser, 2008-02-27, 1 file, -1/+1)
  Per Intel 82540EM Software Developer's Manual pp. 211, the mmio size is 0x20000, or address overlapping occurs and causes the second card to fail, which happened to me earlier.
  From: Tina Yang <tina.yang@oracle.com>
  Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
* merge with xen-unstable.hg (Alex Williamson, 2008-02-26, 5 files, -2/+1864)
* ioemu: Do not use xce_handle directly as a file descriptor. (Keir Fraser, 2008-02-26, 2 files, -2/+2)
  xce handles are not supposed to be used as file descriptors, but xc_evtchn_fd() should be used.
  Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* ioemu: e1000 emulation (Keir Fraser, 2008-02-26, 3 files, -0/+1862)
  This is a direct port of the e1000 driver currently in Qemu CVS with extremely minimal changes. This is useful for Xen as new OSes may not support the old 100Mbps NICs we currently support (especially on non-x86). Drivers for e1000 should be more readily available.
  Signed-off-by: Alex Williamson <alex.williamson@hp.com>
* [IA64] Fix qemu memory access on IA64 (Alex Williamson, 2008-02-22, 1 file, -2/+8)
  - Correct a parameter to xc_map_foreign_batch(), skipping vga hole.
  - sync_icache() might overrun a page boundary. qemu-dm will die.
  This re-enables HVM support after cset 99478ffd81ee8685e6376210a1bd654c3790bf8d in linux-2.6.18-xen.hg
  Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
* ioemu: Share framebuffer between VGA device model and VNC server. (Keir Fraser, 2008-02-20, 1 file, -10/+12)
  Now that the qemu WMVi patch is applied we can take full advantage of it sharing the video buffer between the vga driver and the qemu vnc server. This saves a lot of memcpy. It's worth mentioning again that when the guest colour depth is 24 bit we cannot share the buffer because 24 bpp is not supported by the vnc protocol, so we still have to do the translation 24 bpp -> 32 bpp.
  Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>