From 3c15d3a45045de82c744c49ff471d4c7ba405187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Mon, 12 Oct 2015 12:54:57 +0200 Subject: [PATCH 01/24] hw/acpi/aml-build: remove useless glib version check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 2.22 is the minimum version required Signed-off-by: Marc-André Lureau Signed-off-by: Michael Tokarev --- hw/acpi/aml-build.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c index 0d4b3247b7..a00a0abe83 100644 --- a/hw/acpi/aml-build.c +++ b/hw/acpi/aml-build.c @@ -1163,9 +1163,7 @@ void *acpi_data_push(GArray *table_data, unsigned size) unsigned acpi_data_len(GArray *table) { -#if GLIB_CHECK_VERSION(2, 22, 0) assert(g_array_get_element_size(table) == 1); -#endif return table->len; } From 5accecb3a6b49d8ca79684179610583e9c7c1bf5 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Tue, 13 Oct 2015 09:38:50 +0200 Subject: [PATCH 02/24] gdbstub: Fix buffer overflows in gdb_handle_packet() Some places in gdb_handle_packet() can get an arbitrary length (most times directly from the client) and either didn't check it at all or checked against the wrong value, potentially causing buffer overflows. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Signed-off-by: Michael Tokarev --- gdbstub.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/gdbstub.c b/gdbstub.c index d2c95b5d1e..9c29aa0e87 100644 --- a/gdbstub.c +++ b/gdbstub.c @@ -956,6 +956,13 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf) if (*p == ',') p++; len = strtoull(p, NULL, 16); + + /* memtohex() doubles the required space */ + if (len > MAX_PACKET_LENGTH / 2) { + put_packet (s, "E22"); + break; + } + if (target_memory_rw_debug(s->g_cpu, addr, mem_buf, len, false) != 0) { put_packet (s, "E14"); } else { @@ -970,6 +977,12 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf) len = strtoull(p, (char **)&p, 16); if (*p == ':') p++; + + /* hextomem() reads 2*len bytes */ + if (len > strlen(p) / 2) { + put_packet (s, "E22"); + break; + } hextomem(mem_buf, p, len); if (target_memory_rw_debug(s->g_cpu, addr, mem_buf, len, true) != 0) { @@ -1107,7 +1120,8 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf) cpu = find_cpu(thread); if (cpu != NULL) { cpu_synchronize_state(cpu); - len = snprintf((char *)mem_buf, sizeof(mem_buf), + /* memtohex() doubles the required space */ + len = snprintf((char *)mem_buf, sizeof(buf) / 2, "CPU#%d [%s]", cpu->cpu_index, cpu->halted ? "halted " : "running"); memtohex(buf, mem_buf, len); @@ -1136,8 +1150,8 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf) put_packet(s, "E01"); break; } - hextomem(mem_buf, p + 5, len); len = len / 2; + hextomem(mem_buf, p + 5, len); mem_buf[len++] = 0; qemu_chr_be_write(s->mon_chr, mem_buf, len); put_packet(s, "OK"); From b21de19992cefdfef68217e50a8365ee5e535e10 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Thu, 15 Oct 2015 10:54:15 +0200 Subject: [PATCH 03/24] hw/display/tcx: Remove superfluous OBJECT() typecasts The tcx_initfn() function is already supplied with an Object *obj pointer, so there is no need to cast the state pointer back to an Object pointer all over the place. And while we're at it, also remove the superfluous "return;" statement in this function. Signed-off-by: Thomas Huth Reviewed-by: Markus Armbruster Acked-by: Mark Cave-Ayland Signed-off-by: Michael Tokarev --- hw/display/tcx.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/hw/display/tcx.c b/hw/display/tcx.c index bf119bc89a..d720ea6666 100644 --- a/hw/display/tcx.c +++ b/hw/display/tcx.c @@ -944,57 +944,55 @@ static void tcx_initfn(Object *obj) SysBusDevice *sbd = SYS_BUS_DEVICE(obj); TCXState *s = TCX(obj); - memory_region_init_ram(&s->rom, OBJECT(s), "tcx.prom", FCODE_MAX_ROM_SIZE, + memory_region_init_ram(&s->rom, obj, "tcx.prom", FCODE_MAX_ROM_SIZE, &error_fatal); memory_region_set_readonly(&s->rom, true); sysbus_init_mmio(sbd, &s->rom); /* 2/STIP : Stippler */ - memory_region_init_io(&s->stip, OBJECT(s), &tcx_stip_ops, s, "tcx.stip", + memory_region_init_io(&s->stip, obj, &tcx_stip_ops, s, "tcx.stip", TCX_STIP_NREGS); sysbus_init_mmio(sbd, &s->stip); /* 3/BLIT : Blitter */ - memory_region_init_io(&s->blit, OBJECT(s), &tcx_blit_ops, s, "tcx.blit", + memory_region_init_io(&s->blit, obj, &tcx_blit_ops, s, "tcx.blit", TCX_BLIT_NREGS); sysbus_init_mmio(sbd, &s->blit); /* 5/RSTIP : Raw Stippler */ - memory_region_init_io(&s->rstip, OBJECT(s), &tcx_rstip_ops, s, "tcx.rstip", + memory_region_init_io(&s->rstip, obj, &tcx_rstip_ops, s, "tcx.rstip", TCX_RSTIP_NREGS); sysbus_init_mmio(sbd, &s->rstip); /* 6/RBLIT : Raw Blitter */ - memory_region_init_io(&s->rblit, OBJECT(s), &tcx_rblit_ops, s, "tcx.rblit", + memory_region_init_io(&s->rblit, obj, &tcx_rblit_ops, s, "tcx.rblit", TCX_RBLIT_NREGS); sysbus_init_mmio(sbd, &s->rblit); /* 7/TEC : ??? */ - memory_region_init_io(&s->tec, OBJECT(s), &tcx_dummy_ops, s, - "tcx.tec", TCX_TEC_NREGS); + memory_region_init_io(&s->tec, obj, &tcx_dummy_ops, s, "tcx.tec", + TCX_TEC_NREGS); sysbus_init_mmio(sbd, &s->tec); /* 8/CMAP : DAC */ - memory_region_init_io(&s->dac, OBJECT(s), &tcx_dac_ops, s, - "tcx.dac", TCX_DAC_NREGS); + memory_region_init_io(&s->dac, obj, &tcx_dac_ops, s, "tcx.dac", + TCX_DAC_NREGS); sysbus_init_mmio(sbd, &s->dac); /* 9/THC : Cursor */ - memory_region_init_io(&s->thc, OBJECT(s), &tcx_thc_ops, s, "tcx.thc", + memory_region_init_io(&s->thc, obj, &tcx_thc_ops, s, "tcx.thc", TCX_THC_NREGS); sysbus_init_mmio(sbd, &s->thc); /* 11/DHC : ??? */ - memory_region_init_io(&s->dhc, OBJECT(s), &tcx_dummy_ops, s, "tcx.dhc", + memory_region_init_io(&s->dhc, obj, &tcx_dummy_ops, s, "tcx.dhc", TCX_DHC_NREGS); sysbus_init_mmio(sbd, &s->dhc); /* 12/ALT : ??? */ - memory_region_init_io(&s->alt, OBJECT(s), &tcx_dummy_ops, s, "tcx.alt", + memory_region_init_io(&s->alt, obj, &tcx_dummy_ops, s, "tcx.alt", TCX_ALT_NREGS); sysbus_init_mmio(sbd, &s->alt); - - return; } static void tcx_realizefn(DeviceState *dev, Error **errp) From 53d47be25a0c8bde5aa5b53625bc810f91c6271f Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Mon, 26 Oct 2015 14:27:31 -0600 Subject: [PATCH 04/24] maint: Ignore ivshmem binaries Commit a75eb03b added ivshmem-client and ivshmem-server binaries, but did not mark them for exclusion in .gitignore. Signed-off-by: Eric Blake Signed-off-by: Michael Tokarev --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 75bceb9975..88a80ff4a5 100644 --- a/.gitignore +++ b/.gitignore @@ -24,6 +24,8 @@ /*-darwin-user /*-linux-user /*-bsd-user +/ivshmem-client +/ivshmem-server /libdis* /libuser /linux-headers/asm From 6ba9fe86957c3c8febf74c2495d901ac4061a673 Mon Sep 17 00:00:00 2001 From: Cao jin Date: Sun, 25 Oct 2015 16:23:28 +0800 Subject: [PATCH 05/24] fix bad indentation in pcie_cap_slot_write_config() bad indentation conflicts with CODING_STYLE doc Signed-off-by: Cao jin Signed-off-by: Michael Tokarev --- hw/pci/pcie.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c index 32c65c27a4..0eab29d534 100644 --- a/hw/pci/pcie.c +++ b/hw/pci/pcie.c @@ -426,13 +426,13 @@ void pcie_cap_slot_write_config(PCIDevice *dev, */ if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) && ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) { - PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev)); - pci_for_each_device(sec_bus, pci_bus_num(sec_bus), - pcie_unplug_device, NULL); + PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev)); + pci_for_each_device(sec_bus, pci_bus_num(sec_bus), + pcie_unplug_device, NULL); - pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, - PCI_EXP_SLTSTA_PDS); - pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, + pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDS); + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, PCI_EXP_SLTSTA_PDC); } From 3cd01b6ed8a1ae472f09cbcc47b7cba4d732f94c Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Tue, 20 Oct 2015 13:41:33 -0600 Subject: [PATCH 06/24] tests: ignore test-qga Commit 62c39b30 added a new test, but did not mark it for exclusion in .gitignore. Signed-off-by: Eric Blake Signed-off-by: Michael Tokarev --- tests/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/.gitignore b/tests/.gitignore index 65496aa5a6..e96f569903 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -30,6 +30,7 @@ test-qapi-types.[ch] test-qapi-visit.[ch] test-qdev-global-props test-qemu-opts +test-qga test-qmp-commands test-qmp-commands.h test-qmp-event From 2c21ec3d1818cb0395b5a9b73128e6920d44def7 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 19 Oct 2015 16:08:39 +0200 Subject: [PATCH 07/24] xen: fix invalid assertion Asserting "true" is not that useful. Reported by Coverity. Signed-off-by: Paolo Bonzini Acked-by: Stefano Stabellini Signed-off-by: Michael Tokarev --- hw/xen/xen_pt_config_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c index 0efee112fd..3d8686d550 100644 --- a/hw/xen/xen_pt_config_init.c +++ b/hw/xen/xen_pt_config_init.c @@ -1937,7 +1937,7 @@ static int xen_pt_config_reg_init(XenPCIPassthroughState *s, break; case 4: rc = xen_host_pci_get_long(&s->real_device, offset, &val); break; - default: assert(1); + default: abort(); } if (rc) { /* Serious issues when we cannot read the host values! */ @@ -1982,7 +1982,7 @@ static int xen_pt_config_reg_init(XenPCIPassthroughState *s, break; case 4: pci_set_long(s->dev.config + offset, val); break; - default: assert(1); + default: abort(); } /* set register value pointer to the data. */ reg_entry->ptr.byte = s->dev.config + offset; From a6c6d827605e416f0e127a325ee1efc9cf16afa5 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 9 Oct 2015 17:56:36 +0200 Subject: [PATCH 08/24] hw/input/tsc210x: Remove superfluous memset g_malloc0 already clears the memory, so no need for additional memsets here. And while we're at it, let's also remove the superfluous typecasts for the return values of g_malloc0 and use the type-safe g_new0 instead. Signed-off-by: Thomas Huth Reviewed-by: Eric Blake Signed-off-by: Michael Tokarev --- hw/input/tsc210x.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c index fae3385636..1073bbfec6 100644 --- a/hw/input/tsc210x.c +++ b/hw/input/tsc210x.c @@ -1086,9 +1086,7 @@ uWireSlave *tsc2102_init(qemu_irq pint) { TSC210xState *s; - s = (TSC210xState *) - g_malloc0(sizeof(TSC210xState)); - memset(s, 0, sizeof(TSC210xState)); + s = g_new0(TSC210xState, 1); s->x = 160; s->y = 160; s->pressure = 0; @@ -1135,9 +1133,7 @@ uWireSlave *tsc2301_init(qemu_irq penirq, qemu_irq kbirq, qemu_irq dav) { TSC210xState *s; - s = (TSC210xState *) - g_malloc0(sizeof(TSC210xState)); - memset(s, 0, sizeof(TSC210xState)); + s = g_new0(TSC210xState, 1); s->x = 400; s->y = 240; s->pressure = 0; From 112317867d573bb053d431f098060cf996d9b2e8 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 9 Oct 2015 17:56:37 +0200 Subject: [PATCH 09/24] tests/i44fx-test: No need for zeroing memory before memset Change a g_malloc0 into g_malloc since the following memset fills the whole buffer anyway. Signed-off-by: Thomas Huth Reviewed-by: Laszlo Ersek Signed-off-by: Michael Tokarev --- tests/i440fx-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/i440fx-test.c b/tests/i440fx-test.c index d0bc8de25a..7fa170990f 100644 --- a/tests/i440fx-test.c +++ b/tests/i440fx-test.c @@ -191,7 +191,7 @@ static void write_area(uint32_t start, uint32_t end, uint8_t value) uint32_t size = end - start + 1; uint8_t *data; - data = g_malloc0(size); + data = g_malloc(size); memset(data, value, size); memwrite(start, data, size); From e9d49d518d5d2b0411ee2625e46662a6065a909c Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 9 Oct 2015 17:56:38 +0200 Subject: [PATCH 10/24] linux-user/syscall: Replace g_malloc0 + memcpy with g_memdup No need to use g_malloc0 to zero the memory if we memcpy to the whole buffer afterwards anyway. Actually, there is even a function which combines both steps, g_memdup, so let's use this function here instead. Signed-off-by: Thomas Huth Reviewed-by: Eric Blake Signed-off-by: Michael Tokarev --- linux-user/syscall.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 8bfb24f05b..6c64ba63db 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -5325,8 +5325,7 @@ static abi_long do_open_by_handle_at(abi_long mount_fd, abi_long handle, return -TARGET_EFAULT; } - fh = g_malloc0(total_size); - memcpy(fh, target_fh, total_size); + fh = g_memdup(target_fh, total_size); fh->handle_bytes = size; fh->handle_type = tswap32(target_fh->handle_type); From 1a13b27273cdc4f6fd18bc1e83950d47c6b5928b Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 9 Oct 2015 17:56:35 +0200 Subject: [PATCH 11/24] hw/dma/pxa2xx: Remove superfluous memset g_malloc0 already clears the memory, so no need for the additional memset here. And while we're at it, also convert the g_malloc0 to the preferred g_new0. Signed-off-by: Thomas Huth Reviewed-by: Eric Blake Signed-off-by: Michael Tokarev --- hw/dma/pxa2xx_dma.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hw/dma/pxa2xx_dma.c b/hw/dma/pxa2xx_dma.c index d4501fb4cb..54cdb25a32 100644 --- a/hw/dma/pxa2xx_dma.c +++ b/hw/dma/pxa2xx_dma.c @@ -459,9 +459,8 @@ static int pxa2xx_dma_init(SysBusDevice *sbd) return -1; } - s->chan = g_malloc0(sizeof(PXA2xxDMAChannel) * s->channels); + s->chan = g_new0(PXA2xxDMAChannel, s->channels); - memset(s->chan, 0, sizeof(PXA2xxDMAChannel) * s->channels); for (i = 0; i < s->channels; i ++) s->chan[i].state = DCSR_STOPINTR; From 374ec0669a1aa3affac7850a16c6cad18221c439 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 19 Oct 2015 16:08:40 +0200 Subject: [PATCH 12/24] bt: fix use of uninitialized variable seqlen sdp_svc_match, sdp_attr_match and sdp_svc_attr_match read the last argument. The only sensible way to change the code is to make that last argument "len" instead of "seqlen" which is the length of a subsequence in the previous "if" branch. To make the structure of the code clearer, use "else" instead of "else if". Reported by Coverity. Signed-off-by: Paolo Bonzini Signed-off-by: Michael Tokarev --- hw/bt/sdp.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c index c903747952..b9bcdcc78d 100644 --- a/hw/bt/sdp.c +++ b/hw/bt/sdp.c @@ -150,12 +150,14 @@ static ssize_t sdp_svc_search(struct bt_l2cap_sdp_state_s *sdp, if (seqlen < 3 || len < seqlen) return -SDP_INVALID_SYNTAX; len -= seqlen; - while (seqlen) if (sdp_svc_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 3) return -SDP_INVALID_SYNTAX; @@ -278,8 +280,11 @@ static ssize_t sdp_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_attr_match(record, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_attr_match(record, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_attr_match(record, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 1) return -SDP_INVALID_SYNTAX; @@ -393,8 +398,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_svc_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 3) return -SDP_INVALID_SYNTAX; @@ -413,8 +421,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_svc_attr_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_attr_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_attr_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 1) return -SDP_INVALID_SYNTAX; From fedf0d35aafc4f1f1e5f6dbc80cb23ae1ae49f0b Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Tue, 3 Nov 2015 17:12:03 +0100 Subject: [PATCH 13/24] ui: Use g_new() & friends where that makes obvious sense g_new(T, n) is neater than g_malloc(sizeof(T) * n). It's also safer, for two reasons. One, it catches multiplication overflowing size_t. Two, it returns T * rather than void *, which lets the compiler catch more type errors. This commit only touches allocations with size arguments of the form sizeof(T). Same Coccinelle semantic patch as in commit b45c03f. Signed-off-by: Markus Armbruster Reviewed-by: Eric Blake Signed-off-by: Michael Tokarev --- ui/console.c | 2 +- ui/curses.c | 2 +- ui/input-legacy.c | 4 ++-- ui/keymaps.c | 2 +- ui/sdl.c | 2 +- ui/vnc-jobs.c | 6 +++--- ui/vnc.c | 4 ++-- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ui/console.c b/ui/console.c index f26544eb26..745c354f53 100644 --- a/ui/console.c +++ b/ui/console.c @@ -450,7 +450,7 @@ static void text_console_resize(QemuConsole *s) if (s->width < w1) w1 = s->width; - cells = g_malloc(s->width * s->total_height * sizeof(TextCell)); + cells = g_new(TextCell, s->width * s->total_height); for(y = 0; y < s->total_height; y++) { c = &cells[y * s->width]; if (w1 > 0) { diff --git a/ui/curses.c b/ui/curses.c index 266260a401..7e7e4029ec 100644 --- a/ui/curses.c +++ b/ui/curses.c @@ -431,7 +431,7 @@ void curses_display_init(DisplayState *ds, int full_screen) curses_winch_init(); - dcl = (DisplayChangeListener *) g_malloc0(sizeof(DisplayChangeListener)); + dcl = g_new0(DisplayChangeListener, 1); dcl->ops = &dcl_ops; register_displaychangelistener(dcl); diff --git a/ui/input-legacy.c b/ui/input-legacy.c index a67ed329ce..e0a39f08a5 100644 --- a/ui/input-legacy.c +++ b/ui/input-legacy.c @@ -206,7 +206,7 @@ QEMUPutMouseEntry *qemu_add_mouse_event_handler(QEMUPutMouseEvent *func, { QEMUPutMouseEntry *s; - s = g_malloc0(sizeof(QEMUPutMouseEntry)); + s = g_new0(QEMUPutMouseEntry, 1); s->qemu_put_mouse_event = func; s->qemu_put_mouse_event_opaque = opaque; @@ -240,7 +240,7 @@ QEMUPutLEDEntry *qemu_add_led_event_handler(QEMUPutLEDEvent *func, { QEMUPutLEDEntry *s; - s = g_malloc0(sizeof(QEMUPutLEDEntry)); + s = g_new0(QEMUPutLEDEntry, 1); s->put_led = func; s->opaque = opaque; diff --git a/ui/keymaps.c b/ui/keymaps.c index 49410ae9d1..1b9ba3fa24 100644 --- a/ui/keymaps.c +++ b/ui/keymaps.c @@ -109,7 +109,7 @@ static kbd_layout_t *parse_keyboard_layout(const name2keysym_t *table, } if (!k) { - k = g_malloc0(sizeof(kbd_layout_t)); + k = g_new0(kbd_layout_t, 1); } for(;;) { diff --git a/ui/sdl.c b/ui/sdl.c index 3be29101ed..570cb99f08 100644 --- a/ui/sdl.c +++ b/ui/sdl.c @@ -985,7 +985,7 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame) sdl_grab_start(); } - dcl = g_malloc0(sizeof(DisplayChangeListener)); + dcl = g_new0(DisplayChangeListener, 1); dcl->ops = &dcl_ops; register_displaychangelistener(dcl); diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c index 22c9abce55..9512b87183 100644 --- a/ui/vnc-jobs.c +++ b/ui/vnc-jobs.c @@ -79,7 +79,7 @@ static void vnc_unlock_queue(VncJobQueue *queue) VncJob *vnc_job_new(VncState *vs) { - VncJob *job = g_malloc0(sizeof(VncJob)); + VncJob *job = g_new0(VncJob, 1); job->vs = vs; vnc_lock_queue(queue); @@ -90,7 +90,7 @@ VncJob *vnc_job_new(VncState *vs) int vnc_job_add_rect(VncJob *job, int x, int y, int w, int h) { - VncRectEntry *entry = g_malloc0(sizeof(VncRectEntry)); + VncRectEntry *entry = g_new0(VncRectEntry, 1); entry->rect.x = x; entry->rect.y = y; @@ -298,7 +298,7 @@ disconnected: static VncJobQueue *vnc_queue_init(void) { - VncJobQueue *queue = g_malloc0(sizeof(VncJobQueue)); + VncJobQueue *queue = g_new0(VncJobQueue, 1); qemu_cond_init(&queue->cond); qemu_mutex_init(&queue->mutex); diff --git a/ui/vnc.c b/ui/vnc.c index a47f2b382c..f20c08db4a 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2982,7 +2982,7 @@ static void vnc_refresh(DisplayChangeListener *dcl) static void vnc_connect(VncDisplay *vd, int csock, bool skipauth, bool websocket) { - VncState *vs = g_malloc0(sizeof(VncState)); + VncState *vs = g_new0(VncState, 1); int i; vs->csock = csock; @@ -3005,7 +3005,7 @@ static void vnc_connect(VncDisplay *vd, int csock, vs->lossy_rect = g_malloc0(VNC_STAT_ROWS * sizeof (*vs->lossy_rect)); for (i = 0; i < VNC_STAT_ROWS; ++i) { - vs->lossy_rect[i] = g_malloc0(VNC_STAT_COLS * sizeof (uint8_t)); + vs->lossy_rect[i] = g_new0(uint8_t, VNC_STAT_COLS); } VNC_DEBUG("New client on socket %d\n", csock); From 9de68637dff05a18d0eafcff2737e551b70bc490 Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Thu, 29 Oct 2015 16:55:21 +0100 Subject: [PATCH 14/24] qxl: Use g_new() & friends where that makes obvious sense g_new(T, n) is neater than g_malloc(sizeof(T) * n). It's also safer, for two reasons. One, it catches multiplication overflowing size_t. Two, it returns T * rather than void *, which lets the compiler catch more type errors. This commit only touches allocations with size arguments of the form sizeof(T). Same Coccinelle semantic patch as in commit b45c03f. Signed-off-by: Markus Armbruster Reviewed-by: Eric Blake Reviewed-by: Gerd Hoffmann Signed-off-by: Michael Tokarev --- hw/display/qxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 9c961dae93..8a3040cbbf 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -2156,7 +2156,7 @@ static int qxl_post_load(void *opaque, int version) qxl_create_guest_primary(d, 1, QXL_SYNC); /* replay surface-create and cursor-set commands */ - cmds = g_malloc0(sizeof(QXLCommandExt) * (d->ssd.num_surfaces + 1)); + cmds = g_new0(QXLCommandExt, d->ssd.num_surfaces + 1); for (in = 0, out = 0; in < d->ssd.num_surfaces; in++) { if (d->guest_surfaces.cmds[in] == 0) { continue; From 98f343395e937fa1db3a28dfb4f303f97cfddd6c Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Thu, 29 Oct 2015 16:55:22 +0100 Subject: [PATCH 15/24] usb: Use g_new() & friends where that makes obvious sense g_new(T, n) is neater than g_malloc(sizeof(T) * n). It's also safer, for two reasons. One, it catches multiplication overflowing size_t. Two, it returns T * rather than void *, which lets the compiler catch more type errors. This commit only touches allocations with size arguments of the form sizeof(T). Same Coccinelle semantic patch as in commit b45c03f. Signed-off-by: Markus Armbruster Reviewed-by: Eric Blake Reviewed-by: Gerd Hoffmann Signed-off-by: Michael Tokarev --- hw/usb/ccid-card-emulated.c | 4 ++-- hw/usb/dev-mtp.c | 3 +-- hw/usb/hcd-xhci.c | 2 +- hw/usb/redirect.c | 6 +++--- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/hw/usb/ccid-card-emulated.c b/hw/usb/ccid-card-emulated.c index 72329ed7d7..869a63c5b7 100644 --- a/hw/usb/ccid-card-emulated.c +++ b/hw/usb/ccid-card-emulated.c @@ -166,7 +166,7 @@ static void emulated_push_event(EmulatedState *card, EmulEvent *event) static void emulated_push_type(EmulatedState *card, uint32_t type) { - EmulEvent *event = (EmulEvent *)g_malloc(sizeof(EmulEvent)); + EmulEvent *event = g_new(EmulEvent, 1); assert(event); event->p.gen.type = type; @@ -175,7 +175,7 @@ static void emulated_push_type(EmulatedState *card, uint32_t type) static void emulated_push_error(EmulatedState *card, uint64_t code) { - EmulEvent *event = (EmulEvent *)g_malloc(sizeof(EmulEvent)); + EmulEvent *event = g_new(EmulEvent, 1); assert(event); event->p.error.type = EMUL_ERROR; diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 809b1cb118..a2762679eb 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -359,8 +359,7 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) } while ((entry = readdir(dir)) != NULL) { if ((o->nchildren % 32) == 0) { - o->children = g_realloc(o->children, - (o->nchildren + 32) * sizeof(MTPObject *)); + o->children = g_renew(MTPObject *, o->children, o->nchildren + 32); } o->children[o->nchildren] = usb_mtp_object_alloc(s, s->next_handle++, o, entry->d_name); diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 1c57e20e70..268ab36468 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -2188,7 +2188,7 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, xfer->trbs = NULL; } if (!xfer->trbs) { - xfer->trbs = g_malloc(sizeof(XHCITRB) * length); + xfer->trbs = g_new(XHCITRB, length); xfer->trb_alloced = length; } xfer->trb_count = length; diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 38086cd0f2..30ff742730 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -322,7 +322,7 @@ static void packet_id_queue_add(struct PacketIdQueue *q, uint64_t id) DPRINTF("adding packet id %"PRIu64" to %s queue\n", id, q->name); - e = g_malloc0(sizeof(struct PacketIdQueueEntry)); + e = g_new0(struct PacketIdQueueEntry, 1); e->id = id; QTAILQ_INSERT_TAIL(&q->head, e, next); q->size++; @@ -468,7 +468,7 @@ static void bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0; } - bufp = g_malloc(sizeof(struct buf_packet)); + bufp = g_new(struct buf_packet, 1); bufp->data = data; bufp->len = len; bufp->offset = 0; @@ -2234,7 +2234,7 @@ static int usbredir_get_bufpq(QEMUFile *f, void *priv, size_t unused) endp->bufpq_size = qemu_get_be32(f); for (i = 0; i < endp->bufpq_size; i++) { - bufp = g_malloc(sizeof(struct buf_packet)); + bufp = g_new(struct buf_packet, 1); bufp->len = qemu_get_be32(f); bufp->status = qemu_get_be32(f); bufp->offset = 0; From 9f503153c78a23bcd44409cea64442c4ecd82ea5 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 3 Nov 2015 11:34:31 +0000 Subject: [PATCH 16/24] configure: remove help string for 'vnc-tls' option The '--enable-vnc-tls' option to configure was removed in commit 3e305e4a4752f70c0b5c3cf5b43ec957881714f7 Author: Daniel P. Berrange Date: Thu Aug 6 14:39:32 2015 +0100 ui: convert VNC server to use QCryptoTLSSession This removes the corresponding help string. Signed-off-by: Daniel P. Berrange Signed-off-by: Michael Tokarev --- configure | 1 - 1 file changed, 1 deletion(-) diff --git a/configure b/configure index 60cbd84fff..b68776435c 100755 --- a/configure +++ b/configure @@ -1348,7 +1348,6 @@ disabled with --disable-FEATURE, default is enabled if available: vte vte support for the gtk UI curses curses UI vnc VNC UI support - vnc-tls TLS encryption for VNC server vnc-sasl SASL encryption for VNC server vnc-jpeg JPEG lossy compression for VNC server vnc-png PNG compression for VNC server From b30d80546421c6ea919096b596887f496c80af0a Mon Sep 17 00:00:00 2001 From: Cao jin Date: Tue, 3 Nov 2015 10:36:42 +0800 Subject: [PATCH 17/24] qom/object: fix 2 comment typos Also change the misleading definition of macro OBJECT_CLASS_CHECK Signed-off-by: Cao jin Signed-off-by: Michael Tokarev --- include/qom/object.h | 10 +++++----- qom/object.c | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/qom/object.h b/include/qom/object.h index be7280c862..0bb89d481e 100644 --- a/include/qom/object.h +++ b/include/qom/object.h @@ -510,16 +510,16 @@ struct TypeInfo /** * OBJECT_CLASS_CHECK: - * @class: The C type to use for the return value. - * @obj: A derivative of @type to cast. - * @name: the QOM typename of @class. + * @class_type: The C type to use for the return value. + * @class: A derivative class of @class_type to cast. + * @name: the QOM typename of @class_type. * * A type safe version of @object_class_dynamic_cast_assert. This macro is * typically wrapped by each type to perform type safe casts of a class to a * specific class type. */ -#define OBJECT_CLASS_CHECK(class, obj, name) \ - ((class *)object_class_dynamic_cast_assert(OBJECT_CLASS(obj), (name), \ +#define OBJECT_CLASS_CHECK(class_type, class, name) \ + ((class_type *)object_class_dynamic_cast_assert(OBJECT_CLASS(class), (name), \ __FILE__, __LINE__, __func__)) /** diff --git a/qom/object.c b/qom/object.c index 11cd86b931..fc6e161088 100644 --- a/qom/object.c +++ b/qom/object.c @@ -204,7 +204,7 @@ static bool type_is_ancestor(TypeImpl *type, TypeImpl *target_type) { assert(target_type); - /* Check if typename is a direct ancestor of type */ + /* Check if target_type is a direct ancestor of type */ while (type) { if (type == target_type) { return true; From 6268520d7df9b3f183bb4397218c9287441bc04f Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 2 Nov 2015 15:17:37 +0100 Subject: [PATCH 18/24] pci-assign: do not test path with access() before opening Using access() is a time-of-check/time-of-use race condition. It is okay to use them to provide better error messages, but that is pretty much it. In this case we can get the same error from fopen(), so just use strerror and errno there---which actually improves the error message most of the time. Signed-off-by: Paolo Bonzini Reviewed-by: Eric Blake Signed-off-by: Michael Tokarev --- hw/i386/pci-assign-load-rom.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c index 34a3a7ed7f..e40b586b92 100644 --- a/hw/i386/pci-assign-load-rom.c +++ b/hw/i386/pci-assign-load-rom.c @@ -45,14 +45,10 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner, return NULL; } - if (access(rom_file, F_OK)) { - error_report("pci-assign: Insufficient privileges for %s", rom_file); - return NULL; - } - /* Write "1" to the ROM file to enable it */ fp = fopen(rom_file, "r+"); if (fp == NULL) { + error_report("pci-assign: Cannot open %s: %s", rom_file, strerror(errno)); return NULL; } val = 1; From 258133bda9a6f22ba436ef9b63b7c086cc80190b Mon Sep 17 00:00:00 2001 From: Gonglei Date: Mon, 2 Nov 2015 09:13:48 +0800 Subject: [PATCH 19/24] ivshmem-server: fix possible OVERRUN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit >>> CID 1337991: Memory - illegal accesses (OVERRUN) >>> Decrementing "i". The value of "i" is now 65534. 218 while (i--) { 219 event_notifier_cleanup(&peer->vectors[i]); 220 } Signed-off-by: Gonglei Reviewed-by: Marc-André Lureau Signed-off-by: Michael Tokarev --- contrib/ivshmem-server/ivshmem-server.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/ivshmem-server/ivshmem-server.c b/contrib/ivshmem-server/ivshmem-server.c index 5e5239ce45..d9e26b0574 100644 --- a/contrib/ivshmem-server/ivshmem-server.c +++ b/contrib/ivshmem-server/ivshmem-server.c @@ -168,7 +168,9 @@ ivshmem_server_handle_new_conn(IvshmemServer *server) } if (i == G_MAXUINT16) { IVSHMEM_SERVER_DEBUG(server, "cannot allocate new client id\n"); - goto fail; + close(newfd); + g_free(peer); + return -1; } peer->id = server->cur_id++; From 74de807f794ac5201b2b3c38ddadeef84a676a97 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 19 Oct 2015 16:08:38 +0200 Subject: [PATCH 20/24] target-alpha: fix uninitialized variable I am not sure why the compiler does not catch it. There is no semantic change since gen_excp returns EXIT_NORETURN, but the old code is wrong. Reported by Coverity. Signed-off-by: Paolo Bonzini Signed-off-by: Michael Tokarev --- target-alpha/translate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-alpha/translate.c b/target-alpha/translate.c index 87950c63ec..9909c70b1b 100644 --- a/target-alpha/translate.c +++ b/target-alpha/translate.c @@ -2916,7 +2916,7 @@ void gen_intermediate_code(CPUAlphaState *env, struct TranslationBlock *tb) num_insns++; if (unlikely(cpu_breakpoint_test(cs, ctx.pc, BP_ANY))) { - gen_excp(&ctx, EXCP_DEBUG, 0); + ret = gen_excp(&ctx, EXCP_DEBUG, 0); /* The address covered by the breakpoint must be included in [tb->pc, tb->pc + tb->size) in order to for it to be properly cleared -- thus we increment the PC here so that From 68851b98e5bf6d397498b74f1776801274ab8d48 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 22 Oct 2015 13:51:30 +0200 Subject: [PATCH 21/24] exec: avoid unnecessary cacheline bounce on ram_list.mru_block Whenever the MRU cache hits for the list of RAM blocks, qemu_get_ram_block does an unnecessary write that causes a processor cache line to bounce from one core to another. This causes a performance hit. Reported-by: Emilio G. Cota Signed-off-by: Paolo Bonzini Signed-off-by: Michael Tokarev --- exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exec.c b/exec.c index ed88e72f14..a028961587 100644 --- a/exec.c +++ b/exec.c @@ -903,7 +903,7 @@ static RAMBlock *qemu_get_ram_block(ram_addr_t addr) block = atomic_rcu_read(&ram_list.mru_block); if (block && addr - block->offset < block->max_length) { - goto found; + return block; } QLIST_FOREACH_RCU(block, &ram_list.blocks, next) { if (addr - block->offset < block->max_length) { From 3ede8f699645f4ca7cdbc40d8139e5a0275b4805 Mon Sep 17 00:00:00 2001 From: Julio Guerra Date: Wed, 14 Oct 2015 19:43:19 +0200 Subject: [PATCH 22/24] taget-ppc: Fix read access to IBAT registers higher than IBAT3 Fix the index used to read the IBAT's vector which results in IBAT0..3 instead of IBAT4..N. The bug appeared by saving/restoring contexts including IBATs values. Signed-off-by: Julio Guerra Signed-off-by: Michael Tokarev --- target-ppc/translate_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c index 4934c80b8f..e88dc7fc7a 100644 --- a/target-ppc/translate_init.c +++ b/target-ppc/translate_init.c @@ -305,7 +305,7 @@ static void spr_read_ibat (DisasContext *ctx, int gprn, int sprn) static void spr_read_ibat_h (DisasContext *ctx, int gprn, int sprn) { - tcg_gen_ld_tl(cpu_gpr[gprn], cpu_env, offsetof(CPUPPCState, IBAT[sprn & 1][(sprn - SPR_IBAT4U) / 2])); + tcg_gen_ld_tl(cpu_gpr[gprn], cpu_env, offsetof(CPUPPCState, IBAT[sprn & 1][((sprn - SPR_IBAT4U) / 2) + 4])); } static void spr_write_ibatu (DisasContext *ctx, int sprn, int gprn) From a2f31f180499593b5edb8ac5ab8ac1b92f0abcd4 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 4 Nov 2015 14:48:47 +0100 Subject: [PATCH 23/24] qemu-sockets: do not test path with access() before unlinking Using access() is a time-of-check/time-of-use race condition. It is okay to use them to provide better error messages, but that is pretty much it. This is not one such case; on the other hand, access() *will* skip unlink() for a non-existent path, so ignore ENOENT return values from the unlink() system call. Signed-off-by: Paolo Bonzini Reviewed-by: Markus Armbruster Reviewed-by: Edgar E. Iglesias Signed-off-by: Michael Tokarev --- util/qemu-sockets.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c index dfe45875f8..5a31d164d9 100644 --- a/util/qemu-sockets.c +++ b/util/qemu-sockets.c @@ -751,8 +751,7 @@ int unix_listen_opts(QemuOpts *opts, Error **errp) qemu_opt_set(opts, "path", un.sun_path, &error_abort); } - if ((access(un.sun_path, F_OK) == 0) && - unlink(un.sun_path) < 0) { + if (unlink(un.sun_path) < 0 && errno != ENOENT) { error_setg_errno(errp, errno, "Failed to unlink socket %s", un.sun_path); goto err; From bd54a9f9435c85de190a82019faef16c5ecf8e46 Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Fri, 23 Oct 2015 11:53:55 -0400 Subject: [PATCH 24/24] tap-bsd: use user-specified tap device if it already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Acked-by: Roger Pau Monné Signed-off-by: Ed Maste Signed-off-by: Michael Tokarev --- net/tap-bsd.c | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/net/tap-bsd.c b/net/tap-bsd.c index 7028d9be95..0103a97bf6 100644 --- a/net/tap-bsd.c +++ b/net/tap-bsd.c @@ -109,8 +109,7 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, #define PATH_NET_TAP "/dev/tap" -int tap_open(char *ifname, int ifname_size, int *vnet_hdr, - int vnet_hdr_required, int mq_required, Error **errp) +static int tap_open_clone(char *ifname, int ifname_size, Error **errp) { int fd, s, ret; struct ifreq ifr; @@ -126,7 +125,8 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, ret = ioctl(fd, TAPGIFNAME, (void *)&ifr); if (ret < 0) { error_setg_errno(errp, errno, "could not get tap interface name"); - goto error; + close(fd); + return -1; } if (ifname[0] != '\0') { @@ -135,19 +135,47 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, if (s < 0) { error_setg_errno(errp, errno, "could not open socket to set interface name"); - goto error; + close(fd); + return -1; } ifr.ifr_data = ifname; ret = ioctl(s, SIOCSIFNAME, (void *)&ifr); close(s); if (ret < 0) { error_setg(errp, "could not set tap interface name"); - goto error; + close(fd); + return -1; } } else { pstrcpy(ifname, ifname_size, ifr.ifr_name); } + return fd; +} + +int tap_open(char *ifname, int ifname_size, int *vnet_hdr, + int vnet_hdr_required, int mq_required, Error **errp) +{ + int fd = -1; + + /* If the specified tap device already exists just use it. */ + if (ifname[0] != '\0') { + char dname[100]; + snprintf(dname, sizeof dname, "/dev/%s", ifname); + TFR(fd = open(dname, O_RDWR)); + if (fd < 0 && errno != ENOENT) { + error_setg_errno(errp, errno, "could not open %s", dname); + return -1; + } + } + + if (fd < 0) { + /* Tap device not specified or does not exist. */ + if ((fd = tap_open_clone(ifname, ifname_size, errp)) < 0) { + return -1; + } + } + if (*vnet_hdr) { /* BSD doesn't have IFF_VNET_HDR */ *vnet_hdr = 0;