-rw-r--r--.gitignore2
-rw-r--r--Makefile2
-rw-r--r--block/vpc.c18
-rw-r--r--device_tree.c2
-rw-r--r--gdbstub.c1
-rw-r--r--hw/acpi/ich9.c4
-rw-r--r--include/hw/timer/a9gtimer.h2
-rw-r--r--include/migration/vmstate.h3
-rw-r--r--include/qemu-common.h114
-rw-r--r--qapi-schema.json2
-rw-r--r--tests/Makefile4
-rwxr-xr-xtests/qemu-iotests/13554
-rw-r--r--tests/qemu-iotests/135.out5
-rw-r--r--tests/qemu-iotests/group1
-rw-r--r--tests/qemu-iotests/sample_images/afl5.img.bz2bin0 -> 175 bytes
15 files changed, 198 insertions, 16 deletions
diff --git a/.gitignore b/.gitignore
index aed0e1ff02..61bc49263a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,8 @@
/trace/generated-tcg-tracers.h
/trace/generated-ust-provider.h
/trace/generated-ust.c
+/ui/shader/texture-blit-frag.h
+/ui/shader/texture-blit-vert.h
/libcacard/trace/generated-tracers.c
*-timestamp
/*-softmmu
diff --git a/Makefile b/Makefile
index c9be643ae3..340d9c8faa 100644
--- a/Makefile
+++ b/Makefile
@@ -135,7 +135,7 @@ endif
else \
mv $@.tmp $@; \
cp -p $@ $@.old; \
- fi, " GEN $@");
+ fi, " GEN $@");
defconfig:
rm -f config-all-devices.mak $(SUBDIR_DEVICES_MAK)
diff --git a/block/vpc.c b/block/vpc.c
index 37572bab86..3e385d9fb9 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -168,6 +168,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
uint8_t buf[HEADER_SIZE];
uint32_t checksum;
uint64_t computed_size;
+ uint64_t pagetable_size;
int disk_type = VHD_DYNAMIC;
int ret;
@@ -269,7 +270,17 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);
+ if (s->max_table_entries > SIZE_MAX / 4 ||
+ s->max_table_entries > (int) INT_MAX / 4) {
+ error_setg(errp, "Max Table Entries too large (%" PRId32 ")",
+ s->max_table_entries);
+ ret = -EINVAL;
+ goto fail;
+ }
+
+ pagetable_size = (uint64_t) s->max_table_entries * 4;
+
+ s->pagetable = qemu_try_blockalign(bs->file, pagetable_size);
if (s->pagetable == NULL) {
ret = -ENOMEM;
goto fail;
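Review bot: The error message formats `s->max_table_entries` with `PRId32`, but the `SIZE_MAX / 4` comparison suggests the field is an unsigned 32-bit value read from the image header (its declaration is outside this hunk, so confirm). If it is, a header value above `INT32_MAX` would be reported as a negative number, and `"Max Table Entries too large (%" PRIu32 ")"` would be the matching specifier. The cast in `(int) INT_MAX / 4` is redundant, and the two bounds deserve a short comment such as `/* SIZE_MAX guards the allocation size; INT_MAX guards the byte count handed to bdrv_pread() */` if that is the intent. Even after this check an untrusted header can still request an allocation of up to about 2 GiB, so a tighter bound derived from the format's maximum disk size or the file length may be worth considering. `vpc_open` begins and ends outside the hunk.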
@@ -277,14 +288,13 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
- ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable,
- s->max_table_entries * 4);
+ ret = bdrv_pread(bs->file, s->bat_offset, s->pagetable, pagetable_size);
if (ret < 0) {
goto fail;
}
s->free_data_block_offset =
- (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
+ ROUND_UP(s->bat_offset + pagetable_size, 512);
for (i = 0; i < s->max_table_entries; i++) {
be32_to_cpus(&s->pagetable[i]);
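Review bot: `s->bat_offset` comes straight from `dyndisk_header->table_offset` in the image, and `ROUND_UP(s->bat_offset + pagetable_size, 512)` adds to it with no range check in the visible lines. With a crafted offset near the top of the 64-bit range, the sum or the round-up can wrap and leave `free_data_block_offset` pointing at a small, wrong value. The preceding `bdrv_pread()` probably rejects such an offset first, but that depends on behaviour not shown here. An explicit guard before the read, for example `if (s->bat_offset > INT64_MAX - pagetable_size - 511) { ret = -EINVAL; goto fail; }`, would make the bound local and obvious. The `for` loop body continues outside the hunk.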
diff --git a/device_tree.c b/device_tree.c
index d2de580947..a9f5f8e598 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -241,7 +241,7 @@ uint32_t qemu_fdt_alloc_phandle(void *fdt)
/*
* We need to find out if the user gave us special instruction at
- * which phandle id to start allocting phandles.
+ * which phandle id to start allocating phandles.
*/
if (!phandle) {
phandle = machine_phandle_start(current_machine);
diff --git a/gdbstub.c b/gdbstub.c
index 92b2f81584..ffe7e6efb2 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1285,6 +1285,7 @@ static void gdb_vm_state_change(void *opaque, int running, RunState state)
ret = GDB_SIGNAL_UNKNOWN;
break;
}
+ gdb_set_stop_cpu(cpu);
snprintf(buf, sizeof(buf), "T%02xthread:%02x;", ret, cpu_index(cpu));
send_packet:
diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index f04f6dc8c3..1c7fcfa9d7 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -221,9 +221,9 @@ static void pm_reset(void *opaque)
acpi_pm_tmr_reset(&pm->acpi_regs);
acpi_gpe_reset(&pm->acpi_regs);
+ pm->smi_en = 0;
if (!pm->smm_enabled) {
- /* Mark SMM as already inited to prevent SMM from running. KVM does not
- * support SMM mode. */
+ /* Mark SMM as already inited to prevent SMM from running. */
pm->smi_en |= ICH9_PMIO_SMI_EN_APMC_EN;
}
pm->smi_en_wmask = ~0;
diff --git a/include/hw/timer/a9gtimer.h b/include/hw/timer/a9gtimer.h
index b88c02a6ef..98d8e0ae53 100644
--- a/include/hw/timer/a9gtimer.h
+++ b/include/hw/timer/a9gtimer.h
@@ -37,7 +37,7 @@
#define R_CONTROL_TIMER_ENABLE (1 << 0)
#define R_CONTROL_COMP_ENABLE (1 << 1)
#define R_CONTROL_IRQ_ENABLE (1 << 2)
-#define R_CONTROL_AUTO_INCREMENT (1 << 2)
+#define R_CONTROL_AUTO_INCREMENT (1 << 3)
#define R_CONTROL_PRESCALER_SHIFT 8
#define R_CONTROL_PRESCALER_LEN 8
#define R_CONTROL_PRESCALER_MASK (((1 << R_CONTROL_PRESCALER_LEN) - 1) << \
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index f51ff693e9..2e5a97dec4 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -75,9 +75,6 @@ int register_savevm_live(DeviceState *dev,
void *opaque);
void unregister_savevm(DeviceState *dev, const char *idstr, void *opaque);
-void register_device_unmigratable(DeviceState *dev, const char *idstr,
- void *opaque);
-
typedef struct VMStateInfo VMStateInfo;
typedef struct VMStateDescription VMStateDescription;
diff --git a/include/qemu-common.h b/include/qemu-common.h
index 237d6547b3..fb3da6ca22 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -148,13 +148,125 @@ static inline bool is_help_option(const char *s)
return !strcmp(s, "?") || !strcmp(s, "help");
}
-/* cutils.c */
+/* util/cutils.c */
+/**
+ * pstrcpy:
+ * @buf: buffer to copy string into
+ * @buf_size: size of @buf in bytes
+ * @str: string to copy
+ *
+ * Copy @str into @buf, including the trailing NUL, but do not
+ * write more than @buf_size bytes. The resulting buffer is
+ * always NUL terminated (even if the source string was too long).
+ * If @buf_size is zero or negative then no bytes are copied.
+ *
+ * This function is similar to strncpy(), but avoids two of that
+ * function's problems:
+ * * if @str fits in the buffer, pstrcpy() does not zero-fill the
+ * remaining space at the end of @buf
+ * * if @str is too long, pstrcpy() will copy the first @buf_size-1
+ * bytes and then add a NUL
+ */
void pstrcpy(char *buf, int buf_size, const char *str);
+/**
+ * strpadcpy:
+ * @buf: buffer to copy string into
+ * @buf_size: size of @buf in bytes
+ * @str: string to copy
+ * @pad: character to pad the remainder of @buf with
+ *
+ * Copy @str into @buf (but *not* its trailing NUL!), and then pad the
+ * rest of the buffer with the @pad character. If @str is too large
+ * for the buffer then it is truncated, so that @buf contains the
+ * first @buf_size characters of @str, with no terminator.
+ */
void strpadcpy(char *buf, int buf_size, const char *str, char pad);
+/**
+ * pstrcat:
+ * @buf: buffer containing existing string
+ * @buf_size: size of @buf in bytes
+ * @s: string to concatenate to @buf
+ *
+ * Append a copy of @s to the string already in @buf, but do not
+ * allow the buffer to overflow. If the existing contents of @buf
+ * plus @str would total more than @buf_size bytes, then write
+ * as much of @str as will fit followed by a NUL terminator.
+ *
+ * @buf must already contain a NUL-terminated string, or the
+ * behaviour is undefined.
+ *
+ * Returns: @buf.
+ */
char *pstrcat(char *buf, int buf_size, const char *s);
+/**
+ * strstart:
+ * @str: string to test
+ * @val: prefix string to look for
+ * @ptr: NULL, or pointer to be written to indicate start of
+ * the remainder of the string
+ *
+ * Test whether @str starts with the prefix @val.
+ * If it does (including the degenerate case where @str and @val
+ * are equal) then return true. If @ptr is not NULL then a
+ * pointer to the first character following the prefix is written
+ * to it. If @val is not a prefix of @str then return false (and
+ * @ptr is not written to).
+ *
+ * Returns: true if @str starts with prefix @val, false otherwise.
+ */
int strstart(const char *str, const char *val, const char **ptr);
+/**
+ * stristart:
+ * @str: string to test
+ * @val: prefix string to look for
+ * @ptr: NULL, or pointer to be written to indicate start of
+ * the remainder of the string
+ *
+ * Test whether @str starts with the case-insensitive prefix @val.
+ * This function behaves identically to strstart(), except that the
+ * comparison is made after calling qemu_toupper() on each pair of
+ * characters.
+ *
+ * Returns: true if @str starts with case-insensitive prefix @val,
+ * false otherwise.
+ */
int stristart(const char *str, const char *val, const char **ptr);
+/**
+ * qemu_strnlen:
+ * @s: string
+ * @max_len: maximum number of bytes in @s to scan
+ *
+ * Return the length of the string @s, like strlen(), but do not
+ * examine more than @max_len bytes of the memory pointed to by @s.
+ * If no NUL terminator is found within @max_len bytes, then return
+ * @max_len instead.
+ *
+ * This function has the same behaviour as the POSIX strnlen()
+ * function.
+ *
+ * Returns: length of @s in bytes, or @max_len, whichever is smaller.
+ */
int qemu_strnlen(const char *s, int max_len);
+/**
+ * qemu_strsep:
+ * @input: pointer to string to parse
+ * @delim: string containing delimiter characters to search for
+ *
+ * Locate the first occurrence of any character in @delim within
+ * the string referenced by @input, and replace it with a NUL.
+ * The location of the next character after the delimiter character
+ * is stored into @input.
+ * If the end of the string was reached without finding a delimiter
+ * character, then NULL is stored into @input.
+ * If @input points to a NULL pointer on entry, return NULL.
+ * The return value is always the original value of *@input (and
+ * so now points to a NUL-terminated string corresponding to the
+ * part of the input up to the first delimiter).
+ *
+ * This function has the same behaviour as the BSD strsep() function.
+ *
+ * Returns: the pointer originally in @input.
+ */
char *qemu_strsep(char **input, const char *delim);
time_t mktimegm(struct tm *tm);
int qemu_fls(int i);
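Review bot: The new `pstrcat` comment refers to `@str` three times ("plus @str would total", "as much of @str as will fit"), but the parameter is declared and documented as `@s`, so those references should read `@s`. The `strstart` and `stristart` comments say the functions return true/false while the prototypes return `int`; wording such as `Returns: non-zero if @str starts with prefix @val, zero otherwise` would match the declared type. Because `strpadcpy` deliberately leaves `@buf` without a terminator, its comment would benefit from one more sentence: `The result must not be passed to functions that expect a NUL-terminated string.`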
diff --git a/qapi-schema.json b/qapi-schema.json
index a0a45f7d51..4342a08d30 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -15,7 +15,7 @@
{ 'include': 'qapi/trace.json' }
##
-# LostTickPolicy:
+# @LostTickPolicy:
#
# Policy for handling lost ticks in timer devices.
#
diff --git a/tests/Makefile b/tests/Makefile
index 8d26736f1f..749458224a 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -487,10 +487,10 @@ check-report-unit.xml: $(check-unit-y)
# Reports and overall runs
check-report.xml: $(patsubst %,check-report-qtest-%.xml, $(QTEST_TARGETS)) check-report-unit.xml
- $(call quiet-command,$(SRC_PATH)/scripts/gtester-cat $^ > $@, " GEN $@")
+ $(call quiet-command,$(SRC_PATH)/scripts/gtester-cat $^ > $@, " GEN $@")
check-report.html: check-report.xml
- $(call quiet-command,gtester-report $< > $@, " GEN $@")
+ $(call quiet-command,gtester-report $< > $@, " GEN $@")
# Other tests
diff --git a/tests/qemu-iotests/135 b/tests/qemu-iotests/135
new file mode 100755
index 0000000000..16bf736560
--- /dev/null
+++ b/tests/qemu-iotests/135
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Test VPC open of image with large Max Table Entries value.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=jcody@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+
+_cleanup()
+{
+ _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt vpc
+_supported_proto generic
+_supported_os Linux
+
+_use_sample_img afl5.img.bz2
+
+echo
+echo "=== Verify image open and failure ===="
+$QEMU_IMG info "$TEST_IMG" 2>&1| _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
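Review bot: `tmp=/tmp/$$` names a predictable path in a world-writable directory and is not used anywhere in the visible lines of this test. If `common.rc` does not need it either, drop the assignment; if a scratch file is needed later, it should come from `mktemp`. The final `rm -f $seq.full` expands `$seq` unquoted; `rm -f "$seq.full"` is safer if the script is ever invoked via a path containing whitespace. The header string `"=== Verify image open and failure ===="` has three `=` on one side and four on the other, and `135.out` now pins that typo.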
diff --git a/tests/qemu-iotests/135.out b/tests/qemu-iotests/135.out
new file mode 100644
index 0000000000..793898b930
--- /dev/null
+++ b/tests/qemu-iotests/135.out
@@ -0,0 +1,5 @@
+QA output created by 135
+
+=== Verify image open and failure ====
+qemu-img: Could not open 'TEST_DIR/afl5.img': Max Table Entries too large (1073741825)
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 6206765aac..c430b6c234 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -133,3 +133,4 @@
131 rw auto quick
132 rw auto quick
134 rw auto quick
+135 rw auto
diff --git a/tests/qemu-iotests/sample_images/afl5.img.bz2 b/tests/qemu-iotests/sample_images/afl5.img.bz2
new file mode 100644
index 0000000000..1614348865
--- /dev/null
+++ b/tests/qemu-iotests/sample_images/afl5.img.bz2
Binary files differ