- 22 8月, 2012 7 次提交
-
-
由 Avi Kivity 提交于
The scsi passthrough handler falls through after completing a request into the failure path, resulting in a use after free. Reproducible by running a guest with aio=native on a block device. Reported-by: NStefan Priebe <s.priebe@profihost.ag> Signed-off-by: NAvi Kivity <avi@redhat.com> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 730a9c53) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Anthony Liguori 提交于
From Markus: Before: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty qemu-system-x86_64: Initialization of device ide-hd failed [Exit 1 ] After: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty Segmentation fault (core dumped) [Exit 139 (SIGSEGV)] This error always existed as qdev_init() frees the object. But QOM goes a bit further and purposefully sets the class pointer to NULL to help find use-after-free. It worked :-) Cc: Andreas Faerber <afaerber@suse.de> Reported-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 7de3abe5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jan Kiszka 提交于
We need at least 1M of RAM to map the option ROM. Otherwise, we will corrupt host memory or even crash: $ qemu-system-x86_64 -nodefaults --enable-kvm -vnc :0 -m 640k Segmentation fault (core dumped) Reported-and-tested-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com> (cherry picked from commit a9605e03) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christian Borntraeger 提交于
Invalid sccb addresses will cause specification or addressing exception. Lets add those checks. Furthermore, the good case (cc=0) was incorrect for KVM, we did not set the CC at all. We now use return codes < 0 as program checks and return codes > 0 as condition code values. Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: NAlexander Graf <agraf@suse.de> (cherry picked from commit 9abf567d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 David Gibson 提交于
Currently for powerpc, kvm_arch_handle_exit() always returns 1, meaning that its caller - kvm_cpu_exec() - will always exit immediately afterwards to the loop in qemu_kvm_cpu_thread_fn(). There's no need to do this. Once we've handled the hypercall there's no reason we can't go straight around and KVM_RUN again, which is what ret = 0 will signal. The only exception might be for hypercalls which affect the state of cpu_can_run(), however the only one that might do this is H_CEDE and for kvm that is always handled in the kernel, not qemu. Furtherm setting ret = 0 means that when exit_requested is set from a hypercall, we will enter KVM_RUN once more with a signal which lets the the kernel do its internal logic to complete the hypercall with out actually executing any more guest code. This is important if our hypercall also triggered a reset, which previously would re-initialize everything without completing the hypercall. This caused the kernel to get confused because it thought the guest was still in the middle of a hypercall when it has actually been reset. This patch therefore changes to ret = 0, which is both a bugfix and a small optimization. Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> Signed-off-by: NAlexander Graf <agraf@suse.de> (cherry picked from commit 78e8fde2) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
Both MacOS and Solaris have special case handling for the CPU type, because the check_define probes will return i386 even if the hardware is 64 bit and x86_64 would be preferable. Move these checks earlier in the configure probing so that we can do them only if the user didn't specify a CPU with --cpu. This fixes a bug where the user's command line argument was being ignored. Reviewed-by: NAndreas F=E4rber <afaerber@suse.de> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> (cherry picked from commit bbea4050) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Anthony Liguori 提交于
From Markus: Makes "make check" hang: QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 gtester -k --verbose -m=quick tests/crash-test tests/rtc-test TEST: tests/crash-test... (pid=972) qemu-system-x86_64: Device needs media, but drive is empty [Nothing happens, wait a while, then hit ^C] make: *** [check-qtest-x86_64] Interrupt This was due to the fact that we weren't checked for errors when reading from the QMP socket. This patch adds appropriate error checking. Reported-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 039380a8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
- 13 7月, 2012 1 次提交
-
-
由 Michael Roth 提交于
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
- 11 7月, 2012 2 次提交
-
-
由 Michael Roth 提交于
-
由 Alexander Graf 提交于
Some of the virtio devices have the same frontend name, but actually implement different devices behind the scenes through aliases. The indicator which device type to use is the architecture. On s390, we want s390 virtio devices. On everything else, we want PCI devices. Reflect this in the alias selection code. This way we fix commands like -device virtio-blk on s390x which with this patch applied select the correct virtio-blk-s390 device rather than virtio-blk-pci. Reported-by: NChristian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
- 29 6月, 2012 1 次提交
-
-
由 Jason Wang 提交于
Commit ff71f2e8 prevent the possible crash during initialization of linux driver by checking the operating mode.This seems too strict as: - the real card could still work in mode other than normal - some buggy driver who does not set correct opmode after eeprom access So, considering rx ring address were reset to zero (which could be safely trated as an address not intened to DMA to), in order to both letting old guest work and preventing the unexpected DMA to guest, we can forbid packet receiving when rx ring address is zero. Tested-by: NAvi Kivity <avi@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com> (cherry picked from commit fcce6fd2) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
- 25 6月, 2012 29 次提交
-
-
由 Daniel Verkamp 提交于
As in the SATA and AHCI specifications, a FIS is 5 Dwords of 4 bytes each, which comes to 20 bytes (decimal), not 0x20. Signed-off-by: NDaniel Verkamp <daniel@drv.nu> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 4bb9c939) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Hajnoczi 提交于
The qemu-img.1 man page is missing the qed format from its list of supported formats. Document the image creation options for qed. Suggested-by: NMichael Tokarev <mjt@tls.msk.ru> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit f085800e) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Weil 提交于
The local variables ret, i are only used if __linux__ is defined. Signed-off-by: NStefan Weil <sw@weilnetz.de> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 47ce9ef7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 MORITA Kazutaka 提交于
bdrv_save_vmstate and bdrv_load_vmstate should return the vmstate size on success, and -errno on error. Signed-off-by: NMORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 6f3c714e) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jan Beulich 提交于
Legacy (non-pvops) gntdev drivers may require this to be done when the number of grants intended to be used simultaneously exceeds a certain driver specific default limit. Signed-off-by: NJan Beulich <jbeulich@suse.com> Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit 64c27e5b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Bruce Rogers 提交于
File is targeted for install, but is never installed. Signed-off-by: NBruce Rogers <brogers@suse.com> Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com> (cherry picked from commit 0cd23fcc) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Pavel Hrdina 提交于
The Windows uses 'READ' command at the start of an instalation without checking the 'dir' register. We have to abort the transfer with an abnormal termination if there is no media in the drive. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit c52acf60) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Hajnoczi 提交于
The autoclear feature bits can be used for qcow2 file format features that are safe to "drop" by old programs that do not understand the feature. Upon opening the image file unknown autoclear feature bits are cleared and the image file header is rewritten, but this was happening too early in the code when critical header fields were not yet loaded. Process autoclear feature bits after all necessary header information has been loaded. Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit af7b708d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Pavel Dovgaluk 提交于
Prevent disk data loss when closing qemu console window under Windows 7. v3. Comment for Sleep() parameter was updated. Signed-off-by: Pavel Dovgalyuk<pavel.dovgaluk@gmail.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit b75a0282) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Zhi Yong Wu 提交于
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com> Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 87267753) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jason Baron 提交于
Currently, we do not properly cleanup, if pci_bridge_dev_initfn fails to initialize properly. Make sure to call pci_bridge_exitfn() in the error path. Signed-off-by: NJason Baron <jbaron@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 80aa796b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jason Baron 提交于
While looking into hot-plugging bridges, I can create a qemu segfault via: $ device_add pci-bridge Bridge chassis not specified. Each bridge is required to be assigned a unique chassis id > 0. ** ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0) I'm proposing to fix this by adding a call to 'object_unparent()', before the call to qdev_free(). I see there is already a precedent for this usage pattern as seen in qdev_simple_unplug_cb(): /* can be used as ->unplug() callback for the simple cases */ int qdev_simple_unplug_cb(DeviceState *dev) { /* just zap it */ object_unparent(OBJECT(dev)); qdev_free(dev); return 0; } Signed-off-by: NJason Baron <jbaron@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 266ca11a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jan Kiszka 提交于
Call msi_reset on device reset as still required by the core. CC: Gerd Hoffmann <kraxel@redhat.com> CC: qemu-stable@nongnu.org Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 8e729e3b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jan Kiszka 提交于
Call msi_reset on device reset as still required by the core. CC: Alexander Graf <agraf@suse.de> CC: qemu-stable@nongnu.org Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 868a1a52) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
Some drivers (Linux' 8139too among them) rely on the NIC injecting an interrupt in the event of a receive buffer overflow and, accordingly, set the RxOverflow bit in the interrupt mask. Unfortunately rtl8139's can_receive method ignores the RxOverflow flag, which may lead to a situation where rtl8139 stops receiving packets (can_receive returns 0) when the receive buffer becomes full. If the driver eventually read from the receive buffer or reset the card the emulator could recover from this situation. However some implementations only do this upon receiving an interrupt with either RxOK or RxOverflow set in the ISR; interrupt that will never come because QEMU's flow control mechanisms would prevent rtl8139 from receiving any packet. Letting packets go through when the overflow interrupt is enabled makes the QEMU emulator compliant to the spec and solves the problem. This patch should fix a relatively common (in our experience) network stall observed when running enterprise distros with rtl8139 as the NIC; in some cases the 8139too device driver gets loaded and when under heavy load the network eventually stops working. Reported-by: NHayato Kakuta <kakuta.hayato@oss.ntt.co.jp> Tested-by: NHayato Kakuta <kakuta.hayato@oss.ntt.co.jp> Acked-by: NIgor Kovalenko <igor.v.kovalenko@gmail.com> Signed-off-by: NFernando Luis Vazquez Cao <fernando@oss.ntt.co.jp> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit fee9d348) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Weil 提交于
Some versions declare open_by_handle_at, but don't define AT_EMPTY_PATH. Extend the check in configure to test both preconditions. Signed-off-by: NStefan Weil <sw@weilnetz.de> Acked-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: NSerge Hallyn <serge.hallyn@ubuntu.com> (cherry picked from commit acc55ba8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Weil 提交于
Each string which is shown during readline completion in the QEMU monitor is allocated dynamically but currently never deallocated. Add the missing loop which calls g_free for the allocated strings. Signed-off-by: NStefan Weil <sw@weilnetz.de> Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> (cherry picked from commit fc9fa4bd) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Kevin Wolf 提交于
Some gcc versions seem not to be able to figure out that the switch statement covers all possible values and that c is therefore always initialised. Add a default branch for them. Reported-by: Nmalc <av1474@comtv.ru> Signed-off-by: NKevin Wolf <kwolf@redhat.com> Signed-off-by: Nmalc <av1474@comtv.ru> (cherry picked from commit 1417d7e4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jan Kiszka 提交于
Due to a offset between the clock used to generate the in-kernel count_load_time (CLOCK_MONOTONIC) and the clock used for processing this in userspace (vm_clock), reading back the output of PIT channel 2 via port 0x61 was broken. One use cases that suffered from it was the CPU frequency calibration of SeaBIOS, which also affected IDE/AHCI timeouts. This fixes it by calibrating the offset between both clocks on kvm_pit_get and adjusting the kernel value before saving it in the userspace state. As the calibration only works while the vm_clock is running, we cache the in-kernel state across stopped phases. Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NAvi Kivity <avi@redhat.com> (cherry picked from commit 0cdd3d14) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Jim Meyering 提交于
kvm_put_apic_state's attempt to clear *kapic before setting its bits cleared sizeof(void*) bytes (no more than 8) rather than the intended 1024 (KVM_APIC_REG_SIZE) bytes. Spotted by coverity. Signed-off-by: NJim Meyering <meyering@redhat.com> Signed-off-by: NAvi Kivity <avi@redhat.com> (cherry picked from commit 0614cb82) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Harsh Prateek Bora 提交于
Signed-off-by: NHarsh Prateek Bora <harsh@linux.vnet.ibm.com> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> (cherry picked from commit 263ddcc8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Harsh Prateek Bora 提交于
Signed-off-by: NHarsh Prateek Bora <harsh@linux.vnet.ibm.com> Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com> (cherry picked from commit 0d665005) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
Taken conditional branches fail to update CCOUNT register because accumulated ccount_delta is reset during translation of non-taken branch. To fix it only update CCOUNT once per conditional branch instruction translation. This fixes guest linux freeze on LTP waitpid06 test. Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit d865f307) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
tb_invalidate_phys_addr has to be called with the exact physical address of the breakpoint we add/remove, not just the page's base address. Otherwise we easily fail to flush the right TB. This breakage was introduced by the commit f3705d53 "memory: make phys_page_find() return an unadjusted". This appeared to work for some guest architectures because their cpu_get_phys_page_debug implementation returns full translated physical address, not just the base of the TARGET_PAGE_SIZE-sized page. Reported-by: NTeLeMan <geleman@gmail.com> Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit 9d70c4b7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit c305e32f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
Hardware pagetable walking may not be nested. Stop guessing and pass explicit flag to the get_physical_addr_mmu function that controls page table lookup. Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit 57705a67) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
This is to avoid interference of internal QEMU helpers (cpu_get_phys_page_debug, tb_invalidate_virtual_addr) with guest-visible TLB state. Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit ae4e7982) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit 16bde77a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Filippov 提交于
According to ISA, 4.4.2.6, EXCVADDR may be changed by any TLB miss, even if the miss is handled entirely by processor hardware. Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com> Signed-off-by: NBlue Swirl <blauwirbel@gmail.com> (cherry picked from commit 39e7d37f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-