- 03 11月, 2016 28 次提交
-
-
由 Daniel P. Berrange 提交于
If the qio_channel_tls_new_(server|client) methods fail, we disconnect the client. Unfortunately a missing return means we then go on to try and run the TLS handshake on a NULL I/O channel. This gives predictably segfaulty results. The main way to trigger this is to request a bogus TLS priority string for the TLS credentials. e.g. -object tls-creds-x509,id=tls0,priority=wibble,... Most other ways appear impossible to trigger except perhaps if OOM conditions cause gnutls initialization to fail. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 660a2d83) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Emilio G. Cota 提交于
The old map's bucket locks are being unlocked *after* that same old map has been passed to RCU for destruction. This is a bug that can cause a segfault, since there's no guarantee that the deletion will be deferred (e.g. there may be no concurrent readers). The segfault is easily triggered in RHEL6/CentOS6 with qht-test, particularly on a single-core system or by pinning qht-test to a single core. Fix it by unlocking the map's bucket locks right after having published the new map, and (crucially) before marking the map for deletion via call_rcu(). While at it, expand qht_do_resize() to atomically do (1) a reset, (2) a resize, or (3) a reset+resize. This simplifies the calling code, since the new function (qht_do_resize_reset()) acquires and releases the buckets' locks. Note that no qht_do_reset inline is provided, since it would have no users--qht_reset() already performs a reset without taking ht->lock. Reported-by: NPeter Maydell <peter.maydell@linaro.org> Reported-by: NDaniel P. Berrange <berrange@redhat.com> Signed-off-by: NEmilio G. Cota <cota@braap.org> Message-Id: <1475706880-10667-3-git-send-email-cota@braap.org> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 76b553b3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Emilio G. Cota 提交于
Sometimes gcc doesn't pick up the fact that 'new' is properly set if 'resize == true', which may generate an unnecessary build warning. Fix it by removing 'resize' and directly checking that 'new' is non-NULL. Signed-off-by: NEmilio G. Cota <cota@braap.org> Message-Id: <1475706880-10667-2-git-send-email-cota@braap.org> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit f555a9d0) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Eric Blake 提交于
Commit 69ef1f36 accidentally broke migrate_set_parameter's ability to set the cpu-throttle-increment to anything other than the default, because it forgot to parse the user's string into an integer. CC: qemu-stable@nongnu.org Signed-off-by: NEric Blake <eblake@redhat.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: NJuan Quintela <quintela@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit bb2b777c) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 John Snow 提交于
We can teach Xen to drain and flush each device as it needs to, instead of trying to flush ALL devices. This removes the last user of blk_flush_all. The function is therefore removed under the premise that any new uses of blk_flush_all would be the wrong paradigm: either flush the single device that requires flushing, or use an appropriate flush_all mechanism from outside of the BlkBackend layer. Signed-off-by: NJohn Snow <jsnow@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Acked-by: NFam Zheng <famz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 49137bf6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 John Snow 提交于
Reimplement bdrv_flush_all for vm_stop. In contrast to blk_flush_all, bdrv_flush_all does not have device model restrictions. This allows us to flush and halt unconditionally without error. This allows us to do things like migrate when we have a device with an open tray, but has a node that may need to be flushed, or nodes that aren't currently attached to any device and need to be flushed. Specifically, this allows us to migrate when we have a CDROM with an open tray. Signed-off-by: NJohn Snow <jsnow@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Acked-by: NFam Zheng <famz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 22af08ea) Conflicts: cpus.c * drop context dependancy on 6d0ceb80Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 John Snow 提交于
Commit fe1a9cbc moved the flush_all routine from the bdrv layer to the block-backend layer. In doing so, however, the semantics of the routine changed slightly such that flush_all now used blk_flush instead of bdrv_flush. blk_flush can fail if the attached device model reports that it is not "available," (i.e. the tray is open.) This changed the semantics of flush_all such that it can now fail for e.g. open CDROM drives. Reintroduce bdrv_flush_all to regain the old semantics without having to alter the behavior of blk_flush or blk_flush_all, which are already 'doing the right thing.' Signed-off-by: NJohn Snow <jsnow@redhat.com> Reviewed-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Acked-by: NFam Zheng <famz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 4085f5c7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Eric Blake 提交于
When qemu uses iscsi devices in sg mode, iscsilun->block_size is left at 0. Prior to commits cf081fca and similar, when block limits were tracked in sectors, this did not matter: various block limits were just left at 0. But when we started scaling by block size, this caused SIGFPE. Then, in a later patch, commit a5b8dd2c added an assertion to bdrv_open_common() that request_alignment is always non-zero; which was not true for SG mode. Rather than relax that assertion, we can just provide a sane value (we don't know of any SG device with a block size smaller than qemu's default sizing of 512 bytes). One possible solution for SG mode is to just blindly skip ALL of iscsi_refresh_limits(), since we already short circuit so many other things in sg mode. But this patch takes a slightly more conservative approach, and merely guarantees that scaling will succeed, while still using multiples of the original size where possible. Resulting limits may still be zero in SG mode (that is, we mostly only fix block_size used as a denominator or which affect assertions, not all uses). Reported-by: NHolger Schranz <holger@fam-schranz.de> Signed-off-by: NEric Blake <eblake@redhat.com> CC: qemu-stable@nongnu.org Message-Id: <1473283640-15756-1-git-send-email-eblake@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 95eaa785) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Daniel P. Berrange 提交于
Broken in previous commit: commit aaa4d20b Author: Kevin Wolf <kwolf@redhat.com> Date: Wed Jun 1 15:21:05 2016 +0200 qcow2: Make copy_sectors() byte based The copy_sectors() code was originally using the 'sector' parameter for encryption, which was passed in by the caller from the QCowL2Meta.offset field (aka the guest logical offset). After the change, the code is using 'cluster_offset' which was passed in from QCow2L2Meta.alloc_offset field (aka the host physical offset). This would cause the data to be encrypted using an incorrect initialization vector which will in turn cause later reads to return garbage. Although current qcow2 built-in encryption is blocked from usage in the emulator, one could still hit this if writing to the file via qemu-{img,io,nbd} commands. Cc: qemu-stable@nongnu.org Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit bb9f8dd0) Conflicts: tests/qemu-iotests/group * drop context dependancy on non-2.7 iotest groups Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 David Gibson 提交于
d1f6af6a "kvm-irqchip: simplify kvm_irqchip_add_msi_route" was a cleanup of kvmchip routing configuration, that was mostly intended for x86. However, it also contains a subtle change in behaviour which breaks EEH[1] error recovery on certain VFIO passthrough devices on spapr guests. So far it's only been seen on a BCM5719 NIC on a POWER8 server, but there may be other hardware with the same problem. It's also possible there could be circumstances where it causes a bug on x86 as well, though I don't know of any obvious candidates. Prior to d1f6af6a, both vfio_msix_vector_do_use() and vfio_add_kvm_msi_virq() used msg == NULL as a special flag to mark this as the "dummy" vector used to make the host hardware state sync with the guest expected hardware state in terms of MSI configuration. Specifically that flag caused vfio_add_kvm_msi_virq() to become a no-op, meaning the dummy irq would always be delivered via qemu. d1f6af6a changed vfio_add_kvm_msi_virq() so it takes a vector number instead of the msg parameter, and determines the correct message itself. The test for !msg was removed, and not replaced with anything there or in the caller. With an spapr guest which has a VFIO device, if an EEH error occurs on the host hardware, then the device will be isolated then reset. This is a combination of host and guest action, mediated by some EEH related hypercalls. I haven't fully traced the mechanics, but somehow installing the kvm irqchip route for the dummy irq on the BCM5719 means that after EEH reset and recovery, at least some irqs are no longer delivered to the guest. In particular, the guest never gets the link up event, and so the NIC is effectively dead. [1] EEH (Enhanced Error Handling) is an IBM POWER server specific PCI-* error reporting and recovery mechanism. The concept is somewhat similar to PCI-E AER, but the details are different. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1373802 Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Peter Xu <peterx@redhat.com> Cc: Gavin Shan <gwshan@au1.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> Cc: qemu-stable@nongnu.org Fixes: d1f6af6a ("kvm-irqchip: simplify kvm_irqchip_add_msi_route") Signed-off-by: NAlex Williamson <alex.williamson@redhat.com> (cherry picked from commit 6d17a018) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Cornelia Huck 提交于
The cssid 255 is reserved but still valid from an architectural point of view. However, feeding a bogus schid of 0xffffffff into the virtio hypercall will lead to a crash: Stack trace of thread 138363: #0 0x00000000100d168c css_find_subch (qemu-system-s390x) #1 0x00000000100d3290 virtio_ccw_hcall_notify #2 0x00000000100cbf60 s390_virtio_hypercall #3 0x000000001010ff7a handle_hypercall #4 0x0000000010079ed4 kvm_cpu_exec (qemu-system-s390x) #5 0x00000000100609b4 qemu_kvm_cpu_thread_fn #6 0x000003ff8b887bb4 start_thread (libpthread.so.0) #7 0x000003ff8b78df0a thread_start (libc.so.6) This is because the css array was only allocated for 0..254 instead of 0..255. Let's fix this by bumping MAX_CSSID to 255 and fencing off the reserved cssid of 255 during css image allocation. Reported-by: NChristian Borntraeger <borntraeger@de.ibm.com> Tested-by: NChristian Borntraeger <borntraeger@de.ibm.com> Cc: qemu-stable@nongnu.org Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 882b3b97) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 John Snow 提交于
Similar to existing fixes for IDE (87ac25fd) and ATAPI (7f951b2d), the AIOCB must be cleared in the callback. Otherwise, we may accidentally try to reset a dangling pointer in bdrv_aio_cancel() from a port reset. Signed-off-by: NJohn Snow <jsnow@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 1474575040-32079-2-git-send-email-jsnow@redhat.com Signed-off-by: NJohn Snow <jsnow@redhat.com> (cherry picked from commit df403bc5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Fam Zheng 提交于
With an ejected block backend, blk_get_aio_context() would return qemu_aio_context. In this case don't assert. Signed-off-by: NFam Zheng <famz@redhat.com> Message-Id: <1473848224-24809-3-git-send-email-famz@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 2a2d69f4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Fam Zheng 提交于
Even if tray is not open, it can be empty (blk_is_inserted() == false). Handle both cases correctly by replacing the s->tray_open checks with blk_is_available(), which is an AND of the two. Also simplify successive checks of them into blk_is_available(), in a couple cases. Signed-off-by: NFam Zheng <famz@redhat.com> Message-Id: <1473848224-24809-2-git-send-email-famz@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit cd723b85) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Fam Zheng 提交于
Right after main_loop ends, we release various things but keep iothread alive. The latter is not prepared to the sudden change of resources. Specifically, after bdrv_close_all(), virtio-scsi dataplane get a surprise at the empty BlockBackend: (gdb) bt at /usr/src/debug/qemu-2.6.0/hw/scsi/virtio-scsi.c:543 at /usr/src/debug/qemu-2.6.0/hw/scsi/virtio-scsi.c:577 It is because the d->conf.blk->root is set to NULL, then blk_get_aio_context() returns qemu_aio_context, whereas s->ctx is still pointing to the iothread: hw/scsi/virtio-scsi.c:543: if (s->dataplane_started) { assert(blk_get_aio_context(d->conf.blk) == s->ctx); } To fix this, let's stop iothreads before doing bdrv_close_all(). Cc: qemu-stable@nongnu.org Signed-off-by: NFam Zheng <famz@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-id: 1473326931-9699-1-git-send-email-famz@redhat.com Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit dce8921b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Daniel P. Berrange 提交于
The XTS cipher mode needs to be used with a cipher which has a block size of 16 bytes. If a mis-matching block size is used, the code will either corrupt memory beyond the IV array, or not fully encrypt/decrypt the IV. This fixes a memory corruption crash when attempting to use cast5-128 with xts, since the former has an 8 byte block size. A test case is added to ensure the cipher creation fails with such an invalid combination. Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit a5d2f44d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Paolo Bonzini 提交于
These issues cause respectively a QEMU crash and a leak of 2 bytes of stack. They were discovered by VictorV of 360 Marvel Team. Reported-by: NTom Victor <i-tangtianwen@360.cm> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 65a8e1f6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Prasad J Pandit 提交于
When LSI SAS1068 Host Bus emulator builds configuration page headers, mptsas_config_pack() should assert that the size fits in a byte. However, the size is expressed in 32-bit units, so up to 1020 bytes fit. The assertion was only allowing replies up to 252 bytes, so fix it. Suggested-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit cf2bce20) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Prasad J Pandit 提交于
Vmware Paravirtual SCSI emulation uses command descriptors to process SCSI commands. These descriptors come with their ring buffers. A guest could set the page count for these rings to an arbitrary value, leading to infinite loop or OOB access. Add check to avoid it. Reported-by: NTom Victor <vv474172261@gmail.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 7f61f469) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Rony Weng 提交于
Openstack Cinder assigns volume a 36 characters uuid as serial. QEMU will shrinks the uuid to 20 characters, which does not match the original uuid. Note that there is no limit to the length of the serial number in the SCSI spec. 20 was copy-pasted from virtio-blk which in turn was copy-pasted from ATA; 36 is even more arbitrary. However, bumping it up too much might cause issues (e.g. 252 seems to make sense because then the maximum amount of returned data is 256; but who knows there's no off-by-one somewhere for such a nicely rounded number). Signed-off-by: NRony Weng <ronyweng@synology.com> Message-Id: <1472457138-23386-1-git-send-email-ronyweng@synology.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 48b62063) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Lin Ma 提交于
Function qemu_chr_alloc returns NULL if it failed to open logfile by any reason, says no write permission. For backends tty, stdio and msmouse, They need to check this return value to avoid segfault in this case. Signed-off-by: NLin Ma <lma@suse.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-Id: <20160914062250.22226-1-lma@suse.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 71200fb9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Prasad J Pandit 提交于
Vmware Paravirtual SCSI emulator while processing IO requests could run into an infinite loop if 'pvscsi_ring_pop_req_descr' always returned positive value. Limit IO loop to the ring size. Cc: qemu-stable@nongnu.org Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit d251157a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Li Qiang 提交于
When processing IO request in mptsas, it uses g_new to allocate a 'req' object. If an error occurs before 'req->sreq' is allocated, It could lead to an OOB write in mptsas_free_request function. Use g_new0 to avoid it. Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 670e56d3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
If the call to fid_to_qid() returns an error, we will call v9fs_path_free() on uninitialized paths. It is a regression introduced by the following commit: 56f101ec 9pfs: handle walk of ".." in the root directory Let's fix this by initializing dpath and path before calling fid_to_qid(). Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NCédric Le Goater <clg@kaod.org> [groug: updated the changelog to indicate this is regression and to provide the offending commit SHA1] Signed-off-by: NGreg Kurz <groug@kaod.org> (cherry picked from commit 13fd08e6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Gonglei 提交于
The backtrace is: 0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0 0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680 vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915 0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575 0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111 0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774 cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793 cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915 cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056 0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525 0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>, mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591 0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362, size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262 0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377", attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544 address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601 0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703 0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965 0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078 0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308 0x00007f0b70d3d66d in clone () from /lib64/libc.so.6 The code path while meeting segfault: vnc_dpy_copy vnc_update_client vnc_disconnect_finish [while vnc_disconnect_start() is invoked because somethins wrong] vnc_update_server_surface vd->server = NULL; vnc_server_fb_stride pixman_image_get_stride(vd->server) Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault. Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Daniel P. Berrange <berrange@redhat.com> Reported-by: NYanying Zhuang <ann.zhuangyanying@huawei.com> Signed-off-by: NGonglei <arei.gonglei@huawei.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 3e10c3ec) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Ladi Prosek 提交于
The one pending element is being freed but not discarded on device reset, which causes svq->inuse to creep up, eventually hitting the "Virtqueue size exceeded" error. Properly discarding the element on device reset makes sure that its buffers are unmapped and the inuse counter stays balanced. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Roman Kagan <rkagan@virtuozzo.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: NLadi Prosek <lprosek@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 104e70ca) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Hajnoczi 提交于
vq->inuse must be zeroed upon device reset like most other virtqueue fields. In theory, virtio_reset() just needs assert(vq->inuse == 0) since devices must clean up in-flight requests during reset (requests cannot not be leaked!). In practice, it is difficult to achieve vq->inuse == 0 across reset because balloon, blk, 9p, etc implement various different strategies for cleaning up requests. Most devices call g_free(elem) directly without telling virtio.c that the VirtQueueElement is cleaned up. Therefore vq->inuse is not decremented during reset. This patch zeroes vq->inuse and trusts that devices are not leaking VirtQueueElements across reset. I will send a follow-up series that refactors request life-cycle across all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but this more invasive approach is not appropriate for stable trees. Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Cc: qemu-stable <qemu-stable@nongnu.org> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NLadi Prosek <lprosek@redhat.com> (cherry picked from commit 4b7f91ed) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Roth 提交于
qemu-2.7 (stable): ppc patch queue 2016-10-13 TCG for ppc does not properly implement hardware transactional memory. It has a stub implementation in which transactions always fail. Unfortunately in v2.7.0, HTM is advertised as being available to guests, which means guests may incorrectly attempt to use it and hang. This has been the case for a while, but has become more urgent with recent (guest) Linux kernel versions which attempt to lazily enable TM. Under TCG that now triggers the problem regularly, instead of just when running a TM aware userspace program. The problem is already fixed in the 2.8/master branch, by correctly advertising HTM as not being available with TCG. This series backports the relevant patches to the qemu-2.7 stable branch to fix the problem there. * tag 'ppc-for-2.7-20161013': ppc: Check the availability of transactional memory hw/ppc/spapr: Fix the selection of the processor features hw/ppc/spapr: Move code related to "ibm,pa-features" to a separate function linux-headers: update
-
- 13 10月, 2016 4 次提交
-
-
由 Thomas Huth 提交于
KVM-PR currently does not support transactional memory, and the implementation in TCG is just a fake. We should not announce TM support in the ibm,pa-features property when running on such a system, so disable it by default and only enable it if the KVM implementation supports it (i.e. recent versions of KVM-HV). These changes are based on some earlier work from Anton Blanchard (thanks!). Signed-off-by: NThomas Huth <thuth@redhat.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit bac3bf28)
-
由 Thomas Huth 提交于
The current code uses pa_features_206 for POWERPC_MMU_2_06, and for everything else, it uses pa_features_207. This is bad in some cases because there is also a "degraded" MMU version of ISA 2.06, called POWERPC_MMU_2_06a, which should of course use the flags for 2.06 instead. And there is also the possibility that the user runs the pseries machine with a POWER5+ or even 970 processor. In that case we certainly do not want to set the flags for 2.07, and rather simply skip the setting of the pa-features property instead. Signed-off-by: NThomas Huth <thuth@redhat.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 4cbec30d)
-
由 Thomas Huth 提交于
The function spapr_populate_cpu_dt() has become quite big already, and since we likely have to extend the pa-features property for every new processor generation, it is nicer if we put the related code into a separate function. Signed-off-by: NThomas Huth <thuth@redhat.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 230bf719)
-
由 Cornelia Huck 提交于
Update headers against 4.8-rc2. Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>
-
- 02 9月, 2016 1 次提交
-
-
由 Peter Maydell 提交于
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 31 8月, 2016 5 次提交
-
-
由 Peter Maydell 提交于
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Greg Kurz 提交于
The 9P spec at http://man.cat-v.org/plan_9/5/intro says: All directories must support walks to the directory .. (dot-dot) meaning parent directory, although by convention directories contain no explicit entry for .. or . (dot). The parent of the root directory of a server's tree is itself. This means that a client cannot walk further than the root directory exported by the server. In other words, if the client wants to walk "/.." or "/foo/../..", the server should answer like the request was to walk "/". This patch just does that: - we cache the QID of the root directory at attach time - during the walk we compare the QID of each path component with the root QID to detect if we're in a "/.." situation - if so, we skip the current component and go to the next one Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Greg Kurz 提交于
According to the 9P spec http://man.cat-v.org/plan_9/5/open about the create request: The names . and .. are special; it is illegal to create files with these names. This patch causes the create and lcreate requests to fail with EINVAL if the file name is either "." or "..". Even if it isn't explicitly written in the spec, this patch extends the checking to all requests that may cause a directory entry to be created: - mknod - rename - renameat - mkdir - link - symlink The unlinkat request also gets patched for consistency (even if rmdir("foo/..") is expected to fail according to POSIX.1-2001). The various error values come from the linux manual pages. Suggested-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Greg Kurz 提交于
Empty path components don't make sense for most commands and may cause undefined behavior, depending on the backend. Also, the walk request described in the 9P spec [1] clearly shows that the client is supposed to send individual path components: the official linux client never sends portions of path containing the / character for example. Moreover, the 9P spec [2] also states that a system can decide to restrict the set of supported characters used in path components, with an explicit mention "to remove slashes from name components". This patch introduces a new name_is_illegal() helper that checks the names sent by the client are not empty and don't contain unwanted chars. Since 9pfs is only supported on linux hosts, only the / character is checked at the moment. When support for other hosts (AKA. win32) is added, other chars may need to be blacklisted as well. If a client sends an illegal path component, the request will fail and ENOENT is returned to the client. [1] http://man.cat-v.org/plan_9/5/walk [2] http://man.cat-v.org/plan_9/5/introSuggested-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
* pc-bios/optionrom/Makefile fix for -O0 * revert socket_connect change # gpg: Signature made Tue 30 Aug 2016 15:36:59 BST # gpg: using RSA key 0xBFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: optionrom: cope with multiple -O options Revert "Change net/socket.c to use socket_*() functions" Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 30 8月, 2016 2 次提交
-
-
由 Paolo Bonzini 提交于
Reproducer: CFLAGS="-g3 -O0" ./configure --target-list=aarch64-softmmu,arm-softmmu --enable-vhost-net --enable-virtfs Here CFLAGS ends up with "-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 ... -g3 -O0" and pc-bios/optionrom/Makefile forgets to add the -O2 it needs. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Since commit 7e844959, the socket connect code is blocking, because calling socket_connect() without callback is blocking. This reverts the commit. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-