1. 16 Jan, 2018 34 commits
    • block/iscsi: fix initialization of iTask in iscsi_co_get_block_status · 79f9c75e
      Peter Lieven committed
      in case of unaligned requests or on a target that does not support
      block provisioning we leave iTask uninitialized and check iTask.task
      for NULL later.
      
      Fixes: e38bc234
      Signed-off-by: Peter Lieven <pl@kamp.de>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Message-Id: <1515425247-21730-1-git-send-email-pl@kamp.de>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • find_ram_offset: Align ram_addr_t allocation on long boundaries · 801110ab
      Dr. David Alan Gilbert committed
      The dirty bitmaps are built from 'long's and there is fast-path code
      for synchronising the case where the RAMBlock is aligned to the start
      of a long boundary.  Align the allocation to this boundary
      to cause the fast path to be used.
      
      Offsets before change:
      11398@1515169675.018566:find_ram_offset size: 0x1e0000 @ 0x8000000
      11398@1515169675.020064:find_ram_offset size: 0x20000 @ 0x81e0000
      11398@1515169675.020244:find_ram_offset size: 0x20000 @ 0x8200000
      11398@1515169675.024343:find_ram_offset size: 0x1000000 @ 0x8220000
      11398@1515169675.025154:find_ram_offset size: 0x10000 @ 0x9220000
      11398@1515169675.027682:find_ram_offset size: 0x40000 @ 0x9230000
      11398@1515169675.032921:find_ram_offset size: 0x200000 @ 0x9270000
      11398@1515169675.033307:find_ram_offset size: 0x1000 @ 0x9470000
      11398@1515169675.033601:find_ram_offset size: 0x1000 @ 0x9471000
      
      after change:
      10923@1515169108.818245:find_ram_offset size: 0x1e0000 @ 0x8000000
      10923@1515169108.819410:find_ram_offset size: 0x20000 @ 0x8200000
      10923@1515169108.819587:find_ram_offset size: 0x20000 @ 0x8240000
      10923@1515169108.823708:find_ram_offset size: 0x1000000 @ 0x8280000
      10923@1515169108.824503:find_ram_offset size: 0x10000 @ 0x9280000
      10923@1515169108.827093:find_ram_offset size: 0x40000 @ 0x92c0000
      10923@1515169108.833045:find_ram_offset size: 0x200000 @ 0x9300000
      10923@1515169108.833504:find_ram_offset size: 0x1000 @ 0x9500000
      10923@1515169108.833787:find_ram_offset size: 0x1000 @ 0x9540000
      Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Message-Id: <20180105170138.23357-3-dgilbert@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • find_ram_offset: Add comments and tracing · 154cc9ea
      Dr. David Alan Gilbert committed
      Add some comments so I can understand the various nested loops.
      Add some tracing so I can see what they're doing.
      Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Message-Id: <20180105170138.23357-2-dgilbert@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • cpu_physical_memory_sync_dirty_bitmap: Another alignment fix · aa777e29
      Dr. David Alan Gilbert committed
      This code has an optimised, word aligned version, and a boring
      unaligned version. My commit f70d3451 fixed one alignment issue, but
      there's another.
      
      The optimised version operates on 'longs' dealing with (typically) 64
      pages at a time, replacing the whole long by a 0 and counting the bits.
      If the Ramblock is less than 64bits in length that long can contain bits
      representing two different RAMBlocks, but the code will update the
      bmap belonging to the 1st RAMBlock only while having updated the total
      dirty page count for both.
      
      This probably didn't matter prior to 6b6712ef which split the dirty
      bitmap by RAMBlock, but now they're separate RAMBlocks we end up
      with a count that doesn't match the state in the bitmaps.
      
      Symptom:
        Migration showing a few dirty pages left to be sent constantly
        Seen on aarch64 and x86 with x86+ovmf
      Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Reported-by: Wei Huang <wei@redhat.com>
      Fixes: 6b6712ef
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • checkpatch: Enforce proper do/while (0) style · f4bdc13e
      Eric Blake committed
      Use of a loop construct for code that is not intended to repeat
      does not make much idiomatic sense, except in one place: it is a
      common usage in macros in order to wrap arbitrary code with
      single-statement semantics.  But when used in a macro, it is more
      typical for the caller to supply the trailing ';' when calling
      the macro.
      
      Although qemu coding style frowns on bare:
        if (cond)
          statement1;
        else
          statement2;
      where extra semicolons actually cause syntax errors, we still
      want our macro styles to be easily copied to other projects.
      Thus, declare it an error if we encounter any form of 'while (0)'
      with a semicolon in the same line.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20171201232433.25193-8-eblake@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • maint: Fix macros with broken 'do/while(0); ' usage · 2562755e
      Eric Blake committed
      The point of writing a macro embedded in a 'do { ... } while (0)'
      loop (particularly if the macro has multiple statements or would
      otherwise end with an 'if' statement) is so that the macro can be
      used as a drop-in statement with the caller supplying the
      trailing ';'.  Although our coding style frowns on brace-less 'if':
        if (cond)
          statement;
        else
          something else;
      that is the classic case where failure to use do/while(0) wrapping
      would cause the 'else' to pair with any embedded 'if' in the macro
      rather than the intended outer 'if'.  But conversely, if the macro
      includes an embedded ';', then the same brace-less coding style
      would now have two statements, making the 'else' a syntax error
      rather than pairing with the outer 'if'.  Thus, even though our
      coding style with required braces is not impacted, ending a macro
      with ';' makes our code harder to port to projects that use
      brace-less styles.
      
      The change should have no semantic impact.  I was not able to
      fully compile-test all of the changes (as some of them are
      examples of the ugly bit-rotting debug print statements that are
      completely elided by default, and I didn't want to recompile
      with the necessary -D witnesses - cleaning those up is left as a
      bite-sized task for another day); I did, however, audit that for
      all files touched, all callers of the changed macros DID supply
      a trailing ';' at the callsite, and did not appear to be used
      as part of a brace-less conditional.
      
      Found mechanically via: $ git grep -B1 'while (0);' | grep -A1 \\\\
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Acked-by: Cornelia Huck <cohuck@redhat.com>
      Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
      Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Message-Id: <20171201232433.25193-7-eblake@redhat.com>
      Reviewed-by: Juan Quintela <quintela@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests: Avoid 'do/while(false); ' in vhost-user-bridge · 241187c1
      Eric Blake committed
      Use of a do/while(0) loop as a way to allow break statements in
      the middle of execute-once code is unusual.  More typical is
      the use of goto for early exits, with a label at the end of
      the execute-once code, rather than nesting code in a scope;
      however, the comment at the end of the existing code makes this
      alternative a bit unpractical.
      
      So, to avoid false positives from a future syntax check about
      'while (false);', and to keep the loop form (in case someone
      ever does add DONTWAIT support, where they can just as easily
      manipulate the initial loop condition or add an if around the
      final 'break'), I opted to use the form of a while(1) loop (the
      break as an early exit is more idiomatic there), coupled with
      a final break preserving the original comment.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20171201232433.25193-6-eblake@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • chardev: Clean up previous patch indentation · 539022dd
      Eric Blake committed
      The previous patch left in an extra scope layer for ease of
      review; time to remove it.  No semantic change.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20171201232433.25193-5-eblake@redhat.com>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • chardev: Use goto/label instead of do/break/while(0) · 19a4d43e
      Eric Blake committed
      Use of a do/while(0) control flow in order to permit an early break
      is an unusual paradigm, and triggers a false positive with a planned
      future syntax check against 'while (0);'.  Rewrite the code to use a
      goto instead.  This patch temporarily keeps an extra level of
      indentation to highlight the change; the next patch cleans it up.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20171201232433.25193-4-eblake@redhat.com>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • mips: Tweak location of ';' in macros · 94f5c480
      Eric Blake committed
      It is more typical to provide the ';' by the caller of a macro
      than to embed it in the macro itself; this is because syntax
      highlight engines can get confused if a macro is called without
      a semicolon before the closing '}'.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-Id: <20171201232433.25193-3-eblake@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • net: Drop unusual use of do { } while (0); · 1b4c0a04
      Eric Blake committed
      For a couple of macros in pcnet.c, we have to provide a new scope
      to avoid compiler warnings about declarations in the middle of a
      switch statement that aren't in a sub-scope.  But use of
      'do { ... } while (0);' merely to provide that new scope is arcane
      overkill, compared to just using '{ ... }'.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Thomas Huth <thuth@redhat.com>
      Message-Id: <20171201232433.25193-2-eblake@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • irq: fix memory leak · 01960e6d
      linzhecheng committed
      entry is moved from list but is not freed.
      Signed-off-by: linzhecheng <linzhecheng@huawei.com>
      
      Message-Id: <20171225024704.19540-1-linzhecheng@huawei.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • cpus: unify qemu_*_wait_io_event · db08b687
      Paolo Bonzini committed
      Except for round-robin TCG, every other accelerator is using more or
      less the same code around qemu_wait_io_event_common.  The exception
      is HAX, which also has to eat the dummy APC that is queued by
      qemu_cpu_kick_thread.
      
      We can add the SleepEx call to qemu_wait_io_event under "if
      (!tcg_enabled())", since that is the condition that is used in
      qemu_cpu_kick_thread, and unify the function for KVM, HAX, HVF and
      multi-threaded TCG.  Single-threaded TCG code can also be simplified
      since it is only used in the round-robin, sleep-if-all-CPUs-idle case.
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • icount: fixed saving/restoring of icount warp timers · b39e3f34
      Pavel Dovgalyuk committed
      This patch adds saving and restoring of the icount warp
      timers in the vmstate.
      It is needed because these timers affect the virtual clock value.
      Therefore determinism of the execution in icount record/replay mode
      depends on determinism of the timers.
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
      Acked-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
    • scripts/qemu-gdb/timers.py: new helper to dump timer state · c24999fa
      Alex Bennée committed
      This introduces the qemu-gdb command "qemu timers" which will dump the
      state of the main timers in the system.
      Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • scripts/qemu-gdb: add simple tcg lock status helper · f1cd52d8
      Alex Bennée committed
      Add a simple helper to dump lock state.
      Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • target-i386: update hflags on Hypervisor.framework · 809092f3
      Paolo Bonzini committed
      This ensures that x86_cpu_dump_state shows registers with the correct
      size.
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • target/i386: hax: Move x86_update_hflags. · df16af87
      Tao Wu committed
      x86_update_hflags references env->efer which is updated in hax_get_msrs,
      so it has to be called after hax_get_msrs. This fixes the bug that sometimes
      dump_state shows 32 bits regs even in 64 bits mode.
      Signed-off-by: Tao Wu <lepton@google.com>
      Message-Id: <20180110195056.85403-3-lepton@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • target/i386: hax: change to use x86_update_hflags · e527f86e
      Tao Wu committed
      Change to use x86_update_hflags instead of keeping another copy
      at hax side. This also fixes bugs like HF_CPL_MASK should be SS.DPL,
      not CS.DPL.
      Signed-off-by: Tao Wu <lepton@google.com>
      Message-Id: <20180110195056.85403-2-lepton@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • target/i386: move hflags update code to a function · 35b1b927
      Tao Wu committed
      We will share the same code for hax/kvm.
      Signed-off-by: Tao Wu <lepton@google.com>
      Message-Id: <20180110195056.85403-1-lepton@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests/boot-serial-test: Add support for the raspi2 machine · 52cb6817
      Thomas Huth committed
      The raspi2 machine supports loading firmware images, so we can easily
      load a small test sequence as raw binary blob here to test the UART.
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-Id: <1512031988-32490-8-git-send-email-thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests/boot-serial-test: Add a test for the moxiesim machine · 7244edf2
      Thomas Huth committed
      Now that moxiesim supports the -bios parameter, we can check this machine
      in the boot-serial tester, too, by supplying a mini bios that only writes
      'T' characters to the UART.
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-Id: <1512031988-32490-7-git-send-email-thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests/boot-serial-test: Add tests for microblaze boards · acf53766
      Thomas Huth committed
      This adds two simple TCG + UART tests for the microblaze boards,
      one in big endian mode, and one in little endian mode.
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-Id: <1512031988-32490-5-git-send-email-thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • scsi-disk: release AioContext in unaligned WRITE SAME case · 24355b79
      Stefan Hajnoczi committed
      scsi_write_same_complete() can retry the write if the request was
      unaligned.  Make sure to release the AioContext when that code path is
      taken!
      
      This patch fixes a hang when QEMU terminates after an unaligned WRITE
      SAME request has been processed with dataplane.  The hang occurs because
      iothread_stop_all() cannot acquire the AioContext lock that was leaked
      by the IOThread in scsi_write_same_complete().
      
      Fixes: b9e413dd ("block: explicitly acquire aiocontext in aio callbacks that need it").
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: qemu-stable@nongnu.org
      Reported-by: Cong Li <coli@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      Message-Id: <20180104142502.15175-1-stefanha@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • disas/s390: fix global-buffer-overflow · 02a2ad21
      Marc-André Lureau committed
      Spotted thanks to ASAN:
      
      ==25226==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556715a1f120 at pc 0x556714b6f6b1 bp 0x7ffcdfac1360 sp 0x7ffcdfac1350
      READ of size 1 at 0x556715a1f120 thread T0
          #0 0x556714b6f6b0 in init_disasm /home/elmarco/src/qemu/disas/s390.c:219
          #1 0x556714b6fa6a in print_insn_s390 /home/elmarco/src/qemu/disas/s390.c:294
          #2 0x55671484d031 in monitor_disas /home/elmarco/src/qemu/disas.c:635
          #3 0x556714862ec0 in memory_dump /home/elmarco/src/qemu/monitor.c:1324
          #4 0x55671486342a in hmp_memory_dump /home/elmarco/src/qemu/monitor.c:1418
          #5 0x5567148670be in handle_hmp_command /home/elmarco/src/qemu/monitor.c:3109
          #6 0x5567148674ed in qmp_human_monitor_command /home/elmarco/src/qemu/monitor.c:613
          #7 0x556714b00918 in qmp_marshal_human_monitor_command /home/elmarco/src/qemu/build/qmp-marshal.c:1704
          #8 0x556715138a3e in do_qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:104
          #9 0x556715138f83 in qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:131
          #10 0x55671485cf88 in handle_qmp_command /home/elmarco/src/qemu/monitor.c:3839
          #11 0x55671514e80b in json_message_process_token /home/elmarco/src/qemu/qobject/json-streamer.c:105
          #12 0x5567151bf2dc in json_lexer_feed_char /home/elmarco/src/qemu/qobject/json-lexer.c:323
          #13 0x5567151bf827 in json_lexer_feed /home/elmarco/src/qemu/qobject/json-lexer.c:373
          #14 0x55671514ee62 in json_message_parser_feed /home/elmarco/src/qemu/qobject/json-streamer.c:124
          #15 0x556714854b1f in monitor_qmp_read /home/elmarco/src/qemu/monitor.c:3881
          #16 0x556715045440 in qemu_chr_be_write_impl /home/elmarco/src/qemu/chardev/char.c:172
          #17 0x556715047184 in qemu_chr_be_write /home/elmarco/src/qemu/chardev/char.c:184
          #18 0x55671505a8e6 in tcp_chr_read /home/elmarco/src/qemu/chardev/char-socket.c:440
          #19 0x5567150943c3 in qio_channel_fd_source_dispatch /home/elmarco/src/qemu/io/channel-watch.c:84
          #20 0x7fb90292b90b in g_main_dispatch ../glib/gmain.c:3182
          #21 0x7fb90292c7ac in g_main_context_dispatch ../glib/gmain.c:3847
          #22 0x556715162eca in glib_pollfds_poll /home/elmarco/src/qemu/util/main-loop.c:214
          #23 0x556715163001 in os_host_main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:261
          #24 0x5567151631fa in main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:515
          #25 0x556714ad6d3b in main_loop /home/elmarco/src/qemu/vl.c:1950
          #26 0x556714ade329 in main /home/elmarco/src/qemu/vl.c:4865
          #27 0x7fb8fe5c9009 in __libc_start_main (/lib64/libc.so.6+0x21009)
          #28 0x5567147af4d9 in _start (/home/elmarco/src/qemu/build/s390x-softmmu/qemu-system-s390x+0xf674d9)
      
      0x556715a1f120 is located 32 bytes to the left of global variable 'char_hci_type_info' defined in '/home/elmarco/src/qemu/hw/bt/hci-csr.c:493:23' (0x556715a1f140) of size 104
      0x556715a1f120 is located 8 bytes to the right of global variable 's390_opcodes' defined in '/home/elmarco/src/qemu/disas/s390.c:860:33' (0x556715a15280) of size 40600
      
      This fix is based on Andreas Arnez <arnez@linux.vnet.ibm.com> upstream
      commit:
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=9ace48f3d7d80ce09c5df60cccb433470410b11b
      
      2014-08-19  Andreas Arnez  <arnez@linux.vnet.ibm.com>
      
             * s390-dis.c (init_disasm): Simplify initialization of
             opc_index[].  This also fixes an access after the last element
             of s390_opcodes[].
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Message-Id: <20180104160523.22995-19-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • mips: fix potential fopen(NULL,...) · b7438458
      Marc-André Lureau committed
      Spotted thanks to ASAN.
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Message-Id: <20180104160523.22995-18-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests: fix coroutine leak in /basic/entered · 6b2fef73
      Marc-André Lureau committed
      The coroutine is not finished by the time the test ends, resulting in
      ASAN warning:
      
      ==7005==ERROR: LeakSanitizer: detected memory leaks
      
      Direct leak of 312 byte(s) in 1 object(s) allocated from:
          #0 0x7fd35290fa38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38)
          #1 0x7fd3506c5f75 in g_malloc0 ../glib/gmem.c:124
          #2 0x55994af03e47 in qemu_coroutine_new /home/elmarco/src/qemu/util/coroutine-ucontext.c:144
          #3 0x55994aefed99 in qemu_coroutine_create /home/elmarco/src/qemu/util/qemu-coroutine.c:76
          #4 0x55994ac1eb50 in verify_entered_step_1 /home/elmarco/src/qemu/tests/test-coroutine.c:80
          #5 0x55994af03c75 in coroutine_trampoline /home/elmarco/src/qemu/util/coroutine-ucontext.c:119
          #6 0x7fd34ec02bef  (/lib64/libc.so.6+0x50bef)
      
      Do not yield() to let the coroutine terminate.
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Message-Id: <20180104160523.22995-17-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests: fix qmp-test leak · e313d5ce
      Marc-André Lureau committed
      Direct leak of 913 byte(s) in 43 object(s) allocated from:
          #0 0x55880a15df60 in __interceptor_malloc (/home/elmarco/src/qq/build/tests/qmp-test+0x110f60)
          #1 0x7f3f20fd098f in _IO_vasprintf (/lib64/libc.so.6+0x8098f)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Markus Armbruster <armbru@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-Id: <20180104160523.22995-15-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • qemu-config: fix leak in query-command-line-options · b11e20fb
      Marc-André Lureau committed
      Direct leak of 160 byte(s) in 4 object(s) allocated from:
          #0 0x55ed7678cda8 in calloc (/home/elmarco/src/qq/build/x86_64-softmmu/qemu-system-x86_64+0x797da8)
          #1 0x7f3f5e725f75 in g_malloc0 /home/elmarco/src/gnome/glib/builddir/../glib/gmem.c:124
          #2 0x55ed778aa3a7 in query_option_descs /home/elmarco/src/qq/util/qemu-config.c:60:16
          #3 0x55ed778aa307 in get_drive_infolist /home/elmarco/src/qq/util/qemu-config.c:140:19
          #4 0x55ed778a9f40 in qmp_query_command_line_options /home/elmarco/src/qq/util/qemu-config.c:254:36
          #5 0x55ed76d4868c in qmp_marshal_query_command_line_options /home/elmarco/src/qq/build/qmp-marshal.c:3078:14
          #6 0x55ed77855dd5 in do_qmp_dispatch /home/elmarco/src/qq/qapi/qmp-dispatch.c:104:5
          #7 0x55ed778558cc in qmp_dispatch /home/elmarco/src/qq/qapi/qmp-dispatch.c:131:11
          #8 0x55ed768b592f in handle_qmp_command /home/elmarco/src/qq/monitor.c:3840:11
          #9 0x55ed7786ccfe in json_message_process_token /home/elmarco/src/qq/qobject/json-streamer.c:105:5
          #10 0x55ed778fe37c in json_lexer_feed_char /home/elmarco/src/qq/qobject/json-lexer.c:323:13
          #11 0x55ed778fdde6 in json_lexer_feed /home/elmarco/src/qq/qobject/json-lexer.c:373:15
          #12 0x55ed7786cd83 in json_message_parser_feed /home/elmarco/src/qq/qobject/json-streamer.c:124:12
          #13 0x55ed768b559e in monitor_qmp_read /home/elmarco/src/qq/monitor.c:3882:5
          #14 0x55ed77714f29 in qemu_chr_be_write_impl /home/elmarco/src/qq/chardev/char.c:167:9
          #15 0x55ed77714fde in qemu_chr_be_write /home/elmarco/src/qq/chardev/char.c:179:9
          #16 0x55ed7772ffad in tcp_chr_read /home/elmarco/src/qq/chardev/char-socket.c:440:13
          #17 0x55ed7777113b in qio_channel_fd_source_dispatch /home/elmarco/src/qq/io/channel-watch.c:84:12
          #18 0x7f3f5e71d90b in g_main_dispatch /home/elmarco/src/gnome/glib/builddir/../glib/gmain.c:3182
          #19 0x7f3f5e71e7ac in g_main_context_dispatch /home/elmarco/src/gnome/glib/builddir/../glib/gmain.c:3847
          #20 0x55ed77886ffc in glib_pollfds_poll /home/elmarco/src/qq/util/main-loop.c:214:9
          #21 0x55ed778865fd in os_host_main_loop_wait /home/elmarco/src/qq/util/main-loop.c:261:5
          #22 0x55ed77886222 in main_loop_wait /home/elmarco/src/qq/util/main-loop.c:515:11
          #23 0x55ed76d2a4df in main_loop /home/elmarco/src/qq/vl.c:1995:9
          #24 0x55ed76d1cb4a in main /home/elmarco/src/qq/vl.c:4914:5
          #25 0x7f3f555f6039 in __libc_start_main (/lib64/libc.so.6+0x21039)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20180104160523.22995-14-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • crypto: fix stack-buffer-overflow error · 83e33300
      Marc-André Lureau committed
      ASAN complains about:
      
      ==8856==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd8a1fe168 at pc 0x561136cb4451 bp 0x7ffd8a1fe130 sp 0x7ffd8a1fd8e0
      READ of size 16 at 0x7ffd8a1fe168 thread T0
          #0 0x561136cb4450 in __asan_memcpy (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450)
          #1 0x561136d2a6a7 in qcrypto_ivgen_essiv_calculate /home/elmarco/src/qq/crypto/ivgen-essiv.c:83:5
          #2 0x561136d29af8 in qcrypto_ivgen_calculate /home/elmarco/src/qq/crypto/ivgen.c:72:12
          #3 0x561136d07c8e in test_ivgen /home/elmarco/src/qq/tests/test-crypto-ivgen.c:148:5
          #4 0x7f77772c3b04 in test_case_run /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2237
          #5 0x7f77772c3ec4 in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2321
          #6 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
          #7 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
          #8 0x7f77772c3f6d in g_test_run_suite_internal /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2333
          #9 0x7f77772c4184 in g_test_run_suite /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:2408
          #10 0x7f77772c2e0d in g_test_run /home/elmarco/src/gnome/glib/builddir/../glib/gtestutils.c:1674
          #11 0x561136d0799b in main /home/elmarco/src/qq/tests/test-crypto-ivgen.c:173:12
          #12 0x7f77756e6039 in __libc_start_main (/lib64/libc.so.6+0x21039)
          #13 0x561136c13d89 in _start (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x6fd89)
      
      Address 0x7ffd8a1fe168 is located in stack of thread T0 at offset 40 in frame
          #0 0x561136d2a40f in qcrypto_ivgen_essiv_calculate /home/elmarco/src/qq/crypto/ivgen-essiv.c:76
      
        This frame has 1 object(s):
          [32, 40) 'sector.addr' <== Memory access at offset 40 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/elmarco/src/qq/build/tests/test-crypto-ivgen+0x110450) in __asan_memcpy
      
      It looks like the rest of the code copes with ndata being larger than
      sizeof(sector), so limit the memcpy() range.
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
      Message-Id: <20180104160523.22995-13-marcandre.lureau@redhat.com>
      Tested-by: Thomas Huth <thuth@redhat.com>
      Reviewed-by: Thomas Huth <thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • tests: fix migration-test leak · 890241ab
      Marc-André Lureau committed
      Direct leak of 12 byte(s) in 2 object(s) allocated from:
          #0 0x7f50d403c850 in malloc (/lib64/libasan.so.4+0xde850)
          #1 0x7f50d1ddf98f in vasprintf (/lib64/libc.so.6+0x8098f)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-Id: <20180104160523.22995-12-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • readline: add a free function · e5dc1a6c
      Marc-André Lureau committed
      Fixes leaks such as:
      
      Direct leak of 2 byte(s) in 1 object(s) allocated from:
          #0 0x7eff58beb850 in malloc (/lib64/libasan.so.4+0xde850)
          #1 0x7eff57942f0c in g_malloc ../glib/gmem.c:94
          #2 0x7eff579431cf in g_malloc_n ../glib/gmem.c:331
          #3 0x7eff5795f6eb in g_strdup ../glib/gstrfuncs.c:363
          #4 0x55db720f1d46 in readline_hist_add /home/elmarco/src/qq/util/readline.c:258
          #5 0x55db720f2d34 in readline_handle_byte /home/elmarco/src/qq/util/readline.c:387
          #6 0x55db71539d00 in monitor_read /home/elmarco/src/qq/monitor.c:3896
          #7 0x55db71f9be35 in qemu_chr_be_write_impl /home/elmarco/src/qq/chardev/char.c:167
          #8 0x55db71f9bed3 in qemu_chr_be_write /home/elmarco/src/qq/chardev/char.c:179
          #9 0x55db71fa013c in fd_chr_read /home/elmarco/src/qq/chardev/char-fd.c:66
          #10 0x55db71fe18a8 in qio_channel_fd_source_dispatch /home/elmarco/src/qq/io/channel-watch.c:84
          #11 0x7eff5793a90b in g_main_dispatch ../glib/gmain.c:3182
          #12 0x7eff5793b7ac in g_main_context_dispatch ../glib/gmain.c:3847
          #13 0x55db720af3bd in glib_pollfds_poll /home/elmarco/src/qq/util/main-loop.c:214
          #14 0x55db720af505 in os_host_main_loop_wait /home/elmarco/src/qq/util/main-loop.c:261
          #15 0x55db720af6d6 in main_loop_wait /home/elmarco/src/qq/util/main-loop.c:515
          #16 0x55db7184e0de in main_loop /home/elmarco/src/qq/vl.c:1995
          #17 0x55db7185e956 in main /home/elmarco/src/qq/vl.c:4914
          #18 0x7eff4ea17039 in __libc_start_main (/lib64/libc.so.6+0x21039)
      
      (while at it, use g_new0(ReadLineState), it's a bit easier to read)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-Id: <20180104160523.22995-11-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      e5dc1a6c
    • M
      vl: fix direct firmware directories leak · 35471127
      Marc-André Lureau committed
      Note that data_dir[] will now point to allocated strings.
      
      Fixes:
      Direct leak of 16 byte(s) in 1 object(s) allocated from:
          #0 0x7f1448181850 in malloc (/lib64/libasan.so.4+0xde850)
          #1 0x7f1446ed8f0c in g_malloc ../glib/gmem.c:94
          #2 0x7f1446ed91cf in g_malloc_n ../glib/gmem.c:331
          #3 0x7f1446ef739a in g_strsplit ../glib/gstrfuncs.c:2364
          #4 0x55cf276439d7 in main /home/elmarco/src/qq/vl.c:4311
          #5 0x7f143dfad039 in __libc_start_main (/lib64/libc.so.6+0x21039)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20180104160523.22995-10-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      35471127
    • M
      tests: fix check-qobject leak · 87c258cd
      Marc-André Lureau committed
      /public/qobject_is_equal_conversion: OK
      
      =================================================================
      ==14396==ERROR: LeakSanitizer: detected memory leaks
      
      Direct leak of 56 byte(s) in 1 object(s) allocated from:
          #0 0x7f07682c5850 in malloc (/lib64/libasan.so.4+0xde850)
          #1 0x7f0767d12f0c in g_malloc ../glib/gmem.c:94
          #2 0x7f0767d131cf in g_malloc_n ../glib/gmem.c:331
          #3 0x562bd767371f in do_test_equality /home/elmarco/src/qq/tests/check-qobject.c:49
          #4 0x562bd7674a35 in qobject_is_equal_dict_test /home/elmarco/src/qq/tests/check-qobject.c:267
          #5 0x7f0767d37b04 in test_case_run ../glib/gtestutils.c:2237
          #6 0x7f0767d37ec4 in g_test_run_suite_internal ../glib/gtestutils.c:2321
          #7 0x7f0767d37f6d in g_test_run_suite_internal ../glib/gtestutils.c:2333
          #8 0x7f0767d38184 in g_test_run_suite ../glib/gtestutils.c:2408
          #9 0x7f0767d36e0d in g_test_run ../glib/gtestutils.c:1674
          #10 0x562bd7674e75 in main /home/elmarco/src/qq/tests/check-qobject.c:327
          #11 0x7f0766009039 in __libc_start_main (/lib64/libc.so.6+0x21039)
      Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Reviewed-by: Markus Armbruster <armbru@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-Id: <20180104160523.22995-9-marcandre.lureau@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      87c258cd
  2. 12 Jan, 2018 6 commits