- 06 Aug 2016, 26 commits
-
-
Committed by Michael S. Tsirkin
This reverts commit 1f8828ef.

Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6c666823)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Michael S. Tsirkin
virtio migrates the low 32 feature bits twice; the first copy is there for compatibility, but ever since 019a3edb ("virtio: make features 64bit wide") it's ignored on load. This is wrong since virtio_net_load tests self announcement and guest offloads before the second copy, including high feature bits, is loaded. This means that self announcement, control vq and guest offloads are all broken after migration.

Fix it up by loading low feature bits: somewhat ugly since high and low bits become out of sync temporarily, but seems unavoidable for compatibility. The right thing to do for new features is probably to test the host features, anyway.

Fixes: 019a3edb ("virtio: make features 64bit wide")
Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 62cee1a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Artyom Tarasenko
Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
(cherry picked from commit b64d2e57)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake
s->blocksize may be larger than 512, in which case our tweaks to max_xfer_len and opt_xfer_len must be scaled appropriately.

CC: qemu-stable@nongnu.org
Reported-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit efaf4781)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Fam Zheng
The rationale is similar to the above mode sense response interception: this is practically the only channel to communicate restraints from elsewhere such as the host and the block driver. The SCSI bus we attach onto can have a larger max xfer len than what is accepted by the host file system (guarding between the host SCSI LUN and QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1464243305-10661-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 063143d5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake
The NBD layer was breaking up requests at a limit of 2040 sectors (just under 1M) to cater to old qemu-nbd. But the server limit was raised to 32M in commit 2d821488 to match the kernel, more than three years ago; and the upstream NBD Protocol is proposing documentation that without any explicit communication to state otherwise, a client should be able to safely assume that a 32M transaction will work. It is time to rely on the larger sizing, and any downstream distro that cares about maximum interoperability to older qemu-nbd servers can just tweak the value of #define NBD_MAX_SECTORS.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 476b923c)
Conflicts:
	include/block/nbd.h
* removed context dependency on 943cec86
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Alex Williamson
Commit 2d82f8a3 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and consistent functions") converted VFIOPCIDevice.vga to be dynamically allocated, negating the need for VFIOPCIDevice.has_vga. Unfortunately not all of the has_vga users were converted, nor was the field removed from the structure. Correct these oversights.

Reported-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Tested-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Fixes: 2d82f8a3 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and consistent functions")
Fixes: https://bugs.launchpad.net/qemu/+bug/1591628
Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
(cherry picked from commit 4d3fc4fd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Lin Ma
In function pci_assign_dev_load_option_rom, for those PCI devices that don't have a 'rom' file under sysfs, or if loading the ROM from an external file, the function returns NULL and won't set the passed 'size' variable. In these two cases QEMU still reports an "Invalid ROM" error message, and users may be confused by it.

Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be968c72)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake
If a QAPI struct has a mandatory alternate member which is not present on input, the input visitor reports an error for the missing alternate without setting the discriminator, but the cleanup code for the struct still tries to use the dealloc visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL when an error occurs, where it was previously left untouched. Thus, before the patch, the dealloc visitor is blindly trying to clean up whatever branch corresponds to (*obj)->type == 0 (that is, QTYPE_NONE, because *obj still pointed to zeroed memory), which selects the default branch of the switch and sets an error, but this second error is ignored by the way the dealloc visitor is used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically check for !*obj after visit_start_struct() (see gen_visit_object()); doing the same for alternates fixes the crash. Enhance the testsuite to give coverage for both missing struct and missing alternate members.

Also add an abort - we expect visit_start_alternate() to either set an error or to set (*obj)->type to a valid QType that corresponds to actual user input, and QTYPE_NONE should never be reachable from valid input. Had the abort() been in place earlier, we might have noticed the dealloc visitor dereferencing bogus zeroed memory prior to when commit dbf11922 forced our hand by setting *obj to NULL and causing a fault.

Test case:
{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat struct, which has a mandatory 'file':'BlockdevRef' in QAPI. Since 'file' is missing as a sibling of 'driver', this should report a graceful error rather than fault. After this patch, we are back to:
{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:
|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v, | if (err) { | goto out; | } |+ if (!*obj) { |+ goto out_obj; |+ } | switch ((*obj)->type) { | case QTYPE_QDICT: | visit_start_struct(v, name, NULL, 0, &err); |@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v, | case QTYPE_QSTRING: | visit_type_str(v, name, &(*obj)->u.reference, &err); | break; |+ case QTYPE_NONE: |+ abort(); | default: | error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null", | "BlockdevRef"); | } |+out_obj: | visit_end_alternate(v);

Reported by Kashyap Chamarthy <kchamart@redhat.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1466012271-5204-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Kashyap Chamarthy <kchamart@redhat.com>
[Commit message tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 9b4e38fe)
Conflicts:
	tests/test-qmp-input-visitor.c
* removed contextual/functional dependencies on 68ab47e4
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
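Review bot: in the second hunk, the new `out_obj:` label sits directly before `visit_end_alternate(v);`, so the `if (!*obj) { goto out_obj; }` path added in the first hunk still calls visit_end_alternate() after visit_start_alternate() returned with *obj == NULL; the message says this mirrors the !*obj check after visit_start_struct() in gen_visit_object(), but a one-line comment at the label stating that visit_end_alternate() must remain safe to call on that early-exit path would save the next reader from re-deriving it. The new `case QTYPE_NONE: abort();` also deserves a short comment that QTYPE_NONE is unreachable from valid input, since the adjacent `default:` branch reports an error with error_setg() instead of aborting and the two look inconsistent without the reasoning given in the commit message.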
-
Committed by Max Reitz
We refuse to open images whose L1 table we deem "too big". Consequently, we should not produce such images ourselves.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20160615153630.2116-3-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
[mreitz: Added QEMU_BUILD_BUG_ON()]
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 84c26520)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
(cherry picked from commit 91ab6883)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Peter Lieven
commit fefe2a78 accidentally dropped the code path for injecting raw packets. This feature is needed for sending gratuitous ARPs after an incoming migration has completed. The result is increased network downtime for vservers where the network card is not virtio-net with the VIRTIO_NET_F_GUEST_ANNOUNCE feature.

Fixes: fefe2a78
Cc: qemu-stable@nongnu.org
Cc: hongyang.yang@easystack.cn
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ca1ee3d6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Daniel P. Berrange
If VNC is chosen as the compile time default display backend, QEMU will print the host/port it listens on at startup. Previously this would look like

VNC server running on '::1:5900'

but in 04d2529d the ':' was accidentally replaced with a ';'. This puts the ':' back.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1465382576-25552-1-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 83cf07b0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Daniel P. Berrange
The QTask struct is just a standalone struct, not a QOM Object, so calling object_ref() on it is not appropriate. This results in mangling the 'destroy' field in the QTask struct, causing the later call to qtask_free() to try to call the function at address 0x1, with predictably segfault happy results. There is in fact no need for ref counting with QTask, as the call to qtask_abort() or qtask_complete() will automatically free associated memory.

This fixes the crash shown in https://bugs.launchpad.net/qemu/+bug/1589923

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit bc35d510)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gerd Hoffmann
vmsvga_fifo_run is called in regular intervals (on each display update) and will resume where it left off. So we can simply exit the loop, without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
(cherry picked from commit 4e68a0ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gerd Hoffmann
The fifo is normal RAM, so KVM vCPU threads and the QEMU iothread can access the fifo in parallel without synchronization. Which in turn implies we can't use the fifo pointers in-place because the guest can try changing them underneath us. So add shadows for them, to make sure the guest can't modify them after we've applied sanity checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
(cherry picked from commit 7e486f75)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gerd Hoffmann
Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
(cherry picked from commit c2e3c54d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gerd Hoffmann
Sanity checks are applied when the fifo is enabled by the guest (SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest changes the fifo registers afterwards. Move the checks to vmsvga_fifo_length so they are done each time QEMU is about to read from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
(cherry picked from commit 52136026)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
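The three CVE-2016-4454 commits above (range-check the FIFO pointers, re-check them on every read, and keep device-private shadow copies so the guest cannot change them after the check) describe one pattern: a device must never re-read a guest-controlled value from shared memory after validating it. The following is an added example written for this page, not QEMU's vmsvga code; the header layout (four header words MIN/MAX/NEXT_CMD/STOP holding byte offsets), the 256-byte FIFO and all function names are assumptions chosen to illustrate the shadow-copy fix, and the "guest" is simulated by plain array writes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Word offsets of the FIFO header at the start of the guest-shared region.
 * Illustrative names modelled on the SVGA FIFO layout, not the device
 * model's own definitions. Each word holds a byte offset into the region. */
enum { FIFO_MIN = 0, FIFO_MAX = 1, FIFO_NEXT_CMD = 2, FIFO_STOP = 3 };
#define FIFO_HDR_BYTES (4u * sizeof(uint32_t))

/* Device-private copies of the four pointers, filled exactly once per pass. */
struct fifo_shadow {
    uint32_t min, max, next_cmd, stop;
};

/*
 * Snapshot the guest-written pointers, validate the copies, and return the
 * number of bytes the device may consume, or -1 if the values are inconsistent.
 * The vulnerable shape is "if (fifo[FIFO_STOP] < fifo[FIFO_MAX]) use(fifo[FIFO_STOP])":
 * two loads of the same guest word, and another vCPU can rewrite it between
 * them. Here every later access goes through *sh, never the live words.
 */
static long fifo_snapshot(const volatile uint32_t *fifo, uint32_t fifo_bytes,
                          struct fifo_shadow *sh)
{
    sh->min      = fifo[FIFO_MIN];
    sh->max      = fifo[FIFO_MAX];
    sh->next_cmd = fifo[FIFO_NEXT_CMD];
    sh->stop     = fifo[FIFO_STOP];

    /* Data area must start after the header and fit inside the region. */
    if (sh->min < FIFO_HDR_BYTES || sh->min > fifo_bytes) return -1;
    if (sh->max <= sh->min || sh->max > fifo_bytes) return -1;
    /* All four are dword offsets. */
    if ((sh->min | sh->max | sh->next_cmd | sh->stop) & 3u) return -1;
    /* Producer and consumer cursors must lie inside [min, max). */
    if (sh->next_cmd < sh->min || sh->next_cmd >= sh->max) return -1;
    if (sh->stop < sh->min || sh->stop >= sh->max) return -1;

    uint32_t size = sh->max - sh->min;
    return sh->next_cmd >= sh->stop ? (long)(sh->next_cmd - sh->stop)
                                    : (long)(size - (sh->stop - sh->next_cmd));
}

/* Pop one dword using only the validated shadow, then publish the new STOP.
 * Whatever the guest wrote to fifo[FIFO_STOP] in the meantime is ignored. */
static bool fifo_read_word(volatile uint32_t *fifo, struct fifo_shadow *sh,
                           uint32_t *out)
{
    if (sh->next_cmd == sh->stop) return false;
    *out = fifo[sh->stop / 4];
    sh->stop += 4;
    if (sh->stop >= sh->max) sh->stop = sh->min;
    fifo[FIFO_STOP] = sh->stop;
    return true;
}

/* --- constructed input: a 256-byte FIFO with the given header words --- */
static long example_length(uint32_t min, uint32_t max,
                           uint32_t next_cmd, uint32_t stop)
{
    uint32_t fifo[64] = {0};
    struct fifo_shadow sh;
    fifo[FIFO_MIN] = min;
    fifo[FIFO_MAX] = max;
    fifo[FIFO_NEXT_CMD] = next_cmd;
    fifo[FIFO_STOP] = stop;
    return fifo_snapshot(fifo, sizeof fifo, &sh);
}

/* The guest rewrites STOP to an out-of-range value right after validation;
 * the device still reads from the offset it validated and returns 0xCAFE. */
static uint32_t example_pop_after_tamper(void)
{
    uint32_t fifo[64] = {0};
    struct fifo_shadow sh;
    uint32_t word = 0;
    fifo[FIFO_MIN] = 16;       fifo[FIFO_MAX] = 256;
    fifo[FIFO_NEXT_CMD] = 24;  fifo[FIFO_STOP] = 16;
    fifo[4] = 0xCAFE;  fifo[5] = 0xBEEF;      /* two queued command words */
    if (fifo_snapshot(fifo, sizeof fifo, &sh) != 8) return 0;
    fifo[FIFO_STOP] = 0xFFFFFFF0u;            /* hostile write from another vCPU */
    if (!fifo_read_word(fifo, &sh, &word)) return 0;
    return word;
}

int main(void)
{
    printf("length=%ld tampered-pop=0x%x rejected=%ld\n",
           example_length(16, 256, 32, 16), example_pop_after_tamper(),
           example_length(16, 256, 32, 1000));
    return 0;
}
```

The important property is that `fifo_read_word` never touches `fifo[FIFO_STOP]` except to write it back; the index it reads from came from the shadow that `fifo_snapshot` range-checked, so a racing guest write can desynchronise the queue but cannot move the device's read outside `[min, max)`.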
-
Committed by Fam Zheng
Similar to the "!drv || !drv->bdrv_aio_ioctl" case above, here it is okay to set co.ret and return. As pointed out by Paolo, a BH will be created as necessary by the caller (bdrv_co_maybe_schedule_bh). Besides, as pointed out by Kevin, "data" was leaked before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20160601015223.19277-1-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c8a9fd80)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Prasad J Pandit
The LSI SAS1068 Host Bus Adapter emulator in QEMU periodically looks for requests and fetches them. A loop doing that in mptsas_fetch_requests() could run infinitely if 's->state' was not operational. Move the check to avoid such a loop.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 06630554)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Prasad J Pandit
VMware Paravirtual SCSI emulation uses command descriptors to process SCSI commands. These descriptors come with their ring buffers. A guest could set the ring buffer size to an arbitrary value, leading to an OOB access issue. Add a check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3e831b40)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Steven Luo
On my Debian jessie system, including nettle/pbkdf2.h does not cause NULL to be defined, which causes the test to fail to compile. Include stddef.h to bring in a definition of NULL.

Cc: qemu-trivial@nongnu.org
Cc: qemu-stable@nongnu.org
Signed-off-by: Steven Luo <steven+qemu@steven676.net>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 9e87a691)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Greg Kurz
QEMU currently has two ways to prevent migration from occurring:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest using mount_tag 'host'

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <146239057139.11271.9011797645454781543.stgit@bahia.huguette.org>
[Update subject according to Paolo's suggestion - Amit]
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 24f3902b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake
Similar to commit df7b97ff, we are mishandling clients that give an unaligned NBD_CMD_TRIM request, and potentially trimming bytes that occur before their request; which in turn can cause potential unintended data loss (unlikely in practice, since most clients are sane and issue aligned trim requests). However, while we fixed read and write by switching to the byte interfaces of blk_, we don't yet have a byte interface for discard. On the other hand, trim is advisory, so rounding the user's request to simply ignore the first and last unaligned sectors (or the entire request, if it is sub-sector in length) is just fine.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1464173965-9694-1-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 353ab969)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
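The rounding rule in the commit message above (drop the unaligned head and tail of a trim, or the whole request when it never covers a full sector, but never extend it backwards) is worth seeing next to the rounding that caused the problem. The following is an added example written for this page, not QEMU's NBD server code: `nbd_trim_naive` is the assumed "before" shape that rounds the start down, `nbd_trim_aligned` implements the inward rounding the message describes, and the sector size, function names and the byte-offset inputs are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BDRV_SECTOR_BITS 9
#define BDRV_SECTOR_SIZE (1ULL << BDRV_SECTOR_BITS)

/* A trim request converted to whole sectors. */
struct trim_range {
    uint64_t sector;      /* first sector to discard */
    uint64_t nb_sectors;  /* number of sectors to discard */
};

/*
 * Assumed "before" shape: round the start DOWN and the length DOWN. For an
 * unaligned request this discards bytes in front of what the client asked
 * for, which is the unintended data loss the commit message describes.
 */
static struct trim_range nbd_trim_naive(uint64_t from, uint32_t len)
{
    struct trim_range r = { from >> BDRV_SECTOR_BITS, len >> BDRV_SECTOR_BITS };
    return r;
}

/*
 * Round inward instead: from the first sector that starts at or after `from`
 * up to the last sector that ends at or before `from + len`. Trim is advisory,
 * so dropping the partial head and tail (or declining a request that never
 * covers a full sector) is safe. Returns false when nothing remains.
 */
static bool nbd_trim_aligned(uint64_t from, uint32_t len, struct trim_range *r)
{
    if (len == 0 || len > UINT64_MAX - from) {
        return false;                           /* empty, or would overflow */
    }
    uint64_t end   = from + len;                                    /* exclusive */
    uint64_t first = (from >> BDRV_SECTOR_BITS)
                   + ((from & (BDRV_SECTOR_SIZE - 1)) != 0);        /* round up */
    uint64_t last  = end >> BDRV_SECTOR_BITS;                       /* round down */
    if (last <= first) {
        return false;                           /* sub-sector: nothing whole to trim */
    }
    r->sector = first;
    r->nb_sectors = last - first;
    return true;
}

/* Does the naive rounding touch bytes before the client's `from`? */
static bool naive_trims_before_request(uint64_t from, uint32_t len)
{
    struct trim_range r = nbd_trim_naive(from, len);
    return r.nb_sectors > 0 && (r.sector << BDRV_SECTOR_BITS) < from;
}

/* First sector the aligned version would trim (0 when it declines). */
static uint64_t aligned_first(uint64_t from, uint32_t len)
{
    struct trim_range r = { 0, 0 };
    return nbd_trim_aligned(from, len, &r) ? r.sector : 0;
}

/* Number of sectors the aligned version would trim (0 when it declines). */
static uint64_t aligned_count(uint64_t from, uint32_t len)
{
    struct trim_range r = { 0, 0 };
    return nbd_trim_aligned(from, len, &r) ? r.nb_sectors : 0;
}

int main(void)
{
    /* Constructed request: 1000 bytes starting at byte 100. */
    printf("naive starts before request: %d\n", naive_trims_before_request(100, 1000));
    printf("aligned: sector %llu, %llu sector(s)\n",
           (unsigned long long)aligned_first(100, 1000),
           (unsigned long long)aligned_count(100, 1000));
    return 0;
}
```

For the constructed request (bytes 100..1099) the naive form would discard sector 0, i.e. bytes 0..511, ninety-nine of which the client never mentioned; the inward form discards only sector 1 (bytes 512..1023) and declines a 200-byte request entirely.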
-
Committed by Peter Lieven
At least in the path via virtio-blk the maximum size is not restricted.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a6b3167f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gavin Shan
vfio_eeh_container_op() is the backend that communicates with the host kernel to support EEH functionality in QEMU. However, the function should return the value from the host kernel instead of 0 unconditionally.

dwg: Specifically the problem occurs for the handful of EEH sub-operations which can return a non-zero, non-error result.

Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
[dwg: clarification to commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit d917e88d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
- 05 Aug 2016, 14 commits
-
-
Committed by Gerd Hoffmann
Commit "fd3c136b vga: make sure vga register setup for vbe stays intact (CVE-2016-3712)." causes a regression. The win7 installer is unhappy because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set. The vbe_update_vgaregs will fill sr_vbe[] instead of sr[]. Normal vga register reads and writes go to sr[]. Any sr register read access happens through a new sr() helper function which will read from sr_vbe[] with vbe active and from sr[] otherwise.

This way we can allow guests to update sr[] registers as they want, without allowing them to disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 94ef4f33)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Thomas Huth
QEMU currently crashes when an OHCI controller is instantiated with too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1". Thus add a proper check in usb_ohci_init() to make sure that we do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d400fc01)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Peter Lieven
If we open an NFS export with disabled cache we should refuse the readahead feature, as it will cache data inside libnfs. If an export was opened with readahead enabled, it should further not be allowed to disable the cache while running.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 1463662083-20814-2-git-send-email-pl@kamp.de
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit 38f8d5e0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Prasad J Pandit
The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. Routine get_cmd() uses DMA to read SCSI commands into this buffer. Add a check to validate the DMA length against the buffer size to avoid any overrun. Fixes CVE-2016-4441.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 6c1fef6b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Prasad J Pandit
The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. While writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check was missing to validate the input length. Add a check to avoid OOB write access. Fixes CVE-2016-4439.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c98c6c10)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
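The two 53C9X fixes above (CVE-2016-4441 for the DMA fetch in get_cmd(), CVE-2016-4439 for byte-wise writes into 's->cmdbuf[TI_BUFSZ=16]') are the same defect class as the PVSCSI ring-size and OHCI num-ports commits on this page: a guest-controlled count is used to index or copy into a fixed-size buffer without being compared to that buffer's size. The following is an added example written for this page, not QEMU's hw/scsi/esp.c; the `esp_state` layout, the function names and the constructed 64-byte "guest memory" are assumptions, and only the 16-byte TI_BUFSZ figure comes from the commit messages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TI_BUFSZ 16   /* the 53C9X internal FIFO is 16 bytes */

/* Toy device state: just the command FIFO and its fill level. */
struct esp_state {
    uint8_t  cmdbuf[TI_BUFSZ];
    uint32_t cmdlen;
};

/*
 * PIO path (CVE-2016-4439 shape). The unchecked form is
 *     s->cmdbuf[s->cmdlen++] = val;
 * which lets the 17th write to the FIFO register land past the array.
 * The hardened form refuses the byte once the FIFO is full and tells the
 * caller, so the register handler can raise an error status instead.
 */
static bool esp_fifo_write(struct esp_state *s, uint8_t val)
{
    if (s->cmdlen >= TI_BUFSZ) {
        return false;               /* FIFO full: drop the byte */
    }
    s->cmdbuf[s->cmdlen++] = val;
    return true;
}

/*
 * DMA path (CVE-2016-4441 shape). dmalen is assembled from guest-programmed
 * transfer-count registers, so it is attacker-controlled; the unchecked form
 * memcpy()s dmalen bytes into the 16-byte buffer. Returns the number of bytes
 * copied, or -1 when the request exceeds the FIFO.
 */
static int esp_get_cmd(struct esp_state *s, const uint8_t *dma_src, uint32_t dmalen)
{
    if (dmalen > TI_BUFSZ) {
        return -1;                  /* refuse rather than overrun cmdbuf */
    }
    memcpy(s->cmdbuf, dma_src, dmalen);
    s->cmdlen = dmalen;
    return (int)dmalen;
}

/* Constructed guest memory: 64 bytes of a recognisable pattern. */
static void fill_guest_buf(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        buf[i] = (uint8_t)(0xA0 + i);
    }
}

/* Push n bytes through the PIO path; returns how many were accepted. */
static uint32_t example_pio_fill(uint32_t n)
{
    struct esp_state s = { {0}, 0 };
    uint32_t accepted = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (esp_fifo_write(&s, (uint8_t)i)) {
            accepted++;
        }
    }
    return accepted;
}

/* Fetch a command of dmalen bytes via the DMA path from constructed guest RAM.
 * Returns the bytes copied, -1 if refused, -2 if the copy did not match. */
static int example_dma_fetch(uint32_t dmalen)
{
    uint8_t guest[64];
    struct esp_state s = { {0}, 0 };
    fill_guest_buf(guest, sizeof guest);
    int rc = esp_get_cmd(&s, guest, dmalen);
    if (rc > 0 && s.cmdbuf[rc - 1] != (uint8_t)(0xA0 + rc - 1)) {
        return -2;
    }
    return rc;
}

int main(void)
{
    printf("pio: %u of 20 bytes accepted\n", example_pio_fill(20));
    printf("dma: len 16 -> %d, len 17 -> %d, len 64 -> %d\n",
           example_dma_fetch(16), example_dma_fetch(17), example_dma_fetch(64));
    return 0;
}
```

Both checks compare against the buffer's own capacity rather than against some other guest-visible register, which is what makes them robust: a guest can program any transfer count it likes, but the copy length is bounded by the storage the device actually has.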
-
Committed by Paolo Bonzini
Now that json-streamer tries not to leak tokens on incomplete parse, the tokens can be freed twice if QEMU destroys the json-streamer object during the parser->emit call. To fix this, create the new empty GQueue earlier, so that it is already in place when the old one is passed to parser->emit.

Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a942d8fa)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake
Valgrind complained about a number of leaks in tests/check-qobject-json:

==12657== definitely lost: 17,247 bytes in 1,234 blocks

All of which had the same root cause: on an incomplete parse, we were abandoning the token queue without cleaning up the allocated data within each queue element. Introduced in commit 95385fe9, when we switched from QList (which recursively frees contents) to g_queue (which does not). We don't yet require glib 2.32 with its g_queue_free_full(), so open-code it instead.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463608012-12760-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit ba4dba54)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Greg Kurz
We currently have an error path during migration that can cause the source QEMU to abort:

migration_thread()
  migration_completion()
    runstate_is_running() ----------------> true if guest is running
    bdrv_inactivate_all() ----------------> inactivate images
    qemu_savevm_state_complete_precopy()
      ...
      qemu_fflush()
        socket_writev_buffer() --------> error because destination fails
      qemu_fflush() -------------------> set error on migration stream
  migration_completion() -----------------> set migrate state to FAILED
migration_thread() -----------------------> break migration loop
vm_start() -----------------------------> restart guest with inactive images

and you get:

qemu-system-ppc64: socket_writev_buffer: Got err=104 for (32768/18446744073709551615)
qemu-system-ppc64: /home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.
Aborted (core dumped)

If we try postcopy with a similar scenario, we also get the writev error message but QEMU leaves the guest paused because entered_postcopy is true.

We could possibly do the same with precopy and leave the guest paused. But since the historical default for migration errors is to restart the source, this patch adds a call to bdrv_invalidate_cache_all() instead.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-Id: <146357896785.6003.11983081732454362715.stgit@bahia.huguette.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit fe904ea8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Stefan Weil
The clang compiler supports a useful compiler option -Weverything, and GCC also has other warnings not enabled by -Wall. If glib header files trigger a warning, however, testing glib with -Werror will always fail. A size mismatch is also detected without -Werror, so simply remove it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <1461879221-13338-1-git-send-email-sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5919e032)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Paolo Bonzini
sfence was introduced before lfence and mfence. This fixes Linux 2.4's measurement of checksumming speeds for the pIII_sse algorithm:

md: linear personality registered as nr 1
md: raid0 personality registered as nr 2
md: raid1 personality registered as nr 3
md: raid5 personality registered as nr 4
raid5: measuring checksumming speed
   8regs     :   384.400 MB/sec
   32regs    :   259.200 MB/sec
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0240b2a>]    Not tainted
EFLAGS: 00000246
eax: c15d8000   ebx: 00000000   ecx: 00000000   edx: c15d5000
esi: 8005003b   edi: 00000004   ebp: 00000000   esp: c15bdf50
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, stackpage=c15bd000)
Stack: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000206 c0241c6c 00001000 c15d4000 c15d7000 c15d4000 c15d4000
Call Trace:    [<c0241c6c>] [<c0105000>] [<c0241db4>] [<c010503b>] [<c0105000>] [<c0107416>] [<c0105030>]
Code: 0f ae f8 0f 10 04 24 0f 10 4c 24 10 0f 10 54 24 20 0f 10 5c
 <0>Kernel panic: Attempted to kill init!

Reported-by: Stefan Weil <sw@weilnetz.de>
Fixes: 121f3157
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 14cb949a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Aurelien Jarno
Recent versions of GCC report the following error when compiling target-mips/helper.c:

qemu/target-mips/helper.c:542:9: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]

This is indeed correct and due to a wrong usage of sizeof(). Fix that.

Cc: Stefan Weil <sw@weilnetz.de>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: qemu-stable@nongnu.org
LP: https://bugs.launchpad.net/qemu/+bug/1577841
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
(cherry picked from commit 9d989c73)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Roman Kagan
This patch is a rough fix to a memory corruption we are observing when running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
    xhci_disable_ep
      xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for the first time as there are no slots configured yet. However when the firmware hands over the control to the OS some slots and endpoints are already set up with their context in the guest RAM. Now the OS' driver resets the controller again and xhci_set_ep_state then reads and writes that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the device context base address array pointer is zero (indicating we're in the HC reset and no DMA is possible).

Cc: qemu-stable@nongnu.org
Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
Message-id: 1462384435-1034-1-git-send-email-rkagan@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 491d68d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Dominik Dingel
While in the anonymous RAM case we already take care of the right alignment, such an alignment guarantee does not exist for file-backed RAM allocation. Instead, pagesize is used for alignment. On s390 this is not enough for gmap, as we need to satisfy an alignment up to segments.

Reported-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Message-Id: <1461585338-45863-1-git-send-email-dingel@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d2f39add)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Hemant Kumar
kvm_stat script is failing to execute on powerpc:

# ./kvm_stat
Traceback (most recent call last):
  File "./kvm_stat", line 825, in <module>
    main()
  File "./kvm_stat", line 813, in main
    providers = get_providers(options)
  File "./kvm_stat", line 778, in get_providers
    providers.append(TracepointProvider())
  File "./kvm_stat", line 416, in __init__
    self.filters = get_filters()
  File "./kvm_stat", line 315, in get_filters
    if ARCH.exit_reasons:
AttributeError: 'ArchPPC' object has no attribute 'exit_reasons'

This is because it's trying to access a non-defined attribute.

Also, the IOCTL number of RESET is incorrect for powerpc. The correct number has been added.

Signed-off-by: Hemant Kumar <hemant@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* cherry-picked from linux commit c7d4fb5a
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-