1. 03 Nov 2016, 4 commits
    • vnc: fix qemu crash because of SIGSEGV · 91a2f462
      Gonglei committed
      The backtrace is:
      
      0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
      0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
      vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
      0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
      dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
      0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
      dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
      0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
      cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
      cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
      cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
      0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
      0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
      access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
      mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
      0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
      size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
      0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
      attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
      address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
      0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
      buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
      0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
      0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
      0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
      0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
      
      The code path while meeting segfault:
       vnc_dpy_copy
         vnc_update_client
      vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something's wrong]
             vnc_update_server_surface
               vd->server = NULL;
         vnc_server_fb_stride
           pixman_image_get_stride(vd->server)
      
      Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault.
      
      Cc: Gerd Hoffmann <kraxel@redhat.com>
      Cc: Daniel P. Berrange <berrange@redhat.com>
      Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
      Signed-off-by: Gonglei <arei.gonglei@huawei.com>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      (cherry picked from commit 3e10c3ec)
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    • virtio-balloon: discard virtqueue element on reset · 520d4b28
      Ladi Prosek committed
      The one pending element is being freed but not discarded on device
      reset, which causes svq->inuse to creep up, eventually hitting the
      "Virtqueue size exceeded" error.
      
      Properly discarding the element on device reset makes sure that its
      buffers are unmapped and the inuse counter stays balanced.
      
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Roman Kagan <rkagan@virtuozzo.com>
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: Ladi Prosek <lprosek@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      (cherry picked from commit 104e70ca)
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    • virtio: zero vq->inuse in virtio_reset() · 4b6542dd
      Stefan Hajnoczi committed
      vq->inuse must be zeroed upon device reset like most other virtqueue
      fields.
      
      In theory, virtio_reset() just needs assert(vq->inuse == 0) since
      devices must clean up in-flight requests during reset (requests cannot
      be leaked!).
      
      In practice, it is difficult to achieve vq->inuse == 0 across reset
      because balloon, blk, 9p, etc implement various different strategies for
      cleaning up requests.  Most devices call g_free(elem) directly without
      telling virtio.c that the VirtQueueElement is cleaned up.  Therefore
      vq->inuse is not decremented during reset.
      
      This patch zeroes vq->inuse and trusts that devices are not leaking
      VirtQueueElements across reset.
      
      I will send a follow-up series that refactors request life-cycle across
      all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but
      this more invasive approach is not appropriate for stable trees.
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      Cc: qemu-stable <qemu-stable@nongnu.org>
      Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Reviewed-by: Ladi Prosek <lprosek@redhat.com>
      (cherry picked from commit 4b7f91ed)
      Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    • Merge tag 'ppc-for-2.7-20161013' into stable-2.7-staging · c1a77fd6
      Michael Roth committed
      qemu-2.7 (stable): ppc patch queue 2016-10-13
      
      TCG for ppc does not properly implement hardware transactional memory.
      It has a stub implementation in which transactions always fail.
      Unfortunately in v2.7.0, HTM is advertised as being available to
      guests, which means guests may incorrectly attempt to use it and hang.
      
      This has been the case for a while, but has become more urgent with
      recent (guest) Linux kernel versions which attempt to lazily enable
      TM.  Under TCG that now triggers the problem regularly, instead of
      just when running a TM aware userspace program.
      
      The problem is already fixed in the 2.8/master branch, by correctly
      advertising HTM as not being available with TCG.  This series
      backports the relevant patches to the qemu-2.7 stable branch to fix
      the problem there.
      
      * tag 'ppc-for-2.7-20161013':
        ppc: Check the availability of transactional memory
        hw/ppc/spapr: Fix the selection of the processor features
        hw/ppc/spapr: Move code related to "ibm,pa-features" to a separate function
        linux-headers: update
  2. 13 Oct 2016, 4 commits
  3. 02 Sep 2016, 1 commit
  4. 31 Aug 2016, 5 commits
  5. 30 Aug 2016, 4 commits
  6. 25 Aug 2016, 1 commit
    • Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging · e00da552
      Peter Maydell committed
      virtio: fixes
      
      some bugfixes for virtio
      balloon is still broken wrt migration
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      
      # gpg: Signature made Tue 23 Aug 2016 17:33:11 BST
      # gpg:                using RSA key 0x281F0DB8D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
      # gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
      # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
      #      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469
      
      * remotes/mst/tags/for_upstream:
        virtio: decrement vq->inuse in virtqueue_discard()
        virtio: recalculate vq->inuse after migration
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  7. 24 Aug 2016, 3 commits
  8. 22 Aug 2016, 4 commits
  9. 19 Aug 2016, 4 commits
  10. 18 Aug 2016, 7 commits
    • Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging · 02b1ad88
      Peter Maydell committed
      # gpg: Signature made Thu 18 Aug 2016 14:39:31 BST
      # gpg:                using RSA key 0x9CA4ABB381AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
      # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8
      
      * remotes/stefanha/tags/block-pull-request:
        block: fix possible reorder of flush operations
        block: fix deadlock in bdrv_co_flush
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • block: fix possible reorder of flush operations · 156af3ac
      Denis V. Lunev committed
      This patch reduces CPU usage of flush operations a bit. When we have one
      flush completed we should kick only next operation. We should not start
      all pending operations in the hope that they will go back to wait on
      wait_queue.
      
      Also there is a technical possibility that requests will get reordered
      with the previous approach. After wakeup all requests are removed from
      the wait queue. They become active and they are processed one-by-one
      adding to the wait queue in the same order. Though new flush can arrive
      while all requests are not put into the queue.
      Signed-off-by: Denis V. Lunev <den@openvz.org>
      Tested-by: Evgeny Yakovlev <eyakovlev@virtuozzo.com>
      Signed-off-by: Evgeny Yakovlev <eyakovlev@virtuozzo.com>
      Message-id: 1471457214-3994-3-git-send-email-den@openvz.org
      CC: Stefan Hajnoczi <stefanha@redhat.com>
      CC: Fam Zheng <famz@redhat.com>
      CC: Kevin Wolf <kwolf@redhat.com>
      CC: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    • block: fix deadlock in bdrv_co_flush · ce83ee57
      Evgeny Yakovlev committed
      The following commit
          commit 3ff2f67a
          Author: Evgeny Yakovlev <eyakovlev@virtuozzo.com>
          Date:   Mon Jul 18 22:39:52 2016 +0300
          block: ignore flush requests when storage is clean
      has introduced a regression.
      
      There is a problem that it is still possible for 2 requests to execute
      in non sequential fashion and sometimes this results in a deadlock
      when bdrv_drain_one/all are called for BDS with such stalled requests.
      
      1. Current flushed_gen and flush_started_gen is 1.
      2. Request 1 enters bdrv_co_flush with write_gen 1 (i.e. the same
         as flushed_gen). It gets past flushed_gen != flush_started_gen and
         sets flush_started_gen to 1 (again, the same it was before).
      3. Request 1 yields somewhere before exiting bdrv_co_flush
      4. Request 2 enters bdrv_co_flush with write_gen 2. It gets past
         flushed_gen != flush_started_gen and sets flush_started_gen to 2.
      5. Request 2 runs to completion and sets flushed_gen to 2
      6. Request 1 is resumed, runs to completion and sets flushed_gen to 1.
         However flush_started_gen is now 2.
      
      From here on out flushed_gen is always != to flush_started_gen and all
      further requests will wait on flush_queue. This change replaces
      flush_started_gen with an explicitly tracked active flush request.
      Signed-off-by: Evgeny Yakovlev <eyakovlev@virtuozzo.com>
      Signed-off-by: Denis V. Lunev <den@openvz.org>
      Message-id: 1471457214-3994-2-git-send-email-den@openvz.org
      CC: Stefan Hajnoczi <stefanha@redhat.com>
      CC: Fam Zheng <famz@redhat.com>
      CC: Kevin Wolf <kwolf@redhat.com>
      CC: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    • Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging · 5844365f
      Peter Maydell committed
      # gpg: Signature made Thu 18 Aug 2016 06:36:16 BST
      # gpg:                using RSA key 0xEF04965B398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
      # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211
      
      * remotes/jasowang/tags/net-pull-request:
        net/net: properly handle multiple packets in net_fill_rstate()
        net: vmxnet: use g_new for pkt initialisation
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/famz/tags/docker-pull-request' into staging · 4b887ae6
      Peter Maydell committed
      Fix 'make docker-test-mingw@fedora'
      
      Peter,
      
      This is the single patch that stalls patchew's mingw testing. Since it
      is small and trivial, let's have it in 2.7.
      
      Fam
      
      # gpg: Signature made Wed 17 Aug 2016 13:13:53 BST
      # gpg:                using RSA key 0xCA35624C6A9171C6
      # gpg: Good signature from "Fam Zheng <famz@redhat.com>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the owner.
      # Primary key fingerprint: 5003 7CB7 9706 0F76 F021  AD56 CA35 624C 6A91 71C6
      
      * remotes/famz/tags/docker-pull-request:
        curl: Cast fd to int for DPRINTF
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • net/net: properly handle multiple packets in net_fill_rstate() · e9e0a585
      Zhang Chen committed
      When network is busy, we will receive multiple packets at one time. In
      that situation, we should keep trying to do the receiving instead of
      finalizing only the first packet.
      Signed-off-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
      Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
    • net: vmxnet: use g_new for pkt initialisation · 47882fa4
      Li Qiang committed
      When network transport abstraction layer initialises pkt, the maximum
      fragmentation count is not checked. This could lead to an integer
      overflow causing a NULL pointer dereference. Replace g_malloc() with
      g_new() to catch the multiplication overflow.
      Reported-by: Li Qiang <liqiang6-s@360.cn>
      Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
      Acked-by: Dmitry Fleytman <dmitry@daynix.com>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
  11. 17 Aug 2016, 2 commits
  12. 16 Aug 2016, 1 commit
    • linux-user: Fix llseek with high bit of offset_low set · 9fea273c
      Peter Maydell committed
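The vmxnet fix above relies on g_new() refusing an element count whose byte size would wrap, where a plain g_malloc(n * size) silently allocates an undersized buffer. The following is an added example, not code from QEMU, vmxnet or GLib: the wrappers array_bytes_unchecked(), array_bytes_overflows(), alloc_array_checked() and alloc_probe() are hypothetical names written for this illustration, and the wrapping element count is constructed so that the product reduces to 0 in size_t on any pointer width.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked shape, g_malloc(n * sizeof(T)): the product wraps modulo
 * SIZE_MAX + 1, so a huge n can yield a tiny (even zero) allocation. */
size_t array_bytes_unchecked(size_t n, size_t elem_size)
{
    return n * elem_size;
}

/* Overflow test in the spirit of g_new(): returns 1 when n * elem_size does
 * not fit in size_t; otherwise stores the product in *out and returns 0. */
int array_bytes_overflows(size_t n, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size) {
        return 1;
    }
    *out = n * elem_size;
    return 0;
}

/* Hypothetical allocation wrapper: refuses the request on overflow instead
 * of handing back a buffer far smaller than the caller believes it is. */
void *alloc_array_checked(size_t n, size_t elem_size)
{
    size_t bytes;
    if (array_bytes_overflows(n, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Returns 1 if the checked allocator accepts (n, elem_size), 0 if it refuses.
 * Frees the buffer so the probe has no side effects. */
int alloc_probe(size_t n, size_t elem_size)
{
    void *p = alloc_array_checked(n, elem_size);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}

/* Constructed fragment count that wraps: 2^(bits-2) elements of 8 bytes is
 * 2^(bits+1) bytes, which is 0 modulo 2^bits for any size_t width. */
size_t wrapping_count(void)
{
    return (size_t)1 << (sizeof(size_t) * CHAR_BIT - 2);
}

int main(void)
{
    size_t n = wrapping_count();
    printf("unchecked bytes for %zu x 8: %zu\n", n, array_bytes_unchecked(n, 8));
    printf("checked allocation accepted: %d\n", alloc_probe(n, 8));
    printf("checked allocation of 16 x 8 accepted: %d\n", alloc_probe(16, 8));
    return 0;
}
```

The defensive point is the second printed line: the unchecked product is 0 bytes, which malloc() would happily satisfy, while the checked path reports the overflow before any memory is handed out.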
      The llseek syscall takes two 32-bit arguments, offset_high
      and offset_low, which must be combined to form a single
      64-bit offset. Unfortunately we were combining them with
         ((uint64_t)arg2 << 32) | arg3
      and arg3 is a signed type; this meant that when promoting
      arg3 to a 64-bit type it would be sign-extended. The effect
      was that if the offset happened to have bit 31 set then
      this bit would get sign-extended into all of bits 63..32.
      Explicitly cast arg3 to abi_ulong to avoid the erroneous
      sign extension.
      Reported-by: Chanho Park <parkch98@gmail.com>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Tested-by: Chanho Park <parkch98@gmail.com>
      Message-id: 1470938379-1133-1-git-send-email-peter.maydell@linaro.org
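The sign-extension mistake described in the llseek commit is easy to reproduce in isolation. The block below is an added illustration, not code from QEMU or from the commit: the abi_long and abi_ulong typedefs are hypothetical stand-ins for a 32-bit guest's ABI types, and llseek_offset_buggy(), llseek_offset_fixed() and llseek_offset_corrupted() are names chosen for this example. It places the two ways of combining offset_high and offset_low side by side and shows which inputs they disagree on.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the guest ABI types (an assumption for this
 * example, not QEMU's headers): syscall arguments on a 32-bit guest arrive
 * as signed abi_long, and abi_ulong is the unsigned type of the same width. */
typedef int32_t  abi_long;
typedef uint32_t abi_ulong;

/* Buggy combination, as the commit message describes it: arg3 (offset_low)
 * is signed, so the usual arithmetic conversions sign-extend it to 64 bits
 * before the OR, smearing bit 31 across bits 63..32. */
uint64_t llseek_offset_buggy(abi_long arg2, abi_long arg3)
{
    return ((uint64_t)arg2 << 32) | arg3;
}

/* Fixed combination: converting offset_low to the unsigned 32-bit type first
 * makes the widening to 64 bits a zero extension. */
uint64_t llseek_offset_fixed(abi_long arg2, abi_long arg3)
{
    return ((uint64_t)arg2 << 32) | (abi_ulong)arg3;
}

/* 1 when the two variants disagree for this pair of halves, i.e. exactly when
 * offset_low has bit 31 set and the buggy form would corrupt the offset. */
int llseek_offset_corrupted(abi_long arg2, abi_long arg3)
{
    return llseek_offset_buggy(arg2, arg3) != llseek_offset_fixed(arg2, arg3);
}

int main(void)
{
    /* Constructed inputs: offset_high = 0, offset_low with bit 31 set
     * (as a signed 32-bit value that is INT32_MIN). */
    abi_long high = 0, low = INT32_MIN;
    printf("buggy: 0x%016llx\n", (unsigned long long)llseek_offset_buggy(high, low));
    printf("fixed: 0x%016llx\n", (unsigned long long)llseek_offset_fixed(high, low));
    printf("corrupted: %d\n", llseek_offset_corrupted(high, low));
    return 0;
}
```

With offset_high = 0 and offset_low = 0x80000000 the buggy form yields 0xFFFFFFFF80000000 and the fixed form 0x0000000080000000; for any offset_low with bit 31 clear the two agree, which is why the bug only surfaced for seeks past 2 GiB within a 4 GiB window.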