- 28 July 2020, 2 commits
-
-
Submitted by Jason Wang

We try to check whether a peer is VDPA in order to get config from there - with no peer, this leads to a NULL pointer dereference. Add a check before trying to access the peer type. No peer means not VDPA.

Fixes: 108a6481 ("vhost-vdpa: introduce vhost-vdpa backend")
Cc: Cindy Lu <lulu@redhat.com>
Tested-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-
Submitted by Yuri Benditovich

We should use the index passed by the caller instead of the queue_sel when checking the enablement of a specific virtqueue. This is reported in https://bugzilla.redhat.com/show_bug.cgi?id=1702608

Fixes: f19bcdfe ("virtio-pci: implement queue_enabled method")
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-
- 27 July 2020, 7 commits
-
-
Submitted by Laurent Vivier

In legacy mode, virtio_pci_queue_enabled() falls back to virtio_queue_enabled() to know if the queue is enabled. But virtio_queue_enabled() calls again virtio_pci_queue_enabled() if k->queue_enabled is set. This ends in a crash after a stack overflow.

The problem can be reproduced with "-device virtio-net-pci,disable-legacy=off,disable-modern=true -net tap,vhost=on"

And a look to the backtrace is very explicit:

    ...
    #4 0x000000010029a438 in virtio_queue_enabled ()
    #5 0x0000000100497a9c in virtio_pci_queue_enabled ()
    ...
    #130902 0x000000010029a460 in virtio_queue_enabled ()
    #130903 0x0000000100497a9c in virtio_pci_queue_enabled ()
    #130904 0x000000010029a460 in virtio_queue_enabled ()
    #130905 0x0000000100454a20 in vhost_net_start ()
    ...

This patch fixes the problem by introducing a new function for the legacy case and calls it from virtio_pci_queue_enabled(). It also calls it from virtio_queue_enabled() to avoid code duplication.

Fixes: f19bcdfe ("virtio-pci: implement queue_enabled method")
Cc: Jason Wang <jasowang@redhat.com>
Cc: Cindy Lu <lulu@redhat.com>
CC: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20200727153319.43716-1-lvivier@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Cindy Lu

In the functions vhost_vdpa_dma_map/unmap, the struct msg did not have all its fields initialized.

Signed-off-by: Cindy Lu <lulu@redhat.com>
Message-Id: <20200710064642.24505-1-lulu@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Raphael Norwitz

The VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS vhost-user protocol feature introduced a shadow-table, used by the backend to dynamically determine how a vdev's memory regions have changed since the last vhost_user_set_mem_table() call. On hot-remove, a memmove() operation is used to overwrite the removed shadow region descriptor(s). The size parameter of this memmove was off by 1 such that if a VM with a backend supporting the VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS filled its shadow-table (by performing the maximum number of supported hot-add operations) and attempted to remove the last region, Qemu would read an out of bounds value and potentially crash.

This change fixes the memmove() bounds such that this erroneous read can never happen.

Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <1594799958-31356-1-git-send-email-raphael.norwitz@nutanix.com>
Fixes: f1aeb14b ("Transmit vhost-user memory regions individually")
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Hogan Wang

The pci host config register is used to save the PCI address for read/write config data. If the guest writes a value to the config register, and then QEMU pauses the vcpu to migrate, after the migration the guest will continue to write pci config data, and the written data will be ignored because the new qemu process has lost the config register state.

To trigger the bug:
1. guest is booting in seabios.
2. guest enables the SMRAM in seabios:piix4_apmc_smm_setup, and then expects to disable the SMRAM by pci_config_writeb.
3. after guest writes the pci host config register, QEMU pauses vcpu to finish migration.
4. guest write of config data(0x0A) fails to disable the SMRAM because the config register state is lost.
5. guest continues to boot and crashes in ipxe option ROM due to SMRAM in enabled state.

Example Reproducer:

step 1. Make modifications to seabios and qemu to increase reproduction efficiency: write 0xf0 to port 0x402 to notify qemu to stop the vcpu after port 0x0cf8 wrote the i440 configure register. qemu stops the vcpu when it catches port 0x402 being written with 0xf0.

seabios:/src/hw/pci.c
@@ -52,6 +52,11 @@ void pci_config_writeb(u16 bdf, u32 addr, u8 val) writeb(mmconfig_addr(bdf, addr), val); } else { outl(ioconfig_cmd(bdf, addr), PORT_PCI_CMD); + if (bdf == 0 && addr == 0x72 && val == 0xa) { + dprintf(1, "stop vcpu\n"); + outb(0xf0, 0x402); // notify qemu to stop vcpu + dprintf(1, "resume vcpu\n"); + } outb(val, PORT_PCI_DATA + (addr & 3)); } }

qemu:hw/char/debugcon.c
@@ -60,6 +61,9 @@ static void debugcon_ioport_write(void *opaque, hwaddr addr, uint64_t val, printf(" [debugcon: write addr=0x%04" HWADDR_PRIx " val=0x%02" PRIx64 "]\n", addr, val); #endif + if (ch == 0xf0) { + vm_stop(RUN_STATE_PAUSED); + } /* XXX this blocks entire thread. Rewrite to use * qemu_chr_fe_write and background I/O callbacks */ qemu_chr_fe_write_all(&s->chr, &ch, 1);

step 2. start vm1 by the following command line, and then the vm is stopped.

    $ qemu-system-x86_64 -machine pc-i440fx-5.0,accel=kvm\
        -netdev tap,ifname=tap-test,id=hostnet0,vhost=on,downscript=no,script=no\
        -device virtio-net-pci,netdev=hostnet0,id=net0,bus=pci.0,addr=0x13,bootindex=3\
        -device cirrus-vga,id=video0,vgamem_mb=16,bus=pci.0,addr=0x2\
        -chardev file,id=seabios,path=/var/log/test.seabios,append=on\
        -device isa-debugcon,iobase=0x402,chardev=seabios\
        -monitor stdio

step 3. start vm2 to accept vm1 state.

    $ qemu-system-x86_64 -machine pc-i440fx-5.0,accel=kvm\
        -netdev tap,ifname=tap-test1,id=hostnet0,vhost=on,downscript=no,script=no\
        -device virtio-net-pci,netdev=hostnet0,id=net0,bus=pci.0,addr=0x13,bootindex=3\
        -device cirrus-vga,id=video0,vgamem_mb=16,bus=pci.0,addr=0x2\
        -chardev file,id=seabios,path=/var/log/test.seabios,append=on\
        -device isa-debugcon,iobase=0x402,chardev=seabios\
        -monitor stdio \
        -incoming tcp:127.0.0.1:8000

step 4. execute the following qmp command in vm1 to migrate.

    (qemu) migrate tcp:127.0.0.1:8000

step 5. execute the following qmp command in vm2 to resume vcpu.

    (qemu) cont

Before this patch, we get a KVM "emulation failure" error on vm2. This patch fixes it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hogan Wang <hogan.wang@huawei.com>
Message-Id: <20200727084621.3279-1-hogan.wang@huawei.com>
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
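Review bot: both hunks are reproducer-only instrumentation and must stay out of any tree: the seabios hunk hardcodes a single trigger (`bdf == 0 && addr == 0x72 && val == 0xa`) and the debugcon hunk makes a guest write of 0xf0 to the debug port call `vm_stop(RUN_STATE_PAUSED)`, so with it applied any guest code that writes that byte to port 0x402 can pause the whole VM. The message already describes them as modifications to increase reproduction efficiency; stating explicitly that they are not part of the fix, and keeping them separate from the actual change, would avoid anyone picking them up by mistake.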
-
Submitted by David Hildenbrand

Trying to run simple virtio-mem-pci examples currently fails with

    qemu-system-x86_64: -device virtio-mem-pci,id=vm0,memdev=mem0,node=0, requested-size=300M: device is modern-only, use disable-legacy=on

due to the added safety checks in 9b3a35ec ("virtio: verify that legacy support is not accidentally on").

As noted by Conny, we have to force virtio version 1. While at it, use qdev_realize() to set the parent bus and realize - like most other virtio-*-pci implementations.

Fixes: 0b9a2443 ("virtio-pci: Proxy for virtio-mem")
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Cc: Cornelia Huck <cohuck@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200727115905.129397-1-david@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by KONRAD Frederic

Don't send the trailing 0 from the string.

Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <1592215252-26742-2-git-send-email-frederic.konrad@adacore.com>
Message-Id: <20200724064509.331-4-alex.bennee@linaro.org>
-
Submitted by Laurent Vivier

QEMU issues the ioctl(KVM_CAP_PPC_FWNMI) on the first vCPU. If the first vCPU is currently running, the vCPU mutex is held and the ioctl() cannot be done and waits until the mutex is released. This never happens and the VM is stuck.

To avoid this deadlock, issue the ioctl on the same vCPU doing the RTAS call.

The problem can be reproduced by booting a guest with several vCPUs (the probability to have the problem is (n - 1) / n, n = # of CPUs), and then by triggering a kernel crash with "echo c >/proc/sysrq-trigger".

On the reboot, the kernel hangs after:

    ...
    [    0.000000] -----------------------------------------------------
    [    0.000000] ppc64_pft_size    = 0x0
    [    0.000000] phys_mem_size     = 0x48000000
    [    0.000000] dcache_bsize      = 0x80
    [    0.000000] icache_bsize      = 0x80
    [    0.000000] cpu_features      = 0x0001c06f8f4f91a7
    [    0.000000]   possible        = 0x0003fbffcf5fb1a7
    [    0.000000]   always          = 0x00000003800081a1
    [    0.000000] cpu_user_features = 0xdc0065c2 0xaee00000
    [    0.000000] mmu_features      = 0x3c006041
    [    0.000000] firmware_features = 0x00000085455a445f
    [    0.000000] physical_start    = 0x8000000
    [    0.000000] -----------------------------------------------------
    [    0.000000] numa:   NODE_DATA [mem 0x47f33c80-0x47f3ffff]

Fixes: ec010c00 ("ppc/spapr: KVM FWNMI should not be enabled until guest requests it")
Cc: npiggin@gmail.com
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20200724083533.281700-1-lvivier@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-
- 24 July 2020, 6 commits
-
-
Submitted by Peter Maydell

virtio-input-hid.c undefines CONFIG_CURSES before including ui/console.h. However, since commits e2f82e92 and b0766612 that header does not have behaviour dependent on CONFIG_CURSES. Remove the now-unneeded undef.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20200723192457.28136-1-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Submitted by Thomas Huth

The USB_DWC2 switch is currently "default y", so it is included in all qemu-system-* builds, even if it is not needed. Even worse, it does a "select USB", so USB devices are now showing up as available on targets that do not support USB at all. This sysbus device should only be included by the boards that need it, i.e. by the Raspi machines.

Fixes: 153ef166 ("dwc-hsotg (dwc2) USB host controller emulation")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Paul Zimmerman <pauldzim@gmail.com>
Message-id: 20200722154719.10130-1-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Submitted by Stefan Weil

Fixes: b98e8d12
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <20200722204054.1400555-1-sw@weilnetz.de>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
[Commit message tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
-
Submitted by Markus Armbruster

Tracked down with scripts/coccinelle/err-bad-newline.cocci.

Cc: Peter Xu <peterx@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200722084048.1726105-3-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Peter Xu <peterx@redhat.com>
-
Submitted by Halil Pasic

The function machine_get_loadparm() is supposed to produce a C-string, that is a NUL-terminated one, but it does not. ElectricFence can detect this problem if the loadparm machine property is used.

Let us make the returned string a NUL-terminated one.

Fixes: 7104bae9 ("hw/s390x: provide loadparm property for the machine")
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20200723162717.88485-1-pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-
Submitted by Christian Borntraeger

Right now, -no-reboot prevents secure guests from running. This is correct from an implementation point of view, as we have modeled the transition from non-secure to secure as a program directed IPL. From a user perspective, this is not the behavior of least surprise.

We should implement the IPL into protected mode similar to the functions that we use for kdump/kexec. In other words, we do not stop here when -no-reboot is specified on the command line. Like function 0 or function 1, function 10 is not a classic reboot. For example, it can only be called once. Before calling it a second time, a real reboot/reset must happen in-between. So function code 10 is more or less a state transition reset, but not a "standard" reset or reboot.

Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility")
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Message-Id: <20200721103202.30610-1-borntraeger@de.ibm.com>
[CH: tweaked description]
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-
- 23 July 2020, 2 commits
-
-
Submitted by Bin Meng

Currently the debug region size is set to 0x100, but according to the FE310-G000 and FE310-G002 manuals:

    FE310-G000: 0x100 - 0xFFF
    FE310-G002: 0x0 - 0xFFF

Change the size to 0x1000, which applies to both.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <1594891856-15474-1-git-send-email-bmeng.cn@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-
Submitted by Jessica Clarke

The specification says:

    0x00  TIME_LOW   R: Get current time, then return low-order 32-bits.
    0x04  TIME_HIGH  R: Return high 32-bits from previous TIME_LOW read.
    ...
    To read the value, the kernel must perform an IO_READ(TIME_LOW), which
    returns an unsigned 32-bit value, before an IO_READ(TIME_HIGH), which
    returns a signed 32-bit value, corresponding to the higher half of the
    full value.

However, we were just returning the current time for both. If the guest is unlucky enough to read TIME_LOW and TIME_HIGH either side of an overflow of the lower half, it will see time be in the future, before jumping backwards on the next read, and Linux currently relies on the atomicity guaranteed by the spec so is affected by this. Fix this violation of the spec by caching the correct value for TIME_HIGH whenever TIME_LOW is read, and returning that value for any TIME_HIGH read.

Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20200718004934.83174-1-jrtc27@jrtc27.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-
- 22 July 2020, 9 commits
-
-
Submitted by Andrew Melnychenko

There is an issue when the callback may be called with an invalid vdev. It happens on unplug when the vdev is already deleted and the VirtIOPciProxy is not. So now, callbacks accept the proxy device, and the vdev is retrieved from it. Technically memio callbacks should be removed during the flatview update, but memoryregions remain till the PCI device (and its address space) is completely deleted.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1716352
Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Message-Id: <20200706112123.971087-1-andrew@daynix.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Liu Yi L

In chapter 10.4.23 of VT-d spec 3.0, the Descriptor Width bit was introduced in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should be 5 when the descriptor size is 256 bits. This patch adds the DW bit check when deciding the shift used to update VTD_IQH_REG.

Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
Message-Id: <1593850035-35483-1-git-send-email-yi.l.liu@intel.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Cornelia Huck

If a virtio device does not have legacy support, make sure that it is actually off, and bail out if not.

For virtio-pci, this means that any device without legacy support that has been specified to modern-only (or that has been forced to it) will work. For virtio-ccw, this duplicates the check that is currently done prior to realization for any device that explicitly specified no support for legacy.

This catches devices that have not been fenced properly.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20200707105446.677966-3-cohuck@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Cornelia Huck

Several types of virtio devices had already been around before the virtio standard was specified. These devices support virtio in legacy (and transitional) mode. Devices that have been added in the virtio standard are considered non-transitional (i.e. with no support for legacy virtio).

Provide a helper function so virtio transports can figure that out easily.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20200707105446.677966-2-cohuck@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Alexander Duyck

Recently a feature named Free Page Reporting was added to the virtio balloon. In order to avoid any confusion we should drop the use of the word 'report' when referring to Free Page Hinting. So what this patch does is go through and replace all instances of 'report' with 'hint' when we are referring to free page hinting.

Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175128.21935.93927.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Alexander Duyck

There is already locking in place when we are stopping free page hinting, but there are no similar protections in place when we start. I can only assume this was overlooked, as in most cases the page hinting should not be occurring when we are starting the hinting; however, there is still a chance we could be processing hints by the time we get back around to restarting the hinting, so we are better off making sure to protect the state with the mutex lock rather than just updating the value with no protections.

Based on feedback from Peter Maydell this issue had also been spotted by Coverity: CID 1430269

Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175122.21935.78013.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Alexander Duyck

Based on code review it appears possible for the driver to force the device out of a stopped state when hinting by repeating the last ID it was provided. Prevent this by only allowing a transition to the start state when we are in the requested state. This way the driver is only allowed to send one descriptor that will transition the device into the start state. All others will leave it in the stop state once it has finished.

Fixes: c13c4153 ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Markus Armbruster

virtio_crypto_pci_realize() copies the value of vcrypto->vdev's property "cryptodev" to vcrypto's property:

    object_property_set_link(OBJECT(vrng), "rng",
                             OBJECT(vrng->vdev.conf.rng), NULL);

Since it does so only after realize, this always fails, but the error is ignored.

It's actually superfluous: vcrypto's property is an alias of vcrypto->vdev's property, created by virtio_instance_init_common(). Drop the call.

Same for virtio_ccw_crypto_realize(), virtio_rng_pci_realize(), virtio_ccw_rng_realize().

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200721121153.1128844-1-armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Submitted by Michael Tokarev

All ISA registers should be accessible as bytes, words or dwords (if wide enough). Fix the access constraints for acpi-pm-evt, acpi-pm-tmr & acpi-cnt registers.

Fixes: 5d971f9e (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
Fixes: afafe4bb (apci: switch cnt to memory api)
Fixes: 77d58b1e (apci: switch timer to memory api)
Fixes: b5a7c024 (apci: switch evt to memory api)
Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
Buglink: https://bugs.debian.org/964793
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
BugLink: https://bugs.launchpad.net/bugs/1886318
Reported-By: Simon John <git@the-jedi.co.uk>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 21 July 2020, 10 commits
-
-
Submitted by Philippe Mathieu-Daudé

Commits b6d7e9b6..a43770df simplified the error propagation. Similarly to commit 6fd5bef1 "qom: Make functions taking Error** return bool, not void", let fw_cfg_add_from_generator() return a boolean value, not void.

This allows us to simplify parse_fw_cfg() and fixes the error handling issue reported by Coverity (CID 1430396):

    In parse_fw_cfg(): Variable assigned once to a constant guards dead code.

    Local variable local_err is assigned only once, to a constant value, making it effectively constant throughout its scope. If this is not the intent, examine the logic to see if there is a missing assignment that would make local_err not remain constant.

It's the call of fw_cfg_add_from_generator():

    Error *local_err = NULL;

    fw_cfg_add_from_generator(fw_cfg, name, gen_id, errp);
    if (local_err) {
        error_propagate(errp, local_err);
        return -1;
    }
    return 0;

If it fails, parse_fw_cfg() sets an error and returns 0, which is wrong. Harmless, because the only caller passes &error_fatal.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: Coverity CID 1430396: 'Constant' variable guards dead code (DEADCODE)
Fixes: 6552d87c ("softmmu/vl: Let -fw_cfg option take a 'gen_id' argument")
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200721131911.27380-3-philmd@redhat.com>
-
Submitted by Philippe Mathieu-Daudé

Document that FWCfgDataGeneratorClass::get_data() returns NULL on error, and non-NULL on success. This allows us to simplify fw_cfg_add_from_generator(). Since we don't need a local variable to propagate the error, we can remove the ERRP_GUARD() macro.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200721131911.27380-2-philmd@redhat.com>
-
Submitted by Markus Armbruster

object_get_canonical_path_component() returns a malloced copy of a property name on success, null on failure. 19 of its 25 callers immediately free the returned copy.

Change object_get_canonical_path_component() to return the property name directly. Since modifying the name would be wrong, adjust the return type to const char *.

Drop the free from the 19 callers, which become simpler, and add the g_strdup() to the other six.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200714160202.3121879-4-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
-
Submitted by Philippe Mathieu-Daudé

The value returned by qemu_find_file() must be freed. This fixes Coverity issue CID 1430449, which points out that the memory returned by qemu_find_file() is leaked.

Fixes: Coverity CID 1430449 (RESOURCE_LEAK)
Fixes: 7dd8f6fd ('hw/avr: Add support for loading ELF/raw binaries')
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Tested-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20200714164257.23330-5-f4bug@amsat.org>
-
Submitted by Mauro Matteo Cascella

A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It occurs while sending an Ethernet frame due to missing break statements and improper checking of the buffer size.

Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-
Submitted by Andrew

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1708065

With a network backend with 'virtual header' there was an issue in the 'plen' field. Overall, during TSO, 'plen' would be changed, but with 'vheader' this field should be set to the size of the payload itself instead of '0'.

Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-
Submitted by Gerd Hoffmann

Checking the enable/disable state of tracepoints via trace_event_get_state_backends() does not work for modules. qxl checks the state for a small optimization (avoid the g_strndup call in case log_buf will not be used anyway), so we can just drop that check for modular builds.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20200720100352.2477-2-kraxel@redhat.com>
-
Submitted by Laurent Vivier

QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow 64-bit mode access in "runtime" and "operational" MemoryRegionOps.

Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.

XHCI specs: "If the xHC supports 64-bit addressing (AC64 = '1'), then software should write 64-bit registers using only Qword accesses. If a system is incapable of issuing Qword accesses, then writes to the 64-bit address fields shall be performed using 2 Dword accesses; low Dword-first, high-Dword second. If the xHC supports 32-bit addressing (AC64 = '0'), then the high Dword of registers containing 64-bit address fields are unused and software should write addresses using only Dword accesses"

The problem has been detected with SLOF, as the linux kernel always accesses registers using 32-bit access even if AC64 is set, and revealed by 5d971f9e ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")

Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 20200721083322.90651-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Submitted by Markus Armbruster

nd_table[] contains NIC configuration for boards to pick up. Device code has no business looking there. Several devices do it anyway. Two of them already have a suitable FIXME comment: "allwinner-a10" and "msf2-soc". Copy it to the others: "allwinner-h3", "xlnx-versal", "xlnx,zynqmp", "sparc32-ledma", "riscv.sifive.u.soc".

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200715140440.3540942-3-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
-
Submitted by Markus Armbruster

Watch this:

    $ qemu-system-aarch64 -M ast2600-evb -S -display none -qmp stdio
    {"QMP": {"version": {"qemu": {"micro": 50, "minor": 0, "major": 5}, "package": "v5.0.0-2464-g3a9163af"}, "capabilities": ["oob"]}}
    {"execute": "qmp_capabilities"}
    {"return": {}}
    {"execute": "device-list-properties", "arguments": {"typename": "msf2-soc"}}
    Unsupported NIC model: ftgmac100
    armbru@dusky:~/work/images$ echo $?
    1

This is what breaks "make check SPEED=slow".

Root cause is m2sxxx_soc_initfn()'s messing with nd_table[] via qemu_check_nic_model(). That's wrong.

We fixed the exact same bug for device "allwinner-a10" in commit 8aabc543 "hw/arm/allwinner-a10: Do not use nd_table in instance_init function". Fix this instance the same way: move the offending code to m2sxxx_soc_realize(), where it's less wrong, and add a FIXME comment.

Fixes: 05b7374a ("msf2: Add EMAC block to SmartFusion2 SoC")
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200715140440.3540942-2-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
-
- 20 July 2020, 4 commits
-
-
Submitted by Peter Maydell

In armsse_realize() we have a loop over [0, info->num_cpus), which indexes into various fixed-size arrays in the ARMSSE struct. This confuses Coverity, which warns that we might overrun those arrays (CID 1430326, 1430337, 1430371, 1430414, 1430430). This can't actually happen, because the info struct is always one of the entries in the armsse_variants[] array and num_cpus is either 1 or 2; we also already assert in armsse_init() that num_cpus is not too large. However, adding an assert to armsse_realize() like the one in armsse_init() should help Coverity figure out that these code paths aren't possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200713143716.9881-1-peter.maydell@linaro.org
-
Submitted by Peter Maydell

The doc-comments which document the qdev API are split between the header file and the C source files, because as a project we haven't been consistent about where we put them. Move all the doc-comments in qdev.c to the header files, so that users of the APIs don't have to look at the implementation files for this information. In the process, unify them into our doc-comment format and expand on them in some cases to clarify expected use cases.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200711142425.16283-2-peter.maydell@linaro.org
-
Submitted by Richard Henderson

When MTE is enabled, tag memory must exist for all RAM. It might be possible to simultaneously hot plug tag memory alongside the corresponding normal memory, but for now just disable hotplug.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200713213341.590275-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
Submitted by Richard Henderson

While we expect KVM to support MTE at some future point, it certainly won't be ready in time for qemu 5.1.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200713213341.590275-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-