- 17 3月, 2017 40 次提交
-
-
由 Peter Lieven 提交于
the current implementation fails if we try to freeze an already frozen filesystem. This can happen if a filesystem is mounted more than once (e.g. with a bind mount). Suggested-by: NChristian Theune <ct@flyingcircus.io> Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit ce2eb6c4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Paolo Bonzini 提交于
Commit 2afbdf84 ("target-i386: exception handling for memory helpers", 2015-09-15) changed tlb_fill's cpu_restore_state+raise_exception_err to raise_exception_err_ra. After this change, the cpu_restore_state and raise_exception_err's cpu_loop_exit are merged into raise_exception_err_ra's cpu_loop_exit_restore. This actually fixed some bugs, but when SVM is enabled there is a second path from raise_exception_err_ra to cpu_loop_exit. This is the VMEXIT path, and now cpu_vmexit is called without a cpu_restore_state before. The fix is to pass the retaddr to cpu_vmexit (via cpu_svm_check_intercept_param). All helpers can now use GETPC() to pass the correct retaddr, too. Cc: qemu-stable@nongnu.org Fixes: 2afbdf84Reported-by: NAlexander Boettcher <alexander.boettcher@genode-labs.com> Tested-by: NAlexander Boettcher <alexander.boettcher@genode-labs.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 65c9d60a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Pavel Dovgalyuk 提交于
This patch adds call to apic_reset_irq_delivered when the virtual machine is reset. Signed-off-by: NPavel Dovgalyuk <pavel.dovgaluk@ispras.ru> Message-Id: <20170131114054.276.62201.stgit@PASHA-ISP> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit f65e8212) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Richard Henderson 提交于
Fixes the booting of ss20 roms. Cc: qemu-stable@nongnu.org Reported-by: NMichael Russo <mike@papersolve.com> Tested-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: NRichard Henderson <rth@twiddle.net> (cherry picked from commit 3db010c3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 QingFeng Hao 提交于
The problem was triggered by qemu-iotests case 055. It failed when it was comparing the compressed vmdk image with original test.img. The cause is that buf_len in vmdk_write_extent wasn't converted to little-endian before it was stored to disk. But later vmdk_read_extent read it and converted it from little-endian to cpu endian. If the cpu is big-endian like s390, the problem will happen and the data length read by vmdk_read_extent will become invalid! The fix is to add the conversion in vmdk_write_extent, meanwhile, repair the endianness problem of lba field which shall also be converted to little-endian before storing to disk. Cc: qemu-stable@nongnu.org Signed-off-by: NQingFeng Hao <haoqf@linux.vnet.ibm.com> Signed-off-by: NJing Liu <liujbjl@linux.vnet.ibm.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NFam Zheng <famz@redhat.com> Message-id: 20161216052040.53067-2-haoqf@linux.vnet.ibm.com Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit 4545d4f4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Sam Bobroff 提交于
Programs run under qemu-ppc64 on an x86_64 host currently segfault if they use pthread_create() due to the adjustment made to the NIP in commit bd6fefe7. This patch changes cpu_loop() to set the NIP back to the pre-incremented value before calling do_syscall(), which causes the correct address to be used for the new thread and corrects the fault. Signed-off-by: NSam Bobroff <sam.bobroff@au1.ibm.com> Reviewed-by: NLaurent Vivier <laurent@vivier.eu> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 2635531f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael Tokarev 提交于
When qemu vnc server is trying to send large update to clients, there might be a situation when system responds with something like EAGAIN, indicating that there's no system memory to send that much data (depending on the network speed, client and server and what is happening). In this case, something like this happens on qemu side (from strace): sendmsg(16, {msg_name(0)=NULL, msg_iov(1)=[{"\244\"..., 729186}], msg_controllen=0, msg_flags=0}, 0) = 103950 sendmsg(16, {msg_name(0)=NULL, msg_iov(1)=[{"lz\346"..., 1559618}], msg_controllen=0, msg_flags=0}, 0) = -1 EAGAIN sendmsg(-1, {msg_name(0)=NULL, msg_iov(1)=[{"lz\346"..., 1559618}], msg_controllen=0, msg_flags=0}, 0) = -1 EBADF qemu closes the socket before the retry, and obviously it gets EBADF when trying to send to -1. This is because there WAS a special handling for EAGAIN, but now it doesn't work anymore, after commit 04d2529d, because now in all error-like cases we initiate vnc disconnect. This change were introduced in qemu 2.6, and caused numerous grief for many people, resulting in their vnc clients reporting sporadic random disconnects from vnc server. Fix that by doing the disconnect only when necessary, i.e. omitting this very case of EAGAIN. Hopefully the existing condition (comparing with QIO_CHANNEL_ERR_BLOCK) is sufficient, as the original code (before the above commit) were checking for other errno values too. Apparently there's another (semi?)bug exist somewhere here, since the code tries to write to fd# -1, it probably should check if the connection is open before. But this isn't important. Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com> Message-id: 1486115549-9398-1-git-send-email-mjt@msgid.tls.msk.ru Fixes: 04d2529d Cc: Daniel P. Berrange <berrange@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 537848ee) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Prasad J Pandit 提交于
While doing multi block SDMA transfer in routine 'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting index 'begin' and data length 's->data_count' could end up to be same. This could lead to an OOB access issue. Correct transfer data length to avoid it. Cc: qemu-stable@nongnu.org Reported-by: NJiang Xin <jiangxin1@huawei.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Message-id: 20170130064736.9236-1-ppandit@redhat.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit 42922105) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Lieven 提交于
commit 94d6a7a7 accidentally left the naming of runtime opts and QAPI scheme inconsistent. As one consequence passing of parameters in the URI is broken. Sync the naming of the runtime opts to the QAPI scheme. Please note that this is technically backwards incompatible with the 2.8 release, but the 2.8 release is the only version that had the wrong naming. Furthermore release 2.8 suffered from a NULL pointer dereference during URI parsing. Fixes: 94d6a7a7 Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Message-id: 1485942829-10756-3-git-send-email-pl@kamp.de [mreitz: Fixed commit message] Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit f67409a5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Lieven 提交于
parse_uint_full wants to put the parsed value into the variable passed via its second argument which is NULL. Fixes: 94d6a7a7 Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Reviewed-by: NEric Blake <eblake@redhat.com> Message-id: 1485942829-10756-2-git-send-email-pl@kamp.de Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit 8d20abe8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christian Borntraeger 提交于
Right now we reset all devices before we reset the cmma states. This can result in the host kernel discarding guest pages that were previously in the unused state but already contain a bios or a -kernel file before the cmma reset has finished. This race results in random guest crashes or hangs during very early reboot. Fixes: 1cd4e0f6 ("s390x/cmma: clean up cmma reset") Cc: qemu-stable@nongnu.org Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com> (cherry picked from commit 1a0e4c8b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 David Hildenbrand 提交于
"any" does not exist, therefore resulting in a misleading error message. Reported-by: NStefan Weil <sw@weilnetz.de> Signed-off-by: NDavid Hildenbrand <david@redhat.com> Message-Id: <20170130145025.26475-1-david@redhat.com> Reviewed-by: NStefan Weil <sw@weilnetz.de> Reviewed-by: NAlexander Graf <agraf@suse.de> Cc: qemu-stable@nongnu.org (cherry picked from commit d8923bc7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Ladi Prosek 提交于
The AHCI emulation code supports 64-bit addressing and should advertise this fact in the Host Capabilities register. Both Linux and Windows drivers test this bit to decide if the upper 32 bits of various registers may be written to, and at least some versions of Windows have a bug where DMA is attempted with an address above 4GB but, in the absence of HOST_CAP_64, the upper 32 bits are left unititialized which leads to a memory corruption. [Maintainer edit: This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1411105, which affects Windows Server 2008 SP2 in some cases.] Signed-off-by: NLadi Prosek <lprosek@redhat.com> Message-id: 1484305370-6220-1-git-send-email-lprosek@redhat.com [Amended commit message --js] Signed-off-by: NJohn Snow <jsnow@redhat.com> (cherry picked from commit 98cb5dcc) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Paolo Bonzini 提交于
When icount is active, tb_add_jump is surprisingly called with an out of bounds basic block index. I have no idea how that can work, but it does not seem like a good idea. Clear *last_tb for all TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is refill icount_extra. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 43d70ddf) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Li Qiang 提交于
When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. Signed-off-by: NLi Qiang <liqiang6-s@360.cn> { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Fixes: d3532a0d (CVE-2014-8106) Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: NLaszlo Ersek <lersek@redhat.com> (cherry picked from commit 62d4c6bd) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christian Borntraeger 提交于
We must reset the CMMA states for normal memory (when not on mem path), but the current code does the opposite. This was unnoticed for some time as the kernel since 4.6 also had a bug which mostly disabled the paging optimizations. Fixes: 07059eff ("s390x/kvm: let the CPU model control CMM(A)") Cc: qemu-stable@nongnu.org # v2.8 Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 0cf4d747) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Lieven 提交于
nb_cls_shrunk in iscsi_allocmap_update can become -1 if the request starts and ends within the same cluster. This results in passing -1 to bitmap_set and bitmap_clear and they don't handle negative values properly. In the end this leads to data corruption. Fixes: e1123a3b Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Lieven <pl@kamp.de> Message-Id: <1484579832-18589-1-git-send-email-pl@kamp.de> Reviewed-by: NFam Zheng <famz@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 1da45e0c) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
Coverity reports that ARRAY_SIZE(elem->out_sg) (and all the others too) is wrong because elem->out_sg is a pointer. However, the check is not in the right place and the max_size argument of virtqueue_map_iovec can be removed. The check on in_num/out_num should be moved to qemu_get_virtqueue_element instead, before the call to virtqueue_alloc_element. Cc: qemu-stable@nongnu.org Reported-by: NPaolo Bonzini <pbonzini@redhat.com> Fixes: 3724650d ("virtio: introduce virtqueue_alloc_element") Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com> (cherry picked from commit 6bdc21c0) * dropped context dep on 8607f5c3Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Daniel P. Berrange 提交于
Wayland always uses evdev as its input source, so QEMU can use the existing evdev keymap data Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> Tested-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 20161201094117.16407-1-berrange@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit a8ffb372) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Richard Henderson 提交于
There were some patterns, like 0x0000_ffff_ffff_00ff, for which we would select to begin a multi-insn sequence with MOVN, but would fail to set the 0x0000 lane back from 0xffff. Signed-off-by: NRichard Henderson <rth@twiddle.net> Message-Id: <20161207180727.6286-3-rth@twiddle.net> (cherry picked from commit 8cf9a3d3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Richard Henderson 提交于
When al == xzr, we cannot use addi/subi because that encodes xsp. Force a zero into the temp register for that (rare) case. Signed-off-by: NRichard Henderson <rth@twiddle.net> Message-Id: <20161207180727.6286-2-rth@twiddle.net> (cherry picked from commit b1eb20da) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Marc-André Lureau 提交于
CharDriverState.be should be updated to point to the current associated backend. Fix the regression introduced in the "mux" chardev from commit a4afa548. https://bugs.launchpad.net/bugs/1654137Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20170110110621.15287-1-marcandre.lureau@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit fb5e19d2) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Xu 提交于
Split irqchip works based on the fact that we kept the first 24 gsi routing entries inside KVM for userspace ioapic's use. When system boot, we'll reserve these MSI routing entries before hand. However, after migration, we forgot to re-configure it up in the destination side. The result is, we'll get invalid gsi routing entries after migration (all empty), and we get interrupts with vector=0, then strange things happen, like keyboard hang. The solution is simple - we update them after migration, which is a one line fix. Signed-off-by: NPeter Xu <peterx@redhat.com> Message-Id: <1483952153-7221-4-git-send-email-peterx@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 0f254b1a) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Bruce Rogers 提交于
Commit 4299b90e added a check which is too broad, given that the source pitch value is not required to be initialized for solid fill operations. This patch refines the blit_is_unsafe() check to ignore source pitch in that case. After applying the above commit as a security patch, we noticed the SLES 11 SP4 guest gui failed to initialize properly. Signed-off-by: NBruce Rogers <brogers@suse.com> Message-id: 20170109203520.5619-1-brogers@suse.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 913a8788) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Roman Kapl 提交于
rcu_read_unlock was not called if the address_space_access_valid result is negative. This caused (at least) a problem when qemu on PPC/E500+TAP failed to terminate properly and instead got stuck in a deadlock. Signed-off-by: NRoman Kapl <rka@sysgo.com> Message-Id: <20170109110921.4931-1-rka@sysgo.com> Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 5ad4a2b7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Gonglei 提交于
Because the 'size_t' type is 4 bytes in 32-bit platform, which is the same with 'int'. It's easy to make 'max_len' to zero when integer overflow and then cause heap overflow if 'max_len' is zero. Using uint_64 instead of size_t to avoid the integer overflow. Cc: qemu-stable@nongnu.org Reported-by: NLi Qiang <liqiang6-s@360.cn> Signed-off-by: NGonglei <arei.gonglei@huawei.com> Tested-by: NLi Qiang <liqiang6-s@360.cn> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit a08aaff8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Caoxinhua 提交于
QEMU will crash with the follow backtrace if the new created thread exited before we call qemu_thread_set_name() for it. (gdb) bt #0 0x00007f9a68b095d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007f9a68b0acc8 in __GI_abort () at abort.c:90 #2 0x00007f9a69cda389 in PAT_abort () from /usr/lib64/libuvpuserhotfix.so #3 0x00007f9a69cdda0d in patchIllInsHandler () from /usr/lib64/libuvpuserhotfix.so #4 <signal handler called> #5 pthread_setname_np (th=140298470549248, name=name@entry=0x8cc74a "io-task-worker") at ../nptl/sysdeps/unix/sysv/linux/pthread_setname.c:49 #6 0x00000000007f5f20 in qemu_thread_set_name (thread=thread@entry=0x7ffd2ac09680, name=name@entry=0x8cc74a "io-task-worker") at util/qemu_thread_posix.c:459 #7 0x00000000007f679e in qemu_thread_create (thread=thread@entry=0x7ffd2ac09680, name=name@entry=0x8cc74a "io-task-worker",start_routine=start_routine@entry=0x7c1300 <qio_task_thread_worker>, arg=arg@entry=0x7f99b8001720, mode=mode@entry=1) at util/qemu_thread_posix.c:498 #8 0x00000000007c15b6 in qio_task_run_in_thread (task=task@entry=0x7f99b80033d0, worker=worker@entry=0x7bd920 <qio_channel_socket_connect_worker>, opaque=0x7f99b8003370, destroy=0x7c6220 <qapi_free_SocketAddress>) at io/task.c:133 #9 0x00000000007bda04 in qio_channel_socket_connect_async (ioc=0x7f99b80014c0, addr=0x37235d0, callback=callback@entry=0x54ad00 <qemu_chr_socket_connected>, opaque=opaque@entry=0x38118b0, destroy=destroy@entry=0x0) at io/channel_socket.c:191 #10 0x00000000005487f6 in socket_reconnect_timeout (opaque=0x38118b0) at qemu_char.c:4402 #11 0x00007f9a6a1533b3 in g_timeout_dispatch () from /usr/lib64/libglib-2.0.so.0 #12 0x00007f9a6a15299a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 #13 0x0000000000747386 in glib_pollfds_poll () at main_loop.c:227 #14 0x0000000000747424 in os_host_main_loop_wait (timeout=404000000) at main_loop.c:272 #15 0x0000000000747575 in main_loop_wait (nonblocking=nonblocking@entry=0) at main_loop.c:520 #16 0x0000000000557d31 in main_loop () at vl.c:2170 #17 0x000000000041c8b7 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:5083 Let's detach the new thread after calling qemu_thread_set_name(). Signed-off-by: NCaoxinhua <caoxinhua@huawei.com> Signed-off-by: Nzhanghailiang <zhang.zhanghailiang@huawei.com> Message-Id: <1483493521-9604-1-git-send-email-zhang.zhanghailiang@huawei.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 2f75bd73) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Thomas Huth 提交于
If the buffer is not big enough, snprintf() does not return the number of bytes that have been written to the buffer, but the number of bytes that would be needed for writing the whole string. By using this value for the following vnc_write() calls, we send some junk at the end of the name in case the qemu_name is longer than 1017 bytes, which could confuse the VNC clients. Fix this by adding an additional size check here. Buglink: https://bugs.launchpad.net/qemu/+bug/1637447Signed-off-by: NThomas Huth <thuth@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-id: 1479749115-21932-1-git-send-email-thuth@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 97efe4f9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Paolo Bonzini 提交于
The direction is wrong; scsi_block_is_passthrough returns false for commands that *can* use sglists. Reported-by: NZhang Qian <zhangqian@sangfor.com.cn> Fixes: 8fdc7839 Cc: qemu-stable@nongnu.org Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 1f8af0d1) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Hervé Poussineau 提交于
This patch fixes a segfault at QEMU startup, introduced in a0815632. gd_vc_find_current() return NULL, which is dereferenced without checking it. While at it, disable the whole 'View' menu if no console exists. Reproducer: qemu-system-i386 -M none -nodefaults Signed-off-by: NHervé Poussineau <hpoussin@reactos.org> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 1483263585-8101-1-git-send-email-hpoussin@reactos.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 3d4da9d6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Igor Mammedov 提交于
'hotplugged' propperty is meant to be used on migration side when migrating source with hotplugged devices. However though it not exacly correct usage of 'hotplugged' property it's possible to set generic hotplugged property for CPU using -cpu foo,hotplugged=on or -global foo.hotplugged=on in this case qemu crashes with following backtrace: ... because pc_cpu_plug() assumes that hotplugged CPU could appear only after rtc/fw_cfg are initialized. Fix crash by replacing assumption with explicit checks of rtc/fw_cfg and updating them only if they were initialized. Cc: qemu-stable@nongnu.org Reported-by: NEduardo Habkost <ehabkost@redhat.com> Reviewed-by: NEduardo Habkost <ehabkost@redhat.com> Signed-off-by: NIgor Mammedov <imammedo@redhat.com> Message-Id: <1483108391-199542-1-git-send-email-imammedo@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 26ef65be) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
If the user passes -device virtio-9p without the corresponding -fsdev, QEMU dereferences a NULL pointer and crashes. This is a 2.8 regression introduced by commit 702dbcc2. Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NLi Qiang <liq3ea@gmail.com> (cherry picked from commit f2b58c43) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Halil Pasic 提交于
Correct recalculation of vq->inuse after migration for the corner case where the avail_idx has already wrapped but used_idx not yet. Also change the type of the VirtQueue.inuse to unsigned int. This is done to be consistent with other members representing sizes (VRing.num), and because C99 guarantees max ring size < UINT_MAX but does not guarantee max ring size < INT_MAX. Signed-off-by: NHalil Pasic <pasic@linux.vnet.ibm.com> Fixes: bccdef6b ("virtio: recalculate vq->inuse after migration") CC: qemu-stable@nongnu.org Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit e66bcc40) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Michael S. Tsirkin 提交于
PCI Express downstream slot has a single PCI slot behind it, using PCI_DEVFN(PCI_SLOT(devfn), 0) does not give you function 0 in cases such as ARI as well as some error cases. This is exactly what we are hitting: $ qemu-system-x86_64 -machine q35 -readconfig docs/q35-chipset.cfg -monitor stdio (qemu) device_add e1000e,bus=ich9-pcie-port-4,addr=00 (qemu) device_add e1000e,bus=ich9-pcie-port-4,addr=08 Segmentation fault (core dumped) The fix is to use the pci_get_function_0 API. Cc: qemu-stable@nongnu.org Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reported-by: NEduardo Habkost <ehabkost@redhat.com> Tested-by: NCao jin <caoj.fnst@cn.fujitsu.com> Tested-by: NEduardo Habkost <ehabkost@redhat.com> Reviewed-by: NEduardo Habkost <ehabkost@redhat.com> (cherry picked from commit d93ddfb1) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Dr. David Alan Gilbert 提交于
A broken guest can specify physical addresses that correspond to any memory region, but it shouldn't be able to change ROM. Signed-off-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Cc: qemu-stable@nongnu.org Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit f2fd57db) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Eduardo Habkost 提交于
Original problem description by Greg Kurz: > Since commit "9a4c0e22 hw/virtio-pci: fix virtio > behaviour", passing -device virtio-blk-pci.disable-modern=off > has no effect on 2.6 machine types because the internal > virtio-pci.disable-modern=on compat property always prevail. The same bug also affects other abstract type names mentioned on compat_props by machine-types: apic-common, i386-cpu, pci-device, powerpc64-cpu, s390-skeys, spapr-pci-host-bridge, usb-device, virtio-pci, x86_64-cpu. The right fix for this problem is to make sure compat_props and -global options are always applied in the order they are registered, instead of reordering them based on the type hierarchy. But changing the ordering rules of -global is risky and might break existing configurations, so we shouldn't do that on a stable branch. This is a temporary hack that will work around the bug when registering compat_props properties: if we find an abstract class on compat_props, register properties for all its non-abstract subtypes instead. This will make sure -global won't be overridden by compat_props, while keeping the existing ordering rules on -global options. Note that there's one case that won't be fixed by this hack: "-global spapr-pci-vfio-host-bridge.<option>=<value>" won't be able to override compat_props, because spapr-pci-host-bridge is not an abstract class. Signed-off-by: NEduardo Habkost <ehabkost@redhat.com> Message-Id: <1481575745-26120-1-git-send-email-ehabkost@redhat.com> Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: NHalil Pasic <pasic@linux.vnet.ibm.com> Reviewed-by: NGreg Kurz <groug@kaod.org> Tested-by: NGreg Kurz <groug@kaod.org> Signed-off-by: NEduardo Habkost <ehabkost@redhat.com> (cherry picked from commit 0bcba41f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make QEMU vulnerable. While here, we also fix local_unlinkat_common() to use openat_dir() for the same reasons (it was a leftover in the original patchset actually). This fixes CVE-2016-9602. Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NDaniel P. Berrange <berrange@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> (cherry picked from commit b003fc0d) Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the openat() syscall simply finds the name in the VFS, and doesn't trigger the underlying filesystem. On systems that don't define O_PATH, because they have glibc version 2.13 or older for example, we can safely omit it. We don't want to deactivate O_PATH globally though, in case it is used without O_DIRECTORY. The is done with a dedicated macro. Systems without O_PATH may thus fail to resolve names that involve unreadable directories, compared to newer systems succeeding, but such corner case failure is our only option on those older systems to avoid the security hole of chasing symlinks inappropriately. Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NEric Blake <eblake@redhat.com> (added last paragraph to changelog as suggested by Eric Blake) Signed-off-by: NGreg Kurz <groug@kaod.org> (cherry picked from commit 918112c0) Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
The name argument can never be an empty string, and dirfd always point to the containing directory of the file name. AT_EMPTY_PATH is hence useless here. Also it breaks build with glibc version 2.13 and older. It is actually an oversight of a previous tentative patch to implement this function. We can safely drop it. Reported-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: NGreg Kurz <groug@kaod.org> Tested-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: NEric Blake <eblake@redhat.com> (cherry picked from commit b314f6a0) Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Greg Kurz 提交于
If we cannot open the given path, we can return right away instead of passing -1 to fstatfs() and close(). This will make Coverity happy. (Coverity issue CID1371729) Signed-off-by: NGreg Kurz <groug@kaod.org> Reviewed-by: NDaniel P. berrange <berrange@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> (cherry picked from commit 23da0145) Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-