- 10 6月, 2020 10 次提交
-
-
由 Greg Kurz 提交于
Locking was introduced in QEMU 2.7 to address the deprecation of readdir_r(3) in glibc 2.24. It turns out that the frontend code is the worst place to handle a critical section with a pthread mutex: the code runs in a coroutine on behalf of the QEMU mainloop and then yields control, waiting for the fsdev backend to process the request in a worker thread. If the client resends another readdir request for the same fid before the previous one finally unlocked the mutex, we're deadlocked. This never bit us because the linux client serializes readdir requests for the same fid, but it is quite easy to demonstrate with a custom client. A good solution could be to narrow the critical section in the worker thread code and to return a copy of the dirent to the frontend, but this causes quite some changes in both 9p.c and codir.c. So, instead of that, in order for people to easily backport the fix to older QEMU versions, let's simply use a CoMutex since all the users for this sit in coroutines. Fixes: 7cde47d4 ("9p: add locking to V9fsDir") Reviewed-by: NChristian Schoenebeck <qemu_oss@crudebyte.com> Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan> Signed-off-by: NGreg Kurz <groug@kaod.org> (cherry picked from commit ed463454) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Raphael Pour 提交于
Close inherited stderr of the parent if fork_process is false. Otherwise no one will close it. (introduced by e6df58a5) This only affected 'qemu-nbd -c /dev/nbd0'. Signed-off-by: NRaphael Pour <raphael.pour@hetzner.com> Message-Id: <d8ddc993-9816-836e-a3de-c6edab9d9c49@hetzner.com> Reviewed-by: NEric Blake <eblake@redhat.com> [eblake: Enhance commit message] Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 0eaf453e) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Richard Henderson 提交于
Must clear the tail for AdvSIMD when SVE is enabled. Fixes: ca40a6e6 Cc: qemu-stable@nongnu.org Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org> Message-id: 20200513163245.17915-15-richard.henderson@linaro.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit 525d9b6d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Igor Mammedov 提交于
Since 5.0 QEMU uses hostmem backend for allocating main guest RAM. The backend however calls mbind() which is typically NOP in case of default policy/absent host-nodes bitmap. However when runing in container with black-listed mbind() syscall, QEMU fails to start with error "cannot bind memory to host NUMA nodes: Operation not permitted" even when user hasn't provided host-nodes to pin to explictly (which is the case with -m option) To fix issue, call mbind() only in case when user has provided host-nodes explicitly (i.e. host_nodes bitmap is not empty). That should allow to run QEMU in containers with black-listed mbind() without memory pinning. If QEMU provided memory-pinning is required user still has to white-list mbind() in container configuration. Reported-by: NManuel Hohmann <mhohmann@physnet.uni-hamburg.de> Signed-off-by: NIgor Mammedov <imammedo@redhat.com> Message-Id: <20200430154606.6421-1-imammedo@redhat.com> Tested-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NEduardo Habkost <ehabkost@redhat.com> (cherry picked from commit 70b6d525) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Nicholas Piggin 提交于
If mtmsr L=1 sets MSR[EE] while there is a maskable exception pending, it does not cause an interrupt. This causes the test case to hang: https://lists.gnu.org/archive/html/qemu-ppc/2019-10/msg00826.html More recently, Linux reduced the occurance of operations (e.g., rfi) which stop translation and allow pending interrupts to be processed. This started causing hangs in Linux boot in long-running kernel tests, running with '-d int' shows the decrementer stops firing despite DEC wrapping and MSR[EE]=1. https://lists.ozlabs.org/pipermail/linuxppc-dev/2020-April/208301.html The cause is the broken mtmsr L=1 behaviour, which is contrary to the architecture. From Power ISA v3.0B, p.977, Move To Machine State Register, Programming Note states: If MSR[EE]=0 and an External, Decrementer, or Performance Monitor exception is pending, executing an mtmsrd instruction that sets MSR[EE] to 1 will cause the interrupt to occur before the next instruction is executed, if no higher priority exception exists Fix this by handling L=1 exactly the same way as L=0, modulo the MSR bits altered. The confusion arises from L=0 being "context synchronizing" whereas L=1 is "execution synchronizing", which is a weaker semantic. However this is not a relaxation of the requirement that these exceptions cause interrupts when MSR[EE]=1 (e.g., when mtmsr executes to completion as TCG is doing here), rather it specifies how a pipelined processor can have multiple instructions in flight where one may influence how another behaves. Cc: qemu-stable@nongnu.org Reported-by: NAnton Blanchard <anton@ozlabs.org> Reported-by: NNathan Chancellor <natechancellor@gmail.com> Tested-by: NNathan Chancellor <natechancellor@gmail.com> Signed-off-by: NNicholas Piggin <npiggin@gmail.com> Message-Id: <20200414111131.465560-1-npiggin@gmail.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Tested-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 5ed19506) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Philippe Mathieu-Daudé 提交于
vu_queue_pop() returns memory that must be freed with free(). Cc: qemu-stable@nongnu.org Reported-by: Coverity (CID 1421887 ALLOC_FREE_MISMATCH) Suggested-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> (cherry picked from commit 4ff97121) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Anthony PERARD 提交于
Commit a31ca680 ("qemu/queue.h: clear linked list pointers on remove") revealed that a request was removed twice from a list, once in xen_block_finish_request() and a second time in xen_block_release_request() when both function are called from xen_block_complete_aio(). But also, the `requests_inflight' counter is decreased twice, and thus became negative. This is a bug that was introduced in bfd0d636 ("xen-block: improve response latency"), where a `finished' list was removed. That commit also introduced a leak of request in xen_block_do_aio(). That function calls xen_block_finish_request() but the request is never released after that. To fix both issue, we do two changes: - we squash finish_request() and release_request() together as we want to remove a request from 'inflight' list to add it to 'freelist'. - before releasing a request, we need to let the other end know the result, thus we should call xen_block_send_response() before releasing a request. The first change fixes the double QLIST_REMOVE() as we remove the extra call. The second change makes the leak go away because if we want to call finish_request(), we need to call a function that does all of finish, send response, and release. Fixes: bfd0d636 ("xen-block: improve response latency") Signed-off-by: NAnthony PERARD <anthony.perard@citrix.com> Message-Id: <20200406140217.1441858-1-anthony.perard@citrix.com> Reviewed-by: NPaul Durrant <paul@xen.org> [mreitz: Amended commit message as per Paul's suggestions] Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit 36d883ba) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
In write_elf_section() we set the 'shdr' pointer to point to local structures shdr32 or shdr64, which we fill in to be written out to the ELF dump. Unfortunately the address we pass to fd_write_vmcore() has a spurious '&' operator, so instead of writing out the section header we write out the literal pointer value followed by whatever is on the stack after the 'shdr' local variable. Pass the correct address into fd_write_vmcore(). Spotted by Coverity: CID 1421970. Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200324173630.12221-1-peter.maydell@linaro.org (cherry picked from commit 174d2d68) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Richard Henderson 提交于
We were only constructing the 64-bit element, and not replicating the 64-bit element across the rest of the vector. Cc: qemu-stable@nongnu.org Signed-off-by: NRichard Henderson <richard.henderson@linaro.org> (cherry picked from commit e20cb81d) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Peter Maydell 提交于
In the function amdvi_log_event(), we write an event log buffer entry into guest ram, whose contents are passed to the function via the "uint64_t *evt" argument. Unfortunately, a spurious '&' in the call to dma_memory_write() meant that instead of writing the event to the guest we would write the literal value of the pointer, plus whatever was in the following 8 bytes on the stack. This error was spotted by Coverity. Fix the bug by removing the '&'. Fixes: CID 1421945 Cc: qemu-stable@nongnu.org Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit 32a2d6b1) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
- 04 6月, 2020 13 次提交
-
-
由 Stefan Hajnoczi 提交于
Although qemu-ga has supported vsock since 2016 it was not documented on the man page. Also add the socket address representation to the qga --help output. Fixes: 586ef5de ("qga: add vsock-listen method") Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: NStefano Garzarella <sgarzare@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit 7b46aadb) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Eric Blake 提交于
The QAPI struct GuestFileWhence has a comment about how we are exploiting equivalent values between two different integer types shared in a union. But C says behavior is undefined on assignments to overlapping storage when the two types are not the same width, and indeed, 'int64_t value' and 'enum QGASeek name' are very likely to be different in width. Utilize a temporary variable to fix things. Reported-by: NPeter Maydell <peter.maydell@linaro.org> Fixes: 0b4b4938 Fixes: Coverity CID 1421990 Signed-off-by: NEric Blake <eblake@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit a23f38a7) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Basil Salman 提交于
guest-file-read command is currently implemented to read from a file handle count number of bytes. when executed with a very large count number qemu-ga crashes. after some digging turns out that qemu-ga crashes after trying to allocate a buffer large enough to save the data read in it, the buffer was allocated using g_malloc0 which is not fail safe, and results a crash in case of failure. g_malloc0 was replaced with g_try_malloc0() which returns NULL on failure, A check was added for that case in order to prevent qemu-ga from crashing and to send a response to the qemu-ga client accordingly. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1594054Signed-off-by: NBasil Salman <basil@daynix.com> Reported-by: NFakhri Zulkifli <mohdfakhrizulkifli@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit 807e2b6f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Sameeh Jubran 提交于
This patch handles the case where VSS Provider is already registered, where in such case qga uninstalls the provider and registers it again. Signed-off-by: NSameeh Jubran <sjubran@redhat.com> Signed-off-by: NBasil Salman <basil@daynix.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit b2413df8) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Basil Salman 提交于
Installation might fail if we don't wait for the provider unregisteration process to finish. Signed-off-by: NSameeh Jubran <sjubran@redhat.com> Signed-off-by: NBasil Salman <basil@daynix.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com> (cherry picked from commit bb1ce44b) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Cornelia Huck 提交于
Commit bb157911 ("compat: disable edid on virtio-gpu base device") tried to disable 'edid' on the virtio-gpu base device. However, that device is not 'virtio-gpu', but 'virtio-gpu-device'. Fix it. Fixes: bb157911 ("compat: disable edid on virtio-gpu base device") Reported-by: NLukáš Doktor <ldoktor@redhat.com> Tested-by: NLukáš Doktor <ldoktor@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NCornelia Huck <cohuck@redhat.com> Message-id: 20200318093919.24942-1-cohuck@redhat.com Cc: qemu-stable@nongnu.org Signed-off-by: NCornelia Huck <cohuck@redhat.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 02501fc3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
Prior to 1143ec5e it was OK to qemu_iovec_from_buf() from aligned-up buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end anyway. But after 1143ec5e we assume that bdrv_co_do_copy_on_readv works on part of original qiov, defined by qiov_offset and bytes. So we must not touch qiov behind qiov_offset+bytes bound. Fix it. Cc: qemu-stable@nongnu.org # v4.2 Fixes: 1143ec5eSigned-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: NJohn Snow <jsnow@redhat.com> Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 4ab78b19) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Vitaly Chikunov 提交于
rlwinm cannot just AND with Mask if shift value is zero on ppc64 when Mask Begin is greater than Mask End and high bits are set to 1. Note that PowerISA 3.0B says that for `rlwinm' ROTL32 is used, and ROTL32 is defined (in 3.3.14) so that rotated value should have two copies of lower word of the source value. This seems to be another incarnation of the fix from 820724d1 ("target-ppc: Fix rlwimi, rlwinm, rlwnm again"), except I leave optimization when Mask value is less than 32 bits. Fixes: 7b4d326f ("target-ppc: Use the new deposit and extract ops") Cc: qemu-stable@nongnu.org Signed-off-by: NVitaly Chikunov <vt@altlinux.org> Message-Id: <20200309204557.14836-1-vt@altlinux.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 94f040aa) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
Assume we have two regions, A and B, and region B is in-flight now, region A is not yet touched, but it is unallocated and should be skipped. Correspondingly, as progress we have total = A + B current = 0 If we reset unallocated region A and call progress_reset_callback, it will calculate 0 bytes dirty in the bitmap and call job_progress_set_remaining, which will set total = current + 0 = 0 + 0 = 0 So, B bytes are actually removed from total accounting. When job finishes we'll have total = 0 current = B , which doesn't sound good. This is because we didn't considered in-flight bytes, actually when calculating remaining, we should have set (in_flight + dirty_bytes) as remaining, not only dirty_bytes. To fix it, let's refactor progress calculation, moving it to block-copy itself instead of fixing callback. And, of course, track in_flight bytes count. We still have to keep one callback, to maintain backup job bytes_read calculation, but it will go on soon, when we turn the whole backup process into one block_copy call. Cc: qemu-stable@nongnu.org Signed-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: NAndrey Shinkevich <andrey.shinkevich@virtuozzo.com> Message-Id: <20200311103004.7649-3-vsementsov@virtuozzo.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit d0ebeca1) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
We need it in separate to pass to the block-copy object in the next commit. Cc: qemu-stable@nongnu.org Signed-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: NAndrey Shinkevich <andrey.shinkevich@virtuozzo.com> Reviewed-by: NMax Reitz <mreitz@redhat.com> Message-Id: <20200311103004.7649-2-vsementsov@virtuozzo.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit 01fe1ca9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
On success path we return what inflate() returns instead of 0. And it most probably works for Z_STREAM_END as it is positive, but is definitely broken for Z_BUF_ERROR. While being here, switch to errno return code, to be closer to qcow2_compress API (and usual expectations). Revert condition in if to be more positive. Drop dead initialization of ret. Cc: qemu-stable@nongnu.org # v4.0 Fixes: 341926abSigned-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-Id: <20200302150930.16218-1-vsementsov@virtuozzo.com> Reviewed-by: NAlberto Garcia <berto@igalia.com> Reviewed-by: NJán Tomko <jtomko@redhat.com> Signed-off-by: NMax Reitz <mreitz@redhat.com> (cherry picked from commit e7266570) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christophe de Dinechin 提交于
Compile error reported by gcc 10.0.1: scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: scsi/qemu-pr-helper.c:523:32: error: array subscript <unknown> is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] 523 | paramp.trnptid_list[paramp.num_transportid++] = id; | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from scsi/qemu-pr-helper.c:36: /usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ 168 | struct transportid *trnptid_list[]; | ^~~~~~~~~~~~ scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ 424 | struct prout_param_descriptor paramp; | ^~~~~~ This highlights an actual implementation issue in function multipath_pr_out. The variable paramp is declared with type `struct prout_param_descriptor`, which is a struct terminated by an empty array in mpath_persist.h: struct transportid *trnptid_list[]; That empty array was filled with code that looked like that: trnptid_list[paramp.descr.num_transportid++] = id; This is an actual out-of-bounds access. The fix is to malloc `paramp`. Signed-off-by: NChristophe de Dinechin <dinechin@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 4ce1e15f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Stefan Hajnoczi 提交于
The virtqueue code sets up MemoryRegionCaches to access the virtqueue guest RAM data structures. The code currently assumes that VRingMemoryRegionCaches is initialized before device emulation code accesses the virtqueue. An assertion will fail in vring_get_region_caches() when this is not true. Device fuzzing found a case where this assumption is false (see below). Virtqueue guest RAM addresses can also be changed from a vCPU thread while an IOThread is accessing the virtqueue. This breaks the same assumption but this time the caches could become invalid partway through the virtqueue code. The code fetches the caches RCU pointer multiple times so we will need to validate the pointer every time it is fetched. Add checks each time we call vring_get_region_caches() and treat invalid caches as a nop: memory stores are ignored and memory reads return 0. The fuzz test failure is as follows: $ qemu -M pc -device virtio-blk-pci,id=drv0,drive=drive0,addr=4.0 \ -drive if=none,id=drive0,file=null-co://,format=raw,auto-read-only=off \ -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \ -display none \ -qtest stdio endianness outl 0xcf8 0x80002020 outl 0xcfc 0xe0000000 outl 0xcf8 0x80002004 outw 0xcfc 0x7 write 0xe0000000 0x24 0x00ffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab5cffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab0000000001 inb 0x4 writew 0xe000001c 0x1 write 0xe0000014 0x1 0x0d The following error message is produced: qemu-system-x86_64: /home/stefanha/qemu/hw/virtio/virtio.c:286: vring_get_region_caches: Assertion `caches != NULL' failed. The backtrace looks like this: #0 0x00007ffff5520625 in raise () at /lib64/libc.so.6 #1 0x00007ffff55098d9 in abort () at /lib64/libc.so.6 #2 0x00007ffff55097a9 in _nl_load_domain.cold () at /lib64/libc.so.6 #3 0x00007ffff5518a66 in annobin_assert.c_end () at /lib64/libc.so.6 #4 0x00005555559073da in vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:286 #5 vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:283 #6 0x000055555590818d in vring_used_flags_set_bit (mask=1, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398 #7 virtio_queue_split_set_notification (enable=0, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398 #8 virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:451 #9 0x0000555555908512 in virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:444 #10 0x00005555558c697a in virtio_blk_handle_vq (s=0x5555575c57e0, vq=0x5555575ceea0) at qemu/hw/block/virtio-blk.c:775 #11 0x0000555555907836 in virtio_queue_notify_aio_vq (vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:2244 #12 0x0000555555cb5dd7 in aio_dispatch_handlers (ctx=ctx@entry=0x55555671a420) at util/aio-posix.c:429 #13 0x0000555555cb67a8 in aio_dispatch (ctx=0x55555671a420) at util/aio-posix.c:460 #14 0x0000555555cb307e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at util/async.c:260 #15 0x00007ffff7bbc510 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0 #16 0x0000555555cb5848 in glib_pollfds_poll () at util/main-loop.c:219 #17 os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:242 #18 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:518 #19 0x00005555559b20c9 in main_loop () at vl.c:1683 #20 0x0000555555838115 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4441 Reported-by: NAlexander Bulekov <alxndr@bu.edu> Cc: Michael Tsirkin <mst@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200207104619.164892-1-stefanha@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> (cherry picked from commit abdd16f4) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
- 02 6月, 2020 17 次提交
-
-
由 Max Reitz 提交于
Test what happens when writing data to an external data file, where the write requires an L2 entry to be allocated, but the data write fails. Signed-off-by: NMax Reitz <mreitz@redhat.com> Message-Id: <20200225143130.111267-4-mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 81311255) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Reitz 提交于
Test what happens when writing data to a preallocated zero cluster, but the data write fails. Signed-off-by: NMax Reitz <mreitz@redhat.com> Message-Id: <20200225143130.111267-3-mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 31ab00f3) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Max Reitz 提交于
handle_alloc() reuses preallocated zero clusters. If anything goes wrong during the data write, we do not change their L2 entry, so we must not let qcow2_alloc_cluster_abort() free them. Fixes: 8b24cd14 Cc: qemu-stable@nongnu.org Signed-off-by: NMax Reitz <mreitz@redhat.com> Message-Id: <20200225143130.111267-2-mreitz@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit 3ede935f) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Kevin Wolf 提交于
This adds a test for 'qemu-img convert' with copy offloading where the target image has an external data file. If the test hosts supports it, it tests both the case where copy offloading is supported and the case where it isn't (otherwise we just test unsupported twice). More specifically, the case with unsupported copy offloading tests qcow2_alloc_cluster_abort() with external data files. Signed-off-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200211094900.17315-4-kwolf@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit a0cf8daf) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Kevin Wolf 提交于
For external data file, cluster allocations return an offset in the data file and are not refcounted. In this case, there is nothing to do for qcow2_alloc_cluster_abort(). Freeing the same offset in the qcow2 file is wrong and causes crashes in the better case or image corruption in the worse case. Signed-off-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200211094900.17315-3-kwolf@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit c3b6658c) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Kevin Wolf 提交于
In the case that update_refcount() frees a refcount block, it evicts it from the metadata cache. Before doing so, however, it returns the currently used refcount block to the cache because it might be the same. Returning the refcount block early means that we need to reset old_table_index so that we reload the refcount block in the next iteration if it is actually still in use. Fixes: f71c08eaSigned-off-by: NKevin Wolf <kwolf@redhat.com> Message-Id: <20200211094900.17315-2-kwolf@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com> (cherry picked from commit dea9052e) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Alex Bennée 提交于
While do_gen_mem_cb does copy (via extu_tl_i64) vaddr into a new temp this won't help if the vaddr temp gets clobbered by the actual load/store op. To avoid this clobbering we explicitly copy vaddr before the op to ensure it is live my the time we do the instrumentation. Suggested-by: NRichard Henderson <richard.henderson@linaro.org> Signed-off-by: NAlex Bennée <alex.bennee@linaro.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Reviewed-by: NEmilio G. Cota <cota@braap.org> Cc: qemu-stable@nongnu.org Message-Id: <20200225124710.14152-18-alex.bennee@linaro.org> (cherry picked from commit fcc54ab5) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Emilio G. Cota 提交于
Fixes: 54cb65d8Reported-by: NRobert Henry <robhenry@microsoft.com> Signed-off-by: NEmilio G. Cota <cota@braap.org> Signed-off-by: NAlex Bennée <alex.bennee@linaro.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200105072940.32204-1-cota@braap.org> Cc: qemu-stable@nongnu.org Message-Id: <20200225124710.14152-12-alex.bennee@linaro.org> (cherry picked from commit dcc474c6) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Christian Borntraeger 提交于
There is a special quiesce PSW that we check for "shutdown". Otherwise disabled wait is detected as "crashed". Architecturally we must only check PSW bits 116-127. Fix this. Cc: qemu-stable@nongnu.org Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com> Message-Id: <1582204582-22995-1-git-send-email-borntraeger@de.ibm.com> Reviewed-by: NDavid Hildenbrand <david@redhat.com> Acked-by: NJanosch Frank <frankja@linux.ibm.com> Signed-off-by: NCornelia Huck <cohuck@redhat.com> (cherry picked from commit 8b51c096) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
Section 3.4.7 of the datasheet explains that, The RBE bit in the Interrupt Status register is set when the SONIC finishes using the second to last receive buffer and reads the last RRA descriptor. Actually, the SONIC is not truly out of resources, but gives the system an early warning of an impending out of resources condition. RBE does not mean actual receive buffer exhaustion, and reception should not be stopped. This is important because Linux will not check and clear the RBE interrupt until it receives another packet. But that won't happen if can_receive returns false. This bug causes the SONIC to become deaf (until reset). Fix this with a new flag to indicate actual receive buffer exhaustion. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit c2279bd0) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
The jazzsonic driver in Linux uses the Silicon Revision register value to probe the chip. The driver fails unless the SR register contains 4. Unfortunately, reading this register in QEMU usually returns 0 because the s->regs[] array gets wiped after a software reset. Fixes: bd8f1ebc ("net/dp8393x: fix hardware reset") Suggested-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit 083e21bb) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
These operations need to take place regardless of whether or not rx descriptors have been used up (that is, EOL flag was observed). The algorithm is now the same for a packet that was withheld as for a packet that was not. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit 80b60673) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
When the SONIC receives a packet into the last available descriptor, it retains ownership of that descriptor for as long as necessary. Section 3.4.7 of the datasheet says, When the system appends more descriptors, the SONIC releases ownership of the descriptor after writing 0000h to the RXpkt.in_use field. The packet can now be processed by the host, so raise a PKTRX interrupt, just like the normal case. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit d9fae131) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
The existing code has a bug where the Remaining Buffer Word Count (RBWC) is calculated with a truncating division, which gives the wrong result for odd-sized packets. Section 1.4.1 of the datasheet says, Once the end of the packet has been reached, the serializer will fill out the last word (16-bit mode) or long word (32-bit mode) if the last byte did not end on a word or long word boundary respectively. The fill byte will be 0FFh. Implement buffer padding so that buffer limits are correctly enforced. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit 350e7d9a) *drop context dependencies from b7cbebf2, 1ccda935, and 19f70347Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
Section 3.4.1 of the datasheet says, The alignment of the RRA is confined to either word or long word boundaries, depending upon the data width mode. In 16-bit mode, the RRA must be aligned to a word boundary (A0 is always zero) and in 32-bit mode, the RRA is aligned to a long word boundary (A0 and A1 are always zero). This constraint has been implemented for 16-bit mode; implement it for 32-bit mode too. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit ea227027) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
A received packet consumes pkt_size bytes in the buffer and the frame checksum that's appended to it consumes another 4 bytes. The Receive Buffer Address register takes the former quantity into account but not the latter. So the next packet written to the buffer overwrites the frame checksum. Fix this. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Tested-by: NLaurent Vivier <laurent@vivier.eu> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit bae112b8) *drop context dep. on 19f70347Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-
由 Finn Thain 提交于
Add a bounds check to prevent a large packet from causing a buffer overflow. This is defensive programming -- I haven't actually tried sending an oversized packet or a jumbo ethernet frame. The SONIC handles packets that are too big for the buffer by raising the RBAE interrupt and dropping them. Linux uses that interrupt to count dropped packets. Signed-off-by: NFinn Thain <fthain@telegraphics.com.au> Tested-by: NLaurent Vivier <laurent@vivier.eu> Signed-off-by: NJason Wang <jasowang@redhat.com> (cherry picked from commit ada74315) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
-