1. 11 5月, 2016 4 次提交
    • C
      configure: error on unknown --with-sdlabi value · e07047cf
      Cole Robinson 提交于
      I accidentally tried --with-sdlabi="1.0", and it failed much later in
      a weird way. Instead, throw an error if the value isn't in our
      whitelist.
      Signed-off-by: NCole Robinson <crobinso@redhat.com>
      Message-id: 60e4822e17697d257a914df03bdb9fff4b4c0490.1462557436.git.crobinso@redhat.com
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      e07047cf
    • C
      configure: build SDL if only SDL2 available · ee8466d0
      Cole Robinson 提交于
      Right now if SDL2 is installed but not SDL1, default configure will
      entirely disable SDL. Check upfront for SDL2 using pkg-config, but
      still prefer SDL1 if both versions are installed.
      Signed-off-by: NCole Robinson <crobinso@redhat.com>
      Message-id: c9e570b5964d128a3595efe3170129a3da459776.1462557436.git.crobinso@redhat.com
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      ee8466d0
    • C
      ui: sdl2: Release grab before opening console window · 56f289f3
      Cole Robinson 提交于
      sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
      rapidly in succession:
      
        https://bugzilla.libsdl.org/show_bug.cgi?id=3287
      
      It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
      odd or even number of times, thus determining whether the action
      succeeds or fails.
      
      Opening monitor/serial windows is doubly broken, since it will often
      lock the UI trying to grab the pointer:
      
        0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
        0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
        0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
        0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
        0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
        0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
        0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
        0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
        0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
        0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593
      
      We can work around that hang by ungrabbing the pointer before launching
      a new window. This roughly matches what our sdl1 code does
      Signed-off-by: NCole Robinson <crobinso@redhat.com>
      Message-id: 31c9ab6540b031f7a614c59edcecea9877685612.1462557436.git.crobinso@redhat.com
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      56f289f3
    • C
      ui: gtk: fix crash when terminal inner-border is NULL · 4fd811a6
      Cole Robinson 提交于
      VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
      code checks for the condition too so I assume it's not just a bug
      
      Fixes a crash on Fedora 24 with gtk 3.20
      Signed-off-by: NCole Robinson <crobinso@redhat.com>
      Message-id: 2b2e85d403e8760ea53afd735a170500d5c17716.1462557436.git.crobinso@redhat.com
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      4fd811a6
  2. 09 5月, 2016 2 次提交
  3. 03 5月, 2016 2 次提交
  4. 02 5月, 2016 7 次提交
    • G
      vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). · fd3c136b
      Gerd Hoffmann 提交于
      Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
      registers, to make sure the vga registers will always have the
      values needed by vbe mode.  This makes sure the sanity checks
      applied by vbe_fixup_regs() are effective.
      
      Without this guests can muck with shift_control, can turn on planar
      vga modes or text mode emulation while VBE is active, making qemu
      take code paths meant for CGA compatibility, but with the very
      large display widths and heigts settable using VBE registers.
      
      Which is good for one or another buffer overflow.  Not that
      critical as they typically read overflows happening somewhere
      in the display code.  So guests can DoS by crashing qemu with a
      segfault, but it is probably not possible to break out of the VM.
      
      Fixes: CVE-2016-3712
      Reported-by: NZuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
      Reported-by: NP J P <ppandit@redhat.com>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      fd3c136b
    • G
      vga: update vga register setup on vbe changes · 2068192d
      Gerd Hoffmann 提交于
      Call the new vbe_update_vgaregs() function on vbe configuration
      changes, to make sure vga registers are up-to-date.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      2068192d
    • G
      vga: factor out vga register setup · 7fa5c2c5
      Gerd Hoffmann 提交于
      When enabling vbe mode qemu will setup a bunch of vga registers to make
      sure the vga emulation operates in correct mode for a linear
      framebuffer.  Move that code to a separate function so we can call it
      from other places too.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      7fa5c2c5
    • G
      vga: add vbe_enabled() helper · bfa0f151
      Gerd Hoffmann 提交于
      Makes code a bit easier to read.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      bfa0f151
    • G
      vga: fix banked access bounds checking (CVE-2016-3710) · 3bf18170
      Gerd Hoffmann 提交于
      vga allows banked access to video memory using the window at 0xa00000
      and it supports a different access modes with different address
      calculations.
      
      The VBE bochs extentions support banked access too, using the
      VBE_DISPI_INDEX_BANK register.  The code tries to take the different
      address calculations into account and applies different limits to
      VBE_DISPI_INDEX_BANK depending on the current access mode.
      
      Which is probably effective in stopping misprogramming by accident.
      But from a security point of view completely useless as an attacker
      can easily change access modes after setting the bank register.
      
      Drop the bogus check, add range checks to vga_mem_{readb,writeb}
      instead.
      
      Fixes: CVE-2016-3710
      Reported-by: NQinghao Tang <luodalongde@gmail.com>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      3bf18170
    • J
      configure: Check if struct fsxattr is available from linux header · 277abf15
      Jan Vesely 提交于
      Fixes build failure with --enable-xfsctl and
      new linux headers (>=4.5) and older xfsprogs(<4.5):
      In file included from /usr/include/xfs/xfs.h:38:0,
                       from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:97:
      /usr/include/xfs/xfs_fs.h:42:8: error: redefinition of ‘struct fsxattr’
       struct fsxattr {
              ^
      In file included from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:60:0:
      /usr/include/linux/fs.h:155:8: note: originally defined here
       struct fsxattr {
      
      This is really a bug in the system headers, but we can work around it
      by defining HAVE_FSXATTR in the QEMU headers if linux/fs.h provides
      the struct, so that xfs_fs.h doesn't try to define it as well.
      
      CC: qemu-trivial@nongnu.org
      CC: Markus Armbruster <armbru@redhat.com>
      CC: Peter Maydell <peter.maydell@linaro.org>
      CC: Stefan Weil <sw@weilnetz.de>
      Tested-by: NStefan Weil <sw@weilnetz.de>
      Signed-off-by: NJan Vesely <jano.vesely@gmail.com>
      [PMM: adjusted commit message, comments]
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      277abf15
    • P
      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging · 20b0f5fe
      Peter Maydell 提交于
      acpi: last minute fix for 2.6
      
      Minor, obvious fix only affecting BE hosts.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      
      # gpg: Signature made Sun 01 May 2016 13:43:28 BST using RSA key ID D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
      # gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"
      
      * remotes/mst/tags/for_upstream:
        acpi: fix bios linker loadder COMMAND_ALLOCATE on bigendian host
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      20b0f5fe
  5. 01 5月, 2016 1 次提交
  6. 29 4月, 2016 6 次提交
  7. 28 4月, 2016 7 次提交
    • P
      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160428' into staging · 8c4bf975
      Peter Maydell 提交于
      MIPS patches 2016-04-28
      
      Changes:
      * fixed RDHWR exception host PC
      
      # gpg: Signature made Thu 28 Apr 2016 10:11:18 BST using RSA key ID 0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"
      
      * remotes/lalrae/tags/mips-20160428:
        target-mips: Fix RDHWR exception host PC
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      8c4bf975
    • P
      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2016-04-28' into staging · 736f85d5
      Peter Maydell 提交于
      Fix dangling pointers and error message regressions
      
      # gpg: Signature made Thu 28 Apr 2016 07:25:51 BST using RSA key ID EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
      # gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"
      
      * remotes/armbru/tags/pull-error-2016-04-28:
        qom: -object error messages lost location, restore it
        replay: Fix dangling location bug in replay_configure()
        QemuOpts: Fix qemu_opts_foreach() dangling location regression
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      736f85d5
    • P
      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160426' into staging · 61861eff
      Peter Maydell 提交于
      ppc patch queue for 2016-04-26 (last minute qemu-2.6 fix)
      
      This just has one, last-minute, fix for a serious regression of memory
      hotplug.
      
      Patch author's comment:
          Really sorry for the way last-minute fix, but without this memory
          hotplug is totally broken :( Hoping to get this in for Wednesday's
          RC4, which I think will be the final before release.
      
      # gpg: Signature made Tue 26 Apr 2016 03:52:20 BST using RSA key ID 20D9B392
      # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
      # gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
      # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392
      
      * remotes/dgibson/tags/ppc-for-2.6-20160426:
        spapr_drc: fix aborts during DRC-count based hotplug
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      61861eff
    • J
      target-mips: Fix RDHWR exception host PC · d96391c1
      James Hogan 提交于
      Commit b00c7218 ("target-mips: add PC, XNP reg numbers to RDHWR")
      changed the rdhwr helpers to use check_hwrena() to check the register
      being accessed is enabled in CP0_HWREna when used from user mode. If
      that check fails an EXCP_RI exception is raised at the host PC
      calculated with GETPC().
      
      However check_hwrena() may not be fully inlined as the
      do_raise_exception() part of it is common regardless of the arguments.
      This causes GETPC() to calculate the address in the call in the helper
      instead of the generated code calling the helper. No TB will be found
      and the EPC reported with the resulting guest RI exception points to the
      beginning of the TB instead of the RDHWR instruction.
      
      We can't reliably force check_hwrena() to be inlined, and converting it
      to a macro would be ugly, so instead pass the host PC in as an argument,
      with each rdhwr helper passing GETPC(). This should avoid any dependence
      on compiler behaviour, and in practice seems to ensure the full inlining
      of check_hwrena() on x86_64.
      
      This issue causes failures when running a MIPS KVM (trap & emulate)
      guest in a MIPS QEMU TCG guest, as the inner guest kernel will do a
      RDHWR of counter, which is disabled in the outer guest's CP0_HWREna by
      KVM so it can emulate the inner guest's counter. The emulation fails and
      the RI exception is passed to the inner guest.
      
      Fixes: b00c7218 ("target-mips: add PC, XNP reg numbers to RDHWR")
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Leon Alrae <leon.alrae@imgtec.com>
      Cc: Yongbok Kim <yongbok.kim@imgtec.com>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>
      Reviewed-by: NLeon Alrae <leon.alrae@imgtec.com>
      Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
      d96391c1
    • M
      qom: -object error messages lost location, restore it · 51b9b478
      Markus Armbruster 提交于
      qemu_opts_foreach() runs its callback with the error location set to
      the option's location.  Any errors the callback reports use the
      option's location automatically.
      
      Commit 90998d58 moved the actual error reporting from "inside"
      qemu_opts_foreach() to after it.  Here's a typical hunk:
      
      	 if (qemu_opts_foreach(qemu_find_opts("object"),
          -                          object_create,
          -                          object_create_initial, NULL)) {
          +                          user_creatable_add_opts_foreach,
          +                          object_create_initial, &err)) {
          +        error_report_err(err);
      	     exit(1);
      	 }
      
      Before, object_create() reports from within qemu_opts_foreach(), using
      the option's location.  Afterwards, we do it after
      qemu_opts_foreach(), using whatever location happens to be current
      there.  Commonly a "none" location.
      
      This is because Error objects don't have location information.
      Problematic.
      
      Reproducer:
      
          $ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar
          qemu-system-x86_64: Property '.foo' not found
      
      Note no location.  This commit restores it:
      
          qemu-system-x86_64: -object secret,id=foo,foo=bar: Property '.foo' not found
      
      Note that the qemu_opts_foreach() bug just fixed could mask the bug
      here: if the location it leaves dangling hasn't been clobbered, yet,
      it's the correct one.
      Reported-by: NEric Blake <eblake@redhat.com>
      Cc: Daniel P. Berrange <berrange@redhat.com>
      Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
      Message-Id: <1461767349-15329-4-git-send-email-armbru@redhat.com>
      Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      [Paragraph on Error added to commit message]
      51b9b478
    • M
      replay: Fix dangling location bug in replay_configure() · d9d3aaea
      Markus Armbruster 提交于
      replay_configure() pushes and pops a Location with automatic storage
      duration.  Except it fails to pop when -icount parameter "rr" isn't
      given.  cur_loc then points to unused stack space, and will most
      likely get clobbered in short order.
      
      Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
      report bogus locations.
      
      Broken in commit 890ad550.
      
      I didn't take the time to find a reproducer.
      
      Cc: Eduardo Habkost <ehabkost@redhat.com>
      Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
      Message-Id: <1461767349-15329-3-git-send-email-armbru@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
      d9d3aaea
    • M
      QemuOpts: Fix qemu_opts_foreach() dangling location regression · 37f32349
      Markus Armbruster 提交于
      qemu_opts_foreach() pushes and pops a Location with automatic storage
      duration.  Except it fails to pop when @func() returns non-zero.
      cur_loc then points to unused stack space, and will most likely get
      clobbered in short order.
      
      Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
      report bogus locations.
      
      Affects several qemu command line options as well as qemu-img,
      qemu-io, qemu-nbd -object, and blkdebug's configuration file.
      
      Broken in commit a4c7367f, v2.4.0.
      
      Reproducer:
          $ qemu-system-x86_64 -nodefaults -display none -object secret,id=foo,foo=bar
      
      main() reports "Property '.foo' not found" like this:
      
          if (qemu_opts_foreach(qemu_find_opts("object"),
                                user_creatable_add_opts_foreach,
                                object_create_delayed, &err)) {
              error_report_err(err);
              exit(1);
          }
      
      cur_loc then points to where qemu_opts_foreach()'s Location used to
      be, i.e. unused stack space.  With optimization, this Location doesn't
      get clobbered for me, and also happens to be the correct location.
      Without optimization, it does get clobbered in a way that makes
      error_report_err() report no location.
      Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
      Message-Id: <1461767349-15329-2-git-send-email-armbru@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      37f32349
  8. 26 4月, 2016 1 次提交
    • M
      spapr_drc: fix aborts during DRC-count based hotplug · df18b2db
      Michael Roth 提交于
      CPU/memory resources can be signalled en-masse via
      spapr_hotplug_req_add_by_count(), and when doing so, actually change
      the meaning of the 'drc' parameter passed to
      spapr_hotplug_req_event() to be a count rather than an index.
      
      f40eb921 added a hook in spapr_hotplug_req_event() to record when a
      device had been 'signalled' to the guest, but that code assumes that
      drc is always an index. In cases where it's a count, such as memory
      hotplug, the DRC lookup will fail, leading to an assert.
      
      Fix this by only explicitly setting the signalled state for cases where
      we are doing PCI hotplug.
      
      For other resources types, since we cannot selectively track whether a
      resource has been signalled in cases where we signal attach as a count,
      set the 'signalled' state to true immediately upon making the
      resource available via drck->attach().
      Reported-by: NBharata B Rao <bharata@linux.vnet.ibm.com>
      Cc: Bharata B Rao <bharata@linux.vnet.ibm.com>
      Cc: david@gibson.dropbear.id.au
      Cc: qemu-ppc@nongnu.org
      Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
      Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
      df18b2db
  9. 25 4月, 2016 2 次提交
    • G
      usb/uhci: move pid check · f419a626
      Gerd Hoffmann 提交于
      commit "5f77e06b usb: add pid check at the first of uhci_handle_td()"
      moved the pid verification to the start of the uhci_handle_td function,
      to simplify the error handling (we don't have to free stuff which we
      didn't allocate in the first place ...).
      
      Problem is now the check fires too often, it raises error IRQs even for
      TDs which we are not going to process because they are not set active.
      
      So, lets move down the check a bit, so it is done only for active TDs,
      but still before we are going to allocate stuff to process the requested
      transfer.
      Reported-by: NJoe Clifford <joe@thunderbug.co.uk>
      Tested-by: NJoe Clifford <joe@thunderbug.co.uk>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      Message-id: 1461321893-15811-1-git-send-email-kraxel@redhat.com
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      f419a626
    • P
      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.6-20160423' into staging · 3123bd8e
      Peter Maydell 提交于
      ppc patch queue for 2016-03-23
      
      A single fix for a bug in parameter handling for the spapr PCI host
      bridge.
      
      # gpg: Signature made Sat 23 Apr 2016 07:55:29 BST using RSA key ID 20D9B392
      # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
      # gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
      # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392
      
      * remotes/dgibson/tags/ppc-for-2.6-20160423:
        hw/ppc/spapr: Fix crash when specifying bad parameters to spapr-pci-host-bridge
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      3123bd8e
  10. 23 4月, 2016 1 次提交
    • T
      hw/ppc/spapr: Fix crash when specifying bad parameters to spapr-pci-host-bridge · da34fed7
      Thomas Huth 提交于
      QEMU currently crashes when using bad parameters for the
      spapr-pci-host-bridge device:
      
      $ qemu-system-ppc64 -device spapr-pci-host-bridge,buid=0x123,liobn=0x321,mem_win_addr=0x1,io_win_addr=0x10
      Segmentation fault
      
      The problem is that spapr_tce_find_by_liobn() might return NULL, but
      the code in spapr_populate_pci_dt() does not check for this condition
      and then tries to dereference this NULL pointer.
      Apart from that, the return value of spapr_populate_pci_dt() also
      has to be checked for all PCI buses, not only for the last one, to
      make sure we catch all errors.
      Signed-off-by: NThomas Huth <thuth@redhat.com>
      Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
      da34fed7
  11. 22 4月, 2016 7 次提交
    • P
      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging · 53343338
      Peter Maydell 提交于
      Mirror block job fixes for 2.6.0-rc4
      
      # gpg: Signature made Fri 22 Apr 2016 15:46:41 BST using RSA key ID C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
      
      * remotes/kevin/tags/for-upstream:
        mirror: Workaround for unexpected iohandler events during completion
        aio-posix: Skip external nodes in aio_dispatch
        virtio: Mark host notifiers as external
        event-notifier: Add "is_external" parameter
        iohandler: Introduce iohandler_get_aio_context
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      53343338
    • F
      mirror: Workaround for unexpected iohandler events during completion · ab27c3b5
      Fam Zheng 提交于
      Commit 5a7e7a0b moved mirror_exit to a BH handler but didn't add any
      protection against new requests that could sneak in just before the
      BH is dispatched. For example (assuming a code base at that commit):
      
              main_loop_wait # 1
                os_host_main_loop_wait
                  g_main_context_dispatch
                    aio_ctx_dispatch
                      aio_dispatch
                        ...
                          mirror_run
                            bdrv_drain
          (a)               block_job_defer_to_main_loop
                qemu_iohandler_poll
                  virtio_queue_host_notifier_read
                    ...
                      virtio_submit_multiwrite
          (b)           blk_aio_multiwrite
      
              main_loop_wait # 2
                <snip>
                      aio_dispatch
                        aio_bh_poll
          (c)             mirror_exit
      
      At (a) we know the BDS has no pending request. However, the same
      main_loop_wait call is going to dispatch iohandlers (EventNotifier
      events), which may lead to a new I/O from guest. So the invariant is
      already broken at (c). Data loss.
      
      Commit f3926945 made iohandler to use aio API.  The order of
      virtio_queue_host_notifier_read and block_job_defer_to_main_loop within
      a main_loop_wait becomes unpredictable, and even worse, if the host
      notifier event arrives at the next main_loop_wait call, the
      unpredictable order between mirror_exit and
      virtio_queue_host_notifier_read is also a trouble. As shown below, this
      commit made the bug easier to trigger:
      
          - Bug case 1:
      
              main_loop_wait # 1
                os_host_main_loop_wait
                  g_main_context_dispatch
                    aio_ctx_dispatch (qemu_aio_context)
                      ...
                        mirror_run
                          bdrv_drain
          (a)             block_job_defer_to_main_loop
                    aio_ctx_dispatch (iohandler_ctx)
                      virtio_queue_host_notifier_read
                        ...
                          virtio_submit_multiwrite
          (b)               blk_aio_multiwrite
      
              main_loop_wait # 2
                ...
                      aio_dispatch
                        aio_bh_poll
          (c)             mirror_exit
      
          - Bug case 2:
      
              main_loop_wait # 1
                os_host_main_loop_wait
                  g_main_context_dispatch
                    aio_ctx_dispatch (qemu_aio_context)
                      ...
                        mirror_run
                          bdrv_drain
          (a)             block_job_defer_to_main_loop
      
              main_loop_wait # 2
                ...
                  aio_ctx_dispatch (iohandler_ctx)
                    virtio_queue_host_notifier_read
                      ...
                        virtio_submit_multiwrite
          (b)             blk_aio_multiwrite
                    aio_dispatch
                      aio_bh_poll
          (c)           mirror_exit
      
      In both cases, (b) breaks the invariant wanted by (a) and (c).
      
      Until then, the request loss has been silent. Later, 3f09bfbc added
      asserts at (c) to check the invariant (in
      bdrv_replace_in_backing_chain), and Max reported an assertion failure
      first visible there, by doing active committing while the guest is
      running bonnie++.
      
      2.5 added bdrv_drained_begin at (a) to protect the dataplane case from
      similar problems, but we never realize the main loop bug until now.
      
      As a bandage, this patch disables iohandler's external events
      temporarily together with bs->ctx.
      
      Launchpad Bug: 1570134
      
      Cc: qemu-stable@nongnu.org
      Signed-off-by: NFam Zheng <famz@redhat.com>
      Reviewed-by: NJeff Cody <jcody@redhat.com>
      Signed-off-by: NKevin Wolf <kwolf@redhat.com>
      ab27c3b5
    • F
      aio-posix: Skip external nodes in aio_dispatch · 37989ced
      Fam Zheng 提交于
      aio_poll doesn't poll the external nodes so this should never be true,
      but aio_ctx_dispatch may get notified by the events from GSource. To
      make bdrv_drained_begin effective in main loop, we should check the
      is_external flag here too.
      
      Also do the check in aio_pending so aio_dispatch is not called
      superfluously, when there is no events other than external ones.
      Signed-off-by: NFam Zheng <famz@redhat.com>
      Reviewed-by: NJeff Cody <jcody@redhat.com>
      Signed-off-by: NKevin Wolf <kwolf@redhat.com>
      37989ced
    • F
      virtio: Mark host notifiers as external · 14560d69
      Fam Zheng 提交于
      The effect of this change is the block layer drained section can work,
      for example when mirror job is being completed.
      Signed-off-by: NFam Zheng <famz@redhat.com>
      Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NKevin Wolf <kwolf@redhat.com>
      14560d69
    • F
      event-notifier: Add "is_external" parameter · 54e18d35
      Fam Zheng 提交于
      All callers pass "false" keeping the old semantics. The windows
      implementation doesn't distinguish the flag yet. On posix, it is passed
      down to the underlying aio context.
      Signed-off-by: NFam Zheng <famz@redhat.com>
      Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NKevin Wolf <kwolf@redhat.com>
      54e18d35
    • F
      iohandler: Introduce iohandler_get_aio_context · bcd82a96
      Fam Zheng 提交于
      Signed-off-by: NFam Zheng <famz@redhat.com>
      Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NKevin Wolf <kwolf@redhat.com>
      bcd82a96
    • C
      util: align memory allocations to 2M on AArch64 · ee1e0f8e
      Christoffer Dall 提交于
      For KVM to use Transparent Huge Pages (THP) we have to ensure that the
      alignment of the userspace address of the KVM memory slot and the IPA
      that the guest sees for a memory region have the same offset from the 2M
      huge page size boundary.
      
      One way to achieve this is to always align the IPA region at a 2M
      boundary and ensure that the mmap alignment is also at 2M.
      
      Unfortunately, we were only doing this for __arm__, not for __aarch64__,
      so add this simple condition.
      
      This fixes a performance regression using KVM/ARM on AArch64 platforms
      that showed a performance penalty of more than 50%, introduced by the
      following commit:
      
      9fac18f0 (oslib: allocate PROT_NONE pages on top of RAM, 2015-09-10)
      
      We were only lucky before the above commit, because we were allocating
      large regions and naturally getting a 2M alignment on those allocations
      then.
      
      Cc: qemu-stable@nongnu.org
      Reported-by: NShih-Wei Li <shihwei@cs.columbia.edu>
      Signed-off-by: NChristoffer Dall <christoffer.dall@linaro.org>
      Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
      [PMM: wrapped long line]
      Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
      ee1e0f8e