Lena Djokic [Thu, 24 Nov 2016 16:08:58 +0000 (17:08 +0100)]
linux-user: Fix mq_open
If fourth argument is NULL it should be passed without
using lock_user function which would, in that case, return
EFAULT, and system call supports passing NULL as fourth argument.
Lena Djokic [Thu, 24 Nov 2016 16:08:53 +0000 (17:08 +0100)]
linux-user: Fix inotify_init1 support
This commit adds necessary conversion of argument passed to inotify_init1.
inotify_init1 flags can be IN_NONBLOCK and IN_CLOEXEC which rely on O_NONBLOCK
and O_CLOEXEC and those can have different values on different platforms.
* remotes/rth/tags/pull-or-20170214: (24 commits)
target/openrisc: Optimize for r0 being zero
target/openrisc: Tidy handling of delayed branches
target/openrisc: Tidy ppc/npc implementation
target/openrisc: Optimize l.jal to next
target/openrisc: Fix madd
target/openrisc: Implement muld, muldu, macu, msbu
target/openrisc: Represent MACHI:MACLO as a single unit
target/openrisc: Implement msync
target/openrisc: Enable trap, csync, msync, psync for user mode
target/openrisc: Set flags on helpers
target/openrisc: Use movcond where appropriate
target/openrisc: Keep SR_CY and SR_OV in a separate variables
target/openrisc: Keep SR_F in a separate variable
target/openrisc: Invert the decoding in dec_calc
target/openrisc: Put SR[OVE] in TB flags
target/openrisc: Streamline arithmetic and OVE
target/openrisc: Rationalize immediate extraction
target/openrisc: Tidy insn dumping
target/openrisc: Implement lwa, swa
target/openrisc: Fix exception handling status registers
...
The HW does not special-case r0, but the ABI specifies that r0 should
contain 0. If we expose this fact to the optimizer, we can simplify
a lot of the generated code. We must of course verify that r0==0, but
that is trivial to do with a TB flag.
The NPC SPR is really only supposed to be used for FPGA debugging.
It contains the same contents as PC, unless one plays games. Follow
the or1ksim implementation in flushing delayed branch state when it
is changed.
The PPC SPR need not be updated every instruction, merely when we
exit the TB or attempt to read its contents.
Note that the specification for lf.madd.s is confused. It's
the only mention of supposed FPMADDHI/FPMADDLO special registers.
On the other hand, or1ksim implements a somewhat normal non-fused
multiply and add. Mirror that.
Fix incorrect overflow calculation. Move overflow exception check
to a helper function, to eliminate inline branches. Remove some
incorrect special casing of R0. Implement multiply inline.
Stafford Horne [Fri, 13 Jan 2017 22:00:28 +0000 (07:00 +0900)]
target/openrisc: Fix exception handling status registers
I am working on testing instruction emulation patches for the linux
kernel. During testing I found these 2 issues:
- sets DSX (delay slot exception) but never clears it
- EEAR for illegal insns should point to the bad exception (as per
openrisc spec) but its not
This patch fixes these two issues by clearing the DSX flag when not in a
delay slot and by setting EEAR to exception PC when handling illegal
instruction exceptions.
After this patch the openrisc kernel with latest patches boots great on
qemu and instruction emulation works.
Peter Maydell [Mon, 13 Feb 2017 18:49:26 +0000 (18:49 +0000)]
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20170213a' into staging
Migration
Amit: migration: remove myself as maintainer
MAINTAINERS: update my email address
Ashijeet: migrate: Introduce zero RAM checks to skip RAM migration
Pavel: Postcopy release RAM
Halil: consolidate VMStateField.start
Hailiang: COLO: fix setting checkpoint-delay not working properly
COLO: Shutdown related socket fd while do failover
COLO: Don't process failover request while loading VM's state
Me:
migration: Add VMSTATE_UNUSED_VARRAY_UINT32
migration: Add VMSTATE_WITH_TMP
tests/migration: Add test for VMSTATE_WITH_TMP
virtio-net VMState conversion and new VMSTATE macros
# gpg: Signature made Mon 13 Feb 2017 17:36:39 GMT
# gpg: using RSA key 0x0516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20170213a:
virtio/migration: Migrate virtio-net to VMState
tests/migration: Add test for VMSTATE_WITH_TMP
migration: Add VMSTATE_WITH_TMP
migration: Add VMSTATE_UNUSED_VARRAY_UINT32
COLO: Don't process failover request while loading VM's state
COLO: Shutdown related socket fd while do failover
COLO: fix setting checkpoint-delay not working properly
migration: consolidate VMStateField.start
migrate: Introduce zero RAM checks to skip RAM migration
migration: discard non-dirty ram pages after the start of postcopy
add 'release-ram' migrate capability
migration: add MigrationState arg for ram_save_/compressed_/page()
MAINTAINERS: update my email address
migration: remove myself as maintainer
VMSTATE_WITH_TMP is for handling structures where some calculation
or rearrangement of the data needs to be performed before the data
hits the wire.
For example, where the value on the wire is an offset from a
non-migrated base, but the data in the structure is the actual pointer.
To use it, a temporary type is created and a vmsd used on that type.
The first element of the type must be 'parent' a pointer back to the
type of the main structure. VMSTATE_WITH_TMP takes care of allocating
and freeing the temporary before running the child vmsd.
The post_load/pre_save on the child vmsd can copy things from the parent
to the temporary using the parent pointer and do any other calculations
needed; it can then use normal VMSD entries to do the actual data
storage without having to fiddle around with qemu_get_*/qemu_put_*
VMSTATE_UNUSED_VARRAY_UINT32 is used to skip a chunk of the stream
that's an n-element array; note the array size and the dynamic value
read never get multiplied so there's no overflow risk.
zhanghailiang [Tue, 17 Jan 2017 12:57:44 +0000 (20:57 +0800)]
COLO: Don't process failover request while loading VM's state
We should not do failover work while the main thread is loading
VM's state. Otherwise the consistent of VM's memory and
device state will be broken.
We will restart the loading process after jump over the stage,
The new failover status 'RELAUNCH' will help to record if we
need to restart the process.
zhanghailiang [Tue, 17 Jan 2017 12:57:43 +0000 (20:57 +0800)]
COLO: Shutdown related socket fd while do failover
If the net connection between primary host and secondary host breaks
while COLO/COLO incoming threads are doing read() or write().
It will block until connection is timeout, and the failover process
will be blocked because of it.
So it is necessary to shutdown all the socket fds used by COLO
to avoid this situation. Besides, we should close the corresponding
file descriptors after failvoer BH shutdown them,
Or there will be an error.
zhanghailiang [Tue, 17 Jan 2017 12:57:42 +0000 (20:57 +0800)]
COLO: fix setting checkpoint-delay not working properly
If we set checkpoint-delay through command 'migrate-set-parameters',
It will not take effect until we finish last sleep chekpoint-delay,
That's will be offensive espeically when we want to change its value
from an extreme big one to a proper value.
Fix it by using timer to realize checkpoint-delay.
Halil Pasic [Fri, 3 Feb 2017 17:52:17 +0000 (18:52 +0100)]
migration: consolidate VMStateField.start
The member VMStateField.start is used for two things, partial data
migration for VBUFFER data (basically provide migration for a
sub-buffer) and for locating next in QTAILQ.
The implementation of the VBUFFER feature is broken when VMSTATE_ALLOC
is used. This however goes unnoticed because actually partial migration
for VBUFFER is not used at all.
Let's consolidate the usage of VMStateField.start by removing support
for partial migration for VBUFFER.
migrate: Introduce zero RAM checks to skip RAM migration
Migration of a "none" machine with no RAM crashes abruptly as
bitmap_new() fails and thus aborts. Instead place zero RAM checks at
appropriate places to skip migration of RAM in this case and complete
migration successfully for devices only.
Pavel Butsykin [Fri, 3 Feb 2017 15:23:21 +0000 (18:23 +0300)]
migration: discard non-dirty ram pages after the start of postcopy
After the start of postcopy migration there are some non-dirty pages which have
already been migrated. These pages are no longer needed on the source vm so that
we can free them and it doen't hurt to complete the migration.
Pavel Butsykin [Fri, 3 Feb 2017 15:23:20 +0000 (18:23 +0300)]
add 'release-ram' migrate capability
This feature frees the migrated memory on the source during postcopy-ram
migration. In the second step of postcopy-ram migration when the source vm
is put on pause we can free unnecessary memory. It will allow, in particular,
to start relaxing the memory stress on the source host in a load-balancing
scenario.
Fam Zheng [Sat, 4 Feb 2017 14:32:45 +0000 (22:32 +0800)]
Makefile: Make "install" depend on "trace-events-all"
We install this file to data dir but since 0ab8ed18 it's no longer
required by any objects during "make". List it explicitly as a depended
target of install and fix the broken "make install" command.
Peter Maydell [Mon, 13 Feb 2017 10:16:23 +0000 (10:16 +0000)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2017-02-12' into staging
Block patches
# gpg: Signature made Sun 12 Feb 2017 01:26:20 GMT
# gpg: using RSA key 0xF407DB0061D5CF40
# gpg: Good signature from "Max Reitz <[email protected]>"
# Primary key fingerprint: 91BE B60A 30DB 3E88 57D1 1829 F407 DB00 61D5 CF40
* remotes/maxreitz/tags/pull-block-2017-02-12: (21 commits)
qemu-img: Avoid setting ret to unused value in img_convert()
qemu-img: Use qemu_strtoul() rather than raw strtoul()
qemu-io: don't allow I/O operations larger than BDRV_REQUEST_MAX_BYTES
qcow2: Optimize the refcount-block overlap check
qemu-io: Add failure regression tests
qemu-iotests: Add _unsupported_fmt helper
qemu-io: Return non-zero exit code on failure
block/nfs: fix naming of runtime opts
block/nfs: fix NULL pointer dereference in URI parsing
block: bdrv_invalidate_cache: invalidate children first
block/qapi: reduce the execution time of qmp_query_blockstats
block/qapi: reduce the coupling between the bdrv_query_stats and bdrv_query_bds_stats
qemu-iotest: test to lookup protocol-based image with relative backing
qemu-iotests: Don't create fifos / pidfiles with protocol paths
block: check full backing filename when searching protocol filenames
block/vmdk: Fix the endian problem of buf_len and lba
iotests: record separate timings per format,protocol pair
iotests: Fix reference output for 059
qapi: Tweak error message of bdrv_query_image_info
qemu-img: Improve commit invalid base message
...
Peter Maydell [Mon, 13 Feb 2017 09:30:15 +0000 (09:30 +0000)]
Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20170210.0' into staging
VFIO updates 2017-02-10
- Fix GTT wrap-around for Skylake IGD assignment (Alex Williamson)
- Tag vfio-pci-igd-lpc-bridge as bridge device category (Thomas Huth)
- Don't build calxeda-xgmac or amd-xgbe except on ARM (Thomas Huth)
* remotes/awilliam/tags/vfio-updates-20170210.0:
hw/vfio: Add CONFIG switches for calxeda-xgmac and amd-xgbe
hw/vfio/pci-quirks: Set category of the "vfio-pci-igd-lpc-bridge" device
vfio-pci: Fix GTT wrap-around for Skylake+ IGD
Peter Maydell [Fri, 10 Feb 2017 16:28:24 +0000 (16:28 +0000)]
qemu-img: Avoid setting ret to unused value in img_convert()
Coverity points out that we assign the return value from
bdrv_snapshot_load_tmp() to 'ret' in img_convert(), but then
never use that variable. (We check for failure by looking
at local_err instead.) Drop the unused assignment, bringing
the call into line with the following call to
bdrv_snapshot_laod_tmp_by_id_or_name().
Peter Maydell [Fri, 10 Feb 2017 16:28:23 +0000 (16:28 +0000)]
qemu-img: Use qemu_strtoul() rather than raw strtoul()
Some of the argument parsing in qemu-img uses strtoul() to parse
integer arguments. This is tricky to get correct and in fact the
code does not get it right, because it assigns the result of
strtoul() to an 'int' variable and then tries to check for > INT_MAX.
Coverity correctly complains that the comparison is always false.
Rewrite to use qemu_strtoul(), which has a saner convention for
reporting conversion failures.
Alberto Garcia [Tue, 31 Jan 2017 16:09:54 +0000 (18:09 +0200)]
qemu-io: don't allow I/O operations larger than BDRV_REQUEST_MAX_BYTES
Passing a request size larger than BDRV_REQUEST_MAX_BYTES to any of the
I/O commands results in an error. While 'read' and 'write' handle the
error correctly, 'aio_read' and 'aio_write' hit an assertion:
The reason is that the QEMU I/O code cannot handle request sizes
larger than BDRV_REQUEST_MAX_BYTES, so this patch makes qemu-io check
that all values are within range.
Alberto Garcia [Wed, 1 Feb 2017 12:38:28 +0000 (14:38 +0200)]
qcow2: Optimize the refcount-block overlap check
The metadata overlap checks introduced in a40f1c2add help detect
corruption in the qcow2 image by verifying that data writes don't
overlap with existing metadata sections.
The 'refcount-block' check in particular iterates over the refcount
table in order to get the addresses of all refcount blocks and check
that none of them overlap with the region where we want to write.
The problem with the refcount table is that since it always occupies
complete clusters its size is usually very big. With the default
values of cluster_size=64KB and refcount_bits=16 this table holds 8192
entries, each one of them enough to map 2GB worth of host clusters.
So unless we're using images with several TB of allocated data this
table is going to be mostly empty, and iterating over it is a waste of
CPU. If the storage backend is fast enough this can have an effect on
I/O performance.
This patch keeps the index of the last used (i.e. non-zero) entry in
the refcount table and updates it every time the table changes. The
refcount-block overlap check then uses that index instead of reading
the whole table.
In my tests with a 4GB qcow2 file stored in RAM this doubles the
amount of write IOPS.
Nir Soffer [Wed, 1 Feb 2017 00:31:19 +0000 (02:31 +0200)]
qemu-iotests: Add _unsupported_fmt helper
This helper allows adding tests supporting any format expect the
specified formats. This may be useful to test that many formats behave
in a common way.
Peter Lieven [Wed, 1 Feb 2017 09:53:49 +0000 (10:53 +0100)]
block/nfs: fix naming of runtime opts
commit 94d6a7a accidentally left the naming of runtime opts and QAPI
scheme inconsistent. As one consequence passing of parameters in the
URI is broken. Sync the naming of the runtime opts to the QAPI
scheme.
Please note that this is technically backwards incompatible with the 2.8
release, but the 2.8 release is the only version that had the wrong naming.
Furthermore release 2.8 suffered from a NULL pointer dereference during
URI parsing.
block: bdrv_invalidate_cache: invalidate children first
Current implementation invalidates firstly parent bds and then its
children. This leads to the following bug:
after incoming migration, in bdrv_invalidate_cache_all:
1. invalidate parent bds - reopen it with BDRV_O_INACTIVE cleared
2. child is not yet invalidated
3. parent check that its BDRV_O_INACTIVE is cleared
4. parent writes to child
5. assert in bdrv_co_pwritev, as BDRV_O_INACTIVE is set for child
This patch fixes it by just changing invalidate sequence: invalidate
children first.
Dou Liyang [Sun, 15 Jan 2017 08:01:15 +0000 (16:01 +0800)]
block/qapi: reduce the execution time of qmp_query_blockstats
In order to reduce the execution time, this patch optimize
the qmp_query_blockstats():
Remove the next_query_bds function.
Remove the bdrv_query_stats function.
Remove some judgement sentence.
The original qmp_query_blockstats calls next_query_bds to get
the next objects in each loops. In the next_query_bds, it checks
the query_nodes and blk. It also call bdrv_query_stats to get
the stats, In the bdrv_query_stats, it checks blk and bs each
times. This waste more times, which may stall the main loop a
bit. And if the disk is too many and donot use the dataplane
feature, this may affect the performance in main loop thread.
This patch removes that two functions, and makes the structure
clearly.
Dou Liyang [Sun, 15 Jan 2017 08:01:14 +0000 (16:01 +0800)]
block/qapi: reduce the coupling between the bdrv_query_stats and bdrv_query_bds_stats
The bdrv_query_stats and bdrv_query_bds_stats functions need to call
each other, that increases the coupling. it also makes the program
complicated and makes some unnecessary tests.
Remove the call from bdrv_query_bds_stats to bdrv_query_stats, just
take some recursion to make it clearly.
Avoid testing whether the blk is NULL during querying the bds stats.
It is unnecessary.
Jeff Cody [Thu, 26 Jan 2017 01:08:22 +0000 (20:08 -0500)]
qemu-iotest: test to lookup protocol-based image with relative backing
This test uses NFS and block-stream to force a lookup of a backing
image that has a relative filename, but a full backing image name
with the protocol path intact.
Jeff Cody [Thu, 26 Jan 2017 01:08:20 +0000 (20:08 -0500)]
block: check full backing filename when searching protocol filenames
In bdrv_find_backing_image(), if we are searching an image for a backing
file that contains a protocol, we currently only compare unmodified
paths.
However, some management software will change the backing filename to be
a relative filename in a path. QEMU is able to handle this fine,
because internally it will use path_combine to put together the full
protocol URI.
However, this can lead to an inability to match an image during a QAPI
command that needs to use bdrv_find_backing_image() to find the image,
when it is searched by the full URI.
When searching for a protocol filename, if the straight comparison
fails, this patch will also compare against the full backing filename to
see if that is a match.
QingFeng Hao [Fri, 16 Dec 2016 05:20:40 +0000 (06:20 +0100)]
block/vmdk: Fix the endian problem of buf_len and lba
The problem was triggered by qemu-iotests case 055. It failed when it
was comparing the compressed vmdk image with original test.img.
The cause is that buf_len in vmdk_write_extent wasn't converted to
little-endian before it was stored to disk. But later vmdk_read_extent
read it and converted it from little-endian to cpu endian.
If the cpu is big-endian like s390, the problem will happen and
the data length read by vmdk_read_extent will become invalid!
The fix is to add the conversion in vmdk_write_extent, meanwhile,
repair the endianness problem of lba field which shall also be converted
to little-endian before storing to disk.
iotests: record separate timings per format,protocol pair
The 'check' program records timings for each test that
is run. These timings are only valid, however, for a
particular format/protocol combination. So if frequently
running 'check' with a variety of different formats or
protocols, the times printed can be very misleading.
Instead of having a single 'check.time' file, maintain
multiple 'check.time-$IMGPROTO-$IMGFMT' files.
Max Reitz [Thu, 1 Dec 2016 02:05:08 +0000 (03:05 +0100)]
qemu-img: Improve commit invalid base message
When trying to invoke qemu-img commit with a base image file name that
is not part of the top image's backing chain, the user receives a rather
plain "Base not found" error message. This is not really helpful because
it does not explain what "not found" means, potentially leaving the user
wondering why qemu cannot find a file despite it clearly existing in the
file system.
Improve the error message by clarifying that "not found" means "not
found in the top image's backing chain".
QingFeng Hao [Fri, 16 Dec 2016 05:47:23 +0000 (06:47 +0100)]
iotests: Fix a problem in common.filter
If TEST_DIR is set to /tmp, test case 144 will fail. The reason is that
TEST_DIR resembles 144's test image name tmp.qcow2.
When 144 is testing $TEST_DIR/tmp.qcow2, it wants to replace
$TEST_DIR/tmp.qcow2 to TEST_DIR/tmp.qcow2, but actually it will fail
and get TEST_DIRTEST_DIR.qcow2 in this case.
The fix is just to modify the code to replace $TEST_DIR/ with TEST_DIR/.
Thomas Huth [Fri, 10 Feb 2017 20:12:03 +0000 (13:12 -0700)]
hw/vfio: Add CONFIG switches for calxeda-xgmac and amd-xgbe
Both devices seem to be specific to the ARM platform. It's confusing
for the users if they show up on other target architectures, too
(e.g. when the user runs QEMU with "-device ?" to get a list of
supported devices). Thus let's introduce proper configuration switches
so that the devices are only compiled and included when they are
really required.
Alex Williamson [Fri, 10 Feb 2017 20:12:03 +0000 (13:12 -0700)]
vfio-pci: Fix GTT wrap-around for Skylake+ IGD
Previous IGD, up through Broadwell, only seem to write GTT values into
the first 1MB of space allocated for the BDSM, but clearly the GTT
can be multiple MB in size. Our test in vfio_igd_quirk_data_write()
correctly filters out indexes beyond 1MB, but given the 1MB mask we're
using, we re-apply writes only to the first 1MB of the guest allocated
BDSM.
We can't assume either the host or guest BDSM is naturally aligned, so
we can't simply apply a different mask. Instead, save the host BDSM
and do the arithmetic to subtract the host value to get the BDSM
offset and add it to the guest allocated BDSM.
Peter Maydell [Fri, 10 Feb 2017 18:54:30 +0000 (18:54 +0000)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20170210' into staging
target-arm queue:
* aspeed: minor fixes
* virt: declare fwcfg and virtio-mmio as DMA coherent in DT & ACPI
* arm: enable basic TCG emulation of PMU for AArch64
* remotes/pmaydell/tags/pull-target-arm-20170210:
aspeed/smc: use a modulo to check segment limits
aspeed/smc: handle dummies only in fast read mode
aspeed: remove useless comment on controller segment size
aspeed: check for negative values returned by blk_getlength()
hw/arm/virt: Declare fwcfg as dma cache coherent in dt
hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
target-arm: Declare virtio-mmio as dma-coherent in dt
target-arm: Enable vPMU support under TCG mode
target-arm: Add support for PMU register PMINTENSET_EL1
target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
target-arm: Add support for PMU register PMSELR_EL0
Cédric Le Goater [Fri, 10 Feb 2017 17:40:29 +0000 (17:40 +0000)]
aspeed: remove useless comment on controller segment size
The flash devices used for the FMC controller (BMC firmware) are well
defined for each Aspeed machine and are all smaller than the default
mapping window size, at least for CE0 which is the chip the SoC boots
from.
Cédric Le Goater [Fri, 10 Feb 2017 17:40:29 +0000 (17:40 +0000)]
aspeed: check for negative values returned by blk_getlength()
write_boot_rom() does not check for negative values. This is more a
problem for coverity than the actual code as the size of the flash
device is checked when the m25p80 object is created. If there is
anything wrong with the backing file, we should not even reach that
path.
Alexander Graf [Fri, 10 Feb 2017 17:40:29 +0000 (17:40 +0000)]
hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
Fw-cfg recently learned how to directly access guest memory and does so in
cache coherent fashion. Tell the guest about that fact when it's using ACPI.
Alexander Graf [Fri, 10 Feb 2017 17:40:29 +0000 (17:40 +0000)]
target-arm: Declare virtio-mmio as dma-coherent in dt
QEMU emulated hardware is always dma coherent with its guest. We do
annotate that correctly on the PCI host controller, but left out
virtio-mmio.
Recent kernels have started to interpret that flag rather than take
dma coherency as granted with virtio-mmio. While that is considered
a kernel bug, as it breaks previously working systems, it showed that
our dt description is incomplete.
This patch adds the respective marker that allows guest OSs to evaluate
that our virtio-mmio devices are indeed cache coherent.
Wei Huang [Fri, 10 Feb 2017 17:40:28 +0000 (17:40 +0000)]
target-arm: Enable vPMU support under TCG mode
This patch contains several fixes to enable vPMU under TCG mode. It
first removes the checking of kvm_enabled() while unsetting
ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
under TCG mode. Secondly the PMU node of DT table is now created under TCG.
The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.
Wei Huang [Fri, 10 Feb 2017 17:40:28 +0000 (17:40 +0000)]
target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
In order to support Linux perf, which uses PMXEVTYPER register,
this patch adds read/write access support for PMXEVTYPER. The access
is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
this patch adds support for PMXEVTYPER_EL0.
Ladi Prosek [Fri, 10 Feb 2017 16:47:11 +0000 (11:47 -0500)]
ahci: advertise HOST_CAP_64
The AHCI emulation code supports 64-bit addressing and should advertise this
fact in the Host Capabilities register. Both Linux and Windows drivers test
this bit to decide if the upper 32 bits of various registers may be written
to, and at least some versions of Windows have a bug where DMA is attempted
with an address above 4GB but, in the absence of HOST_CAP_64, the upper 32
bits are left unititialized which leads to a memory corruption.
[Maintainer edit:
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1411105,
which affects Windows Server 2008 SP2 in some cases.]
Gerd Hoffmann [Thu, 9 Feb 2017 13:02:20 +0000 (14:02 +0100)]
cirrus: fix patterncopy checks
The blit_region_is_unsafe checks don't work correctly for the
patterncopy source. It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}. So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source. Also handle the case where we
blit from cirrus_bitbuf correctly.
Security impact: I think for the most part error on the safe side this
time, refusing blits which should have been allowed.
Only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But
even in that case I'm not fully sure this actually allows read access to
host memory. To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.
Gerd Hoffmann [Mon, 23 Jan 2017 10:26:50 +0000 (11:26 +0100)]
virtio-gpu: fix resource leak in virgl_cmd_resource_unref
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
we'll leak memory.
This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
projects / qemu.git / log