Loongson multimedia condition instructions were previously implemented as
write 0 to rd due to lack of documentation. So I just confirmed with Loongson
about their encoding and implemented them correctly.
configure: Override the os default with --disable-pie
Some distributions, e.g. Ubuntu 19.10, enable PIE by default.
If for some reason one wishes to build a non-pie binary, we
must provide additional options to override.
At the same time, reorg the code to an elif chain.
configure: Always detect -no-pie toolchain support
The CFLAGS_NOPIE and LDFLAGS_NOPIE variables are used
in pc-bios/optionrom/Makefile, which has nothing to do
with the PIE setting of the main qemu executables.
This overrides any operating system default to build
all executables as PIE, which is important for ROMs.
The commentary talks about "in concert with the addresses
assigned in the relevant linker script", except there is no
linker script for softmmu, nor has there been for some time.
(Do not confuse the user-only linker script editing that was
removed in the previous patch, because user-only does not
use this code_gen_buffer allocation method.)
This adjustment was random and unnecessary. The user mode
startup code in probe_guest_base() will choose a value for
guest_base that allows the host qemu binary to not conflict
with the guest binary.
With modern distributions, this isn't even used, as the default
is PIE, which does the same job in a more portable way.
* remotes/jnsnow/tags/ide-pull-request:
cmd646-ide: use qdev gpio rather than qemu_allocate_irqs()
via-ide: use qdev gpio rather than qemu_allocate_irqs()
via-ide: don't use PCI level for legacy IRQs
hw/ide/sii3112: Use qdev gpio rather than qemu_allocate_irqs()
fdc/i8257: implement verify transfer mode
Mark Cave-Ayland [Tue, 24 Mar 2020 21:05:17 +0000 (21:05 +0000)]
via-ide: don't use PCI level for legacy IRQs
The PCI level calculation was accidentally left in when rebasing from a
previous patchset. Since both IRQs are driven separately, the value
being passed into the IRQ handler should be used directly.
Peter Maydell [Mon, 23 Mar 2020 15:17:15 +0000 (15:17 +0000)]
hw/ide/sii3112: Use qdev gpio rather than qemu_allocate_irqs()
Coverity points out (CID 1421984) that we are leaking the
memory returned by qemu_allocate_irqs(). We can avoid this
leak by switching to using qdev_init_gpio_in(); the base
class finalize will free the irqs that this allocates under
the hood.
Sven Schnelle [Fri, 1 Nov 2019 16:55:13 +0000 (17:55 +0100)]
fdc/i8257: implement verify transfer mode
While working on the Tulip driver I tried to write some Teledisk images to
a floppy image which didn't work. Turned out that Teledisk checks the written
data by issuing a READ command to the FDC but running the DMA controller
in VERIFY mode. As we ignored the DMA request in that case, the DMA transfer
never finished, and Teledisk reported an error.
The i8257 spec says about verify transfers:
3) DMA verify, which does not actually involve the transfer of data. When an
8257 channel is in the DMA verify mode, it will respond the same as described
for transfer operations, except that no memory or I/O read/write control signals
will be generated.
Hervé proposed to remove all the dma_mode_ok stuff from fdc to have a more
clear boundary between DMA and FDC, so this patch also does that.
Peter Maydell [Fri, 27 Mar 2020 16:04:22 +0000 (16:04 +0000)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- Fix another case of mirror block job deadlocks
- Minor fixes
# gpg: Signature made Fri 27 Mar 2020 15:18:37 GMT
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <[email protected]>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream:
qcow2: Remove unused fields from BDRVQcow2State
mirror: Wait only for in-flight operations
Revert "mirror: Don't let an operation wait for itself"
nvme: Print 'cqid' for nvme_del_cq
block: fix bdrv_root_attach_child forget to unref child_bs
block/iscsi:use the flags in iscsi_open() prevent Clang warning
Kevin Wolf [Thu, 26 Mar 2020 17:07:57 +0000 (18:07 +0100)]
qcow2: Remove unused fields from BDRVQcow2State
These fields were already removed in commit c3c10f72, but then commit b58deb34 revived them probably due to bad merge conflict resolution.
They are still unused, so remove them again.
Kevin Wolf [Thu, 26 Mar 2020 15:36:28 +0000 (16:36 +0100)]
mirror: Wait only for in-flight operations
mirror_wait_for_free_in_flight_slot() just picks a random operation to
wait for. However, a MirrorOp is already in s->ops_in_flight when
mirror_co_read() waits for free slots, so if not enough slots are
immediately available, an operation can end up waiting for itself, or
two or more operations can wait for each other to complete, which
results in a hang.
Fix this by adding a flag to MirrorOp that tells us if the request is
already in flight (and therefore occupies slots that it will later
free), and picking only such operations for waiting.
The fix was incomplete as it only protected against requests waiting for
themselves, but not against requests waiting for each other. We need a
different solution.
Chen Qun [Wed, 11 Mar 2020 03:29:27 +0000 (11:29 +0800)]
block/iscsi:use the flags in iscsi_open() prevent Clang warning
Clang static code analyzer show warning:
block/iscsi.c:1920:9: warning: Value stored to 'flags' is never read
flags &= ~BDRV_O_RDWR;
^ ~~~~~~~~~~~~
iscsi_allocmap_init() only checks BDRV_O_NOCACHE, which
is the same in both flags and bs->open_flags.
We can use flags instead of bs->open_flags to prevent the Clang warning.
tests/docker: Install gcrypt devel package in Debian image
In commit 6f8bbb374be we enabled building with the gcrypt library
on the Debian 'x86 host', which was based on Debian Stretch.
Later in commit 698a71edbed we upgraded the Debian base image to
Buster.
Apparently Debian Stretch was listing gcrypt as a QEMU dependency,
but this is not the case anymore in Buster, so we need to install
it manually (it is not listed by 'apt-get -s build-dep qemu' in
the common debian10.docker anymore). This fixes:
$ ../configure $QEMU_CONFIGURE_OPTS
ERROR: User requested feature gcrypt
configure was not able to find it.
Install gcrypt devel >= 1.5.0
Results summary:
0: 91 times (91.00%), avg time 5.547 (0.45 varience/0.67 deviation)
-6: 9 times (9.00%), avg time 3.394 (0.02 varience/0.13 deviation)
Ran command 100 times, 91 passes
When re-run with "--accel tcg,thread=single" the instability goes
away.
Results summary:
0: 100 times (100.00%), avg time 17.318 (249.76 varience/15.80 deviation)
Ran command 100 times, 100 passes
Which seems to indicate there is some aspect of the MIPS MTTCG fixes
that has been missed. Ideally we would fix that but I'm afraid I don't
have time to investigate and am not super familiar with the
architecture anyway. In lieu of someone tracking down the failure, let's
disable it for now.
Alex Bennée [Mon, 23 Mar 2020 16:15:08 +0000 (16:15 +0000)]
tests/vm: fix basevm config
When the patch was merged it was part of a longer series which had
already merged the config changes. Semi-revert the config related
changes for now so things will build.
Gerd Hoffmann [Mon, 23 Mar 2020 16:15:07 +0000 (16:15 +0000)]
tests/vm: update NetBSD to 9.0
The installer supports GPT now, so the install workflow has changed a
bit. Also: run without VGA device. This works around a bug in the
seabios sercon code and makes the bootloader menu show up on the serial
line, so we can drop the quirk for that.
Alex Bennée [Thu, 26 Mar 2020 16:46:16 +0000 (16:46 +0000)]
qemu/atomic.h: add #ifdef guards for stdatomic.h
Deep inside the FreeBSD netmap headers we end up including stdatomic.h
which clashes with qemu's atomic functions which are modelled along
the C11 standard. To avoid a massive rename, let's just ifdef around the
problem.
Peter Maydell [Thu, 26 Mar 2020 15:44:26 +0000 (15:44 +0000)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-03-26' into staging
Block patches for 5.0-rc1:
- Fix qemu-img convert with a host device or iscsi target
- Use-after-free fix in mirror
- Some minor qcow2 fixes
- Minor sheepdog fix
- Minor qemu-img check report fix
* remotes/maxreitz/tags/pull-block-2020-03-26:
iotests/138: Test leaks/corruptions fixed report
iotests: Add poke_file_[bl]e functions
qemu-img: Fix check's leak/corruption fix report
sheepdog: Consistently set bdrv_has_zero_init_truncate
qcow2: Avoid feature name extension on small cluster size
qcow2: List autoclear bit names in header
qcow2: Comment typo fixes
block: trickle down the fallback image creation function use to the block drivers
block: pass BlockDriver reference to the .bdrv_co_create
block/mirror: fix use after free of local_err
Max Reitz [Tue, 24 Mar 2020 17:27:57 +0000 (18:27 +0100)]
iotests/138: Test leaks/corruptions fixed report
Test that qemu-img check reports the number of leaks and corruptions
fixed in its JSON report (after a successful run).
While touching the _unsupported_imgopts line, adjust the note on why
data_file does not work with this test: The current comment sounds a bit
like it is a mistake for qemu-img check not to check external data
files' refcounts. But there are no such refcounts, so it is no mistake.
Just say that qemu-img check does not do much for external data files,
and this is why this test does not work with them.
Max Reitz [Tue, 24 Mar 2020 17:27:56 +0000 (18:27 +0100)]
iotests: Add poke_file_[bl]e functions
Similarly to peek_file_[bl]e, we may want to write binary integers into
a file. Currently, this often means messing around with poke_file and
raw binary strings. I hope these functions make it a bit more
comfortable.
Max Reitz [Tue, 24 Mar 2020 17:27:55 +0000 (18:27 +0100)]
qemu-img: Fix check's leak/corruption fix report
There are two problems with qemu-img check's report on how many leaks
and/or corruptions have been fixed:
(1) ImageCheck.has_leaks_fixed and ImageCheck.has_corruptions_fixed are
only true when ImageCheck.leaks or ImageCheck.corruptions (respectively)
are non-zero. qcow2's check implementation will set the latter to zero
after it has fixed leaks and corruptions, though, so leaks-fixed and
corruptions-fixed are actually never reported after successful repairs.
We should always report them when they are non-zero, just like all the
other fields of ImageCheck.
(2) After something has been fixed and we run the check a second time,
leaks_fixed and corruptions_fixed are taken from the first run; but
has_leaks_fixed and has_corruptions_fixed are not. The second run
actually cannot fix anything, so with (1) fixed, has_leaks_fixed and
has_corruptions_fixed will always be false here. (With (1) unfixed,
they will at least be false on successful runs, because then the number
of leaks and corruptions found in the second run should be 0.)
We should save has_leaks_fixed and has_corruptions_fixed just like we
save leaks_fixed and corruptions_fixed.
Eric Blake [Tue, 24 Mar 2020 17:42:33 +0000 (12:42 -0500)]
sheepdog: Consistently set bdrv_has_zero_init_truncate
block_int.h claims that .bdrv_has_zero_init must return 0 if
.bdrv_has_zero_init_truncate does likewise; but this is violated if
only the former callback is provided if .bdrv_co_truncate also exists.
When adding the latter callback, it was mistakenly added to only one
of the three possible sheepdog instantiations.
Eric Blake [Tue, 24 Mar 2020 17:42:32 +0000 (12:42 -0500)]
qcow2: Avoid feature name extension on small cluster size
As the feature name table can be quite large (over 9k if all 64 bits
of all three feature fields have names; a mere 8 features leaves only
8 bytes for a backing file name in a 512-byte cluster), it is unwise
to emit this optional header in images with small cluster sizes.
Update iotest 036 to skip running on small cluster sizes; meanwhile,
note that iotest 061 never passed on alternative cluster sizes
(however, I limited this patch to tests with output affected by adding
feature names, rather than auditing for other tests that are not
robust to alternative cluster sizes).
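As an added worked example (my own reconstruction, not Eric's code or QEMU's), the layout arithmetic behind the sizes quoted above, using the constants from the qcow2 specification: a 104-byte version-3 header, an 8-byte extension header, 48-byte feature-name entries (1 type byte, 1 bit number, 46-byte name) and an 8-byte end-of-extensions marker, with no other extensions present.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout constants from the qcow2 specification (docs/interop/qcow2.txt). */
#define QCOW2_V3_HEADER_LEN      104  /* fixed part of a version-3 header */
#define QCOW2_EXT_HDR_LEN          8  /* per extension: 4-byte type + 4-byte length */
#define QCOW2_EXT_END_LEN          8  /* terminating extension (type 0, length 0) */
#define QCOW2_FEATURE_ENTRY_LEN   48  /* 1 type byte + 1 bit number + 46-byte name */
#define QCOW2_FEATURE_NAME_LEN    46
#define QCOW2_FEATURE_FIELDS       3  /* incompatible, compatible, autoclear */

struct qcow2_feature_name {
    uint8_t type;      /* 0 = incompatible, 1 = compatible, 2 = autoclear */
    uint8_t bit;       /* bit number within that 64-bit feature field */
    const char *name;  /* at most 46 bytes, zero-padded, not NUL-terminated */
};

/* Encode a feature-name-table extension body into buf.
 * Returns the number of bytes written, or 0 if the table does not fit
 * or a name is longer than the format can represent. */
size_t qcow2_encode_feature_table(const struct qcow2_feature_name *f, size_t n,
                                  uint8_t *buf, size_t buflen)
{
    size_t need = n * QCOW2_FEATURE_ENTRY_LEN;
    if (need > buflen) {
        return 0;
    }
    memset(buf, 0, need);
    for (size_t i = 0; i < n; i++) {
        uint8_t *e = buf + i * QCOW2_FEATURE_ENTRY_LEN;
        size_t len = strlen(f[i].name);
        if (len > QCOW2_FEATURE_NAME_LEN) {
            return 0;
        }
        e[0] = f[i].type;
        e[1] = f[i].bit;
        memcpy(e + 2, f[i].name, len);   /* zero padding comes from memset */
    }
    return need;
}

/* Bytes left in the first cluster for the backing file name once the v3
 * header, the feature-name-table extension and the end marker are laid
 * out. A negative result means the header no longer fits the cluster. */
long qcow2_backing_name_room(size_t cluster_size, size_t n_features)
{
    size_t used = QCOW2_V3_HEADER_LEN + QCOW2_EXT_HDR_LEN +
                  n_features * QCOW2_FEATURE_ENTRY_LEN + QCOW2_EXT_END_LEN;
    return (long)cluster_size - (long)used;
}

/* Size of the table if every bit of every feature field had a name. */
size_t qcow2_max_feature_table_len(void)
{
    return (size_t)QCOW2_FEATURE_FIELDS * 64 * QCOW2_FEATURE_ENTRY_LEN;
}
```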
Eric Blake [Tue, 24 Mar 2020 17:42:31 +0000 (12:42 -0500)]
qcow2: List autoclear bit names in header
The feature table is supposed to advertise the name of all feature
bits that we support; however, we forgot to update the table for
autoclear bits. While at it, move the table to read-only memory in
code, and tweak the qcow2 spec to name the second autoclear bit.
Update iotests that are affected by the longer header length.
Maxim Levitsky [Thu, 26 Mar 2020 01:12:18 +0000 (03:12 +0200)]
block: trickle down the fallback image creation function use to the block drivers
Instead of checking the .bdrv_co_create_opts to see if we need the
fallback, just implement the .bdrv_co_create_opts in the drivers that
need it.
This way we don't break various places that need to know if the
underlying protocol/format really supports image creation, and this way
we still allow some drivers to not support image creation.
Note that technically this driver reverts the image creation fallback
for the vxhs driver since I don't have a means to test it, and IMHO it
is better to leave it not supported as it was prior to generic image
creation patches.
Also drop iscsi_create_opts which was left accidentally.
Peter Maydell [Thu, 26 Mar 2020 09:28:11 +0000 (09:28 +0000)]
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200325b' into staging
Combo Migration/HMP/virtiofs pull
Small fixes all around.
Ones that are noticeable:
a) Igor's migration compatibility fix affecting older machine types
has been seen in the wild
b) Philippe's autoconverge fix should fix an intermittently
failing migration test.
c) Mao's makes a small change to the output of 'info
migrate_parameters' for tls-authz.
# gpg: Signature made Wed 25 Mar 2020 13:14:48 GMT
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <[email protected]>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20200325b:
migration: use "" instead of (null) for tls-authz
migration/ram: fix use after free of local_err
migration/colo: fix use after free of local_err
vl.c: fix migration failure for 3.1 and older machine types
tools/virtiofsd/passthrough_ll: Fix double close()
hmp/vnc: Fix info vnc list leak
tests/migration: Reduce autoconverge initial bandwidth
xbzrle: update xbzrle doc
hmp-cmd: fix a missing_break warning
linux-user: Add x86_64 vsyscall page to /proc/self/maps
The page isn't (necessarily) present in the host /proc/self/maps,
and even if it might be it isn't present in page_flags, and even
if it was it might not have the same set of page permissions.
The easiest thing to do, particularly when it comes to the
"[vsyscall]" note at the end of line, is to special case it.
Notice the magic page during translate, much like we already
do for the arm32 commpage. At runtime, raise an exception to
return cpu_loop for emulation.
This is a bit tidier than open-coding the 5 lines necessary
to initialize the target_siginfo_t. In addition, this zeros
the remaining bytes of the target_siginfo_t, rather than
passing in garbage.
We are not short of numbers for EXCP_*. There is no need to confuse things
by having EXCP_VMEXIT and EXCP_SYSCALL overlap, even though the former is
only used for system mode and the latter is only used for user mode.
This patch fixes two problems:
- it cleans up linux-user variants (for instance ppc64-linux-user
and ppc64le-linux-user)
- it removes the .o file when it removes the .d file, otherwise the .o
file is never updated
Mao Zhongyi [Wed, 25 Mar 2020 01:49:30 +0000 (09:49 +0800)]
migration: use "" instead of (null) for tls-authz
run:
(qemu) info migrate_parameters
announce-initial: 50 ms
...
announce-max: 550 ms
multifd-compression: none
xbzrle-cache-size: 4194304
max-postcopy-bandwidth: 0
tls-authz: '(null)'
Migration parameter 'tls-authz' is used to provide the QOM ID
of a QAuthZ subclass instance that provides the access control
check, default is NULL. But the empty string is not a valid
object ID, so use "" instead of the default. Although it will
fail when looking up an object with ID "", it is harmless, just
consistent with tls_creds.
As a bonus, this patch also fixed the bad indentation on the
last line and removed 'has_tls_authz' redundant check in
'hmp_info_migrate_parameters'.
local_err is used again in migration_bitmap_sync_precopy() after
precopy_notify(), so we must zero it. Otherwise, trying to set a
non-NULL local_err will crash.
local_err is used again in secondary_vm_do_failover() after
replication_stop_all(), so we must zero it. Otherwise, trying to set a
non-NULL local_err will crash.
Igor Mammedov [Wed, 4 Mar 2020 17:27:48 +0000 (12:27 -0500)]
vl.c: fix migration failure for 3.1 and older machine types
Migration from QEMU(v4.0) fails when using 3.1 or older machine
type. For example if one attempts to migrate
QEMU-2.12 started as
qemu-system-ppc64 -nodefaults -M pseries-2.12 -m 4096 -mem-path /tmp/
to current master, it will fail with
qemu-system-ppc64: Unknown ramblock "ppc_spapr.ram", cannot accept migration
qemu-system-ppc64: error while loading state for instance 0x0 of device 'ram'
qemu-system-ppc64: load of migration failed: Invalid argument
Caused by 900c0ba373 commit which switches main RAM allocation to
memory backends and the fact in 3.1 and older QEMU, backends used
full[***] QOM path as memory region name instead of backend's name.
That was changed after 3.1 to use prefix-less names by default
(fa0cb34d22) for new machine types.
*** effectively makes main RAM memory region names defined by
MachineClass::default_ram_id being altered with '/objects/' prefix
and therefore migration fails as old QEMU sends prefix-less
name while new QEMU expects name with prefix when using 3.1 and
older machine types.
Fix it by forcing implicit[1] memory backend to always use
prefix-less names for its memory region by setting
'x-use-canonical-path-for-ramblock-id'
property to false.
1) i.e. memory backend created by compat glue which maps
-m/-mem-path/-mem-prealloc/default RAM size into
appropriate backend type/options to match old CLI format.
On success, the fdopendir() call closes fd. Later on the error
path we try to close an already-closed fd. This can lead to
use-after-free. Fix by only closing the fd if the fdopendir()
call failed.
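The ownership rule behind this fix, as an added example (not the virtiofsd code): fdopendir() takes ownership of the descriptor on success, so an error path that runs afterwards must release it through closedir() only, and close(fd) directly only when fdopendir() itself failed. The later_step_fails knob is a hypothetical stand-in for any step that can fail after fdopendir() has succeeded.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical knob: makes a step that runs after fdopendir() fail, so the
 * error path is exercised while the DIR stream already owns the fd. */
int later_step_fails = 0;

/* Buggy shape: the error path closes fd unconditionally. Once fdopendir()
 * succeeded, closedir() has already closed fd, so the extra close() either
 * fails with EBADF or, if the number was reused meanwhile, closes somebody
 * else's descriptor. Returns 0 on success, -1 on failure; the out-params
 * record what the extra close() did (rc 1 = no extra close attempted). */
int open_dir_buggy(const char *path, int *second_close_rc, int *second_close_errno)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    DIR *dp = NULL;
    *second_close_rc = 1;
    *second_close_errno = 0;
    if (fd == -1) {
        return -1;
    }
    dp = fdopendir(fd);
    if (dp == NULL || later_step_fails) {
        goto out_err;
    }
    closedir(dp);              /* a real caller would keep dp; clean up here */
    return 0;

out_err:
    if (dp) {
        closedir(dp);          /* this already closes fd */
    }
    errno = 0;
    *second_close_rc = close(fd);   /* the bug: fd is no longer ours */
    *second_close_errno = errno;
    return -1;
}

/* Fixed shape: close fd ourselves only if fdopendir() failed; after that
 * the stream owns it and closedir() is the only correct release. */
int open_dir_fixed(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd == -1) {
        return -1;
    }
    DIR *dp = fdopendir(fd);
    if (dp == NULL) {
        close(fd);             /* still ours: fdopendir() did not take it */
        return -1;
    }
    if (later_step_fails) {
        closedir(dp);          /* releases fd too; no close(fd) here */
        return -1;
    }
    closedir(dp);
    return 0;
}

/* Shows why this is more than an EBADF: after closedir() the number is
 * free, the next open() reuses it, and the stray close() silently kills
 * that unrelated descriptor. Returns 1 if the new fd was clobbered. */
int stray_close_clobbers_reused_fd(const char *dirpath)
{
    int fd = open(dirpath, O_RDONLY | O_DIRECTORY);
    if (fd == -1) {
        return -1;
    }
    DIR *dp = fdopendir(fd);
    if (dp == NULL) {
        close(fd);
        return -1;
    }
    closedir(dp);                                   /* fd closed here */
    int victim = open(dirpath, O_RDONLY | O_DIRECTORY);  /* lowest free number: fd again */
    if (victim == -1) {
        return -1;
    }
    int reused = (victim == fd);
    close(fd);                                      /* the buggy second close */
    int victim_dead = (fcntl(victim, F_GETFD) == -1 && errno == EBADF);
    if (!victim_dead) {
        close(victim);
    }
    return reused && victim_dead;
}
```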
When using max-bandwidth=~100Mb/s, this test fails on Travis-CI
s390x when configured with --disable-tcg:
$ make check-qtest
TEST check-qtest-s390x: tests/qtest/boot-serial-test
qemu-system-s390x: -accel tcg: invalid accelerator tcg
qemu-system-s390x: falling back to KVM
TEST check-qtest-s390x: tests/qtest/pxe-test
TEST check-qtest-s390x: tests/qtest/test-netfilter
TEST check-qtest-s390x: tests/qtest/test-filter-mirror
TEST check-qtest-s390x: tests/qtest/test-filter-redirector
TEST check-qtest-s390x: tests/qtest/drive_del-test
TEST check-qtest-s390x: tests/qtest/device-plug-test
TEST check-qtest-s390x: tests/qtest/virtio-ccw-test
TEST check-qtest-s390x: tests/qtest/cpu-plug-test
TEST check-qtest-s390x: tests/qtest/migration-test
**
ERROR:tests/qtest/migration-test.c:1229:test_migrate_auto_converge: 'got_stop' should be FALSE
ERROR - Bail out! ERROR:tests/qtest/migration-test.c:1229:test_migrate_auto_converge: 'got_stop' should be FALSE
make: *** [tests/Makefile.include:633: check-qtest-s390x] Error 1
Per David Gilbert, "it could just be the writing is slow on s390
and the migration thread fast; in which case the autocomplete
wouldn't be needed. Perhaps we just need to reduce the bandwidth
limit."
Tuning the threshold by reducing the initial bandwidth makes the
autoconverge test pass.
Pan Nengyuan [Wed, 18 Mar 2020 07:16:20 +0000 (15:16 +0800)]
hmp-cmd: fix a missing_break warning
This fixes Coverity issue 94417686:
1260 break;
CID 94417686: (MISSING_BREAK)
1261. unterminated_case: The case for value "MIGRATION_PARAMETER_THROTTLE_TRIGGER_THRESHOLD" is not terminated by a 'break' statement.
1261 case MIGRATION_PARAMETER_THROTTLE_TRIGGER_THRESHOLD:
1262 p->has_throttle_trigger_threshold = true;
1263 visit_type_int(v, param, &p->throttle_trigger_threshold, &err);
1264 case MIGRATION_PARAMETER_CPU_THROTTLE_INITIAL:
ui/input-linux: Do not ignore ioctl() return value
Fix warnings reported by Clang static code analyzer:
CC ui/input-linux.o
ui/input-linux.c:343:9: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGBIT(EV_REL, sizeof(relmap)), &relmap);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ui/input-linux.c:351:9: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGBIT(EV_ABS, sizeof(absmap)), &absmap);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ui/input-linux.c:354:13: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGABS(ABS_X), &absinfo);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ui/input-linux.c:357:13: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGABS(ABS_Y), &absinfo);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ui/input-linux.c:365:9: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGBIT(EV_KEY, sizeof(keymap)), keymap);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ui/input-linux.c:366:9: warning: Value stored to 'rc' is never read
rc = ioctl(il->fd, EVIOCGKEY(sizeof(keystate)), keystate);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Peter Maydell [Tue, 24 Mar 2020 16:56:05 +0000 (16:56 +0000)]
Merge remote-tracking branch 'remotes/mdroth/tags/qga-pull-2020-03-24-tag0' into staging
qemu-ga patch queue for hard-freeze
* fix undefined C behavior with guest-file-* interfaces
* fix w32 installer issues
* fix crash for large file reads via guest-file-read on windows
* add missing man page documentation for virtio-vsock
* remotes/mdroth/tags/qga-pull-2020-03-24-tag0:
qemu-ga: document vsock-listen in the man page
qga: Fix undefined C behavior
qga-win: prevent crash when executing guest-file-read with large count
qga-win: Handle VSS_E_PROVIDER_ALREADY_REGISTERED error
qga: Installer: Wait for installation to finish
Eric Blake [Fri, 20 Mar 2020 15:05:07 +0000 (10:05 -0500)]
qga: Fix undefined C behavior
The QAPI struct GuestFileWhence has a comment about how we are
exploiting equivalent values between two different integer types
shared in a union. But C says behavior is undefined on assignments to
overlapping storage when the two types are not the same width, and
indeed, 'int64_t value' and 'enum QGASeek name' are very likely to be
different in width. Utilize a temporary variable to fix things.
Basil Salman [Wed, 11 Mar 2020 17:04:17 +0000 (19:04 +0200)]
qga-win: prevent crash when executing guest-file-read with large count
The guest-file-read command is currently implemented to read from a
file handle count number of bytes. When executed with a very large count number
qemu-ga crashes.
After some digging, it turns out that qemu-ga crashes after trying to allocate
a buffer large enough to save the data read in it; the buffer was allocated using
g_malloc0, which is not fail safe and results in a crash in case of failure.
g_malloc0 was replaced with g_try_malloc0(), which returns NULL on failure.
A check was added for that case in order to prevent qemu-ga from crashing
and to send a response to the qemu-ga client accordingly.
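The pattern this fix establishes, as an added example in plain C (not qemu-ga's code): a guest-controlled count drives an allocation, so the allocation must be allowed to fail and the failure turned into an error response rather than an abort. The try_malloc0 hook stands in for g_try_malloc0() (no glib here), and the GUEST_FILE_READ_MAX cap is an extra defensive limit assumed for this example, not something the commit adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed upper bound on a single read (not part of the commit): rejects
 * absurd counts before any allocation is even attempted. */
#define GUEST_FILE_READ_MAX (48u * 1024u * 1024u)

/* Allocator hook standing in for g_try_malloc0(): returns NULL on failure
 * instead of aborting like g_malloc0(). Swappable so the failure path can
 * be exercised without actually exhausting memory. */
void *(*try_malloc0)(size_t) = NULL;

static void *default_try_malloc0(size_t n)
{
    return calloc(1, n);
}

enum gfr_status {
    GFR_OK = 0,
    GFR_ERR_TOO_LARGE = 1,   /* count above GUEST_FILE_READ_MAX */
    GFR_ERR_NOMEM = 2,       /* allocation failed: report it, do not crash */
    GFR_ERR_IO = 3           /* read() failed */
};

/* Read up to count bytes from fd into a buffer the caller must free().
 * On any error *buf is NULL and *len is 0, mirroring the "send an error
 * response instead of crashing" behaviour the fix introduces. */
enum gfr_status guest_file_read(int fd, size_t count, uint8_t **buf, size_t *len)
{
    *buf = NULL;
    *len = 0;
    if (count > GUEST_FILE_READ_MAX) {
        return GFR_ERR_TOO_LARGE;
    }
    if (count == 0) {
        return GFR_OK;
    }
    void *(*alloc)(size_t) = try_malloc0 ? try_malloc0 : default_try_malloc0;
    uint8_t *p = alloc(count);
    if (p == NULL) {
        return GFR_ERR_NOMEM;    /* g_malloc0() would have aborted here */
    }
    ssize_t n = read(fd, p, count);
    if (n < 0) {
        free(p);
        return GFR_ERR_IO;
    }
    *buf = p;
    *len = (size_t)n;
    return GFR_OK;
}

/* Allocator that always fails (hypothetical, for exercising the NOMEM path). */
void *always_fail_malloc0(size_t n)
{
    (void)n;
    return NULL;
}

/* Stand-alone driver: writes a constructed sample into a pipe and reads it
 * back with the given count. Returns the status and the bytes obtained. */
enum gfr_status read_from_pipe(const char *sample, size_t count, size_t *got)
{
    int fds[2];
    *got = 0;
    if (pipe(fds) != 0) {
        return GFR_ERR_IO;
    }
    if (write(fds[1], sample, strlen(sample)) < 0) {
        close(fds[0]);
        close(fds[1]);
        return GFR_ERR_IO;
    }
    close(fds[1]);               /* EOF for the reader */
    uint8_t *buf;
    enum gfr_status st = guest_file_read(fds[0], count, &buf, got);
    close(fds[0]);
    free(buf);
    return st;
}
```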
Peter Maydell [Tue, 24 Mar 2020 12:24:41 +0000 (12:24 +0000)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-03-24' into staging
Block patches for 5.0-rc0:
- Use-after-free fix
- Fix for a memleak in an error path
- Preventative measures against other potential use-after-frees, and
against NULL deferences at runtime
- iotest fixes
* remotes/maxreitz/tags/pull-block-2020-03-24:
iotests/026: Move v3-exclusive test to new file
iotests: Fix cleanup path in some tests
block/qcow2: zero data_file child after free
block: bdrv_set_backing_bs: fix use-after-free
block: Assert BlockDriver::format_name is not NULL
block: Avoid memleak on qcow2 image info failure
There is a use-after-free possible: bdrv_unref_child() leaves
bs->backing freed but not NULL. bdrv_attach_child may produce a nested
polling loop due to drain, then access to the freed pointer is possible.
I've produced the following crash on 30 iotest with modified code. It
does not reproduce on master, but still seems possible:
#0 __strcmp_avx2 () at /lib64/libc.so.6
#1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
#2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
#3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
#4 bdrv_replace_child_noperm
(child=child@entry=0x55c9d48e5520,
new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
#5 bdrv_replace_child
(child=child@entry=0x55c9d48e5520,
new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
#6 bdrv_root_attach_child
(child_bs=child_bs@entry=0x55c9d3cc2060,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
#7 bdrv_attach_child
(parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
child_bs=child_bs@entry=0x55c9d3cc2060,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
errp=errp@entry=0x7ffd117108e0) at block.c:5876
#8 in bdrv_set_backing_hd
(bs=bs@entry=0x55c9d3c5a3d0,
backing_hd=backing_hd@entry=0x55c9d3cc2060,
errp=errp@entry=0x7ffd117108e0)
at block.c:2576
#9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
#10 job_prepare (job=0x55c9d49d84a0) at job.c:761
#11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
job.c:145
#12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
#13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
#14 job_completed (job=0x55c9d49d84a0) at job.c:845
#15 job_completed (job=0x55c9d49d84a0) at job.c:836
#16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
#17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
#18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
#19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
blocking=blocking@entry=true)
at util/aio-posix.c:728
#20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
at block/io.c:121
#21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
poll=poll@entry=true)
at block/io.c:114
#22 bdrv_replace_child_noperm
(child=child@entry=0x55c9d3d558f0,
new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
#23 bdrv_replace_child
(child=child@entry=0x55c9d3d558f0,
new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
#24 bdrv_root_attach_child
(child_bs=child_bs@entry=0x55c9d3d27300,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
#25 bdrv_attach_child
(parent_bs=parent_bs@entry=0x55c9d3cc2060,
child_bs=child_bs@entry=0x55c9d3d27300,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
errp=errp@entry=0x7ffd11710c60) at block.c:5876
#26 bdrv_set_backing_hd
(bs=bs@entry=0x55c9d3cc2060,
backing_hd=backing_hd@entry=0x55c9d3d27300,
errp=errp@entry=0x7ffd11710c60)
at block.c:2576
#27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
...
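The dangling-child pattern from this trace, as an added example with hypothetical stand-in structures (not QEMU's BlockDriverState or its API): a re-entrant hook models the nested polling loop that can run while a new child is attached, and the fixed variant clears the slot so that such a hook sees NULL instead of a freed pointer. The hook only compares the pointer value and never dereferences it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for a block node and its "backing" child (hypothetical). */
typedef struct Node {
    int refcnt;
    struct Node *backing;
    char filename[32];
} Node;

Node *node_new(const char *name)
{
    Node *n = calloc(1, sizeof(*n));
    n->refcnt = 1;
    strncpy(n->filename, name, sizeof(n->filename) - 1);
    return n;
}

void node_unref(Node *n)
{
    if (n && --n->refcnt == 0) {
        free(n);
    }
}

/* Models work that runs re-entrantly while a child is being attached
 * (the drain/poll loop in the trace) and inspects bs->backing, as
 * bdrv_backing_overridden() does. */
typedef void (*attach_hook)(Node *bs, void *opaque);

/* Buggy: dropping the old child leaves bs->backing pointing at freed
 * memory until the new child is stored; a hook in between sees garbage. */
void set_backing_buggy(Node *bs, Node *new_backing, attach_hook hook, void *opaque)
{
    node_unref(bs->backing);        /* freed, but bs->backing unchanged */
    if (hook) {
        hook(bs, opaque);           /* would dereference the stale pointer */
    }
    bs->backing = new_backing;
}

/* Fixed: never leave a dangling child pointer behind, so anything that
 * runs before the new child is attached sees "no backing file". */
void set_backing_fixed(Node *bs, Node *new_backing, attach_hook hook, void *opaque)
{
    node_unref(bs->backing);
    bs->backing = NULL;             /* the fix: clear the slot after unref */
    if (hook) {
        hook(bs, opaque);           /* sees NULL and skips the backing path */
    }
    bs->backing = new_backing;
}

/* Hook that records whether it observed a non-NULL backing pointer.
 * It compares the pointer value only; dereferencing it would be the UAF. */
static void record_hook(Node *bs, void *opaque)
{
    *(bool *)opaque = (bs->backing != NULL);
}

/* Returns true if the hook saw a stale (non-NULL) backing pointer. */
bool hook_sees_stale_backing(bool use_fixed)
{
    Node *top = node_new("top.qcow2");
    Node *old = node_new("old-backing.qcow2");
    Node *fresh = node_new("new-backing.qcow2");
    bool saw_nonnull = false;
    top->backing = old;
    if (use_fixed) {
        set_backing_fixed(top, fresh, record_hook, &saw_nonnull);
    } else {
        set_backing_buggy(top, fresh, record_hook, &saw_nonnull);
    }
    node_unref(top->backing);       /* fresh */
    node_unref(top);
    return saw_nonnull;
}
```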
block: Assert BlockDriver::format_name is not NULL
bdrv_do_find_format() calls strcmp() using BlockDriver::format_name
as argument, which must not be NULL. Assert this field is not null
when we register a block driver in bdrv_register().
* remotes/dgibson/tags/ppc-for-5.0-20200324:
ppc/ppc405_boards: Remove unnecessary NULL check
hw/ppc: Take QEMU lock when calling ppc_dcr_read/write()
spapr: Fix memory leak in h_client_architecture_support()
target/ppc: don't byte swap ELFv2 signal handler
target/ppc: Fix ISA v3.0 (POWER9) slbia implementation
target/ppc: Fix slbia TLB invalidation gap
ppc/spapr: Set the effective address provided flag in mc error log.
Peter Maydell [Sun, 22 Mar 2020 19:22:58 +0000 (19:22 +0000)]
hw/ppc: Take QEMU lock when calling ppc_dcr_read/write()
The ppc_dcr_read() and ppc_dcr_write() functions call into callbacks
in device code, so we need to hold the QEMU iothread lock while
calling them. This is the case already for the callsites in
kvmppc_handle_dcr_read/write(), but we must also take the lock when
calling the helpers from TCG.
This fixes a bug where attempting to initialise the PPC405EP
SDRAM will cause an assertion when sdram_map_bcr() attempts
to remap memory regions.
Vincent Fazio [Thu, 19 Mar 2020 13:32:44 +0000 (08:32 -0500)]
target/ppc: don't byte swap ELFv2 signal handler
Previously, the signal handler would be byte swapped if the target and
host CPU used different endianness. This would cause a SIGSEGV when
attempting to translate the opcode pointed to by the swapped address.
Thread 1 "qemu-ppc64" received signal SIGSEGV, Segmentation fault.
0x00000000600a9257 in ldl_he_p (ptr=0x4c2c061000000000) at qemu/include/qemu/bswap.h:351
351 __builtin_memcpy(&r, ptr, sizeof(r));
#0 0x00000000600a9257 in ldl_he_p (ptr=0x4c2c061000000000) at qemu/include/qemu/bswap.h:351
#1 0x00000000600a92fe in ldl_be_p (ptr=0x4c2c061000000000) at qemu/include/qemu/bswap.h:449
#2 0x00000000600c0790 in translator_ldl_swap at qemu/include/exec/translator.h:201
#3 0x000000006011c1ab in ppc_tr_translate_insn at qemu/target/ppc/translate.c:7856
#4 0x000000006005ae70 in translator_loop at qemu/accel/tcg/translator.c:102
The signal handler will be byte swapped as a result of the __get_user()
call in sigaction() if it is necessary, no additional swap is required.
Nicholas Piggin [Thu, 19 Mar 2020 06:44:39 +0000 (16:44 +1000)]
target/ppc: Fix ISA v3.0 (POWER9) slbia implementation
The new ISA v3.0 slbia variants have not been implemented for TCG,
which can lead to crashing when a POWER9 machine boots Linux using
the hash MMU, for example ("disable_radix" kernel command line).
Nicholas Piggin [Wed, 18 Mar 2020 04:41:34 +0000 (14:41 +1000)]
target/ppc: Fix slbia TLB invalidation gap
slbia must invalidate TLBs even if it does not remove a valid SLB
entry, because slbmte can overwrite valid entries without removing
their TLBs.
As the architecture says, slbia invalidates all lookaside information,
not conditionally based on if it removed valid entries.
It does not seem possible for POWER8 or earlier Linux kernels to hit
this bug because it never changes its kernel SLB translations, and it
should always have valid entries if any accesses are made to userspace
regions. However other operating systems which may modify SLB entry 0
or do more fancy things with segments might be affected.
When POWER9 slbia support is added in the next patch, this becomes a
real problem because some new slbia variants don't invalidate all
non-zero entries.
ppc/spapr: Set the effective address provided flag in mc error log.
Per PAPR, it is expected to set effective address provided flag in
sub_err_type member of mc extended error log (i.e
rtas_event_log_v6_mc.sub_err_type). This somehow got missed in original
fwnmi-mce patch series. The current code just updates the effective address
but does not set the flag to indicate that it is available. Hence guest
fails to extract effective address from mce rtas log. This patch fixes
that.
Without this patch, guest MCE logs fail to print the DAR value:
Peter Maydell [Mon, 23 Mar 2020 17:41:21 +0000 (17:41 +0000)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200323' into staging
target-arm queue:
* target/arm: avoid undefined behaviour shift in watchpoint code
* target/arm: avoid undefined behaviour shift in handle_simd_dupe()
* target/arm: add assert that immh != 0 in disas_simd_shift_imm()
* aspeed/smc: Fix DMA support for AST2600
* hw/arm/bcm283x: Correct the license text ('and' vs 'or')
* remotes/pmaydell/tags/pull-target-arm-20200323:
target/arm: Move computation of index in handle_simd_dupe
target/arm: Assert immh != 0 in disas_simd_shift_imm
target/arm: Rearrange disabled check for watchpoints
aspeed/smc: Fix DMA support for AST2600
hw/arm/bcm283x: Correct the license text
target/arm: Move computation of index in handle_simd_dupe
Coverity reports a BAD_SHIFT with ctz32(imm5), with imm5 == 0.
This is an invalid encoding, but we diagnose that just below
by rejecting size > 3. Avoid the warning by sinking the
computation of index below the check.
Cédric Le Goater [Mon, 23 Mar 2020 17:22:30 +0000 (17:22 +0000)]
aspeed/smc: Fix DMA support for AST2600
Recent firmware uses SPI DMA transfers in U-Boot to load the
different images (kernel, initrd, dtb) in the SoC DRAM. The AST2600
FMC model is missing the masks to be applied on the DMA registers
which resulted in incorrect values. Fix that and wire the SPI
controllers which have DMA support on the AST2600.
The license is the 'GNU General Public License v2.0 or later',
not 'and':
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
Stefan Hajnoczi [Thu, 19 Mar 2020 16:35:59 +0000 (16:35 +0000)]
aio-posix: fix io_uring with external events
When external event sources are disabled fdmon-io_uring falls back to
fdmon-poll. The ->need_wait() callback needs to watch for this so it
can return true when external event sources are disabled.
It is also necessary to call ->wait() when AioHandlers have changed
because io_uring is asynchronous and we must submit new sqes.
Both of these changes to ->need_wait() together fix tests/test-aio -p
/aio/external-client, which failed with: