Peter Maydell [Mon, 27 Jul 2020 14:55:56 +0000 (15:55 +0100)]
Merge remote-tracking branch 'remotes/stsquad/tags/pull-fixes-for-rc2-270720-1' into staging
Various fixes for rc2:
- get shippable working again
- semihosting bug fixes
- tweak tb-size handling for low memory machines
- i386 compound literal float fix
- linux-user MAP_FIXED->MAP_NOREPLACE on fallback
- docker binfmt_misc fixes
- linux-user nanosleep fix
- tests/vm drain console fixes
# gpg: Signature made Mon 27 Jul 2020 09:45:31 BST
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <[email protected]>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* remotes/stsquad/tags/pull-fixes-for-rc2-270720-1:
tests/vm: add shutdown timeout in basevm.py
python/qemu: Change ConsoleSocket to optionally drain socket.
python/qemu: Cleanup changes to ConsoleSocket
linux-user, ppc: fix clock_nanosleep() for linux-user-ppc
linux-user: fix clock_nanosleep()
tests/docker: add support for DEB_KEYRING
tests/docker: fix binfmt_misc image building
tests/docker: fix update command due to python3 str/bytes distinction
linux-user: don't use MAP_FIXED in pgd_find_hole_fallback
target/i386: floatx80: avoid compound literals in static initializers
accel/tcg: better handle memory constrained systems
util/oslib-win32: add qemu_get_host_physmem implementation
util: add qemu_get_host_physmem utility function
semihosting: don't send the trailing '\0'
semihosting: defer connect_chardevs a little more to use serialx
shippable: add one more qemu to registry url
Robert Foley [Fri, 24 Jul 2020 06:45:08 +0000 (07:45 +0100)]
python/qemu: Change ConsoleSocket to optionally drain socket.
The primary purpose of this change is to clean up
machine.py's console_socket property to return a single type,
a ConsoleSocket.
ConsoleSocket now derives from a socket, which means that
in the default case (of not draining), machine.py
will see the same behavior as it did prior to ConsoleSocket.
If the call is interrupted by a signal handler, it fails with error EINTR
and if "remain" is not NULL and "flags" is not TIMER_ABSTIME, it returns
the remaining unslept time in "remain".
Update linux-user to not overwrite the "remain" structure if there is no
error.
Found with "make check-tcg", linux-test fails on nanosleep test:
TEST linux-test on x86_64
.../tests/tcg/multiarch/linux-test.c:242: nanosleep
Alex Bennée [Fri, 24 Jul 2020 06:45:04 +0000 (07:45 +0100)]
tests/docker: add support for DEB_KEYRING
For installing stuff from sid or ports you may need to manually
specify the location of the keyring. You can even import keys into
your personal keyring and point it there, e.g.:
Alex Bennée [Fri, 24 Jul 2020 06:45:01 +0000 (07:45 +0100)]
linux-user: don't use MAP_FIXED in pgd_find_hole_fallback
Plain MAP_FIXED has the undesirable behaviour of splatting exiting
maps so we don't actually achieve what we want when looking for gaps.
We should be using MAP_FIXED_NOREPLACE. As this isn't always available
we need to potentially check the returned address to see if the kernel
gave us what we asked for.
target/i386: floatx80: avoid compound literals in static initializers
Quoting ISO C99 6.7.8p4, "All the expressions in an initializer for an
object that has static storage duration shall be constant expressions or
string literals".
The compound literal produced by the make_floatx80() macro is not such a
constant expression, per 6.6p7-9. (An implementation may accept it,
according to 6.6p10, but is not required to.)
Therefore using "floatx80_zero" and make_floatx80() for initializing
"f2xm1_table" and "fpatan_table" is not portable. And gcc-4.8 in RHEL-7.6
actually chokes on them:
> target/i386/fpu_helper.c:871:5: error: initializer element is not constant
> { make_floatx80(0xbfff, 0x8000000000000000ULL),
> ^
We've had the make_floatx80_init() macro for this purpose since commit 3bf7e40ab914 ("softfloat: fix for C99", 2012-03-17), so let's use that
macro again.
Alex Bennée [Fri, 24 Jul 2020 06:44:59 +0000 (07:44 +0100)]
accel/tcg: better handle memory constrained systems
It turns out there are some 64 bit systems that have relatively low
amounts of physical memory available to them (typically CI system).
Even with swapping available a 1GB translation buffer that fills up
can put the machine under increased memory pressure. Detect these low
memory situations and reduce tb_size appropriately.
Alex Bennée [Fri, 24 Jul 2020 06:44:57 +0000 (07:44 +0100)]
util: add qemu_get_host_physmem utility function
This will be used in a future patch. For POSIX systems _SC_PHYS_PAGES
isn't standardised but at least appears in the man pages for
Open/FreeBSD. The result is advisory so any users of it shouldn't just
fail if we can't work it out.
The win32 stub currently returns 0 until someone with a Windows system
can develop and test a patch.
QEMU issues the ioctl(KVM_CAP_PPC_FWNMI) on the first vCPU.
If the first vCPU is currently running, the vCPU mutex is held
and the ioctl() cannot be done and waits until the mutex is released.
This never happens and the VM is stuck.
To avoid this deadlock, issue the ioctl on the same vCPU doing the
RTAS call.
The problem can be reproduced by booting a guest with several vCPUs
(the probability to have the problem is (n - 1) / n, n = # of CPUs),
and then by triggering a kernel crash with "echo c >/proc/sysrq-trigger".
Peter Maydell [Sun, 26 Jul 2020 16:17:58 +0000 (17:17 +0100)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200725' into staging
Fix some cputlb commentary
Fix an hppa temporary leak
Fix an i386 translation issue with loop insns
# gpg: Signature made Sat 25 Jul 2020 17:03:59 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "[email protected]"
# gpg: Good signature from "Richard Henderson <[email protected]>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-tcg-20200725:
target/i386: Save cc_op before loop insns
target/hppa: Free some temps in do_sub
tcg: update comments for save_iotlb_data in cputlb
Peter Maydell [Sat, 25 Jul 2020 19:30:58 +0000 (20:30 +0100)]
Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2020-07-24-1' into staging
Merge tpm 2020/07/24 v1
# gpg: Signature made Sat 25 Jul 2020 01:13:22 BST
# gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* remotes/stefanberger/tags/pull-tpm-2020-07-24-1:
tpm_emulator: Report an error if chardev is missing
tpm: Improve help on TPM types when none are available
Revert "tpm: Clean up error reporting in tpm_init_tpmdev()"
* remotes/kraxel/tags/fixes-20200724-pull-request:
configure: Allow to build tools without pixman
hw/input/virtio-input-hid.c: Don't undef CONFIG_CURSES
hw: Only compile the usb-dwc2 controller if it is really needed
John Snow [Mon, 20 Jul 2020 16:02:52 +0000 (12:02 -0400)]
python/machine: Change default timeout to 30 seconds
3 seconds is too short for some tests running inside busy VMs. Build it out to
a rather generous 30 seconds to find out conclusively if there are more severe
problems in the merge/CI tests.
We report some -tpmdev failures, but then continue as if all was fine.
Reproducer:
$ qemu-system-x86_64 -nodefaults -S -display none -monitor stdio -chardev null,id=tpm0 -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0
qemu-system-x86_64: -tpmdev emulator,id=tpm0,chardev=chrtpm: tpm-emulator: tpm chardev 'chrtpm' not found.
qemu-system-x86_64: -tpmdev emulator,id=tpm0,chardev=chrtpm: tpm-emulator: Could not cleanly shutdown the TPM: No such file or directory
QEMU 5.0.90 monitor - type 'help' for more information
(qemu) qemu-system-x86_64: -device tpm-tis,tpmdev=tpm0: Property 'tpm-tis.tpmdev' can't find value 'tpm0'
$ echo $?
1
This is a regression caused by commit d10e05f15d "tpm: Clean up error
reporting in tpm_init_tpmdev()". It's incomplete: be->create(opts)
continues to use error_report(), and we don't set an error when it
fails.
I figure converting the create() methods to Error would make some
sense, but I'm not sure it's worth the effort right now. Revert the
broken commit instead, and add a comment to tpm_init_tpmdev().
Thomas Huth [Thu, 23 Jul 2020 14:11:23 +0000 (16:11 +0200)]
configure: Allow to build tools without pixman
If pixman is not installed, it is currently not possible to run:
.../configure --disable-system --enable-tools
Seems like there was a dependency from one of the required source
files to pixman in the past, but since commit 1ac0206b2ae1ffaeec56
("qemu-timer.c: Trim list of included headers"), this dependency
should be gone. Thus allow to compile the tools without pixman now.
* remotes/armbru/tags/pull-error-2020-07-24:
qapi/error: Check format string argument in error_*prepend()
sd/milkymist-memcard: Fix format string
error: Strip trailing '\n' from error string arguments (again)
coccinelle/err-bad-newline: Fix for Python 3, and add patterns
virtio-input-hid.c undefines CONFIG_CURSES before including
ui/console.h. However since commits e2f82e924d057935 and b0766612d16da18
that header does not have behaviour dependent on CONFIG_CURSES.
Remove the now-unneeded undef.
Thomas Huth [Wed, 22 Jul 2020 15:47:19 +0000 (17:47 +0200)]
hw: Only compile the usb-dwc2 controller if it is really needed
The USB_DWC2 switch is currently "default y", so it is included in all
qemu-system-* builds, even if it is not needed. Even worse, it does a
"select USB", so USB devices are now showing up as available on targets
that do not support USB at all. This sysbus device should only be
included by the boards that need it, i.e. by the Raspi machines.
qapi/error: Check format string argument in error_*prepend()
error_propagate_prepend() "behaves like error_prepend()", and
error_prepend() uses "formatting @fmt, ... like printf()".
error_prepend() checks its format string argument, but
error_propagate_prepend() does not. Fix by addint the format
attribute to error_propagate_prepend() and error_vprepend().
This would have caught the bug fixed in the previous commit.
Missed in commit 4b5766488f "error: Fix use of error_prepend() with
&error_fatal, &error_abort".
The function machine_get_loadparm() is supposed to produce a C-string,
that is a NUL-terminated one, but it does not. ElectricFence can detect
this problem if the loadparm machine property is used.
Let us make the returned string a NUL-terminated one.
s390x/protvirt: allow to IPL secure guests with -no-reboot
Right now, -no-reboot prevents secure guests from running. This is
correct from an implementation point of view, as we have modeled the
transition from non-secure to secure as a program directed IPL. From
a user perspective, this is not the behavior of least surprise.
We should implement the IPL into protected mode similar to the
functions that we use for kdump/kexec. In other words, we do not stop
here when -no-reboot is specified on the command line. Like function 0
or function 1, function 10 is not a classic reboot. For example, it
can only be called once. Before calling it a second time, a real
reboot/reset must happen in-between. So function code 10 is more or
less a state transition reset, but not a "standard" reset or reboot.
HF2_GIF_MASK is set in env->hflags2 unconditionally on CPU reset
(see x86_cpu_reset()) but when calling KVM_SET_NESTED_STATE,
KVM_STATE_NESTED_GIF_SET is only valid for nSVM as e.g. nVMX code
looks like
if (kvm_state->hdr.vmx.vmxon_pa == -1ull) {
if (kvm_state->flags & ~KVM_STATE_NESTED_EVMCS)
return -EINVAL;
}
Also, when adjusting the environment after KVM_GET_NESTED_STATE we
need not reset HF2_GIF_MASK on VMX as e.g. x86_cpu_pending_interrupt()
expects it to be set.
Alternatively, we could've made env->hflags2 SVM-only.
Peter Maydell [Thu, 23 Jul 2020 18:00:42 +0000 (19:00 +0100)]
Merge remote-tracking branch 'remotes/alistair/tags/pull-riscv-to-apply-20200722-1' into staging
This PR contains a few RISC-V fixes.
The main fix is the correction of the goldfish RTC time. On top of that
some small fixes to the recently added vector extensions have been added
(including an assert that fixed a coverity report). There is a change in
the SiFive E debug memory size to match hardware. Finally there is a fix
for PMP accesses.
# gpg: Signature made Wed 22 Jul 2020 17:43:59 BST
# gpg: using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <[email protected]>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* remotes/alistair/tags/pull-riscv-to-apply-20200722-1:
target/riscv: Fix the range of pmpcfg of CSR funcion table
hw/riscv: sifive_e: Correct debug block size
target/riscv: fix vector index load/store constraints
target/riscv: Quiet Coverity complains about vamo*
goldfish_rtc: Fix non-atomic read behaviour of TIME_LOW/TIME_HIGH
Peter Maydell [Thu, 23 Jul 2020 12:38:21 +0000 (13:38 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
acpi,virtio,pc: bugfixes
Fix bug in ACPI which were tripping up guests.
Fix a use-after-free with hotplug of virtio devices.
Block ability to create legacy devices which shouldn't have been
there in the first place.
Fix migration error handling with balloon.
Drop some dead code in virtio.
vtd emulation fixup.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Wed 22 Jul 2020 13:07:26 BST
# gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg: issuer "[email protected]"
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [full]
# gpg: aka "Michael S. Tsirkin <[email protected]>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469
* remotes/mst/tags/for_upstream:
virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.
intel_iommu: Use correct shift for 256 bits qi descriptor
virtio: verify that legacy support is not accidentally on
virtio: list legacy-capable devices
virtio-balloon: Replace free page hinting references to 'report' with 'hint'
virtio-balloon: Add locking to prevent possible race when starting hinting
virtio-balloon: Prevent guest from starting a report when we didn't request one
virtio: Drop broken and superfluous object_property_set_link()
acpi: accept byte and word access to core ACPI registers
LIU Zhiwei [Tue, 21 Jul 2020 13:37:42 +0000 (21:37 +0800)]
target/riscv: fix vector index load/store constraints
Although not explicitly specified that the the destination
vector register groups cannot overlap the source vector register group,
it is still necessary.
And this constraint has been added to the v0.8 spec.
goldfish_rtc: Fix non-atomic read behaviour of TIME_LOW/TIME_HIGH
The specification says:
0x00 TIME_LOW R: Get current time, then return low-order 32-bits.
0x04 TIME_HIGH R: Return high 32-bits from previous TIME_LOW read.
...
To read the value, the kernel must perform an IO_READ(TIME_LOW),
which returns an unsigned 32-bit value, before an IO_READ(TIME_HIGH),
which returns a signed 32-bit value, corresponding to the higher half
of the full value.
However, we were just returning the current time for both. If the guest
is unlucky enough to read TIME_LOW and TIME_HIGH either side of an
overflow of the lower half, it will see time be in the future, before
jumping backwards on the next read, and Linux currently relies on the
atomicity guaranteed by the spec so is affected by this. Fix this
violation of the spec by caching the correct value for TIME_HIGH
whenever TIME_LOW is read, and returning that value for any TIME_HIGH
read.
virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.
There is an issue when callback may be called with invalid vdev.
It happens on unplug when vdev already deleted and VirtIOPciProxy is not.
So now, callbacks accept proxy device, and vdev retrieved from it.
Technically memio callbacks should be removed during the flatview update,
but memoryregions remain til PCI device(and it's address space) completely deleted. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1716352 Signed-off-by: Andrew Melnychenko <[email protected]>
Message-Id: <20200706112123[email protected]> Cc: [email protected] Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]>
Liu Yi L [Sat, 4 Jul 2020 08:07:15 +0000 (01:07 -0700)]
intel_iommu: Use correct shift for 256 bits qi descriptor
In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was introduced
in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor
from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should
be 5 when descriptor size is 256 bits.
This patch adds the DW bit check when deciding the shift used to update
VTD_IQH_REG.
Several types of virtio devices had already been around before the
virtio standard was specified. These devices support virtio in legacy
(and transitional) mode.
Devices that have been added in the virtio standard are considered
non-transitional (i.e. with no support for legacy virtio).
Provide a helper function so virtio transports can figure that out
easily.
Alexander Duyck [Mon, 20 Jul 2020 17:51:28 +0000 (10:51 -0700)]
virtio-balloon: Replace free page hinting references to 'report' with 'hint'
Recently a feature named Free Page Reporting was added to the virtio
balloon. In order to avoid any confusion we should drop the use of the word
'report' when referring to Free Page Hinting. So what this patch does is go
through and replace all instances of 'report' with 'hint" when we are
referring to free page hinting.
Alexander Duyck [Mon, 20 Jul 2020 17:51:22 +0000 (10:51 -0700)]
virtio-balloon: Add locking to prevent possible race when starting hinting
There is already locking in place when we are stopping free page hinting
but there is not similar protections in place when we start. I can only
assume this was overlooked as in most cases the page hinting should not be
occurring when we are starting the hinting, however there is still a chance
we could be processing hints by the time we get back around to restarting
the hinting so we are better off making sure to protect the state with the
mutex lock rather than just updating the value with no protections.
Based on feedback from Peter Maydell this issue had also been spotted by
Coverity: CID 1430269
Alexander Duyck [Mon, 20 Jul 2020 17:51:15 +0000 (10:51 -0700)]
virtio-balloon: Prevent guest from starting a report when we didn't request one
Based on code review it appears possible for the driver to force the device
out of a stopped state when hinting by repeating the last ID it was
provided.
Prevent this by only allowing a transition to the start state when we are
in the requested state. This way the driver is only allowed to send one
descriptor that will transition the device into the start state. All others
will leave it in the stop state once it has finished.
Michael Tokarev [Mon, 20 Jul 2020 16:06:27 +0000 (19:06 +0300)]
acpi: accept byte and word access to core ACPI registers
All ISA registers should be accessible as bytes, words or dwords
(if wide enough). Fix the access constraints for acpi-pm-evt,
acpi-pm-tmr & acpi-cnt registers.
* remotes/kevin/tags/for-upstream:
iotests: Test sparseness for qemu-img convert -n
qcow2: Implement v2 zero writes with discard if possible
file-posix: Handle `EINVAL` fallocate return value
* remotes/armbru/tags/pull-qom-2020-07-21:
qom: Make info qom-tree sort children more efficiently
qom: Document object_get_canonical_path() returns malloced string
qom: Change object_get_canonical_path_component() not to malloc
Peter Maydell [Tue, 21 Jul 2020 15:50:42 +0000 (16:50 +0100)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Tue 21 Jul 2020 14:31:13 BST
# gpg: using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <[email protected]>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
hw/net: Added plen fix for IPv6
qom: Make info qom-tree sort children more efficiently
Commit e8c9e65816 "qom: Make "info qom-tree" show children sorted"
sorts children the simple, stupid, quadratic way. I thought the
number of children would be small enough for this not to matter. I
was wrong: there are outliers with several hundred children, e.g ARM
machines nuri and smdkc210 each have a node with 513 children.
While n^2 sorting isn't noticeable in normal, human usage even for
n=513, it can be quite noticeable in certain automated tests. In
particular, the sort made device-introspect-test even slower. Commit 3e7b80f84d "tests: improve performance of device-introspect-test" just
fixed that by cutting back its excessive use of "info qom-tree".
Sorting more efficiently makes sense regardless, so do it.
qdev: Fix device_add DRIVER,help to print to monitor
Help on device properties gets printed to stdout instead of the
monitor. If you have the monitor anywhere else, no help for you.
Broken when commit e1043d674d "qdev: use object_property_help()"
accidentally switched from qemu_printf() to printf(). Switch right
back.
hw/nvram/fw_cfg: Let fw_cfg_add_from_generator() return boolean value
Commits b6d7e9b66f..a43770df5d simplified the error propagation.
Similarly to commit 6fd5bef10b "qom: Make functions taking Error**
return bool, not void", let fw_cfg_add_from_generator() return a
boolean value, not void.
This allow to simplify parse_fw_cfg() and fixes the error handling
issue reported by Coverity (CID 1430396):
In parse_fw_cfg():
Variable assigned once to a constant guards dead code.
Local variable local_err is assigned only once, to a constant
value, making it effectively constant throughout its scope.
If this is not the intent, examine the logic to see if there
is a missing assignment that would make local_err not remain
constant.
Document FWCfgDataGeneratorClass::get_data() return NULL
on error, and non-NULL on success. This allow us to simplify
fw_cfg_add_from_generator(). Since we don't need a local
variable to propagate the error, we can remove the ERRP_GUARD()
macro.
Kevin Wolf [Tue, 21 Jul 2020 13:55:19 +0000 (15:55 +0200)]
qcow2: Implement v2 zero writes with discard if possible
qcow2 version 2 images don't support the zero flag for clusters, so for
write_zeroes requests, we return -ENOTSUP and get explicit zero buffer
writes. If the image doesn't have a backing file, we can do better: Just
discard the respective clusters.
This is relevant for 'qemu-img convert -O qcow2 -n', where qemu-img has
to assume that the existing target image may contain any data, so it has
to write zeroes. Without this patch, this results in a fully allocated
target image, even if the source image was empty.
Antoine Damhet [Fri, 17 Jul 2020 13:56:04 +0000 (15:56 +0200)]
file-posix: Handle `EINVAL` fallocate return value
The `detect-zeroes=unmap` option may issue unaligned
`FALLOC_FL_PUNCH_HOLE` requests, raw block devices can (and will) return
`EINVAL`, qemu should then write the zeroes to the blockdev instead of
issuing an `IO_ERROR`.
qom: Change object_get_canonical_path_component() not to malloc
object_get_canonical_path_component() returns a malloced copy of a
property name on success, null on failure.
19 of its 25 callers immediately free the returned copy.
Change object_get_canonical_path_component() to return the property
name directly. Since modifying the name would be wrong, adjust the
return type to const char *.
Drop the free from the 19 callers become simpler, add the g_strdup()
to the other six.
hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
occurs while sending an Ethernet frame due to missing break statements
and improper checking of the buffer size.
Andrew [Thu, 16 Jul 2020 03:53:24 +0000 (06:53 +0300)]
hw/net: Added plen fix for IPv6
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1708065
With network backend with 'virtual header' - there was an issue
in 'plen' field. Overall, during TSO, 'plen' would be changed,
but with 'vheader' this field should be set to the size of the
payload itself instead of '0'.
Peter Maydell [Tue, 21 Jul 2020 13:03:45 +0000 (14:03 +0100)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-07-21' into staging
Block patches for 5.1:
- Let LUKS images only be shared between VMs if the guest device was
configured to allow that
- Fix abort() from bdrv_aio_cancel() for guest devices without a BDS
qapi: Fix visit_type_STRUCT() not to fail for null object
To make deallocating partially constructed objects work, the
visit_type_STRUCT() need to succeed without doing anything when passed
a null object.
Commit cdd2b228b9 "qapi: Smooth visitor error checking in generated
code" broke that. To reproduce, run tests/test-qobject-input-visitor
with AddressSanitizer:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7f192d0c5d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
#1 0x7f192cd21b10 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b10)
#2 0x556725f6bbee in visit_next_list qapi/qapi-visit-core.c:86
#3 0x556725f49e15 in visit_type_UserDefOneList tests/test-qapi-visit.c:474
#4 0x556725f4489b in test_visitor_in_fail_struct_in_list tests/test-qobject-input-visitor.c:1086
#5 0x7f192cd42f29 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72f29)
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
Test case /visitor/input/fail/struct-in-list feeds a list with a bad
element to the QObject input visitor. Visiting that element duly
fails, and aborts the visit with the list only partially constructed:
the faulty object is null. Cleaning up the partially constructed list
visits that null object, fails, and aborts the visit before the list
node gets freed.
Fix the the generated visit_type_STRUCT() to succeed for null objects.
Stefan Hajnoczi [Mon, 20 Jul 2020 10:01:41 +0000 (11:01 +0100)]
block: fix bdrv_aio_cancel() for ENOMEDIUM requests
bdrv_aio_cancel() calls aio_poll() on the AioContext for the given I/O
request until it has completed. ENOMEDIUM requests are special because
there is no BlockDriverState when the drive has no medium!
Define a .get_aio_context() function for BlkAioEmAIOCB requests so that
bdrv_aio_cancel() can find the AioContext where the completion BH is
pending. Without this function bdrv_aio_cancel() aborts on ENOMEDIUM
requests!
(gdb) bt
#1 0x00007ffff4f93895 in abort () at /lib64/libc.so.6
#2 0x0000555555dc6c00 in bdrv_aio_cancel (acb=0x555556765550) at block/io.c:2745
#3 0x0000555555dac202 in blk_aio_cancel (acb=0x555556765550) at block/block-backend.c:1546
#4 0x0000555555b1bd74 in ide_reset (s=0x555557213340) at hw/ide/core.c:1318
#5 0x0000555555b1e3a1 in ide_bus_reset (bus=0x5555572132b8) at hw/ide/core.c:2422
#6 0x0000555555b2aa27 in ahci_reset_port (s=0x55555720eb50, port=2) at hw/ide/ahci.c:650
#7 0x0000555555b29fd7 in ahci_port_write (s=0x55555720eb50, port=2, offset=44, val=16) at hw/ide/ahci.c:360
#8 0x0000555555b2a564 in ahci_mem_write (opaque=0x55555720eb50, addr=556, val=16, size=1) at hw/ide/ahci.c:513
#9 0x000055555598415b in memory_region_write_accessor (mr=0x55555720eb80, addr=556, value=0x7fffffffb838, size=1, shift=0, mask=255, attrs=...) at softmmu/memory.c:483
Looking at bdrv_aio_cancel:
2728 /* async I/Os */
2729
2730 void bdrv_aio_cancel(BlockAIOCB *acb)
2731 {
2732 qemu_aio_ref(acb);
2733 bdrv_aio_cancel_async(acb);
2734 while (acb->refcnt > 1) {
2735 if (acb->aiocb_info->get_aio_context) {
2736 aio_poll(acb->aiocb_info->get_aio_context(acb), true);
2737 } else if (acb->bs) {
2738 /* qemu_aio_ref and qemu_aio_unref are not thread-safe, so
2739 * assert that we're not using an I/O thread. Thread-safe
2740 * code should use bdrv_aio_cancel_async exclusively.
2741 */
2742 assert(bdrv_get_aio_context(acb->bs) == qemu_get_aio_context());
2743 aio_poll(bdrv_get_aio_context(acb->bs), true);
2744 } else {
2745 abort(); <===============
2746 }
2747 }
2748 qemu_aio_unref(acb);
2749 }
Peter Maydell [Tue, 21 Jul 2020 09:24:38 +0000 (10:24 +0100)]
Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-07-21' into staging
* Fix memory leak in fuzzer
* Fuzzer documentation updates
* Some other minor fuzzer updates
* Fix "make check-qtest SPEED=slow" (bug in msf2 instance_init)
* remotes/huth-gitlab/tags/pull-request-2020-07-21:
hw: Mark nd_table[] misuse in realize methods FIXME
msf2: Unbreak device-list-properties for "msf-soc"
MAINTAINERS: Extend the device fuzzing section
docs/fuzz: add instructions for generating a coverage report
docs/fuzz: add information about useful libFuzzer flags
docs/fuzz: describe building fuzzers with enable-sanitizers
fuzz: build without AddressSanitizer, by default
gitlab-ci.yml: Add oss-fuzz build tests
fuzz: Fix leak when assembling datadir path string
scripts/oss-fuzz: Limit target list to i386-softmmu
Checking the enable/disable state of tracepoints via
trace_event_get_state_backends() does not work for modules.
qxl checks the state for a small optimization (avoid g_strndup
call in case log_buf will not be used anyway), so we can just
drop that check for modular builds.
xhci: fix valid.max_access_size to access address registers
QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
64-bit mode access in "runtime" and "operational" MemoryRegionOps.
Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
XHCI specs:
"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
should write 64-bit registers using only Qword accesses. If a
system is incapable of issuing Qword accesses, then writes to the
64-bit address fields shall be performed using 2 Dword accesses;
low Dword-first, high-Dword second. If the xHC supports 32-bit
addressing (AC64 = ‘0’), then the high Dword of registers containing
64-bit address fields are unused and software should write addresses
using only Dword accesses"
The problem has been detected with SLOF, as linux kernel always accesses
registers using 32-bit access even if AC64 is set and revealed by 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
My commit 'block/crypto: implement the encryption key management'
accidently allowed raw luks images to be shared between different
qemu processes without share-rw=on explicit override.
Fix that.
Fixes: bbfdae91fb ("block/crypto: implement the encryption key management")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1857490
hw: Mark nd_table[] misuse in realize methods FIXME
nd_table[] contains NIC configuration for boards to pick up. Device
code has no business looking there. Several devices do it anyway.
Two of them already have a suitable FIXME comment: "allwinner-a10" and
"msf2-soc". Copy it to the others: "allwinner-h3", "xlnx-versal",
"xlnx,zynqmp", "sparc32-ledma", "riscv.sifive.u.soc".
Root cause is m2sxxx_soc_initfn()'s messing with nd_table[] via
qemu_check_nic_model(). That's wrong.
We fixed the exact same bug for device "allwinner-a10" in commit 8aabc5437b "hw/arm/allwinner-a10: Do not use nd_table in instance_init
function". Fix this instance the same way: move the offending code to
m2sxxx_soc_realize(), where it's less wrong, and add a FIXME comment.
Thomas Huth [Tue, 21 Jul 2020 05:36:09 +0000 (07:36 +0200)]
MAINTAINERS: Extend the device fuzzing section
The file docs/devel/fuzzing.txt should be in this section, too, and add
myself as a reviewer (since I often take the fuzzer patches through the
qtest-next tree, I should be notified on patches, too).
We already have a nice --enable-sanitizers option to enable
AddressSanitizer. There is no reason to duplicate and force this
functionality in --enable-fuzzing. In the future, if more sanitizers are
added to --enable-sanitizers, it might be impossible to build with both
--enable-sanitizers and --enable-fuzzing, since not all sanitizers are
compatible with libFuzzer. In that case, we could enable ASAN with
--extra-cflags="-fsanitize=address"
This tries to build and run the fuzzers with the same build-script used
by oss-fuzz. This doesn't guarantee that the builds on oss-fuzz will
also succeed, since oss-fuzz provides its own compiler and fuzzer vars,
but it can catch changes that are not compatible with the the
./scripts/oss-fuzz/build.sh script.
The strange way of finding fuzzer binaries stems from the method used by
oss-fuzz:
https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-runner/targets_list
fuzz: Fix leak when assembling datadir path string
We freed the string containing the final datadir path, but did not free
the path to the executable's directory that we get from
g_path_get_dirname(). Fix that.
projects / qemu.git / log