The license is the 'GNU General Public License v2.0 or later',
not 'and':
This program is free software; you can redistribute it and/ori
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
Elazar Leibovich [Sun, 15 Mar 2020 13:26:34 +0000 (15:26 +0200)]
hw/scsi/vmw_pvscsi: Remove assertion for kick after reset
When running Ubuntu 3.13.0-65-generic guest, QEMU sometimes crashes
during guest ACPI reset. It crashes on assert(s->rings_info_valid)
in pvscsi_process_io().
Analyzing the crash revealed that it happens when userspace issues
a sync during a reboot syscall.
Since QEMU pvscsi should imitate VMware pvscsi device emulation,
we decided to imitate VMware's behavior in this case.
To check VMware behavior, we wrote a kernel module that issues
a reset to the pvscsi device and then issues a kick. We ran it on
VMware ESXi 6.5 and it seems that it simply ignores the kick.
Hence, we decided to ignore the kick as well.
Bugfixes all over the place.
Add a new balloon maintainer.
A checkpatch enhancement to enforce ACPI change rules.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Tue 31 Mar 2020 15:54:36 BST
# gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg: issuer "[email protected]"
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [full]
# gpg: aka "Michael S. Tsirkin <[email protected]>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469
* remotes/mst/tags/for_upstream:
vhost-vsock: fix double close() in the realize() error path
acpi: add acpi=OnOffAuto machine property to x86 and arm virt
fix vhost_user_blk_watch crash
hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
virtio-iommu: avoid memleak in the unrealize
virtio-blk: delete vqs on the error path in realize()
acpi: pcihp: fix left shift undefined behavior in acpi_pcihp_eject_slot()
virtio-serial-bus: Plug memory leak on realize() error paths
MAINTAINERS: Add myself as virtio-balloon co-maintainer
checkpatch: enforce process for expected files
vhost-vsock: fix double close() in the realize() error path
vhost_dev_cleanup() closes the vhostfd parameter passed to
vhost_dev_init(), so this patch avoids closing it twice in
the vhost_vsock_device_realize() error path.
Peter Maydell [Tue, 31 Mar 2020 13:49:46 +0000 (14:49 +0100)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Tue 31 Mar 2020 14:15:18 BST
# gpg: using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <[email protected]>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
qtest: add tulip test case
hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads
net: tulip: check frame size and r/w data length
net/colo-compare.c: Expose "expired_scan_cycle" to users
net/colo-compare.c: Expose "compare_timeout" to users
hw/net/can: Make CanBusClientInfo::can_receive() return a boolean
hw/net: Make NetCanReceive() return a boolean
hw/net/rtl8139: Update coding style to make checkpatch.pl happy
hw/net/rtl8139: Simplify if/else statement
hw/net/smc91c111: Let smc91c111_can_receive() return a boolean
hw/net/e1000e_core: Let e1000e_can_receive() return a boolean
Fixed integer overflow in e1000e
hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
hw/net/i82596: Correct command bitmask (CID 1419392)
Li Qiang [Mon, 30 Mar 2020 14:52:01 +0000 (07:52 -0700)]
qtest: add tulip test case
The tulip networking card emulation has an OOB issue in
'tulip_copy_tx_buffers' when the guest provide malformed descriptor.
This test will trigger a ASAN heap overflow crash. To trigger this
issue we can construct the data as following:
1. construct a 'tulip_descriptor'. Its control is set to
'0x7ff | 0x7ff << 11', this will make the 'tulip_copy_tx_buffers's
'len1' and 'len2' to 0x7ff(2047). So 'len1+len2' will overflow
'TULIPState's 'tx_frame' field. This descriptor's 'buf_addr1' and
'buf_addr2' should set to a guest address.
2. write this descriptor to tulip device's CSR4 register. This will
set the 'TULIPState's 'current_tx_desc' field.
3. write 'CSR6_ST' to tulip device's CSR6 register. This will trigger
'tulip_xmit_list_update' and finally calls 'tulip_copy_tx_buffers'.
Following shows the backtrack of crash:
==31781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000007cd0 at pc 0x7fe03c5a077a bp 0x7fff05b46770 sp 0x7fff05b45f18
WRITE of size 2047 at 0x628000007cd0 thread T0
#0 0x7fe03c5a0779 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
#1 0x5575fb6daa6a in flatview_read_continue /home/test/qemu/exec.c:3194
#2 0x5575fb6daccb in flatview_read /home/test/qemu/exec.c:3227
#3 0x5575fb6dae66 in address_space_read_full /home/test/qemu/exec.c:3240
#4 0x5575fb6db0cb in address_space_rw /home/test/qemu/exec.c:3268
#5 0x5575fbdfd460 in dma_memory_rw_relaxed /home/test/qemu/include/sysemu/dma.h:87
#6 0x5575fbdfd4b5 in dma_memory_rw /home/test/qemu/include/sysemu/dma.h:110
#7 0x5575fbdfd866 in pci_dma_rw /home/test/qemu/include/hw/pci/pci.h:787
#8 0x5575fbdfd8a3 in pci_dma_read /home/test/qemu/include/hw/pci/pci.h:794
#9 0x5575fbe02761 in tulip_copy_tx_buffers hw/net/tulip.c:585
#10 0x5575fbe0366b in tulip_xmit_list_update hw/net/tulip.c:678
#11 0x5575fbe04073 in tulip_write hw/net/tulip.c:783
Coverity points out (CID 1421926) that the read code for
REG_ADDR_HIGH reads off the end of the buffer, because it does a
32-bit read from byte 4 of a 6-byte buffer.
The code also has an endianness issue for both REG_ADDR_HIGH and
REG_ADDR_LOW, because it will do the wrong thing on a big-endian
host.
Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
the write code is not incorrect, but for consistency we make it use
stl_le_p() and stw_le_p().
Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.
Limit iterations over descriptors to avoid potential infinite
loop issue in tulip_xmit_list_update.
Zhang Chen [Wed, 18 Mar 2020 08:23:19 +0000 (16:23 +0800)]
net/colo-compare.c: Expose "compare_timeout" to users
The "compare_timeout" determines the maximum time to hold the primary net packet.
This patch expose the "compare_timeout", make user have ability to
adjest the value according to application scenarios.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1737400
Fixed setting max_queue_num if there are no peers in
NICConf. qemu_new_nic() creates NICState with 1 NetClientState(index
0) without peers, set max_queue_num to 0 - It prevents undefined
behavior and possible crashes, especially during pcie hotplug.
Peter Maydell [Thu, 12 Mar 2020 20:16:38 +0000 (20:16 +0000)]
hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()
The i82596_receive() function attempts to pass the guest a buffer
which is effectively the concatenation of the data it is passed and a
4 byte CRC value. However, rather than implementing this as "write
the data; then write the CRC" it instead bumps the length value of
the data by 4, and writes 4 extra bytes from beyond the end of the
buffer, which it then overwrites with the CRC. It also assumed that
we could always fit all four bytes of the CRC into the final receive
buffer, which might not be true if the CRC needs to be split over two
receive buffers.
Calculate separately how many bytes we need to transfer into the
guest's receive buffer from the source buffer, and how many we need
to transfer from the CRC work.
We add a count 'bufsz' of the number of bytes left in the source
buffer, which we use purely to assert() that we don't overrun.
Spotted by Coverity (CID 1419396) for the specific case when we end
up using a local array as the source buffer.
The command is 32-bit, but we are loading the 16 upper bits with
the 'get_uint16(s->scb + 2)' call.
Once shifted by 16, the command bits match the status bits:
- Command
Bit 31 ACK-CX Acknowledges that the CU completed an Action Command.
Bit 30 ACK-FR Acknowledges that the RU received a frame.
Bit 29 ACK-CNA Acknowledges that the Command Unit became not active.
Bit 28 ACK-RNR Acknowledges that the Receive Unit became not ready.
- Status
Bit 15 CX The CU finished executing a command with its I(interrupt) bit set.
Bit 14 FR The RU finished receiving a frame.
Bit 13 CNA The Command Unit left the Active state.
Bit 12 RNR The Receive Unit left the Ready state.
Add the SCB_COMMAND_ACK_MASK definition to simplify the code.
This fixes Coverity 1419392 (CONSTANT_EXPRESSION_RESULT):
/hw/net/i82596.c: 352 in examine_scb()
346 cuc = (command >> 8) & 0x7;
347 ruc = (command >> 4) & 0x7;
348 DBG(printf("MAIN COMMAND %04x cuc %02x ruc %02x\n", command, cuc, ruc));
349 /* and clear the scb command word */
350 set_uint16(s->scb + 2, 0);
351
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
352 if (command & BIT(31)) /* ACK-CX */
353 s->scb_status &= ~SCB_STATUS_CX;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (1073741824UL /* 1UL << 30 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
354 if (command & BIT(30)) /*ACK-FR */
355 s->scb_status &= ~SCB_STATUS_FR;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (536870912UL /* 1UL << 29 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
356 if (command & BIT(29)) /*ACK-CNA */
357 s->scb_status &= ~SCB_STATUS_CNA;
>>> CID 1419392: (CONSTANT_EXPRESSION_RESULT)
>>> "command & (268435456UL /* 1UL << 28 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
358 if (command & BIT(28)) /*ACK-RNR */
359 s->scb_status &= ~SCB_STATUS_RNR;
Peter Maydell [Tue, 31 Mar 2020 10:20:21 +0000 (11:20 +0100)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200330' into staging
Improve PIE and other linkage
Fix for decodetree vs Python3 floor division operator
Fix i386 INDEX_op_dup2_vec expansion
Fix loongson multimedia condition instructions
# gpg: Signature made Tue 31 Mar 2020 04:50:15 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "[email protected]"
# gpg: Good signature from "Richard Henderson <[email protected]>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-tcg-20200330:
decodetree: Use Python3 floor division operator
tcg/i386: Fix INDEX_op_dup2_vec
target/mips: Fix loongson multimedia condition instructions
configure: Support -static-pie if requested
configure: Override the os default with --disable-pie
configure: Unnest detection of -z,relro and -z,now
configure: Always detect -no-pie toolchain support
configure: Do not force pie=no for non-x86
tcg: Remove softmmu code_gen_buffer fixed address
configure: Drop adjustment of textseg
This script started using Python2, where the 'classic' division
operator returns the floor result. In commit 3d004a371 we started
to use Python3, where the division operator returns the float
result ('true division').
To keep the same behavior, use the 'floor division' operator "//"
which returns the floor result.
* remotes/pmaydell/tags/pull-target-arm-20200330:
target/arm: fix incorrect current EL bug in aarch32 exception emulation
hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
docs/conf.py: Raise ConfigError for bad Sphinx Python version
hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
Changbin Du [Sat, 28 Mar 2020 14:02:32 +0000 (22:02 +0800)]
target/arm: fix incorrect current EL bug in aarch32 exception emulation
The arm_current_el() should be invoked after mode switching. Otherwise, we
get a wrong current EL value, since current EL is also determined by
current mode.
In some places in xlnx_zynqmp_realize() we were putting an
error into our local Error*, but forgetting to check for
failure and pass it back to the caller. Add the missing code.
Peter Maydell [Mon, 30 Mar 2020 12:18:59 +0000 (13:18 +0100)]
hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
In xlnx_zynqmp_realize() if the attempt to realize the SD
controller object fails then the error-return path will leak
the 'bus_name' string. Fix this by deferring the allocation
until after the realize has succeeded.
Peter Maydell [Mon, 30 Mar 2020 12:18:59 +0000 (13:18 +0100)]
docs/conf.py: Raise ConfigError for bad Sphinx Python version
Raise ConfigError rather than VersionRequirementError when we detect
that the Python being used by Sphinx is too old.
Currently the way we flag the Python version problem up to the user
causes Sphinx to print an unnecessary Python stack trace as well as
the information about the problem; in most versions of Sphinx this is
unavoidable.
The upstream Sphinx developers kindly added a feature to allow
conf.py to report errors to the user without the backtrace:
https://github.com/sphinx-doc/sphinx/commit/be608ca2313fc08eb842f3dc19d0f5d2d8227d08
but the exception type they chose for this was ConfigError.
Switch to ConfigError, which won't make any difference with currently
deployed Sphinx versions, but will be prettier one day when the user
is using a Sphinx version with the new feature.
Niek Linnenbank [Mon, 30 Mar 2020 12:18:58 +0000 (13:18 +0100)]
hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
The allwinner_h3_dramc_map_rows function simulates row addressing behavior
when bootloader software attempts to detect the amount of available SDRAM.
Currently the line that calculates the 64-bit address of the mirrored row
uses a signed 32-bit multiply operation that in theory could result in the
upper 32-bit be all 1s. This commit ensures that the row mirror address
is calculated using only 64-bit operations.
Niek Linnenbank [Mon, 30 Mar 2020 12:18:58 +0000 (13:18 +0100)]
hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
The Orange Pi PC initialization function needs to verify that the SD card
block backend is usable before calling the Boot ROM setup routine. When
calling blk_is_available() the input parameter should not be NULL.
This commit ensures that blk_is_available is only called with non-NULL input.
Li Feng [Mon, 23 Mar 2020 05:29:24 +0000 (13:29 +0800)]
fix vhost_user_blk_watch crash
the G_IO_HUP is watched in tcp_chr_connect, and the callback
vhost_user_blk_watch is not needed, because tcp_chr_hup is registered as
callback. And it will close the tcp link.
Peter Maydell [Thu, 26 Mar 2020 10:53:49 +0000 (10:53 +0000)]
hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
In the function amdvi_log_event(), we write an event log buffer
entry into guest ram, whose contents are passed to the function
via the "uint64_t *evt" argument. Unfortunately, a spurious
'&' in the call to dma_memory_write() meant that instead of
writing the event to the guest we would write the literal value
of the pointer, plus whatever was in the following 8 bytes
on the stack. This error was spotted by Coverity.
Pan Nengyuan [Sat, 28 Mar 2020 00:57:04 +0000 (08:57 +0800)]
virtio-blk: delete vqs on the error path in realize()
virtio_vqs forgot to free on the error path in realize(). Fix that.
The asan stack:
Direct leak of 14336 byte(s) in 1 object(s) allocated from:
#0 0x7f58b93fd970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
#1 0x7f58b858249d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
#2 0x5562cc627f49 in virtio_add_queue /mnt/sdb/qemu/hw/virtio/virtio.c:2413
#3 0x5562cc4b524a in virtio_blk_device_realize /mnt/sdb/qemu/hw/block/virtio-blk.c:1202
#4 0x5562cc613050 in virtio_device_realize /mnt/sdb/qemu/hw/virtio/virtio.c:3615
#5 0x5562ccb7a568 in device_set_realized /mnt/sdb/qemu/hw/core/qdev.c:891
#6 0x5562cd39cd45 in property_set_bool /mnt/sdb/qemu/qom/object.c:2238
Igor Mammedov [Thu, 26 Mar 2020 13:56:24 +0000 (09:56 -0400)]
acpi: pcihp: fix left shift undefined behavior in acpi_pcihp_eject_slot()
Coverity spots subj in following guest triggered code path
pci_write(, data = 0) -> acpi_pcihp_eject_slot(,slots = 0)
uinst32_t slot = ctz32(slots)
...
... = ~(1U << slot)
where 'slot' value is 32 in case 'slots' bitmap is empty.
'slots' is a bitmap and empty one shouldn't do anything
so return early doing nothing if resulted slot value is
not valid (i.e. not in 0-31 range)
The leak stack:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f04a8008ae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
#1 0x7f04a73cf1d5 in g_malloc (/lib64/libglib-2.0.so.0+0x531d5)
#2 0x56273eaee484 in aio_bh_new /mnt/sdb/backup/qemu/util/async.c:125
#3 0x56273eafe9a8 in qemu_bh_new /mnt/sdb/backup/qemu/util/main-loop.c:532
#4 0x56273d52e62e in virtser_port_device_realize /mnt/sdb/backup/qemu/hw/char/virtio-serial-bus.c:946
#5 0x56273dcc5040 in device_set_realized /mnt/sdb/backup/qemu/hw/core/qdev.c:891
#6 0x56273e5ebbce in property_set_bool /mnt/sdb/backup/qemu/qom/object.c:2238
#7 0x56273e5e5a9c in object_property_set /mnt/sdb/backup/qemu/qom/object.c:1324
#8 0x56273e5ef5f8 in object_property_set_qobject /mnt/sdb/backup/qemu/qom/qom-qobject.c:26
#9 0x56273e5e5e6a in object_property_set_bool /mnt/sdb/backup/qemu/qom/object.c:1390
#10 0x56273daa40de in qdev_device_add /mnt/sdb/backup/qemu/qdev-monitor.c:680
#11 0x56273daa53e9 in qmp_device_add /mnt/sdb/backup/qemu/qdev-monitor.c:805
MAINTAINERS: Add myself as virtio-balloon co-maintainer
As suggested by Michael, let's add me as co-maintainer of virtio-balloon.
While at it, also add "balloon.c" and "include/sysemu/balloon.h" to the
file list.
If the process documented in tests/qtest/bios-tables-test.c
is followed, then same patch never touches both expected
files and code. Teach checkpatch to enforce this rule.
Loongson multimedia condition instructions were previously implemented as
write 0 to rd due to lack of documentation. So I just confirmed with Loongson
about their encoding and implemented them correctly.
configure: Override the os default with --disable-pie
Some distributions, e.g. Ubuntu 19.10, enable PIE by default.
If for some reason one wishes to build a non-pie binary, we
must provide additional options to override.
At the same time, reorg the code to an elif chain.
configure: Always detect -no-pie toolchain support
The CFLAGS_NOPIE and LDFLAGS_NOPIE variables are used
in pc-bios/optionrom/Makefile, which has nothing to do
with the PIE setting of the main qemu executables.
This overrides any operating system default to build
all executables as PIE, which is important for ROMs.
The commentary talks about "in concert with the addresses
assigned in the relevant linker script", except there is no
linker script for softmmu, nor has there been for some time.
(Do not confuse the user-only linker script editing that was
removed in the previous patch, because user-only does not
use this code_gen_buffer allocation method.)
This adjustment was random and unnecessary. The user mode
startup code in probe_guest_base() will choose a value for
guest_base that allows the host qemu binary to not conflict
with the guest binary.
With modern distributions, this isn't even used, as the default
is PIE, which does the same job in a more portable way.
* remotes/jnsnow/tags/ide-pull-request:
cmd646-ide: use qdev gpio rather than qemu_allocate_irqs()
via-ide: use qdev gpio rather than qemu_allocate_irqs()
via-ide: don't use PCI level for legacy IRQs
hw/ide/sii3112: Use qdev gpio rather than qemu_allocate_irqs()
fdc/i8257: implement verify transfer mode
Mark Cave-Ayland [Tue, 24 Mar 2020 21:05:17 +0000 (21:05 +0000)]
via-ide: don't use PCI level for legacy IRQs
The PCI level calculation was accidentally left in when rebasing from a
previous patchset. Since both IRQs are driven separately, the value
being passed into the IRQ handler should be used directly.
Peter Maydell [Mon, 23 Mar 2020 15:17:15 +0000 (15:17 +0000)]
hw/ide/sii3112: Use qdev gpio rather than qemu_allocate_irqs()
Coverity points out (CID 1421984) that we are leaking the
memory returned by qemu_allocate_irqs(). We can avoid this
leak by switching to using qdev_init_gpio_in(); the base
class finalize will free the irqs that this allocates under
the hood.
Sven Schnelle [Fri, 1 Nov 2019 16:55:13 +0000 (17:55 +0100)]
fdc/i8257: implement verify transfer mode
While working on the Tulip driver i tried to write some Teledisk images to
a floppy image which didn't work. Turned out that Teledisk checks the written
data by issuing a READ command to the FDC but running the DMA controller
in VERIFY mode. As we ignored the DMA request in that case, the DMA transfer
never finished, and Teledisk reported an error.
The i8257 spec says about verify transfers:
3) DMA verify, which does not actually involve the transfer of data. When an
8257 channel is in the DMA verify mode, it will respond the same as described
for transfer operations, except that no memory or I/O read/write control signals
will be generated.
Hervé proposed to remove all the dma_mode_ok stuff from fdc to have a more
clear boundary between DMA and FDC, so this patch also does that.
Peter Maydell [Fri, 27 Mar 2020 16:04:22 +0000 (16:04 +0000)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- Fix another case of mirror block job deadlocks
- Minor fixes
# gpg: Signature made Fri 27 Mar 2020 15:18:37 GMT
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <[email protected]>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream:
qcow2: Remove unused fields from BDRVQcow2State
mirror: Wait only for in-flight operations
Revert "mirror: Don't let an operation wait for itself"
nvme: Print 'cqid' for nvme_del_cq
block: fix bdrv_root_attach_child forget to unref child_bs
block/iscsi:use the flags in iscsi_open() prevent Clang warning
Kevin Wolf [Thu, 26 Mar 2020 17:07:57 +0000 (18:07 +0100)]
qcow2: Remove unused fields from BDRVQcow2State
These fields were already removed in commit c3c10f72, but then commit b58deb34 revived them probably due to bad merge conflict resolution.
They are still unused, so remove them again.
Kevin Wolf [Thu, 26 Mar 2020 15:36:28 +0000 (16:36 +0100)]
mirror: Wait only for in-flight operations
mirror_wait_for_free_in_flight_slot() just picks a random operation to
wait for. However, a MirrorOp is already in s->ops_in_flight when
mirror_co_read() waits for free slots, so if not enough slots are
immediately available, an operation can end up waiting for itself, or
two or more operations can wait for each other to complete, which
results in a hang.
Fix this by adding a flag to MirrorOp that tells us if the request is
already in flight (and therefore occupies slots that it will later
free), and picking only such operations for waiting.
The fix was incomplete as it only protected against requests waiting for
themselves, but not against requests waiting for each other. We need a
different solution.
Chen Qun [Wed, 11 Mar 2020 03:29:27 +0000 (11:29 +0800)]
block/iscsi:use the flags in iscsi_open() prevent Clang warning
Clang static code analyzer show warning:
block/iscsi.c:1920:9: warning: Value stored to 'flags' is never read
flags &= ~BDRV_O_RDWR;
^ ~~~~~~~~~~~~
In iscsi_allocmap_init() only checks BDRV_O_NOCACHE, which
is the same in both of flags and bs->open_flags.
We can use the flags instead bs->open_flags to prevent Clang warning.
tests/docker: Install gcrypt devel package in Debian image
In commit 6f8bbb374be we enabled building with the gcrypt library
on the the Debian 'x86 host', which was based on Debian Stretch.
Later in commit 698a71edbed we upgraded the Debian base image to
Buster.
Apparently Debian Stretch was listing gcrypt as a QEMU dependency,
but this is not the case anymore in Buster, so we need to install
it manually (it it not listed by 'apt-get -s build-dep qemu' in
the common debian10.docker anymore). This fixes:
$ ../configure $QEMU_CONFIGURE_OPTS
ERROR: User requested feature gcrypt
configure was not able to find it.
Install gcrypt devel >= 1.5.0
Results summary:
0: 91 times (91.00%), avg time 5.547 (0.45 varience/0.67 deviation)
-6: 9 times (9.00%), avg time 3.394 (0.02 varience/0.13 deviation)
Ran command 100 times, 91 passes
When re-run with "--accel tcg,thread=single" the instability goes
away.
Results summary:
0: 100 times (100.00%), avg time 17.318 (249.76 varience/15.80 deviation)
Ran command 100 times, 100 passes
Which seems to indicate there is some aspect of the MIPS MTTCG fixes
that has been missed. Ideally we would fix that but I'm afraid I don't
have time to investigate and am not super familiar with the
architecture anyway. In lieu of someone tracking down the failure lets
disable it for now.
Alex Bennée [Mon, 23 Mar 2020 16:15:08 +0000 (16:15 +0000)]
tests/vm: fix basevm config
When the patch was merged it was part of a longer series which had
already merged the config changes. Semu-revert the config related
changes for now so things will build.
Gerd Hoffmann [Mon, 23 Mar 2020 16:15:07 +0000 (16:15 +0000)]
tests/vm: update NetBSD to 9.0
The installer supports GPT now, so the install workflow has changed a
bit. Also: run without VGA device. This works around a bug in the
seabios sercon code and makes the bootloader menu show up on the serial
line, so we can drop the quirk for that.
Alex Bennée [Thu, 26 Mar 2020 16:46:16 +0000 (16:46 +0000)]
qemu/atomic.h: add #ifdef guards for stdatomic.h
Deep inside the FreeBSD netmap headers we end up including stdatomic.h
which clashes with qemu's atomic functions which are modelled along
the C11 standard. To avoid a massive rename lets just ifdef around the
problem.
Peter Maydell [Thu, 26 Mar 2020 15:44:26 +0000 (15:44 +0000)]
Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-03-26' into staging
Block patches for 5.0-rc1:
- Fix qemu-img convert with a host device or iscsi target
- Use-after-free fix in mirror
- Some minor qcow2 fixes
- Minor sheepdog fix
- Minor qemu-img check report fix
* remotes/maxreitz/tags/pull-block-2020-03-26:
iotests/138: Test leaks/corruptions fixed report
iotests: Add poke_file_[bl]e functions
qemu-img: Fix check's leak/corruption fix report
sheepdog: Consistently set bdrv_has_zero_init_truncate
qcow2: Avoid feature name extension on small cluster size
qcow2: List autoclear bit names in header
qcow2: Comment typo fixes
block: trickle down the fallback image creation function use to the block drivers
block: pass BlockDriver reference to the .bdrv_co_create
block/mirror: fix use after free of local_err
Max Reitz [Tue, 24 Mar 2020 17:27:57 +0000 (18:27 +0100)]
iotests/138: Test leaks/corruptions fixed report
Test that qemu-img check reports the number of leaks and corruptions
fixed in its JSON report (after a successful run).
While touching the _unsupported_imgopts line, adjust the note on why
data_file does not work with this test: The current comment sounds a bit
like it is a mistake for qemu-img check not to check external data
files' refcounts. But there are no such refcounts, so it is no mistake.
Just say that qemu-img check does not do much for external data files,
and this is why this test does not work with them.
Max Reitz [Tue, 24 Mar 2020 17:27:56 +0000 (18:27 +0100)]
iotests: Add poke_file_[bl]e functions
Similarly to peek_file_[bl]e, we may want to write binary integers into
a file. Currently, this often means messing around with poke_file and
raw binary strings. I hope these functions make it a bit more
comfortable.
Max Reitz [Tue, 24 Mar 2020 17:27:55 +0000 (18:27 +0100)]
qemu-img: Fix check's leak/corruption fix report
There are two problems with qemu-img check's report on how many leaks
and/or corruptions have been fixed:
(1) ImageCheck.has_leaks_fixed and ImageCheck.has_corruptions_fixed are
only true when ImageCheck.leaks or ImageCheck.corruptions (respectively)
are non-zero. qcow2's check implementation will set the latter to zero
after it has fixed leaks and corruptions, though, so leaks-fixed and
corruptions-fixed are actually never reported after successful repairs.
We should always report them when they are non-zero, just like all the
other fields of ImageCheck.
(2) After something has been fixed and we run the check a second time,
leaks_fixed and corruptions_fixed are taken from the first run; but
has_leaks_fixed and has_corruptions_fixed are not. The second run
actually cannot fix anything, so with (1) fixed, has_leaks_fixed and
has_corruptions_fixed will always be false here. (With (1) unfixed,
they will at least be false on successful runs, because then the number
of leaks and corruptions found in the second run should be 0.)
We should save has_leaks_fixed and has_corruptions_fixed just like we
save leaks_fixed and corruptions_fixed.
Eric Blake [Tue, 24 Mar 2020 17:42:33 +0000 (12:42 -0500)]
sheepdog: Consistently set bdrv_has_zero_init_truncate
block_int.h claims that .bdrv_has_zero_init must return 0 if
.bdrv_has_zero_init_truncate does likewise; but this is violated if
only the former callback is provided if .bdrv_co_truncate also exists.
When adding the latter callback, it was mistakenly added to only one
of the three possible sheepdog instantiations.
Eric Blake [Tue, 24 Mar 2020 17:42:32 +0000 (12:42 -0500)]
qcow2: Avoid feature name extension on small cluster size
As the feature name table can be quite large (over 9k if all 64 bits
of all three feature fields have names; a mere 8 features leaves only
8 bytes for a backing file name in a 512-byte cluster), it is unwise
to emit this optional header in images with small cluster sizes.
Update iotest 036 to skip running on small cluster sizes; meanwhile,
note that iotest 061 never passed on alternative cluster sizes
(however, I limited this patch to tests with output affected by adding
feature names, rather than auditing for other tests that are not
robust to alternative cluster sizes).
Eric Blake [Tue, 24 Mar 2020 17:42:31 +0000 (12:42 -0500)]
qcow2: List autoclear bit names in header
The feature table is supposed to advertise the name of all feature
bits that we support; however, we forgot to update the table for
autoclear bits. While at it, move the table to read-only memory in
code, and tweak the qcow2 spec to name the second autoclear bit.
Update iotests that are affected by the longer header length.
Maxim Levitsky [Thu, 26 Mar 2020 01:12:18 +0000 (03:12 +0200)]
block: trickle down the fallback image creation function use to the block drivers
Instead of checking the .bdrv_co_create_opts to see if we need the
fallback, just implement the .bdrv_co_create_opts in the drivers that
need it.
This way we don't break various places that need to know if the
underlying protocol/format really supports image creation, and this way
we still allow some drivers to not support image creation.
Note that technically this driver reverts the image creation fallback
for the vxhs driver since I don't have a means to test it, and IMHO it
is better to leave it not supported as it was prior to generic image
creation patches.
Also drop iscsi_create_opts which was left accidentally.
Peter Maydell [Thu, 26 Mar 2020 09:28:11 +0000 (09:28 +0000)]
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200325b' into staging
Combo Migration/HMP/virtiofs pull
Small fixes all around.
Ones that are noticeable:
a) Igor's migration compatibility fix affecting older machine types
has been seen in the wild
b) Philippe's autconverge fix should fix an intermittently
failing migration test.
c) Mao's makes a small change to the output of 'info
migrate_parameters' for tls-authz.
# gpg: Signature made Wed 25 Mar 2020 13:14:48 GMT
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <[email protected]>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20200325b:
migration: use "" instead of (null) for tls-authz
migration/ram: fix use after free of local_err
migration/colo: fix use after free of local_err
vl.c: fix migration failure for 3.1 and older machine types
tools/virtiofsd/passthrough_ll: Fix double close()
hmp/vnc: Fix info vnc list leak
tests/migration: Reduce autoconverge initial bandwidth
xbzrle: update xbzrle doc
hmp-cmd: fix a missing_break warning
linux-user: Add x86_64 vsyscall page to /proc/self/maps
The page isn't (necessarily) present in the host /proc/self/maps,
and even if it might be it isn't present in page_flags, and even
if it was it might not have the same set of page permissions.
The easiest thing to do, particularly when it comes to the
"[vsyscall]" note at the end of line, is to special case it.
Notice the magic page during translate, much like we already
do for the arm32 commpage. At runtime, raise an exception to
return cpu_loop for emulation.
This is a bit tidier than open-coding the 5 lines necessary
to initialize the target_siginfo_t. In addition, this zeros
the remaining bytes of the target_siginfo_t, rather than
passing in garbage.
We are not short of numbers for EXCP_*. There is no need to confuse things
by having EXCP_VMEXIT and EXCP_SYSCALL overlap, even though the former is
only used for system mode and the latter is only used for user mode.
This patch fixes two problems:
- it cleanups linux-user variants (for instance ppc64-linux-user
and ppc64le-linux-user)
- it removes the .o file when it removes the .d file, otherwise the .o
file is never updated
Mao Zhongyi [Wed, 25 Mar 2020 01:49:30 +0000 (09:49 +0800)]
migration: use "" instead of (null) for tls-authz
run:
(qemu) info migrate_parameters
announce-initial: 50 ms
...
announce-max: 550 ms
multifd-compression: none
xbzrle-cache-size: 4194304
max-postcopy-bandwidth: 0
tls-authz: '(null)'
Migration parameter 'tls-authz' is used to provide the QOM ID
of a QAuthZ subclass instance that provides the access control
check, default is NULL. But the empty string is not a valid
object ID, so use "" instead of the default. Although it will
fail when lookup an object with ID "", it is harmless, just
consistent with tls_creds.
As a bonus, this patch also fixed the bad indentation on the
last line and removed 'has_tls_authz' redundant check in
'hmp_info_migrate_parameters'.
local_err is used again in migration_bitmap_sync_precopy() after
precopy_notify(), so we must zero it. Otherwise try to set
non-NULL local_err will crash.
local_err is used again in secondary_vm_do_failover() after
replication_stop_all(), so we must zero it. Otherwise try to set
non-NULL local_err will crash.
Igor Mammedov [Wed, 4 Mar 2020 17:27:48 +0000 (12:27 -0500)]
vl.c: fix migration failure for 3.1 and older machine types
Migration from QEMU(v4.0) fails when using 3.1 or older machine
type. For example if one attempts to migrate
QEMU-2.12 started as
qemu-system-ppc64 -nodefaults -M pseries-2.12 -m 4096 -mem-path /tmp/
to current master, it will fail with
qemu-system-ppc64: Unknown ramblock "ppc_spapr.ram", cannot accept migration
qemu-system-ppc64: error while loading state for instance 0x0 of device 'ram'
qemu-system-ppc64: load of migration failed: Invalid argument
Caused by 900c0ba373 commit which switches main RAM allocation to
memory backends and the fact in 3.1 and older QEMU, backends used
full[***] QOM path as memory region name instead of backend's name.
That was changed after 3.1 to use prefix-less names by default
(fa0cb34d22) for new machine types.
*** effectively makes main RAM memory region names defined by
MachineClass::default_ram_id being altered with '/objects/' prefix
and therefore migration fails as old QEMU sends prefix-less
name while new QEMU expects name with prefix when using 3.1 and
older machine types.
Fix it by forcing implicit[1] memory backend to always use
prefix-less names for its memory region by setting
'x-use-canonical-path-for-ramblock-id'
property to false.
1) i.e. memory backend created by compat glue which maps
-m/-mem-path/-mem-prealloc/default RAM size into
appropriate backend type/options to match old CLI format.
On success, the fdopendir() call closes fd. Later on the error
path we try to close an already-closed fd. This can lead to
use-after-free. Fix by only closing the fd if the fdopendir()
call failed.
projects / qemu.git / log