Petr Matousek [Thu, 18 Sep 2014 06:35:37 +0000 (08:35 +0200)]
slirp: udp: fix NULL pointer dereference because of uninitialized socket
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Fix this by checking that the socket is not just a socket stub.
Peter Maydell [Tue, 23 Sep 2014 13:43:47 +0000 (14:43 +0100)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20140923-1' into staging
usb: enable hotplug, switch to realize, ohci tracing, misc fixes.
# gpg: Signature made Tue 23 Sep 2014 12:42:29 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>"
# gpg: aka "Gerd Hoffmann <[email protected]>"
# gpg: aka "Gerd Hoffmann (private) <[email protected]>"
* remotes/kraxel/tags/pull-usb-20140923-1: (26 commits)
usb: tag standalone ehci as hotpluggable
usb: tag standalone uhci as hotpluggable
usb: tag xhci as hotpluggable
usb-serial: only check speed once at realize time
usb-bus: introduce a wrapper function to check speed
usb-bus: remove "init" from USBDeviceClass struct
usb-mtp: convert init to realize
usb-redir: convert init to realize
usb-audio: convert init to realize
dev-wacom: convert init to realize
dev-hid: convert init to realize
usb-ccid: convert init to realize
dev-serial: convert init to realize
dev-bluetooth: convert init to realize
dev-uas: using error_report instead of fprintf
dev-uas: convert init to realize
dev-storage: usring error_report instead of fprintf/printf
dev-storage: convert init to realize
usb-hub: convert init to realize
libusb: using error_report instead of fprintf
...
Add support for format-0 ccws in channel programs. As a format-1 ccw
contains the same information as format-0 ccws, only supporting larger
addresses, simply convert every ccw to format-1 as we walk the chain.
Peter Maydell [Tue, 23 Sep 2014 11:08:55 +0000 (12:08 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
# gpg: Signature made Mon 22 Sep 2014 12:41:59 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/block-pull-request: (59 commits)
block: Always compile virtio-blk dataplane
vring: Better error handling if num is too large
virtio: Import virtio_vring.h
async: aio_context_new(): Handle event_notifier_init failure
block: vhdx - fix reading beyond pointer during image creation
block: delete cow block driver
block/archipelago: Fix typo in qemu_archipelago_truncate()
ahci: Add test_identify case to ahci-test.
ahci: Add test_hba_enable to ahci-test.
ahci: Add test_hba_spec to ahci-test.
ahci: properly shadow the TFD register
ahci: add test_pci_enable to ahci-test.
ahci: Add test_pci_spec to ahci-test.
ahci: MSI capability should be at 0x80, not 0x50.
ahci: Adding basic functionality qtest.
layout: Add generators for refcount table and blocks
fuzz: Add fuzzing functions for entries of refcount table and blocks
docs: List all image elements currently supported by the fuzzer
qapi/block-core: Add "new" qcow2 options
qcow2: Add overlap-check.template option
...
Gerd Hoffmann [Fri, 29 Aug 2014 12:40:08 +0000 (14:40 +0200)]
usb: tag standalone ehci as hotpluggable
Add a flag to EHCIPCIInfo saying whenever the controller supports
companions or not. Make sure we only allow registering companions for
ehci versions supporting that. Enable pci hotplug for the ehci
variants not supporting companions.
Gerd Hoffmann [Fri, 29 Aug 2014 12:13:11 +0000 (14:13 +0200)]
usb: tag standalone uhci as hotpluggable
uhci hostadapters in companion setups can't be hotplugged. So leave
hotplug disabled for all ich9 variants (which are already tagged with
unplug = true in the info struct). For the other variants we'll enable
hotplug and remove the companion setup properties.
Whatever the chardev is open or not, we should assure
the speed is matched each other. So, call usb_check_attach()
check speed. And then pass &error_abort at all calls to
usb_device_attach().
Add "realize/unrealize" in USBDeviceClass, which has errp
as a parameter. So all the implementations now use
error_setg instead of error_report for reporting error.
Note: this patch still keep "init" in USBDeviceClass, and
call kclass->init in usb_device_realize(), avoid breaking
git bisect. After realize all usb devices, will be removed.
Peter Maydell [Tue, 23 Sep 2014 10:00:07 +0000 (11:00 +0100)]
Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-09-22' into staging
trivial patches for 2014-09-22
# gpg: Signature made Mon 22 Sep 2014 09:10:03 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <[email protected]>"
# gpg: aka "Michael Tokarev <[email protected]>"
# gpg: aka "Michael Tokarev <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB
* remotes/mjt/tags/trivial-patches-2014-09-22:
arch_init: Setting QEMU_ARCH enum straight
pc: Add missing 'static' attribute
block: allow creation of fixed vhdx images
vl: Print maxmem in hex format for error message
configure: trivial fixes
xen-hvm.c: Always return -1 when failure occurs in xen_hvm_init()
rdma: Fix incorrect description in comments
Fix typos and misspellings in comments
qemu-char: Permit only a single "stdio" character device
All memory regions used by VFIO are LITTLE_ENDIAN and they
already take care of endiannes when accessing real device BARs
except ROM - it was broken on BE hosts.
This fixes endiannes for ROM BARs the same way as it is done
for other BARs.
This has been tested on PPC64 BE/LE host/guest in all possible
combinations including TCG.
This header has no further dependencies. It only has some stable data
types and primitive functions, so we can copy it to include/hw/virtio in
order to allow vring code (and its user virtio-blk dataplane) to be
built unconditionally, even for cross compiling.
On a system with a low limit of open files the initialization
of the event notifier could fail and QEMU exits without printing any
error information to the user.
The problem can be easily reproduced by enforcing a low limit of open
files and start QEMU with enough I/O threads to hit this limit.
The same problem raises, without the creation of I/O threads, while
QEMU initializes the main event loop by enforcing an even lower limit of
open files.
This commit adds an error message on failure:
# qemu [...] -object iothread,id=iothread0 -object iothread,id=iothread1
qemu: Failed to initialize event notifier: Too many open files in system
Jeff Cody [Tue, 16 Sep 2014 19:12:06 +0000 (15:12 -0400)]
block: vhdx - fix reading beyond pointer during image creation
In vhdx_create_metadata(), we allocate 40 bytes to entry_buffer for
the various metadata table entries. However, we write out 64kB from
that buffer into the new file. Only write out the correct 40 bytes.
Stefan Hajnoczi [Tue, 16 Sep 2014 14:24:24 +0000 (15:24 +0100)]
block: delete cow block driver
This patch removes support for the cow file format.
Normally we do not break backwards compatibility but in this case there
is no impact and it is the most logical option. Extraordinary claims
require extraordinary evidence so I will show why removing the cow block
driver is the right thing to do.
The cow file format is the disk image format for Usermode Linux, a way
of running a Linux system in userspace. The performance of UML was
never great and it was hacky, but it enjoyed some popularity before
hardware virtualization support became mainstream.
QEMU's block/cow.c is supposed to read this image file format.
Unfortunately the file format was underspecified:
1. Earlier Linux versions used the MAXPATHLEN constant for the backing
filename field. The value of MAXPATHLEN can change, so Linux
switched to a 4096 literal but QEMU has a 1024 literal.
2. Padding was not used on the header struct (both in the Linux kernel
and in QEMU) so the struct layout varied across architectures. In
particular, i386 and x86_64 were different due to int64_t alignment
differences. Linux now uses __attribute__((packed)), QEMU does not.
Therefore:
1. QEMU cow images do not conform to the Linux cow image file format.
2. cow images cannot be shared between different host architectures.
This means QEMU cow images are useless and QEMU has not had bug reports
from users actually hitting these issues.
Let's get rid of this thing, it serves no purpose and no one will be
affected.
John Snow [Thu, 21 Aug 2014 17:44:39 +0000 (13:44 -0400)]
ahci: Add test_identify case to ahci-test.
Utilizing all of the bring-up code in pci_enable and hba_enable,
this test issues a simple IDENTIFY command via the HBA and retrieves
the response via the PIO receive mechanisms of the HBA.
Bugs: The DPS interrupt (Descriptor Processed Status) does not
currently get set. This will need to be adjusted in a future
patch series when the AHCI DMA pathways are reworked to allow
the feature, which may be utilized by OSX guests.
John Snow [Thu, 21 Aug 2014 17:44:38 +0000 (13:44 -0400)]
ahci: Add test_hba_enable to ahci-test.
This test engages the HBA functionality and initializes
values to sane defaults to allow for minimal HBA functionality.
Buffers are allocated and pointers are updated to allow minimal
I/O commands to complete as expected. Error registers and responses
are sanity checked for specification adherence.
John Snow [Thu, 21 Aug 2014 17:44:37 +0000 (13:44 -0400)]
ahci: Add test_hba_spec to ahci-test.
Add a test routine that checks the boot-up values of the HBA
configuration memory space against the AHCI 1.3 specification
and Intel ICH9 data sheet (for Q35 machines) for adherence and
sane values.
The HBA is not yet engaged or put into the idle state.
[Replaced g_assert_false(...) with g_assert(!...) for glib <2.38
compatibility, reported by Peter Maydell <[email protected]>.
--Stefan]
John Snow [Thu, 21 Aug 2014 17:44:36 +0000 (13:44 -0400)]
ahci: properly shadow the TFD register
In a real AHCI device, several S/ATA registers are mirrored or shadowed
within the AHCI register set. These registers are not updated
synchronously for each read access, but are instead updated after a
Device-to-Host Register FIS packet is received. The D2H FIS contains
the values from these registers on the device.
In QEMU, by reaching directly into the device to grab these bits before
they are "sent," we may introduce race conditions where unexpected
values are present "before they are sent" which could cause issues for
some guests, particularly if an attempt is made to read the PxTFD
register prior to enabling the port, where incorrect values will be read.
This patch also addresses the boot-time values for the PxTFD and PxSIG
registers to bring them in line with the AHCI 1.3 specification.
Lastly, several fields (PxTFD, PxSIG and PxSACT) are read-only,
and any attempts to write to them should be ignored.
John Snow [Thu, 21 Aug 2014 17:44:33 +0000 (13:44 -0400)]
ahci: MSI capability should be at 0x80, not 0x50.
In the Intel ICH9 data sheet, the MSI capability offset
in the PCI configuration space for ICH9 AHCI devices is
specified to be 0x80.
Further, the PCI capability pointer should always point
to 0x80 in ICH9 devices, despite the fact that AHCI 1.3
specifies that it should be pointing to PMCAP (Which in
this instance would be 0x70) to maintain adherence to
the Intel data sheet specifications and real observed behavior.
John Snow [Thu, 21 Aug 2014 17:44:32 +0000 (13:44 -0400)]
ahci: Adding basic functionality qtest.
Currently, there is no qtest to test the functionality of
the AHCI functionality present within the Q35 machine type.
This patch adds a skeleton for an AHCI test suite,
and adds a simple sanity-check test case where we
identify that the AHCI device is present, then
disengage the virtual machine.
Max Reitz [Wed, 20 Aug 2014 17:59:35 +0000 (19:59 +0200)]
qcow2: Add overlap-check.template option
Being able to set the overlap-check option to a string and then refine
it via the overlap-check.* options is a nice idea for the command line
but does not work so well for non-flattened dicts. In that case, one can
only specify either but not both, so add a field to overlap-check.*
which does the same as directly specifying overlap-check but can be used
in conjunction with the other fields in non-flattened dicts.
Max Reitz [Wed, 20 Aug 2014 17:59:33 +0000 (19:59 +0200)]
qcow2: Fix leak of QemuOpts in qcow2_open()
Currently, the QemuOpts object opts is leaked if anything fails from its
creation up to and including the image repair block. Fix this by freeing
that object in the fail path.
Max Reitz [Fri, 5 Sep 2014 14:07:18 +0000 (16:07 +0200)]
qcow2: Check L1/L2/reftable entries for alignment
Offsets taken from the L1, L2 and refcount tables are generally assumed
to be correctly aligned. However, this cannot be guaranteed if the image
has been written to by something different than qemu, thus check all
offsets taken from these tables for correct cluster alignment.
Max Reitz [Fri, 5 Sep 2014 14:07:15 +0000 (16:07 +0200)]
qapi/block: Add "fatal" to BLOCK_IMAGE_CORRUPTED
Not every BLOCK_IMAGE_CORRUPTED event must be fatal; for example, when
reading from an image, they should generally not be. Nonetheless, even
an image only read from may of course be corrupted and this can be
detected during normal operation. In this case, a non-fatal event should
be emitted, but the image should not be marked corrupt (in accordance to
"fatal" set to false).
This is an analogue to Linux null_blk. It can be used for testing or
benchmarking block device emulation and general block layer
functionalities such as coroutines and throttling, where disk IO is not
necessary or wanted.
Use null-aio:// for AIO version, and null-co:// for coroutine version.
[Resolved conflict with Fam's async bdrv_aio_cancel() series:
1. Drop .bdrv_aio_cancel() since it is now done by block.c
2. Rename qemu_aio_release() to qemu_aio_unref()
--Stefan]
Paolo Bonzini [Mon, 15 Sep 2014 12:52:58 +0000 (14:52 +0200)]
aio-win32: avoid out-of-bounds access to the events array
If ret is WAIT_TIMEOUT and there was an event returned by select(),
we can write to a location after the end of the array. But in
that case we can retry the WaitForMultipleObjects call with the
same set of events, so just move the event[ret - WAIT_OBJECT_0]
assignment inside the existin conditional.
qdev-monitor: fix segmentation fault on qdev_device_help()
Normally, qmp_device_list_properties() may return NULL when
a device haven't special properties excpet Object and DeviceState
properties, such as virtio-balloon-device.
We just need check local_err instead of prop_list.
Example:
Segmentation fault (core dumped)
The backtrace as below:
Program received signal SIGSEGV, Segmentation fault.
0x00005555559af1a8 in error_get_pretty (err=0x0) at util/error.c:152
152 return err->msg;
(gdb) bt
func=0x55555574a6ca <device_help_func>, opaque=0x0, abort_on_failure=0) at util/qemu-option.c:1072
Now that all the implementations are converted to asynchronous version
and we can emulate synchronous cancellation with it. Let's drop the
unused member.
ide: Convert trim_aiocb_info.cancel to .cancel_async
We know that either bh is scheduled or ide_issue_trim_cb will be called
again, so we just set i, j and ret to the right values. In both cases,
ide_trim_bh_cb will be called.
Also forward the cancellation to the iocb->aiocb which we get from
bdrv_aio_discard.
sheepdog: Convert sd_aiocb_info.cancel to .cancel_async
Also drop the now unused SheepdogAIOCB.finished field. Note that this
aio is internal to sheepdog driver and has NULL cb and opaque, and
should be unused at all.
quorum: Convert quorum_aiocb_info.cancel to .cancel_async
Before, we cancel all the child requests with bdrv_aio_cancel, then free
the acb..
Now we just kick off asynchronous cancellation of child requests and
return, we know quorum_aio_cb will be called later, so in the end
quorum_aio_finalize will take care of calling the caller's cb.
Liu Yuan [Thu, 11 Sep 2014 05:41:21 +0000 (13:41 +0800)]
quorum: fix quorum_aio_cancel()
For a fifo read pattern, we only have one running aio (possible other cases that
has less number than num_children in the future), so we need to check if
.acb is NULL against bdrv_aio_cancel() to avoid segfault.
thread-pool: Convert thread_pool_aiocb_info.cancel to cancel_async
The .cancel_async shares the same the first half with .cancel: try to
steal the request if not submitted yet. In this case set the elem to
THREAD_DONE status and ret to -ECANCELED, which means
thread_pool_completion_bh will call the cb with -ECANCELED.
If the request is already submitted, do nothing, as we know the normal
completion will happen in the future.
Testing code update:
Before, done_cb is only called if the request is already submitted by
thread pool. Now done_cb is always called, even before it is submitted,
because we emulate bdrv_aio_cancel with bdrv_aio_cancel_async. So also
update the test criteria accordingly.
This is the async version of bdrv_aio_cancel, which doesn't block the
caller. It guarantees that the cb is called either before returning or
some time later.
bdrv_aio_cancel can base on bdrv_aio_cancel_async, later we can convert
all .io_cancel implementations to .io_cancel_async, and the aio_poll is
the common logic. In the end, .io_cancel can be dropped.
Before, bdrv_aio_cancel will either complete the request (like normal)
and call CB with an actual return code, or skip calling the request (for
example when the IO req is not submitted by thread pool yet).
We will change bdrv_aio_cancel to do it differently: always call CB
before return, with either [1] a normal req completion ret code, or [2]
ret == -ECANCELED. So the callers' callback must accept both cases. The
existing logic works with case [1], but not [2].
The simplest transition of callback code is do nothing in case [2], just
as if the CB is not called by the bdrv_aio_cancel() call.
John Snow [Sat, 13 Sep 2014 03:51:12 +0000 (23:51 -0400)]
ide/atapi: Mark non-data commands as complete
When the command completion code in IDE and AHCI
was unified to put all command completion inside
of a callback, "cmd_done," we neglected to
ensure that all AHCI/ATAPI command paths would
eventually register as finished. for the PCI
interface to IDE this is not a problem because
cmd_done is a nop, but the AHCI implementation
needs to send a D2H_REG_FIS and interrupt back
to the guest to inform of completion.
This patch adds calls to ide_stop_transfer,
which calls ide_cmd_done, inside of
ide_atapi_cmd_ok and ide_atapi_cmd_error.
This fixes regressions observed by trying to boot QEMU
with a Fedora 20 live CD under Q35/AHCI, which uses
ATAPI command 0x00, which is a status check that may
cause a hang because we never complete, and ATAPI
command 0x56, which is unsupported by our current
implementation and results in an error that we never
report back to the guest.
Peter Maydell [Sun, 14 Sep 2014 19:29:59 +0000 (20:29 +0100)]
block/vhdx.c: Mark parent_vhdx_guid variable as unused
The parent_vhdx_guid variable is defined but never used, which provokes
complaints from newer versions of clang. Since the variable definition
is here acting as documentation of the image format, mark it with the
'unused' attribute to keep the compiler happy rather than simply
deleting it.
When trying to create a fixed vhd image qemu-img will return the
following error:
qemu-img: test.vhdx: Could not create image: Cannot allocate memory
This happens because of a incorrect check in vhdx.c. Specifficaly,
in vhdx_create_bat(), after allocating memory for the BAT entry,
there is a check to determine if the allocation was unsuccsessful.
The error comes from the fact that it checks if s->bat isn't NULL,
which is true in case of succsessful allocation, and exits with
error ENOMEM.
usb-storage: Fix how legacy init handles option ID clash
usb_msd_init() calls qemu_opts_create() with a made-up ID and false
fail_if_exists. If the ID already exists, it happily messes up those
options, then fails drive_new(), because the BlockDriverState with
that ID already exists, too.
projects / qemu.git / log