Kevin Wolf [Fri, 4 Jul 2014 15:11:28 +0000 (17:11 +0200)]
qed: Make qiov match request size until backing file EOF
If a QED image has a shorter backing file and a read request to
unallocated clusters goes across EOF of the backing file, the backing
file sees a shortened request and the rest is filled with zeros.
However, the original too long qiov was used with the shortened request.
This patch makes the qiov size match the request size, avoiding a
potential buffer overflow in raw-posix.
Kevin Wolf [Thu, 3 Jul 2014 12:43:32 +0000 (14:43 +0200)]
qcow2: Make qiov match request size until backing file EOF
If a qcow2 image has a shorter backing file and a read request to
unallocated clusters goes across EOF of the backing file, the backing
file sees a shortened request and the rest is filled with zeros.
However, the original too long qiov was used with the shortened request.
This patch makes the qiov size match the request size, avoiding a
potential buffer overflow in raw-posix.
Kevin Wolf [Thu, 3 Jul 2014 11:21:24 +0000 (13:21 +0200)]
block: Make qiov match the request size until EOF
If a read request goes across EOF, the block driver sees a shortened
request that stops at EOF (the rest is memsetted in block.c), however
the original qiov was used for this request.
This patch makes the qiov size match the request size, avoiding a
potential buffer overflow in raw-posix.
Paolo Bonzini [Mon, 7 Jul 2014 13:18:04 +0000 (15:18 +0200)]
AioContext: speed up aio_notify
In many cases, the call to event_notifier_set in aio_notify is unnecessary.
In particular, if we are executing aio_dispatch, or if aio_poll is not
blocking, we know that we will soon get to the next loop iteration (if
necessary); the thread that hosts the AioContext's event loop does not
need any nudging.
The patch includes a Promela formal model that shows that this really
works and does not need any further complication such as generation
counts. It needs a memory barrier though.
The generation counts are not needed because any change to
ctx->dispatching after the memory barrier is okay for aio_notify.
If it changes from zero to one, it is the right thing to skip
event_notifier_set. If it changes from one to zero, the
event_notifier_set is unnecessary but harmless.
Paolo Bonzini [Mon, 7 Jul 2014 13:18:03 +0000 (15:18 +0200)]
test-aio: fix GSource-based timer test
The current test depends too much on the implementation of the AioContext
GSource. Just iterate on the main loop until the callback has been invoked
the right number of times.
Kevin Wolf [Mon, 7 Jul 2014 15:00:37 +0000 (17:00 +0200)]
block: Fix bdrv_is_allocated() return value
bdrv_is_allocated() should return either 0 or 1 in successful cases.
We're lucky that currently, the callers that rely on this (e.g. because
they check for ret == 1) don't seem to break badly. They just might skip
some optimisation or in the case of qemu-io 'map' print separate lines
where a single line would suffice. In theory, a wrong allocation status
could lead to image corruption with certain operations, so let's fix
this quickly.
Kevin Wolf [Mon, 7 Jul 2014 14:38:58 +0000 (16:38 +0200)]
block/backup: Fix hang for unaligned image size
When doing a block backup of an image with an unaligned size (with
respect to the BACKUP_CLUSTER_SIZE), qemu would check the allocation
status of sectors after the end of the image. bdrv_is_allocated()
returns a result that is valid for 0 sectors in this case, so the backup
job ran into an endless loop.
Stop looping when seeing a result valid for 0 sectors, we're at EOF then.
The test case looks somewhat unrelated at first sight because I
originally tried to reproduce a different suspected bug that turned out
to not exist. Still a good test case and it accidentally found this one.
Peter Maydell [Tue, 8 Jul 2014 14:10:42 +0000 (15:10 +0100)]
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140708' into staging
Bugfixes for s390x: set subsystem id in the lowcore when booting from the
s390-ccw bios, and set the channel-program address after I/O completion,
when applicable.
# gpg: Signature made Tue 08 Jul 2014 14:18:20 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found
* remotes/cohuck/tags/s390x-20140708:
s390x/css: reflect cpa in scsw
pc-bios/s390-ccw: update binary
pc-bios/s390-ccw: store proper subsystem information word
Cornelia Huck [Mon, 30 Jun 2014 12:33:38 +0000 (14:33 +0200)]
s390x/css: reflect cpa in scsw
We neglected to update the the channel-program-address field of the scsw
after completion of the start or the halt function: Fortunately, Linux
didn't miss it so far. Let's update it for the cases where the cpa is
expected to be valid; in some cases, the cpa is 'unpredictable', so we
leave it untouched.
pc-bios/s390-ccw: store proper subsystem information word
POP chapter 17 requires to store a subsystem information word at 184
during IPL. Furthermore bytes 188-191 should be zero. The bootmap might
contain data blocks that are written to the first page. We have to
write these values after we processed the bootmap and before the final
IPL.
Peter Maydell [Tue, 8 Jul 2014 13:01:58 +0000 (14:01 +0100)]
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140708' into staging
target-arm queue:
* fix handling of KVM reset for 32-bit ARM CPUs
* implement NOR flash alias for vexpress-a9
* make sure libvixl gets its own utils.h rather than somebody else's
# gpg: Signature made Tue 08 Jul 2014 13:12:05 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <[email protected]>"
* remotes/pmaydell/tags/pull-target-arm-20140708:
target-arm: Implement vCPU reset via KVM_ARM_VCPU_INIT for 32-bit CPUs
hw/arm/vexpress: Alias NOR flash at 0 for vexpress-a9
disas/libvixl: prepend the include path of libvixl header files
Peter Maydell [Thu, 26 Jun 2014 17:16:13 +0000 (18:16 +0100)]
target-arm: Implement vCPU reset via KVM_ARM_VCPU_INIT for 32-bit CPUs
Implement kvm_arm_vcpu_init() as a simple call to arm_arm_vcpu_init()
(which uses the KVM_ARM_VCPU_INIT vcpu ioctl to tell the kernel
to re-initialize the vCPU), rather than via the complicated code
which saves a copy of the register state on first init and then
writes it back to the kernel. This is much simpler and brings the
32-bit KVM code into line with the 64-bit code.
disas/libvixl: prepend the include path of libvixl header files
Currently the Makefile of disas/libvixl appends
-I$(SRC_PATH)/disas/libvixl to QEMU_CFLAGS. As a consequence C++ files
that #include "utils.h", such as disas/libvixl/a64/instructions-a64.cc,
are going to look for utils.h on all the other include paths first.
When building QEMU as part of the Xen make system, another unrelated
utils.h file is going to be chosen for inclusion, causing a build
failure:
In file included from disas/libvixl/a64/instructions-a64.cc:27:0:
/qemu/disas/libvixl/a64/instructions-a64.h:88:64: error:
'rawbits_to_float' was not declared in this scope
const float kFP32PositiveInfinity = rawbits_to_float(0x7f800000);
Fix the problem by prepending (rather than appending) the libvixl
include path to QEMU_CFLAGS.
Peter Maydell [Tue, 8 Jul 2014 10:38:12 +0000 (11:38 +0100)]
Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
Patch queue for ppc - 2014-07-08
A few bug fixes for 2.1:
- Fix e500* TLB emulation with qemu-system-ppc
- Update SLOF to current upstream (good number of bugfixes)
- Make POWER7 / POWER8 PVR match more agnostic (needed in 2.1 for cmdline compat)
- Fix u-boot.e500 install (how did that happen?)
- Fix H_CAS on LE hosts
- ppc64le-linux-user fixes
# gpg: Signature made Tue 08 Jul 2014 11:18:58 BST using RSA key ID 03FEDC60
# gpg: Can't check signature: public key not found
* remotes/agraf/tags/signed-ppc-for-upstream:
PPC: e500: Actually install u-boot.e500
target-ppc: Remove POWER7+ and POWER8E families
target-ppc: Add pvr_match() callback
pseries: Update SLOF firmware image to qemu-slof-20140630
PPC: Fix booke206 TLB with phys addrs > 32bit
target-ppc: Fix gdbstub for ppc64le-linux-user
target-ppc: Change default cpu for ppc64le-linux-user
target-ppc: KVMPPC_H_CAS fix cpu-version endianess
POWER8E is architecturally equal to POWER8 and POWER7+ is equal to
POWER7. Also no user space tool makes any difference for CPU node name
in the device tree (such as PowerPC,POWER7@0 vs. PowerPC,POWER7+@0).
So there is no point in emulating POWER7+ and POWER8E apart from POWER7
and POWER8. Also, the previos patch implemented multiple PVR mask support
per CPU class so POWER7 class now covers both POWER7 and POWER7+ CPUs,
same is valid for POWER8/8E.
This removes POWER7+ and POWER8E classes. This replaces references
to POWER7P/POWER8E families with POWER7/POWER8 families.
So far it was enough to have a base PVR value and mask per CPU
family such as POWER7 or POWER8. However there CPUs which are
completely architecturally compatible but have different PVRs such
as POWER7/POWER7+ and POWER8/POWER8E. For these CPUs, top 16 bits
are CPU family and low 16 bits are the version. The families have
PVR base values different enough so defining a mask which
would cover both (or potentially more) CPUs within the family is
not possible.
This adds a pvr_match() callback to PowerPCCPUClass. The default
handler simply compares PVR defined in the class.
This implements ppc_pvr_match_power7/ppc_pvr_match_power8 callbacks
for POWER7/8 families. These check for POWER7/POWER7+ and POWER8/POWER8E.
This changes ppc_cpu_compare_class_pvr_mask() not to check masks but
use the pvr_match() callback.
Since all server CPUs use the same mask, this defines one mask
value - CPU_POWERPC_POWER_SERVER_MASK - which is used everywhere now.
This removes other mask definitions.
This removes pvr_mask from PowerPCCPUClass as it is not used anymore.
This removes pvr initialization for POWER7/8 families as it is not used
to find the class, the pvr_match() callback is used instead.
pseries: Update SLOF firmware image to qemu-slof-20140630
The changelog is:
> Quieten the grub warning
> Add boot menu support
> boot from disk having chrp-boot file
> fat16: fix read and remove debug messages
> dhcparch define missing in compilation
> pci-scan: reserve memory for pci-bridge without devices
> pci-bridge: Fix ranges when no device beyond the bridge
> Set dhcp arch in board-qemu config file
> xhci: fix controller stop
> dhcp: support client architecture code 93
> virtio-blk: support variable block size
> usb: use common pci dma alloc/mapping routines
> Remove unused SLOF code
> pci-bridge: generic bridge needs to support pci dma functions
> pci: extract dma functions as separate file
> e1000: fix usage of multiple nics
Alexander Graf [Wed, 2 Jul 2014 17:09:47 +0000 (19:09 +0200)]
PPC: Fix booke206 TLB with phys addrs > 32bit
We were truncating physical addresses to 32bit when using qemu-system-ppc
with a booke206 TLB implementation. This patch fixes that and makes the full
address space available.
target-ppc: Change default cpu for ppc64le-linux-user
The default, 970fx, doesn't support MSR_LE. So even though we set LE in
ppc_cpu_reset, it gets cleared again in hreg_store_msr. Error out if a
user-selected cpu model doesn't support LE.
Signed-off-by: Richard Henderson <[email protected]>
[agraf: switch to POWER7 as default for BE and LE] Signed-off-by: Alexander Graf <[email protected]>
During KVMPPC_H_CAS processing, the cpu-version updated value is stored
without taking care of the current endianess. As a consequence, the guest
may not switch to the right CPU model, leading to unexpected results.
If needed, the value is now converted.
Fixes: 6d9412ea8132 ("target-ppc: Implement "compat" CPU option") Signed-off-by: Laurent Dufour <[email protected]> Reviewed-by: Greg Kurz <[email protected]> Signed-off-by: Alexander Graf <[email protected]>
Peter Maydell [Mon, 7 Jul 2014 18:06:55 +0000 (19:06 +0100)]
Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-2.1' into staging
PowerPC Reference Platform (PReP)
* Update OpenHack'Ware firmware to replace QEMU-side workarounds
# gpg: Signature made Mon 07 Jul 2014 15:49:42 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <[email protected]>"
# gpg: aka "Andreas Färber <[email protected]>"
* remotes/afaerber/tags/prep-for-2.1:
prep: Update ppc_rom.bin
prep: Remove CPU reset entry point hack related to OpenHack'Ware
prep: Remove PCI memory hack related to OpenHack'Ware
Peter Maydell [Mon, 7 Jul 2014 15:30:14 +0000 (16:30 +0100)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
pc,vhost,virtio fixes, test
Bugfixes all over the place.
There's a non bugfix here: re-enabling the vhost-user test,
though the patch just brings back functionality that
I disabled earlier to fix mingw build failures.
This is now sorted, and keeping the unit test enabled
seems important since the feature relies on an external
server to work, so isn't easy to test.
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Sun 06 Jul 2014 11:01:35 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>"
# gpg: aka "Michael S. Tsirkin <[email protected]>"
* remotes/mst/tags/for_upstream:
qemu-char: add chr_add_watch support in mux chardev
virtio-pci: fix MSI memory region use after free
qdev: Fix crash when using non-device class name on -global
qdev: Don't abort() in case globals can't be set
hw/virtio: enable common virtio feature for mmio device
acpi: fix typo in memory hotplug MMIO region name
pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()
Handle G_IO_HUP in tcp_chr_read for tcp chardev
virtio: move common virtio properties to bus class device
pc-dimm: error out if memory hotplug is not enabled
numa: check for busy memory backend
qtest: enable vhost-user-test
Peter Maydell [Mon, 7 Jul 2014 14:02:36 +0000 (15:02 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Block pull request
# gpg: Signature made Mon 07 Jul 2014 13:27:20 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/block-pull-request:
qmp: show QOM properties in device-list-properties
dataplane: submit I/O as a batch
linux-aio: implement io plug, unplug and flush io queue
block: block: introduce APIs for submitting IO as a batch
ahci: map memory via device's address space instead of address_space_memory
raw-posix: Fix raw_getlength() to always return -errno on error
qemu-iotests: Disable Quorum testing in 041 when Quorum is not builtin
ahci.c: mask unused flags when reading size PRDT DBC
MAINTAINERS: add Stefan Hajnoczi to IDE maintainers
mirror: Fix qiov size for short requests
Fix nocow typos in manpage
Collection of fixes to build QEMU with Xen support on ARM:
- use xenstore_read_fe_uint64 to retrieve the page-ref (xenfb);
- use xen_pfn_t instead of unsigned long in xenfb;
- unsigned long/xenpfn_t in xen_remove_from_physmap;
- in xen-mapcache.c use HOST_LONG_BITS to check for QEMU's address space
size.
Stefan Hajnoczi [Tue, 20 May 2014 12:29:01 +0000 (14:29 +0200)]
qmp: show QOM properties in device-list-properties
Devices can use a mix of qdev and QOM properties. Currently only the
qdev properties are displayed by device-list-properties.
This patch extends the property enumeration algorithm to also display
QOM properties (excluding the implicit "type", "realized",
"hotpluggable", and "parent_bus" properties).
When a qdev property exists, use the qdev type name to preserve
backwards compatibility. QOM type names can be different for bool (qdev
on/off) and str (used by qdev pointers).
Ming Lei [Fri, 4 Jul 2014 10:04:35 +0000 (18:04 +0800)]
dataplane: submit I/O as a batch
Before commit 580b6b2aa2(dataplane: use the QEMU block
layer for I/O), dataplane for virtio-blk submits block
I/O as a batch.
This commit 580b6b2aa2 replaces the custom linux AIO
implementation(including submit I/O as a batch) with QEMU
block layer, but this commit causes ~40% throughput regression
on virtio-blk performance, and removing submitting I/O
as a batch is one of the causes.
This patch applies the newly introduced bdrv_io_plug() and
bdrv_io_unplug() interfaces to support submitting I/O
at batch for Qemu block layer, and in my test, the change
can improve throughput by ~30% with 'aio=native'.
Result on one of my small machine(host: x86_64, 2cores, 4thread, guest: 4cores):
- qemu master: 65K IOPS
- qemu master with these patches: 92K IOPS
- 2.0.0 release(dataplane using custom linux aio): 104K IOPS
Ming Lei [Fri, 4 Jul 2014 10:04:34 +0000 (18:04 +0800)]
linux-aio: implement io plug, unplug and flush io queue
This patch implements .bdrv_io_plug, .bdrv_io_unplug and
.bdrv_flush_io_queue callbacks for linux-aio Block Drivers,
so that submitting I/O as a batch can be supported on linux-aio.
[Unprocessed requests are completed with -EIO instead of a bogus ret
value.
--Stefan]
Ming Lei [Fri, 4 Jul 2014 10:04:33 +0000 (18:04 +0800)]
block: block: introduce APIs for submitting IO as a batch
This patch introduces three APIs so that following
patches can support queuing I/O requests and submitting them
as a batch for improving I/O performance.
Le Tan [Thu, 3 Jul 2014 08:26:27 +0000 (16:26 +0800)]
ahci: map memory via device's address space instead of address_space_memory
In map_page() in hw/ide/ahci.c, replace cpu_physical_memory_map() and
cpu_physical_memory_unmap() with dma_memory_map() and dma_memory_unmap(),
because ahci devices should not access memory directly but via their address
space. Add an AddressSpace parameter to map_page(). In order to call
map_page(), we should pass the AHCIState.as as the AddressSpace argument.
ahci.c: mask unused flags when reading size PRDT DBC
The data byte count(DBC) read from the description information is defined for
bits 21:00. Bits 30:22 are reserved and bit 31 is the Interrupt on Completion
(I) flag.
Completion interrupts are triggered after every transaction instead of on
I-flag in QEMU. tbl_entry_size is a signed integer and improperly reading the
DBC leads to a negative offset that causes sglist allocation to fail.
Kevin Wolf [Tue, 1 Jul 2014 14:52:21 +0000 (16:52 +0200)]
mirror: Fix qiov size for short requests
When mirroring an image of a size that is not a multiple of the
mirror job granularity, the last request would have the right nb_sectors
argument, but a qiov that is rounded up to the next multiple of the
granularity. Don't do this.
This fixes a segfault that is caused by raw-posix being confused by this
and allocating a buffer with request length, but operating on it with
qiov length.
[s/Driver/Drive/ in qemu-iotests 041 as suggested by Eric
--Stefan]
Paolo Bonzini [Fri, 4 Jul 2014 09:43:49 +0000 (11:43 +0200)]
virtio-pci: fix MSI memory region use after free
After memory region QOMification QEMU is stricter in detecting
wrong usage of the memory region API. Here it detected a
memory_region_destroy done before the corresponding
memory_region_del_subregion; the memory_region_destroy is
done by msix_uninit_exclusive_bar, the memory_region_del_subregion
is done by the PCI core's pci_unregister_io_regions before
pc->exit is called.
The problem was introduced by
commit 06a1307379fcd6c551185ad87679cd7ed896b9ea
virtio-pci: add device_unplugged callback
As noted in that commit log, virtio device kick callbacks need to be
stopped before generic virtio is cleaned up. This is because these are
notifications from pci proxy to the generic virtio device so they need
to be stopped in the unplug call before the virtio device is unrealized.
However interrupts are notifications from the virtio device to
the pci proxy so they need to stay around while the device
is realized.
The memory API misuse caused an assertion when hot-unplugging virtio
devices. Using the API correctly fixes the assertion.
qdev: Fix crash when using non-device class name on -global
This fixes the following crash:
$ qemu-system-x86_64 -global container.xxx=y
hw/core/qdev-properties-system.c:399:qdev_add_one_global: Object 0x7f7eff234100 is not an instance of type device
Aborted (core dumped)
New behavior will be to just warn, just like when non-existing clas
names are used:
$ qemu-system-x86_64 -global container.xxx=y
qemu-system-x86_64: Warning: "-global container.xxx=y" not used
Ming Lei [Wed, 4 Jun 2014 02:05:55 +0000 (10:05 +0800)]
hw/virtio: enable common virtio feature for mmio device
Both 'indirect_desc' and 'event_idx' are bus independent features,
and they should be enabled for mmio devices too.
On arm64 quad core VM(qemu-kvm), the patch can increase block I/O
performance a lot with latest linux tree:
- without the patch: 14K IOPS
- with the patch: 34K IOPS
Le Tan [Wed, 2 Jul 2014 00:06:35 +0000 (08:06 +0800)]
pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()
In function do_pci_register_device() in file hw/pci/pci.c, move the assignment
of pci_dev->devfn to the position before the call to
pci_device_iommu_address_space(pci_dev) which will use the value of
pci_dev->devfn.
Fixes: 9eda7d373e9c691c070eddcbe3467b991f67f6bd
pci: Introduce helper to retrieve a PCI device's DMA address space
Since commit cdaa86a54b232572bba594bf87a7416e527e460c
("Add G_IO_HUP handler for socket chardev")
GLib limitation results in a bug on Windows host. Steps to reproduce:
Start qemu: qemu-system-i386 -qmp tcp:127.0.0.1:4444:server:nowait
Connect with telnet: telnet 127.0.0.1 4444
Try sending some data from telnet.
Expected result: answers from QEMU.
Observed result: no answers (actually tcp_chr_read is not called at all).
Due to GLib limitations it is not possible to create several watches on one
channel on Windows hosts. See bug #338943 in GNOME bugzilla for details:
https://bugzilla.gnome.org/show_bug.cgi?id=338943
Igor Mammedov [Mon, 30 Jun 2014 10:43:29 +0000 (12:43 +0200)]
pc-dimm: error out if memory hotplug is not enabled
fixes QEMU abort in case it's started without memory
hotplug enabled.
as result of fix it will print following messages:
"
-device pc-dimm,id=d1,memdev=m1: memory hotplug is not enabled, enable it on startup
-device pc-dimm,id=d1,memdev=m1: Device 'pc-dimm' could not be initialized
"
Also fixup assert condition to detect hotplug address
space overflow.
The mmsghdr struct is only introduced in Linux 2.6.32; add a
configure check for it and disable L2TPV3 on hosts which are
too old to provide it, rather than simply failing to compile.
Peter Maydell [Tue, 1 Jul 2014 12:13:04 +0000 (13:13 +0100)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Block pull request
# gpg: Signature made Tue 01 Jul 2014 09:47:15 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/block-pull-request: (23 commits)
block: add backing-file option to block-stream
block: extend block-commit to accept a string for the backing file
block: add helper function to determine if a BDS is in a chain
block: add QAPI command to allow live backing file change
qapi: Change back sector-count to sectors-count in quorum QAPI events.
block/cow: Avoid use of uninitialized cow_bs in error path
block: simplify bdrv_find_base() and bdrv_find_overlay()
block: make 'top' argument to block-commit optional
iotests: Add more tests to quick group
iotests: Add qemu tests to quick group
iotests: Simplify qemu-iotests-quick.sh
qemu-img create: add 'nocow' option
virtio-blk: remove need for explicit x-data-plane=on option
qdev: drop iothread property type
virtio-blk: replace x-iothread with iothread link property
virtio-blk: move qdev properties into virtio-blk.c
virtio: fix virtio-blk child refcount in transports
virtio-blk: drop virtio_blk_set_conf()
virtio-blk: use aliases instead of duplicate qdev properties
qdev: add qdev_alias_all_properties()
...
Peter Lieven [Mon, 30 Jun 2014 08:57:51 +0000 (10:57 +0200)]
ui/vnc: fix potential memory corruption issues
this patch makes the VNC server work correctly if the
server surface and the guest surface have different sizes.
Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH
x VNC_MAX_HEIGHT and additionally the width is rounded up to multiple of
VNC_DIRTY_PIXELS_PER_BIT.
If we have a resolution whose width is not dividable by VNC_DIRTY_PIXELS_PER_BIT
we now get a small black bar on the right of the screen.
If the surface is too big to fit the limits only the upper left area is shown.
On top of that this fixes 2 memory corruption issues:
The first was actually discovered during playing
around with a Windows 7 vServer. During resolution
change in Windows 7 it happens sometimes that Windows
changes to an intermediate resolution where
server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface).
This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0.
The second is a theoretical issue, but is maybe exploitable
by the guest. If for some reason the guest surface size is bigger
than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since
this limit is nowhere enforced.
Peter Lieven [Mon, 30 Jun 2014 08:07:54 +0000 (10:07 +0200)]
ui/vnc: limit client_cut_text msg payload size
currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.
This patch limits the payload size to 1MB max.
Please note that client_cut_text messages are currently
silently ignored.
Jincheng Miao [Fri, 20 Jun 2014 06:12:52 +0000 (14:12 +0800)]
usb: initialize libusb_device to avoid crash
If libusb_get_device_list() fails, the uninitialized local variable
libusb_device would be passed to libusb_free_device_list(), that
will cause a crash, like:
(gdb) bt
#0 0x00007fbbb4bafc10 in pthread_mutex_lock () from /lib64/libpthread.so.0
#1 0x00007fbbb233e653 in libusb_unref_device (dev=0x6275682d627375)
at core.c:902
#2 0x00007fbbb233e739 in libusb_free_device_list (list=0x7fbbb6e8436e,
unref_devices=<optimized out>) at core.c:653
#3 0x00007fbbb6cd80a4 in usb_host_auto_check (unused=unused@entry=0x0)
at hw/usb/host-libusb.c:1446
#4 0x00007fbbb6cd8525 in usb_host_initfn (udev=0x7fbbbd3c5670)
at hw/usb/host-libusb.c:912
#5 0x00007fbbb6cc123b in usb_device_init (dev=0x7fbbbd3c5670)
at hw/usb/bus.c:106
...
Peter Maydell [Tue, 1 Jul 2014 10:55:48 +0000 (11:55 +0100)]
Merge remote-tracking branch 'remotes/bonzini/memory' into staging
* remotes/bonzini/memory:
qdev: correctly send DEVICE_DELETED for recursively-deleted devices
memory: do not give a name to the internal exec.c regions
memory: MemoryRegion: Add size property
memory: MemoryRegion: Add may-overlap and priority props
memory: MemoryRegion: Add container and addr props
memory: MemoryRegion: replace owner field with QOM parent
memory: MemoryRegion: QOMify
memory: MemoryRegion: use /machine as default owner
libqtest: escape strings in QMP commands, fix leak
qom: object: Ignore refs/unrefs of NULL
qom: object: remove parent pointer when unparenting
mc146818rtc: add "rtc-time" link to "/machine/rtc"
qom: allow creating an alias of a child<> property
qom: add a generic mechanism to resolve paths
qom: add object_property_add_alias()
Peter Maydell [Tue, 1 Jul 2014 09:28:52 +0000 (10:28 +0100)]
Merge remote-tracking branch 'remotes/bonzini/scsi-next' into staging
* remotes/bonzini/scsi-next:
configure: Fix -lm test, so that tools can be compiled on hosts that require -lm
virtio-scsi: scsi events must be converted to target endianness
virtio-scsi: virtio_scsi_push_event() lacks VirtIOSCSIReq parsing
Yang Zhiyong [Sat, 21 Jun 2014 18:43:03 +0000 (02:43 +0800)]
trace: add qemu_system_powerdown_request and qemu_system_shutdown_request trace events
We have the experience that the guest doesn't stop successfully
though it was instructed to shut down.
The root cause may be not in QEMU mostly. However, QEMU is often
suspected at the beginning just because the issue occurred in
virtualization environment.
Therefore, we need to affirm that QEMU received the shutdown
request and raised ACPI irq from "virsh shutdown" command,
virt-manger or stopping QEMU process to the VM .
So that we can affirm the problems was belonged to the Guset OS
rather than the QEMU itself.
When we stop guests by "virsh shutdown" command or virt-manger,
or stopping QEMU process, qemu_system_powerdown_request() or
qemu_system_shutdown_request() is called. Then the below functions
in main_loop_should_exit() of Vl.c are called roughly in the
following order.
if (qemu_powerdown_requested())
qemu_system_powerdown()
monitor_protocol_event(QEVENT_POWERDOWN, NULL)
The tracepoint of monitor_protocol_event() already exists, but no
tracepoints are defined for qemu_system_powerdown_request() and
qemu_system_shutdown_request(). So this patch adds two tracepoints for
the two functions. We believe that it will become much easier to
isolate the problem mentioned above by these tracepoints.
Jeff Cody [Wed, 25 Jun 2014 19:40:11 +0000 (15:40 -0400)]
block: add backing-file option to block-stream
On some image chains, QEMU may not always be able to resolve the
filenames properly, when updating the backing file of an image
after a block job.
For instance, certain relative pathnames may fail, or drives may
have been specified originally by file descriptor (e.g. /dev/fd/???),
or a relative protocol pathname may have been used.
In these instances, QEMU may lack the information to be able to make
the correct choice, but the user or management layer most likely does
have that knowledge.
With this extension to the block-stream api, the user is able to change
the backing file of the active layer as part of the block-stream
operation.
This allows the change to be 'safe', in the sense that if the attempt
to write the active image metadata fails, then the block-stream
operation returns failure, without disrupting the guest.
If a backing file string is not specified in the command, the backing
file string to use is determined in the same manner as it was
previously.
Jeff Cody [Wed, 25 Jun 2014 19:40:10 +0000 (15:40 -0400)]
block: extend block-commit to accept a string for the backing file
On some image chains, QEMU may not always be able to resolve the
filenames properly, when updating the backing file of an image
after a block commit.
For instance, certain relative pathnames may fail, or drives may
have been specified originally by file descriptor (e.g. /dev/fd/???),
or a relative protocol pathname may have been used.
In these instances, QEMU may lack the information to be able to make
the correct choice, but the user or management layer most likely does
have that knowledge.
With this extension to the block-commit api, the user is able to change
the backing file of the overlay image as part of the block-commit
operation.
This allows the change to be 'safe', in the sense that if the attempt
to write the overlay image metadata fails, then the block-commit
operation returns failure, without disrupting the guest.
If the commit top is the active layer, then specifying the backing
file string will be treated as an error (there is no overlay image
to modify in that case).
If a backing file string is not specified in the command, the backing
file string to use is determined in the same manner as it was
previously.
Jeff Cody [Wed, 25 Jun 2014 19:40:09 +0000 (15:40 -0400)]
block: add helper function to determine if a BDS is in a chain
This is a small helper function, to determine if 'base' is in the
chain of BlockDriverState 'top'. It returns true if it is in the chain,
and false otherwise.
If either argument is NULL, it will also return false.
Jeff Cody [Tue, 1 Jul 2014 07:52:16 +0000 (09:52 +0200)]
block: add QAPI command to allow live backing file change
This allows a user to make a live change to the backing file recorded in
an open image.
The image file to modify can be specified 2 ways:
1) image filename
2) image node-name
Note: this does not cause the backing file itself to be reopened; it
merely changes the backing filename in the image file structure, and
in internal BDS structures.
It is the responsibility of the user to pass a filename string that
can be resolved when the image chain is reopened, and the filename
string is not validated.
A good analogy for this command is that it is a live version of
'qemu-img rebase -u', with respect to changing the backing file string.
[Jeff is offline so I respun this patch in his absence. Dropped image
filename since using node-name is preferred and this is a new command.
No need to introduce the limitations of finding images by filename.
--Stefan]
configure: Fix -lm test, so that tools can be compiled on hosts that require -lm
The existing test whether "-lm" needs to be included or not is
insufficient as it reports false negative on Fedora20/ppc64.
This happens because sin(0.0) is a constant value which compiler
can safely throw away and therefore there is no need to add "-lm".
As the result, qemu-nbd/qemu-io/qemu-img tools cannot compile.
This adds a global variable and uses it in the test to prevent
from optimization.
Signed-off-by: Alexey Kardashevskiy <[email protected]>
[Use Peter's improvement on the test to fool LTO, and remove the
now useless -lm addition in Makefile.target. - Paolo] Signed-off-by: Paolo Bonzini <[email protected]>
Paolo Bonzini [Thu, 26 Jun 2014 13:10:03 +0000 (15:10 +0200)]
qdev: correctly send DEVICE_DELETED for recursively-deleted devices
When a device is unparented (i.e. made completely hidden from management)
we want to send a DEVICE_DELETED event only if the device actually was
realized. This avoids raising DEVICE_DELETED events when device_add
fails.
However, this does not work right for recursively-deleted
devices: the whole tree is _first_ unrealized, _then_ unparented.
Then device_unparent sees realized==false and fails to trigger
the event. The solution is simply to move have_realized into
the DeviceState struct. If device_add fails, we never set the
new field to true and DEVICE_DELETED is not sent.
Fixes qemu-iotests testcase 067 (broken by commit 5942a19, though that
commit in turn fixed a possible segfault in the same test).
To allow devices to dynamically resize the device. The motivation is
to allow devices with variable size to init their memory_region
without size early and then correctly populate size at realize() time.
memory: MemoryRegion: Add may-overlap and priority props
QOM propertyify the .may-overlap and .priority fields. The setters
will re-add the memory as a subregion if needed (i.e. the values change
when the memory region is already contained).
memory: MemoryRegion: Add container and addr props
Expose the already existing .parent and .addr fields as QOM properties.
.parent (i.e. the field describing the memory region that contains this
one in Memory hierachy) is renamed "container". This is to avoid
confusion with the QOM parent.
Signed-off-by: Peter Crosthwaite <[email protected]>
[Remove setters. Do not unref parent on releasing the property. Clean
up error propagation. - Paolo] Signed-off-by: Paolo Bonzini <[email protected]>
QOMify memory regions as an Object. The former init() and destroy()
routines become instance_init() and instance_finalize() resp.
memory_region_init() is re-implemented to be:
object_initialize() + set fields
memory_region_destroy() is re-implemented to call unparent().
Signed-off-by: Peter Crosthwaite <[email protected]>
[Add newly-created MR as child, unparent on destruction. - Paolo] Signed-off-by: Paolo Bonzini <[email protected]>
Paolo Bonzini [Fri, 13 Jun 2014 07:35:18 +0000 (09:35 +0200)]
libqtest: escape strings in QMP commands, fix leak
libqtest is using g_strdup_printf to format QMP commands, but
this does not work if the argument strings need to be escaped.
Instead, use the fancy %-formatting functionality of QObject.
The only change required in tests is that strings have to be
formatted as %s, not '%s' or \"%s\". Luckily this usage of
parameterized QMP commands is not that frequent.
The leak is in socket_sendf. Since we are extracting the send
loop to a new function, fix it now.
Just do nothing if passed NULL for a ref or unref. This avoids
call sites that manage a combination of NULL or non-NULL pointers
having to add iffery around every ref and unref.
qom: object: remove parent pointer when unparenting
Certain parts of the QOM framework test this pointer to determine if
an object is parented. Nuke it when the object is unparented to allow
for reuse of an object after unparenting.
Marcelo Tosatti [Wed, 4 Jun 2014 17:52:03 +0000 (14:52 -0300)]
mc146818rtc: add "rtc-time" link to "/machine/rtc"
Add a link to rtc under /machine providing a stable
location for management apps to query the value of the
time. The link should be added by any object that sends
RTC_TIME_CHANGE events.
Paolo Bonzini [Thu, 5 Jun 2014 11:11:51 +0000 (13:11 +0200)]
qom: add a generic mechanism to resolve paths
It may be desirable to have custom link<> properties that do more
than just store an object. Even the addition of a "check"
function is not enough if setting the link has side effects
or if a non-standard reference counting is preferrable.
Avoid the assumption that the opaque field of a link<> is a
LinkProperty struct, by adding a generic "resolve" callback
to ObjectProperty. This fixes aliases of link properties.
Peter Maydell [Mon, 30 Jun 2014 18:03:37 +0000 (19:03 +0100)]
block/cow: Avoid use of uninitialized cow_bs in error path
Commit 25814e8987 introduced an error-exit code path which does
a "goto exit" before the cow_bs variable is initialized, meaning
we would call bdrv_unref() on an uninitialized variable and
likely segfault. Fix this by moving the NULL-initialization
to the top of the function and making the exit code path handle
the case where it is NULL.
Jeff Cody [Wed, 25 Jun 2014 19:35:26 +0000 (15:35 -0400)]
block: simplify bdrv_find_base() and bdrv_find_overlay()
This simplifies the function bdrv_find_overlay(). With this change,
bdrv_find_base() is just a subset of usage of bdrv_find_overlay(),
so this also takes advantage of that.
projects / qemu.git / log