Peter Maydell [Thu, 17 Dec 2015 11:10:03 +0000 (11:10 +0000)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20151215-1' into staging
coreaudio: use new-in-OSX-10.6 APIs, cleanups.
# gpg: Signature made Tue 15 Dec 2015 10:15:24 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>"
# gpg: aka "Gerd Hoffmann <[email protected]>"
# gpg: aka "Gerd Hoffmann (private) <[email protected]>"
* remotes/kraxel/tags/pull-audio-20151215-1:
audio/coreaudio.c: Avoid deprecated AudioDeviceAdd/RemoveIOProc APIs
audio/coreaudio.c: Use new-in-OSX-10.6 APIs when available
audio/coreaudio.c: Factor out uses of AudioDeviceGet/SetProperty
audio/coreaudio.c: Use new-in-OSX-10.6 API for getting default voice
audio/coreaudio.c: Factor out use of AudioHardwareGetProperty
Peter Maydell [Thu, 17 Dec 2015 10:26:17 +0000 (10:26 +0000)]
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20151215-1' into staging
usb: ehci idt fix, event support for mtp
# gpg: Signature made Tue 15 Dec 2015 09:54:22 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>"
# gpg: aka "Gerd Hoffmann <[email protected]>"
# gpg: aka "Gerd Hoffmann (private) <[email protected]>"
* remotes/kraxel/tags/pull-usb-20151215-1:
ehci: make idt processing more robust
usb-mtp: add support for basic mtp events
usb-mtp: Add support for inotify based file monitoring
usb-mtp: free objects on a mtp reset
usb-mtp: use a list for keeping track of children
The AudioDeviceAddIOProc() and AudioDeviceRemoveIOProc() functions were
deprecated in OSX 10.5. Since we don't support any earlier versions of
OSX, we can simply replace them with the new APIs
AudioDeviceCreateIOProcID() and AudioDeviceRemoveIOProcID().
Peter Maydell [Sat, 28 Nov 2015 21:55:23 +0000 (21:55 +0000)]
audio/coreaudio.c: Use new-in-OSX-10.6 APIs when available
Use the new-in-OSX 10.6 API AudioObjectGetPropertyData() instead
of the deprecated AudioDeviceGetProperty() and AudioDeviceSetProperty()
functions when possible.
Peter Maydell [Sat, 28 Nov 2015 21:55:22 +0000 (21:55 +0000)]
audio/coreaudio.c: Factor out uses of AudioDeviceGet/SetProperty
The CoreAudio APIs AudioDeviceGetProperty and AudioDeviceSetProperty are
deprecated from OSX 10.6, so factor out our calls to them so we can
provide versions which use the replacement APIs on OSX newer than 10.5.
Peter Maydell [Sat, 28 Nov 2015 21:55:20 +0000 (21:55 +0000)]
audio/coreaudio.c: Factor out use of AudioHardwareGetProperty
The CoreAudio function AudioHardwareGetProperty has been deprecated
starting with OSX 10.6, so factor out our call to it so we can
provide an equivalent with the new APIs when they exist.
Gerd Hoffmann [Mon, 14 Dec 2015 08:21:23 +0000 (09:21 +0100)]
ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
Bandan Das [Mon, 23 Nov 2015 21:37:05 +0000 (16:37 -0500)]
usb-mtp: add support for basic mtp events
When the host polls for events, we check our
events qlist and send one event at a time. Also, note
that the event packet needs to be sent in one go, so
I increased the max packet size to 64.
Bandan Das [Mon, 23 Nov 2015 21:37:04 +0000 (16:37 -0500)]
usb-mtp: Add support for inotify based file monitoring
For now, we use inotify watches to track only a small number of
events, namely, add, delete and modify. Note that for delete, the kernel
already deactivates the watch for us and we just need to
take care of modifying our internal state.
Bandan Das [Mon, 23 Nov 2015 21:37:02 +0000 (16:37 -0500)]
usb-mtp: use a list for keeping track of children
To support adding/removal of objects, we will need to update
the object cache hierarchy we have built internally. Convert
to using a Qlist for easier management.
Max Reitz [Fri, 11 Dec 2015 15:23:05 +0000 (16:23 +0100)]
blockdev: Mark {insert, remove}-medium experimental
While in the long term we want throttling to be its own block filter
BDS, in the short term we want it to be part of the BB instead of a BDS;
even in the long term we may want legacy throttling to be automatically
tied to the BB.
blockdev-insert-medium and blockdev-remove-medium do not retain
throttling information in the BB (deliberately so). Therefore, using
them means tying this information to a BDS, which would break the model
described above. (The same applies to other flags such as
detect_zeroes.) We probably want to move this information to the BB or
its own filter BDS before blockdev-{insert,remove}-medium can be
considered completely stable.
Therefore, mark these functions experimental for the time being.
My fix (84e7b80a) replaced the last_sent_block update that I'd
removed earlier; however it was too aggressive in the xbzrle case.
save_xbzrle_page might return '0' to mean that the page didn't
need sending since it was the same as the last sent version;
in this case we can't update 'last_sent_block' since we didn't
actually send it.
Symptom: 'Illegal RAM offset 1018000' as we try and send a page
to the wrong RAMBlock; potentially that could be a data
corruption if you were really unlucky.
Greg Kurz [Tue, 8 Dec 2015 15:54:57 +0000 (16:54 +0100)]
virtio-9p-device: add minimal unrealize handler
Since commit 4652f1640e029e1f2433fa77ba6af285 "virtio-9p: add savevm
handlers", if the user hot-unplugs a quiescent 9p device and live
migrates, the source QEMU crashes before migration completetion...
This happens because virtio-9p devices have a realize handler which
calls virtio_init() and register_savevm(). Both calls store pointers
to the device internals, that get dereferenced during migration even
if the device got unplugged.
This patch simply adds an unrealize handler to perform minimal
cleanup and avoid the crash. Hot unplug of non-quiescent 9p devices
is still not supported in QEMU, and not supported by linux guests
either.
blk_attach_dev() fails here only when we're working for device
"sdhci-pci" (which already attached the backend), and then we don't
want to attach a second time. If we ever create another failure mode,
we're setting up ourselves to using the same backend from multiple
frontends, which is likely to end in tears. Can't clean this up this
close to the release, so mark it FIXME.
sdhci: Sanitize "sdhci-pci" properties for future qomification
We currently fuse controller and card into a single device model, but
we intend qomify things properly and separate the two. The properties
that really belong to the card would then have to somehow pass-through
to the card's properties. To avoid that complication, either mark
them experimental or drop them.
Properties "capareg", "maxcurr" and the usual PCI device properties
belong to the controller. Property "drive" belongs to the card;
rename it to "x-drive". Properties "logical_block_size",
"physical_block_size", "min_io_size", "opt_io_size",
"discard_granularity" belong to the card, but have no effect; drop
them.
Fam Zheng [Mon, 7 Dec 2015 10:59:27 +0000 (18:59 +0800)]
virtio-blk: Drop x-data-plane option
The official way of enabling dataplane is through the "iothread"
property that references an iothread object created by "-object
iothread". Since the old "x-data-plane=on" way now even crashes, it's
probably easier to just drop it:
Peter Maydell [Mon, 7 Dec 2015 14:18:31 +0000 (14:18 +0000)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Mon 07 Dec 2015 14:06:07 GMT using RSA key ID 398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
lan9118: log and ignore access to invalid registers, rather than aborting
lan9118: fix emulation of MAC address loaded bit in E2P_CMD register
vmxnet3: silence warning
pcnet: fix rx buffer overflow(CVE-2015-7512)
net: pcnet: add check to validate receive data size(CVE-2015-7504)
e1000: fix hang of win2k12 shutdown with flood ping
Andrew Baumann [Fri, 4 Dec 2015 18:58:50 +0000 (10:58 -0800)]
lan9118: log and ignore access to invalid registers, rather than aborting
With this change, access to invalid/unimplemented device registers are
logged as a "guest error" rather than aborting qemu with
hw_error. This enables drivers for similar devices (e.g. SMSC 9221),
by simply ignoring the unimplemented writes. It's also closer to what
real hardware does.
Andrew Baumann [Fri, 4 Dec 2015 18:58:49 +0000 (10:58 -0800)]
lan9118: fix emulation of MAC address loaded bit in E2P_CMD register
There appears to have been a longstanding typo in the implementation
of the "MAC address loaded" bit in the E2P_CMD (EEPROM command)
register. The code was using 0x10, but the controller spec says it
should be bit 8 (0x100).
Jason Wang [Mon, 30 Nov 2015 07:00:06 +0000 (15:00 +0800)]
pcnet: fix rx buffer overflow(CVE-2015-7512)
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Denis V. Lunev [Fri, 27 Nov 2015 06:48:41 +0000 (09:48 +0300)]
e1000: fix hang of win2k12 shutdown with flood ping
e1000 driver in Win2k12 is really well rotten. It 100% hangs on shutdown
of UP VM under flood ping. The guest checks card state and reinjects
itself interrupt in a loop. This is fatal for UP machine.
There is no good way to fix this misbehavior but to kludge it. The
emulation has interrupt throttling register aka ITR which limits
interrupt rate and allows the guest to proceed this phase.
There is no problem with this kludge for Linux guests - it adjust the
value of it itself.
Interrupt mitigation boosts performance when the guest suffers from
an high interrupt rate (i.e. receiving short UDP packets at high packet
rate). For some numerical results see the following link
http://info.iet.unipi.it/~luigi/papers/20130520-rizzo-vm.pdf
this should also boost performance a bit.
See https://bugzilla.redhat.com/show_bug.cgi?id=874406 for additional
details.
tests: Use proper functions types instead of void (*fn)
We have several function parameters declared as void (*fn). This is
just a stupid way to write void *, and the only purpose writing it
like that could serve is obscuring the sin of bypassing the type
system without need.
The original sin is commit 49ee359: its qtest_add_func() is a wrapper
for g_test_add_func(). Fix the parameter type to match
g_test_add_func()'s. This uncovers type errors in ide-test.c; fix
them.
Commit 7949c0e faithfully repeated the sin for qtest_add_data_func().
Fix it the same way, along with a harmless type error uncovered in
vhost-user-test.c.
Commit 063c23d repeated it for qtest_add_abrt_handler(). The screwy
parameter gets assigned to GHook member func, so change its type to
match. Requires wrapping kill_qemu() to keep the type checker happy.
Peter Maydell [Fri, 4 Dec 2015 09:49:28 +0000 (09:49 +0000)]
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.5-20151204' into staging
ppc patch queue for 2.5 2015-12-04
This contains some last minute QOM behaviour fixes from Markus
Armbruster.
# gpg: Signature made Fri 04 Dec 2015 06:43:54 GMT using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <[email protected]>"
# gpg: aka "David Gibson (Red Hat) <[email protected]>"
# gpg: aka "David Gibson (ozlabs.org) <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392
* remotes/dgibson/tags/ppc-for-2.5-20151204:
spapr_drc: Change value of property "fdt" from null back to {}
spapr_drc: Make device "spapr-dr-connector" unavailable with -device
spapr_drc: Handle visitor errors properly
Paolo Bonzini [Mon, 30 Nov 2015 09:57:25 +0000 (10:57 +0100)]
bt: check struct sizes
See http://permalink.gmane.org/gmane.linux.bluez.kernel/36505. For historical
reasons these do not use sizeof, and Coverity caught a mistake in
EVT_ENCRYPT_CHANGE_SIZE.
In addition:
- remove status from create_conn_cancel_cp; the "status" field is only
in rp structs. Note that this means that the OCF_CREATE_CONN_CANCEL
could never have worked (it would have failed the LENGTH_CHECK), but
I am keeping it anyway.
- OCF_READ_LINK_QUALITY similarly could never have worked, but I am
fixing read_link_quality_cp anyway.
- fix inquiry_info which is shorter by one: the kernel has a struct that
is 14 byte long, but not counting the initial num_responses byte which
the kernel parses separately;
- remove extended_inquiry_info altogether, since it's not used and unlike
the other inquiry structs does not have the initial num_responses byte.
Paolo Bonzini [Fri, 6 Nov 2015 15:34:06 +0000 (16:34 +0100)]
gt64xxx: fix decoding of ISD register
The GT64xxx's internal registers can be placed above the first 4 GiB
in the address space, but not above the first 64 GiB. Correctly cast
the register to a 64-bit integer, and mask away bits above bit 35.
Datasheet at http://pdf.datasheetarchive.com/datasheetsmain/Datasheets-33/DSA-655889.pdf
(bug reported by Coverity).
Rodrigo Rebello [Thu, 12 Nov 2015 14:04:28 +0000 (12:04 -0200)]
configure: use appropriate code fragment for -fstack-protector checks
The check for stack-protector support consisted in compiling and linking
the test program below (output by function write_c_skeleton()) with the
compiler flag -fstack-protector-strong first and then with
-fstack-protector-all if the first one failed to work:
int main(void) { return 0; }
This caused false positives when using certain toolchains in which the
compiler accepted -fstack-protector-strong but no support was provided
by the C library, since for this stack-protector variant the compiler
emits canary code only for functions that meet specific conditions
(local arrays, memory references to local variables, etc.) and the code
fragment under test included none of them (hence no stack protection
code generated, no link failure).
This fix changes the test program used for -fstack-protector checks to
include a function that meets conditions which cause the compiler to
generate canary code in all variants.
crypto: avoid two coverity false positive error reports
In qcrypto_tls_creds_get_path() coverity complains that
we are checking '*creds' for NULL, despite having
dereferenced it previously. This is harmless bug due
to fact that the trace call was too early. Moving it
after the cleanup gets the desired semantics.
In qcrypto_tls_creds_check_cert_key_purpose() coverity
complains that we're passing a pointer to a previously
free'd buffer into gnutls_x509_crt_get_key_purpose_oid()
This is harmless because we're passing a size == 0, so
gnutls won't access the buffer, but rather just report
what size it needs to be. We can avoid it though by
explicitly setting the buffer to NULL after free'ing
it.
Peter Maydell [Tue, 24 Nov 2015 14:55:46 +0000 (14:55 +0000)]
configure: Diagnose broken linkers directly
Currently if the user's compiler works for creating .o files but
their linker is broken such that compiling an executable from a
C file does not work, we will report a misleading error message
about the compiler not supporting __thread (since that happens
to be the first test we run which requires a working linker).
Explicitly check that compile_prog works as well as compile_object,
so that people whose toolchain setup is broken get a more helpful
error message.
Paolo Bonzini [Fri, 27 Nov 2015 12:08:25 +0000 (13:08 +0100)]
bt: avoid unintended sign extension
In the case of a 4-byte length, shifting a value by 24 may cause
an unintended sign extension when converting from int to size_t.
Use a uint32_t variable instead.
John Snow [Wed, 25 Nov 2015 21:03:37 +0000 (16:03 -0500)]
util/id: fully allocate names table
Trivial: this array should be allocated to have ID_MAX entries always.
Otherwise if someone were to forget to expand this table, the assertion
in the id generator won't actually trigger; it will read junk data.
spapr_drc: Change value of property "fdt" from null back to {}
prop_get_fdt() misuses the visitor API: when fdt is null, it doesn't
visit anything. object_property_get_qobject() happily
object_property_get_qobject(). Amazingly, the latter survives the
misuse. Turns out we've papered over it long before prop_get_fdt()
existed, in commit 1d10b44.
However, commit 6c2f9a1 changed how we paper over it, and as a side
effect changed qom-get's value from {} to null. Change it right back
by fixing the visitor misuse.
Andreas Färber [Sat, 21 Nov 2015 01:20:06 +0000 (02:20 +0100)]
tests: Fix check-report-qtest-% target
Commit e253c28 ("tests: Fix how qom-test is run") introduced
$(qtest-generic-y) and used it for check-qtest-% target, but did not
update check-report-qtest-%. This causes check-report-qtest-aarch64.xml
target to fail with a gtester usage error for lack of test arguments.
Fix this by adding $(qtest-generic-y) in check-report-qtest-%.
Also add it in check-clean target, spotted by Markus.
While sending 'SetPixelFormat' messages to a VNC server,
the client could set the 'red-max', 'green-max' and 'blue-max'
values to be zero. This leads to a floating point exception in
write_png_palette while doing frame buffer updates.
Peter Maydell [Thu, 3 Dec 2015 11:08:43 +0000 (11:08 +0000)]
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
# gpg: Signature made Thu 03 Dec 2015 04:59:48 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>"
# gpg: aka "Stefan Hajnoczi <[email protected]>"
* remotes/stefanha/tags/block-pull-request:
iotests: Add regresion test case for write notifier assertion failure
iotests: Add "add_drive_raw" method
block: Don't wait serialising for non-COR read requests
iothread: include id in thread name
Fam Zheng [Tue, 1 Dec 2015 09:36:30 +0000 (17:36 +0800)]
iotests: Add regresion test case for write notifier assertion failure
The idea is to let the top level bs have a big request alignment with
blkdebug, so that the aio_write request issued from monitor will be
serialised. This tests that QEMU doesn't crash upon the read request
from the backup job's write notifier, which is a very special case of
"reentrant" request.
Fam Zheng [Tue, 1 Dec 2015 09:36:28 +0000 (17:36 +0800)]
block: Don't wait serialising for non-COR read requests
The assertion problem was noticed in 06c3916b35a, but it wasn't
completely fixed, because even though the req is not marked as
serialising, it still gets serialised by wait_serialising_requests
against other serialising requests, which could lead to the same
assertion failure.
Fix it by even more explicitly skipping the serialising for this
specific case.
Paolo Bonzini [Tue, 24 Nov 2015 13:46:44 +0000 (14:46 +0100)]
iothread: include id in thread name
This makes it easier to find the desired thread. Use "IO" plus the id;
even with the 14 character limit on the thread name, enough of the id should
be readable (e.g. "IO iothreadNNN" with three characters for the number).
Peter Maydell [Wed, 2 Dec 2015 23:11:24 +0000 (23:11 +0000)]
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
virtio,vhost,mmap fixes for 2.5
vhost test patches to fix the travis build
virtio ccw patch to fix virtio 1
virtio pci patch to fix pci express
vhost user bridge patch to fix fd leaks
mmap-alloc patch to fix hugetlbfs on ppc64
remove dead code for vhost (trivial)
Signed-off-by: Michael S. Tsirkin <[email protected]>
# gpg: Signature made Wed 02 Dec 2015 20:38:41 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>"
# gpg: aka "Michael S. Tsirkin <[email protected]>"
* remotes/mst/tags/for_upstream:
util/mmap-alloc: fix hugetlb support on ppc64
virtio-pci: Set the QEMU_PCI_CAP_EXPRESS capability early in its DeviceClass realize method
virtio: handle non-virtio-1-capable backend for ccw
tests/vhost-user-bridge.c: fix fd leakage
vhost: drop dead code
vhost-user: verify that number of queues is non-zero
vhost-user-test: fix crash with glib < 2.36
vhost-user-test: use unix port for migration
vhost-user-test: fix chardriver race
Paolo Bonzini [Mon, 26 Jan 2015 11:12:27 +0000 (12:12 +0100)]
migration: do floating-point division
Dividing integer expressions transferred_bytes and time_spent, and then converting
the integer quotient to type double. Any remainder, or fractional part of the
quotient, is ignored. Fix this.
migration: Clean up use of g_poll() in socket_writev_buffer()
socket_writev_buffer() writes in a loop, using g_poll() to block. If
g_poll() fails, it tries to write more before the file descriptor is
ready. In theory, this could go into a tight loop. In practice,
errors other than EINTR are really unlikely, and when they happen,
we're probably screwed anyway, so we can just as well loop.
Clean it up a bit: retry poll on EINTR, keep ignoring other errors.
Since commit 8561c9244ddf1122d "exec: allocate PROT_NONE pages on top of
RAM", it is no longer possible to back guest RAM with hugepages on ppc64
hosts:
This is because on ppc64, Linux fixes a page size for a virtual address
at mmap time, so we can't switch a range of memory from anonymous
small pages to hugetlbs with MAP_FIXED.
Shmulik Ladkani [Wed, 2 Dec 2015 17:49:07 +0000 (19:49 +0200)]
virtio-pci: Set the QEMU_PCI_CAP_EXPRESS capability early in its DeviceClass realize method
In 1811e64 'hw/virtio: Add PCIe capability to virtio devices', the
QEMU_PCI_CAP_EXPRESS capability was added to virtio's pci_dev, within
'virtio_pci_realize' - the pci device object realization method.
This occurs to late, as 'pci_qdev_realize' (DeviceClass.realize of
TYPE_PCI_DEVICE) has already been called, without knowing that the
device instance is indeed an "express" instance, thus allocating
insufficient pci config space.
As a result, device may crash upon attempt to write to the PCIE config
space.
Fix, by arming the QEMU_PCI_CAP_EXPRESS capability early in virtio-pci's
own DeviceClass realize method.
This also makes code cleaner, as 'virtio_pci_realize' may now access the
'pci_is_express' predicate when needed.
Cornelia Huck [Wed, 2 Dec 2015 17:31:57 +0000 (18:31 +0100)]
virtio: handle non-virtio-1-capable backend for ccw
If you run a qemu advertising VERSION_1 with an old kernel where
vhost did not yet support VERSION_1, you'll end up with a device
that is {modern pci|ccw revision 1} but does not advertise VERSION_1.
This is not a sensible configuration and is rejected by the Linux
guest drivers.
To fix this, add a ->post_plugged() callback invoked after features
have been queried that can handle the VERSION_1 bit being withdrawn
and change ccw to fall back to revision 0 if VERSION_1 is gone.
Note that pci is _not_ fixed; we'll need to rethink the approach
for the next release but at least for pci it's not a regression.
This fixes file descriptor leakage in vhost-user-bridge
application. Whenever a new callfd or kickfd is set, the previous
one should be explicitly closed. File descriptors used to map
guest's memory are closed immediately after mmap call.
Fam Zheng [Mon, 23 Nov 2015 02:28:04 +0000 (10:28 +0800)]
mirror: Quiesce source during "mirror_exit"
With dataplane, the ioeventfd events could be dispatched after
mirror_run releases the dirty bitmap, but before mirror_exit actually
does the device switch, because the iothread will still be running, and
it will cause silent data loss.
Fix this by adding a bdrv_drained_begin/end pair around the window, so
that no new external request will be handled.
Peter Maydell [Wed, 2 Dec 2015 15:41:38 +0000 (15:41 +0000)]
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
* exec.c use after free
* Xen 32-on-64 breakage
* missing EINTR
* naughty warning under qtest
# gpg: Signature made Wed 02 Dec 2015 12:13:55 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <[email protected]>"
# gpg: aka "Paolo Bonzini <[email protected]>"
* remotes/bonzini/tags/for-upstream:
translate-all: ensure host page mask is always extended with 1's
main-loop: suppress warnings under qtest
qemu-char: retry g_poll on EINTR
exec: Stop using memory after free
The prepare callback needs to be implemented with glib < 2.36,
quoting glib documentation:
"Since 2.36 this may be NULL, in which case the effect is as if the
function always returns FALSE with a timeout of -1."
vhost-user-tests uses a helper thread to dispatch the vhost-user servers
sources. However the CharDriverState is not thread-safe. Therefore, when
it's given to the thread, it shouldn't be manipulated concurrently.
We dispatch cleaning the server in an idle source. By the end of the
test, we ensure not to leave anything behind by joining the thread and
finishing the sources dispatch.
Kevin Wolf [Tue, 1 Dec 2015 14:16:49 +0000 (15:16 +0100)]
qcow2: Fix potential qemu-img check crash on 32 bit hosts
This crash was caught with qemu-iotests test case 138.
Commit b6d36de already fixed a few 32 bit truncation bugs that could
cause qemu-img check to allocate too little memory and consequently
it would segfault. On 32 bit hosts, there is one more place that needs
to be fixed because size_t was involved in the calculation and is a
32 bit type there.
Paolo Bonzini [Wed, 2 Dec 2015 12:00:54 +0000 (13:00 +0100)]
translate-all: ensure host page mask is always extended with 1's
Anthony reported that >4GB guests on Xen with 32bit QEMU broke after
commit 4ed023c ("Round up RAMBlock sizes to host page sizes", 2015-11-05).
In that patch sizes are masked against qemu_host_page_size/mask which
are uintptr_t, and thus 32bit on a 32bit QEMU, even though the ram space
might be bigger than 4GB on Xen.
Since ram_addr_t is not available on user-mode emulation targets, ensure
that we get a sign extension when masking away the low bits of the address.
Remove the ~10 year old scary comment that the type of these variables
is probably wrong, with another equally scary comment. The new comment
however does not have "???" in it, which is arguably an improvement.
For completeness use the alignment macros in linux-user and bsd-user
instead of manually doing an &. linux-user and bsd-user are not affected
by the Xen issue, however.
commit 01c22f2cdd4fcf02276ea10f48253850a5fd7259 ("main-loop: Suppress
"I/O thread spun" warnings for qtest") doesn't actually disable the
warning for everyone since some tests don't run under the qtest
accelerator.
Paolo Bonzini [Tue, 1 Dec 2015 10:27:00 +0000 (11:27 +0100)]
qemu-char: retry g_poll on EINTR
This is a case where pty_chr_update_read_handler_locked's lack
of error checking can produce incorrect values. We are not using
SIGUSR1 anymore, so this is quite theoretical, but easy to fix.
Don Slutz [Mon, 30 Nov 2015 22:11:04 +0000 (17:11 -0500)]
exec: Stop using memory after free
memory_region_unref(mr) can free memory.
For example I got:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f43280d4700 (LWP 4462)]
0x00007f43323283c0 in phys_section_destroy (mr=0x7f43259468b0)
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
1023 if (mr->subpage) {
(gdb) bt
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
at /home/don/xen/tools/qemu-xen-dir/exec.c:1034
at /home/don/xen/tools/qemu-xen-dir/exec.c:2205
(gdb) p mr
$1 = (MemoryRegion *) 0x7f43259468b0
If there are a lot of guest memory ops in the TB, the amount of
code generated by tcg_out_tb_finalize could be well more than 1k.
In the short term, increase the reservation larger than any TB
seen in practice.
Peter Maydell [Thu, 26 Nov 2015 15:19:28 +0000 (15:19 +0000)]
ui/cocoa.m: Prevent activation clicks from going to guest
When QEMU is brought to the foreground, the click event that activates QEMU
should not go to the guest. Accidents happen when they do go to the guest
without giving the user a chance to handle them. In particular, if the
guest input device is not an absolute-position one then the location of
the guest cursor (and thus the click) will likely not be the location of
the host cursor when it is clicked, and could be completely obscured
below another window. Don't send mouse clicks to QEMU unless the
window either has focus or has grabbed mouse events.
Peter Maydell [Tue, 1 Dec 2015 16:30:27 +0000 (16:30 +0000)]
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20151201' into staging
Last round of s390x fixes for 2.5:
- The bios should be built for the first z machine, so that newer
instructions don't creep in.
- Silence annoying message when running make check.
- Fix a problem with the pci iommu exposed by recent changes.
# gpg: Signature made Tue 01 Dec 2015 08:59:42 GMT using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <[email protected]>"
# gpg: aka "Cornelia Huck <[email protected]>"
* remotes/cohuck/tags/s390x-20151201:
s390x/pci: fix up IOMMU size
s390x: no deprecation warning while testing
pc-bios/s390-ccw: rebuild image
pc-bios/s390-ccw: build for z900
Yi Min Zhao [Wed, 4 Nov 2015 07:50:45 +0000 (15:50 +0800)]
s390x/pci: fix up IOMMU size
Present code uses @size==UINT64_MAX to initialize IOMMU. It infers that it
can map any 64-bit IOVA whatsoever. But in fact, the largest DMA range for
each PCI Device on s390x is from ZPCI_SDMA_ADDR to ZPCI_EDMA_ADDR. The largest
value is returned from hardware, which is to indicate the largest range
hardware can support. But the real IOMMU size for specific PCI Device is
obtained once qemu intercepts mpcifc instruction that guest is requesting a
DMA range for that PCI Device. Therefore, before intercepting mpcifc instruction,
qemu cannot be aware of the size of IOMMU region that guest will use.
Moreover, iommu replay during device initialization for the whole region in
4k steps takes a very long time.
In conclusion, this patch intializes IOMMU region for each PCI Device when
intercept mpcifc instruction which is to register DMA range for the PCI Device.
And then, destroy IOMMU region when guest wants to deregister IOAT.
Cornelia Huck [Thu, 12 Nov 2015 15:46:09 +0000 (16:46 +0100)]
s390x: no deprecation warning while testing
'make check' tries to start all available machines; the deprecation
message for the s390-virtio machine is both useless and annoying
there. Silence it while testing.
Peter Maydell [Mon, 30 Nov 2015 21:59:22 +0000 (21:59 +0000)]
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
Two fixes for virtfs/9p from Paolo.
# gpg: Signature made Mon 30 Nov 2015 14:10:47 GMT using DSA key ID 0101DBC2
# gpg: Good signature from "Greg Kurz <[email protected]>"
# gpg: aka "Greg Kurz <[email protected]>"
# gpg: aka "Greg Kurz <[email protected]>"
# gpg: aka "Gregory Kurz (Groug) <[email protected]>"
# gpg: aka "Gregory Kurz (Cimai Technology) <[email protected]>"
# gpg: aka "Gregory Kurz (Meiosys Technology) <[email protected]>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2
* remotes/gkurz/tags/for-upstream:
virtio-9p: use QEMU thread pool
fsdev-proxy-helper: avoid TOC/TOU race
target-ppc and related bugfix patches for qemu-2.5
I don't have the facilities to test the Macintosh and BookE related
patches. I've sanity checked them (inspection + make check), but I'm
otherwise relying on the submitters.
# gpg: Signature made Mon 30 Nov 2015 08:42:01 GMT using RSA key ID 20D9B392
# gpg: Good signature from "David Gibson <[email protected]>"
# gpg: aka "David Gibson (Red Hat) <[email protected]>"
# gpg: aka "David Gibson (ozlabs.org) <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392
* remotes/dgibson/tags/ppc-for-2.5-20151130:
target-ppc/fpu_helper: fix FPSCR_FX bit shift operation
target-ppc: Move the FPSCR bit update macros to cpu.h
hw/ppc/ppc405_boards: Fix infinite recursion by converting taihu_cpld from old_mmio
hw/ppc/spapr: Remove duplicated "pseries" alias
mac_dbdma: always initialize channel field in DBDMA_channel
Peter Maydell [Mon, 30 Nov 2015 15:35:20 +0000 (15:35 +0000)]
Merge remote-tracking branch 'remotes/weil/tags/pull-wxx-20151130' into staging
wxx patch queue
# gpg: Signature made Mon 30 Nov 2015 05:48:33 GMT using RSA key ID 677450AD
# gpg: Good signature from "Stefan Weil <[email protected]>"
# gpg: aka "Stefan Weil <[email protected]>"
# gpg: aka "Stefan Weil <[email protected]>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2 B78A E08C 21D5 6774 50AD
* remotes/weil/tags/pull-wxx-20151130:
w32: Use gcc option -mthreads
oslib-win32: Change return type of function getpagesize
trace/simple: Fix warning and wrong trace file name for MinGW
Paolo Bonzini [Fri, 27 Nov 2015 11:43:06 +0000 (12:43 +0100)]
virtio-9p: use QEMU thread pool
The QEMU thread pool already has a mechanism to invoke callbacks in the main
thread. It does not need an EventNotifier and it is more efficient too.
Use it instead of GAsyncQueue + GThreadPool + glue.
As a side effect, it silences Coverity's complaint about an unchecked
return value for event_notifier_init.
target-ppc/fpu_helper: fix FPSCR_FX bit shift operation
Currently in TCG mode, updating floating exception
summary bit (FPSCR_FX) in fpscr also updates
the upper 32bits of fpscr with all 1s.
Modify the bit shift operation statement to use
1ULL instead.
Peter Maydell [Mon, 16 Nov 2015 14:57:50 +0000 (14:57 +0000)]
hw/ppc/ppc405_boards: Fix infinite recursion by converting taihu_cpld from old_mmio
The taihu_cpld_writel() function had an obvious typo that meant that
if it was ever called it would go into an infinite recursion. Newer
versions of clang will detect and warn about this:
hw/ppc/ppc405_boards.c:481:1: warning: all paths through this function will call itself [-Winfinite-recursion]
Fix this by converting taihu_cpld from the legacy old_mmio accessors
to new-style ones, with an impl {} declaration to cause the core
memory code to do the splitting of 16 bit and 32 bit accesses into
multiple 8-bit accesses.
Thomas Huth [Mon, 23 Nov 2015 16:13:37 +0000 (17:13 +0100)]
hw/ppc/spapr: Remove duplicated "pseries" alias
The "pseries" alias is currently set twice, one time for the
pseries-2.4 machine and one time for the "pseries-2.5" machine.
To avoid confusion with the alias, let's remove the one from
the older machine class. And while we're at it, also remove
the "is_default = 0" there since the is_default variable
should be set to zero by default already.
Hervé Poussineau [Thu, 12 Nov 2015 21:24:08 +0000 (22:24 +0100)]
mac_dbdma: always initialize channel field in DBDMA_channel
dbdma_from_ch() uses channel field to return the right DBDMA object.
Previous code was working if guest OS was only using registered DMA channels.
However, it lead to QEMU crashes if guest OS was using unregistered DMA channels.
projects / qemu.git / log