[Qemu-devel] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144)

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

This avoids unbounded memory allocation and fixes a potential buffer
overflow on 32-bit hosts.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit ce48f2f441ca98885267af6fd636a7cb804ee646)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2-snapshot.c | 29 -
 block/qcow2.c  | 15 +++
 block/qcow2.h  | 29 -
 tests/qemu-iotests/080 | 27 +++
 tests/qemu-iotests/080.out | 17 +
 5 files changed, 91 insertions(+), 26 deletions(-)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 3529c68..7548165 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -26,31 +26,6 @@
 #include block/block_int.h
 #include block/qcow2.h
 
-typedef struct QEMU_PACKED QCowSnapshotHeader {
-/* header is 8 byte aligned */
-uint64_t l1_table_offset;
-
-uint32_t l1_size;
-uint16_t id_str_size;
-uint16_t name_size;
-
-uint32_t date_sec;
-uint32_t date_nsec;
-
-uint64_t vm_clock_nsec;
-
-uint32_t vm_state_size;
-uint32_t extra_data_size; /* for extension */
-/* extra data follows */
-/* id_str follows */
-/* name follows  */
-} QCowSnapshotHeader;
-
-typedef struct QEMU_PACKED QCowSnapshotExtraData {
-uint64_t vm_state_size_large;
-uint64_t disk_size;
-} QCowSnapshotExtraData;
-
 void qcow2_free_snapshots(BlockDriverState *bs)
 {
 BDRVQcowState *s = bs-opaque;
@@ -357,6 +332,10 @@ int qcow2_snapshot_create(BlockDriverState *bs, 
QEMUSnapshotInfo *sn_info)
 uint64_t *l1_table = NULL;
 int64_t l1_table_offset;
 
+if (s-nb_snapshots = QCOW_MAX_SNAPSHOTS) {
+return -EFBIG;
+}
+
 memset(sn, 0, sizeof(*sn));
 
 /* Generate an ID if it wasn't passed */
diff --git a/block/qcow2.c b/block/qcow2.c
index de86302..3b81c53 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -625,6 +625,21 @@ static int qcow2_open(BlockDriverState *bs, QDict 
*options, int flags,
 goto fail;
 }
 
+/* Snapshot table offset/length */
+if (header.nb_snapshots  QCOW_MAX_SNAPSHOTS) {
+error_setg(errp, Too many snapshots);
+ret = -EINVAL;
+goto fail;
+}
+
+ret = validate_table_offset(bs, header.snapshots_offset,
+header.nb_snapshots,
+sizeof(QCowSnapshotHeader));
+if (ret  0) {
+error_setg(errp, Invalid snapshot table offset);
+goto fail;
+}
+
 s-snapshots_offset = header.snapshots_offset;
 s-nb_snapshots = header.nb_snapshots;
 
diff --git a/block/qcow2.h b/block/qcow2.h
index 922e190..99fe092 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -38,6 +38,7 @@
 #define QCOW_CRYPT_AES  1
 
 #define QCOW_MAX_CRYPT_CLUSTERS 32
+#define QCOW_MAX_SNAPSHOTS 65536
 
 /* indicate that the refcount of the referenced cluster is exactly one. */
 #define QCOW_OFLAG_COPIED (1ULL  63)
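Review bot: `QCOW_MAX_SNAPSHOTS` on line 105 is added without any comment, and 65536 is a policy limit chosen by this fix rather than a constant of the qcow2 format, so a reader of the header cannot tell why the table is capped or which code relies on it. Suggest `/* Arbitrary upper bound on nb_snapshots; keeps the snapshot table allocation in qcow2_open bounded (CVE-2014-0144) */` directly above the define.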
@@ -97,6 +98,32 @@ typedef struct QCowHeader {
 uint32_t header_length;
 } QEMU_PACKED QCowHeader;
 
+typedef struct QEMU_PACKED QCowSnapshotHeader {
+/* header is 8 byte aligned */
+uint64_t l1_table_offset;
+
+uint32_t l1_size;
+uint16_t id_str_size;
+uint16_t name_size;
+
+uint32_t date_sec;
+uint32_t date_nsec;
+
+uint64_t vm_clock_nsec;
+
+uint32_t vm_state_size;
+uint32_t extra_data_size; /* for extension */
+/* extra data follows */
+/* id_str follows */
+/* name follows  */
+} QCowSnapshotHeader;
+
+typedef struct QEMU_PACKED QCowSnapshotExtraData {
+uint64_t vm_state_size_large;
+uint64_t disk_size;
+} QCowSnapshotExtraData;
+
+
 typedef struct QCowSnapshot {
 uint64_t l1_table_offset;
 uint32_t l1_size;
@@ -202,7 +229,7 @@ typedef struct BDRVQcowState {
 AES_KEY aes_decrypt_key;
 uint64_t snapshots_offset;
 int snapshots_size;
-int nb_snapshots;
+unsigned int nb_snapshots;
 QCowSnapshot *snapshots;
 
 int flags;
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index f58ac73..8a8b460 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -47,6 +47,8 @@ header_size=104
 offset_backing_file_offset=8
 offset_refcount_table_offset=48
 offset_refcount_table_clusters=56
+offset_nb_snapshots=60
+offset_snapshots_offset=64
 offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
@@ -90,6 +92,31 @@ poke_file $TEST_IMG $offset_refcount_table_offset 
\xff\xff\xff\xff\xff\xff\
 poke_file $TEST_IMG $offset_refcount_table_clusters \x00\x00\x00\x7f
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Invalid snapshot table ==
+_make_test_img 64M
+poke_file $TEST_IMG $offset_nb_snapshots \xff\xff\xff\xff
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | 

[Qemu-devel] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration

2014-07-09 Thread Michael Roth
CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
Reviewed-by: Peter Maydell peter.mayd...@linaro.org
Signed-off-by: Juan Quintela quint...@redhat.com
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/virtio/virtio.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 8dc3cb3..705fad9 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -904,6 +904,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 qemu_get_8s(f, vdev-status);
 qemu_get_8s(f, vdev-isr);
 qemu_get_be16s(f, vdev-queue_sel);
+if (vdev-queue_sel = VIRTIO_PCI_QUEUE_MAX) {
+return -1;
+}
 qemu_get_be32s(f, features);
 
 if (virtio_set_features(vdev, features)  0) {
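Review bot: The new range check on lines 209-211 carries no comment, so a later reader may take it for a redundant sanity check rather than the input validation it is. Suggest `/* queue_sel indexes vdev->vq[] (VIRTIO_PCI_QUEUE_MAX entries) and comes from the migration stream, so it must be bounded before use */` above the `if`. virtio_load's body continues outside the hunk, so whether other values read from the stream later in the function also need bounding cannot be judged from here.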
-- 
1.9.1




[Qemu-devel] [PATCH 022/156] block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.

2014-07-09 Thread Michael Roth
From: Benoît Canet benoit.ca...@irqsave.net

In 1.7.1 qcow2_create2 reopen the file for flushing without the 
BDRV_O_NO_BACKING
flags.

As a consequence the code would recursively open the whole backing chain.

These three stack arrays would pile up through the recursion and lead to a 
coroutine
stack overflow.

Convert these array to malloced buffers in order to streamline the coroutine
footprint.

Symptoms were freezes or segfaults on production machines while taking QMP
external snapshots. The overflow disturbed coroutine switching.

Signed-off-by: Benoit Canet benoit.ca...@gmail.com

*note: backport of upstream's 1ba4b6a

Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block.c | 32 +++-
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/block.c b/block.c
index 382ea71..8f84dbc 100644
--- a/block.c
+++ b/block.c
@@ -966,14 +966,14 @@ fail:
  */
 int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
 {
-char backing_filename[PATH_MAX];
-int back_flags, ret;
+char *backing_filename = g_malloc0(PATH_MAX);
+int back_flags, ret = 0;
 BlockDriver *back_drv = NULL;
 Error *local_err = NULL;
 
 if (bs-backing_hd != NULL) {
 QDECREF(options);
-return 0;
+goto free_exit;
 }
 
 /* NULL means an empty set of options */
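Review bot: `backing_filename` is allocated with g_malloc0(PATH_MAX) on line 262, ahead of the `bs->backing_hd != NULL` early exit on line 267, so that path now allocates and immediately frees a PATH_MAX buffer where it previously did nothing. Moving the allocation below that check (keeping a plain `return 0;` there) keeps the early exit cheap and starts the buffer's lifetime where it is first used. bdrv_open_backing_file continues in the following hunks.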
@@ -986,10 +986,9 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict 
*options, Error **errp)
 backing_filename[0] = '\0';
 } else if (bs-backing_file[0] == '\0'  qdict_size(options) == 0) {
 QDECREF(options);
-return 0;
+goto free_exit;
 } else {
-bdrv_get_full_backing_filename(bs, backing_filename,
-   sizeof(backing_filename));
+bdrv_get_full_backing_filename(bs, backing_filename, PATH_MAX);
 }
 
 bs-backing_hd = bdrv_new();
@@ -1012,11 +1011,14 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict 
*options, Error **errp)
 error_setg(errp, Could not open backing file: %s,
error_get_pretty(local_err));
 error_free(local_err);
-return ret;
+goto free_exit;
 }
 pstrcpy(bs-backing_file, sizeof(bs-backing_file),
 bs-backing_hd-file-filename);
-return 0;
+ret = 0;
+free_exit:
+g_free(backing_filename);
+return ret;
 }
 
 /*
@@ -1032,7 +1034,8 @@ int bdrv_open(BlockDriverState *bs, const char *filename, 
QDict *options,
 {
 int ret;
 /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
-char tmp_filename[PATH_MAX + 1];
+char *backing_filename = NULL;
+char *tmp_filename = g_malloc0(PATH_MAX + 1);
 BlockDriverState *file = NULL;
 QDict *file_options = NULL;
 const char *drvname;
@@ -1052,7 +1055,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, 
QDict *options,
 int64_t total_size;
 BlockDriver *bdrv_qcow2;
 QEMUOptionParameter *create_options;
-char backing_filename[PATH_MAX];
+backing_filename = g_malloc0(PATH_MAX);
 
 if (qdict_size(options) != 0) {
 error_setg(errp, Can't use snapshot=on with driver-specific 
options);
@@ -1075,7 +1078,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, 
QDict *options,
 
 bdrv_unref(bs1);
 
-ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
 if (ret  0) {
 error_setg_errno(errp, -ret, Could not get temporary filename);
 goto fail;
@@ -1083,8 +1086,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, 
QDict *options,
 
 /* Real path is meaningless for protocols */
 if (path_has_protocol(filename)) {
-snprintf(backing_filename, sizeof(backing_filename),
- %s, filename);
+snprintf(backing_filename, PATH_MAX, %s, filename);
 } else if (!realpath(filename, backing_filename)) {
 ret = -errno;
 error_setg_errno(errp, errno, Could not resolve path '%s', 
filename);
@@ -1206,6 +1208,8 @@ fail:
 if (error_is_set(local_err)) {
 error_propagate(errp, local_err);
 }
+g_free(tmp_filename);
+g_free(backing_filename);
 return ret;
 
 close_and_fail:
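Review bot: Neither this hunk nor the `close_and_fail:` one below frees the buffers on bdrv_open's normal return: the previous hunk ends at old line 1090 and this one starts at the `fail:` label (old line 1206), so the success-path return that precedes `fail:` lies outside the diff and is not modified. Unless that return was already routed through a cleanup label, every successful bdrv_open now leaks `tmp_filename`, and `backing_filename` as well when the snapshot branch ran, which is a regression against the stack arrays this patch replaces. Suggest adding `g_free(tmp_filename); g_free(backing_filename);` before that return, or turning the success exit into a shared cleanup label that the two failure paths also reach.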
@@ -1214,6 +1218,8 @@ close_and_fail:
 if (error_is_set(local_err)) {
 error_propagate(errp, local_err);
 }
+g_free(tmp_filename);
+g_free(backing_filename);
 return ret;
 }
 
-- 
1.9.1




Re: [Qemu-devel] another locking issue in current dataplane code?

2014-07-09 Thread Christian Borntraeger
Ping.

has anyone seen a similar hang on x86?



On 07/07/14 13:58, Christian Borntraeger wrote:
 Folks,
 
 with current 2.1-rc0 (
 +  dataplane: do not free VirtQueueElement in vring_push()
 +  virtio-blk: avoid dataplane VirtIOBlockReq early free
 + some not-ready yet s390 patches for migration
 )
 
 I am still having issues with dataplane during managedsave (without dataplane 
 everything seems to work fine):
 
 With 1 CPU and 1 disk (and some workload, e.g. a simple dd on the disk) I get:
 
 
 Thread 3 (Thread 0x3fff90fd910 (LWP 27218)):
 #0  0x03fffcdb7ba0 in __lll_lock_wait () from /lib64/libpthread.so.0
 #1  0x03fffcdbac0c in __pthread_mutex_cond_lock () from 
 /lib64/libpthread.so.0
 #2  0x03fffcdb399a in pthread_cond_wait@@GLIBC_2.3.2 () from 
 /lib64/libpthread.so.0
 #3  0x801fff06 in qemu_cond_wait (cond=optimized out, 
 mutex=mutex@entry=0x8037f788 qemu_global_mutex) at 
 /home/cborntra/REPOS/qemu/util/qemu-thread-posix.c:135
 #4  0x800472f4 in qemu_kvm_wait_io_event (cpu=optimized out) at 
 /home/cborntra/REPOS/qemu/cpus.c:843
 #5  qemu_kvm_cpu_thread_fn (arg=0x809ad6b0) at 
 /home/cborntra/REPOS/qemu/cpus.c:879
 #6  0x03fffcdaf412 in start_thread () from /lib64/libpthread.so.0
 #7  0x03fffba350ae in thread_start () from /lib64/libc.so.6
 
 Thread 2 (Thread 0x3fff88fd910 (LWP 27219)):
 #0  0x03fffba2a8e0 in ppoll () from /lib64/libc.so.6
 #1  0x801af250 in ppoll (__ss=0x0, __timeout=0x0, __nfds=optimized 
 out, __fds=optimized out) at /usr/include/bits/poll2.h:77
 #2  qemu_poll_ns (fds=fds@entry=0x3fff40010c0, nfds=nfds@entry=3, timeout=-1) 
 at /home/cborntra/REPOS/qemu/qemu-timer.c:314
 #3  0x801b0702 in aio_poll (ctx=0x807f2230, 
 blocking=blocking@entry=true) at /home/cborntra/REPOS/qemu/aio-posix.c:221
 #4  0x800be3c4 in iothread_run (opaque=0x807f20d8) at 
 /home/cborntra/REPOS/qemu/iothread.c:41
 #5  0x03fffcdaf412 in start_thread () from /lib64/libpthread.so.0
 #6  0x03fffba350ae in thread_start () from /lib64/libc.so.6
 
 Thread 1 (Thread 0x3fff9c529b0 (LWP 27215)):
 #0  0x03fffcdb38f0 in pthread_cond_wait@@GLIBC_2.3.2 () from 
 /lib64/libpthread.so.0
 #1  0x801fff06 in qemu_cond_wait (cond=cond@entry=0x807f22c0, 
 mutex=mutex@entry=0x807f2290) at 
 /home/cborntra/REPOS/qemu/util/qemu-thread-posix.c:135
 #2  0x80212906 in rfifolock_lock (r=r@entry=0x807f2290) at 
 /home/cborntra/REPOS/qemu/util/rfifolock.c:59
 #3  0x8019e536 in aio_context_acquire (ctx=ctx@entry=0x807f2230) at 
 /home/cborntra/REPOS/qemu/async.c:295
 #4  0x801a34e6 in bdrv_drain_all () at 
 /home/cborntra/REPOS/qemu/block.c:1907
 #5  0x80048e24 in do_vm_stop (state=RUN_STATE_PAUSED) at 
 /home/cborntra/REPOS/qemu/cpus.c:538
 #6  vm_stop (state=state@entry=RUN_STATE_PAUSED) at 
 /home/cborntra/REPOS/qemu/cpus.c:1221
 #7  0x800e6338 in qmp_stop (errp=errp@entry=0x3a9dc00) at 
 /home/cborntra/REPOS/qemu/qmp.c:98
 #8  0x800e1314 in qmp_marshal_input_stop (mon=optimized out, 
 qdict=optimized out, ret=optimized out) at qmp-marshal.c:2806
 #9  0x8004b91a in qmp_call_cmd (cmd=optimized out, 
 params=0x8096cf50, mon=0x8080b8a0) at /home/cborntra/REPOS/qemu/monitor.c:5038
 #10 handle_qmp_command (parser=optimized out, tokens=optimized out) at 
 /home/cborntra/REPOS/qemu/monitor.c:5104
 #11 0x801faf16 in json_message_process_token (lexer=0x8080b7c0, 
 token=0x808f2610, type=optimized out, x=optimized out, y=6) at 
 /home/cborntra/REPOS/qemu/qobject/json-streamer.c:87
 #12 0x80212bac in json_lexer_feed_char (lexer=lexer@entry=0x8080b7c0, 
 ch=optimized out, flush=flush@entry=false) at 
 /home/cborntra/REPOS/qemu/qobject/json-lexer.c:303
 #13 0x80212cfe in json_lexer_feed (lexer=0x8080b7c0, 
 buffer=optimized out, size=optimized out) at 
 /home/cborntra/REPOS/qemu/qobject/json-lexer.c:356
 #14 0x801fb10e in json_message_parser_feed (parser=optimized out, 
 buffer=optimized out, size=optimized out) at 
 /home/cborntra/REPOS/qemu/qobject/json-streamer.c:110
 #15 0x80049f28 in monitor_control_read (opaque=optimized out, 
 buf=optimized out, size=optimized out) at 
 /home/cborntra/REPOS/qemu/monitor.c:5125
 #16 0x800c8636 in qemu_chr_be_write (len=1, buf=0x3a9e010 
 }[B\377\373\251\372\b, s=0x807f5af0) at 
 /home/cborntra/REPOS/qemu/qemu-char.c:213
 #17 tcp_chr_read (chan=optimized out, cond=optimized out, 
 opaque=0x807f5af0) at /home/cborntra/REPOS/qemu/qemu-char.c:2690
 #18 0x03fffcc9f05a in g_main_context_dispatch () from 
 /lib64/libglib-2.0.so.0
 #19 0x801ae3e0 in glib_pollfds_poll () at 
 /home/cborntra/REPOS/qemu/main-loop.c:190
 #20 os_host_main_loop_wait (timeout=optimized out) at 
 /home/cborntra/REPOS/qemu/main-loop.c:235
 #21 main_loop_wait (nonblocking=optimized out) at 
 /home/cborntra/REPOS/qemu/main-loop.c:484
 #22 0x800169e2 in main_loop () at /home/cborntra/REPOS/qemu/vl.c:2024
 #23 main (argc=optimized 

[Qemu-devel] [Bug 1307473] Re: guest hang due to missing clock interrupt

2014-07-09 Thread Ondergetekende
We haven't been able to reproduce the issues under lab conditions, and
I'm not willing to use our production setup as a guinea pig anymore. These
issues have cost me too much credibility already.

We believe #1326367 is causing this, as we've bisected this issue to be
between 3.13.0-27.50 and 3.13.0-29.53 (see our results earlier).
#1326367 is the only change which felt relevant, but admittedly, this is
just a hunch.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1307473

Title:
  guest hang due to missing clock interrupt

Status in QEMU:
  New
Status in “linux” package in Ubuntu:
  Confirmed
Status in “qemu” package in Ubuntu:
  Confirmed

Bug description:
  
  I noticed on 2 different systems that after upgrade from precise to latest 
trusty VMs are crashing:

  - in case of Windows VMs I'm getting BSOD with error message: A clock 
interrupt was not received on a secondary processor within the allocated time 
interval.
  - On linux VMs I'm noticing hrtimer: interrupt took 2992229 ns messages 
  - On some proprietary virtual appliances I'm noticing crashes due to 
missing timer interrupts

  QEMU version is:
  QEMU emulator version 1.7.91 (Debian 2.0.0~rc1+dfsg-0ubuntu3)

  Full command line:

  qemu-system-x86_64 -enable-kvm -name win7eval -S -machine pc-
  i440fx-1.7,accel=kvm,usb=off -cpu host -m 4096 -realtime mlock=off
  -smp 4,sockets=1,cores=4,threads=1 -uuid 05e5089a-
  4aa1-6bb2-ef06-ab4d020a -no-user-config -nodefaults -chardev
  
socket,id=charmonitor,path=/var/lib/libvirt/qemu/win7eval.monitor,server,nowait
  -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
  -no-shutdown -boot strict=on -device piix3-usb-
  uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
  file=/var/vm/win7eval.qcow2,if=none,id=drive-virtio-disk0,format=qcow2
  -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-
  disk0,id=virtio-disk0,bootindex=1 -drive
  file=/home/damarion/iso/7600.16385.090713-1255_x86fre_enterprise_en-
  us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD.iso,if=none,id=drive-
  ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive
  =drive-ide0-0-0,id=ide0-0-0 -drive file=/home/damarion/iso/virtio-
  win-0.1-74.iso,if=none,id=drive-ide0-1-0,readonly=on,format=raw
  -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0
  -netdev tap,fd=24,id=hostnet0 -device
  e1000,netdev=hostnet0,id=net0,mac=52:54:00:38:31:0a,bus=pci.0,addr=0x3
  -chardev pty,id=charserial0 -device isa-
  serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
  -vnc 127.0.0.1:1 -device VGA,id=video0,bus=pci.0,addr=0x2 -device
  virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1307473/+subscriptions



Re: [Qemu-devel] [PATCH v4] tests: Functions bus_foreach and device_find from libqos virtio API

2014-07-09 Thread Stefan Hajnoczi
On Fri, Jul 04, 2014 at 12:36:49AM +0200, Marc Marí wrote:
 +static void qvirtio_pci_foreach_callback(
 +QPCIDevice *dev, int devfn, void *data)
 +{
 +QVirtioPCIForeachData *d = data;
 +QVirtioPCIDevice *vpcidev = qpcidevice_to_qvirtiodevice(dev);
 +
 +if (vpcidev-vdev.device_type == d-device_type) {
 +d-func(vpcidev-vdev, d-user_data);
 +}
 +
 +g_free(vpcidev);

Fine for now but eventually I think we need to pass ownership of vpcidev
to -func() and only free vpcidev if the device type didn't match.

 +QVirtioPCIDevice *qvirtio_pci_device_find(QPCIBus *bus, uint16_t device_type)
 +{
 +QVirtioPCIDevice *dev;
 +
 +dev = g_malloc0(sizeof(*dev));
 +qvirtio_pci_foreach(bus, device_type, qvirtio_pci_assign_device, dev);
 +
 +return dev;
 +}

What if the device is not found, should we return NULL?




[Qemu-devel] [PATCH for-2.1] AioContext: do not rely on aio_poll(ctx, true) result to end a loop

2014-07-09 Thread Paolo Bonzini
Currently, whenever aio_poll(ctx, true) has completed all pending
work it returns true *and* the next call to aio_poll(ctx, true)
will not block.

This invariant has its roots in qemu_aio_flush()'s implementation
as while (qemu_aio_wait()) {}.  However, qemu_aio_flush() does
not exist anymore and bdrv_drain_all() is implemented differently;
and this invariant is complicated to maintain and subtly different
from the return value of GMainLoop's g_main_context_iteration.

All calls to aio_poll(ctx, true) except one are guarded by a
while() loop checking for a request to be incomplete, or a
BlockDriverState to be idle.  The one remaining call (in
iothread.c) uses this to delay the aio_context_release/acquire
pair until the AioContext is quiescent, however:

- we can do the same just by using non-blocking aio_poll,
  similar to how vl.c invokes main_loop_wait

- it is buggy, because it does not ensure that the AioContext
  is released between an aio_notify and the next time the
  iothread goes to sleep.  This leads to hangs when stopping
  the dataplane thread.

In the end, these semantics are a bad match for the current
users of AioContext.  So modify that one exception in iothread.c,
which also fixes the hangs, as well as the testcase so that
it uses the same idiom as the actual QEMU code.

Reported-by: Christian Borntraeger borntrae...@de.ibm.com
Tested-by: Christian Borntraeger borntrae...@de.ibm.com
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 include/block/aio.h |  6 +++---
 iothread.c  |  5 -
 tests/test-aio.c| 25 +
 3 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/include/block/aio.h b/include/block/aio.h
index 433e7ff..c23de3c 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -214,9 +214,9 @@ bool aio_pending(AioContext *ctx);
 /* Progress in completing AIO work to occur.  This can issue new pending
  * aio as a result of executing I/O completion or bh callbacks.
  *
- * If there is no pending AIO operation or completion (bottom half),
- * return false.  If there are pending AIO operations of bottom halves,
- * return true.
+ * Return whether any progress was made by executing AIO or bottom half
+ * handlers.  If @blocking == true, this should always be true except
+ * if someone called aio_notify.
  *
  * If there are no pending bottom halves, but there are pending AIO
  * operations, it may not be possible to make any progress without
diff --git a/iothread.c b/iothread.c
index 1fbf9f1..d9403cf 100644
--- a/iothread.c
+++ b/iothread.c
@@ -30,6 +30,7 @@ typedef ObjectClass IOThreadClass;
 static void *iothread_run(void *opaque)
 {
 IOThread *iothread = opaque;
+bool blocking;
 
 qemu_mutex_lock(iothread-init_done_lock);
 iothread-thread_id = qemu_get_thread_id();
@@ -38,8 +39,10 @@ static void *iothread_run(void *opaque)
 
 while (!iothread-stopping) {
 aio_context_acquire(iothread-ctx);
-while (!iothread-stopping  aio_poll(iothread-ctx, true)) {
+blocking = true;
+while (!iothread-stopping  aio_poll(iothread-ctx, blocking)) {
 /* Progress was made, keep going */
+blocking = false;
 }
 aio_context_release(iothread-ctx);
 }
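Review bot: The comment `/* Progress was made, keep going */` on line 669 no longer describes the loop: after the first successful aio_poll the inner loop continues with `blocking = false`, so it drains remaining work without sleeping and exits as soon as a non-blocking poll makes no progress, which is what lets the context be released. Suggest `/* Progress was made; drain remaining work without blocking so the context is released once idle */`. The `bool blocking;` declaration added at function scope in the preceding hunk (line 658) could be folded into `bool blocking = true;` at the top of the outer loop body, replacing the separate assignment on line 667 and keeping the flag's scope as narrow as its use.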
diff --git a/tests/test-aio.c b/tests/test-aio.c
index 264dab9..4c40a49 100644
--- a/tests/test-aio.c
+++ b/tests/test-aio.c
@@ -24,14 +24,6 @@ typedef struct {
 bool auto_set;
 } EventNotifierTestData;
 
-/* Wait until there are no more BHs or AIO requests */
-static void wait_for_aio(void)
-{
-while (aio_poll(ctx, true)) {
-/* Do nothing */
-}
-}
-
 /* Wait until event notifier becomes inactive */
 static void wait_until_inactive(EventNotifierTestData *data)
 {
@@ -204,7 +196,9 @@ static void test_bh_schedule10(void)
 g_assert(aio_poll(ctx, true));
 g_assert_cmpint(data.n, ==, 2);
 
-wait_for_aio();
+while (data.n  10) {
+aio_poll(ctx, true);
+}
 g_assert_cmpint(data.n, ==, 10);
 
 g_assert(!aio_poll(ctx, false));
@@ -252,7 +246,9 @@ static void test_bh_delete_from_cb(void)
 qemu_bh_schedule(data1.bh);
 g_assert_cmpint(data1.n, ==, 0);
 
-wait_for_aio();
+while (data1.n  data1.max) {
+aio_poll(ctx, true);
+}
 g_assert_cmpint(data1.n, ==, data1.max);
 g_assert(data1.bh == NULL);
 
@@ -287,7 +283,12 @@ static void test_bh_delete_from_cb_many(void)
 g_assert_cmpint(data4.n, ==, 1);
 g_assert(data1.bh == NULL);
 
-wait_for_aio();
+while (data1.n  data1.max ||
+   data2.n  data2.max ||
+   data3.n  data3.max ||
+   data4.n  data4.max) {
+aio_poll(ctx, true);
+}
 g_assert_cmpint(data1.n, ==, data1.max);
 g_assert_cmpint(data2.n, ==, data2.max);
 g_assert_cmpint(data3.n, ==, data3.max);
@@ -306,7 +307,7 @@ static void test_bh_flush(void)
 qemu_bh_schedule(data.bh);
 g_assert_cmpint(data.n, ==, 0);
 
-wait_for_aio();
+g_assert(aio_poll(ctx, true));
   

Re: [Qemu-devel] live migration + licensing issue.

2014-07-09 Thread Markus Armbruster
Anshul Makkar anshul.mak...@profitbricks.com writes:

 Hi,

 Yeah, I am aware of this option. But the point where I am concerned is
 that if Windows VM is running in QEMU 1.0 with pc-model 1.0 and then I
 upgrade the QEMU to 2.0 and I specify machine as pc-1.2, then Windows
 will see this as change in hardware and complain about the license.

Works as designed.

 Sorry, if my understanding is wrong here or i am missing something.

Changing the machine type is the virtual equivalent of replacing the
motherboard.



[Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143)

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s-catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Stefan Hajnoczi stefa...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit e3737b820b45e54b059656dc3f914f895ac7a88b)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/bochs.c  | 13 +
 tests/qemu-iotests/078 | 13 +
 tests/qemu-iotests/078.out | 10 +-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/block/bochs.c b/block/bochs.c
index 04cca71..d1b1a2c 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -122,7 +122,14 @@ static int bochs_open(BlockDriverState *bs, QDict 
*options, int flags,
 bs-total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512;
 }
 
+/* Limit to 1M entries to avoid unbounded allocation. This is what is
+ * needed for the largest image that bximage can create (~8 TB). */
 s-catalog_size = le32_to_cpu(bochs.catalog);
+if (s-catalog_size  0x10) {
+error_setg(errp, Catalog size is too large);
+return -EFBIG;
+}
+
 s-catalog_bitmap = g_malloc(s-catalog_size * 4);
 
 ret = bdrv_pread(bs-file, le32_to_cpu(bochs.header), s-catalog_bitmap,
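Review bot: The comment on line 788 promises a limit of 1M entries, but the constant in the check on line 791 reads `0x10` in this listing; if that is not a rendering artefact the cap is far smaller than documented, and either way a named constant (a constructed example: `#define BOCHS_MAX_CATALOG_ENTRIES 0x100000`) used in both the check and a follow-up comment would keep code and comment from drifting apart. The multiplication `s->catalog_size * 4` on line 796 is only overflow-safe because of the new bound, which deserves a one-line comment such as `/* cannot overflow: catalog_size is bounded above */`. bochs_open continues outside the hunk.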
@@ -141,6 +148,12 @@ static int bochs_open(BlockDriverState *bs, QDict 
*options, int flags,
 
 s-extent_size = le32_to_cpu(bochs.extent);
 
+if (s-catalog_size  bs-total_sectors / s-extent_size) {
+error_setg(errp, Catalog size is too small for this disk size);
+ret = -EINVAL;
+goto fail;
+}
+
 qemu_co_mutex_init(s-lock);
 return 0;
 
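Review bot: `s->extent_size` is read straight from the header on line 802 and used as a divisor on line 804 with no check visible in this hunk, so an image with extent_size == 0 would divide by zero in bochs_open unless another patch in the series validates it before this point; a guard such as `if (s->extent_size == 0) { error_setg(errp, "Extent size may not be zero"); ret = -EINVAL; goto fail; }` ahead of the division would make this hunk self-contained. Separately, bs->total_sectors is a sector count (line 785 derives it by dividing the disk size by 512) while extent_size is presumably a byte count, so `bs->total_sectors / s->extent_size` would under-estimate the number of catalog entries the image needs by a factor of 512 if that reading is right; `bs->total_sectors / (s->extent_size / 512)`, after a check that extent_size is at least 512, would compare like with like. bochs_open's body continues outside the hunk.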
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 73b573a..902ef0f 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
 _supported_os Linux
 
 catalog_size_offset=$((0x48))
+disk_size_offset=$((0x58))
 
 echo
 echo == Read from a valid image ==
@@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2
 poke_file $TEST_IMG $catalog_size_offset \xff\xff\xff\xff
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Overflow for catalog size * sizeof(uint32_t) ==
+_use_sample_img empty.bochs.bz2
+poke_file $TEST_IMG $catalog_size_offset \x00\x00\x00\x40
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
+echo
+echo == Too small catalog bitmap for image size ==
+_use_sample_img empty.bochs.bz2
+poke_file $TEST_IMG $disk_size_offset \x00\xc0\x0f\x00\x00\x00\x00\x7f
+{ $QEMU_IO -c read 2T 4k $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index ef8c42d..7254693 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -5,6 +5,14 @@ read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 
 == Negative catalog size ==
-qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 
'TEST_DIR/empty.bochs': Interrupted system call
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
+no file open, try 'help open'
+
+== Overflow for catalog size * sizeof(uint32_t) ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
+no file open, try 'help open'
+
+== Too small catalog bitmap for image size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for 
this disk size
 no file open, try 'help open'
 *** done
-- 
1.9.1




Re: [Qemu-devel] another locking issue in current dataplane code?

2014-07-09 Thread Christian Borntraeger
On 08/07/14 12:37, Christian Borntraeger wrote:
 On 08/07/14 12:12, Christian Borntraeger wrote:
 On 08/07/14 11:09, Christian Borntraeger wrote:
 On 08/07/14 09:43, Ming Lei wrote:
 On Tue, Jul 8, 2014 at 3:19 PM, Christian Borntraeger
 borntrae...@de.ibm.com wrote:
 Ping.

 has anyone seen a similar hang on x86?

 The problem seems to be, that for managedsave, we do a VM stop before we 
 call the migration_state_notifier. to be verified.

 Yes. virsh suspend also hangs. Any ideas?

 
 Finally found a solution. Merging the merge request below from upstream seems to 
 fix my issues. I guess the plugging/unplugging fixed this implicitly, but I 
 don't understand it yet.
 Since the problem is gone, I will no longer investigate...

Sigh. This merge just made the bug less likely to occur.


 
 
 Bug fixes for QEMU 2.1-rc1.
 
 The following changes since commit 9d9de254c2b81b68cd48f2324cc753a570a4cdd8:
 
   MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2014-07-03 
 12:36:15 +0100)
 
 are available in the git repository at:
 
   git://github.com/stefanha/qemu.git tags/block-pull-request
 
 for you to fetch changes up to f4eb32b590bf58c1c67570775eb78beb09964fad:
 
   qmp: show QOM properties in device-list-properties (2014-07-07 11:10:05 
 +0200)
 




Re: [Qemu-devel] [PATCH v2 8/9] target-mips: add BadInstr and BadInstrP support

2014-07-09 Thread Leon Alrae
Hi James,

On 08/07/2014 13:44, James Hogan wrote:
 Hi Leon,
 
 On 08/07/14 08:57, Leon Alrae wrote:
 BadInstr Register (CP0 Register 8, Select 1)
 The BadInstr register is a read-only register that captures the most recent
 instruction which caused an exception.

 BadInstrP Register (CP0 Register 8, Select 2)
 The BadInstrP register contains the prior branch instruction, when the
 faulting instruction is in a branch delay slot.

 Using error_code to indicate whether AdEL or TLBL was triggered during
 instruction fetch, in this case BadInstr is not updated as valid instruction
 word is not available.

 Signed-off-by: Leon Alrae leon.al...@imgtec.com
 ---
  target-mips/cpu.h   |6 +++
  target-mips/helper.c|   44 --
  target-mips/op_helper.c |   17 +-
  target-mips/translate.c |   80 
 +++---
  4 files changed, 136 insertions(+), 11 deletions(-)

 diff --git a/target-mips/cpu.h b/target-mips/cpu.h
 index bc5..656f5ca 100644
 --- a/target-mips/cpu.h
 +++ b/target-mips/cpu.h
 @@ -177,6 +177,8 @@ struct TCState {
  target_ulong CP0_TCScheFBack;
  int32_t CP0_Debug_tcstatus;
  target_ulong CP0_UserLocal;
 +uint32_t CP0_BadInstr;
 +uint32_t CP0_BadInstrP;
 
 According to the PRA, BadInstr/BadInstrP are instantiated per VPE, so
 shouldn't these be in struct CPUMIPSState?
 
 Cheers
 James
 

Thanks for pointing this out - I'll correct it in the next version.

Regards,
Leon



[Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop

2014-07-09 Thread Michael Roth
From: Stefan Hajnoczi stefa...@redhat.com

It is not necessary to check errno for EINTR and the block layer does
not produce short reads.  Therefore we can drop the loop that attempts
to read a compressed chunk.

The loop is buggy because it incorrectly adds the transferred bytes
twice:

  do {
  ret = bdrv_pread(...);
  i += ret;
  } while (ret = 0  ret + i  s-lengths[chunk]);

Luckily we can drop the loop completely and perform a single
bdrv_pread().

Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit b404bf854217dbe8a5649449eb3ad33777f7d900)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/dmg.c | 15 ++-
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index f4f3e8e..1cc5426 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -298,21 +298,10 @@ static inline int dmg_read_chunk(BlockDriverState *bs, 
int sector_num)
 s-current_chunk = s-n_chunks;
 switch (s-types[chunk]) {
 case 0x8005: { /* zlib compressed */
-int i;
-
 /* we need to buffer, because only the chunk as whole can be
  * inflated. */
-i = 0;
-do {
-ret = bdrv_pread(bs-file, s-offsets[chunk] + i,
- s-compressed_chunk + i,
- s-lengths[chunk] - i);
-if (ret  0  errno == EINTR) {
-ret = 0;
-}
-i += ret;
-} while (ret = 0  ret + i  s-lengths[chunk]);
-
+ret = bdrv_pread(bs-file, s-offsets[chunk],
+ s-compressed_chunk, s-lengths[chunk]);
 if (ret != s-lengths[chunk]) {
 return -1;
 }
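Review bot: Nothing in the new single-read path bounds `s->lengths[chunk]` against the allocation backing `s->compressed_chunk`, so if the chunk table parsed from the image is not validated elsewhere in the driver, a crafted length still overruns the buffer; the removed loop had the same gap, so this is not a regression, but it is the check a reader looks for here. Whether such a bound exists where the chunk table is read is outside the hunk, so either confirm it there or compare `s->lengths[chunk]` against the allocated size of `s->compressed_chunk` before the read and `return -1` on excess. The comparison `ret != s->lengths[chunk]` mixes a signed int return with the table's width, which works because a negative error value converts to a large unsigned, but a one-line comment saying so would save the next reader a detour. dmg_read_chunk starts and ends outside the hunk.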
-- 
1.9.1




Re: [Qemu-devel] Which method executes the translated blocks (TBs)?

2014-07-09 Thread Peter Maydell
On 8 July 2014 18:26, Anderson Sartor andersonsar...@gmail.com wrote:
 Hi all,
 Which method, in fact, executes the TBs (full-system emulation)? Is it
 tcg_qemu_tb_exec() from cpu_exec()?

Yes.

 At this point, is it possible for the execution of the TB to be interrupted
 (it will try to execute this TB again)?

Depends what you mean. There are circumstances where we
won't actually execute the TB but will stop immediately, but
guest interrupts aren't one of them. (tcg/tcg.h has a good
documentation comment for tcg_qemu_tb_exec describing
this.) It's also possible that execution of the TB might be aborted
due to an exception that causes us to longjmp out and never
return from tcg_qemu_tb_exec().

 If positive, how do I know whether a
 TB was completely executed?

Not sure exactly what you're trying to do here; bear in mind
that tcg_qemu_tb_exec() may execute more than one TB
before it returns.

thanks
-- PMM



[Qemu-devel] [PATCH 034/156] vmstate: add VMSTATE_VALIDATE

2014-07-09 Thread Michael Roth
From: Michael S. Tsirkin m...@redhat.com

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Juan Quintela quint...@redhat.com
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 include/migration/vmstate.h | 8 
 1 file changed, 8 insertions(+)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 13fb78d..3007d89 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
 .offset   = vmstate_offset_value(_state, _field, _type), \
 }
 
+/* Validate state using a boolean predicate. */
+#define VMSTATE_VALIDATE(_name, _test) { \
+.name = (_name), \
+.field_exists = (_test), \
+.flags= VMS_ARRAY | VMS_MUST_EXIST,  \
+.num  = 0, /* 0 elements: no data, only run _test */ \
+}
+
 #define VMSTATE_POINTER(_field, _state, _version, _info, _type) {\
 .name   = (stringify(_field)),   \
 .version_id = (_version),\
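Review bot: The macro's comment says only "Validate state using a boolean predicate"; it should state what happens when the predicate fails, because `.num = 0` means no field data is ever consumed and VMS_MUST_EXIST is the only thing that turns a false result into an error — presumably a load failure in the vmstate loader, which is outside this hunk. Suggest `/* Validate state with the field_exists predicate _test; num = 0 so no data is read, and VMS_MUST_EXIST makes a false result fail the load. */`. The predicate's exact signature is not visible here; word the comment to match the `field_exists` callback type declared elsewhere in this header.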
-- 
1.9.1




[Qemu-devel] [PATCH 152/156] qapi: zero-initialize all QMP command parameters

2014-07-09 Thread Michael Roth
In general QMP command parameter values are specified by consumers of the
QMP/HMP interface, but in the case of optional parameters these values may
be left uninitialized.

It is considered a bug for code to make use of optional parameters that have
not been flagged as being present by the marshalling code (via corresponding
has_parameter parameter), however our marshalling code will still pass
these uninitialized values on to the corresponding QMP function (to then
be ignored). Some compilers (clang in particular) consider this unsafe
however, and generate warnings as a result. As reported by Peter Maydell:

  This is something clang's -fsanitize=undefined spotted. The
  code generated by qapi-commands.py in qmp-marshal.c for
  qmp_marshal_* functions where there are some optional
  arguments looks like this:

  bool has_force = false;
  bool force;

  mi = qmp_input_visitor_new_strict(QOBJECT(args));
  v = qmp_input_get_visitor(mi);
  visit_type_str(v, device, device, errp);
  visit_start_optional(v, has_force, force, errp);
  if (has_force) {
  visit_type_bool(v, force, force, errp);
  }
  visit_end_optional(v, errp);
  qmp_input_visitor_cleanup(mi);

  if (error_is_set(errp)) {
  goto out;
  }
  qmp_eject(device, has_force, force, errp);

  In the case where has_force is false, we never initialize
  force, but then we use it by passing it to qmp_eject.
  I imagine we don't then actually use the value, but clang
  complains in particular for 'bool' variables because the value
  that ends up being loaded from memory for 'force' is not either
  0 or 1 (being uninitialized stack contents).

Fix this by initializing all QMP command parameters to {0} in the
marshalling code prior to passing them on to the QMP functions.

Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
Reported-by: Peter Maydell peter.mayd...@linaro.org
Tested-by: Peter Maydell peter.mayd...@linaro.org
Reviewed-by: Eric Blake ebl...@redhat.com
Reviewed-by: Markus Armbruster arm...@redhat.com
Signed-off-by: Luiz Capitulino lcapitul...@redhat.com
(cherry picked from commit fc13d937269c1cd01a4b7720c1dcce01722727a2)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 scripts/qapi-commands.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/qapi-commands.py b/scripts/qapi-commands.py
index b12b696..b9c41fb 100644
--- a/scripts/qapi-commands.py
+++ b/scripts/qapi-commands.py
@@ -119,7 +119,7 @@ bool has_%(argname)s = false;
  argname=c_var(argname), argtype=c_type(argtype))
 else:
 ret += mcgen('''
-%(argtype)s %(argname)s;
+%(argtype)s %(argname)s = {0};
 ''',
  argname=c_var(argname), argtype=c_type(argtype))
 
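Review bot: `= {0}` is emitted for every argument type the generator handles — structs, pointers and scalars such as bool — and relies on C permitting a braced initializer for a scalar; that is valid C but surprising enough to deserve a comment in the generator, e.g. `# '{0}' zero-initializes structs, pointers and scalars alike, so an absent optional argument is never passed uninitialized`. This silences the sanitizer but does not change the contract: QMP implementations must still consult `has_<arg>` before reading an optional value, as the commit message says, so the comment should not suggest otherwise. The generator function continues outside the hunk.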
-- 
1.9.1




[Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

For the L1 table to be loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit c05e4667be91b46ab42b5a11babf8e84d476cc6b)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2-snapshot.c |  2 +-
 tests/qemu-iotests/029 | 18 +-
 tests/qemu-iotests/029.out |  4 
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 7548165..4170e87 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -673,7 +673,7 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs, const 
char *snapshot_name)
 sn = s-snapshots[snapshot_index];
 
 /* Allocate and read in the snapshot's L1 table */
-new_l1_bytes = s-l1_size * sizeof(uint64_t);
+new_l1_bytes = sn-l1_size * sizeof(uint64_t);
 new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
 
 ret = bdrv_pread(bs-file, sn-l1_table_offset, new_l1_table, 
new_l1_bytes);
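Review bot: `sn->l1_size` now sizes the allocation, and it comes straight from the snapshot table in the image, so unless it was bounded when that table was read (outside this hunk) `g_malloc0(align_offset(new_l1_bytes, 512))` becomes an attacker-chosen allocation of up to 2^32 entries; a check against the maximum L1 size qcow2_open already enforces for the active table, e.g. `if (sn->l1_size > max_l1_entries) { return -EFBIG; }` with max_l1_entries being that existing limit, should precede the multiplication. The type of `new_l1_bytes` is not visible; if it is an int, `sn->l1_size * sizeof(uint64_t)` is truncated on assignment and the bdrv_pread length no longer matches what was allocated. qcow2_snapshot_load_tmp starts and ends outside the hunk.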
diff --git a/tests/qemu-iotests/029 b/tests/qemu-iotests/029
index 567e071..fa46ace 100755
--- a/tests/qemu-iotests/029
+++ b/tests/qemu-iotests/029
@@ -30,7 +30,8 @@ status=1  # failure is the default!
 
 _cleanup()
 {
-   _cleanup_test_img
+rm -f $TEST_IMG.snap
+_cleanup_test_img
 }
 trap _cleanup; exit \$status 0 1 2 3 15
 
@@ -44,6 +45,9 @@ _supported_fmt qcow2
 _supported_proto generic
 _supported_os Linux
 
+offset_size=24
+offset_l1_size=36
+
 echo
 echo Test loading internal snapshots where the L1 table of the snapshot
 echo is smaller than the current L1 table.
@@ -77,6 +81,18 @@ _make_test_img 64M
 _check_test_img
 
 
+echo
+echo qcow2_snapshot_load_tmp() should take the L1 size from the snapshot
+echo
+
+CLUSTER_SIZE=512
+_make_test_img 64M
+{ $QEMU_IMG snapshot -c foo $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+poke_file $TEST_IMG $offset_size \x00\x00\x00\x00\x00\x00\x02\x00
+poke_file $TEST_IMG $offset_l1_size \x00\x00\x00\x01
+{ $QEMU_IMG convert -s foo $TEST_IMG $TEST_IMG.snap; } 21 | _filter_qemu_io 
| _filter_testdir
+
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/029.out b/tests/qemu-iotests/029.out
index 9029698..ce0e64d 100644
--- a/tests/qemu-iotests/029.out
+++ b/tests/qemu-iotests/029.out
@@ -20,4 +20,8 @@ wrote 4096/4096 bytes at offset 1099511627776
 read 4096/4096 bytes at offset 1099511627776
 4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 No errors were found on the image.
+
+qcow2_snapshot_load_tmp() should take the L1 size from the snapshot
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 *** done
-- 
1.9.1




[Qemu-devel] [PATCH v5] spapr: add uuid/host details to device tree

2014-07-09 Thread Nikunj A Dadhania
Useful for identifying the guest/host uniquely within the
guest. Adding following properties to the guest root node.

vm,uuid - uuid of the guest
host-model - Host model number
host-serial - Host machine serial number
hypervisor - tells the guest that the hypervisor is kvm

Signed-off-by: Nikunj A Dadhania nik...@linux.vnet.ibm.com

---
v5:
   * Use glib function to read file
   * Callee allocates and caller frees
   * Remove IBM, suffix
v4: make uuid as human readable
v3: rebase to ppcnext
v2: indentation fixes
---
 hw/ppc/spapr.c   | 28 
 target-ppc/kvm.c | 13 -
 target-ppc/kvm_ppc.h | 12 
 3 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 077ad2d..8c57ce4 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -318,6 +318,7 @@ static void *spapr_create_fdt_skel(hwaddr initrd_base,
 QemuOpts *opts = qemu_opts_find(qemu_find_opts(smp-opts), NULL);
 unsigned sockets = opts ? qemu_opt_get_number(opts, sockets, 0) : 0;
 uint32_t cpus_per_socket = sockets ? (smp_cpus / sockets) : 1;
+char *buf;
 
 add_str(hypertas, hcall-pft);
 add_str(hypertas, hcall-term);
@@ -347,6 +348,33 @@ static void *spapr_create_fdt_skel(hwaddr initrd_base,
 _FDT((fdt_property_string(fdt, model, IBM pSeries (emulated by 
qemu;
 _FDT((fdt_property_string(fdt, compatible, qemu,pseries)));
 
+if (kvm_enabled()) {
+_FDT((fdt_property_string(fdt, hypervisor, kvm)));
+}
+
+/*
+ * Add info to guest to indentify which host is it being run on
+ * and what is the uuid of the guest
+ */
+if (kvmppc_get_host_model(buf)) {
+_FDT((fdt_property_string(fdt, host-model, buf)));
+g_free(buf);
+}
+if (kvmppc_get_host_serial(buf)) {
+_FDT((fdt_property_string(fdt, host-serial, buf)));
+g_free(buf);
+}
+
+buf = g_strdup_printf(UUID_FMT, qemu_uuid[0], qemu_uuid[1],
+  qemu_uuid[2], qemu_uuid[3], qemu_uuid[4],
+  qemu_uuid[5], qemu_uuid[6], qemu_uuid[7],
+  qemu_uuid[8], qemu_uuid[9], qemu_uuid[10],
+  qemu_uuid[11], qemu_uuid[12], qemu_uuid[13],
+  qemu_uuid[14], qemu_uuid[15]);
+
+_FDT((fdt_property_string(fdt, vm,uuid, buf)));
+g_free(buf);
+
 _FDT((fdt_property_cell(fdt, #address-cells, 0x2)));
 _FDT((fdt_property_cell(fdt, #size-cells, 0x2)));
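Review bot: The host-model and host-serial properties (the block after the "Add info to guest" comment) are exported to every guest unconditionally, while the hypervisor property just above is gated on kvm_enabled(); a hardware serial number is a stable host identifier that lets a guest fingerprint the machine it runs on and correlate co-resident guests, so this disclosure deserves at least a comment, and probably the same gate or an opt-in option. The kvm_ppc.h stubs appear to return false only when KVM support is compiled out, so a TCG guest on a KVM-capable build presumably still receives the host's serial. Suggest `if (kvm_enabled() && kvmppc_get_host_model(&buf)) {` and the same for the serial lookup, and fixing the comment typo "indentify" to "identify". spapr_create_fdt_skel starts and ends outside the hunk.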
 
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 2d87108..afc7963 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -1369,7 +1369,7 @@ static int read_cpuinfo(const char *field, char *value, 
int len)
 }
 
 do {
-if(!fgets(line, sizeof(line), f)) {
+if (!fgets(line, sizeof(line), f)) {
 break;
 }
 if (!strncmp(line, field, field_len)) {
@@ -1404,6 +1404,17 @@ uint32_t kvmppc_get_tbfreq(void)
 return retval;
 }
 
+bool kvmppc_get_host_serial(char **value)
+{
+return g_file_get_contents(/proc/device-tree/system-id, value, NULL,
+   NULL);
+}
+
+bool kvmppc_get_host_model(char **value)
+{
+return g_file_get_contents(/proc/device-tree/model, value, NULL, NULL);
+}
+
 /* Try to find a device tree node for a CPU with clock-frequency property */
 static int kvmppc_find_cpu_dt(char *buf, int buf_len)
 {
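Review bot: Both helpers pass NULL for the GError and the length, so any failure — the file missing on a non-pSeries host, or a permission error — is silently reported as `false` and the property is simply omitted; that is a reasonable best-effort policy but should be stated above the functions, e.g. `/* Best effort: any error reading the device tree just means the property is not exported. */`. Because the length is discarded, a property that is not a NUL-terminated string is handed to fdt_property_string as text; GLib appends a trailing NUL, so the worst case is truncation at an embedded NUL rather than an over-read, which is worth a note too. The surrounding file continues outside the hunk.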
diff --git a/target-ppc/kvm_ppc.h b/target-ppc/kvm_ppc.h
index 1118122..fad2b8c 100644
--- a/target-ppc/kvm_ppc.h
+++ b/target-ppc/kvm_ppc.h
@@ -19,6 +19,8 @@ uint32_t kvmppc_get_tbfreq(void);
 uint64_t kvmppc_get_clockfreq(void);
 uint32_t kvmppc_get_vmx(void);
 uint32_t kvmppc_get_dfp(void);
+bool kvmppc_get_host_model(char **buf);
+bool kvmppc_get_host_serial(char **buf);
 int kvmppc_get_hasidle(CPUPPCState *env);
 int kvmppc_get_hypercall(CPUPPCState *env, uint8_t *buf, int buf_len);
 int kvmppc_set_interrupt(PowerPCCPU *cpu, int irq, int level);
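Review bot: The two new declarations carry no ownership comment, yet the contract (per the cover letter) is that the callee allocates and the caller must g_free(); that belongs at the declaration so callers neither leak nor free with the wrong allocator, e.g. `/* On success *buf is a g_malloc'ed NUL-terminated string the caller must g_free(); returns false and leaves *buf untouched on failure. */`. The "leaves *buf untouched" part is inferred from the stubs later in this header, which return false without writing `*buf`; confirm it also holds for the KVM implementation in kvm.c.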
@@ -60,6 +62,16 @@ static inline uint32_t kvmppc_get_tbfreq(void)
 return 0;
 }
 
+static inline bool kvmppc_get_host_model(char **buf)
+{
+return false;
+}
+
+static inline bool kvmppc_get_host_serial(char **buf)
+{
+return false;
+}
+
 static inline uint64_t kvmppc_get_clockfreq(void)
 {
 return 0;
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Amit Shah
On (Wed) 09 Jul 2014 [11:28:27], Peter Maydell wrote:
 On 9 July 2014 05:25, Amit Shah amit.s...@redhat.com wrote:
  (CC'ing Peter Maydell for his thoughts)
 
  On (Tue) 08 Jul 2014 [22:55:42], Peter Lieven wrote:
  Hi Juan,
 
  Am 25.06.2014 um 13:55 schrieb Juan Quintela quint...@redhat.com:
 
   Peter Lieven p...@kamp.de wrote:
   this patch extends commit db80fac by not only checking
   for unknown flags, but also filtering out unknown flag
   combinations.
  
   Suggested-by: Eric Blake ebl...@redhat.com
   Signed-off-by: Peter Lieven p...@kamp.de
  
   Reviewed-by: Juan Quintela quint...@redhat.com
  
   Will be on next pull request, thanks.
  
 
  Have you forgotten to pull this one? It might be too late for 2.1 though.
 
  Juan is away for a couple of weeks.  This looks like a good fix to
  pull in for 2.1, though.  Peter, do you agree?  Can you pick this up
  if so?
 
 What's the bug it's fixing? I had a look at the commit message,
 but that suggests it's just tightening up sanity checking, not
 fixing an actual issue... Maybe you can clarify.

Right, it improves correctness: after this patch, we ensure a rogue or
corrupt migration stream cannot cause problems on the dest.

Amit



Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Peter Maydell
On 9 July 2014 11:44, Amit Shah amit.s...@redhat.com wrote:
 On (Wed) 09 Jul 2014 [11:28:27], Peter Maydell wrote:
 On 9 July 2014 05:25, Amit Shah amit.s...@redhat.com wrote:
  Juan is away for a couple of weeks.  This looks like a good fix to
  pull in for 2.1, though.  Peter, do you agree?  Can you pick this up
  if so?

 What's the bug it's fixing? I had a look at the commit message,
 but that suggests it's just tightening up sanity checking, not
 fixing an actual issue... Maybe you can clarify.

 Right, it improves correctness: after this patch, we ensure a rogue or
 corrupt migration stream cannot cause problems on the dest.

OK; we're treating those as bugs so yes, I think this is 2.1
material. Has somebody other than the original author tested
it? (That's a step that would usually be done by Juan as the
maintainer.) If somebody can provide a Tested-by: I'm happy
to apply it to master.

thanks
-- PMM



[Qemu-devel] [PATCH 07/10] aio-win32: add aio_set_dispatching optimization

2014-07-09 Thread Paolo Bonzini
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 aio-win32.c | 17 -
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/aio-win32.c b/aio-win32.c
index 1ec434a..fd52686 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -144,12 +144,25 @@ bool aio_poll(AioContext *ctx, bool blocking)
 {
 AioHandler *node;
 HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
-bool progress, first;
+bool was_dispatching, progress, first;
 int count;
 int timeout;
 
+was_dispatching = ctx-dispatching;
 progress = false;
 
+/* aio_notify can avoid the expensive event_notifier_set if
+ * everything (file descriptors, bottom halves, timers) will
+ * be re-evaluated before the next blocking poll().  This is
+ * already true when aio_poll is called with blocking == false;
+ * if blocking == true, it is only true after poll() returns.
+ *
+ * If we're in a nested event loop, ctx-dispatching might be true.
+ * In that case we can restore it just before returning, but we
+ * have to clear it now.
+ */
+aio_set_dispatching(ctx, !blocking);
+
 ctx-walking_handlers++;
 
 /* fill fd sets */
@@ -170,6 +183,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
 timeout = blocking
 ? qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)) : 0;
 ret = WaitForMultipleObjects(count, events, FALSE, timeout);
+aio_set_dispatching(ctx, true);
 
 if (first  aio_bh_poll(ctx)) {
 progress = true;
@@ -191,5 +205,6 @@ bool aio_poll(AioContext *ctx, bool blocking)
 
 progress |= timerlistgroup_run_timers(ctx-tlg);
 
+aio_set_dispatching(ctx, was_dispatching);
 return progress;
 }
-- 
1.9.3





[Qemu-devel] [PATCH for-2.2 00/10] AioContext cleanups and Win32 socket support

2014-07-09 Thread Paolo Bonzini
This series simplifies heavily aio_poll by splitting it into three
phases: prepare (aio_compute_timeout), poll, dispatch.  The resulting
code shares more logic between aio_poll and the GSource wrappers,
and makes it easier to add Win32 support for sockets.

Win32 support for sockets is a prerequisite for moving the NBD server
into the BlockDriverState's attached AioContext.  It is done in the
final patch, based on earlier work from Or Goshen (from Intel).
I had to more or less rewrite it to fit the new framework, but you
can see parts of Or's work, as well as traces of aio-posix.c and
main-loop.c logic.

Tested with NBD boot under Wine.

Paolo

Paolo Bonzini (10):
  AioContext: take bottom halves into account when computing aio_poll
timeout
  aio-win32: Evaluate timers after handles
  aio-win32: Factor out duplicate code into aio_dispatch_handlers
  AioContext: run bottom halves after polling
  AioContext: export and use aio_dispatch
  test-aio: test timers on Windows too
  aio-win32: add aio_set_dispatching optimization
  AioContext: introduce aio_prepare
  qemu-coroutine-io: fix for Win32
  aio-win32: add support for sockets

 aio-posix.c |  58 
 aio-win32.c | 262 +++-
 async.c |  39 +---
 block/Makefile.objs |   2 -
 include/block/aio.h |  25 -
 nbd.c   |   2 +-
 qemu-coroutine-io.c |   4 +-
 tests/test-aio.c|  48 +++---
 8 files changed, 277 insertions(+), 163 deletions(-)

-- 
1.9.3




Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Amit Shah
On (Wed) 09 Jul 2014 [11:50:18], Peter Maydell wrote:
 On 9 July 2014 11:44, Amit Shah amit.s...@redhat.com wrote:
  On (Wed) 09 Jul 2014 [11:28:27], Peter Maydell wrote:
  On 9 July 2014 05:25, Amit Shah amit.s...@redhat.com wrote:
   Juan is away for a couple of weeks.  This looks like a good fix to
   pull in for 2.1, though.  Peter, do you agree?  Can you pick this up
   if so?
 
  What's the bug it's fixing? I had a look at the commit message,
  but that suggests it's just tightening up sanity checking, not
  fixing an actual issue... Maybe you can clarify.
 
  Right, it improves correctness: after this patch, we ensure a rogue or
  corrupt migration stream cannot cause problems on the dest.
 
 OK; we're treating those as bugs so yes, I think this is 2.1
 material. Has somebody other than the original author tested
 it? (That's a step that would usually be done by Juan as the
 maintainer.) If somebody can provide a Tested-by: I'm happy
 to apply it to master.

Not really sure if Juan did that as part of his 'thanks, applied'
workflow, but I'll run this through the autotest migration tests and
report back.

Amit



[Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign

2014-07-09 Thread Michael Roth
From: Dr. David Alan Gilbert dgilb...@redhat.com

Fix comparison of vmstate_info_int32_le so that it succeeds if loaded
value is (l)ess than or (e)qual

When the comparison succeeds, assign the value loaded
  This is a change in behaviour but I think the original intent, since
  the idea is to check if the version/size of the thing you're loading is
  less than some limit, but you might well want to do something based on
  the actual version/size in the file

Fix up comment and name text

Signed-off-by: Dr. David Alan Gilbert dgilb...@redhat.com
Signed-off-by: Juan Quintela quint...@redhat.com
(cherry picked from commit 24a370ef2351dc596a7e47508b952ddfba79ef94)

Conflicts:
vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 savevm.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/savevm.c b/savevm.c
index 8a22807..40054cf 100644
--- a/savevm.c
+++ b/savevm.c
@@ -,22 +,24 @@ const VMStateInfo vmstate_info_int32_equal = {
 .put  = put_int32,
 };
 
-/* 32 bit int. See that the received value is the less or the same
-   than the one in the field */
+/* 32 bit int. Check that the received value is less than or equal to
+   the one in the field */
 
 static int get_int32_le(QEMUFile *f, void *pv, size_t size)
 {
-int32_t *old = pv;
-int32_t new;
-qemu_get_sbe32s(f, new);
+int32_t *cur = pv;
+int32_t loaded;
+qemu_get_sbe32s(f, loaded);
 
-if (*old = new)
+if (loaded = *cur) {
+*cur = loaded;
 return 0;
+}
 return -EINVAL;
 }
 
 const VMStateInfo vmstate_info_int32_le = {
-.name = int32 equal,
+.name = int32 le,
 .get  = get_int32_le,
 .put  = put_int32,
 };
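Review bot: The new predicate `loaded <= *cur` accepts any negative value from the stream and then stores it into the field; if the fields guarded by vmstate_info_int32_le are sizes or versions, as the commit message says, a corrupt or hostile stream can plant a negative count that downstream code may later use as a length or index. Suggest `if (loaded >= 0 && loaded <= *cur) {` unless some user legitimately needs negatives, and extending the comment so it reflects the write-back the hunk introduces: `/* 32 bit int. Check that the received value is less than or equal to the one in the field, then store the received value there. */`.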
-- 
1.9.1




Re: [Qemu-devel] [Bug 1324112] [NEW] qemu parallel building error on libcacard.la

2014-07-09 Thread Stefan Hajnoczi
On Tue, Jun 10, 2014 at 04:35:36PM -, tal zilcer wrote:
 The following patch solved the issue for me:
 --- a/qemu/libcacard/Makefile
 +++ b/qemu/libcacard/Makefile
 @@ -26,8 +26,8 @@ vscclient$(EXESUF): libcacard/vscclient.o libcacard.la
  libcacard.la: LDFLAGS += -rpath $(libdir) -no-undefined \
 -export-syms $(SRC_PATH)/libcacard/libcacard.syms
  libcacard.la: LIBS = $(libcacard_libs)
 -libcacard.la: $(libcacard-lobj-y)
 -   $(call LINK,$^)
 +libcacard.la: $(libcacard-obj-y)
 +   $(call LINK,$(libcacard-lobj-y))
  
  libcacard.pc: $(SRC_PATH)/libcacard/libcacard.pc.in
 $(call quiet-command,sed -e 's|@LIBDIR@|$(libdir)|' \
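Review bot: The proposed rule makes libcacard.la depend on the .o objects but links `$(libcacard-lobj-y)`, so the .lo files it actually consumes are no longer prerequisites of the library; if the order-only rule mentioned later in the thread is the only thing relating the two lists, a changed .lo will not trigger a relink. Listing both, `libcacard.la: $(libcacard-obj-y) $(libcacard-lobj-y)`, keeps the race fix while preserving correct incremental rebuilds. The underlying ordering problem between the trace/generated-*.o objects built by util and the libtool .lo targets is outside this hunk.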

Peter, any thoughts on this Makefile issue?

Stefan

 -Original Message-
 From: Tal Zilcer 
 Sent: Tuesday, June 10, 2014 6:09 PM
 To: 'Bug 1324112'
 Subject: RE: [Qemu-devel] [Bug 1324112] [NEW] qemu parallel building error on 
 libcacard.la
 
 To summarize what I think is the problem:
 libcacard.la depends on the trace/generated*.la files (libcacard.la: 
 $(libcacard-lobj-y)).
 Trace/generated*.o files depends on trace/generated*.la 
 files($(libcacard-obj-y): | $(libcacard-lobj-y))
 Also util depends on generated-*.o files (util-obj-y += generated-events.o)   
 This means when libcacard.la is being build generated-*.o files can be build 
 by the util target.
 I think you should change libcacard.la dependencies to include the o files 
 and not only the la files.
 
 Thanks,
 tal
 
 -Original Message-
 From: Tal Zilcer 
 Sent: Tuesday, June 10, 2014 3:46 PM
 To: 'Bug 1324112'
 Subject: RE: [Qemu-devel] [Bug 1324112] [NEW] qemu parallel building error on 
 libcacard.la
 
 I did some more experiments and maybe I found the issue.
 I added a two prints to rules.mak:
 %.o: %.c
 $(call quiet-command,$(CC) $(QEMU_INCLUDES) $(QEMU_CFLAGS) 
 $(QEMU_DGFLAGS) $(CFLAGS) $($@-cflags) -c -o $@ $,  CC$(TARGET_DIR)$@)
 @echo o:$@
 
 %.lo: %.c
 $(call quiet-command,$(LIBTOOL) --mode=compile --tag=CC $(CC) 
 $(QEMU_INCLUDES) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $,  lt 
 CC $@)
 @echo lolololololo:$@
 
 These two prints mark the end of each file's build.
 Here is the end of the log that I got for a failed build(using V=1):
 
  libtool: compile:  
 /home/talz/workspace/m/EZdk-nps/tools/3rd-party-libs/ccache/ccache_output/bin/ccache
  /usr/bin/gcc -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/tcg 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/tcg/i386 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/linux-headers 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/build/linux_x86_64/linux-headers
  -I. -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/include 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/libcacard -Itrace 
 -Itrace -DPIE -m64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 
 -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings 
 -Wmissing-prototypes -fno-strict-aliasing -fno-common -Wendif-labels 
 -Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security 
 -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration 
 -Wold-style-definition -Wtype-limits -fstack-protector-all 
 -I/usr/include/libpng12 -I/usr/include/nss3 -I/usr/include/nspr4 -pthread 
 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/tests -MMD -MP -MT 
 trace/generated-tracers.lo -MF trace/generated-tracers.d -O2 
 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 
 -I/usr/lib64/glib-2.0/include -g -c trace/generated-tracers.c -fPIE -o 
 trace/generated-tracers.o /dev/null 21
 lolololololo:trace/generated-tracers.lo
 libtool  --mode=link --tag=CC c++ -fPIE -DPIE -m64 -D_GNU_SOURCE 
 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes 
 -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes 
 -fno-strict-aliasing -fno-common  -Wendif-labels -Wmissing-include-dirs 
 -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self 
 -Wignored-qualifiers -Wold-style-declaration -Wold-style-definition 
 -Wtype-limits -fstack-protector-all -I/usr/include/libpng12   
 -I/usr/include/nss3 -I/usr/include/nspr4   -pthread -I/usr/include/glib-2.0 
 -I/usr/lib64/glib-2.0/include   -I/usr/include/pixman-1
 -I/home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/tests -O2 
 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 
 -I/usr/lib64/glib-2.0/include   -g  -Wl,--warn-common -Wl,-z,relro -Wl,-z,now 
 -pie -m64 -g  -rpath 
 /home/talz/workspace/m/EZdk-nps/tools/qemu/install/linux_x86_64/lib 
 -no-undefined -export-syms 
 /home/talz/workspace/m/EZdk-nps/tools/qemu/qemu/libcacard/libcacard.syms 
 -o libcacard.la stubs/arch-query-cpu-def.lo stubs/clock-warp.lo 
 stubs/cpu-get-clock.lo stubs/cpu-get-icount.lo stubs/dump.lo 
 

Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Peter Maydell
On 9 July 2014 11:56, Amit Shah amit.s...@redhat.com wrote:
 On (Wed) 09 Jul 2014 [11:50:18], Peter Maydell wrote:
 OK; we're treating those as bugs so yes, I think this is 2.1
 material. Has somebody other than the original author tested
 it? (That's a step that would usually be done by Juan as the
 maintainer.) If somebody can provide a Tested-by: I'm happy
 to apply it to master.

 Not really sure if Juan did that as part of his 'thanks, applied'
 workflow, but I'll run this through the autotest migration tests and
 report back.

Thanks; it seems better to double-check given where we are in
the release cycle.

-- PMM



[Qemu-devel] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223)

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

A huge image size could cause s-l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s-l1_size.

This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: qemu-sta...@nongnu.org
Signed-off-by: Kevin Wolf kw...@redhat.com
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow.c   | 16 ++--
 tests/qemu-iotests/092 |  9 +
 tests/qemu-iotests/092.out |  7 +++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index 73a96a0..2840386 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
 int cluster_sectors;
 int l2_bits;
 int l2_size;
-int l1_size;
+unsigned int l1_size;
 uint64_t cluster_offset_mask;
 uint64_t l1_table_offset;
 uint64_t *l1_table;
@@ -163,7 +163,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, 
int flags,
 
 /* read the level 1 table */
 shift = s-cluster_bits + s-l2_bits;
-s-l1_size = (header.size + (1LL  shift) - 1)  shift;
+if (header.size  UINT64_MAX - (1LL  shift)) {
+error_setg(errp, Image too large);
+ret = -EINVAL;
+goto fail;
+} else {
+uint64_t l1_size = (header.size + (1LL  shift) - 1)  shift;
+if (l1_size  INT_MAX / sizeof(uint64_t)) {
+error_setg(errp, Image too large);
+ret = -EINVAL;
+goto fail;
+}
+s-l1_size = l1_size;
+}
 
 s-l1_table_offset = header.l1_table_offset;
 s-l1_table = g_malloc(s-l1_size * sizeof(uint64_t));
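Review bot: The new bound `l1_size > INT_MAX / sizeof(uint64_t)` still lets an untrusted header request an L1 table of up to INT_MAX bytes (about 2 GiB) from g_malloc on the following line, which aborts the process if the allocation fails — a smaller denial of service than the overflow it fixes, but still entirely image-driven; a tighter driver-specific cap, on the order of what the qcow2 driver enforces for its L1 table, would be safer. `1LL << shift` is only well defined while cluster_bits + l2_bits stays below 63, which the earlier bits checks in qcow_open appear to guarantee given the "L2 table size must be between 512 and 64k" errors in the test output, but those checks are outside the hunk. The `else` after `goto fail` is redundant and the second check could sit at function scope. qcow_open continues outside the hunk.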
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index fb8bacc..ae6ca76 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,7 @@ _supported_fmt qcow
 _supported_proto generic
 _supported_os Linux
 
+offset_size=24
 offset_cluster_bits=32
 offset_l2_bits=33
 
@@ -72,6 +73,14 @@ poke_file $TEST_IMG $offset_l2_bits \x0e
 poke_file $TEST_IMG $offset_l2_bits \x1b
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Invalid size ==
+_make_test_img 64M
+poke_file $TEST_IMG $offset_size \xee\xee\xee\xee\xee\xee\xee\xee
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+poke_file $TEST_IMG $offset_size \x7f\xff\xff\xff\xff\xff\xff\xff
+{ $QEMU_IO -c write 0 64M $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 73918b3..ac03302 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size 
must be between 512 an
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 
and 64k
 no file open, try 'help open'
+
+== Invalid size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
 *** done
-- 
1.9.1




[Qemu-devel] [PATCH 04/10] AioContext: run bottom halves after polling

2014-07-09 Thread Paolo Bonzini
Make the dispatching phase the same before blocking and afterwards.
The next patch will make aio_dispatch public and use it directly
for the GSource case, instead of aio_poll.  aio_poll can then be
simplified heavily.

Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 aio-posix.c | 4 
 aio-win32.c | 8 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/aio-posix.c b/aio-posix.c
index 55706f8..798a3ff 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -264,6 +264,10 @@ bool aio_poll(AioContext *ctx, bool blocking)
 
 /* Run dispatch even if there were no readable fds to run timers */
 aio_set_dispatching(ctx, true);
+if (aio_bh_poll(ctx)) {
+progress = true;
+}
+
 if (aio_dispatch(ctx)) {
 progress = true;
 }
diff --git a/aio-win32.c b/aio-win32.c
index 5e37b42..2ac38a8 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -143,7 +143,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
 {
 AioHandler *node;
 HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
-bool progress;
+bool progress, first;
 int count;
 int timeout;
 
@@ -177,6 +177,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
 }
 
 ctx-walking_handlers--;
+first = true;
 
 /* wait until next event */
 while (count  0) {
@@ -186,6 +187,11 @@ bool aio_poll(AioContext *ctx, bool blocking)
 ? qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)) : 0;
 ret = WaitForMultipleObjects(count, events, FALSE, timeout);
 
+if (first  aio_bh_poll(ctx)) {
+progress = true;
+}
+first = false;
+
 /* if we have any signaled events, dispatch event */
 if ((DWORD) (ret - WAIT_OBJECT_0) = count) {
 break;
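Review bot: The aio_bh_poll call added here runs only inside the `while (count > 0)` loop, so if count is ever zero the bottom halves are not run on this path at all, whereas the matching aio-posix.c hunk calls aio_bh_poll unconditionally right after aio_set_dispatching. If the context's event notifier guarantees count is at least one this is harmless, but the asymmetry deserves either a comment above the loop, `/* count >= 1: the ctx notifier is always in events[] */`, or hoisting the `first` poll out of the loop so it runs exactly once regardless of count. aio_poll's body continues outside the hunk.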
-- 
1.9.3





Re: [Qemu-devel] [PATCH] prepend the include path of libvixl header files

2014-07-09 Thread Stefano Stabellini
On Tue, 8 Jul 2014, Peter Maydell wrote:
 On 7 July 2014 16:25, Stefano Stabellini
 stefano.stabell...@eu.citrix.com wrote:
  Currently the Makefile of disas/libvixl appends
  -I$(SRC_PATH)/disas/libvixl to QEMU_CFLAGS. As a consequence C++ files
  that #include utils.h, such as disas/libvixl/a64/instructions-a64.cc,
  are going to look for utils.h on all the other include paths first.
 
  When building QEMU as part of the Xen make system, another unrelated
  utils.h file is going to be chosen for inclusion, causing a build
  failure:
 
  In file included from disas/libvixl/a64/instructions-a64.cc:27:0:
  /qemu/disas/libvixl/a64/instructions-a64.h:88:64: error:
  ‘rawbits_to_float’ was not declared in this scope
   const float kFP32PositiveInfinity = rawbits_to_float(0x7f80);
 
  Fix the problem by prepending (rather than appending) the libvixl
  include path to QEMU_CFLAGS.
 
  Signed-off-by: Stefano Stabellini stefano.stabell...@eu.citrix.com
 
  ---
 
  diff --git a/disas/libvixl/Makefile.objs b/disas/libvixl/Makefile.objs
  index 0adb3ce..17e6565 100644
  --- a/disas/libvixl/Makefile.objs
  +++ b/disas/libvixl/Makefile.objs
  @@ -3,6 +3,6 @@ libvixl_OBJS = utils.o \
  a64/decoder-a64.o \
  a64/disasm-a64.o
 
  -$(addprefix $(obj)/,$(libvixl_OBJS)): QEMU_CFLAGS += 
  -I$(SRC_PATH)/disas/libvixl
  +$(addprefix $(obj)/,$(libvixl_OBJS)): QEMU_CFLAGS := 
  -I$(SRC_PATH)/disas/libvixl $(QEMU_CFLAGS)
 
   common-obj-$(CONFIG_ARM_A64_DIS) += $(libvixl_OBJS)
 
 Reviewed-by: Peter Maydell peter.mayd...@linaro.org
 
 I spent a few moments wondering if the conversion of
 QEMU_CFLAGS from recursively-expanded to simply-expanded
 would be a problem, but because this is a target-specific
 variable it's pretty much going to be expanded at the same
 point that it would be anyhow.
 
Thanks Peter.
Are you going to pick it up or do you want me to send a pull request?

[Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load

2014-07-09 Thread Michael Roth
From: Michael S. Tsirkin m...@redhat.com

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf; invalid saved state could exploit this to
load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann kra...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
Reviewed-by: Gerd Hoffmann kra...@redhat.com
Signed-off-by: Juan Quintela quint...@redhat.com
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/usb/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index ca329be..53c85fe 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -47,7 +47,9 @@ static int usb_device_post_load(void *opaque, int version_id)
 } else {
 dev-attached = 1;
 }
-if (dev-setup_index = sizeof(dev-data_buf) ||
+if (dev-setup_index  0 ||
+dev-setup_len  0 ||
+dev-setup_index = sizeof(dev-data_buf) ||
 dev-setup_len = sizeof(dev-data_buf)) {
 return -EINVAL;
 }
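Review bot: The new conditions bound setup_index and setup_len individually but never their sum, even though the subject line names setup_index+setup_len and the description says the pair is used as offset and size into data_buf; two values that each pass `< sizeof(dev->data_buf)` can still describe a range that ends past the buffer. Adding `dev->setup_index + dev->setup_len > sizeof(dev->data_buf)` to the rejection condition, placed after the sign checks so only non-negative values are summed, would close that gap, assuming setup_index is the start of the copy. usb_device_post_load's signature and the start of its body are outside the hunk.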
-- 
1.9.1




[Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space

2014-07-09 Thread Michael Roth
From: Alexander Graf ag...@suse.de

The device configuration is set at realize time and never changes. It
should not be migrated as it is done today. For the sake of compatibility,
let's just skip them at load time.

Signed-off-by: Alexander Graf ag...@suse.de
[ added missing casts to uint16_t *,
  added From, SoB and commit message,
  Greg Kurz gk...@linux.vnet.ibm.com ]
Reviewed-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Greg Kurz gk...@linux.vnet.ibm.com
Reviewed-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com

(cherry picked from commit e38e943a1fa20d04deb1899be19b12aadec7a585)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/char/virtio-serial-bus.c | 16 ++--
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index a7ede90..f3e496f 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -670,6 +670,7 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, 
int version_id)
 uint32_t max_nr_ports, nr_active_ports, ports_map;
 unsigned int i;
 int ret;
+uint32_t tmp;
 
 if (version_id  3) {
 return -EINVAL;
@@ -685,17 +686,12 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, 
int version_id)
 return 0;
 }
 
-/* The config space */
-qemu_get_be16s(f, s-config.cols);
-qemu_get_be16s(f, s-config.rows);
-
-qemu_get_be32s(f, max_nr_ports);
-tswap32s(max_nr_ports);
-if (max_nr_ports  tswap32(s-config.max_nr_ports)) {
-/* Source could have had more ports than us. Fail migration. */
-return -EINVAL;
-}
+/* Unused */
+qemu_get_be16s(f, (uint16_t *) tmp);
+qemu_get_be16s(f, (uint16_t *) tmp);
+qemu_get_be32s(f, tmp);
 
+max_nr_ports = tswap32(s-config.max_nr_ports);
 for (i = 0; i  (max_nr_ports + 31) / 32; i++) {
 qemu_get_be32s(f, ports_map);
 
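Review bot: Reading the two 16-bit fields through `(uint16_t *) &tmp` accesses a uint32_t object through an incompatible lvalue type, which breaks the aliasing rules for no benefit; a separate `uint16_t tmp16;` scratch for the two qemu_get_be16s calls is cleaner. Separately, dropping the `max_nr_ports > tswap32(s->config.max_nr_ports)` check means a stream whose source advertised more ports than this device has is no longer rejected with -EINVAL, and because the following loop now sizes itself from the local config, any extra ports_map words the source wrote would presumably be misread as whatever the stream carries next; at minimum the value read into tmp should still be compared against the local count and a larger value rejected. virtio_serial_load's body continues outside the hunk.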
-- 
1.9.1




[Qemu-devel] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege()

2014-07-09 Thread Michael Roth
From: Gonglei arei.gong...@huawei.com

The token handle should be closed on every path,
so move CloseHandle(token) to the out: label.

Signed-off-by: Wang Rui moon.wang...@huawei.com
Signed-off-by: Gonglei arei.gong...@huawei.com
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
(cherry picked from commit 374044f08fe18a18469b981812cd8695f5b3569c)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 qga/commands-win32.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index a6a0af2..c59e144 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -31,7 +31,7 @@
 
 static void acquire_privilege(const char *name, Error **err)
 {
-HANDLE token;
+HANDLE token = NULL;
 TOKEN_PRIVILEGES priv;
 Error *local_err = NULL;
 
@@ -57,13 +57,15 @@ static void acquire_privilege(const char *name, Error **err)
 goto out;
 }
 
-CloseHandle(token);
 } else {
 error_set(local_err, QERR_QGA_COMMAND_FAILED,
   failed to open privilege token);
 }
 
 out:
+if (token) {
+CloseHandle(token);
+}
 if (local_err) {
 error_propagate(err, local_err);
 }
-- 
1.9.1




[Qemu-devel] [Bug 955379] Re: cmake hangs with qemu-arm-static

2014-07-09 Thread Luke Kim
Isn't it fixed yet with the latest qemu 2.1 rc?

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/955379

Title:
  cmake hangs with qemu-arm-static

Status in QEMU:
  Confirmed
Status in Linaro QEMU:
  Confirmed
Status in “qemu-linaro” package in Ubuntu:
  Confirmed

Bug description:
  I'm using git commit 3e7ecd976b06f... configured with --target-list
  =arm-linux-user --static in a chroot environment to compile some
  things. I ran into this problem with both pcl and opencv-2.3.1. cmake
  consistently freezes at some point during its execution, though in a
  different spot each time, usually during a step when it's searching
  for some libraries. For instance, pcl most commonly stops after:

  [snip]
  -- Boost version: 1.46.1
  -- Found the following Boost libraries:
  --   system
  --   filesystem
  --   thread
  --   date_time
  -- checking for module 'eigen3'
  --   found eigen3, version 3.0.1

  which is perplexing because it freezes after finding what it wants,
  not during the search. When it does get past that point, it does so
  almost immediately but freezes somewhere else.

  I'm using 64-bit Ubuntu 11.10 with kernel release 3.0.0-16-generic
  with an Intel i5.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/955379/+subscriptions



Re: [Qemu-devel] [PATCH] linux-aio: fix submit aio as a batch

2014-07-09 Thread Stefan Hajnoczi
On Tue, Jul 08, 2014 at 11:45:10PM +0800, Ming Lei wrote:
 In the enqueue path, we can't complete request, otherwise
 Co-routine re-entered recursively may be caused, so this
 patch fixes the issue with below ideas:

This probably happens when the caller is in coroutine context and its
completion function invokes qemu_coroutine_enter() on itself.  The
solution is to invoke completions from a BH (other places in the block
layer do this too).

   - for -EAGAIN, retry the submission in an introduced event handler

I agree with Paolo that a BH is appropriate.

   - for part of completion, just update the io queue, since it is
   moving on after all

If we do this then we need to guarantee that io_submit() will be called
at some point soon.  Otherwise requests could get stuck if the guest
doesn't submit any more I/O requests to push the queue.

Please split this into separate patches.  You're trying to do too much.

Overall, I would prefer it if we avoid the extra complexity of deferring
io_submit() on EAGAIN and partial submission.  Do you understand why the
kernel is producing this behavior?  Can we set the right capacity in
io_setup() so it doesn't happen?

 +if (enqueue)
 +return ret;

Please set up a git hook to run checkpatch.pl.  It will alert you when
you violate QEMU coding style:
http://blog.vmsplice.net/2011/03/how-to-automatically-run-checkpatchpl.html

I already mentioned coding style in previous patches, using a git hook
will avoid it happening again.




Re: [Qemu-devel] E6500 inside QEMU?

2014-07-09 Thread Frederic Konrad

On 09/07/2014 11:46, Alexander Graf wrote:



Am 09.07.2014 um 10:26 schrieb Frederic Konrad fred.kon...@greensocs.com:

Hi,

I saw some patches about E6500 cpu on the mailing list.

here: 
http://qemu.11.n7.nabble.com/PATCH-1-2-QEMU-PPC-specify-PVRs-for-all-e500-cores-td248146.html

What is the status of E6500 upstream?

That patch only added the PVR values for use with KVM. We don't have any 
support for 6500 specific features yet (threading, hw table walk, Altivec). 
Though Altivec emulation does exist already, so that'd mostly be a matter of 
plumbing it into the booke exception paths.


Alex


Ok that's what I thought :).

Thanks for the clarification!
Fred



[Qemu-devel] [PATCH for-2.1 1/2] qmp: hide hotplugged device property from device-list-properties

2014-07-09 Thread Stefan Hajnoczi
The hotplugged device property was not reported before commit
f4eb32b590bf58c1c67570775eb78beb09964fad (qmp: show QOM properties in
device-list-properties).  Fix this difference.

Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
---
 qmp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/qmp.c b/qmp.c
index 0d2553a..c6767c4 100644
--- a/qmp.c
+++ b/qmp.c
@@ -509,6 +509,7 @@ DevicePropertyInfoList *qmp_device_list_properties(const 
char *typename,
 if (strcmp(prop-name, type) == 0 ||
 strcmp(prop-name, realized) == 0 ||
 strcmp(prop-name, hotpluggable) == 0 ||
+strcmp(prop-name, hotplugged) == 0 ||
 strcmp(prop-name, parent_bus) == 0) {
 continue;
 }
-- 
1.9.3




[Qemu-devel] [PATCH for-2.1 2/2] qdev-monitor: include QOM properties in -device FOO, help output

2014-07-09 Thread Stefan Hajnoczi
Update -device FOO,help to include QOM properties in addition to qdev
properties.  Devices are gradually adding more QOM properties that are
not reflected as qdev properties.

It is important to report all device properties since management tools
like libvirt use this information (and device-list-properties QMP) to
detect the presence of QEMU features.

This patch reuses the device-list-properties QMP machinery to avoid code
duplication.

Reported-by: Cole Robinson crobi...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
---
 qdev-monitor.c | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/qdev-monitor.c b/qdev-monitor.c
index f87f3d8..5fe5e75 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -182,9 +182,10 @@ static const char *find_typename_by_alias(const char 
*alias)
 
 int qdev_device_help(QemuOpts *opts)
 {
+Error *local_err = NULL;
 const char *driver;
-Property *prop;
-ObjectClass *klass;
+DevicePropertyInfoList *prop_list;
+DevicePropertyInfoList *prop;
 
 driver = qemu_opt_get(opts, driver);
 if (driver  is_help_option(driver)) {
@@ -196,35 +197,28 @@ int qdev_device_help(QemuOpts *opts)
 return 0;
 }
 
-klass = object_class_by_name(driver);
-if (!klass) {
+if (!object_class_by_name(driver)) {
 const char *typename = find_typename_by_alias(driver);
 
 if (typename) {
 driver = typename;
-klass = object_class_by_name(driver);
 }
 }
 
-if (!object_class_dynamic_cast(klass, TYPE_DEVICE)) {
-return 0;
+prop_list = qmp_device_list_properties(driver, local_err);
+if (!prop_list) {
+error_printf(%s\n, error_get_pretty(local_err));
+error_free(local_err);
+return 1;
 }
-do {
-for (prop = DEVICE_CLASS(klass)-props; prop  prop-name; prop++) {
-/*
- * TODO Properties without a parser are just for dirty hacks.
- * qdev_prop_ptr is the only such PropertyInfo.  It's marked
- * for removal.  This conditional should be removed along with
- * it.
- */
-if (!prop-info-set) {
-continue;   /* no way to set it, don't show */
-}
-error_printf(%s.%s=%s\n, driver, prop-name,
- prop-info-legacy_name ?: prop-info-name);
-}
-klass = object_class_get_parent(klass);
-} while (klass != object_class_by_name(TYPE_DEVICE));
+
+for (prop = prop_list; prop; prop = prop-next) {
+error_printf(%s.%s=%s\n, driver,
+ prop-value-name,
+ prop-value-type);
+}
+
+qapi_free_DevicePropertyInfoList(prop_list);
 return 1;
 }
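Review bot: `error_get_pretty(local_err)` in the `if (!prop_list)` branch dereferences local_err unconditionally, but an empty result is also NULL: if qmp_device_list_properties can return no properties without setting an error (for instance a device whose only properties are the ones the QMP implementation skips), this branch crashes instead of printing an empty list. Distinguish the two cases, `if (local_err) { error_printf("%s\n", error_get_pretty(local_err)); error_free(local_err); return 1; }`, and otherwise fall through to the loop, which already handles a NULL list. qdev_device_help's signature is in the preceding hunk of this file.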
 
-- 
1.9.3




Re: [Qemu-devel] [PATCH v3 0/4] virtio-blk: fix issues with unified virtio-blk request handling

2014-07-09 Thread Kevin Wolf
Am 09.07.2014 um 10:05 hat Stefan Hajnoczi geschrieben:
 v3:
  * Add Christian's Tested-by: [Kevin]
  * Resolved merge conflict in Patch 4 with qemu.git/master [Kevin]
 
 This series fixes issues recently introduced when unifying virtio-blk
 dataplane's request handling with non-dataplane virtio-blk.
 
 The problems include broken memory allocation for dataplane requests and a
 performance regression for non-dataplane.  See the patches for details.

Thanks, applied to the block branch.

Kevin



Re: [Qemu-devel] [PATCH] linux-aio: fix submit aio as a batch

2014-07-09 Thread Eric Blake
On 07/09/2014 02:29 AM, Stefan Hajnoczi wrote:

 +if (enqueue)
 +return ret;
 
 Please set up a git hook to run checkpatch.pl.  It will alert you when
 you violate QEMU coding style:
 http://blog.vmsplice.net/2011/03/how-to-automatically-run-checkpatchpl.html
 
 I already mentioned coding style in previous patches, using a git hook
 will avoid it happening again.

Nice trick; I've added it to http://wiki.qemu.org/Contribute/SubmitAPatch

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH 124/156] blockdev: Plug memory leak in blockdev_init()

2014-07-09 Thread Michael Roth
From: Markus Armbruster arm...@redhat.com

blockdev_init() leaks bs_opts when qemu_opts_create() fails, i.e. when
the ID is bad.  Missed in commit ec9c10d.

Signed-off-by: Markus Armbruster arm...@redhat.com
Reviewed-by: Benoit Canet ben...@irqsave.net
Signed-off-by: Kevin Wolf kw...@redhat.com
(cherry picked from commit 6376f9522372d589f3efe60001dc0486237dd375)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 blockdev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/blockdev.c b/blockdev.c
index 29b44a5..31b66cc 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -334,7 +334,7 @@ static DriveInfo *blockdev_init(QDict *bs_opts,
 opts = qemu_opts_create(qemu_common_drive_opts, id, 1, error);
 if (error_is_set(error)) {
 error_propagate(errp, error);
-return NULL;
+goto err_no_opts;
 }
 
 qemu_opts_absorb_qdict(opts, bs_opts, error);
@@ -535,8 +535,9 @@ err:
 QTAILQ_REMOVE(drives, dinfo, next);
 g_free(dinfo);
 early_err:
-QDECREF(bs_opts);
 qemu_opts_del(opts);
+err_no_opts:
+QDECREF(bs_opts);
 return NULL;
 }
 
-- 
1.9.1




Re: [Qemu-devel] [PATCH for-2.1] AioContext: do not rely on aio_poll(ctx, true) result to end a loop

2014-07-09 Thread Kevin Wolf
Am 09.07.2014 um 10:49 hat Paolo Bonzini geschrieben:
 Currently, whenever aio_poll(ctx, true) has completed all pending
 work it returns true *and* the next call to aio_poll(ctx, true)
 will not block.
 
 This invariant has its roots in qemu_aio_flush()'s implementation
 as while (qemu_aio_wait()) {}.  However, qemu_aio_flush() does
 not exist anymore and bdrv_drain_all() is implemented differently;
 and this invariant is complicated to maintain and subtly different
 from the return value of GMainLoop's g_main_context_iteration.
 
 All calls to aio_poll(ctx, true) except one are guarded by a
 while() loop checking for a request to be incomplete, or a
 BlockDriverState to be idle.  The one remaining call (in
 iothread.c) uses this to delay the aio_context_release/acquire
 pair until the AioContext is quiescent, however:
 
 - we can do the same just by using non-blocking aio_poll,
   similar to how vl.c invokes main_loop_wait
 
 - it is buggy, because it does not ensure that the AioContext
   is released between an aio_notify and the next time the
   iothread goes to sleep.  This leads to hangs when stopping
   the dataplane thread.
 
 In the end, these semantics are a bad match for the current
 users of AioContext.  So modify that one exception in iothread.c,
 which also fixes the hangs, as well as the testcase so that
 it uses the same idiom as the actual QEMU code.
 
 Reported-by: Christian Borntraeger borntrae...@de.ibm.com
 Tested-by: Christian Borntraeger borntrae...@de.ibm.com
 Signed-off-by: Paolo Bonzini pbonz...@redhat.com

Thanks, applied to the block branch.

Kevin



Re: [Qemu-devel] [PATCH] configure: make libnfs not_found message more user friendly

2014-07-09 Thread Kevin Wolf
Am 09.07.2014 um 12:28 hat Liu Yuan geschrieben:
 Cc: Kevin Wolf kw...@redhat.com
 Signed-off-by: Liu Yuan namei.u...@gmail.com
 ---
  configure | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure b/configure
 index 7dd43fd..684fcdf 100755
 --- a/configure
 +++ b/configure
 @@ -3996,7 +3996,7 @@ if test $libnfs != no ; then
  LIBS=$LIBS $libnfs_libs
else
  if test $libnfs = yes ; then
 -  feature_not_found libnfs
 +  feature_not_found libnfs libnfs (=1.9.3) development files 
 required to compile libnfs

The message would be more consistent with other features if this said
something like this:

feature_not_found libnfs Install libnfs-devel = 1.9.3

Kevin



[Qemu-devel] [PATCH 017/156] qcow2: Flush metadata during read-only reopen

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

If lazy refcounts are enabled for a backing file, committing to this
backing file may leave it in a dirty state even if the commit succeeds.
The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush
refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare()
doesn't take care to flush metadata.

In order to fix this, this patch also fixes qcow2_mark_clean(), which
contains another ineffective bdrv_flush() call because lazy refcounts are
disabled only afterwards. All existing callers of qcow2_mark_clean()
either don't modify refcounts or already flush manually, so that this
fixes only a latent, but not yet actually triggerable bug.

Another instance of the same problem is live snapshots. Again, a real
corruption is prevented by an explicit flush for non-read-only images in
external_snapshot_prepare(), but images using lazy refcounts stay dirty.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit 4c2e5f8f46a17966dc45b5a3e07b97434c0eabdf)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2.c  | 25 +
 tests/qemu-iotests/039 | 20 
 tests/qemu-iotests/039.out | 11 +++
 3 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 6e5d98d..b43c7d0 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -269,12 +269,15 @@ static int qcow2_mark_clean(BlockDriverState *bs)
 BDRVQcowState *s = bs-opaque;
 
 if (s-incompatible_features  QCOW2_INCOMPAT_DIRTY) {
-int ret = bdrv_flush(bs);
+int ret;
+
+s-incompatible_features = ~QCOW2_INCOMPAT_DIRTY;
+
+ret = bdrv_flush(bs);
 if (ret  0) {
 return ret;
 }
 
-s-incompatible_features = ~QCOW2_INCOMPAT_DIRTY;
 return qcow2_update_header(bs);
 }
 return 0;
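Review bot: Clearing QCOW2_INCOMPAT_DIRTY in s->incompatible_features before bdrv_flush means a failed flush leaves the in-memory flag cleared while the on-disk header still carries the dirty bit; because the whole block is guarded by that flag, a later qcow2_mark_clean call becomes a no-op and the header is never rewritten, so the image stays marked dirty on disk even once a flush would succeed. Restoring the bit on the error path, `s->incompatible_features |= QCOW2_INCOMPAT_DIRTY; return ret;`, keeps the in-memory state consistent with the disk, since the refcounts genuinely were not flushed. qcow2_mark_clean's signature is outside the hunk.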
@@ -792,11 +795,25 @@ static int qcow2_set_key(BlockDriverState *bs, const char 
*key)
 return 0;
 }
 
-/* We have nothing to do for QCOW2 reopen, stubs just return
- * success */
+/* We have no actual commit/abort logic for qcow2, but we need to write out any
+ * unwritten data if we reopen read-only. */
 static int qcow2_reopen_prepare(BDRVReopenState *state,
 BlockReopenQueue *queue, Error **errp)
 {
+int ret;
+
+if ((state-flags  BDRV_O_RDWR) == 0) {
+ret = bdrv_flush(state-bs);
+if (ret  0) {
+return ret;
+}
+
+ret = qcow2_mark_clean(state-bs);
+if (ret  0) {
+return ret;
+}
+}
+
 return 0;
 }
 
diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
index 8bade92..cc4fad8 100755
--- a/tests/qemu-iotests/039
+++ b/tests/qemu-iotests/039
@@ -130,6 +130,26 @@ ulimit -c $old_ulimit
 ./qcow2.py $TEST_IMG dump-header | grep incompatible_features
 _check_test_img
 
+echo
+echo == Committing to a backing file with lazy_refcounts=on ==
+
+IMGOPTS=compat=1.1,lazy_refcounts=on
+TEST_IMG=$TEST_IMG.base _make_test_img $size
+
+IMGOPTS=compat=1.1,lazy_refcounts=on,backing_file=$TEST_IMG.base
+_make_test_img $size
+
+$QEMU_IO -c write 0 512 $TEST_IMG | _filter_qemu_io
+$QEMU_IMG commit $TEST_IMG
+
+# The dirty bit must not be set
+./qcow2.py $TEST_IMG dump-header | grep incompatible_features
+./qcow2.py $TEST_IMG.base dump-header | grep incompatible_features
+
+_check_test_img
+TEST_IMG=$TEST_IMG.base _check_test_img
+
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
index 077fa64..fb31ae0 100644
--- a/tests/qemu-iotests/039.out
+++ b/tests/qemu-iotests/039.out
@@ -54,4 +54,15 @@ wrote 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 incompatible_features 0x0
 No errors were found on the image.
+
+== Committing to a backing file with lazy_refcounts=on ==
+Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=134217728 
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 
backing_file='TEST_DIR/t.IMGFMT.base' 
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Image committed.
+incompatible_features 0x0
+incompatible_features 0x0
+No errors were found on the image.
+No errors were found on the image.
 *** done
-- 
1.9.1




Re: [Qemu-devel] [PATCH for-2.1 2/2] qdev-monitor: include QOM properties in -device FOO, help output

2014-07-09 Thread Eric Blake
On 07/09/2014 06:01 AM, Stefan Hajnoczi wrote:
 Update -device FOO,help to include QOM properties in addition to qdev
 properties.  Devices are gradually adding more QOM properties that are
 not reflected as qdev properties.
 
 It is important to report all device properties since management tools
 like libvirt use this information (and device-list-properties QMP) to
 detect the presence of QEMU features.
 
 This patch reuses the device-list-properties QMP machinery to avoid code
 duplication.
 
 Reported-by: Cole Robinson crobi...@redhat.com
 Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
 ---
  qdev-monitor.c | 40 +---
  1 file changed, 17 insertions(+), 23 deletions(-)
 

Reviewed-by: Eric Blake ebl...@redhat.com

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH 005/156] target-i386: Fix CC_OP_CLR vs PF

2014-07-09 Thread Michael Roth
From: Richard Henderson r...@twiddle.net

Parity should be set for a zero result.

Cc: qemu-sta...@nongnu.org
Reviewed-by: Paolo Bonzini pbonz...@redhat.com
Reviewed-by: Edgar E. Iglesias edgar.igles...@xilinx.com
Signed-off-by: Richard Henderson r...@twiddle.net
(cherry picked from commit d2fe51bda8adf33d07c21e034fdc13a1e1fa4e19)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 target-i386/cc_helper.c | 2 +-
 target-i386/translate.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-i386/cc_helper.c b/target-i386/cc_helper.c
index ee04092..05dd12b 100644
--- a/target-i386/cc_helper.c
+++ b/target-i386/cc_helper.c
@@ -103,7 +103,7 @@ target_ulong helper_cc_compute_all(target_ulong dst, 
target_ulong src1,
 case CC_OP_EFLAGS:
 return src1;
 case CC_OP_CLR:
-return CC_Z;
+return CC_Z | CC_P;
 
 case CC_OP_MULB:
 return compute_all_mulb(dst, src1);
diff --git a/target-i386/translate.c b/target-i386/translate.c
index 7916e5b..b19ea14 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -915,7 +915,7 @@ static void gen_compute_eflags(DisasContext *s)
 return;
 }
 if (s-cc_op == CC_OP_CLR) {
-tcg_gen_movi_tl(cpu_cc_src, CC_Z);
+tcg_gen_movi_tl(cpu_cc_src, CC_Z | CC_P);
 set_cc_op(s, CC_OP_EFLAGS);
 return;
 }
-- 
1.9.1




Re: [Qemu-devel] virtualize sparc developer workstation?

2014-07-09 Thread Dennis Luehring

Am 08.07.2014 00:15, schrieb Mark Cave-Ayland:

Sadly sun4u support isn't quite there yet; it's enough to boot Linux
(and with git master you can actually start booting the *BSD kernels and
Solaris) but there are still some issues with the device tree that need
to be resolved in order for this to work.


is there a better-working sparc architecture available in qemu that is close 
to my system specs

- i.e. big endian, 32- or 64-bit, solaris?


As my QEMU work is unsponsored, I'm afraid the pace of development is
restricted to what I can do in my spare time. If you're not subscribed
to the list full time, I can let you know when I make any further
progress if that helps?

I'm subscribed, but you can email me any progress you've made - thx



Re: [Qemu-devel] [Qemu-trivial] [PATCH trivial] qemu-img: Remove redundancy ret = -1

2014-07-09 Thread Michael Tokarev

03.07.2014 17:57, Chen Gang wrote:

In this case, 'ret' is already '-1', so there is no need to set it again.


It's a very minor thing in an error path, maybe compiler even
eliminates this statement entirely by its own already.

Not sure it is worth the effort but applied to the -trivial tree
anyway, thanks!

/mjt



[Qemu-devel] [PATCH 142/156] usb: Fix usb-bt-dongle initialization.

2014-07-09 Thread Michael Roth
From: Hani Benhabiles kroo...@gmail.com

Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.

Signed-off-by: Hani Benhabiles h...@linux.com
Reviewed-by: Paolo Bonzini pbonz...@redhat.com
Signed-off-by: Gerd Hoffmann kra...@redhat.com
(cherry picked from commit c340a284f382a5f40774521f41b4bade76ddfa58)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/usb/dev-bluetooth.c | 24 
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/hw/usb/dev-bluetooth.c b/hw/usb/dev-bluetooth.c
index 7f292b1..43a9a6d 100644
--- a/hw/usb/dev-bluetooth.c
+++ b/hw/usb/dev-bluetooth.c
@@ -19,6 +19,7 @@
  */
 
 #include qemu-common.h
+#include qemu/error-report.h
 #include hw/usb.h
 #include hw/usb/desc.h
 #include sysemu/bt.h
@@ -506,6 +507,14 @@ static int usb_bt_initfn(USBDevice *dev)
 
 usb_desc_create_serial(dev);
 usb_desc_init(dev);
+s-dev.opaque = s;
+if (!s-hci) {
+s-hci = bt_new_hci(qemu_find_bt_vlan(0));
+}
+s-hci-opaque = s;
+s-hci-evt_recv = usb_bt_out_hci_packet_event;
+s-hci-acl_recv = usb_bt_out_hci_packet_acl;
+usb_bt_handle_reset(s-dev);
 s-intr = usb_ep_get(dev, USB_TOKEN_IN, USB_EVT_EP);
 
 return 0;
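Review bot: `s->hci = bt_new_hci(qemu_find_bt_vlan(0))` is followed immediately by `s->hci->opaque = s` with no check that the allocation succeeded, while the usb_bt_init hunk below in the same file treats a NULL hci as fatal with `if (!hci) return NULL;`. If bt_new_hci can return NULL, the initfn should fail the same way, e.g. `if (!s->hci) { return -1; }` before the dereference, returning a negative value to match the `qdev_init(&dev->qdev) < 0` convention used by the caller. usb_bt_initfn's signature is outside the hunk.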
@@ -516,6 +525,7 @@ static USBDevice *usb_bt_init(USBBus *bus, const char 
*cmdline)
 USBDevice *dev;
 struct USBBtState *s;
 HCIInfo *hci;
+const char *name = usb-bt-dongle;
 
 if (*cmdline) {
 hci = hci_init(cmdline);
@@ -525,19 +535,17 @@ static USBDevice *usb_bt_init(USBBus *bus, const char 
*cmdline)
 
 if (!hci)
 return NULL;
-dev = usb_create_simple(bus, usb-bt-dongle);
+dev = usb_create(bus, name);
 if (!dev) {
+error_report(Failed to create USB device '%s', name);
 return NULL;
 }
 s = DO_UPCAST(struct USBBtState, dev, dev);
-s-dev.opaque = s;
-
 s-hci = hci;
-s-hci-opaque = s;
-s-hci-evt_recv = usb_bt_out_hci_packet_event;
-s-hci-acl_recv = usb_bt_out_hci_packet_acl;
-
-usb_bt_handle_reset(s-dev);
+if (qdev_init(dev-qdev)  0) {
+error_report(Failed to initialize USB device '%s', name);
+return NULL;
+}
 
 return dev;
 }
-- 
1.9.1




[Qemu-devel] [PATCH 08/10] AioContext: introduce aio_prepare

2014-07-09 Thread Paolo Bonzini
This will be used to implement socket polling on Windows.
On Windows, select() and g_poll() are completely different;
sockets are polled with select() before calling g_poll,
and the g_poll must be nonblocking if select() says a
socket is ready.

Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 aio-posix.c | 5 +
 aio-win32.c | 5 +
 async.c | 5 +
 include/block/aio.h | 9 -
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/aio-posix.c b/aio-posix.c
index 0936b4f..d3ac06e 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -100,6 +100,11 @@ void aio_set_event_notifier(AioContext *ctx,
(IOHandler *)io_read, NULL, notifier);
 }
 
+bool aio_prepare(AioContext *ctx)
+{
+return false;
+}
+
 bool aio_pending(AioContext *ctx)
 {
 AioHandler *node;
diff --git a/aio-win32.c b/aio-win32.c
index fd52686..4542270 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -76,6 +76,11 @@ void aio_set_event_notifier(AioContext *ctx,
 aio_notify(ctx);
 }
 
+bool aio_prepare(AioContext *ctx)
+{
+return false;
+}
+
 bool aio_pending(AioContext *ctx)
 {
 AioHandler *node;
diff --git a/async.c b/async.c
index a5126ff..bcba052 100644
--- a/async.c
+++ b/async.c
@@ -188,6 +188,11 @@ aio_ctx_prepare(GSource *source, gint*timeout)
 
 /* We assume there is no timeout already supplied */
 *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx));
+
+if (aio_prepare(ctx)) {
+*timeout = 0;
+}
+
 return *timeout == 0;
 }
 
diff --git a/include/block/aio.h b/include/block/aio.h
index 45408f7..d129e22 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -205,7 +205,14 @@ void qemu_bh_cancel(QEMUBH *bh);
 void qemu_bh_delete(QEMUBH *bh);
 
 /* Return whether there are any pending callbacks from the GSource
- * attached to the AioContext.
+ * attached to the AioContext, before g_poll is invoked.
+ *
+ * This is used internally in the implementation of the GSource.
+ */
+bool aio_prepare(AioContext *ctx);
+
+/* Return whether there are any pending callbacks from the GSource
+ * attached to the AioContext, after g_poll is invoked.
  *
  * This is used internally in the implementation of the GSource.
  */
-- 
1.9.3





Re: [Qemu-devel] [PATCH v4] spapr: add uuid/host details to device tree

2014-07-09 Thread Alexander Graf


On 08.07.14 13:04, Nikunj A Dadhania wrote:

Alexander Graf ag...@suse.de writes:


On 08.07.14 07:00, Nikunj A Dadhania wrote:

Useful for identifying the guest/host uniquely within the
guest. Adding following properties to the guest root node.

vm,uuid - uuid of the guest
host-model - Host model number
host-serial - Host machine serial number
hypervisor type - tells the guest it is running on kvm

Signed-off-by: Nikunj A Dadhania nik...@linux.vnet.ibm.com

---
v4: make uuid as human readable
v3: rebase to ppcnext
v2: indentation fixes
---
   hw/ppc/spapr.c   | 25 +
   target-ppc/kvm.c | 44 +++-
   target-ppc/kvm_ppc.h | 12 
   3 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 077ad2d..485ea66 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -318,6 +318,7 @@ static void *spapr_create_fdt_skel(hwaddr initrd_base,
   QemuOpts *opts = qemu_opts_find(qemu_find_opts(smp-opts), NULL);
   unsigned sockets = opts ? qemu_opt_get_number(opts, sockets, 0) : 0;
   uint32_t cpus_per_socket = sockets ? (smp_cpus / sockets) : 1;
+char char_buf[512];

Can't you just return callee allocated, caller free'd memory?

Tried doing it more in line of read_cpuinfo in target-ppc/kvm.c
I could do it either ways.


Yeah, feel free to convert that one too if you like ;).



   
   add_str(hypertas, hcall-pft);

   add_str(hypertas, hcall-term);
@@ -347,6 +348,30 @@ static void *spapr_create_fdt_skel(hwaddr initrd_base,
   _FDT((fdt_property_string(fdt, model, IBM pSeries (emulated by 
qemu;
   _FDT((fdt_property_string(fdt, compatible, qemu,pseries)));
   
+if (kvm_enabled()) {

+_FDT((fdt_property_string(fdt, hypervisor, kvm)));
+}
+
+/*
+ * Add info to guest to indentify which host is it being run on
+ * and what is the uuid of the guest
+ */
+memset(char_buf, 0, sizeof(char_buf));
+if (!kvmppc_get_host_model(char_buf, sizeof(char_buf))) {
+_FDT((fdt_property_string(fdt, host-model, char_buf)));
+memset(char_buf, 0, sizeof(char_buf));
+}
+if (!kvmppc_get_host_serial(char_buf, sizeof(char_buf))) {
+_FDT((fdt_property_string(fdt, host-serial, char_buf)));
+}

Please be aware that all of the above is bogus when you start thinking
about live migration.

Yes, there are tools that look at these. Is there a way to update these
on migration?


As Ben already mentioned ;).




+
+snprintf(char_buf, 37, UUID_FMT, qemu_uuid[0], qemu_uuid[1],

g_strdup_printf()

Ok.


+ qemu_uuid[2], qemu_uuid[3], qemu_uuid[4], qemu_uuid[5],
+ qemu_uuid[6], qemu_uuid[7], qemu_uuid[8], qemu_uuid[9],
+ qemu_uuid[10], qemu_uuid[11], qemu_uuid[12], qemu_uuid[13],
+ qemu_uuid[14], qemu_uuid[15]);
+_FDT((fdt_property_string(fdt, vm,uuid, char_buf)));
+
   _FDT((fdt_property_cell(fdt, #address-cells, 0x2)));
   _FDT((fdt_property_cell(fdt, #size-cells, 0x2)));
   
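Review bot: The host-model and host-serial properties copy the physical machine's identity out of /proc/device-tree into a node every guest can read, so an untrusted guest learns which host it runs on; if that exposure is intended for support tooling, the commit message should say so, and a comment on the block such as `/* host identity is deliberately exposed to the guest for support tooling */` would record the decision. The memset calls are only needed if the helpers can leave char_buf unterminated; the kvm.c side fills it with snprintf and the full length, so either drop them or add a one-line comment saying they are defensive. spapr_create_fdt_skel begins outside the hunk.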
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c

index 2d87108..25091f8 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -1369,7 +1369,7 @@ static int read_cpuinfo(const char *field, char *value, 
int len)
   }
   
   do {

-if(!fgets(line, sizeof(line), f)) {
+if (!fgets(line, sizeof(line), f)) {
   break;
   }
   if (!strncmp(line, field, field_len)) {
@@ -1404,6 +1404,48 @@ uint32_t kvmppc_get_tbfreq(void)
   return retval;
   }
   
+int32_t kvmppc_get_host_serial(char *value, int len)

+{
+FILE *f;
+int ret = -1;
+char line[512];
+
+memset(line, 0, sizeof(line));
+f = fopen(/proc/device-tree/system-id, r);
+if (!f) {
+return ret;
+}
+
+if (fgets(line, sizeof(line), f)) {
+snprintf(value, len, IBM,%s, line);

Why IBM,system-id?

There were userspace tools that looking at lparcfg, and were encoded
similarly.


I don't think we own the IBM namespace, so I find this slightly bogus. 
Also why would a host machine have to be made by IBM?





+ret = 0;
+}
+fclose(f);
+
+return ret;

I think it makes sense to extract the "read a full file into a buffer"
logic into a separate function. For bonus points, find a glib function
that already does it and use that ;).

Let me search.


+}
+
+int32_t kvmppc_get_host_model(char *value, int len)
+{
+FILE *f;
+int ret = -1;
+char line[512];
+
+memset(line, 0, sizeof(line));
+f = fopen(/proc/device-tree/model, r);
+if (!f) {
+return ret;
+}
+
+if (fgets(line, sizeof(line), f)) {
+snprintf(value, len, IBM,%s, line);

Same here - wouldn't this be IBM,IBM,foo?

No, it will be IBM,model


Hrm, I just tried to compare this with a pHyp system and can't seem to 
find any /proc/device-tree/host* files. What am I missing?



Alex




Re: [Qemu-devel] [PULL for-2.1 00/10] KVM changes (+ misc small fixes) for 2.1

2014-07-09 Thread Paolo Bonzini

Il 09/07/2014 17:59, Paolo Bonzini ha scritto:

The following changes since commit 9d9de254c2b81b68cd48f2324cc753a570a4cdd8:

  MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2014-07-03 
12:36:15 +0100)

are available in the git repository at:

  git://github.com/bonzini/qemu.git

for you to fetch changes up to 8bf3cc8370059a08996651a63cdabe0d2503b430:

  qtest: fix vhost-user-test compilation with old GLib (2014-07-09 17:36:15 
+0200)


Eduardo Habkost (1):
  target-i386: Add kvmclock-stable-bit feature bit name

James Hogan (4):
  mips/kvm: Init EBase to correct KSEG0
  mips_malta: Change default KVM cpu to 24Kc (no FP)
  mips_malta: Remove incorrect KVM TE references
  mips_malta: Catch kernels linked at wrong address

Miroslav Rezanina (1):
  Enforce stack protector usage

Nikolay Nikolaev (1):
  qtest: fix vhost-user-test compilation with old GLib

Paolo Bonzini (2):
  watchdog: fix deadlock with -watchdog-action pause
  mc146818rtc: register the clock reset notifier on the right clock

Stefan Weil (1):
  oslib-posix: Fix new compiler error with -Wclobbered

 configure   |  7 +++
 hw/mips/mips_malta.c| 27 +++
 hw/timer/mc146818rtc.c  |  2 +-
 hw/watchdog/watchdog.c  |  6 +-
 target-i386/cpu.c   |  2 +-
 target-mips/translate.c |  8 +++-
 tests/vhost-user-test.c |  4 
 util/oslib-posix.c  | 30 --
 8 files changed, 64 insertions(+), 22 deletions(-)



Nevermind, included the wrong version of patch 2.

Paolo



[Qemu-devel] [PULL 10/10] qtest: fix vhost-user-test compilation with old GLib

2014-07-09 Thread Paolo Bonzini
From: Nikolay Nikolaev n.nikol...@virtualopensystems.com

Missing G_TIME_SPAN_SECOND definition breaks the RHEL6 compilation, as GLib
versions before 2.26 do not have it. In that case, just define it.

Reported-by: Kevin Wolf kw...@redhat.com
Signed-off-by: Nikolay Nikolaev n.nikol...@virtualopensystems.com
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 tests/vhost-user-test.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index 2af2381..406ba70 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -22,6 +22,10 @@
 #include qemu/sockets.h
 
 /* GLIB version compatibility flags */
+#if !GLIB_CHECK_VERSION(2, 26, 0)
+#define G_TIME_SPAN_SECOND  (G_GINT64_CONSTANT(100))
+#endif
+
 #if GLIB_CHECK_VERSION(2, 28, 0)
 #define HAVE_MONOTONIC_TIME
 #endif
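Review bot: The fallback value of G_TIME_SPAN_SECOND as rendered here is `G_GINT64_CONSTANT(100)`, but GLib defines that constant as the number of microseconds in one second, 1000000, to match g_get_monotonic_time(); unless the archive dropped digits, every timeout derived from it in the test would be four orders of magnitude too short, so please confirm the line reads `#define G_TIME_SPAN_SECOND  (G_GINT64_CONSTANT(1000000))`. A comment on the fallback, `/* GLib < 2.26 lacks this; value is in microseconds, as in GLib */`, would make the unit explicit for the next reader.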
-- 
1.8.3.1




Re: [Qemu-devel] live migration + licensing issue.

2014-07-09 Thread Andreas Färber
Am 09.07.2014 13:09, schrieb Anshul Makkar:
 Thanks. I got the point.

And for the record, the point is that the machine version on the
destination side needs to match the source side. So, if the default or
pc alias is used in 1.0, which resolves to pc-1.0, then it needs to be
pc-1.0, not pc-1.2. If an explicit machine name such as pc-0.15 was used
then that exact machine must be used on the destination as well.

Andreas

 On Wed, Jul 9, 2014 at 9:36 AM, Markus Armbruster arm...@redhat.com wrote:
 Anshul Makkar anshul.mak...@profitbricks.com writes:

 Hi,

 Yeah, I am aware of this option. But the point where I am concerned is
 that if Windows VM is running in QEMU 1.0 with pc-model 1.0 and then I
 upgrade the QEMU to 2.0 and I specify machine as pc-1.2, then Windows
 will see this as change in hardware and complain about the license.

 Works as designed.

 Sorry, if my understanding is wrong here or i am missing something.

 Changing the machine type is the virtual equivalent of replacing the
 motherboard.
 


-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg



Re: [Qemu-devel] [PULL 03/18] target-alpha: Store IOV exception in fp_status

2014-07-09 Thread Peter Maydell
On 9 July 2014 17:20, Richard Henderson r...@twiddle.net wrote:
 We were not representing the IOV (integer overflow) exception at all.
 For ease of implementation, allocate a generic bit in softfloat, even
 though softfloat will never raise the exception itself.

I don't think we should use softfloat flag bits for keeping
information which isn't about softfloat's status. Why can't
you just put this in the per-CPU state?

thanks
-- PMM



Re: [Qemu-devel] [PATCH] qtest: fix vhost-user-test compilation with old GLib

2014-07-09 Thread Kevin Wolf
Am 09.07.2014 um 17:06 hat Nikolay Nikolaev geschrieben:
 Mising G_TIME_SPAN_SECOND definition breaks the RHEL6 compilation as GLib
 version before 2.26 does not have it. In such case just define it.
 
 Reported-by: Kevin Wolf kw...@redhat.com
 Signed-off-by: Nikolay Nikolaev n.nikol...@virtualopensystems.com

Thanks, this fixes the build for me.

Tested-by: Kevin Wolf kw...@redhat.com



Re: [Qemu-devel] [PULL for-2.1 00/18] target-alpha patch queue

2014-07-09 Thread Peter Maydell
On 9 July 2014 17:20, Richard Henderson r...@twiddle.net wrote:
 The queue consists of Al Viro's recent work looking at the dark
 corner cases of Alpha FPU exception signalling, for which I am
 most grateful.

 Please pull for 2.1.

 Richard Henderson (18):

  include/fpu/softfloat.h   |  13 ++--
  target-alpha/cpu.h|   1 -
  target-alpha/fpu_helper.c | 139 +++--
  target-alpha/helper.c |  19 +++--
  target-alpha/helper.h |  12 +--
  target-alpha/int_helper.c |  59 +-
  target-alpha/mem_helper.c |   9 ++-
  target-alpha/translate.c  | 191 
 +++---
  8 files changed, 227 insertions(+), 216 deletions(-)

My general feeling here is that this is too much code and too late
for 2.1; can we hold it over to 2.2 ?

thanks
-- PMM



[Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits

2014-07-09 Thread Michael Roth
From: Peter Maydell peter.mayd...@linaro.org

The ELF HWCAP bits for ARM features THUMBEE, NEON, VFPv3 and VFPv3D16 are
all off by one compared to the kernel definitions. Fix this discrepancy
and add in the missing CRUNCH bit which was the cause of the off-by-one
error. (We don't emulate any of the CPUs which have that weird hardware,
so it's otherwise uninteresting to us.)

Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Maydell peter.mayd...@linaro.org
Signed-off-by: Riku Voipio riku.voi...@linaro.org
(cherry picked from commit 43ce393ee5f7b96d2ac22fedc40d6b6fb3f65a3e)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 linux-user/elfload.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 8dd424d..7d1e097 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -346,10 +346,11 @@ enum
 ARM_HWCAP_ARM_EDSP  = 1  7,
 ARM_HWCAP_ARM_JAVA  = 1  8,
 ARM_HWCAP_ARM_IWMMXT= 1  9,
-ARM_HWCAP_ARM_THUMBEE   = 1  10,
-ARM_HWCAP_ARM_NEON  = 1  11,
-ARM_HWCAP_ARM_VFPv3 = 1  12,
-ARM_HWCAP_ARM_VFPv3D16  = 1  13,
+ARM_HWCAP_ARM_CRUNCH= 1  10,
+ARM_HWCAP_ARM_THUMBEE   = 1  11,
+ARM_HWCAP_ARM_NEON  = 1  12,
+ARM_HWCAP_ARM_VFPv3 = 1  13,
+ARM_HWCAP_ARM_VFPv3D16  = 1  14,
 };
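Review bot: The corrected bit positions are only right as long as they track the kernel's definitions, and nothing in the enum says where they come from; a comment at the top of the enum, `/* Must match HWCAP_* in arch/arm/include/uapi/asm/hwcap.h of the Linux kernel */`, would make the next drift easier to spot. The enum's opening line is outside the hunk, so the comment would go just above it.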
 
 #define TARGET_HAS_VALIDATE_GUEST_SPACE
-- 
1.9.1




[Qemu-devel] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load

2014-07-09 Thread Michael Roth
From: Michael S. Tsirkin m...@redhat.com

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

num = qemu_get_be32(f);

for (i = 0; i < num; i++) {
vdev-vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin m...@redhat.com
Reviewed-by: Michael Roth mdr...@linux.vnet.ibm.com
Signed-off-by: Juan Quintela quint...@redhat.com
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/virtio/virtio.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 965b2c0..8dc3cb3 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -888,7 +888,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
-int num, i, ret;
+int i, ret;
+uint32_t num;
 uint32_t features;
 uint32_t supported_features;
 BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
@@ -916,6 +917,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 
 num = qemu_get_be32(f);
 
+if (num  VIRTIO_PCI_QUEUE_MAX) {
+error_report(Invalid number of PCI queues: 0x%x, num);
+return -1;
+}
+
 for (i = 0; i  num; i++) {
 vdev-vq[i].vring.num = qemu_get_be32(f);
 if (k-has_variable_vring_alignment) {
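Review bot: `num` is now `uint32_t` but the loop index `i`, declared in the first hunk, stays `int`, so `i < num` is a mixed-sign comparison that is safe only because the new bound keeps num at or below VIRTIO_PCI_QUEUE_MAX; declaring `uint32_t num, i;` removes the -Wsign-compare warning and the implicit reliance. The check also depends on vdev->vq holding exactly VIRTIO_PCI_QUEUE_MAX entries, which the hunk cannot show; a comment next to the check, `/* vq[] has VIRTIO_PCI_QUEUE_MAX entries; num == max is valid since the loop is i < num */`, would tie the bound to the array. virtio_load continues outside the hunk.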
-- 
1.9.1




Re: [Qemu-devel] [PULL for-2.1 00/18] target-alpha patch queue

2014-07-09 Thread Richard Henderson
On 07/09/2014 09:30 AM, Peter Maydell wrote:
 My general feeling here is that this is too much code and too late
 for 2.1; can we hold it over to 2.2 ?

Ok then.


r~




Re: [Qemu-devel] [PULL 03/18] target-alpha: Store IOV exception in fp_status

2014-07-09 Thread Richard Henderson
On 07/09/2014 09:28 AM, Peter Maydell wrote:
 I don't think we should use softfloat flag bits for keeping
 information which isn't about softfloat's status. Why can't
 you just put this in the per-CPU state?

It is (mostly) being stored in per-CPU state.  But for efficiency, the per-CPU
state is in the softfloat format.

For this new bit, I'd prefer to not require a second load to examine the
exception flags for the insn.  And while I could privately define a symbol for
the unused bit in the existing softfloat status, that seemed more hazardous
than just defining the bit in the global softfloat enumeration.


r~



[Qemu-devel] [PATCH 093/156] qcow2: Fix backing file name length check

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

len could become negative and would then pass the check. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.

This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating it to 1023.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit 6d33e8e7dc9d40ea105feed4b39caa3e641569e8)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2.c  | 9 ++---
 tests/qemu-iotests/080 | 8 
 tests/qemu-iotests/080.out | 5 +
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index f1f8c9c..3e620f2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -448,7 +448,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, 
int flags,
   Error **errp)
 {
 BDRVQcowState *s = bs-opaque;
-int len, i, ret = 0;
+unsigned int len, i;
+int ret = 0;
 QCowHeader header;
 QemuOpts *opts;
 Error *local_err = NULL;
@@ -723,8 +724,10 @@ static int qcow2_open(BlockDriverState *bs, QDict 
*options, int flags,
 /* read the backing file name */
 if (header.backing_file_offset != 0) {
 len = header.backing_file_size;
-if (len  1023) {
-len = 1023;
+if (len  MIN(1023, s-cluster_size - header.backing_file_offset)) {
+error_setg(errp, Backing file name too long);
+ret = -EINVAL;
+goto fail;
 }
 ret = bdrv_pread(bs-file, header.backing_file_offset,
  bs-backing_file, len);
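Review bot: `s->cluster_size - header.backing_file_offset` is an unsigned subtraction that wraps if backing_file_offset is larger than cluster_size, in which case MIN() falls back to 1023 and the new check degrades to the old one; it is sound only if an earlier check in qcow2_open, outside this hunk, has already confined backing_file_offset to the first cluster, which the series appears to add separately. A comment on the condition, `/* backing_file_offset was validated above to lie inside the first cluster, so this cannot wrap */`, would record that dependency for anyone reordering the checks later.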
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 7255b6c..f3091a9 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_backing_file_size=16
 offset_l1_size=36
 offset_l1_table_offset=40
 offset_refcount_table_offset=48
@@ -135,6 +136,13 @@ poke_file $TEST_IMG $offset_l1_table_offset 
\x12\x34\x56\x78\x90\xab\xcd\xe
 poke_file $TEST_IMG $offset_l1_size \x00\x00\x00\x01
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Invalid backing file size ==
+_make_test_img 64M
+poke_file $TEST_IMG $offset_backing_file_offset 
\x00\x00\x00\x00\x00\x00\x10\x00
+poke_file $TEST_IMG $offset_backing_file_size \xff\xff\xff\xff
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4ec2545..8103211 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table 
offset
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
 no file open, try 'help open'
+
+== Invalid backing file size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
+no file open, try 'help open'
 *** done
-- 
1.9.1




[Qemu-devel] [PATCH v4 2.1 2/4] virtio-blk: Bypass error action and I/O accounting on invalid r/w

2014-07-09 Thread Markus Armbruster
When a device model's I/O operation fails, we execute the error
action.  This lets layers above QEMU implement thin provisioning, or
attempt to correct errors before they reach the guest.  But when the
I/O operation fails because it's invalid, reporting the error to the
guest is the only sensible action.

If the guest's read or write asks for an invalid sector range, fail
the request right away, without considering the error action.  No
change with error action BDRV_ACTION_REPORT.

Furthermore, bypass I/O accounting, because we want to track only I/O
that actually reaches the block layer.

The next commit will extend invalid sector range to cover attempts
to read/write beyond the end of the medium.

Signed-off-by: Markus Armbruster arm...@redhat.com
---
 hw/block/virtio-blk.c | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index d946fa9..53d6f92 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -307,15 +307,16 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, 
MultiReqBuffer *mrb)
 
 sector = virtio_ldq_p(VIRTIO_DEVICE(req-dev), req-out.sector);
 
-bdrv_acct_start(req-dev-bs, req-acct, req-qiov.size, BDRV_ACCT_WRITE);
-
 trace_virtio_blk_handle_write(req, sector, req-qiov.size / 512);
 
 if (!virtio_blk_sect_range_ok(req-dev, sector, req-qiov.size)) {
-virtio_blk_rw_complete(req, -EIO);
+virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
+virtio_blk_free_request(req);
 return;
 }
 
+bdrv_acct_start(req-dev-bs, req-acct, req-qiov.size, BDRV_ACCT_WRITE);
+
 if (mrb-num_writes == 32) {
 virtio_submit_multiwrite(req-dev-bs, mrb);
 }
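Review bot: The rejection sequence `virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR); virtio_blk_free_request(req); return;` is now spelled out identically here and in the virtio_blk_handle_read hunk below; a small static helper would keep both in step when the invalid-range handling is extended again, which the commit message already announces for the next patch. Both trace calls still divide by a literal 512 while bdrv_aio_readv below uses BDRV_SECTOR_SIZE; not introduced by this patch, but worth aligning while these lines are being touched.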
@@ -337,14 +338,15 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req)
 
 sector = virtio_ldq_p(VIRTIO_DEVICE(req-dev), req-out.sector);
 
-bdrv_acct_start(req-dev-bs, req-acct, req-qiov.size, BDRV_ACCT_READ);
-
 trace_virtio_blk_handle_read(req, sector, req-qiov.size / 512);
 
 if (!virtio_blk_sect_range_ok(req-dev, sector, req-qiov.size)) {
-virtio_blk_rw_complete(req, -EIO);
+virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
+virtio_blk_free_request(req);
 return;
 }
+
+bdrv_acct_start(req-dev-bs, req-acct, req-qiov.size, BDRV_ACCT_READ);
 bdrv_aio_readv(req-dev-bs, sector, req-qiov,
req-qiov.size / BDRV_SECTOR_SIZE,
virtio_blk_rw_complete, req);
-- 
1.9.3




Re: [Qemu-devel] [PATCH for 2.1 V2] qemu-img info: show nocow info

2014-07-09 Thread Eric Blake
On 07/07/2014 09:08 PM, Chunyan Liu wrote:
 Add nocow info in 'qemu-img info' output to show whether the file
 currently has NOCOW flag set or not.
 
 Signed-off-by: Chunyan Liu cy...@suse.com
 ---
 Changes:
   - add documentation of nocow in qapi/block-core.json.
 

 @@ -625,4 +646,8 @@ void bdrv_image_info_dump(fprintf_function func_fprintf, 
 void *f,
  func_fprintf(f, Format specific information:\n);
  bdrv_image_info_specific_dump(func_fprintf, f, 
 info-format_specific);
  }
 +
 +if (info-has_nocow  info-nocow) {
 +func_fprintf(f, Set NOCOW flag: yes\n);

Reads awkwardly.  How about:

NOCOW flag: set

(and if we could reliably tell that the fs supports nocow but the flag
is clear, then we could have 'NOCOW flag: clear')

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature


[Qemu-devel] [PATCH for-2.1] dma-helpers: Fix too long qiov

2014-07-09 Thread Kevin Wolf
If the size of the scatter/gather list isn't a multiple of 512, the
number of sectors for the block layer request is rounded down, resulting
in a qiov that doesn't match the request length. Truncate the qiov to the
new length of the request.

This fixes the IDE qtest case /x86_64/ide/bmdma/short_prdt.

Signed-off-by: Kevin Wolf kw...@redhat.com
---
 dma-helpers.c |  4 
 include/qemu-common.h |  1 +
 util/iov.c| 13 +
 3 files changed, 18 insertions(+)

diff --git a/dma-helpers.c b/dma-helpers.c
index 53cbe92..499b52b 100644
--- a/dma-helpers.c
+++ b/dma-helpers.c
@@ -170,6 +170,10 @@ static void dma_bdrv_cb(void *opaque, int ret)
 return;
 }
 
+if (dbs-iov.size  ~BDRV_SECTOR_MASK) {
+qemu_iovec_discard_back(dbs-iov, dbs-iov.size  ~BDRV_SECTOR_MASK);
+}
+
 dbs-acb = dbs-io_func(dbs-bs, dbs-sector_num, dbs-iov,
 dbs-iov.size / 512, dma_bdrv_cb, dbs);
 assert(dbs-acb);
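Review bot: After the new `qemu_iovec_discard_back()` call, a scatter/gather list shorter than one sector leaves `dbs->iov.size` at 0 and the next statement submits `io_func` with zero sectors; whether the block layer accepts that, or whether an earlier branch of dma_bdrv_cb already rules it out, is not visible in the hunk. Either guard it, or state the invariant in a comment such as `/* iov.size is at least BDRV_SECTOR_SIZE here; shorter lists never reach this point */`. dma_bdrv_cb starts before the hunk.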
diff --git a/include/qemu-common.h b/include/qemu-common.h
index ae76197..6ef8282 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -329,6 +329,7 @@ size_t qemu_iovec_memset(QEMUIOVector *qiov, size_t offset,
  int fillc, size_t bytes);
 ssize_t qemu_iovec_compare(QEMUIOVector *a, QEMUIOVector *b);
 void qemu_iovec_clone(QEMUIOVector *dest, const QEMUIOVector *src, void *buf);
+void qemu_iovec_discard_back(QEMUIOVector *qiov, size_t bytes);
 
 bool buffer_is_zero(const void *buf, size_t len);
 
diff --git a/util/iov.c b/util/iov.c
index 2b4f46d..24566c8 100644
--- a/util/iov.c
+++ b/util/iov.c
@@ -550,3 +550,16 @@ size_t iov_discard_back(struct iovec *iov, unsigned int 
*iov_cnt,
 
 return total;
 }
+
+void qemu_iovec_discard_back(QEMUIOVector *qiov, size_t bytes)
+{
+size_t total;
+unsigned int niov = qiov-niov;
+
+assert(qiov-size = bytes);
+total = iov_discard_back(qiov-iov, niov, bytes);
+assert(total == bytes);
+
+qiov-niov = niov;
+qiov-size -= bytes;
+}
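Review bot: The new function enforces two preconditions with asserts but neither the definition here nor the prototype added to include/qemu-common.h documents them; a contract comment above the function, `/* Drop the trailing @bytes bytes from @qiov; @bytes must not exceed qiov->size */`, tells callers what the asserts will abort on. The second assert, `total == bytes`, also silently documents that iov_discard_back is expected to consume everything it is asked for; a short why-comment there would help too.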
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH for-2.1 1/2] qmp: hide hotplugged device property from device-list-properties

2014-07-09 Thread Eric Blake
On 07/09/2014 06:01 AM, Stefan Hajnoczi wrote:
 The hotplugged device property was not reported before commit
 f4eb32b590bf58c1c67570775eb78beb09964fad (qmp: show QOM properties in
 device-list-properties).  Fix this difference.
 
 Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
 ---
  qmp.c | 1 +
  1 file changed, 1 insertion(+)

Reviewed-by: Eric Blake ebl...@redhat.com

 
 diff --git a/qmp.c b/qmp.c
 index 0d2553a..c6767c4 100644
 --- a/qmp.c
 +++ b/qmp.c
 @@ -509,6 +509,7 @@ DevicePropertyInfoList *qmp_device_list_properties(const 
 char *typename,
  if (strcmp(prop-name, type) == 0 ||
  strcmp(prop-name, realized) == 0 ||
  strcmp(prop-name, hotpluggable) == 0 ||
 +strcmp(prop-name, hotplugged) == 0 ||
  strcmp(prop-name, parent_bus) == 0) {
  continue;
  }
 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature


Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14

2014-07-09 Thread Dr. David Alan Gilbert
* Michael Roth (mdr...@linux.vnet.ibm.com) wrote:
 Hi everyone,
 
 The following new patches are queued for QEMU stable v1.7.2:
 
   https://github.com/mdroth/qemu/commits/stable-1.7-staging
 
 The release is planned for 2014-07-21:
 
   http://wiki.qemu.org/Planning/1.7
 
 Please respond here or CC qemu-sta...@nongnu.org on any patches
 you think should be included in the release.

You might want to include:
a890a2f9137ac3cf5b607649e66a6f3a5512d8dc - virtio: validate config_len on load

which guards against a mismatched config len on the migration stream
overwriting things.

however, if you do you should also include:
2f5732e9648fcddc8759a8fd25c0b41a38352be6 - Allow mismatched virtio config-len
which instead of erroring, just discards the data to cope with
changes in the config len.

Dave


 Testing/feedback is greatly appreciated.
 
 
 As you maybe have noticed, the 1.7.2 stable release is late by
 almost an entire release cycle. There were some important fixes
 planned for 1.7.2 however, so hopefully better late than never.
 Due to the delay the patch queue for this release is quite a bit
 longer than usual, so anyone interested in this release is highly
 encouraged to review/test.
 
 2.0.1 has similarly slipped by half a release cycle, so 2.0.1 will
 be going out during the originally planned date release date for
 2.0.2, and is the only planned stable release for the 2.0 series:
 
   http://wiki.qemu.org/Planning/2.0
 
 My apologies for the delays. For 2.1.x, we should be back on track
 for the normal stable release schedule (2.1.1 midway through 2.2
 development, and 2.1.2 roughly coinciding with 2.2 release).
 
 Thanks! 
 
 
 Alexander Graf (3):
   kvmclock: Ensure time in migration never goes backward
   KVM: Fix GSI number space limit
   virtio-serial: don't migrate the config space
 
 Alexey Kardashevskiy (1):
   spapr_pci: Fix number of returned vectors in ibm, change-msi
 
 Andreas Färber (2):
   sdhci: Fix misuse of qemu_free_irqs()
   hw: Fix qemu_allocate_irqs() leaks
 
 Benoît Canet (2):
   ide: Correct improper smart self test counter reset in ide core.
   block: Prevent coroutine stack overflow when recursing in 
 bdrv_open_backing_file.
 
 ChenLiang (1):
   migration: remove duplicate code
 
 Cornelia Huck (1):
   s390x/css: handle emw correctly for tsch
 
 Cédric Le Goater (1):
   virtio-net: byteswap virtio-net header
 
 David Hildenbrand (1):
   s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG
 
 Dmitry Fleytman (4):
   vmxnet3: validate interrupt indices coming from guest
   vmxnet3: validate queues configuration coming from guest
   vmxnet3: validate interrupt indices read on migration
   vmxnet3: validate queues configuration read on migration
 
 Dr. David Alan Gilbert (1):
   Fix vmstate_info_int32_le comparison/assign
 
 Edgar E. Iglesias (1):
   target-arm: Make vbar_write 64bit friendly on 32bit hosts
 
 Eduardo Habkost (1):
   target-i386: Filter FEAT_7_0_EBX TCG features too
 
 Fam Zheng (2):
   scsi: Change scsi sense buf size to 252
   curl: check data size before memcpy to local buffer. (CVE-2014-0144)
 
 Gal Hammer (1):
   char: restore read callback on a reattached (hotplug) chardev
 
 Gonglei (1):
   qga: Fix handle fd leak in acquire_privilege()
 
 Hani Benhabiles (5):
   usb: Fix usb-bt-dongle initialization.
   nbd: Don't export a block device with no medium.
   nbd: Don't validate from and len in NBD_CMD_DISC.
   nbd: Close socket on negotiation failure.
   nbd: Shutdown socket before closing.
 
 Hannes Reinecke (1):
   megasas: Implement LD_LIST_QUERY
 
 Hu Tao (1):
   qcow2: fix offset overflow in qcow2_alloc_clusters_at()
 
 Jeff Cody (3):
   vpc/vhd: add bounds check for max_table_entries and block_size 
 (CVE-2014-0144)
   vdi: add bounds checks for blocks_in_image and disk_size header fields 
 (CVE-2014-0144)
   vhdx: Bounds checking for block_size and logical_sector_size 
 (CVE-2014-0148)
 
 Kevin Wolf (35):
   qcow2: Flush metadata during read-only reopen
   block: Use BDRV_O_NO_BACKING where appropriate
   qemu-iotests: Support for bochs format
   bochs: Unify header structs and make them QEMU_PACKED
   bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
   bochs: Check catalog_size header field (CVE-2014-0143)
   bochs: Check extent_size header field (CVE-2014-0142)
   bochs: Fix bitmap offset calculation
   vpc: Validate block size (CVE-2014-0142)
   qcow2: Check header_length (CVE-2014-0144)
   qcow2: Check backing_file_offset (CVE-2014-0144)
   qcow2: Check refcount table size (CVE-2014-0144)
   qcow2: Validate refcount table offset
   qcow2: Validate snapshot table offset/size (CVE-2014-0144)
   qcow2: Validate active L1 table offset and size (CVE-2014-0144)
  

[Qemu-devel] [PATCH 09/10] qemu-coroutine-io: fix for Win32

2014-07-09 Thread Paolo Bonzini
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 nbd.c   | 2 +-
 qemu-coroutine-io.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/nbd.c b/nbd.c
index e7d1cee..5c28f71 100644
--- a/nbd.c
+++ b/nbd.c
@@ -156,7 +156,7 @@ ssize_t nbd_wr_sync(int fd, void *buffer, size_t size, bool 
do_read)
 err = socket_error();
 
 /* recoverable error */
-if (err == EINTR || (offset  0  err == EAGAIN)) {
+if (err == EINTR || (offset  0  (err == EAGAIN || err == 
EWOULDBLOCK))) {
 continue;
 }
 
diff --git a/qemu-coroutine-io.c b/qemu-coroutine-io.c
index 054ca70..d404926 100644
--- a/qemu-coroutine-io.c
+++ b/qemu-coroutine-io.c
@@ -34,13 +34,15 @@ qemu_co_sendv_recvv(int sockfd, struct iovec *iov, unsigned 
iov_cnt,
 {
 size_t done = 0;
 ssize_t ret;
+int err;
 while (done  bytes) {
 ret = iov_send_recv(sockfd, iov, iov_cnt,
 offset + done, bytes - done, do_send);
 if (ret  0) {
 done += ret;
 } else if (ret  0) {
-if (errno == EAGAIN) {
+err = socket_error();
+if (err == EAGAIN || err == EWOULDBLOCK) {
 qemu_coroutine_yield();
 } else if (done == 0) {
 return -1;
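Review bot: `int err;` is added at function scope although it is only assigned and read inside the `ret < 0` branch; declaring it at the head of that block, `} else if (ret < 0) { int err = socket_error();`, keeps it initialised at the point of use and narrows its scope without mixing declarations and statements. The EAGAIN/EWOULDBLOCK pairing now appears both here and in the nbd.c hunk above; a small shared `static inline bool` helper would avoid the duplicated condition. qemu_co_sendv_recvv begins outside the hunk.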
-- 
1.9.3





[Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size

2014-07-09 Thread Michael Roth
From: Michael S. Tsirkin m...@redhat.com

It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.

Not a big problem in practice as people don't use
such big queues, but it's inelegant.

Reported-by: Dr. David Alan Gilbert dgilb...@redhat.com
Cc: qemu-sta...@nongnu.org
Signed-off-by: Michael S. Tsirkin m...@redhat.com
(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/virtio/virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 151fae9..c6265c6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -427,7 +427,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
 unsigned int i;
 hwaddr len;
 
-if (num_sg = VIRTQUEUE_MAX_SIZE) {
+if (num_sg  VIRTQUEUE_MAX_SIZE) {
 error_report(virtio: map attempt out of bounds: %zd  %d,
  num_sg, VIRTQUEUE_MAX_SIZE);
 exit(1);
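Review bot: The message formats `num_sg` with `%zd`, the signed conversion; if num_sg is a `size_t`, whose declaration sits in the signature outside the hunk, the matching specifier is `%zu`. Separately, the out-of-range path still ends in `exit(1)` on a value that appears to originate in guest-supplied descriptors, so a misbehaving guest driver terminates the whole VM rather than just failing its own request; that predates this patch, but a comment acknowledging the trade-off, or an error return the caller can act on, would be worth considering.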
-- 
1.9.1




[Qemu-devel] [PATCH 06/10] test-aio: test timers on Windows too

2014-07-09 Thread Paolo Bonzini
Use EventNotifier instead of a pipe, which makes it trivial to test
timers on Windows.

Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 tests/test-aio.c | 48 +++-
 1 file changed, 11 insertions(+), 37 deletions(-)

diff --git a/tests/test-aio.c b/tests/test-aio.c
index 4c40a49..23ca10a 100644
--- a/tests/test-aio.c
+++ b/tests/test-aio.c
@@ -57,8 +57,6 @@ static void bh_test_cb(void *opaque)
 }
 }
 
-#if !defined(_WIN32)
-
 static void timer_test_cb(void *opaque)
 {
 TimerTestData *data = opaque;
@@ -68,12 +66,10 @@ static void timer_test_cb(void *opaque)
 }
 }
 
-static void dummy_io_handler_read(void *opaque)
+static void dummy_io_handler_read(EventNotifier *e)
 {
 }
 
-#endif /* !_WIN32 */
-
 static void bh_delete_cb(void *opaque)
 {
 BHTestData *data = opaque;
@@ -428,24 +424,18 @@ static void test_wait_event_notifier_noflush(void)
 event_notifier_cleanup(data.e);
 }
 
-#if !defined(_WIN32)
-
 static void test_timer_schedule(void)
 {
 TimerTestData data = { .n = 0, .ctx = ctx, .ns = SCALE_MS * 750LL,
.max = 2,
.clock_type = QEMU_CLOCK_VIRTUAL };
-int pipefd[2];
+EventNotifier e;
 
 /* aio_poll will not block to wait for timers to complete unless it has
  * an fd to wait on. Fixing this breaks other tests. So create a dummy one.
  */
-g_assert(!qemu_pipe(pipefd));
-qemu_set_nonblock(pipefd[0]);
-qemu_set_nonblock(pipefd[1]);
-
-aio_set_fd_handler(ctx, pipefd[0],
-   dummy_io_handler_read, NULL, NULL);
+event_notifier_init(e, false);
+aio_set_event_notifier(ctx, e, dummy_io_handler_read);
 aio_poll(ctx, false);
 
 aio_timer_init(ctx, data.timer, data.clock_type,
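Review bot: `event_notifier_init(&e, false)` replaces a `g_assert(!qemu_pipe(pipefd))` but its own result is discarded; if event_notifier_init reports failure through its return value, as the POSIX implementation does, wrapping it the same way, `g_assert(!event_notifier_init(&e, false));`, keeps the test failing loudly instead of polling a notifier that was never created. The same applies to the identical call in test_source_timer_schedule further down.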
@@ -484,15 +474,12 @@ static void test_timer_schedule(void)
 g_assert(!aio_poll(ctx, false));
 g_assert_cmpint(data.n, ==, 2);
 
-aio_set_fd_handler(ctx, pipefd[0], NULL, NULL, NULL);
-close(pipefd[0]);
-close(pipefd[1]);
+aio_set_event_notifier(ctx, e, NULL);
+event_notifier_cleanup(e);
 
 timer_del(data.timer);
 }
 
-#endif /* !_WIN32 */
-
 /* Now the same tests, using the context as a GSource.  They are
  * very similar to the ones above, with g_main_context_iteration
  * replacing aio_poll.  However:
@@ -775,25 +762,19 @@ static void test_source_wait_event_notifier_noflush(void)
 event_notifier_cleanup(data.e);
 }
 
-#if !defined(_WIN32)
-
 static void test_source_timer_schedule(void)
 {
 TimerTestData data = { .n = 0, .ctx = ctx, .ns = SCALE_MS * 750LL,
.max = 2,
.clock_type = QEMU_CLOCK_VIRTUAL };
-int pipefd[2];
+EventNotifier e;
 int64_t expiry;
 
 /* aio_poll will not block to wait for timers to complete unless it has
  * an fd to wait on. Fixing this breaks other tests. So create a dummy one.
  */
-g_assert(!qemu_pipe(pipefd));
-qemu_set_nonblock(pipefd[0]);
-qemu_set_nonblock(pipefd[1]);
-
-aio_set_fd_handler(ctx, pipefd[0],
-   dummy_io_handler_read, NULL, NULL);
+event_notifier_init(e, false);
+aio_set_event_notifier(ctx, e, dummy_io_handler_read);
 do {} while (g_main_context_iteration(NULL, false));
 
 aio_timer_init(ctx, data.timer, data.clock_type,
@@ -818,15 +799,12 @@ static void test_source_timer_schedule(void)
 g_assert_cmpint(data.n, ==, 2);
 g_assert(qemu_clock_get_ns(data.clock_type)  expiry);
 
-aio_set_fd_handler(ctx, pipefd[0], NULL, NULL, NULL);
-close(pipefd[0]);
-close(pipefd[1]);
+aio_set_event_notifier(ctx, e, NULL);
+event_notifier_cleanup(e);
 
 timer_del(data.timer);
 }
 
-#endif /* !_WIN32 */
-
 
 /* End of tests.  */
 
@@ -857,9 +835,7 @@ int main(int argc, char **argv)
 g_test_add_func(/aio/event/wait,  test_wait_event_notifier);
 g_test_add_func(/aio/event/wait/no-flush-cb,  
test_wait_event_notifier_noflush);
 g_test_add_func(/aio/event/flush, test_flush_event_notifier);
-#if !defined(_WIN32)
 g_test_add_func(/aio/timer/schedule,  test_timer_schedule);
-#endif
 
 g_test_add_func(/aio-gsource/notify,  
test_source_notify);
 g_test_add_func(/aio-gsource/flush,   test_source_flush);
@@ -874,8 +850,6 @@ int main(int argc, char **argv)
 g_test_add_func(/aio-gsource/event/wait,  
test_source_wait_event_notifier);
 g_test_add_func(/aio-gsource/event/wait/no-flush-cb,  
test_source_wait_event_notifier_noflush);
 g_test_add_func(/aio-gsource/event/flush, 
test_source_flush_event_notifier);
-#if !defined(_WIN32)
 g_test_add_func(/aio-gsource/timer/schedule,  
test_source_timer_schedule);
-#endif
 return g_test_run();
 }
-- 
1.9.3





[Qemu-devel] [PATCH v3 2.1 3/4] virtio-blk: Treat read/write beyond end as invalid

2014-07-09 Thread Markus Armbruster
The block layer fails such reads and writes just fine.  However, they
then get treated like valid operations that fail: the error action
gets executed.  Unwanted; reporting the error to the guest is the only
sensible action.

Reject them before passing them to the block layer.  This bypasses the
error action and I/O accounting.

Signed-off-by: Markus Armbruster arm...@redhat.com
Reviewed-by: Fam Zheng f...@redhat.com
---
 hw/block/virtio-blk.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 53d6f92..8a2cff2 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -291,12 +291,19 @@ static void virtio_blk_handle_flush(VirtIOBlockReq *req, 
MultiReqBuffer *mrb)
 static bool virtio_blk_sect_range_ok(VirtIOBlock *dev,
  uint64_t sector, size_t size)
 {
+uint64_t nb_sectors = size  BDRV_SECTOR_BITS;
+uint64_t total_sectors;
+
 if (sector  dev-sector_mask) {
 return false;
 }
 if (size % dev-conf-logical_block_size) {
 return false;
 }
+bdrv_get_geometry(dev-bs, total_sectors);
+if (sector  total_sectors || nb_sectors  total_sectors - sector) {
+return false;
+}
 return true;
 }
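Review bot: The new range check deserves a comment explaining its shape, since `nb_sectors > total_sectors - sector` is the overflow-safe form of `sector + nb_sectors > total_sectors` and is only valid because `sector > total_sectors` is rejected first; suggested wording above the if: `/* sector <= total_sectors holds here, so the subtraction cannot wrap. */`. It is also worth stating that nb_sectors is obtained by shifting size by BDRV_SECTOR_BITS, which relies on the preceding logical_block_size check to make size a whole number of sectors — presumably logical_block_size is never smaller than a sector, but that is not visible in this hunk.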
 
-- 
1.9.3




Re: [Qemu-devel] [PATCH] hw/ppc/spapr_hcall.c: Fix typo in function names

2014-07-09 Thread Alexander Graf


On 08.07.14 17:02, Peter Maydell wrote:

Fix a typo in the names of a couple of functions
(s/resouce/resource/).

Signed-off-by: Peter Maydell peter.mayd...@linaro.org


Thanks, applied to ppc-next-2.2.


Alex




[Qemu-devel] [PULL v2 02/10] mips/kvm: Disable FPU on reset with KVM

2014-07-09 Thread Paolo Bonzini
From: James Hogan james.ho...@imgtec.com

KVM doesn't yet support the MIPS FPU, or writing to the guest's Config1
register which contains the FPU implemented bit. Clear QEMU's version of
that bit on reset and display a warning that the FPU has been disabled.

The previous incorrect Config1 CP0 register value wasn't being passed to
KVM yet, however we should ensure it is set correctly now to reduce the
risk of breaking migration/loadvm to a future version of QEMU/Linux that
does support it.

Signed-off-by: James Hogan james.ho...@imgtec.com
Cc: Aurelien Jarno aurel...@aurel32.net
Cc: Paolo Bonzini pbonz...@redhat.com
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 target-mips/kvm.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/target-mips/kvm.c b/target-mips/kvm.c
index 844e5bb..97fd51a 100644
--- a/target-mips/kvm.c
+++ b/target-mips/kvm.c
@@ -61,6 +61,13 @@ int kvm_arch_init_vcpu(CPUState *cs)
 
 void kvm_mips_reset_vcpu(MIPSCPU *cpu)
 {
+CPUMIPSState *env = cpu-env;
+
+if (env-CP0_Config1  (1  CP0C1_FP)) {
+fprintf(stderr, Warning: FPU not supported with KVM, disabling\n);
+env-CP0_Config1 = ~(1  CP0C1_FP);
+}
+
 DPRINTF(%s\n, __func__);
 }
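Review bot: The warning on the fprintf line is emitted from the vcpu reset path, so it will presumably be printed on every reset rather than once per VM if the reset code re-populates CP0_Config1 from the CPU definition each time; a `static bool warned` guard, or moving the message to vcpu init, would avoid repeated output. QEMU also provides error_report() for diagnostics, which would keep the message consistent with other warnings; the `fprintf(stderr, ...)` works but bypasses that path.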
 
-- 
1.8.3.1



Re: [Qemu-devel] [PULL 37/37] tests: add human format test for string output visitor

2014-07-09 Thread Andreas Färber
Am 29.06.2014 19:00, schrieb Michael S. Tsirkin:
 From: Hu Tao hu...@cn.fujitsu.com
 
 Signed-off-by: Hu Tao hu...@cn.fujitsu.com
 Acked-by: Michael S. Tsirkin m...@redhat.com
 Signed-off-by: Michael S. Tsirkin m...@redhat.com
 ---
  tests/test-string-output-visitor.c | 109 
 ++---
  1 file changed, 90 insertions(+), 19 deletions(-)
 
 diff --git a/tests/test-string-output-visitor.c 
 b/tests/test-string-output-visitor.c
 index 28e7359..e89e43c 100644
 --- a/tests/test-string-output-visitor.c
 +++ b/tests/test-string-output-visitor.c
[...]
 @@ -162,12 +195,26 @@ static void test_visitor_out_enum(TestOutputVisitorData 
 *data,
  EnumOne i;
  
  for (i = 0; i  ENUM_ONE_MAX; i++) {
 +char *str_human;
 +int len;
 +
  visit_type_EnumOne(data-ov, i, unused, err);
  g_assert(!err);
  
 +len = strlen(EnumOne_lookup[i]) + 2;
 +str_human = g_malloc0(len);
 +str_human[0] = '';
 +strncpy(str_human + 1, EnumOne_lookup[i], strlen(EnumOne_lookup[i]));
 +str_human[len - 1] = '';
 +
  str = string_output_get_string(data-sov);
  g_assert(str != NULL);
 -g_assert_cmpstr(str, ==, EnumOne_lookup[i]);
 +if (data-human) {
 +g_assert_cmpstr(str, ==, str_human);

This test is seriously busted: str_human is not NUL-terminated, breaking
-rc1's make check. Eric did ask to use g_strdup_printf() instead, which
would've prevented this bug, on the fixup series that appears to have
been squashed here.

Did anyone run make check at all? Peter?

Will cook up a patch.

Regards,
Andreas

 +} else {
 +g_assert_cmpstr(str, ==, EnumOne_lookup[i]);
 +}
 +g_free(str_human);
   g_free(str);
  }
  }
[snip]

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg



[Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.

Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit 8c7de28305a514d7f879fdfc677ca11fbf60d2e9)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2.c  | 33 +
 tests/qemu-iotests/080 | 13 +
 tests/qemu-iotests/080.out | 10 ++
 3 files changed, 56 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 8c8996d..de86302 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -332,6 +332,32 @@ static int qcow2_check(BlockDriverState *bs, 
BdrvCheckResult *result,
 return ret;
 }
 
+static int validate_table_offset(BlockDriverState *bs, uint64_t offset,
+ uint64_t entries, size_t entry_len)
+{
+BDRVQcowState *s = bs-opaque;
+uint64_t size;
+
+/* Use signed INT64_MAX as the maximum even for uint64_t header fields,
+ * because values will be passed to qemu functions taking int64_t. */
+if (entries  INT64_MAX / entry_len) {
+return -EINVAL;
+}
+
+size = entries * entry_len;
+
+if (INT64_MAX - size  offset) {
+return -EINVAL;
+}
+
+/* Tables must be cluster aligned */
+if (offset  (s-cluster_size - 1)) {
+return -EINVAL;
+}
+
+return 0;
+}
+
 static QemuOptsList qcow2_runtime_opts = {
 .name = qcow2,
 .head = QTAILQ_HEAD_INITIALIZER(qcow2_runtime_opts.head),
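Review bot: validate_table_offset() has no header comment, and its contract is subtle enough to deserve one: it rejects any table whose end offset would exceed INT64_MAX, so callers can pass offset and size to int64_t-taking functions without overflow, rejects any table start that is not cluster-aligned, and returns 0 or -EINVAL. Two preconditions should be stated as well: entry_len must be non-zero (the first check divides by it), and the alignment test `offset & (s->cluster_size - 1)` assumes cluster_size is a power of two, which holds for qcow2 where it is 1 << cluster_bits but is not checked here. A short Doxygen-style block above the function would capture this.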
@@ -592,6 +618,13 @@ static int qcow2_open(BlockDriverState *bs, QDict 
*options, int flags,
 goto fail;
 }
 
+ret = validate_table_offset(bs, s-refcount_table_offset,
+s-refcount_table_size, sizeof(uint64_t));
+if (ret  0) {
+error_setg(errp, Invalid reference count table offset);
+goto fail;
+}
+
 s-snapshots_offset = header.snapshots_offset;
 s-nb_snapshots = header.nb_snapshots;
 
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6179e05..f58ac73 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_refcount_table_offset=48
 offset_refcount_table_clusters=56
 offset_header_size=100
 offset_ext_magic=$header_size
@@ -76,6 +77,18 @@ poke_file $TEST_IMG $offset_refcount_table_clusters 
\xff\xff\xff\xff
 poke_file $TEST_IMG $offset_refcount_table_clusters \x00\x02\x00\x01
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Misaligned refcount table ==
+_make_test_img 64M
+poke_file $TEST_IMG $offset_refcount_table_offset 
\x12\x34\x56\x78\x90\xab\xcd\xef
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
+echo
+echo == Huge refcount offset ==
+_make_test_img 64M
+poke_file $TEST_IMG $offset_refcount_table_offset 
\xff\xff\xff\xff\xff\xff\x00\x00
+poke_file $TEST_IMG $offset_refcount_table_clusters \x00\x00\x00\x7f
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
 # success, all done
 echo *** done
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 6fef6d9..f919b58 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -20,4 +20,14 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Reference count 
table too large
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
 no file open, try 'help open'
+
+== Misaligned refcount table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table 
offset
+no file open, try 'help open'
+
+== Huge refcount offset ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table 
offset
+no file open, try 'help open'
 *** done
-- 
1.9.1




Re: [Qemu-devel] [PATCH] prepend the include path of libvixl header files

2014-07-09 Thread Stefano Stabellini
On Tue, 8 Jul 2014, Stefano Stabellini wrote:
 On Tue, 8 Jul 2014, Peter Maydell wrote:
  On 8 July 2014 12:55, Stefano Stabellini
  stefano.stabell...@eu.citrix.com wrote:
   Are you going to pick it up or do you want me to send a pull request?
  
  I'm going to put it in the target-arm pullreq I'm currently testing.
  
 Great, thanks!
 

Unfortunately I found another one of these issues: disas/arm-a64.o adds
-Idisas/libvixl via arm-a64.o-cflags instead of QEMU_CFLAGS.  I don't
know how I missed it the first time. Probably I didn't properly clean
the QEMU build directory.

I'll send a separate patch for that.



Re: [Qemu-devel] [PATCH v9 05/14] blockjob: Add ready field

2014-07-09 Thread Max Reitz

On 07.07.2014 20:53, Eric Blake wrote:

On 07/05/2014 11:47 AM, Max Reitz wrote:

When a block job signals readiness, this is currently reported only
through QMP. If qemu wants to use block jobs for internal tasks, there
needs to be another way to correctly detect when a block job may be
completed.

For this reason, introduce a bool ready which is set when the block
job may be completed.

Signed-off-by: Max Reitz mre...@redhat.com
---
  blockjob.c   | 3 +++
  include/block/blockjob.h | 5 +
  qapi/block-core.json | 4 +++-
  3 files changed, 11 insertions(+), 1 deletion(-)

+++ b/qapi/block-core.json
@@ -505,12 +505,14 @@
  #
  # @io-status: the status of the job (since 1.3)
  #
+# @ready: true if the job may be completed (since 2.1)

Isn't this 2.2 now, or are you still shooting for calling this a bug fix
in 2.1 hard freeze?


Ah, right, I forgot. This should be 2.2, of course.

Max


Depending on the answer,
Reviewed-by: Eric Blake ebl...@redhat.com





[Qemu-devel] [PATCH buildfix for-2.1] tests: Fix unterminated string output visitor enum human string

2014-07-09 Thread Andreas Färber
The buffer was being allocated with a size of the string length plus two.
Around the string two quotes were being added, but no terminating NUL.
It was then compared using g_assert_cmpstr(), resulting in fairly random
assertion failures:

 ERROR:tests/test-string-output-visitor.c:213:test_visitor_out_enum: assertion 
failed (str == str_human): (\value1\ == \value1\\001EE\0171)

There is no g_assert_cmpnstr() counterpart, so use g_strdup_printf()
for safely assembling the string in the first place.

Cc: Hu Tao hu...@cn.fujitsu.com
Cc: Michael S. Tsirkin m...@redhat.com
Suggested-by: Eric Blake ebl...@redhat.com
Fixes: b4900c0 tests: add human format test for string output visitor
Signed-off-by: Andreas Färber afaer...@suse.de
---
 tests/test-string-output-visitor.c | 7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/tests/test-string-output-visitor.c 
b/tests/test-string-output-visitor.c
index e89e43c..101fb27 100644
--- a/tests/test-string-output-visitor.c
+++ b/tests/test-string-output-visitor.c
@@ -196,16 +196,11 @@ static void test_visitor_out_enum(TestOutputVisitorData 
*data,
 
 for (i = 0; i  ENUM_ONE_MAX; i++) {
 char *str_human;
-int len;
 
 visit_type_EnumOne(data-ov, i, unused, err);
 g_assert(!err);
 
-len = strlen(EnumOne_lookup[i]) + 2;
-str_human = g_malloc0(len);
-str_human[0] = '';
-strncpy(str_human + 1, EnumOne_lookup[i], strlen(EnumOne_lookup[i]));
-str_human[len - 1] = '';
+str_human = g_strdup_printf(\%s\, EnumOne_lookup[i]);
 
 str = string_output_get_string(data-sov);
 g_assert(str != NULL);
-- 
1.8.4.5




[Qemu-devel] [PULL 01/10] mips/kvm: Init EBase to correct KSEG0

2014-07-09 Thread Paolo Bonzini
From: James Hogan james.ho...@imgtec.com

The EBase CP0 register is initialised to 0x8000, however with KVM
the guest's KSEG0 is at 0x4000. The incorrect value doesn't get
passed to KVM yet as KVM doesn't implement the EBase register, however
we should set it correctly now so as not to break migration/loadvm to a
future version of QEMU that does support EBase.

Cc: Aurelien Jarno aurel...@aurel32.net
Cc: Paolo Bonzini pbonz...@redhat.com
Signed-off-by: James Hogan james.ho...@imgtec.com
Reviewed-by: Aurelien Jarno aurel...@aurel32.net
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 target-mips/translate.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/target-mips/translate.c b/target-mips/translate.c
index 2f91959..d7b8c4d 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -28,6 +28,7 @@
 
 #include exec/helper-proto.h
 #include exec/helper-gen.h
+#include sysemu/kvm.h
 
 #define MIPS_DEBUG_DISAS 0
 //#define MIPS_DEBUG_SIGN_EXTENSIONS
@@ -16076,7 +16077,12 @@ void cpu_state_reset(CPUMIPSState *env)
 env-CP0_Random = env-tlb-nb_tlb - 1;
 env-tlb-tlb_in_use = env-tlb-nb_tlb;
 env-CP0_Wired = 0;
-env-CP0_EBase = 0x8000 | (cs-cpu_index  0x3FF);
+env-CP0_EBase = (cs-cpu_index  0x3FF);
+if (kvm_enabled()) {
+env-CP0_EBase |= 0x4000;
+} else {
+env-CP0_EBase |= 0x8000;
+}
 env-CP0_Status = (1  CP0St_BEV) | (1  CP0St_ERL);
 /* vectored interrupts not implemented, timer on int 7,
no performance counters. */
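Review bot: The KSEG0 bases in the new if/else are written as bare hex constants on the two `|=` lines; naming them (a constructed example: a #define such as `MIPS_KSEG0_BASE` plus a KVM-guest variant) would document why the KVM value differs from the native one, which the code itself does not say. A one-line comment such as `/* KVM guests see KSEG0 at a different base than a bare-metal reset. */` would also help, since the commit message is the only place this is explained. The constant values appear truncated in this rendering of the patch, so they should be checked against the original.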
-- 
1.8.3.1





Re: [Qemu-devel] [PATCH buildfix for-2.1] tests: Fix unterminated string output visitor enum human string

2014-07-09 Thread Eric Blake
On 07/09/2014 02:28 PM, Andreas Färber wrote:
 The buffer was being allocated of size string length plus two.
 Around the string two quotes were being added, but no terminating NUL.
 It was then compared using g_assert_cmpstr(), resulting in fairly random
 assertion failures:
 
  ERROR:tests/test-string-output-visitor.c:213:test_visitor_out_enum: 
 assertion failed (str == str_human): (\value1\ == 
 \value1\\001EE\0171)
 
 There is no g_assert_cmpnstr() counterpart, so use g_strdup_printf()
 for safely assembling the string in the first place.
 
 Cc: Hu Tao hu...@cn.fujitsu.com
 Cc: Michael S. Tsirkin m...@redhat.com
 Suggested-by: Eric Blake ebl...@redhat.com
 Fixes: b4900c0 tests: add human format test for string output visitor
 Signed-off-by: Andreas Färber afaer...@suse.de
 ---
  tests/test-string-output-visitor.c | 7 +--
  1 file changed, 1 insertion(+), 6 deletions(-)

Reviewed-by: Eric Blake ebl...@redhat.com

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH v3 1/4] virtio-blk: avoid dataplane VirtIOBlockReq early free

2014-07-09 Thread Stefan Hajnoczi
VirtIOBlockReq is freed later by virtio_blk_free_request() in
hw/block/virtio-blk.c.  Remove this extraneous g_slice_free().

This patch fixes the following segfault:

  0x556373af in virtio_blk_rw_complete (opaque=0x565ff5e0, ret=0) 
at hw/block/virtio-blk.c:99
  99  bdrv_acct_done(req-dev-bs, req-acct);
  (gdb) print req
  $1 = (VirtIOBlockReq *) 0x565ff5e0
  (gdb) print req-dev
  $2 = (VirtIOBlock *) 0x0
  (gdb) bt
  #0  0x556373af in virtio_blk_rw_complete (opaque=0x565ff5e0, 
ret=0) at hw/block/virtio-blk.c:99
  #1  0x55840ebe in bdrv_co_em_bh (opaque=0x566152d0) at 
block.c:4675
  #2  0x5583de77 in aio_bh_poll (ctx=ctx@entry=0x563a8150) at 
async.c:81
  #3  0x5584b7a7 in aio_poll (ctx=0x563a8150, 
blocking=blocking@entry=true) at aio-posix.c:188
  #4  0x556e520e in iothread_run (opaque=0x563a7fd8) at 
iothread.c:41
  #5  0x742ba124 in start_thread () from /usr/lib/libpthread.so.0
  #6  0x716d14bd in clone () from /usr/lib/libc.so.6

Reported-by: Max Reitz mre...@redhat.com
Cc: Fam Zheng f...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
Tested-by: Christian Borntraeger borntrae...@de.ibm.com
---
 hw/block/dataplane/virtio-blk.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
index 4bc0729..bed9f13 100644
--- a/hw/block/dataplane/virtio-blk.c
+++ b/hw/block/dataplane/virtio-blk.c
@@ -68,7 +68,6 @@ static void complete_request_vring(VirtIOBlockReq *req, 
unsigned char status)
 vring_push(req-dev-dataplane-vring, req-elem,
req-qiov.size + sizeof(*req-in));
 notify_guest(req-dev-dataplane);
-g_slice_free(VirtIOBlockReq, req);
 }
 
 static void handle_notify(EventNotifier *e)
-- 
1.9.3




Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Peter Maydell
On 9 July 2014 05:25, Amit Shah amit.s...@redhat.com wrote:
 (CC'ing Peter Maydell for his thoughts)

 On (Tue) 08 Jul 2014 [22:55:42], Peter Lieven wrote:
 Hi Juan,

 Am 25.06.2014 um 13:55 schrieb Juan Quintela quint...@redhat.com:

  Peter Lieven p...@kamp.de wrote:
  this patch extends commit db80fac by not only checking
  for unknown flags, but also filtering out unknown flag
  combinations.
 
  Suggested-by: Eric Blake ebl...@redhat.com
  Signed-off-by: Peter Lieven p...@kamp.de
 
  Reviewed-by: Juan Quintela quint...@redhat.com
 
  Will be on next pull request, thanks.
 

 Have you forgotten to pull this one? It might be too late for 2.1 though.

 Juan is away for a couple of weeks.  This looks like a good fix to
 pull in for 2.1, though.  Peter, do you agree?  Can you pick this up
 if so?

What's the bug it's fixing? I had a look at the commit message,
but that suggests it's just tightening up sanity checking, not
fixing an actual issue... Maybe you can clarify.

thanks
-- PMM



[Qemu-devel] [PATCH QEMU-2.0/qemu-xen] disas/Makefile.objs: prepend -Idisas/libvixl

2014-07-09 Thread Stefano Stabellini
The following commit:

commit 834fb1b269f4c9eb0ffc058fd6ab5a018c3bce1f
Author: Stefano Stabellini stefano.stabell...@eu.citrix.com
Date:   Mon Jul 7 16:25:07 2014 +0100

disas/libvixl: prepend the include path of libvixl header files

moves -Idisas/libvixl at the beginning of QEMU_CFLAGS.
QEMU 2.0 needs one more fix to disas/Makefile.objs.
QEMU 2.1 uses $($*.o-cflags) to accomplish the same thing, see:

http://marc.info/?l=xen-develm=140493820011322

I had to fix QEMU 2.0 too because qemu-xen is based on QEMU 2.0.

Signed-off-by: Stefano Stabellini stefano.stabell...@eu.citrix.com

diff --git a/disas/Makefile.objs b/disas/Makefile.objs
index 41c2374..a70c592 100644
--- a/disas/Makefile.objs
+++ b/disas/Makefile.objs
@@ -4,7 +4,7 @@ common-obj-$(CONFIG_ARM_DIS) += arm.o
 common-obj-$(CONFIG_ARM_A64_DIS) += arm-a64.o
 common-obj-$(CONFIG_ARM_A64_DIS) += libvixl/
 libvixldir = $(SRC_PATH)/disas/libvixl
-$(obj)/arm-a64.o: QEMU_CFLAGS += -I$(libvixldir)
+$(obj)/arm-a64.o: QEMU_CFLAGS := -I$(libvixldir) $(QEMU_CFLAGS)
 common-obj-$(CONFIG_CRIS_DIS) += cris.o
 common-obj-$(CONFIG_HPPA_DIS) += hppa.o
 common-obj-$(CONFIG_I386_DIS) += i386.o
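Review bot: The target-specific `QEMU_CFLAGS := -I$(libvixldir) $(QEMU_CFLAGS)` on the changed line expands the global QEMU_CFLAGS at the point where this file is read, so any flags appended to QEMU_CFLAGS later in the build would not reach arm-a64.o; whether that happens is not visible here but is worth checking. Since a recursive `=` form would reference itself, `:=` is the only way to prepend, and a comment saying so would stop a later cleanup from reverting to `+=`: `# := on purpose: -I must come first, and += would append it last.`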




[Qemu-devel] [Bug 1335444] Re: qemu loses serial console data on EAGAIN

2014-07-09 Thread Andreas Gustafsson
Kirill - thank you for looking into the problem.  I reran the test of Method 1
with your patch, and it is still failing, but the blocks of missing data
seem to be smaller than before.

Here is an extract from the output of the Method 1 test without your patch.
In this case, the test failed because 360 consecutive lines of output were
missing:

1071
1072
1433
1434

With your patch, it still failed, but only a single character was
missing:

1073
0001074
1075

-- 
https://bugs.launchpad.net/bugs/1335444

Title:
  qemu loses serial console data on EAGAIN

Status in QEMU:
  New

Bug description:
  When running a guest OS with a serial console under qemu-system-i386
  -nographic, parts of the serial console output are sometimes lost.

  This happens when a write() to standard output by qemu returns EAGAIN,
  as may be the case when the guest is generating console output faster
  than the tty (or pty/pipe/socket, etc.) connected to qemu's standard
  output accepts it.  The bug affects all releases of qemu since 1.5,
  which was the first version to set stdout to O_NONBLOCK mode.  Version
  1.4.2 and earlier work correctly.

  To reproduce the bug, you will need a guest OS configured with a
  serial console, and a host with a slow tty.  Two different methods
  of setting this up are outlined below.

  
  Method 1

  This fully automated test uses the pexpect Python module to run qemu
  under a pty, with an Aboriginal Linux guest.  A seq command is sent
  to the guest to generate 100,000 lines of output containing sequential
  integers, and the output is checked for gaps.  The script limits the
  tty output rate by occasionally sleeping for 1/10 of a second.

  Run the following commands in a Bourne shell:

  wget 
http://landley.net/aboriginal/downloads/binaries/system-image-i686.tar.bz2
  bunzip2 system-image-i686.tar.bz2 | tar xf -
  cd system-image-i686
  cat \END test.py
  #!/usr/bin/python
  # Drive the guest under a pty via pexpect and check that every line of a
  # numbered sequence printed on the serial console actually arrives.
  # NOTE(review): string quoting in this listing appears to have been stripped
  # by the mail archive; confirm the arguments against the original report.
  import sys
  import time
  import pexpect
  # Number of lines to request; the report text speaks of 100,000 lines, so the
  # value shown here may have been mangled by the archive - confirm before use.
  n = 10
  # Echo everything the guest prints to stderr so a failure can be inspected.
  child = pexpect.spawn('./run-emulator.sh', logfile = sys.stderr)
  # Wait for the guest shell prompt before sending the command.
  child.expect(/home #)
  # Ask the guest to print n zero-padded integers, one per line.
  child.send(seq -f '%%08.0f' 0 %d\r % (n - 1))
  for i in range(n):
  # Each expected integer must appear within 5 seconds; a value other than
  # the next one in sequence means console output was lost.
  child.expect(([0-9]+), timeout = 5)
  got = int(child.match.group(1))
  if got != i:
  print sys.stderr, \nFAIL: expected %d, got %d % (i, got)
  sys.exit(1)
  # Pause every 100 lines to limit the rate at which the pty is drained.
  if i % 100 == 0:
  time.sleep(0.1)
  child.send(exit)
  print sys.stderr, \nPASS
  sys.exit(0)
  END
  python test.py

  This will output PASS if the console output contains the 100,000
  sequential integers as expected, or FAIL if parts of the output
  are missing due to the bug.

  
  Method 2

  This method does not require Python or pexpect.  Instead, the qemu source
  is modified to simulate a slow tty by forcing an EAGAIN return
  from every other write().  If qemu were working correctly, this
  change would not cause any data loss, because the writes would be
  retried, but in actuality, they are not retried, and the end result is
  that every other character in the guest output will be missing.

  Apply the following patch to the qemu source (this is against 2.0.0):

  --- ../qemu-2.0.0.orig/qemu-char.c  2014-04-17 16:44:45.0 +0300
  +++ ./qemu-char.c   2014-06-20 16:47:18.0 +0300
  @@ -779,6 +779,17 @@
   size_t offset = 0;
   GIOStatus status = G_IO_STATUS_NORMAL;

  +/*
  + * Simulate a tty with a limited output buffer by returning
  + * EAGAIN on every second call.
  + */
  +static unsigned int toggle = 0;
  +toggle++;
  +if (toggle  1) {
  +   errno = EAGAIN;
  +   return -1;
  +}
  +
   while (offset  len  status == G_IO_STATUS_NORMAL) {
   gsize bytes_written = 0;

  Build and install qemu.

  Run any serial console guest.  You could use the same Aboriginal Linux image
  as in Method 1, or for example the PLD RescueCD:

wget http://rescuecd.pld-linux.org/download/2011-02-12/x86/RCDx86_11_02.iso
qemu-system-i386 -nographic -cdrom RCDx86_11_02.iso

  If this command is run with an unmodified qemu, a set of boot messages
  will appear, starting with:

ISOLINUX 4.03 2010-10-22  Copyright (C) 1994-2010 H. Peter Anvin et
  al

  When qemu has been patched to simulate EAGAIN returns, every other
  character in the boot messages will be missing, so that the first line
  of output will instead read:

SLNX40 001-2 oyih C 9421 .PtrAvne l




Re: [Qemu-devel] [PATCH v10 18/18] Add qtest for vhost-user

2014-07-09 Thread Kevin Wolf
Am 27.05.2014 um 14:07 hat Nikolay Nikolaev geschrieben:
 This test creates a 'server' chardev to listen for vhost-user messages.
 Once VHOST_USER_SET_MEM_TABLE is received it mmaps each received region,
 and read 1k bytes from it. The read data is compared to data from readl.
 
 The test requires hugetlbfs to be already mounted and writable. The mount
 point defaults to '/hugetlbfs' and can be specified via the environment
 variable QTEST_HUGETLBFS_PATH.
 
 The rom pc-bios/pxe-virtio.rom is used to instantiate a virtio pcicontroller.
 
 Signed-off-by: Antonios Motakis a.mota...@virtualopensystems.com
 Signed-off-by: Nikolay Nikolaev n.nikol...@virtualopensystems.com

This breaks the test case build on RHEL 6 because G_TIME_SPAN_SECOND
apparently doesn't exist before glib 2.26.

Kevin



Re: [Qemu-devel] [PATCH] pass $($*.o-cflags) first to gcc/g++

2014-07-09 Thread Paolo Bonzini

Il 09/07/2014 22:34, Stefano Stabellini ha scritto:

rules.mak adds cflags specific to the target source file ($($@-cflags))
for last on the compiler command line.

As a consequence when compiling arm-a64.o, g++ might end up picking the
wrong utils.h header file, because it looks for utils.h on all the other
include paths first.

Fix the issue by passing the source file specific cflags first.
Do it consistently for *.c, *.cc, etc.

Signed-off-by: Stefano Stabellini stefano.stabell...@eu.citrix.com


You can just as well have a bug that requires you to put the option last 
(for example adding -Wno-something or -O0), which is why 
$($@-cflags)/$($*.o-cflags) comes last.


What package is it that has the conflicting utils.h file?  Any chance to 
get it fixed in your distro?  Here I get:


$ find /usr/include/ -name utils.h
/usr/include/libnl3/netlink/utils.h
/usr/include/libnl3/netlink/cli/utils.h
/usr/include/id3/utils.h
/usr/include/octave-3.6.4/octave/utils.h

but none of them have the path in -I.

Paolo



Re: [Qemu-devel] [PATCH v2 2.1 4/4] ide: Treat read/write beyond end as invalid

2014-07-09 Thread Kevin Wolf
Am 04.07.2014 um 15:32 hat Markus Armbruster geschrieben:
 The block layer fails such reads and writes just fine.  However, they
 then get treated like valid operations that fail: the error action
 gets executed.  Unwanted; reporting the error to the guest is the only
 sensible action.
 
 Reject them before passing them to the block layer.  This bypasses the
 error action and, for PIO but not DMA, I/O accounting.  Tolerable,
 because I/O accounting is an inconsistent mess anyway.
 
 Signed-off-by: Markus Armbruster arm...@redhat.com
 ---
  hw/ide/core.c | 28 
  1 file changed, 28 insertions(+)
 
 diff --git a/hw/ide/core.c b/hw/ide/core.c
 index 3a38f1e..63a500d 100644
 --- a/hw/ide/core.c
 +++ b/hw/ide/core.c
 @@ -499,6 +499,18 @@ static void ide_rw_error(IDEState *s) {
  ide_set_irq(s-bus);
  }
  
 +static bool ide_sect_range_ok(IDEState *s,
 +  uint64_t sector, uint64_t nb_sectors)
 +{
 +uint64_t total_sectors;
 +
 +bdrv_get_geometry(s-bs, total_sectors);
 +if (sector  total_sectors || nb_sectors  total_sectors - sector) {
 +return false;
 +}
 +return true;
 +}
 +
  static void ide_sector_read_cb(void *opaque, int ret)
  {
  IDEState *s = opaque;
 @@ -554,6 +566,11 @@ void ide_sector_read(IDEState *s)
  printf(sector=% PRId64 \n, sector_num);
  #endif
  
 +if (!ide_sect_range_ok(s, sector_num, n)) {
 +ide_rw_error(s);
 +return;
 +}
 +
  s-iov.iov_base = s-io_buffer;
  s-iov.iov_len  = n * BDRV_SECTOR_SIZE;
  qemu_iovec_init_external(s-qiov, s-iov, 1);
 @@ -671,6 +688,12 @@ void ide_dma_cb(void *opaque, int ret)
 sector_num, n, s-dma_cmd);
  #endif
  
 +if (!ide_sect_range_ok(s, sector_num, n)) {
 +dma_buf_commit(s);
 +ide_dma_error(s);
 +goto eot;

Are you sure that this should be 'goto eot' rather than just 'return'?
When jumping to eot, we do the I/O accounting (which we said we don't
care about) and call ide_set_inactive() for a second time. The condition
for setting BM_STATUS_DMAING is never met when coming from here.

I am worried about ide_set_inactive() doing double request cleanup.

Kevin



[Qemu-devel] [PULL for-2.1 00/10] KVM changes (+ misc small fixes) for 2.1

2014-07-09 Thread Paolo Bonzini
The following changes since commit 9d9de254c2b81b68cd48f2324cc753a570a4cdd8:

  MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2014-07-03 
12:36:15 +0100)

are available in the git repository at:

  git://github.com/bonzini/qemu.git 

for you to fetch changes up to 8bf3cc8370059a08996651a63cdabe0d2503b430:

  qtest: fix vhost-user-test compilation with old GLib (2014-07-09 17:36:15 
+0200)


Eduardo Habkost (1):
  target-i386: Add kvmclock-stable-bit feature bit name

James Hogan (4):
  mips/kvm: Init EBase to correct KSEG0
  mips_malta: Change default KVM cpu to 24Kc (no FP)
  mips_malta: Remove incorrect KVM TE references
  mips_malta: Catch kernels linked at wrong address

Miroslav Rezanina (1):
  Enforce stack protector usage

Nikolay Nikolaev (1):
  qtest: fix vhost-user-test compilation with old GLib

Paolo Bonzini (2):
  watchdog: fix deadlock with -watchdog-action pause
  mc146818rtc: register the clock reset notifier on the right clock

Stefan Weil (1):
  oslib-posix: Fix new compiler error with -Wclobbered

 configure   |  7 +++
 hw/mips/mips_malta.c| 27 +++
 hw/timer/mc146818rtc.c  |  2 +-
 hw/watchdog/watchdog.c  |  6 +-
 target-i386/cpu.c   |  2 +-
 target-mips/translate.c |  8 +++-
 tests/vhost-user-test.c |  4 
 util/oslib-posix.c  | 30 --
 8 files changed, 64 insertions(+), 22 deletions(-)
-- 
1.8.3.1




[Qemu-devel] [PULL 10/18] target-alpha: Implement WH64EN

2014-07-09 Thread Richard Henderson
Backward compatible cache insn introduced for EV7.

Reported-by: Al Viro v...@zeniv.linux.org.uk
Signed-off-by: Richard Henderson r...@twiddle.net
---
 target-alpha/translate.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/target-alpha/translate.c b/target-alpha/translate.c
index 6ea33f3..e0fc0a3 100644
--- a/target-alpha/translate.c
+++ b/target-alpha/translate.c
@@ -2333,6 +2333,10 @@ static ExitStatus translate_one(DisasContext *ctx, 
uint32_t insn)
 /* WH64 */
 /* No-op */
 break;
+case 0xFC00:
+/* WH64EN */
+/* No-op */
+break;
 default:
 goto invalid_opc;
 }
-- 
1.9.3




[Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun

2014-07-09 Thread Michael Roth
From: Peter Maydell peter.mayd...@linaro.org

The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.

Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.

Signed-off-by: Peter Maydell peter.mayd...@linaro.org
Reviewed-by: Dr. David Alan Gilbert dgilb...@redhat.com
Cc: qemu-sta...@nongnu.org
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 hw/net/stellaris_enet.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 9dd77f7..8a1d0d1 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -252,10 +252,12 @@ static void stellaris_enet_write(void *opaque, hwaddr 
offset,
 s-tx_fifo[s-tx_fifo_len++] = value  24;
 }
 } else {
-s-tx_fifo[s-tx_fifo_len++] = value;
-s-tx_fifo[s-tx_fifo_len++] = value  8;
-s-tx_fifo[s-tx_fifo_len++] = value  16;
-s-tx_fifo[s-tx_fifo_len++] = value  24;
+if (s-tx_fifo_len + 4 = ARRAY_SIZE(s-tx_fifo)) {
+s-tx_fifo[s-tx_fifo_len++] = value;
+s-tx_fifo[s-tx_fifo_len++] = value  8;
+s-tx_fifo[s-tx_fifo_len++] = value  16;
+s-tx_fifo[s-tx_fifo_len++] = value  24;
+}
 if (s-tx_fifo_len = s-tx_frame_len) {
 /* We don't implement explicit CRC, so just chop it off.  */
 if ((s-tctl  SE_TCTL_CRC) == 0)
-- 
1.9.1




Re: [Qemu-devel] [PATCH v9 03/14] qcow2: Optimize bdrv_make_empty()

2014-07-09 Thread Paolo Bonzini

Il 05/07/2014 19:47, Max Reitz ha scritto:

bdrv_make_empty() is currently only called if the current image
represents an external snapshot that has been committed to its base
image; it is therefore unlikely to have internal snapshots. In this
case, bdrv_make_empty() can be greatly sped up by creating an empty L1
table and dropping all data clusters at once by recreating the refcount
structure accordingly instead of normally discarding all clusters.

If there are snapshots, fall back to the simple implementation (discard
all clusters).


How much of this code could be reused by bdrv_create?

Paolo



Re: [Qemu-devel] [PATCH v9 06/14] block/mirror: Improve progress report

2014-07-09 Thread Paolo Bonzini

Il 07/07/2014 21:13, Eric Blake ha scritto:

On 07/05/2014 11:47 AM, Max Reitz wrote:

Instead of taking the total length of the block device as the block
job's length, use the number of dirty sectors. The progress is now the
number of sectors mirrored to the target block device. Note that this
may result in the job's length increasing during operation, which is
however in fact desirable.

Signed-off-by: Max Reitz mre...@redhat.com
---
 block/mirror.c | 34 ++
 1 file changed, 22 insertions(+), 12 deletions(-)


Reviewed-by: Eric Blake ebl...@redhat.com


This is an API change... IIUC the length can become bigger than the 
underlying device's size.  Eric, how would libvirt expose this to 
clients and what are the chances that they get confused?


Paolo




[Qemu-devel] [PATCH 01/10] AioContext: take bottom halves into account when computing aio_poll timeout

2014-07-09 Thread Paolo Bonzini
Right now, QEMU invokes aio_bh_poll before the poll phase
of aio_poll.  It is simpler to do it afterwards and skip the
poll phase altogether when the OS-dependent parts of AioContext
are invoked from GSource.  This way, AioContext behaves more
similarly when used as a GSource vs. when used as stand-alone.

As a start, take bottom halves into account when computing the
poll timeout.  If a bottom half is ready, do a non-blocking
poll.  As a side effect, this makes idle bottom halves work
with aio_poll; an improvement, but not really an important
one since they are deprecated.

Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 aio-posix.c |  2 +-
 aio-win32.c |  4 ++--
 async.c | 32 ++--
 include/block/aio.h |  8 
 4 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/aio-posix.c b/aio-posix.c
index 2eada2e..55706f8 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -249,7 +249,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
 /* wait until next event */
 ret = qemu_poll_ns((GPollFD *)ctx-pollfds-data,
  ctx-pollfds-len,
- blocking ? timerlistgroup_deadline_ns(ctx-tlg) : 0);
+ blocking ? aio_compute_timeout(ctx) : 0);
 
 /* if we have any readable fds, dispatch event */
 if (ret  0) {
diff --git a/aio-win32.c b/aio-win32.c
index c12f61e..fe7ee5b 100644
--- a/aio-win32.c
+++ b/aio-win32.c
@@ -165,8 +165,8 @@ bool aio_poll(AioContext *ctx, bool blocking)
 while (count  0) {
 int ret;
 
-timeout = blocking ?
-qemu_timeout_ns_to_ms(timerlistgroup_deadline_ns(ctx-tlg)) : 0;
+timeout = blocking
+? qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)) : 0;
 ret = WaitForMultipleObjects(count, events, FALSE, timeout);
 
 /* if we have any signaled events, dispatch event */
diff --git a/async.c b/async.c
index 34af0b2..ac40eab 100644
--- a/async.c
+++ b/async.c
@@ -152,39 +152,43 @@ void qemu_bh_delete(QEMUBH *bh)
 bh-deleted = 1;
 }
 
-static gboolean
-aio_ctx_prepare(GSource *source, gint*timeout)
+int
+aio_compute_timeout(AioContext *ctx)
 {
-AioContext *ctx = (AioContext *) source;
+int64_t deadline;
+int timeout = -1;
 QEMUBH *bh;
-int deadline;
 
-/* We assume there is no timeout already supplied */
-*timeout = -1;
 for (bh = ctx-first_bh; bh; bh = bh-next) {
 if (!bh-deleted  bh-scheduled) {
 if (bh-idle) {
 /* idle bottom halves will be polled at least
  * every 10ms */
-*timeout = 10;
+timeout = 1000;
 } else {
 /* non-idle bottom halves will be executed
  * immediately */
-*timeout = 0;
-return true;
+return 0;
 }
 }
 }
 
-deadline = qemu_timeout_ns_to_ms(timerlistgroup_deadline_ns(ctx-tlg));
+deadline = timerlistgroup_deadline_ns(ctx-tlg);
 if (deadline == 0) {
-*timeout = 0;
-return true;
+return 0;
 } else {
-*timeout = qemu_soonest_timeout(*timeout, deadline);
+return qemu_soonest_timeout(timeout, deadline);
 }
+}
 
-return false;
+static gboolean
+aio_ctx_prepare(GSource *source, gint*timeout)
+{
+AioContext *ctx = (AioContext *) source;
+
+/* We assume there is no timeout already supplied */
+*timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx));
+return *timeout == 0;
 }
 
 static gboolean
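Review bot: `aio_compute_timeout` now yields a nanosecond value — `deadline` comes from `timerlistgroup_deadline_ns()` and the aio-posix.c hunk passes the result straight to `qemu_poll_ns()` — but the return type and the local are `int`, so `return qemu_soonest_timeout(timeout, deadline);` truncates an int64_t deadline longer than roughly 2.1 s and can produce a wrong or negative timeout. The idle-bottom-half constant has the same unit problem: the comment still says "at least every 10ms" while `timeout = 1000;` is 1 µs in nanoseconds. Changing `int aio_compute_timeout(AioContext *ctx)` to `int64_t aio_compute_timeout(AioContext *ctx)`, `int64_t timeout = -1;` and `timeout = 10000000;` fixes both; the declaration in the include/block/aio.h hunk needs the same return type.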
diff --git a/include/block/aio.h b/include/block/aio.h
index c23de3c..7eeb961 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -303,4 +303,12 @@ static inline void aio_timer_init(AioContext *ctx,
 timer_init(ts, ctx-tlg.tl[type], scale, cb, opaque);
 }
 
+/**
+ * aio_compute_timeout:
+ * @ctx: the aio context
+ *
+ * Compute the timeout that a blocking aio_poll should use.
+ */
+int aio_compute_timeout(AioContext *ctx);
+
 #endif
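Review bot: The new doc comment does not say what unit the return value is in, which callers must know — the aio-posix.c hunk feeds it directly to qemu_poll_ns() while the aio-win32.c hunk converts it with qemu_timeout_ns_to_ms(). Suggest adding `* Returns: the timeout in nanoseconds, 0 if a bottom half or timer is already due,` and, if -1 is indeed the no-deadline sentinel here as the initialisation in async.c suggests, `* or -1 if there is no deadline.` before the closing of the comment block.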
-- 
1.9.3





Re: [Qemu-devel] [PATCH v9 06/14] block/mirror: Improve progress report

2014-07-09 Thread Eric Blake
On 07/09/2014 03:24 PM, Paolo Bonzini wrote:
 Il 07/07/2014 21:13, Eric Blake ha scritto:
 On 07/05/2014 11:47 AM, Max Reitz wrote:
 Instead of taking the total length of the block device as the block
 job's length, use the number of dirty sectors. The progress is now the
 number of sectors mirrored to the target block device. Note that this
 may result in the job's length increasing during operation, which is
 however in fact desirable.

 Signed-off-by: Max Reitz mre...@redhat.com
 ---
  block/mirror.c | 34 ++
  1 file changed, 22 insertions(+), 12 deletions(-)

 Reviewed-by: Eric Blake ebl...@redhat.com
 
 This is an API change... IIUC the length can become bigger than the
 underlying device's size.  Eric, how would libvirt expose this to
 clients and what are the chances that they get confused?

Libvirt has already documented that a job size is unrelated to the block
device size, that it is only an approximation to completion, and that
the completion number may change during operation.  The only hard and
fast rule is that the job is finished when the two counters are equal.
I recommended this change precisely because the new semantics are better
than the old, including how libvirt exposes the numbers to the end user
- if the end parameter continues to grow more than the current
parameter, it is DESIRABLE to expose that as sign that the guest is
dirtying pages fast enough to cause problems in converging the block job.

http://libvirt.org/html/libvirt-libvirt.html#virDomainBlockJobInfo
The following fields provide an indication of block job progress. @cur
indicates the current position and will be between 0 and @end. @end is
the final cursor position for this operation and represents completion.
To approximate progress, divide @cur by @end.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH 122/156] target-xtensa: fix cross-page jumps/calls at the end of TB

2014-07-09 Thread Michael Roth
From: Max Filippov jcmvb...@gmail.com

Use tb-pc instead of dc-pc to check for cross-page jumps.
When TB translation stops at the page boundary dc-pc points to the next
page allowing chaining to TBs in it, which is wrong.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Max Filippov jcmvb...@gmail.com
(cherry picked from commit 433d33c555deeed375996e338df1a9510df401c6)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 target-xtensa/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-xtensa/translate.c b/target-xtensa/translate.c
index 2d2df33..7d34326 100644
--- a/target-xtensa/translate.c
+++ b/target-xtensa/translate.c
@@ -414,7 +414,7 @@ static void gen_jump(DisasContext *dc, TCGv dest)
 static void gen_jumpi(DisasContext *dc, uint32_t dest, int slot)
 {
 TCGv_i32 tmp = tcg_const_i32(dest);
-if (((dc-pc ^ dest)  TARGET_PAGE_MASK) != 0) {
+if (((dc-tb-pc ^ dest)  TARGET_PAGE_MASK) != 0) {
 slot = -1;
 }
 gen_jump_slot(dc, tmp, slot);
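Review bot: The cross-page test `((dc->tb->pc ^ dest) & TARGET_PAGE_MASK) != 0` is written out identically in gen_jumpi here and in gen_callwi in the next hunk, and this commit shows why that is fragile: both copies carried the same dc->pc defect and had to be fixed in lockstep. A small helper such as `static bool gen_is_cross_page(DisasContext *dc, uint32_t dest) { return ((dc->tb->pc ^ dest) & TARGET_PAGE_MASK) != 0; }` called from both sites would keep them in sync and give the check a name. A one-line comment on the helper saying why tb->pc rather than dc->pc is the reference point (dc->pc may already point into the next page when translation stops at a page boundary, per the commit message) would preserve the reasoning in the code.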
@@ -442,7 +442,7 @@ static void gen_callw(DisasContext *dc, int callinc, 
TCGv_i32 dest)
 static void gen_callwi(DisasContext *dc, int callinc, uint32_t dest, int slot)
 {
 TCGv_i32 tmp = tcg_const_i32(dest);
-if (((dc-pc ^ dest)  TARGET_PAGE_MASK) != 0) {
+if (((dc-tb-pc ^ dest)  TARGET_PAGE_MASK) != 0) {
 slot = -1;
 }
 gen_callw_slot(dc, callinc, tmp, slot);
-- 
1.9.1




Re: [Qemu-devel] [PATCH v9 03/14] qcow2: Optimize bdrv_make_empty()

2014-07-09 Thread Max Reitz

On 09.07.2014 23:22, Paolo Bonzini wrote:

Il 05/07/2014 19:47, Max Reitz ha scritto:

bdrv_make_empty() is currently only called if the current image
represents an external snapshot that has been committed to its base
image; it is therefore unlikely to have internal snapshots. In this
case, bdrv_make_empty() can be greatly sped up by creating an empty L1
table and dropping all data clusters at once by recreating the refcount
structure accordingly instead of normally discarding all clusters.

If there are snapshots, fall back to the simple implementation (discard
all clusters).


How much of this code could be reused by bdrv_create?


Currently, none. The latest version of Hu Tao's preallocation series 
reuses minimal_blob_size().


The point of this code is to empty an image at runtime while keeping it 
consistent all the time. bdrv_open() does not have that problem; there 
are no pre-existing structures, therefore it can just go and create 
them. bdrv_make_empty() has to be careful (in this version) not to 
overwrite any data or metadata while relocating the structures.


Kevin proposed another version which just marks the image dirty, clears 
the L1 table, relocates it and then writes minimal refcount structures. 
This will be shorter and in principle similar to how bdrv_open() works, 
but isn't worth sharing either.


Max



[Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

Gets rid of integer overflows resulting in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Stefan Hajnoczi stefa...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit 246f65838d19db6db55bfb41117c35645a2c4789)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/bochs.c  | 16 
 tests/qemu-iotests/078 |  8 
 tests/qemu-iotests/078.out |  4 
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 708780d..04cca71 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
 typedef struct BDRVBochsState {
 CoMutex lock;
 uint32_t *catalog_bitmap;
-int catalog_size;
+uint32_t catalog_size;
 
-int data_offset;
+uint32_t data_offset;
 
-int bitmap_blocks;
-int extent_blocks;
-int extent_size;
+uint32_t bitmap_blocks;
+uint32_t extent_blocks;
+uint32_t extent_size;
 } BDRVBochsState;
 
 static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
@@ -97,7 +97,7 @@ static int bochs_open(BlockDriverState *bs, QDict *options, 
int flags,
   Error **errp)
 {
 BDRVBochsState *s = bs-opaque;
-int i;
+uint32_t i;
 struct bochs_header bochs;
 int ret;
 
@@ -152,8 +152,8 @@ fail:
 static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
 {
 BDRVBochsState *s = bs-opaque;
-int64_t offset = sector_num * 512;
-int64_t extent_index, extent_offset, bitmap_offset;
+uint64_t offset = sector_num * 512;
+uint64_t extent_index, extent_offset, bitmap_offset;
 char bitmap_entry;
 
 // seek to sector
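Review bot: `uint64_t offset = sector_num * 512;` still performs the multiplication in signed int64_t arithmetic, because `sector_num` keeps its int64_t type; only the product is stored unsigned. If a negative or very large sector_num can reach this function (the block layer presumably bounds it, but that is not visible here), the signed product is either negative before conversion or undefined behaviour on overflow, which undercuts the point of the switch to unsigned. `uint64_t offset = (uint64_t)sector_num * 512;` makes the whole computation unsigned, and a `sector_num < 0` guard returning an error at the top would make the contract explicit. The rest of seek_to_sector is outside the hunk.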
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index f55f46d..73b573a 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -42,11 +42,19 @@ _supported_fmt bochs
 _supported_proto generic
 _supported_os Linux
 
+catalog_size_offset=$((0x48))
+
 echo
 echo == Read from a valid image ==
 _use_sample_img empty.bochs.bz2
 { $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
 
+echo
+echo == Negative catalog size ==
+_use_sample_img empty.bochs.bz2
+poke_file $TEST_IMG $catalog_size_offset \xff\xff\xff\xff
+{ $QEMU_IO -c read 0 512 $TEST_IMG; } 21 | _filter_qemu_io | 
_filter_testdir
+
 # success, all done
 echo *** done
 rm -f $seq.full
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index 25d37c5..ef8c42d 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -3,4 +3,8 @@ QA output created by 078
 == Read from a valid image ==
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== Negative catalog size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 
'TEST_DIR/empty.bochs': Interrupted system call
+no file open, try 'help open'
 *** done
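Review bot: The expected output for the negative-catalog-size case records `Interrupted system call`, which is the strerror text for EINTR — an errno that cannot legitimately come from a header-validation failure and suggests the open path is propagating a leftover or unrelated return value rather than a deliberate one. Enshrining it in 078.out makes a misleading error message part of the regression baseline; the rejection in bochs_open (not in this patch's hunks) should return a specific code such as -EFBIG or -EINVAL with an error_setg() message, and the .out line updated to match. This is inferred from the output alone, since the code that produces it is not in the diff.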
-- 
1.9.1




Re: [Qemu-devel] [PATCH for 2.1 V2] qemu-img info: show nocow info

2014-07-09 Thread Chun Yan Liu


 On 7/9/2014 at 09:08 AM, in message 53bc9606.50...@redhat.com, Eric Blake
ebl...@redhat.com wrote: 
 On 07/07/2014 09:08 PM, Chunyan Liu wrote: 
  Add nocow info in 'qemu-img info' output to show whether the file 
  currently has NOCOW flag set or not. 
   
  Signed-off-by: Chunyan Liu cy...@suse.com 
  --- 
  Changes: 
- add documentation of nocow in qapi/block-core.json. 
   
  
  @@ -625,4 +646,8 @@ void bdrv_image_info_dump(fprintf_function  
 func_fprintf, void *f, 
   func_fprintf(f, Format specific information:\n); 
   bdrv_image_info_specific_dump(func_fprintf, f,  
 info-format_specific); 
   } 
  + 
  +if (info-has_nocow  info-nocow) { 
  +func_fprintf(f, Set NOCOW flag: yes\n); 
  
 Reads awkwardly.  How about: 
  
 NOCOW flag: set 

Got it. Will Update. Thanks!

  
 (and if we could reliably tell that the fs supports nocow but the flag 
 is clear, then we could have 'NOCOW flag: clear') 
  
 --  
 Eric Blake   eblake redhat com+1-919-301-3266 
 Libvirt virtualization library http://libvirt.org 
  
  





[Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref

2014-07-09 Thread Michael Roth
From: Kevin Wolf kw...@redhat.com

In order to avoid integer overflows.

Signed-off-by: Kevin Wolf kw...@redhat.com
Reviewed-by: Max Reitz mre...@redhat.com
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
(cherry picked from commit bb572aefbdac290363bfa5ca0e810ccce0a14ed6)
Signed-off-by: Michael Roth mdr...@linux.vnet.ibm.com
---
 block/qcow2-refcount.c | 11 ++-
 block/qcow2.h  |  6 +++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 29e25a7..8a968d1 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -28,7 +28,7 @@
 #include qemu/range.h
 #include qapi/qmp/types.h
 
-static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size);
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size);
 static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
 int64_t offset, int64_t length,
 int addend, enum qcow2_discard_type type);
@@ -634,15 +634,16 @@ int qcow2_update_cluster_refcount(BlockDriverState *bs,
 
 
 /* return  0 if error */
-static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size)
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size)
 {
 BDRVQcowState *s = bs-opaque;
-int i, nb_clusters, refcount;
+uint64_t i, nb_clusters;
+int refcount;
 
 nb_clusters = size_to_clusters(s, size);
 retry:
 for(i = 0; i  nb_clusters; i++) {
-int64_t next_cluster_index = s-free_cluster_index++;
+uint64_t next_cluster_index = s-free_cluster_index++;
 refcount = get_refcount(bs, next_cluster_index);
 
 if (refcount  0) {
@@ -659,7 +660,7 @@ retry:
 return (s-free_cluster_index - nb_clusters)  s-cluster_bits;
 }
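Review bot: `return (s->free_cluster_index - nb_clusters) << s->cluster_bits;` now computes a uint64_t and implicitly converts it to the int64_t return type, so a value above INT64_MAX becomes negative and is read by callers as an error under the "return < 0 if error" comment — a safe failure, but implementation-defined and silent. A guard placed before the return, `if (s->free_cluster_index > (uint64_t)INT64_MAX >> s->cluster_bits) { return -EFBIG; }`, would make the bound explicit and sits before the shift so the shift itself cannot wrap. The same uint64_t-to-signed conversion applies to `next_cluster_index` passed to get_refcount() in the previous hunk if that function takes an int64_t index. The middle of alloc_clusters_noref is outside the two hunks.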
 
-int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
+int64_t qcow2_alloc_clusters(BlockDriverState *bs, uint64_t size)
 {
 int64_t offset;
 int ret;
diff --git a/block/qcow2.h b/block/qcow2.h
index e1b4c4b..a20d91f 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -222,8 +222,8 @@ typedef struct BDRVQcowState {
 uint64_t *refcount_table;
 uint64_t refcount_table_offset;
 uint32_t refcount_table_size;
-int64_t free_cluster_index;
-int64_t free_byte_offset;
+uint64_t free_cluster_index;
+uint64_t free_byte_offset;
 
 CoMutex lock;
 
@@ -467,7 +467,7 @@ void qcow2_refcount_close(BlockDriverState *bs);
 int qcow2_update_cluster_refcount(BlockDriverState *bs, int64_t cluster_index,
   int addend, enum qcow2_discard_type type);
 
-int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size);
+int64_t qcow2_alloc_clusters(BlockDriverState *bs, uint64_t size);
 int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
 int nb_clusters);
 int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size);
-- 
1.9.1




Re: [Qemu-devel] [PATCH] migration: catch unknown flag combinations in ram_load

2014-07-09 Thread Peter Lieven
Hi Juan,

Am 25.06.2014 um 13:55 schrieb Juan Quintela quint...@redhat.com:

 Peter Lieven p...@kamp.de wrote:
 this patch extends commit db80fac by not only checking
 for unknown flags, but also filtering out unknown flag
 combinations.
 
 Suggested-by: Eric Blake ebl...@redhat.com
 Signed-off-by: Peter Lieven p...@kamp.de
 
 Reviewed-by: Juan Quintela quint...@redhat.com
 
 Will be on next pull request, thanks.
 

Have you forgotten to pull this one? It might be too late for 2.1 though.

Peter



Re: [Qemu-devel] [Qemu-trivial] [PATCH] Fix new typos in comments (found by codespell)

2014-07-09 Thread Michael Tokarev

07.07.2014 21:00, Stefan Weil пишет:

arbitary - arbitrary
basicly - basically


Thanks, applied to the -trivial branch.

/mjt



[Qemu-devel] [PULL 04/10] mips_malta: Catch kernels linked at wrong address

2014-07-09 Thread Paolo Bonzini
From: James Hogan james.ho...@imgtec.com

Add error reporting if the wrong type of kernel is provided for the
current mode of acceleration.

Currently a KVM kernel linked at 0x4000 can't be used with TCG, and
a normal kernel linked at 0x8000 can't be used with KVM.

Cc: Aurelien Jarno aurel...@aurel32.net
Cc: Paolo Bonzini pbonz...@redhat.com
Signed-off-by: James Hogan james.ho...@imgtec.com
Reviewed-by: Aurelien Jarno aurel...@aurel32.net
Signed-off-by: Paolo Bonzini pbonz...@redhat.com
---
 hw/mips/mips_malta.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 76cf5f2..95df42e 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -792,9 +792,23 @@ static int64_t load_kernel (void)
 loaderparams.kernel_filename);
 exit(1);
 }
+
+/* Sanity check where the kernel has been linked */
 if (kvm_enabled()) {
+if (kernel_entry  0x8000ll) {
+error_report(KVM guest kernels must be linked in useg. 
+ Did you forget to enable CONFIG_KVM_GUEST?);
+exit(1);
+}
+
 xlate_to_kseg0 = cpu_mips_kvm_um_phys_to_kseg0;
 } else {
+if (!(kernel_entry  0x8000ll)) {
+error_report(KVM guest kernels aren't supported with TCG. 
+ Did you unintentionally enable CONFIG_KVM_GUEST?);
+exit(1);
+}
+
 xlate_to_kseg0 = cpu_mips_phys_to_kseg0;
 }
 
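Review bot: The useg/kseg0 boundary literal appears twice in the new checks, once in the `kernel_entry & ...ll` test and once negated, with no comment saying that the high bit of the 32-bit virtual address is what separates useg from kseg0. Replacing the literal with a named constant and adding `/* Bit 31 set: kseg0 (TCG kernel); clear: useg (KVM guest kernel) */` above the `if (kvm_enabled())` would make both branches self-explanatory and keep the two tests from drifting apart. Both error paths call exit(1), consistent with the existing failure just above the hunk; load_kernel starts outside the hunk.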
-- 
1.8.3.1




