Xie Yongji [Wed, 20 Mar 2019 11:26:40 +0000 (19:26 +0800)]
virtio: Introduce started flag to VirtioDevice
The virtio 1.0 transitional devices support driver uses the device
before setting the DRIVER_OK status bit. So we introduce a started
flag to indicate whether driver has started the device or not.
Signed-off-by: Xie Yongji <xieyongji@baidu.com> Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Message-Id: <20190320112646.3712-2-xieyongji@baidu.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20190315180735.13096-1-marcandre.lureau@redhat.com> Reviewed-by: Jens Freimann <jfreimann@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Relying on setting properties on parents types which may not
be relevant to certain sub-classes had unexpected side-effects
causing bugs in device config defaults. It is preferrable to
be explicit about which devices get which properties, even if
this needs repetition.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190215103239.28640-3-berrange@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
hw: report invalid disable-legacy|modern usage for virtio-1-only devs
A number of virtio devices (gpu, crypto, mouse, keyboard, tablet) only
support the virtio-1 (aka modern) mode. Currently if the user launches
QEMU, setting those devices to enable legacy mode, QEMU will silently
create them in modern mode, ignoring the user's (mistaken) request.
This patch introduces proper data validation so that an attempt to
configure a virtio-1-only devices in legacy mode gets reported as an
error to the user.
Checking this required introduction of a new field to explicitly track
what operating model is to be used for a device, separately from the
disable_modern and disable_legacy fields that record the user's
requested configuration.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190215103239.28640-2-berrange@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Peter Maydell [Mon, 20 May 2019 16:22:05 +0000 (17:22 +0100)]
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- block: AioContext management, part 1
- qmp: forbid qmp_cont in RUN_STATE_FINISH_MIGRATE
- nvme: fix copy direction in DMA reads going to CMB
- file-posix: Fix block status for unaligned raw images with O_DIRECT
- file-posix: Fix xfs_write_zeroes() after EOF
- Documentation and iotests improvements
# gpg: Signature made Mon 20 May 2019 16:12:38 BST
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream: (24 commits)
iotests: Make 245 faster and more reliable
iotests.py: Fix VM.run_job
iotests.py: Let assert_qmp() accept an array
block: Improve "Block node is read-only" message
qemu-img.texi: Describe human-readable info output
qemu-img.texi: Be specific about JSON object types
iotests: Test unaligned raw images with O_DIRECT
block/file-posix: Unaligned O_DIRECT block-status
test-block-iothread: Test AioContext propagation for block jobs
blockjob: Remove AioContext notifiers
blockjob: Propagate AioContext change to all job nodes
block: Add blk_set_allow_aio_context_change()
block: Implement .(can_)set_aio_ctx for BlockBackend
test-block-iothread: Test AioContext propagation through the tree
block: Propagate AioContext change to parents
block: Move recursion to bdrv_set_aio_context()
block: Make bdrv_attach/detach_aio_context() static
block: Add bdrv_try_set_aio_context()
nvme: fix copy direction in DMA reads going to CMB
iotest: fix 169: do not run qmp_cont in RUN_STATE_FINISH_MIGRATE
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Max Reitz [Wed, 15 May 2019 20:15:03 +0000 (22:15 +0200)]
iotests: Make 245 faster and more reliable
Sometimes, 245 fails for me because some stream job has already finished
while the test expects it to still be active. (With -c none, it fails
basically every time.) The most reliable way to fix this is to simply
set auto_finalize=false so the job will remain in the block graph as
long as we need it. This allows us to drop the rate limiting, too,
which makes the test faster.
The only problem with this is that there is a single place that yields a
different error message depending on whether the stream job is still
copying data (so COR is enabled) or not (COR has been disabled, but the
job still has the WRITE_UNCHANGED permission on the target node). We
can easily address that by expecting either error message.
Note that we do not need auto_finalize=false (or rate limiting) for the
active commit job, because It never completes without an explicit
block-job-complete anyway.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 20:15:02 +0000 (22:15 +0200)]
iotests.py: Fix VM.run_job
log() is in the current module, there is no need to prefix it. In fact,
doing so may make VM.run_job() unusable in tests that never use
iotests.log() themselves.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 20:15:01 +0000 (22:15 +0200)]
iotests.py: Let assert_qmp() accept an array
Sometimes we cannot tell which error message qemu will emit, and we do
not care. With this change, we can then just pass an array of all
possible messages to assert_qmp() and it will choose the right one.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 20:15:00 +0000 (22:15 +0200)]
block: Improve "Block node is read-only" message
This message does not make any sense when it appears as the response to
making an R/W node read-only. We should detect that case and emit a
different message, then.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 07:59:17 +0000 (09:59 +0200)]
qemu-img.texi: Describe human-readable info output
Ideally, it should be self-explanatory. However, keys like "disk size"
arguably really are not self-explanatory. In any case, there is no harm
in going into a some more detail here.
Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 07:59:16 +0000 (09:59 +0200)]
qemu-img.texi: Be specific about JSON object types
Just writing that --output=json outputs JSON information does not really
help; we should also make a note of what QAPI type the result object
has. (The map subcommand does not emit a QAPI-typed object, but its
section already describes the object structure well enough.)
Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 04:15:41 +0000 (06:15 +0200)]
iotests: Test unaligned raw images with O_DIRECT
We already have 221 for accesses through the page cache, but it is
better to create a new file for O_DIRECT instead of integrating those
test cases into 221. This way, we can make use of
_supported_cache_modes (and _default_cache_mode) so the test is
automatically skipped on filesystems that do not support O_DIRECT.
As part of the split, add _supported_cache_modes to 221. With that, it
no longer fails when run with -c none or -c directsync.
Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Wed, 15 May 2019 04:15:40 +0000 (06:15 +0200)]
block/file-posix: Unaligned O_DIRECT block-status
Currently, qemu crashes whenever someone queries the block status of an
unaligned image tail of an O_DIRECT image:
$ echo > foo
$ qemu-img map --image-opts driver=file,filename=foo,cache.direct=on
Offset Length Mapped to File
qemu-img: block/io.c:2093: bdrv_co_block_status: Assertion `*pnum &&
QEMU_IS_ALIGNED(*pnum, align) && align > offset - aligned_offset'
failed.
This is because bdrv_co_block_status() checks that the result returned
by the driver's implementation is aligned to the request_alignment, but
file-posix can fail to do so, which is actually mentioned in a comment
there: "[...] possibly including a partial sector at EOF".
Fix this by rounding up those partial sectors.
There are two possible alternative fixes:
(1) We could refuse to open unaligned image files with O_DIRECT
altogether. That sounds reasonable until you realize that qcow2
does necessarily not fill up its metadata clusters, and that nobody
runs qemu-img create with O_DIRECT. Therefore, unpreallocated qcow2
files usually have an unaligned image tail.
(2) bdrv_co_block_status() could ignore unaligned tails. It actually
throws away everything past the EOF already, so that sounds
reasonable.
Unfortunately, the block layer knows file lengths only with a
granularity of BDRV_SECTOR_SIZE, so bdrv_co_block_status() usually
would have to guess whether its file length information is inexact
or whether the driver is broken.
Fixing what raw_co_block_status() returns is the safest thing to do.
There seems to be no other block driver that sets request_alignment and
does not make sure that it always returns aligned values.
Cc: qemu-stable@nongnu.org Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Mon, 6 May 2019 17:18:04 +0000 (19:18 +0200)]
blockjob: Remove AioContext notifiers
The notifiers made sure that the job is quiesced and that the
job->aio_context field is updated. The first part is unnecessary today
since bdrv_set_aio_context_ignore() drains the block node, and this
means drainig the block job, too. The second part can be done in the
.set_aio_ctx callback of the block job BdrvChildRole.
The notifiers were problematic because they poll the AioContext while
the graph is in an inconsistent state with some nodes already in the new
context, but others still in the old context. So removing the notifiers
not only simplifies the code, but actually makes the code safer.
Kevin Wolf [Mon, 6 May 2019 17:18:03 +0000 (19:18 +0200)]
blockjob: Propagate AioContext change to all job nodes
Block jobs require that all of the nodes the job is using are in the
same AioContext. Therefore all BdrvChild objects of the job propagate
.(can_)set_aio_context to all other job nodes, so that the switch is
checked and performed consistently even if both nodes are in different
subtrees.
Kevin Wolf [Mon, 6 May 2019 17:18:02 +0000 (19:18 +0200)]
block: Add blk_set_allow_aio_context_change()
Some users (like block jobs) can tolerate an AioContext change for their
BlockBackend. Add a function that tells the BlockBackend that it can
allow changes.
Kevin Wolf [Mon, 6 May 2019 17:18:01 +0000 (19:18 +0200)]
block: Implement .(can_)set_aio_ctx for BlockBackend
bdrv_try_set_aio_context() currently fails if a BlockBackend is attached
to a node because it doesn't implement the BdrvChildRole callbacks for
AioContext management.
We can allow changing the AioContext of monitor-owned BlockBackends as
long as no device is attached to them.
When setting the AioContext of the root node of a BlockBackend, we now
need to pass blk->root as an ignored child because we don't want the
root node to recursively call back into BlockBackend and execute
blk_do_set_aio_context() a second time.
Kevin Wolf [Mon, 6 May 2019 17:17:59 +0000 (19:17 +0200)]
block: Propagate AioContext change to parents
All block nodes and users in any connected component of the block graph
must be in the same AioContext, so changing the AioContext of one node
must not only change all of its children, but all of its parents (and
in turn their children etc.) as well.
Kevin Wolf [Mon, 6 May 2019 17:17:58 +0000 (19:17 +0200)]
block: Move recursion to bdrv_set_aio_context()
Instead of having two recursions, in bdrv_attach_aio_context() and in
bdrv_detach_aio_context(), just having one recursion is enough. Said
functions are only about a single node now.
It is important that the recursion doesn't happen between detaching and
attaching a context to the current node because the nested call will
drain the node, and draining with a NULL context would segfault.
Kevin Wolf [Mon, 6 May 2019 17:17:57 +0000 (19:17 +0200)]
block: Make bdrv_attach/detach_aio_context() static
Since commit b97511c7bc8, there is no reason for block drivers any more
to call these functions (see the function comment in block_int.h). They
are now just internal helper functions for bdrv_set_aio_context()
and can be made static.
Kevin Wolf [Mon, 6 May 2019 17:17:56 +0000 (19:17 +0200)]
block: Add bdrv_try_set_aio_context()
Eventually, we want to make sure that all parents and all children of a
node are in the same AioContext as the node itself. This means that
changing the AioContext may fail because one of the other involved
parties (e.g. a guest device that was configured with an iothread)
cannot allow switching to a different AioContext.
Introduce a set of functions that allow to first check whether all
involved nodes can switch to a new context and only then do the actual
switch. The check recursively covers children and parents.
nvme: fix copy direction in DMA reads going to CMB
`nvme_dma_read_prp` erronously used `qemu_iovec_*to*_buf` instead of
`qemu_iovec_*from*_buf` when the request involved the controller memory
buffer.
Signed-off-by: Klaus Birkelund Jensen <klaus.jensen@cnexlabs.com> Reviewed-by: Kenneth Heitke <kenneth.heitke@intel.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
iotest: fix 169: do not run qmp_cont in RUN_STATE_FINISH_MIGRATE
qmp_cont fails if vm in RUN_STATE_FINISH_MIGRATE, so let's wait for
final RUN_STATE_POSTMIGRATE. Also, while being here, check qmp_cont
result.
Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Tested-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
qmp_cont in RUN_STATE_FINISH_MIGRATE may lead to moving vm to
RUN_STATE_RUNNING, before actual migration finish. So, when migration
thread will try to go to RUN_STATE_POSTMIGRATE, assuming transition
RUN_STATE_FINISH_MIGRATE->RUN_STATE_POSTMIGRATE, it will crash, as
current state is RUN_STATE_RUNNING, and transition
RUN_STATE_RUNNING->RUN_STATE_POSTMIGRATE is forbidden.
Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Alberto Garcia [Tue, 14 May 2019 13:57:35 +0000 (16:57 +0300)]
block: Use BDRV_REQUEST_MAX_BYTES instead of BDRV_REQUEST_MAX_SECTORS
There are a few places in which we turn a number of bytes into sectors
in order to compare the result against BDRV_REQUEST_MAX_SECTORS
instead of using BDRV_REQUEST_MAX_BYTES directly.
Signed-off-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Alberto Garcia [Fri, 10 May 2019 16:22:54 +0000 (19:22 +0300)]
qcow2: Define and use QCOW2_COMPRESSED_SECTOR_SIZE
When an L2 table entry points to a compressed cluster the space used
by the data is specified in 512-byte sectors. This size is independent
from BDRV_SECTOR_SIZE and is specific to the qcow2 file format.
The QCOW2_COMPRESSED_SECTOR_SIZE constant defined in this patch makes
this explicit.
Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Max Reitz [Fri, 10 May 2019 21:12:44 +0000 (23:12 +0200)]
block/file-posix: Truncate in xfs_write_zeroes()
XFS_IOC_ZERO_RANGE does not increase the file length:
$ touch foo
$ xfs_io -c 'zero 0 65536' foo
$ stat -c "size=%s, blocks=%b" foo
size=0, blocks=128
We do want writes beyond the EOF to automatically increase the file
length, however. This is evidenced by the fact that iotest 061 is
broken on XFS since qcow2's check implementation checks for blocks
beyond the EOF.
Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Peter Maydell [Mon, 20 May 2019 09:51:42 +0000 (10:51 +0100)]
Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging
This fixes the virtfs documentation (LP 1581976), deprecates the
-virtfs_synth command line option, along with some assorted cleanups.
# gpg: Signature made Fri 17 May 2019 19:29:40 BST
# gpg: using RSA key B4828BAF943140CEF2A3491071D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>" [full]
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>" [full]
# gpg: aka "[jpeg image of size 3330]" [full]
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6
* remotes/gkurz/tags/for-upstream:
virtfs: Fix documentation of -fsdev and -virtfs
vl: Deprecate -virtfs_synth
fsdev: Error out when unsupported option is passed
fsdev: Move some types definition to qemu-fsdev.c
fsdev: Drop unused opaque field
fsdev: Drop unused extern declaration
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
# Conflicts:
# qemu-deprecated.texi
Record the software fp control register, as set by the
osf_setsysinfo syscall. Add those masked exceptions
to fpcr_exc_enable. Do not raise a signal for masked
fp exceptions.
Fixes: https://bugs.launchpad.net/bugs/1701835 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Drop the "RI" and "FIR" prefixes; use only the normal linux names.
Add the FPCR to the dump.
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
* remotes/kraxel/tags/ui-20190517-pull-request:
kbd-state: fix autorepeat handling
ui/console: Precautionary glBindTexture and surface->texture validation in surface_gl_update_texture
ui/curses: manipulate cchar_t with standard curses functions
ui/curses: do not assume wchar_t contains unicode
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Greg Kurz [Fri, 17 May 2019 15:34:49 +0000 (17:34 +0200)]
virtfs: Fix documentation of -fsdev and -virtfs
This fixes several things:
- add "id" description to -virtfs documentation
- split the description into several lines in both usage and documentation
for accurateness and clarity
- add documentation and usage of the synth fsdriver
- add "throttling.*" description to -fsdev local
- add some missing periods
- add proper reference to the virtfs-proxy-helper(1) manual page
- document that the virtio device may be either virtio-9p-pci, virtio-9p-ccw
or virtio-9p-device, depending on the machine type
Greg Kurz [Fri, 17 May 2019 15:34:48 +0000 (17:34 +0200)]
vl: Deprecate -virtfs_synth
The synth fsdriver never got used for anything else but the QTest
testcase for VirtIO 9P. And even there, QTest uses -fsdev synth and
-device virtio-9p-... directly.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Greg Kurz [Fri, 17 May 2019 15:34:48 +0000 (17:34 +0200)]
fsdev: Error out when unsupported option is passed
Each fsdriver only supports a subset of the options that can be passed
to -fsdev. Unsupported options are simply ignored. This could cause the
user to erroneously think QEMU has a bug.
Enforce strict checking of supported options for all fsdrivers. This
shouldn't impact libvirt, since it doesn't know about the synth and
proxy fsdrivers.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Eric Blake <eblake@redhat.com>
Greg Kurz [Fri, 17 May 2019 15:34:48 +0000 (17:34 +0200)]
fsdev: Move some types definition to qemu-fsdev.c
It would make sense for these types to be defined in a header file if
we had an API for fsdrivers to register themselves. In practice, we
only have three of them and it is very unlikely we add new ones since
the future of file sharing between host and guest is the upcoming
virtio-fs.
Move the types to qemu-fsdev.c instead since they are only used there.
Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Peter Maydell [Fri, 17 May 2019 15:17:34 +0000 (16:17 +0100)]
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Mostly bugfixes and cleanups, the most important being
"megasas: fix mapped frame size" from Peter Lieven.
In addition, -realtime is marked as deprecated.
* remotes/bonzini/tags/for-upstream: (21 commits)
hw/net/ne2000: Extract the PCI device from the chipset common code
hw/char: Move multi-serial devices into separate file
ioapic: allow buggy guests mishandling level-triggered interrupts to make progress
build: don't build hardware objects with linux-user
build: chardev is only needed for softmmu targets
configure: qemu-ga is only needed with softmmu targets
build: replace GENERATED_FILES by generated-files-y
trace: only include trace-event-subdirs when they are needed
sun4m: obey -vga none
mips-fulong2e: obey -vga none
hw/i386/acpi: Assert a pointer is not null BEFORE using it
hw/i386/acpi: Add object_resolve_type_unambiguous to improve modularity
hw/acpi/piix4: Move TYPE_PIIX4_PM to a public header
memory: correct the comment to DIRTY_MEMORY_MIGRATION
vl: fix -sandbox parsing crash when seccomp support is disabled
hvf: Add missing break statement
megasas: fix mapped frame size
vl: Add missing descriptions to the VGA adapters list
Declare -realtime as deprecated
roms: assert if max rom size is less than the used size
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 17 May 2019 14:46:37 +0000 (15:46 +0100)]
Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20190517' into staging
qemu-sparc queue
# gpg: Signature made Fri 17 May 2019 10:30:54 BST
# gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg: issuer "mark.cave-ayland@ilande.co.uk"
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full]
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F
* remotes/mcayland/tags/qemu-sparc-20190517:
MAINTAINERS: add myself for leon3
leon3: introduce the plug and play mechanism
leon3: add a little bootloader
grlib, apbuart: get rid of the old-style create function
grlib, gptimer: get rid of the old-style create function
grlib, irqmp: get rid of the old-style create function
leon3: fix the error message when no bios are provided
hw/char/escc: Lower irq when transmit buffer is filled
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hw/net/ne2000: Extract the PCI device from the chipset common code
The ne2000.c file contains functions common the the ISA and PCI
devices. To allow to build with one or another, extract the PCI
specific part into a new file.
This fix an issue where the NE2000_ISA Kconfig had to pull the
full PCI core objects.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190504123538.14952-1-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Thomas Huth [Sun, 31 Mar 2019 12:40:28 +0000 (14:40 +0200)]
hw/char: Move multi-serial devices into separate file
In our downstream distribution of QEMU, we'd like to ship the binary
without the multi-serial PCI devices. To make this disablement easier,
let's move the devices into a separate file and add a proper Kconfig-
switch for these devices.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1554036028-31410-1-git-send-email-thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
ioapic: allow buggy guests mishandling level-triggered interrupts to make progress
It was found that Hyper-V 2016 on KVM in some configurations (q35 machine +
piix4-usb-uhci) hangs on boot. Root-cause was that one of Hyper-V
level-triggered interrupt handler performs EOI before fixing the cause of
the interrupt. This results in IOAPIC keep re-raising the level-triggered
interrupt after EOI because irq-line remains asserted.
Gory details: https://www.spinics.net/lists/kvm/msg184484.html
(the whole thread).
Turns out we were dealing with similar issues before; in-kernel IOAPIC
implementation has commit 184564efae4d ("kvm: ioapic: conditionally delay
irq delivery duringeoi broadcast") which describes a very similar issue.
Steal the idea from the above mentioned commit for IOAPIC implementation in
QEMU. SUCCESSIVE_IRQ_MAX_COUNT, delay and the comment are borrowed as well.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20190402080215.10747-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
build: don't build hardware objects with linux-user
Some objects are only needed for system emulation and tools.
We can ignore them for the user mode case
Update tests to run accordingly: conditionally build some tests
on CONFIG_BLOCK.
Some tests use components that are only built when softmmu or
block tools are enabled, not for linux-user. So, if these components
are not available, disable the tests.
configure: qemu-ga is only needed with softmmu targets
Remove it from the list of tools if --disable-system
and --disable-tools are used as we don't need it for
linux-user targets.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
[lv: I also disable it with disable-tools, not only with disable-system] Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20190401141222.30034-4-lvivier@redhat.com>
hw/i386/acpi: Assert a pointer is not null BEFORE using it
Commit 72c194f7e75c added a non-null check on the 'obj' pointer.
Later, commit 500b11ea5095 added code which uses the 'obj'
pointer _before_ the assertion check. Move the assertion
_before_ the pointer use.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190427144025.22880-4-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
hw/i386/acpi: Add object_resolve_type_unambiguous to improve modularity
When building with CONFIG_Q35=n, we get:
LINK x86_64-softmmu/qemu-system-x86_64
/usr/bin/ld: hw/i386/acpi-build.o: in function `acpi_get_misc_info':
/source/qemu/hw/i386/acpi-build.c:243: undefined reference to `ich9_lpc_find'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:204: qemu-system-x86_64] Error 1
This is due to a dependency in acpi-build.c on the ICH9_LPC
(via ich9_lpc_find) and PIIX4_PM (via piix4_pm_find) devices.
To allow better modularity (compile acpi-build.c with only
Q35/ICH9 or ISAPC/PIIX4), refactor the similar helper as
object_resolve_type_unambiguous(). This way we relax the
linker dependencies and can build the x86 targets with a
selection of machines (instead of all of them).
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190427144025.22880-3-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
hw/acpi/piix4: Move TYPE_PIIX4_PM to a public header
Move the TYPE_PIIX4_PM definition to the corresponding header,
so other files can use it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190427144025.22880-2-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Gerd Hoffmann [Tue, 14 May 2019 04:24:43 +0000 (06:24 +0200)]
kbd-state: fix autorepeat handling
When allowing multiple down-events in a row (key autorepeat) we can't
use change_bit() any more to update the state, because autorepeat events
don't change the key state. We have to explicitly use set_bit() and
clear_bit() instead.
HOU Qiming [Tue, 7 May 2019 08:05:01 +0000 (11:05 +0300)]
ui/console: Precautionary glBindTexture and surface->texture validation in surface_gl_update_texture
In a GVT-g setup with dmabuf and GTK GUI, the current 2D texture at
surface_gl_update_texture is not necessarily
surface->texture. Adding a glBindTexture fixes related crashes and
artifacts, and is generally more secure.
Peter Maydell [Fri, 17 May 2019 10:40:23 +0000 (11:40 +0100)]
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Fri 17 May 2019 10:01:18 BST
# gpg: using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
net/colo-compare.c: Fix a crash in COLO Primary.
net/slirp: fix the IPv6 prefix length error message
e1000: Never increment the RX undersize count register
vhost_net: don't set backend for the uninitialized virtqueue
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* remotes/vivier/tags/m68k-staging-pull-request:
target/m68k: Optimize rotate_x() using extract_i32()
target/m68k: Fix a tcg_temp leak
target/m68k: Reduce the l1 TCGLabel scope
target/m68k: Switch to transaction_failed hook
target/m68k: In get_physical_address() check for memory access failures
target/m68k: In dump_address_map() check for memory access failures
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
# Conflicts:
# target/m68k/cpu.h
Because event_unhandled_count may be accessed concurrently, it needs
to be protected by taking the lock. However the assert is outside the
lock, probably causing it to read garbage and aborting Qemu erroneously.
The Bug only happens when running Qemu in COLO mode.
This Patch fixes the following bug: https://bugs.launchpad.net/qemu/+bug/1824622
Signed-off-by: Lukas Straub <lukasstraub2@web.de> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
net/slirp: fix the IPv6 prefix length error message
Reword and add a missing parentheses at the end of the
error message.
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Chris Kenna [Thu, 4 Apr 2019 15:21:26 +0000 (10:21 -0500)]
e1000: Never increment the RX undersize count register
In situations where e1000 receives an undersized Ethernet frame,
QEMU increments the emulated "Receive Undersize Count (RUC)"
register when padding the frame.
This is incorrect because this an expected scenario (e.g. with
VLAN tag stripping) and not an error. As such, QEMU should not
increment the emulated RUC.
Fixes: 3b2743017749 ("e1000: Implementing various counters") Reviewed-by: Mark Kanda <mark.kanda@oracle.com> Reviewed-by: Bhavesh Davda <bhavesh.davda@oracle.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Chris Kenna <chris.kenna@oracle.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Jason Wang [Mon, 25 Mar 2019 03:40:36 +0000 (11:40 +0800)]
vhost_net: don't set backend for the uninitialized virtqueue
We used to set backend unconditionally, this won't work for some
guests (e.g windows driver) who may not initialize all virtqueues. For
kernel backend, this will fail since it may try to validate the rings
during setting backend.
Fixing this by simply skipping the backend set when we find desc is
not ready.
Reviewed-by: Michael S. Tsirkin<mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
KONRAD Frederic [Wed, 15 May 2019 12:31:33 +0000 (14:31 +0200)]
MAINTAINERS: add myself for leon3
Reviewed-by: Fabien Chouteau <chouteau@adacore.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
KONRAD Frederic [Wed, 15 May 2019 12:31:31 +0000 (14:31 +0200)]
leon3: add a little bootloader
This adds a little bootloader to the leon3_machine when a ram image is
given through the kernel parameter and no bios are provided:
* The UART transmiter is enabled.
* The TIMER is initialized.
Reviewed-by: Fabien Chouteau <chouteau@adacore.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
KONRAD Frederic [Wed, 15 May 2019 12:31:30 +0000 (14:31 +0200)]
grlib, apbuart: get rid of the old-style create function
Suggested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
KONRAD Frederic [Wed, 15 May 2019 12:31:29 +0000 (14:31 +0200)]
grlib, gptimer: get rid of the old-style create function
Suggested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
KONRAD Frederic [Wed, 15 May 2019 12:31:28 +0000 (14:31 +0200)]
grlib, irqmp: get rid of the old-style create function
Suggested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
KONRAD Frederic [Wed, 15 May 2019 12:31:27 +0000 (14:31 +0200)]
leon3: fix the error message when no bios are provided
The leon3 board is looking for u-boot.bin by default (LEON3_PROM_FILENAME)..
But in the case this file is not found and no other file are given on the
command line we get the following error:
Suggested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
hw/char/escc: Lower irq when transmit buffer is filled
The SCC/ESCC will briefly stop asserting an interrupt when the
transmit FIFO is filled.
This code doesn't model the transmit FIFO/shift register so the
pending transmit interrupt is never deasserted which means that an
edge-triggered interrupt controller will never see the low-to-high
transition it needs to raise another interrupt. The practical
consequence of this is that guest firmware with an interrupt service
routine for the ESCC that does not send all of the data it has
immediately will stop sending data if the following sequence of
events occurs:
1. Disable processor interrupts
2. Write a character to the ESCC
3. Add additional characters to a buffer which is drained by the ISR
4. Enable processor interrupts
In this case, the first character will be sent, the interrupt will
fire and the ISR will output the second character. Since the pending
transmit interrupt remains asserted, no additional interrupts will
ever fire.
This behavior was triggered by firmware for an embedded system with a
Z85C30 which necessitated this patch.
This patch fixes that situation by explicitly lowering the IRQ when a
character is written to the buffer and no other interrupts are currently
pending.
Signed-off-by: Stephen Checkoway <stephen.checkoway@oberlin.edu> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Wei Yang [Fri, 26 Apr 2019 02:09:27 +0000 (10:09 +0800)]
memory: correct the comment to DIRTY_MEMORY_MIGRATION
The dirty bit is DIRTY_MEMORY_MIGRATION. Correct the comment.
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190426020927.25470-1-richardw.yang@linux.intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
vl: fix -sandbox parsing crash when seccomp support is disabled
$ ./x86_64-softmmu/qemu-system-x86_64 -sandbox off
qemu-system-x86_64: -sandbox off: There is no option group 'sandbox'
Segmentation fault
Commit 5780760f5e ("seccomp: check TSYNC host capability") wrapped one
use of the sandbox option group to produce a sensible error, it didn't
do the same for another call to qemu_opts_parse_noisily():
(gdb) bt
at util/qemu-option.c:829
#0 0x00000000105b36d8 in opts_parse (list=0x0, params=0x3ffffffffab5 "off", permit_abbrev=true, defaults=false, errp=0x3ffffffff080)
at util/qemu-option.c:829
#1 0x00000000105b3b74 in qemu_opts_parse_noisily (list=<optimized out>, params=<optimized out>, permit_abbrev=<optimized out>) at util/qemu-option.c:890
#2 0x0000000010024964 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:3589
Fixes: 5780760f5ea6163939a5dabe7427318b4f07d1a2 Cc: david@gibson.dropbear.id.au Cc: otubo@redhat.com Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20190429134757.13570-1-marcandre.lureau@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
target/m68k: Optimize rotate_x() using extract_i32()
Optimize rotate_x() using tcg_gen_extract_i32(). We can now free the
'sz' tcg_temp earlier. Since it is allocated with tcg_const_i32(),
free it with tcg_temp_free_i32().
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20190310003428.11723-6-f4bug@amsat.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Peter Maydell [Mon, 10 Dec 2018 16:56:36 +0000 (16:56 +0000)]
target/m68k: Switch to transaction_failed hook
Switch the m68k target from the old unassigned_access hook
to the transaction_failed hook.
The notable difference is that rather than it being called
for all physical memory accesses which fail (including
those made by DMA devices or by the gdbstub), it is only
called for those made by the CPU via its MMU. (In previous
commits we put in explicit checks for the direct physical
loads made by the target/m68k code which will no longer
be handled by calling the unassigned_access hook.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20181210165636.28366-4-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Peter Maydell [Mon, 10 Dec 2018 16:56:35 +0000 (16:56 +0000)]
target/m68k: In get_physical_address() check for memory access failures
In get_physical_address(), use address_space_ldl() and
address_space_stl() instead of ldl_phys() and stl_phys().
This allows us to check whether the memory access failed.
For the moment, we simply return -1 in this case;
add a TODO comment that we should ideally generate the
appropriate kind of fault.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20181210165636.28366-3-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Peter Maydell [Thu, 16 May 2019 12:15:08 +0000 (13:15 +0100)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20190510' into staging
Add CPUClass::tlb_fill.
Improve tlb_vaddr_to_host for use by ARM SVE no-fault loads.
# gpg: Signature made Fri 10 May 2019 19:48:37 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-tcg-20190510: (27 commits)
tcg: Use tlb_fill probe from tlb_vaddr_to_host
tcg: Remove CPUClass::handle_mmu_fault
tcg: Use CPUClass::tlb_fill in cputlb.c
target/xtensa: Convert to CPUClass::tlb_fill
target/unicore32: Convert to CPUClass::tlb_fill
target/tricore: Convert to CPUClass::tlb_fill
target/tilegx: Convert to CPUClass::tlb_fill
target/sparc: Convert to CPUClass::tlb_fill
target/sh4: Convert to CPUClass::tlb_fill
target/s390x: Convert to CPUClass::tlb_fill
target/riscv: Convert to CPUClass::tlb_fill
target/ppc: Convert to CPUClass::tlb_fill
target/openrisc: Convert to CPUClass::tlb_fill
target/nios2: Convert to CPUClass::tlb_fill
target/moxie: Convert to CPUClass::tlb_fill
target/mips: Convert to CPUClass::tlb_fill
target/mips: Tidy control flow in mips_cpu_handle_mmu_fault
target/mips: Pass a valid error to raise_mmu_exception for user-only
target/microblaze: Convert to CPUClass::tlb_fill
target/m68k: Convert to CPUClass::tlb_fill
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 16 May 2019 09:24:08 +0000 (10:24 +0100)]
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20190514b' into staging
Migration pull 2019-05-14
Small fixes/cleanups
One HMP/monitor fix
# gpg: Signature made Tue 14 May 2019 19:03:53 BST
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20190514b:
monitor: Call mon_get_cpu() only once at hmp_gva2gpa()
migration/ram.c: fix typos in comments
migration: Fix use-after-free during process exit
migration/savevm: wrap into qemu_loadvm_state_header()
migration/savevm: load_header before load_setup
migration/savevm: remove duplicate check of migration_is_blocked
migration: update comments of migration bitmap
migration/ram.c: start of migration_bitmap_sync_range is always 0
qemu-option.hx: Update missed parameter for colo-compare
migration/colo.h: Remove obsolete codes
migration/colo.c: Remove redundant input parameter
migration: savevm: fix error code with migration blockers
vmstate: check subsection_found is enough
migration: remove not used field xfer_limit
migration: not necessary to check ops again
migration: comment VMSTATE_UNUSED*() properly
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Lieven [Thu, 4 Apr 2019 12:10:15 +0000 (14:10 +0200)]
megasas: fix mapped frame size
the current value of 1024 bytes (16 * MFI_FRAME_SIZE) we map is not enough to hold
the maximum number of scatter gather elements we advertise. We actually need a
maximum of 2048 bytes. This is 128 max sg elements * 16 bytes (sizeof (union mfi_sgl)).
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20190404121015.28634-1-pl@kamp.de> Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Thomas Huth [Thu, 11 Apr 2019 17:53:45 +0000 (19:53 +0200)]
Declare -realtime as deprecated
The old -realtime mlock=on|off parameter does exactly the same as the
new -overcommit mem-lock=on|off parameter. Additionally, "-realtime"
does not activate any additional "realtime" capabilities as the name
might indicate. We should avoid to confuse the users this way, so
let's deprecate the old -realtime option.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20190411175345.19414-1-thuth@redhat.com>
Igor Mammedov [Thu, 11 Apr 2019 11:28:18 +0000 (13:28 +0200)]
roms: assert if max rom size is less than the used size
It would ensure that we would notice attempt to write beyond
the allocated buffer. In case of MemoryRegion backed ROM it's
the host buffer and the guest RAM otherwise.
assert can be triggered with:
dd if=/dev/zero of=/tmp/blob bs=63k count=1
qemu-system-x86_64 `for i in {1..33}; do echo -n " -acpitable /tmp/blob"; done`
Fixes: (a1666142db acpi-build: make ROMs RAM blocks resizeable) Reported-by: Wei Yang <richardw.yang@linux.intel.com> Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <1554982098-336210-1-git-send-email-imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Thomas Huth [Thu, 11 Apr 2019 18:22:40 +0000 (20:22 +0200)]
hw/input: Add a CONFIG_PS2 switch for the ps2.c file
ps2.c only needs to be compiled if we are building pckbd.c or pl050.c.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190411182240.5957-1-thuth@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Eduardo Habkost [Fri, 10 May 2019 18:56:20 +0000 (15:56 -0300)]
monitor: Call mon_get_cpu() only once at hmp_gva2gpa()
hmp_gva2gpa() calls mon_get_cpu() twice, which is unnecessary.
Not an actual bug, but this is reported as a defect by Coverity
Scan (CID 1401346).
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20190510185620.15757-1-ehabkost@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Wei Yang [Fri, 10 May 2019 23:37:29 +0000 (07:37 +0800)]
migration/ram.c: fix typos in comments
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190510233729.15554-1-richardw.yang@linux.intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
It fixes heap-use-after-free which was found by clang's ASAN.
Control flow of this use-after-free:
main_thread:
* Got SIGTERM and completes main loop
* Calls migration_shutdown
- migrate_fd_cancel (so, migration_thread begins to complete)
- object_unref(OBJECT(current_migration));
main_thread:
* Calls vm_shutdown -> drain bdrvs -> main loop
-> cleanup_bh -> use after free
If you want to reproduce, these couple of sleeps will help:
vl.c:4613:
migration_shutdown();
+ sleep(2);
migration.c:3269:
+ sleep(1);
trace_migration_thread_after_loop();
migration_iteration_finish(s);
Original output:
qemu-system-x86_64: terminating on signal 15 from pid 31980 (<unknown process>)
=================================================================
==31958==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900001d210
at pc 0x555558a535ca bp 0x7fffffffb190 sp 0x7fffffffb188
READ of size 8 at 0x61900001d210 thread T0 (qemu-vm-0)
#0 0x555558a535c9 in migrate_fd_cleanup migration/migration.c:1502:23
#1 0x5555594fde0a in aio_bh_call util/async.c:90:5
#2 0x5555594fe522 in aio_bh_poll util/async.c:118:13
#3 0x555559524783 in aio_poll util/aio-posix.c:725:17
#4 0x555559504fb3 in aio_wait_bh_oneshot util/aio-wait.c:71:5
#5 0x5555573bddf6 in virtio_blk_data_plane_stop
hw/block/dataplane/virtio-blk.c:282:5
#6 0x5555589d5c09 in virtio_bus_stop_ioeventfd hw/virtio/virtio-bus.c:246:9
#7 0x5555589e9917 in virtio_pci_stop_ioeventfd hw/virtio/virtio-pci.c:287:5
#8 0x5555589e22bf in virtio_pci_vmstate_change hw/virtio/virtio-pci.c:1072:9
#9 0x555557628931 in virtio_vmstate_change hw/virtio/virtio.c:2257:9
#10 0x555557c36713 in vm_state_notify vl.c:1605:9
#11 0x55555716ef53 in do_vm_stop cpus.c:1074:9
#12 0x55555716eeff in vm_shutdown cpus.c:1092:12
#13 0x555557c4283e in main vl.c:4617:5
#14 0x7fffdfdb482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x555556ecb118 in _start (x86_64-softmmu/qemu-system-x86_64+0x1977118)
0x61900001d210 is located 144 bytes inside of 952-byte region
[0x61900001d180,0x61900001d538)
freed by thread T6 (live_migration) here:
#0 0x555556f76782 in __interceptor_free
/tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x555558d5fa94 in object_finalize qom/object.c:618:9
#2 0x555558d57651 in object_unref qom/object.c:1068:9
#3 0x555558a55588 in migration_thread migration/migration.c:3272:5
#4 0x5555595393f2 in qemu_thread_start util/qemu-thread-posix.c:502:9
#5 0x7fffe057f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
previously allocated by thread T0 (qemu-vm-0) here:
#0 0x555556f76b03 in __interceptor_malloc
/tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7ffff6ee37b8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7b8)
#2 0x555558d58031 in object_new qom/object.c:640:12
#3 0x555558a31f21 in migration_object_init migration/migration.c:139:25
#4 0x555557c41398 in main vl.c:4320:5
#5 0x7fffdfdb482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thread T6 (live_migration) created by T0 (qemu-vm-0) here:
#0 0x555556f5f0dd in pthread_create
/tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x555559538cf9 in qemu_thread_create util/qemu-thread-posix.c:539:11
#2 0x555558a53304 in migrate_fd_connect migration/migration.c:3332:5
#3 0x555558a72bd8 in migration_channel_connect migration/channel.c:92:5
#4 0x555558a6ef87 in exec_start_outgoing_migration migration/exec.c:42:5
#5 0x555558a4f3c2 in qmp_migrate migration/migration.c:1922:9
#6 0x555558bb4f6a in qmp_marshal_migrate qapi/qapi-commands-migration.c:607:5
#7 0x555559363738 in do_qmp_dispatch qapi/qmp-dispatch.c:131:5
#8 0x555559362a15 in qmp_dispatch qapi/qmp-dispatch.c:174:11
#9 0x5555571bac15 in monitor_qmp_dispatch monitor.c:4124:11
#10 0x55555719a22d in monitor_qmp_bh_dispatcher monitor.c:4207:9
#11 0x5555594fde0a in aio_bh_call util/async.c:90:5
#12 0x5555594fe522 in aio_bh_poll util/async.c:118:13
#13 0x5555595201e0 in aio_dispatch util/aio-posix.c:460:5
#14 0x555559503553 in aio_ctx_dispatch util/async.c:261:5
#15 0x7ffff6ede196 in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a196)
SUMMARY: AddressSanitizer: heap-use-after-free migration/migration.c:1502:23
in migrate_fd_cleanup
Shadow bytes around the buggy address:
0x0c327fffb9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffba30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fffba40: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffba50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffba60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffba70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffba80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fffba90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==31958==ABORTING
Signed-off-by: Yury Kotov <yury-kotov@yandex-team.ru>
Message-Id: <20190408113343.2370-1-yury-kotov@yandex-team.ru> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Fixed up comment formatting
Wei Yang [Wed, 24 Apr 2019 00:47:00 +0000 (08:47 +0800)]
migration/savevm: wrap into qemu_loadvm_state_header()
On source side, we have qemu_savevm_state_header() to send related data,
while on the receiving side those steps are scattered in
qemu_loadvm_state().
This patch wrap those related steps into qemu_loadvm_state_header() to
make it friendly to read.
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190424004700.12766-5-richardw.yang@linux.intel.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Then it would be more proper to loadvm_state in the save sequence.
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190424004700.12766-4-richardw.yang@linux.intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Since qemu_savevm_state is only called in save_snapshot, this means
migration_is_blocked has been already checked.
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190424004700.12766-2-richardw.yang@linux.intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Yi Wang [Mon, 15 Apr 2019 06:51:29 +0000 (14:51 +0800)]
migration: update comments of migration bitmap
Since the ram bitmap and the unsent bitmap are split by RAMBlock
in commit 6b6712e, it's better to update the comments about them.
Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
Message-Id: <1555311089-18610-1-git-send-email-wang.yi59@zte.com.cn> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Wei Yang [Tue, 30 Apr 2019 03:44:10 +0000 (11:44 +0800)]
migration/ram.c: start of migration_bitmap_sync_range is always 0
We can eliminate to pass 0.
Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190430034412.12935-2-richardw.yang@linux.intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
qemu-option.hx: Update missed parameter for colo-compare
We missed the iothread related args in this file.
This patch is used to fix this issue.
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Message-Id: <20190426090730.2691-4-chen.zhang@intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Message-Id: <20190426090730.2691-3-chen.zhang@intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Message-Id: <20190426090730.2691-2-chen.zhang@intel.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
projects / mirror_qemu.git / log