Kevin Wolf [Thu, 1 Jul 2010 14:08:51 +0000 (16:08 +0200)]
block: Handle multiwrite errors only when all requests have completed
Don't try to be clever by freeing all temporary data and calling all callbacks
when the return value (an error) is certain. Doing so has at least two
important problems:
* The temporary data that is freed (qiov, possibly zero buffer) is still used
by the requests that have not yet completed.
* Calling the callbacks for all requests in the multiwrite means for the caller
that it may free buffers etc. which are still in use.
Just remember the error value and do the cleanup when all requests have
completed.
Kevin Wolf [Wed, 14 Jul 2010 10:42:02 +0000 (12:42 +0200)]
block: Fix early failure in multiwrite
bdrv_aio_writev may call the callback immediately (and it will commonly do so
in error cases). Current code doesn't consider this. For details see the
comment added by this patch.
Kevin Wolf [Wed, 16 Jun 2010 14:38:15 +0000 (16:38 +0200)]
block: Add bdrv_(p)write_sync
Add new functions that write and flush the written data to disk immediately.
This is what needs to be used for image format metadata to maintain integrity
for cache=... modes that don't use O_DSYNC. (Actually, we only need barriers,
and therefore the functions are defined as such, but flushes is what is
implemented in this patch - we can try to change that later)
Kevin Wolf [Mon, 7 Jun 2010 14:43:22 +0000 (16:43 +0200)]
qcow2: Restore L1 entry on l2_allocate failure
If writing the L1 table to disk failed, we need to restore its old content in
memory to avoid inconsistencies.
Reported-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 68dba0bf455e60061bb3c9c40ef0d82916372664)
Kevin Wolf [Wed, 14 Jul 2010 09:50:47 +0000 (11:50 +0200)]
block/vdi: Fix image opening and creation for odd disk sizes
The fix is based on a patch from Kevin Wolf. Here his comment:
"The number of blocks needs to be rounded up to cover all of the virtual hard
disk. Without this fix, we can't even open our own images if their size is not
a multiple of the block size."
While Kevin's patch addressed vdi_create, my modification also fixes
vdi_open which now accepts images with odd disk sizes.
v3:
Don't allow reading of disk images with too large disk sizes.
Neither VBoxManage nor old versions of qemu-img read such images.
This change requires rounding of odd disk sizes before we do the checks.
Cc: Kevin Wolf <kwolf@redhat.com> Cc: François Revol <revol@free.fr> Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f21dc3a4652eeb82117d7d55d975278fe1444b26)
Stefan Weil [Mon, 10 May 2010 19:46:26 +0000 (21:46 +0200)]
block/vpc: Fix conversion from size to disk geometry
The VHD algorithm calculates a disk geometry
which is usually smaller than the requested size.
QEMU tried to round up but failed for certain sizes:
qemu-img create -f vpc disk.vpc 9437184
would create an image with 9435136 bytes
(which is too small for qemu-img convert).
Instead of hacking the geometry algorithm, the patch
increases the number of sectors until we get enough
sectors.
Cc: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit dede4188cc817a039154ed2ecd7f3285f6b94056)
Kevin Wolf [Wed, 21 Apr 2010 09:37:52 +0000 (11:37 +0200)]
qcow2: Remove abort on free_clusters failure
While it's true that during regular operation free_clusters failure would be a
bug, an I/O error can always happen. There's no need to kill the VM, the worst
thing that can happen (and it will) is that we leak some clusters.
Kevin Wolf [Fri, 16 Apr 2010 17:28:14 +0000 (19:28 +0200)]
vmdk: Fix COW
When trying to do COW, VMDK wrote the data back to the backing file. This
problem was revealed by the patch that made backing files read-only. This patch
does not only fix the problem, but also simplifies the VMDK code a bit.
This fixes the backing file qemu-iotests cases for VMDK.
Kevin Wolf [Wed, 14 Jul 2010 08:33:49 +0000 (10:33 +0200)]
qcow2: Fix creation of large images
qcow_create2 assumes that the new image will only need one cluster for its
refcount table initially. Obviously that's not true any more when the image is
big enough (exact value depends on the cluster size).
This patch calculates the refcount table size dynamically.
Kevin Wolf [Wed, 14 Jul 2010 08:30:31 +0000 (10:30 +0200)]
vmdk: fix double free
fail_gd error case would also free rgd_buf that was already freed
Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit a161329b61106ab093aab6d3227ac85e0b8251a9)
CC block/vvfat.o
cc1: warnings being treated as errors
block/vvfat.c: In function 'commit_one_file':
block/vvfat.c:2259: error: ignoring return value of 'ftruncate', declared with attribute warn_unused_result
make: *** [block/vvfat.o] Error 1
CC block/vvfat.o
In file included from /usr/include/stdio.h:912,
from ./qemu-common.h:19,
from block/vvfat.c:27:
In function 'snprintf',
inlined from 'init_directories' at block/vvfat.c:871,
inlined from 'vvfat_open' at block/vvfat.c:1068:
/usr/include/bits/stdio2.h:65: error: call to __builtin___snprintf_chk will always overflow destination buffer
make: *** [block/vvfat.o] Error 1
Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name> Signed-off-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2dedf83ef0cc3463783d6b71bf1b25476f691f3a)
Jes Sorensen [Fri, 11 Jun 2010 14:02:34 +0000 (16:02 +0200)]
Correct definitions for FD_CMD_SAVE and FD_CMD_RESTORE
Correct definitions for FD_CMD_SAVE and FD_CMD_RESTORE in hw/fdc.c
Per https://bugs.launchpad.net/qemu/+bug/424453 the correct values
for FD_CMD_SAVE is 0x2e and FD_CMD_RESTORE is 0x4e. Verified against
the Intel 82078 manual which can be found at:
http://wiki.qemu.org/Documentation/HardwareManuals page 22.
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit bb350a5e9b961a8c3940b3451c329ff07c027aa1)
Kevin Wolf [Fri, 28 May 2010 10:21:27 +0000 (12:21 +0200)]
qcow2: Fix corruption after error in update_refcount
After it is done with updating refcounts in the cache, update_refcount writes
all changed entries to disk. If a refcount block allocation fails, however,
there was no change yet and therefore first_index = last_index = -1. Don't
treat -1 as a normal sector index (resulting in a 512 byte write!) but return
without updating anything in this case.
Kevin Wolf [Fri, 28 May 2010 10:05:45 +0000 (12:05 +0200)]
qcow2: Fix corruption after refblock allocation
Refblock allocation code needs to take into consideration that update_refcount
will load a different refcount block into the cache, so it must initialize the
cache for a new refcount block only afterwards. Not doing this means that not
only the refcount in the wrong block is updated, but also that the caller will
work on the wrong block.
Kevin Wolf [Fri, 28 May 2010 17:12:24 +0000 (19:12 +0200)]
qcow2: Fix error handling in l2_allocate
l2_allocate has some intermediate states in which the image is inconsistent.
Change the order to write to the L1 table only after the new L2 table has
successfully been initialized.
Also reset the L2 cache in failure case, it's very likely wrong.
Kevin Wolf [Fri, 28 May 2010 17:06:31 +0000 (19:06 +0200)]
qcow2: Clear L2 table cache after write error
If the L2 table was already updated in cache, but writing it to disk has
failed, we must not continue using the changed version in the cache to stay
consistent with what's on the disk.
Kevin Wolf [Tue, 4 May 2010 14:35:24 +0000 (16:35 +0200)]
ide: Fix ide_dma_cancel
When cancelling a request, bdrv_aio_cancel may decide that it waits for
completion of a request rather than for cancellation. IDE therefore can't
abandon its DMA status before calling bdrv_aio_cancel; otherwise the callback
of a completed request would use invalid data.
Luiz Capitulino [Wed, 2 Jun 2010 20:19:56 +0000 (17:19 -0300)]
usb-bus: fix no params
After commit 702f3e0fb52c124c07f215426eeadb70a716643f, the params is
nerver NULL. It should check *params instead of params to determine
whether the params is empty.
Jan Kiszka [Wed, 2 Jun 2010 20:19:55 +0000 (17:19 -0300)]
Avoid crash on '-usbdevice <device>' without parameters
Many usbdevice_init implementors assume params is non-NULL.
Signed-off-by: Jan Kiszka <jan.kiszka@web.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 702f3e0fb52c124c07f215426eeadb70a716643f)
Paul Brook [Wed, 2 Jun 2010 20:19:54 +0000 (17:19 -0300)]
Fix -usbdevice crash
If -usbdevice is used on a machine with no USB busses, usb_create
will fail and return NULL. Patch below handles this failure gracefully
rather than crashing when we try to init the device.
Alexander Graf [Tue, 1 Jun 2010 23:56:50 +0000 (01:56 +0200)]
Fix multiboot compilation
Commit dd4239d6574ca41c94fc0d0f77ddc728510ffc57 broke multiboot. It replaced the
instruction "rep insb (%dx), %es:(%edi)" by the binary output of
"addr32 rep insb (%dx), %es:(%di)".
Linuxboot calls the respective helper function in a code16 section. So the
original instruction was automatically translated to its "addr32" equivalent.
For multiboot, we're running in code32 so gcc didn't add the "addr32" which
breaks the instruction.
This patch splits that helper function in one which uses addr32 and one which
does not, so everyone's happy.
The good news is that nobody probably cared so far. The bundled multiboot.bin
binary was built before the change and is thus correct.
Please also put this patch into -stable.
Signed-off-by: Alexander Graf <agraf@suse.de> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 590bf491a49670843ee902c47f7ab1de5e9acd06)
Loïc Minier [Sun, 31 Jan 2010 11:22:52 +0000 (12:22 +0100)]
Fix missing symbols in .rel/.rela.plt sections
Fix .rel.plt sections in the output to not only include .rel.plt
sections from the input but also the .rel.iplt sections and to define
the hidden symbols __rel_iplt_start and __rel_iplt_end around
.rel.iplt as otherwise we get undefined references to these when
linking statically to a multilib libc.a. This fixes the static build
under i386.
Apply similar logic to rela.plt/.iplt and __rela_iplt/_plt_start/_end to
fix the static build under amd64.
Thomas Monjalon [Fri, 28 May 2010 19:07:32 +0000 (21:07 +0200)]
target-ppc: fix RFI by clearing some bits of MSR
Since commit 2ada0ed, "Return From Interrupt" is broken for PPC processors
because some interrupt specifics bits of SRR1 are copied to MSR.
SRR1 is a save of MSR during interrupt.
During RFI, MSR must be restored from SRR1.
But some bits of SRR1 are interrupt-specific and are not used for MSR saving.
This is the specification (ISA 2.06) at chapter 6.4.3 (Interrupt Processing):
"2. Bits 33:36 and 42:47 of SRR1 or HSRR1 are loaded with information specific
to the interrupt type.
3. Bits 0:32, 37:41, and 48:63 of SRR1 or HSRR1 are loaded with a copy of the
corresponding bits of the MSR."
Below is a representation of MSR bits which are not saved:
0:15 16:31 32 33:36 37:41 42:47 48:63
——— | ——— | — X X X X — — — — — X X X X X X | ————
0000 0000 | 7 | 8 | 3 | F | 0000
History:
In the initial Qemu implementation (e1833e1), the mask 0x783F0000 was used for
saving MSR in SRR1. But all the bits 32:47 were cleared during RFI restoring.
This was wrong. The commit 2ada0ed explains that this breaks Altivec.
Indeed, bit 38 (for Altivec support) must be saved and restored.
The change of 2ada0ed was to restore all the bits of SRR1 to MSR.
But it's also wrong.
Explanation:
As an example, let's see what's happening after a TLB miss.
According to the e300 manual (E300CORERM table 5-6), the TLB miss interrupts
set the bits 44-47 for KEY, I/D, WAY and S/L. These bits are specifics to the
interrupt and must not be copied into MSR at the end of the interrupt.
With the current implementation, a TLB miss overwrite bits POW, TGPR and ILE.
Fix:
It shouldn't be needed to filter-out bits on MSR saving when interrupt occurs.
Specific bits overwrite MSR ones in SRR1.
But at the end of interrupt (RFI), specifics bits must be cleared before
restoring MSR from SRR1. The mask 0x783F0000 apply here.
Discussion:
The bits of the mask 0x783F0000 are cleared after an interrupt.
I cannot find a specification which talks about this
but I assume it is the truth since Linux can run this way.
Maybe it's not perfect but it's better (works for e300).
Signed-off-by: Thomas Monjalon <thomas@monjalon.net> Acked-by: Alexander Graf <agraf@suse.de> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit c3d420ead1aee9fcfd12be11cbdf6b1620134773)
Rabin Vincent [Sun, 2 May 2010 09:50:51 +0000 (15:20 +0530)]
arm_timer: reload timer when enabled
Reload the timer when TimerControl is written, if the timer is to be
enabled. Otherwise, if an earlier write to TimerLoad was done while
periodic mode was not set, s->delta may incorrectly still have the value
of the maximum limit instead of the value written to TimerLoad.
This problem is evident on versatileap on current linux-next, which
enables TIMER_CTRL_32BIT before writing to TimerLoad and then enabling
periodic mode and starting the timer. This causes the first periodic
tick to be scheduled to occur after 0xffffffff periods, leading to a
perceived hang while the kernel waits for the first timer tick.
Signed-off-by: Rabin Vincent <rabin@rab.in> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d6759902cb467c002086853d2eb38fb969c29f7f)
If the user wants to create a chardev of type socket but forgets to give a
host= option, qemu_opt_get returns NULL. This NULL pointer is then fed into
strlen a few lines below without a check which results in a segfault.
This fixes it.
Before issuing the barrier to the block driver we need to flush our oustanding
queue of write requests, as the flush is supposed to be issued after them.
block: fix sector comparism in multiwrite_req_compare
The difference between the start sectors of two requests can be larger
than the size of the "int" type, which can lead to a not correctly
sorted multiwrite array and thus spurious I/O errors and filesystem
corruption due to incorrect request merges.
So instead of doing the cute sector arithmetics trick spell out the
exact comparisms.
Spotted by Kevin Wolf based on a testcase from Michael Tokarev.
Code for saving irq_state got vm_state
macros wrong, passing in the wrong parameter.
As a result, we both saved a wrong value
and restored it to a wrong offset.
This leads to device and bus irq counts getting
out of sync, which in turn leads to interrupts getting lost or
never cleared, such as
https://bugzilla.redhat.com/show_bug.cgi?id=588133
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit c3f8f61157625d0bb5bfc135047573de48fdc675)
TeLeMan [Mon, 8 Feb 2010 08:20:00 +0000 (16:20 +0800)]
qemu-img: use the heap instead of the huge stack array for win32
The default stack size of PE is 1MB on win32 and IO_BUF_SIZE in
img_convert() & img_rebase() is 2MB, so qemu-img will crash when doing
"convert" & "rebase" on win32.
Although we can improve the stack size of PE to resolve it, I think we
should avoid using the huge stack variables.
Signed-off-by: TeLeMan <geleman@gmail.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 72ff25e4e98d6dba9286d032b9ff5432553bbad5)
Juergen Lock [Tue, 12 Jan 2010 22:48:04 +0000 (23:48 +0100)]
Workaround for broken OSS_GETVERSION on FreeBSD, part two
Turns out on those versions of FreeBSD (>= 7.x) that know OSS_GETVERSION
the ioctl doesn't actually work yet (except in the Linuxolator), so if
building on FreeBSD assume the sound drivers are new enough if the ioctl
returns the errno it does currently on FreeBSD.
Stefan Hajnoczi [Wed, 21 Apr 2010 19:35:45 +0000 (20:35 +0100)]
block: Free iovec arrays allocated by multiwrite_merge()
A new iovec array is allocated when creating a merged write request.
This patch ensures that the iovec array is deleted in addition to its
qiov owner.
Reported-by: Leszek Urbanski <tygrys@moo.pl> Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 1e1ea48d42e011b9bdd0d689d184e7cac4617b66)
Gerd Hoffmann [Wed, 6 Jan 2010 16:08:04 +0000 (17:08 +0100)]
lsi: pass lsi_request to lsi_reselect
All callers of lsi_reselect have a lsi_request struct at hand anyway.
So just pass it directly instead of having lsi_reselect search for it
using the tag.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit aa4d32c4742e62e09786bd1067a5b98239867e93)
Gerd Hoffmann [Wed, 6 Jan 2010 16:08:01 +0000 (17:08 +0100)]
lsi: have lsi_request for the whole life time of the request.
Right now lsi_request is allocated when a request is queued and released
when a request is unqueued. With this patch applied the lsi_request is
kept for the whole lifetime of the scsi request.
Rationale: We can use it for per-request data then. The patch does that
already for the request tag.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit af12ac9880eacdd79d49a11d5672df7170afb38f)
Stefan Weil [Fri, 9 Apr 2010 15:28:40 +0000 (17:28 +0200)]
tcp/mips: Change TCG_AREG0 (fp -> s0)
Register fp (frame pointer) is a bad choice for compilations
without optimisation, because the compiler makes heavy use
of this register (so the resulting code crashes).
Register s0 had been used for TCG_AREG1 in earlier releases,
but was no longer used and is now free for TCG_AREG0.
The resulting code works for compilations without
optimisation (tested with qemu mips in qemu mips
on x86 host).
Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Since commit 8da3ff180974732fc4272cb4433fef85c1822961 ("MMIO callback
interface changes"), the addresses passed to the I/O functions are an
offset to the start of the area. As a consequence, there is no need to
correct the address using the value of IOBR. This make possible the use
of the default MMIO functions. Moreover the addresses are now remaped
when the value if IOBR change.
The memory area corresponds to the devices behing the PCI bus, it should
not be mapped by the PCI controller. Remove the corresponding code.
Chris Webb [Mon, 8 Mar 2010 14:34:49 +0000 (14:34 +0000)]
Fix SIGFPE for vnc display of width/height = 1
During boot, the screen gets resized to height 1 and a mouse click at this
point will cause a division by zero when calculating the absolute pointer
position from the pixel (x, y). Return a click in the middle of the screen
instead in this case.
Signed-off-by: Chris Webb <chris@arachsys.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit cc39a92cbfc80c70d2b83708a4c9b309c3126ac3)
1) It is broken when using the device model instead of "-net nic". Example:
$ qemu-system-x86_64 -device rtl8139,vlan=0,id=net0,mac=52:54:00:82:41:fd,bus=pci.0,addr=0x4 -net user,vlan=0,name=hostnet0 -vnc 0.0.0.0:0 -boot n
Cannot boot from non-existent NIC
$
2) The mask was previously used to set which boot ROMs were supposed to be
loaded, but this was changed long time ago. Now all ROM images are loaded,
and SeaBIOS takes care of jumping to the right boot entry point depending on
the boot settings.
3) Interpretation and validation of the boot parameter letters is done on
the machine type code. Examples: PC accepts only a,b,c,d,n as valid boot
device letters. mac99 accepts only a,b,c,d,e,f.
As a side-effect of this change, qemu-kvm won't abort anymore if using "-boot n"
on a machine with no network devices. Checking if the requested boot device is
valid is now a task for the BIOS or the machine-type code.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Acked-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry-picked from da1fcfda59a6bcbdf58d49243fbced455f2bf78a)
Kevin Wolf [Tue, 6 Apr 2010 13:30:14 +0000 (15:30 +0200)]
qcow2: Remove request from in-flight list after error
If we complete a request with a failure we need to remove it from the list of
requests that are in flight. If we don't do it, the next time the same AIOCB is
used for a cluster allocation it will create a loop in the list and qemu will
hang in an endless loop.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit c644db3d53c90ef569ff5a90e9f821b88e7123bb)
Kevin Wolf [Tue, 6 Apr 2010 13:30:09 +0000 (15:30 +0200)]
qcow2: Don't ignore immediate read/write failures
Returning -EIO is far from optimal, but at least it's an error code.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 171e3d6b9997c98a97d0c525867f7cd9b640cadd)
Kevin Wolf [Tue, 6 Apr 2010 16:24:07 +0000 (18:24 +0200)]
block: Fix multiwrite memory leak in error case
Previously multiwrite_user_cb was never called if a request in the multiwrite
batch failed right away because it did set mcb->error immediately. Make it look
more like a normal callback to fix this.
Reported-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 7eb58a6c556c3880e6712cbf6d24d681261c5095)
Kevin Wolf [Tue, 6 Apr 2010 16:24:06 +0000 (18:24 +0200)]
block: Fix error code in multiwrite for immediate failures
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 0f0b604b00851f2c7160b4195136c1fd27418088)
Kevin Wolf [Thu, 1 Apr 2010 20:48:44 +0000 (22:48 +0200)]
block: Fix multiwrite error handling
When two requests of the same multiwrite batch fail, the callback of all
requests in that batch were called twice. This could have any kind of nasty
effects, in my case it lead to use after free and eventually a segfault.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit cb6d3ca07b8f62b47ef30c6a92caa3e8bd71248b)
Gerd Hoffmann [Wed, 10 Mar 2010 16:47:17 +0000 (17:47 +0100)]
scsi-disk: fix buffer overflow
In case s->version is shorter than 4 bytes we overflow the memcpy src
buffer. Fix it by clearing the target buffer, then copy only the
amount of bytes we actually have.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from 314b1811c15f4e982e4667d9b845aee4b5a63d91)
The current implementation of alloc_refcount_block and grow_refcount_table has
fundamental problems regarding error handling. There are some places where an
I/O error means that the image is going to be corrupted. I have found that the
only way to fix this is to completely rewrite the thing.
In detail, the problem is that the refcount blocks itself are allocated using
alloc_refcount_noref (to avoid endless recursion when updating the refcount of
the new refcount block, which migh access just the same refcount block but its
allocation is not yet completed...). Only at the end of the refcount allocation
the refcount of the refcount block is increased. If an error happens in
between, the refcount block is in use, but has a refcount of zero and will
likely be overwritten later.
The new approach is explained in comments in the code. The trick is basically
to let new refcount blocks describe their own refcount, so their refcount will
be automatically changed when they are hooked up in the refcount table.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 92dcb59fd4e1491afa0756ee9c2594869b487d23)
Kevin Wolf [Tue, 23 Feb 2010 15:40:52 +0000 (16:40 +0100)]
qcow2: Factor next_refcount_table_size out
When the refcount table grows, it doesn't only grow by one entry but reserves
some space for future refcount blocks. The algorithm to calculate the number of
entries stays the same with the fixes, so factor it out before replacing the
rest.
As Juan suggested take the opportunity to simplify the code a bit.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 05121aedc41f87e44e41e9cef55f2e49ce7ba94e)
block: avoid creating too large iovecs in multiwrite_merge
If we go over the maximum number of iovecs support by syscall we get
back EINVAL from the kernel which translate to I/O errors for the guest.
Add a MAX_IOV defintion for platforms that don't have it. For now we use
the same 1024 define that's used on Linux and various other platforms,
but until the windows block backend implements some kind of vectored I/O
it doesn't matter.
Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit e2a305fb13ff0f5cf6ff805555aaa90a5ed5954c)
Kevin Wolf [Wed, 24 Feb 2010 15:17:58 +0000 (16:17 +0100)]
json-parser: Fix segfault on malformed input
If the parser fails to parse the key in parse_pair, it will access a NULL
pointer. A simple way to trigger this is sending {foo} via QMP. This patch
turns the segfault into a syntax error reply.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d758d90fe1f74a46042fca665036a23b4d5fe87d)
Aurelien Jarno [Mon, 1 Feb 2010 18:58:46 +0000 (19:58 +0100)]
target-sh4: MMU: fix mem_idx computation
The mem_idx is wrongly computed. As written in target-sh4/cpu.h, mode 0
corresponds to kernel mode (SR_MD = 1), while mode 1 corresponds to user
mode (SR_MD = 0).
The TCG code is called through a procedure call using the prologue
and epilogue code. This code does not save and restore enough registers.
The "Procedure Call Standard for the ARM Architecture" says:
A subroutine must preserve the contents of the registers r4-r8, r10,
r11 and SP (and r9 in PCS variants that designate r9 as v6).
The current code only saves and restores r9 to r11, and misses r4 to
r8. The patch fixes that by saving r4 to r12. Theoretically there is
no need to save and restore r12, but an even number of registers have
to be saved as per EABI.
workaround for cmd646 bmdma register access while no dma is active
This is a workaround only, and is a partial revert
of a few changes to BMDMAState which removed pci_dev
field on the way.
- cmd646 pci_from_bm() expects bm->unit value to
correspond with bm data being passed to callback
as opaque pointer. This breaks when write to dma
control register of second channel happens when no
dma operation is in progress, so bm->unit is zero
for second channel, and pci_from_bm() returns garbage
pointer. Crash happens shortly after that while
dereferencing that pointer.
v0->v1: cleaned up dead code from pci_from_bm.
Signed-off-by: Igor V. Kovalenko <igor.v.kovalenko@gmail.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 90228ee395b71cdd64e6bc844e3d553eb9ef643f)
Gerd Hoffmann [Wed, 10 Mar 2010 16:30:29 +0000 (17:30 +0100)]
fdc: fix drive property handling.
Fix the floppy controller init wrappers to set the drive properties
only in case the DriveInfo pointers passed in are non NULL. This allows
to set the properties using -global.
Aurelien Jarno [Sat, 6 Mar 2010 17:02:31 +0000 (18:02 +0100)]
target-i386: fix SIB decoding with index = 4
A SIB byte with an index of 4 means "no scaled index", even if the scale
value is not 0. In 64-bit mode, if REX.X is used, an index of 4 selects
%r12. This is correctly handled by the computation of the index variable,
which includes the index bits, and also the REX.X prefix:
index = ((code >> 3) & 7) | REX_X(s);
Thanks to Avi Kivity, Jamie Lokier and Malc for the analysis of the
problem and the initial patch.
Ryan Harper [Tue, 23 Feb 2010 15:13:14 +0000 (09:13 -0600)]
Fix segfault with ram_size > 4095M without kvm
Currently, x86_64-softmmu qemu segfaults when trying to use > 4095M memsize.
This patch adds a simple check and error message (much like the 2047 limit on
32-bit hosts) on ram_size in the control path after we determine we're
not using kvm
Upstream qemu-kvm is affected if using the -no-kvm option; this patch address
the segfault there as well.
Signed-off-by: Ryan Harper <ryanh@us.ibm.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Paolo Bonzini [Thu, 4 Feb 2010 13:31:50 +0000 (14:31 +0100)]
fix undefined shifts by >32
This one is for 0.12 too.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 0dfbd514460045e3af1ed6805ab97ffedbbd1ab2)
Kevin Wolf [Tue, 16 Feb 2010 14:54:49 +0000 (15:54 +0100)]
qcow2: Fix access after end of array
If a write requests crosses a L2 table boundary and all clusters until the
end of the L2 table are usable for the request, we must not look at the next
L2 entry because we already have arrived at the end of the array.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 4805bb66969622f86376191c94c4748bce91e6be)
net: Monitor command set_link finds only VLAN clients, fix
Clients not associated with a VLAN exist since commit d80b9fc6.
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2583ba97ef1de6040b7d0afd2b66737515de5423)