aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-08-11virtio-console: set frontend open permanently for console devsDaniel P. Berrange
The virtio-console.c file handles both serial consoles and interactive consoles, since they're backed by the same device model. Since serial devices are expected to be reliable and need to notify the guest when the backend is opened or closed, the virtio-console.c file wires up support for chardev events. This affects both serial consoles and interactive consoles, using a network connection based chardev backend such as 'socket', but not when using a PTY based backend or plain 'file' backends. When the host side is not connected the handle_output() method in virtio-serial-bus.c will drop any data sent by the guest, before it even reaches the virtio-console.c code. This means that if the chardev has a logfile configured, the data will never get logged. Consider for example, configuring a x86_64 guest with a plain UART serial port -chardev socket,id=charserial1,host=127.0.0.1,port=9001,server,nowait,logfile=console1.log,logappend=on -device isa-serial,chardev=charserial1,id=serial1 vs a s390 guest which has to use the virtio-console port -chardev socket,id=charconsole1,host=127.0.0.1,port=9000,server,nowait,logfile=console2.log,logappend=on -device virtconsole,chardev=charconsole1,id=console1 The isa-serial one gets data written to the log regardless of whether a client is connected, while the virtioconsole one only gets data written to the log when a client is connected. There is no need for virtio-serial-bus.c to aggressively drop the data for console devices, as the chardev code is prefectly capable of discarding the data itself. So this patch changes virtconsole devices so that they are always marked as having the host side open. This ensures that the guest OS will always send any data it has (Linux virtio-console hvc driver actually ignores the host open state and sends data regardless, but we should not rely on that), and also prevents the virtio-serial-bus code prematurely discarding data. The behaviour of virtserialport devices is *not* changed, only virtconsole, because for the former, it is important that the guest OSknow exactly when the host side is opened / closed so it can do any protocol re-negotiation that may be required. Fixes bug: https://bugs.launchpad.net/qemu/+bug/1599214 Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1470241360-3574-2-git-send-email-berrange@redhat.com> Signed-off-by: Amit Shah <amit.shah@redhat.com>
2016-08-10Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
virtio/vhost: fixes some bugfixes for virtio/vhost Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Wed 10 Aug 2016 16:16:22 BST # gpg: using RSA key 0x281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: vhost-user: Attempt to fix a race with set_mem_table. vhost-user: Introduce a new protocol feature REPLY_ACK. vhost: check for vhost_ops before using. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-10Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* pc-bios/optionrom/Makefile fixes * warning fixes for __atomic_load and -1 << x in clang * missed interrupt fix from Gonglei * checkpatch fix from Radim and myself # gpg: Signature made Wed 10 Aug 2016 14:54:31 BST # gpg: using RSA key 0xBFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: checkpatch: default to success if only warnings checkpatch: bump most warnings to errors CODING_STYLE, checkpatch: update line length rules checkpatch: check for CVS keywords on all sources checkpatch: tweak the files in which TABs are checked timer: set vm_clock disabled default checkpatch: ignore automatically imported Linux headers clang: Fix warning reg. expansion to 'defined' Disable warn about left shifts of negative values atomic: strip "const" from variables declared with typeof optionrom: fix compilation with mingw docker target optionrom: add -fno-stack-protector build-sys: fix building with make CFLAGS=.. argument linuxboot_dma: avoid guest ABI breakage on gcc vs. clang compilation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-10vhost-user: Attempt to fix a race with set_mem_table.Prerna Saxena
The set_mem_table command currently does not seek a reply. Hence, there is no easy way for a remote application to notify to QEMU when it finished setting up memory, or if there were errors doing so. As an example: (1) Qemu sends a SET_MEM_TABLE to the backend (eg, a vhost-user net application). SET_MEM_TABLE does not require a reply according to the spec. (2) Qemu commits the memory to the guest. (3) Guest issues an I/O operation over a new memory region which was configured on (1). (4) The application has not yet remapped the memory, but it sees the I/O request. (5) The application cannot satisfy the request because it does not know about those GPAs. While a guaranteed fix would require a protocol extension (committed separately), a best-effort workaround for existing applications is to send a GET_FEATURES message before completing the vhost_user_set_mem_table() call. Since GET_FEATURES requires a reply, an application that processes vhost-user messages synchronously would probably have completed the SET_MEM_TABLE before replying. Signed-off-by: Prerna Saxena <prerna.saxena@nutanix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10vhost-user: Introduce a new protocol feature REPLY_ACK.Prerna Saxena
This introduces the VHOST_USER_PROTOCOL_F_REPLY_ACK. If negotiated, client applications should send a u64 payload in response to any message that contains the "need_reply" bit set on the message flags. Setting the payload to "zero" indicates the command finished successfully. Likewise, setting it to "non-zero" indicates an error. Currently implemented only for SET_MEM_TABLE. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Prerna Saxena <prerna.saxena@nutanix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10vhost: check for vhost_ops before using.Ilya Maximets
'vhost_set_vring_enable()' tries to call function using pointer to 'vhost_ops' which can be already zeroized in 'vhost_dev_cleanup()' while vhost disconnection. Fix that by checking 'vhost_ops' before using. This fixes QEMU crash on calling 'ethtool -L eth0 combined 2' if vhost disconnected. Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2016-08-10Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160810' ↵Peter Maydell
into staging ppc patch queue for 2016-08-10 Here are some more last minute PAPR and ppc related fixes for qemu-2.7. One patch makes compressed memory dumps work with guest kernels using page sizes up to 64KiB. This is important since most current pseries guests use a 64KiB default page size. The remainder fix a regression with handling of CPU aliases which causes serious problem for libvirt. # gpg: Signature made Wed 10 Aug 2016 06:44:27 BST # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.7-20160810: ppc/kvm: Register also a generic spapr CPU core family type ppc/kvm: Do not mess up the generic CPU family registration hw/ppc/spapr: Look up CPU alias names instead of hard-coding the aliases ppc: Introduce a function to look up CPU alias strings spapr: remove extra type variable ppc64: fix compressed dump with pseries kernel Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-10checkpatch: default to success if only warningsPaolo Bonzini
CHK-level checks have been removed from checkpatch or bumped to errors, so there is no effect anymore for --strict/--subjective. Furthermore, even most WARNs have been bumped to errors, with WARN only reserved to things that patchew probably ought not to complain about (and that maintainers probably will notice anyway during review if they are extreme). Default to exiting with success even if there are WARN-level failures, and cause --strict to fail for warnings. Maintainers that want to have a strict 80-character limit for their subsystem can add it to a commit hook for example. The --subjective synonym is removed. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-10checkpatch: bump most warnings to errorsPaolo Bonzini
This only leaves a warning-level message for the extra-long lines soft limit. Everything else is bumped up. In the future warnings can be added for checks that can have false positives. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-10CODING_STYLE, checkpatch: update line length rulesPaolo Bonzini
Line lengths above 80 characters do exist. They are rare, but they happen from time to time. An ignored rule is worse than an exception to the rule, so do the latter. Some on the list expressed their preference for a soft limit that is slightly lower than 80 characters, to account for extra characters in unified diffs (including three-way diffs) and for email quoting. However, there was no consensus on this so keep the 80-character soft limit and add a hard limit at 90. Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-10checkpatch: check for CVS keywords on all sourcesPaolo Bonzini
These should apply to all files, not just C/C++. Tweak the regular expression to check for whole words, to avoid false positives on Perl variables starting with "Id". Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-10checkpatch: tweak the files in which TABs are checkedPaolo Bonzini
Include Python and shell scripts, and make an exception for Perl scripts we imported from Linux or elsewhere. Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-10ppc/kvm: Register also a generic spapr CPU core family typeThomas Huth
There is a regression with the "-cpu" parameter introduced by the spapr CPU hotplug code: We used to allow to specify a "CPU family" name with the "-cpu" parameter when running on KVM so that the user does not need to know the gory details of the exact CPU version of the host CPU. For example, it was possible to use "-cpu POWER8" on a POWER8E host CPU. This behavior does not work anymore with the new hot-pluggable spapr-cpu-core types. Since libvirt already heavily depends on the old behavior, this is quite a severe regression in the QEMU parameter interface. Let's fix it by supporting a CPU family type for the spapr-cpu-core on KVM, too. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1363812 Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10ppc/kvm: Do not mess up the generic CPU family registrationThomas Huth
The code for registering the sPAPR CPU host core type has been added inbetween the generic CPU host core type and the generic CPU family type. That way the instance_init and the class_init information got lost when registering the generic CPU family type. Fix it by moving the generic family registration before the spapr cpu core registration code. Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10hw/ppc/spapr: Look up CPU alias names instead of hard-coding the aliasesThomas Huth
Hard-coding the CPU alias names in the spapr_cores[] array has two big disadvantages: 1) We register a real type with the CPU alias name in spapr_cpu_core_register_types() - this prevents us from registering a CPU family name in kvm_ppc_register_host_cpu_type() with the same name (as we do it for the non-hotpluggable CPU types). 2) It's quite cumbersome to maintain the aliases here in sync with the ppc_cpu_aliases list from target-ppc/cpu-models.c. So let's simply add proper alias lookup to the spapr cpu core code, too (by checking whether the given model can be used directly, and if not by trying to look up the given model as an alias name instead). Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10ppc: Introduce a function to look up CPU alias stringsThomas Huth
We will need this function to look up the aliases in the spapr-cpu-core code, too. Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10spapr: remove extra type variableCédric Le Goater
The sPAPR CPU core typename is already available in the upper block. Let's use it and move the check upward also. Signed-off-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-10ppc64: fix compressed dump with pseries kernelLaurent Vivier
If we don't provide the page size in target-ppc:cpu_get_dump_info(), the default one (TARGET_PAGE_SIZE, 4KB) is used to create the compressed dump. It works fine with Macintosh, but not with pseries as the kernel default page size is 64KB. Without this patch, if we generate a compressed dump in the QEMU monitor: (qemu) dump-guest-memory -z qemu.dump This dump cannot be read by crash: # crash vmlinux qemu.dump ... WARNING: cannot translate vmemmap kernel virtual addresses: commands requiring page structure contents will fail ... Page_size is used to determine the dumpfile's block size. The block size needs to be at least the page size, but a multiple of page size works fine too. For PPC64, linux supports either 4KB or 64KB software page size. So we define the page_size to 64KB. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Andrew Jones <drjones@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2016-08-09timer: set vm_clock disabled defaultGonglei
(commit 80dcfb8532ae76343109a48f12ba8ca1c505c179) Upon migration, the code use a timer based on vm_clock for 1ns in the future from post_load to do the event send in case host_connected differs between migration source and target. However, it's not guaranteed that the apic is ready to inject irqs into the guest, and the irq line remained high, resulting in any future interrupts going unnoticed by the guest as well. That's because 1) the migration coroutine is not blocked when it get EAGAIN while reading QEMUFile. 2) The vm_clock is enabled default currently, it doesn't rely on the calling of vm_start(), that means vm_clock timers can run before VCPUs are running. So, let's set the vm_clock disabled default, keep the initial intention of design for vm_clock timers. Meanwhile, change the test-aio usecase, using QEMU_CLOCK_REALTIME instead of QEMU_CLOCK_VIRTUAL as the block code does. CC: Paolo Bonzini <pbonzini@redhat.com> CC: Dr. David Alan Gilbert <dgilbert@redhat.com> CC: qemu-stable@nongnu.org Signed-off-by: Gonglei <arei.gonglei@huawei.com> Message-Id: <1470728955-90600-1-git-send-email-arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09checkpatch: ignore automatically imported Linux headersRadim Krčmář
Linux uses tabs for indentation and checkpatch always complained about automatically imported headers. update-linux-headers.sh could be modified to expand tabs, but there is no real reason to complain about any ugly code in Linux headers, so skip all hunk-related checks. Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09clang: Fix warning reg. expansion to 'defined'Pranith Kumar
Clang produces the following warning. The warning is detailed here: https://reviews.llvm.org/D15866. Fix the warning. /home/pranith/devops/code/qemu/hw/display/qxl.c:507:5: warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined] ^ /home/pranith/devops/code/qemu/include/ui/qemu-spice.h:46:5: note: expanded from macro 'SPICE_NEEDS_SET_MM_TIME' (!defined(SPICE_SERVER_VERSION) || (SPICE_SERVER_VERSION < 0xc06)) ^ /home/pranith/devops/code/qemu/hw/display/qxl.c:1074:5: warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined] ^ /home/pranith/devops/code/qemu/include/ui/qemu-spice.h:46:5: note: expanded from macro 'SPICE_NEEDS_SET_MM_TIME' (!defined(SPICE_SERVER_VERSION) || (SPICE_SERVER_VERSION < 0xc06)) Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Pranith Kumar <bobby.prani@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09Disable warn about left shifts of negative valuesPranith Kumar
It seems like there's no good reason for the compiler to exploit the undefinedness of left shifts. GCC explicitly documents that they do not use at all this possibility and, while they also say this is subject to change, they have been saying this for 10 years (since the wording appeared in the GCC 4.0 manual). Disable these warnings by passing in -Wno-shift-negative-value. Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Markus Armbruster <armbru@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> [pranith: forward-port part of patch to 2.7] Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
2016-08-09atomic: strip "const" from variables declared with typeofPaolo Bonzini
With the latest clang, we have the following warning: /home/pranith/devops/code/qemu/include/qemu/seqlock.h:62:21: warning: passing 'typeof (*&sl->sequence) *' (aka 'const unsigned int *') to parameter of type 'unsigned int *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers] return unlikely(atomic_read(&sl->sequence) != start); ^~~~~~~~~~~~~~~~~~~~~~~~~~ /home/pranith/devops/code/qemu/include/qemu/atomic.h:58:25: note: expanded from macro 'atomic_read' __atomic_load(ptr, &_val, __ATOMIC_RELAXED); \ ^~~~~ Stripping const is a bit tricky due to promotions, but it is doable with either C11 _Generic or GCC extensions. Use the latter. Reported-by: Pranith Kumar <bobby.prani@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> [pranith: Add conversion for bool type] Signed-off-by: Pranith Kumar <bobby.prani@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09optionrom: fix compilation with mingw docker targetPaolo Bonzini
Two fixes are needed. First, mingw does not have -D_FORTIFY_SOURCE, hence --enable-debug disables optimization. This is not acceptable for ROMs, which should override CFLAGS to force inclusion of -O2. Second, PE stores global constructors and destructors using the following linker script snippet: ___CTOR_LIST__ = .; __CTOR_LIST__ = . ; LONG (-1);*(.ctors); *(.ctor); *(SORT(.ctors.*)); LONG (0); ___DTOR_LIST__ = .; __DTOR_LIST__ = . ; LONG (-1); *(.dtors); *(.dtor); *(SORT(.dtors.*)); LONG (0); The LONG directives cause the .img files to be 16 bytes too large; the recently added check to signrom.py catches this. To fix this, replace -T and -e options with a linker script. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09optionrom: add -fno-stack-protectorPaolo Bonzini
This is required by OpenBSD. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09build-sys: fix building with make CFLAGS=.. argumentMarc-André Lureau
When calling make with a CFLAGS=.. argument, the -g/-O filter is not applied, which may result with build failure with ASAN for example. It could be solved with an 'override' directive on CFLAGS, but that would actually prevent setting different CFLAGS manually. Instead, filter the CFLAGS argument from the top-level Makefile (so you could still call make with a different CFLAGS argument on a rom/Makefile manually) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20160805082421.21994-2-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09linuxboot_dma: avoid guest ABI breakage on gcc vs. clang compilationPaolo Bonzini
Recent GCC compiles linuxboot_dma.c to 921 bytes, while CentOS 6 needs 1029 and clang needs 1527. Because the size of the ROM, rounded to the next 512 bytes, must match, this causes the API to break between a <1K ROM and one that is bigger. We want to make the ROM 1.5 KB in size, but it's better to make clang produce leaner ROMs, because currently it is worryingly close to the limit. To fix this prevent clang's happy inlining (which -Os cannot prevent). This only requires adding a noinline attribute. Second, the patch makes sure that the ROM has enough padding to prevent ABI breakage on different compilers. The size is now hardcoded in the file that is passed to signrom.py, as was the case before commit 6f71b77 ("scripts/signrom.py: Allow option ROM checksum script to write the size header.", 2016-05-23); signrom.py however will still pad the input to the requested size. This ensures that the padding goes beyond the next multiple of 512 if necessary, and also avoids the need for -fno-toplevel-reorder which clang doesn't support. signrom.py can then error out if the requested size is too small for the actual size of the compiled ROM. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-08-09Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into stagingPeter Maydell
# gpg: Signature made Tue 09 Aug 2016 16:47:32 BST # gpg: using RSA key 0x7DEF8106AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/ide-pull-request: atapi: fix halted DMA reset Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-09atapi: fix halted DMA resetJohn Snow
Followup to 87ac25fd, this time for ATAPI DMA. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com> Message-id: 1470164128-28158-1-git-send-email-jsnow@redhat.com Acked-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
2016-08-09Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell
staging # gpg: Signature made Tue 09 Aug 2016 08:28:39 BST # gpg: using RSA key 0xEF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite net: vmxnet3: check for device_active before write net: check fragment length during fragmentation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-09hw/net: Fix a heap overflow in xlnx.xps-ethernetlitechaojianhu
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-09net: vmxnet3: check for device_active before writeLi Qiang
Vmxnet3 device emulator does not check if the device is active, before using it for write. It leads to a use after free issue, if the vmxnet3_io_bar0_write routine is called after the device is deactivated. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-09net: check fragment length during fragmentationPrasad J Pandit
Network transport abstraction layer supports packet fragmentation. While fragmenting a packet, it checks for more fragments from packet length and current fragment length. It is susceptible to an infinite loop, if the current fragment length is zero. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> CC: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-08-08Update version for v2.7.0-rc2 releasev2.7.0-rc2Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2016-08-08' ↵Peter Maydell
into staging Monitor patches for 2016-08-08 # gpg: Signature made Mon 08 Aug 2016 13:24:42 BST # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-monitor-2016-08-08: audio: clean up before monitor clean up monitor: fix crash when leaving qemu with spice audio Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into stagingPeter Maydell
More block layer patches for 2.7.0-rc2 # gpg: Signature made Mon 08 Aug 2016 12:51:30 BST # gpg: using RSA key 0x7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: iotests: fix 109 mirror: finish earlier on error tests: Test blockjob IDs block/qdev: Let 'drive' property fall back to node name Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20160808' into stagingPeter Maydell
One more s390x fix for a bug in the pci rework. # gpg: Signature made Mon 08 Aug 2016 11:49:34 BST # gpg: using RSA key 0xDECF6B93C6F02FAF # gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>" # gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" # Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF * remotes/cohuck/tags/s390x-20160808: s390x/pci: fix null pointer bug Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08hw/sparc/leon3: Don't call get_image_size() on a NULL pointerPeter Maydell
get_image_size() doesn't handle being passed a NULL pointer, so avoid doing that. Spotted by the clang ub sanitizer (which notices the attempt to pass NULL to open()). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1470391439-28427-1-git-send-email-peter.maydell@linaro.org
2016-08-08Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2016-08-08' ↵Peter Maydell
into staging Error reporting patches for 2016-08-08 # gpg: Signature made Mon 08 Aug 2016 08:14:49 BST # gpg: using RSA key 0x3870B400EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-error-2016-08-08: error: Fix error_printf() calls lacking newlines vfio: Use error_report() instead of error_printf() for errors checkpatch: Fix newline detection in error_setg() & friends error: Strip trailing '\n' from error string arguments (again) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08audio: clean up before monitor clean upMarc-André Lureau
Since aa5cb7f5e, the chardevs are being cleaned up when leaving qemu, before the atexit() handlers. audio_cleanup() may use the monitor to notify of changes. For compatibility reasons, let's clean up audio before the monitor so it keeps emitting monitor events. The audio_atexit() function is made idempotent (so it can be called multiple times), and renamed to audio_cleanup(). Since coreaudio backend is using a 'isAtexit' code path, change it to check audio_is_cleaning_up() instead, so the path is taken during normal exit. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20160801112343.29082-3-marcandre.lureau@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-08-08monitor: fix crash when leaving qemu with spice audioMarc-André Lureau
Since aa5cb7f5e, the chardevs are being cleaned up when leaving qemu. However, the monitor has still references to them, which may lead to crashes when running atexit() and trying to send monitor events: #0 0x00007fffdb18f6f5 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #1 0x00007fffdb1912fa in __GI_abort () at abort.c:89 #2 0x0000555555c263e7 in error_exit (err=22, msg=0x555555d47980 <__func__.13537> "qemu_mutex_lock") at util/qemu-thread-posix.c:39 #3 0x0000555555c26488 in qemu_mutex_lock (mutex=0x5555567a2420) at util/qemu-thread-posix.c:66 #4 0x00005555558c52db in qemu_chr_fe_write (s=0x5555567a2420, buf=0x55555740dc40 "{\"timestamp\": {\"seconds\": 1470041716, \"microseconds\": 989699}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"127.0.0.1\"}, \"client\": {\"port\": \"40272\", \"f"..., len=240) at qemu-char.c:280 #5 0x0000555555787cad in monitor_flush_locked (mon=0x5555567bd9e0) at /home/elmarco/src/qemu/monitor.c:311 #6 0x0000555555787e46 in monitor_puts (mon=0x5555567bd9e0, str=0x5555567a44ef "") at /home/elmarco/src/qemu/monitor.c:353 #7 0x00005555557880fe in monitor_json_emitter (mon=0x5555567bd9e0, data=0x5555567c73a0) at /home/elmarco/src/qemu/monitor.c:401 #8 0x00005555557882d2 in monitor_qapi_event_emit (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x5555567c73a0) at /home/elmarco/src/qemu/monitor.c:472 #9 0x000055555578838f in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x5555567c73a0, errp=0x7fffffffca88) at /home/elmarco/src/qemu/monitor.c:497 #10 0x0000555555c15541 in qapi_event_send_spice_disconnected (server=0x5555571139d0, client=0x5555570d0db0, errp=0x5555566c0428 <error_abort>) at qapi-event.c:1038 #11 0x0000555555b11bc6 in channel_event (event=3, info=0x5555570d6c00) at ui/spice-core.c:248 #12 0x00007fffdcc9983a in adapter_channel_event (event=3, info=0x5555570d6c00) at reds.c:120 #13 0x00007fffdcc99a25 in reds_handle_channel_event (reds=0x5555567a9d60, event=3, info=0x5555570d6c00) at reds.c:324 #14 0x00007fffdcc7d4c4 in main_dispatcher_self_handle_channel_event (self=0x5555567b28b0, event=3, info=0x5555570d6c00) at main-dispatcher.c:175 #15 0x00007fffdcc7d5b1 in main_dispatcher_channel_event (self=0x5555567b28b0, event=3, info=0x5555570d6c00) at main-dispatcher.c:194 #16 0x00007fffdcca7674 in reds_stream_push_channel_event (s=0x5555570d9910, event=3) at reds-stream.c:354 #17 0x00007fffdcca749b in reds_stream_free (s=0x5555570d9910) at reds-stream.c:323 #18 0x00007fffdccb5dad in snd_disconnect_channel (channel=0x5555576a89a0) at sound.c:229 #19 0x00007fffdccb9e57 in snd_detach_common (worker=0x555557739720) at sound.c:1589 #20 0x00007fffdccb9f0e in snd_detach_playback (sin=0x5555569fe3f8) at sound.c:1602 #21 0x00007fffdcca3373 in spice_server_remove_interface (sin=0x5555569fe3f8) at reds.c:3387 #22 0x00005555558ff6e2 in line_out_fini (hw=0x5555569fe370) at audio/spiceaudio.c:152 #23 0x00005555558f909e in audio_atexit () at audio/audio.c:1754 #24 0x00007fffdb1941e8 in __run_exit_handlers (status=0, listp=0x7fffdb5175d8 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82 #25 0x00007fffdb194235 in __GI_exit (status=<optimized out>) at exit.c:104 #26 0x00007fffdb17b738 in __libc_start_main (main=0x5555558d7874 <main>, argc=67, argv=0x7fffffffcf48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffcf38) at ../csu/libc-start.c:323 Add a monitor_cleanup() functions to remove all the monitors before cleaning up the chardev. Note that we are "losing" some events that used to be sent during atexit(). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20160801112343.29082-2-marcandre.lureau@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-08-08Merge remote-tracking branch ↵Peter Maydell
'remotes/elmarco/tags/leaks-for-2.7-pull-request' into staging # gpg: Signature made Sun 07 Aug 2016 21:03:14 BST # gpg: using RSA key 0xDAE8E10975969CE5 # gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" # gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5 * remotes/elmarco/tags/leaks-for-2.7-pull-request: ahci: fix sglist leak on retry usb: free leaking path usb: free USBDevice.strings virtio-input: free config list qjson: free str ahci: free irqs array char: free MuxDriver when closing char: free the tcp connection data when closing numa: do not leak NumaOptions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08iotests: fix 109Vladimir Sementsov-Ogievskiy
109 iotest is broken for raw after 0965a41e998ab820b5 [mirror: double performance of the bulk stage if the disc is full] The problem is with finishing block-job with error: before specified patch mirror was not very async and it created one big request at disk start, this request finished with error and qemu produced BLOCK_JOB_COMPLETED with zero progress. After 0965a41, mirror starts several smaller requests in parallel, when BLOCK_JOB_COMPLETED emited we have some successful non-zero progress. This patch solves the issue by filtering out progress from 109 test output. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-08-08mirror: finish earlier on errorVladimir Sementsov-Ogievskiy
Stop to produce new async copy requests from mirror_iteration if critical error (error action = BLOCK_ERROR_ACTION_REPORT) detected. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-08-08tests: Test blockjob IDsAlberto Garcia
Since 7f0317cfc8da6 we have API to specify the ID of block jobs and we also guarantee that they are well-formed and unique. This patch adds tests to check some common scenarios. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-08-08block/qdev: Let 'drive' property fall back to node nameKevin Wolf
If a qdev block device is created with an anonymous BlockBackend (i.e. a node name rather than a BB name was given for the drive property), qdev used to return an empty string when the property was read. This patch fixes it to return the node name instead. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2016-08-08s390x/pci: fix null pointer bugYi Min Zhao
We should make sure that it's not NULL firstly. Signed-off-by: Yi Min Zhao <zyimin@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-08-08Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.7-20160808' ↵Peter Maydell
into staging ppc patch queue 2016-08-08 This batch has several last minute bug fixes to be merged for qemu-2.7. # gpg: Signature made Mon 08 Aug 2016 03:40:58 BST # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.7-20160808: spapr: Fix undefined behaviour in spapr_tce_reset() macio: set res_count value to 0 after non-block ATAPI DMA transfers spapr: Correctly set query_hotpluggable_cpus hook based on machine version Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20160805' into stagingPeter Maydell
indirect register lowering # gpg: Signature made Fri 05 Aug 2016 17:34:53 BST # gpg: using RSA key 0xAD1270CC4DD0279B # gpg: Good signature from "Richard Henderson <rth7680@gmail.com>" # gpg: aka "Richard Henderson <rth@redhat.com>" # gpg: aka "Richard Henderson <rth@twiddle.net>" # Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC 16A4 AD12 70CC 4DD0 279B * remotes/rth/tags/pull-tcg-20160805: tcg: Lower indirect registers in a separate pass tcg: Require liveness analysis tcg: Include liveness info in the dumps tcg: Compress dead_temps and mem_temps into a single array tcg: Fold life data into TCGOp tcg: Reorg TCGOp chaining tcg: Compress liveness data to 16 bits Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-08-08error: Fix error_printf() calls lacking newlinesMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1470224274-31522-5-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>