From 8156d480861e937768d7d9ac0b73c1e74c368f1d Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Thu, 2 Jun 2016 10:48:25 +0200 Subject: pc: allow raising low memory via max-ram-below-4g option This patch extends the functionality of the max-ram-below-4g option to also allow increasing lowmem. Use case: Give as much memory as possible to legacy non-PAE guests. While being at it also rework the lowmem calculation logic and add a longish comment describing how it works and what the compatibility constrains are. Note: This is a incompatible change. When setting max-ram-below-4g to a value larger than 3.5G (or 3G with gigabyte alignment) it has no effect on older qemu versions: qemu silently ignores it. With the patch applied it actually has an effect and changes the ram layout. Highly unlikely to hit in practive though as there is no reason start old qemu versions that way. Signed-off-by: Gerd Hoffmann Reviewed-by: Eduardo Habkost Message-Id: <1464857305-26675-1-git-send-email-kraxel@redhat.com> Signed-off-by: Paolo Bonzini --- hw/i386/pc.c | 2 +- hw/i386/pc_piix.c | 61 +++++++++++++++++++++++++++++++++++-------------------- 2 files changed, 40 insertions(+), 23 deletions(-) (limited to 'hw') diff --git a/hw/i386/pc.c b/hw/i386/pc.c index e29ccc8341..bfaf5a399b 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -1893,7 +1893,7 @@ static void pc_machine_initfn(Object *obj) pc_machine_get_hotplug_memory_region_size, NULL, NULL, NULL, &error_abort); - pcms->max_ram_below_4g = 1ULL << 32; /* 4G */ + pcms->max_ram_below_4g = 0xe0000000; /* 3.5G */ object_property_add(obj, PC_MACHINE_MAX_RAM_BELOW_4G, "size", pc_machine_get_max_ram_below_4g, pc_machine_set_max_ram_below_4g, diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c index 24e7042680..7b4790f86f 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c @@ -87,29 +87,46 @@ static void pc_init1(MachineState *machine, MemoryRegion *rom_memory; ram_addr_t lowmem; - /* Check whether RAM fits below 4G (leaving 1/2 GByte for IO memory). - * If it doesn't, we need to split it in chunks below and above 4G. - * In any case, try to make sure that guest addresses aligned at - * 1G boundaries get mapped to host addresses aligned at 1G boundaries. - * For old machine types, use whatever split we used historically to avoid - * breaking migration. - */ - if (machine->ram_size >= 0xe0000000) { - lowmem = pcmc->gigabyte_align ? 0xc0000000 : 0xe0000000; - } else { - lowmem = 0xe0000000; - } - - /* Handle the machine opt max-ram-below-4g. It is basically doing - * min(qemu limit, user limit). + /* + * Calculate ram split, for memory below and above 4G. It's a bit + * complicated for backward compatibility reasons ... + * + * - Traditional split is 3.5G (lowmem = 0xe0000000). This is the + * default value for max_ram_below_4g now. + * + * - Then, to gigabyte align the memory, we move the split to 3G + * (lowmem = 0xc0000000). But only in case we have to split in + * the first place, i.e. ram_size is larger than (traditional) + * lowmem. And for new machine types (gigabyte_align = true) + * only, for live migration compatibility reasons. + * + * - Next the max-ram-below-4g option was added, which allowed to + * reduce lowmem to a smaller value, to allow a larger PCI I/O + * window below 4G. qemu doesn't enforce gigabyte alignment here, + * but prints a warning. + * + * - Finally max-ram-below-4g got updated to also allow raising lowmem, + * so legacy non-PAE guests can get as much memory as possible in + * the 32bit address space below 4G. + * + * Examples: + * qemu -M pc-1.7 -m 4G (old default) -> 3584M low, 512M high + * qemu -M pc -m 4G (new default) -> 3072M low, 1024M high + * qemu -M pc,max-ram-below-4g=2G -m 4G -> 2048M low, 2048M high + * qemu -M pc,max-ram-below-4g=4G -m 3968M -> 3968M low (=4G-128M) */ - if (lowmem > pcms->max_ram_below_4g) { - lowmem = pcms->max_ram_below_4g; - if (machine->ram_size - lowmem > lowmem && - lowmem & ((1ULL << 30) - 1)) { - error_report("Warning: Large machine and max_ram_below_4g(%"PRIu64 - ") not a multiple of 1G; possible bad performance.", - pcms->max_ram_below_4g); + lowmem = pcms->max_ram_below_4g; + if (machine->ram_size >= pcms->max_ram_below_4g) { + if (pcmc->gigabyte_align) { + if (lowmem > 0xc0000000) { + lowmem = 0xc0000000; + } + if (lowmem & ((1ULL << 30) - 1)) { + error_report("Warning: Large machine and max_ram_below_4g " + "(%" PRIu64 ") not a multiple of 1G; " + "possible bad performance.", + pcms->max_ram_below_4g); + } } } -- cgit v1.2.3 From 4b3eec91b90346c57ec99694ddc806b70a54ff90 Mon Sep 17 00:00:00 2001 From: xiaoqiang zhao Date: Wed, 1 Jun 2016 15:58:18 +0800 Subject: hw/char: QOM'ify escc.c (fix) The previous commit e7c9136977cb99c6eb52c9139f7b8d8b5fa87db9 (hw/char: QOM'ify escc.c) cause qemu-system-ppc/ppc64 OpenBIOS to freeze on startup, this commit fix it. Signed-off-by: xiaoqiang zhao Tested-by: Mark Cave-Ayland Message-Id: <1464767898-30526-1-git-send-email-zxq_yx_007@163.com> Signed-off-by: Paolo Bonzini --- hw/char/escc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'hw') diff --git a/hw/char/escc.c b/hw/char/escc.c index 8e6a7df465..31a5f902f9 100644 --- a/hw/char/escc.c +++ b/hw/char/escc.c @@ -989,18 +989,13 @@ static void escc_init1(Object *obj) SysBusDevice *dev = SYS_BUS_DEVICE(obj); unsigned int i; - s->chn[0].disabled = s->disabled; - s->chn[1].disabled = s->disabled; for (i = 0; i < 2; i++) { sysbus_init_irq(dev, &s->chn[i].irq); s->chn[i].chn = 1 - i; - s->chn[i].clock = s->frequency / 2; } s->chn[0].otherchn = &s->chn[1]; s->chn[1].otherchn = &s->chn[0]; - memory_region_init_io(&s->mmio, obj, &escc_mem_ops, s, "escc", - ESCC_SIZE << s->it_shift); sysbus_init_mmio(dev, &s->mmio); } @@ -1009,8 +1004,15 @@ static void escc_realize(DeviceState *dev, Error **errp) ESCCState *s = ESCC(dev); unsigned int i; + s->chn[0].disabled = s->disabled; + s->chn[1].disabled = s->disabled; + + memory_region_init_io(&s->mmio, OBJECT(dev), &escc_mem_ops, s, "escc", + ESCC_SIZE << s->it_shift); + for (i = 0; i < 2; i++) { if (s->chn[i].chr) { + s->chn[i].clock = s->frequency / 2; qemu_chr_add_handlers(s->chn[i].chr, serial_can_receive, serial_receive1, serial_event, &s->chn[i]); } -- cgit v1.2.3 From ff589551c8e8e9e95e211b9d8daafb4ed39f1aec Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Mon, 6 Jun 2016 22:04:43 +0530 Subject: scsi: esp: check TI buffer index before read/write The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte FIFO buffers. One is used to handle commands and other is for information transfer. Three control variables 'ti_rptr', 'ti_wptr' and 'ti_size' are used to control r/w access to the information transfer buffer ti_buf[TI_BUFSZ=16]. In that, 'ti_rptr' is used as read index, where read occurs. 'ti_wptr' is a write index, where write would occur. 'ti_size' indicates total bytes to be read from the buffer. While reading/writing to this buffer, index could exceed its size. Add check to avoid OOB r/w access. Reported-by: Huawei PSIRT Reported-by: Li Qiang Signed-off-by: Prasad J Pandit Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com> Signed-off-by: Paolo Bonzini --- hw/scsi/esp.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) (limited to 'hw') diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 591c8172d5..3adb685177 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -400,19 +400,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) trace_esp_mem_readb(saddr, s->rregs[saddr]); switch (saddr) { case ESP_FIFO: - if (s->ti_size > 0) { + if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { + /* Data out. */ + qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n"); + s->rregs[ESP_FIFO] = 0; + esp_raise_irq(s); + } else if (s->ti_rptr < s->ti_wptr) { s->ti_size--; - if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { - /* Data out. */ - qemu_log_mask(LOG_UNIMP, - "esp: PIO data read not implemented\n"); - s->rregs[ESP_FIFO] = 0; - } else { - s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; - } + s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; esp_raise_irq(s); } - if (s->ti_size == 0) { + if (s->ti_rptr == s->ti_wptr) { s->ti_rptr = 0; s->ti_wptr = 0; } @@ -456,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) } else { trace_esp_error_fifo_overrun(); } - } else if (s->ti_size == TI_BUFSZ - 1) { + } else if (s->ti_wptr == TI_BUFSZ - 1) { trace_esp_error_fifo_overrun(); } else { s->ti_size++; -- cgit v1.2.3 From 6214a11ac167b1e866c04a81360286d186f04d82 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 1 Jun 2016 15:14:36 +0200 Subject: scsi: mark TYPE_SCSI_DISK_BASE as abstract Suggested-by: Stefan Hajnoczi Reviewed-by: Stefan Hajnoczi Signed-off-by: Paolo Bonzini --- hw/scsi/scsi-disk.c | 1 + 1 file changed, 1 insertion(+) (limited to 'hw') diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index ab7cf9cbf8..6724cbf8d8 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -2842,6 +2842,7 @@ static const TypeInfo scsi_disk_base_info = { .class_init = scsi_disk_base_class_initfn, .instance_size = sizeof(SCSIDiskState), .class_size = sizeof(SCSIDiskClass), + .abstract = true, }; #define DEFINE_SCSI_DISK_PROPERTIES() \ -- cgit v1.2.3 From 844864fbae66935951529408831c2f22367a57b6 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 7 Jun 2016 16:44:03 +0530 Subject: scsi: megasas: null terminate bios version buffer While reading information via 'megasas_ctrl_get_info' routine, a local bios version buffer isn't null terminated. Add the terminating null byte to avoid any OOB access. Reported-by: Li Qiang Reviewed-by: Peter Maydell Signed-off-by: Prasad J Pandit Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 1 + 1 file changed, 1 insertion(+) (limited to 'hw') diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index cc66d36186..a9ffc32682 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) ptr = memory_region_get_ram_ptr(&pci_dev->rom); memcpy(biosver, ptr + 0x41, 31); + biosver[31] = 0; memcpy(info.image_component[1].name, "BIOS", 4); memcpy(info.image_component[1].version, biosver, strlen((const char *)biosver)); -- cgit v1.2.3 From ed45cae39117d413155417b57286e9d172c4c411 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 6 Jun 2016 10:42:27 +0200 Subject: scsi-disk: add missing break Signed-off-by: Paolo Bonzini --- hw/scsi/scsi-disk.c | 1 + 1 file changed, 1 insertion(+) (limited to 'hw') diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index 6724cbf8d8..188196990e 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -2740,6 +2740,7 @@ static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf) /* 10-byte CDB. */ r->cdb1 = req->cmd.buf[1]; r->group_number = req->cmd.buf[6]; + break; case 4: /* 12-byte CDB. */ r->cdb1 = req->cmd.buf[1]; -- cgit v1.2.3