qemu-commits
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 53d421: slirp: fix clearing ifq_so from pending packets
Date: Mon, 02 Oct 2017 17:06:19 -0700

  Branch: refs/heads/stable-2.10
  Home:   https://github.com/qemu/qemu
  Commit: 53d421dd9cd11a961903b59a29176e3c11f13519
      
https://github.com/qemu/qemu/commit/53d421dd9cd11a961903b59a29176e3c11f13519
  Author: Samuel Thibault <address@hidden>
  Date:   2017-09-12 (Tue, 12 Sep 2017)

  Changed paths:
    M slirp/socket.c

  Log Message:
  -----------
  slirp: fix clearing ifq_so from pending packets

The if_fastq and if_batchq contain not only packets, but queues of packets
for the same socket. When sofree frees a socket, it thus has to clear ifq_so
from all the packets from the queues, not only the first.

Signed-off-by: Samuel Thibault <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 1201d308519f1e915866d7583d5136d03cc1d384)
Signed-off-by: Michael Roth <address@hidden>
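The commit message above describes a queue whose entries are themselves queues: each head packet in the interface queue carries a ring of further packets for the same socket, so clearing the back-pointer on the head alone leaves the ring members pointing at a socket that is about to be freed. The following is an added example, not slirp's code: a minimal model with the same field names (ifq_next, ifs_next, ifq_so), a single interface queue instead of slirp's if_fastq and if_batchq, and a constructed packet layout, showing the first-packet-only clear beside the whole-ring clear and counting the dangling references each leaves behind.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not slirp's code. A minimal model of the structure the
 * commit describes: an interface queue is a chain of "head" packets
 * linked through ifq_next, and each head owns a circular ring of further
 * packets for the same socket linked through ifs_next (a lone packet's
 * ring points back at itself). Every packet keeps an ifq_so pointer to
 * its socket, which must be cleared before the socket is freed or the
 * queue is left holding dangling pointers. Field names mirror slirp's;
 * the layout, the single queue and the sample data are assumptions. */

struct slirp_sock { int id; };

struct mbuf {
    struct mbuf *ifq_next;        /* next head in the interface queue */
    struct mbuf *ifs_next;        /* next packet for the same socket (ring) */
    struct slirp_sock *ifq_so;    /* owning socket, NULL once it is gone */
};

/* Pre-fix behaviour: looks only at the head of each per-socket ring. */
static void clear_first_only(struct mbuf *head, struct slirp_sock *so)
{
    for (struct mbuf *ifq = head; ifq; ifq = ifq->ifq_next) {
        if (ifq->ifq_so == so) {
            ifq->ifq_so = NULL;
        }
    }
}

/* Fixed behaviour: when a head belongs to the socket, walk its whole
 * ring so every queued packet for that socket drops its reference. */
static void clear_whole_ring(struct mbuf *head, struct slirp_sock *so)
{
    for (struct mbuf *ifq = head; ifq; ifq = ifq->ifq_next) {
        if (ifq->ifq_so != so) {
            continue;
        }
        struct mbuf *ifm = ifq;
        do {
            ifm->ifq_so = NULL;
            ifm = ifm->ifs_next;
        } while (ifm != ifq);
    }
}

/* Packets anywhere in the queue (heads and ring members) that still
 * point at so; after freeing so, anything nonzero is a dangling pointer. */
static int count_refs(struct mbuf *head, struct slirp_sock *so)
{
    int n = 0;
    for (struct mbuf *ifq = head; ifq; ifq = ifq->ifq_next) {
        struct mbuf *ifm = ifq;
        do {
            if (ifm->ifq_so == so) {
                n++;
            }
            ifm = ifm->ifs_next;
        } while (ifm != ifq);
    }
    return n;
}

/* Constructed queue: socket A has three packets batched behind head a1,
 * socket B has a single packet b1; the interface queue is a1 -> b1. */
static struct slirp_sock sock_a = {1}, sock_b = {2};
static struct mbuf a1, a2, a3, b1;

static void build_queue(void)
{
    a1 = (struct mbuf){ .ifq_next = &b1,  .ifs_next = &a2, .ifq_so = &sock_a };
    a2 = (struct mbuf){ .ifq_next = NULL, .ifs_next = &a3, .ifq_so = &sock_a };
    a3 = (struct mbuf){ .ifq_next = NULL, .ifs_next = &a1, .ifq_so = &sock_a };
    b1 = (struct mbuf){ .ifq_next = NULL, .ifs_next = &b1, .ifq_so = &sock_b };
}

/* References to socket A left behind after "freeing" it with either variant. */
int stale_refs_after_free(int use_fix)
{
    build_queue();
    (use_fix ? clear_whole_ring : clear_first_only)(&a1, &sock_a);
    return count_refs(&a1, &sock_a);
}

/* Socket B's packet must survive either way: only A's references go. */
int other_socket_refs_after_free(int use_fix)
{
    build_queue();
    (use_fix ? clear_whole_ring : clear_first_only)(&a1, &sock_a);
    return count_refs(&a1, &sock_b);
}

int main(void)
{
    printf("stale refs, first-packet-only clear: %d\n", stale_refs_after_free(0));
    printf("stale refs, whole-ring clear:        %d\n", stale_refs_after_free(1));
    return 0;
}
```

With the first-packet-only clear, two of socket A's three packets keep their ifq_so pointer after the socket is gone; the whole-ring clear leaves none, while socket B's packet is untouched in both cases. Any later reader of those pointers (the real queue is drained by the output path) would be a use after free, which is why a count like count_refs is a useful invariant check in a test.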


  Commit: e1b4750f06a8a04c958d98e9a15e717b18a20c54
      
https://github.com/qemu/qemu/commit/e1b4750f06a8a04c958d98e9a15e717b18a20c54
  Author: Farhan Ali <address@hidden>
  Date:   2017-09-12 (Tue, 12 Sep 2017)

  Changed paths:
    M pc-bios/s390-ccw/cio.h

  Log Message:
  -----------
  s390-ccw: Fix alignment for CCW1

The commit 198c0d1f9df8c4 ("s390x/css: check ccw address validity")
exposes an alignment issue in the ccw bios.

According to PoP the CCW must be doubleword aligned. Let's fix
this in the bios.

Cc: address@hidden
Signed-off-by: Farhan Ali <address@hidden>
Reviewed-by: Halil Pasic <address@hidden>
Reviewed-by: Eric Farman <address@hidden>
Acked-by: Christian Borntraeger <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 3a1e4561ad63b303b092387ae006bd41468ece63)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 728bfa3273ebaaab51bb41467a20790c7e5f5268
      
https://github.com/qemu/qemu/commit/728bfa3273ebaaab51bb41467a20790c7e5f5268
  Author: Richard Henderson <address@hidden>
  Date:   2017-09-12 (Tue, 12 Sep 2017)

  Changed paths:
    M target/arm/translate-a64.c

  Log Message:
  -----------
  target/arm: Fix aa64 ldp register writeback

For "ldp x0, x1, [x0]", if the second load is on a second page and
the second page is unmapped, the exception would be raised with x0
already modified.  This means the instruction couldn't be restarted.

Cc: address@hidden
Cc: address@hidden
Reported-by: Andrew <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
Message-id: address@hidden
Fixes: https://bugs.launchpad.net/qemu/+bug/1713066
Signed-off-by: Richard Henderson <address@hidden>
[PMM: tweaked comment format]
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>

(cherry picked from commit 3e4d91b94ce400326fae0850578d9e9f30a71adb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 168ff32c5d1e05d7e11db28d6bcc257783ba849a
      
https://github.com/qemu/qemu/commit/168ff32c5d1e05d7e11db28d6bcc257783ba849a
  Author: Greg Kurz <address@hidden>
  Date:   2017-09-12 (Tue, 12 Sep 2017)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  virtfs: error out gracefully when mandatory suboptions are missing

We internally convert -virtfs to -fsdev/-device. If the user doesn't
provide the path or security_model suboptions, and the fsdev backend
requires them, we hit an assertion when populating the internal -fsdev
option:

util/qemu-option.c:547: opt_set: Assertion `opt->str' failed.
Aborted (core dumped)

Let's test the suboption presence on the command line before trying
to set it in the internal -fsdev option, and let the backend code
error out gracefully (ie, like it already does when the user passes
-fsdev on the command line).

Reported-by: Thomas Huth <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
(cherry picked from commit 32b6943699948f7adc35ada233fbd25daffad5e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 85cdc23e755f1f65a1820fb68a8ed91c1f7b3a1f
      
https://github.com/qemu/qemu/commit/85cdc23e755f1f65a1820fb68a8ed91c1f7b3a1f
  Author: Pranith Kumar <address@hidden>
  Date:   2017-09-14 (Thu, 14 Sep 2017)

  Changed paths:
    M hw/intc/arm_gicv3_kvm.c

  Log Message:
  -----------
  arm_gicv3_kvm: Fix compile warning

Fix the following warning:

/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: warning: logical not is only 
applied to the left hand side of this bitwise operator 
[-Wlogical-not-parentheses]
      if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
          ^             ~
/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: note: add parentheses after 
the '!' to evaluate the bitwise operator first
      if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
          ^
/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: note: add parentheses around 
left hand side expression to silence this warning
      if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
          ^

This logic error meant we were not setting the PTZ
bit when we should -- luckily as the comment suggests
this wouldn't have had any effects beyond making GIC
initialization take a little longer.

Signed-off-by: Pranith Kumar <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 7229ec5825df6b933f150b54a8a2bedd2de1864c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 65a24b5c448710d1d2cf2ecdaea620793a9437e5
      
https://github.com/qemu/qemu/commit/65a24b5c448710d1d2cf2ecdaea620793a9437e5
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-14 (Thu, 14 Sep 2017)

  Changed paths:
    M hw/arm/allwinner-a10.c
    M scripts/device-crash-test

  Log Message:
  -----------
  hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false

QEMU currently exits unexpectedly when the user accidentally
tries to do something like this:

$ aarch64-softmmu/qemu-system-aarch64 -S -M integratorcp -nographic
QEMU 2.9.93 monitor - type 'help' for more information
(qemu) device_add allwinner-a10
Unsupported NIC model: smc91c111

Exiting just due to a "device_add" should not happen. Looking closer
at the realize and instance_init function of this device also
reveals that it is using serial_hds and nd_table directly there, so
this device is clearly not creatable by the user and should be marked
accordingly.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit dc89a180caf143a5d596d3f2f776d13be83a687d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c6841b112e995a0635db59fe25da9a308c595b7a
      
https://github.com/qemu/qemu/commit/c6841b112e995a0635db59fe25da9a308c595b7a
  Author: Pavel Butsykin <address@hidden>
  Date:   2017-09-14 (Thu, 14 Sep 2017)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing

After calling qcow2_inactivate(), all qcow2 caches must be flushed, but this
may not happen, because the last call qcow2_store_persistent_dirty_bitmaps()
can lead to marking l2/refcount cache as dirty.

Let's move qcow2_store_persistent_dirty_bitmaps() before the cache flushing
to fix it.

Cc: address@hidden
Signed-off-by: Pavel Butsykin <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 83a8c775a8bf134eb18a719322939b74a818d750)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b24304ca131ecf0eb029ee2c39d46fd4a9ab8901
      
https://github.com/qemu/qemu/commit/b24304ca131ecf0eb029ee2c39d46fd4a9ab8901
  Author: Alex Williamson <address@hidden>
  Date:   2017-09-14 (Thu, 14 Sep 2017)

  Changed paths:
    M hw/virtio/vhost.c

  Log Message:
  -----------
  vhost: Release memory references on cleanup

vhost registers a MemoryListener where it adds and removes references
to MemoryRegions as the MemoryRegionSections pass through.  The
region_add callback is invoked for each existing section when the
MemoryListener is registered, but unregistering the MemoryListener
performs no reciprocal region_del callback.  It's therefore the
owner of the MemoryListener's responsibility to cleanup any persistent
changes, such as these memory references, after unregistering.

The consequence of this bug is that if we have both a vhost device
and a vfio device, the vhost device will reference any mmap'd MMIO of
the vfio device via this MemoryListener.  If the vhost device is then
removed, those references remain outstanding.  If we then attempt to
remove the vfio device, it never gets finalized and the only way to
release the kernel file descriptors is to terminate the QEMU process.

Fixes: dfde4e6e1a86 ("memory: add ref/unref calls")
Cc: Michael S. Tsirkin <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: address@hidden # v1.6.0+
Signed-off-by: Alex Williamson <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit ee4c112846a0f2ac4fe5601918b0a2642ac8e2ed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b8cd97891978f1eaec84d7ad6f8f6b6767186060
      
https://github.com/qemu/qemu/commit/b8cd97891978f1eaec84d7ad6f8f6b6767186060
  Author: Peter Maydell <address@hidden>
  Date:   2017-09-17 (Sun, 17 Sep 2017)

  Changed paths:
    M hw/arm/mps2.c

  Log Message:
  -----------
  mps2-an511: Fix wiring of UART overflow interrupt lines

Fix an error that meant we were wiring every UART's overflow
interrupts into the same inputs 0 and 1 of the OR gate,
rather than giving each its own input.

Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Alistair Francis <address@hidden>
Message-id: address@hidden
(cherry picked from commit ce3bc112cdb1d462e2d52eaa17a7314e7f3af504)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b95fbe6f122af9992a016a620477c6e7f1cc383a
      
https://github.com/qemu/qemu/commit/b95fbe6f122af9992a016a620477c6e7f1cc383a
  Author: Hannes Reinecke <address@hidden>
  Date:   2017-09-19 (Tue, 19 Sep 2017)

  Changed paths:
    M hw/scsi/scsi-bus.c

  Log Message:
  -----------
  scsi-bus: correct responses for INQUIRY and REQUEST SENSE

According to SPC-3, INQUIRY and REQUEST SENSE should return GOOD
even on unsupported LUNs.

Signed-off-by: Hannes Reinecke <address@hidden>
Message-Id: <address@hidden>
Reported-by: Laszlo Ersek <address@hidden>
Fixes: ded6ddc5a7b95217557fa360913d1213e12d4a6d
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Hannes Reinecke <address@hidden>
(cherry picked from commit b07fbce6349c7b84642e7ed56c7a1ac3c1caca61)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 48f65ce837250f327bcfa04977b72b72f43f232c
      
https://github.com/qemu/qemu/commit/48f65ce837250f327bcfa04977b72b72f43f232c
  Author: Marc-André Lureau <address@hidden>
  Date:   2017-09-19 (Tue, 19 Sep 2017)

  Changed paths:
    M contrib/libvhost-user/libvhost-user.c
    M contrib/libvhost-user/libvhost-user.h

  Log Message:
  -----------
  libvhost-user: support resuming vq->last_avail_idx based on used_idx

This is the same workaround as commit 523b018dde3b765, which was lost
with libvhost-user transition in commit e10e798c85c2331.

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 35480cbfcb73143af66c8de4b444d686a46c2e88)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2a2eab66604fb26e2020932eb6be450e2c7e8613
      
https://github.com/qemu/qemu/commit/2a2eab66604fb26e2020932eb6be450e2c7e8613
  Author: Marc-André Lureau <address@hidden>
  Date:   2017-09-19 (Tue, 19 Sep 2017)

  Changed paths:
    M tests/vhost-user-bridge.c

  Log Message:
  -----------
  vhost-user-bridge: fix resume regression (since 2.9)

Commit e10e798c85c2331 switched to libvhost-user which lacked support
for resuming the avail_idx based on used_idx.

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1485867

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 672339f7eff5e9226f302037290e84e783d2b5cd)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d6f7f3b0cf4b6c5e7cdff9dfa6d20545e1051375
      
https://github.com/qemu/qemu/commit/d6f7f3b0cf4b6c5e7cdff9dfa6d20545e1051375
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: fix display update region calculation (split screen)

vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used.  This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().

Impact:  DoS for privileged guest users.

Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit e65294157d4b69393b3f819c99f4f647452b48e3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2965be1f00d88972650b6dc4bdc28976d2c66043
      
https://github.com/qemu/qemu/commit/2965be1f00d88972650b6dc4bdc28976d2c66043
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/display/vga-helpers.h
    M hw/display/vga.c
    M hw/display/vga_int.h

  Log Message:
  -----------
  vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fca5f37fe9016cfea90c31d3e35e4154ef1a7f28
      
https://github.com/qemu/qemu/commit/fca5f37fe9016cfea90c31d3e35e4154ef1a7f28
  Author: Prasad J Pandit <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/i386/multiboot.c

  Log Message:
  -----------
  multiboot: validate multiboot header address values

While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load
the kernel image. These addresses are used to compute kernel
size and kernel text offset in the OS image. Validate these
address values to avoid an OOB access issue.

This is CVE-2017-14167.

Reported-by: Thomas Garnier <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb)
Signed-off-by: Michael Roth <address@hidden>
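The commit message above says that when (flags & 0x00010000) is set the multiboot v1 header's address fields are used to compute the kernel size and text offset, and that those guest-supplied values must be validated before they drive an in-memory copy. The following is an added example, not QEMU's hw/i386/multiboot.c: it models that class of check on the spec's header fields (header_addr, load_addr, load_end_addr, bss_end_addr) with a constructed 64 KiB image, returning a distinct status for each way the arithmetic could wrap or run past the file. The check order, status names, MB_FLAG_ADDRS_VALID and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's hw/i386/multiboot.c. It models the class of
 * check the commit describes: when bit 16 of the header flags is set,
 * the multiboot v1 header carries guest-supplied load addresses that are
 * used to derive the kernel text offset and load size, so each must be
 * validated against the others and against the image size before any
 * memory is touched. Field names follow the multiboot v1 spec; the
 * check order, status codes and sample values are this example's own. */

#define MB_FLAG_ADDRS_VALID 0x00010000u  /* the (flags & 0x00010000) bit */

struct mb_header {
    uint32_t flags;
    uint32_t header_addr;   /* physical address the header claims for itself */
    uint32_t load_addr;     /* physical address where the text segment starts */
    uint32_t load_end_addr; /* end of text+data; 0 means "to end of file" */
    uint32_t bss_end_addr;  /* end of bss; 0 means "no bss" */
};

struct mb_layout {
    uint32_t text_offset;  /* file offset where copying starts */
    uint32_t load_size;    /* bytes copied out of the file */
    uint32_t kernel_size;  /* bytes of guest memory the kernel occupies */
};

enum mb_status {
    MB_OK = 0,
    MB_ERR_NO_ADDRS,          /* flags bit 16 clear: address fields are not valid */
    MB_ERR_LOAD_ABOVE_HEADER, /* load_addr > header_addr (offset would wrap) */
    MB_ERR_HEADER_OUTSIDE,    /* text would have to start before file offset 0 */
    MB_ERR_LOAD_END,          /* load_end_addr below load_addr */
    MB_ERR_LOAD_RANGE,        /* load range runs past the end of the file */
    MB_ERR_BSS_END            /* bss_end_addr below the end of the loaded data */
};

struct mb_layout mb_last;  /* layout derived by the most recent successful mb_check() */

/* header_offset: where the header was found in the file (always < file_size). */
enum mb_status mb_check(const struct mb_header *h, uint32_t header_offset,
                        uint32_t file_size)
{
    struct mb_layout l = {0, 0, 0};

    if (!(h->flags & MB_FLAG_ADDRS_VALID)) return MB_ERR_NO_ADDRS;
    if (header_offset >= file_size)        return MB_ERR_HEADER_OUTSIDE;

    /* text_offset = header_offset - (header_addr - load_addr); both
     * subtractions can wrap on a crafted header, so check each one. */
    if (h->load_addr > h->header_addr)     return MB_ERR_LOAD_ABOVE_HEADER;
    uint32_t header_delta = h->header_addr - h->load_addr;
    if (header_delta > header_offset)      return MB_ERR_HEADER_OUTSIDE;
    l.text_offset = header_offset - header_delta;

    if (h->load_end_addr) {
        if (h->load_end_addr < h->load_addr) return MB_ERR_LOAD_END;
        l.load_size = h->load_end_addr - h->load_addr;
    } else {
        l.load_size = file_size - l.text_offset;
    }
    /* Whatever the header claims, the copy may not read past the file. */
    if (l.load_size > file_size - l.text_offset) return MB_ERR_LOAD_RANGE;

    l.kernel_size = l.load_size;
    if (h->bss_end_addr) {
        /* 64-bit sum: load_addr + load_size itself can exceed 32 bits */
        if ((uint64_t)h->bss_end_addr < (uint64_t)h->load_addr + l.load_size)
            return MB_ERR_BSS_END;
        l.kernel_size = h->bss_end_addr - h->load_addr;
    }
    mb_last = l;
    return MB_OK;
}

/* Convenience wrapper so scenarios can be written on one line. */
enum mb_status mb_check_vals(uint32_t flags, uint32_t header_addr,
                             uint32_t load_addr, uint32_t load_end_addr,
                             uint32_t bss_end_addr, uint32_t header_offset,
                             uint32_t file_size)
{
    struct mb_header h = {flags, header_addr, load_addr, load_end_addr, bss_end_addr};
    return mb_check(&h, header_offset, file_size);
}

int main(void)
{
    /* Constructed 64 KiB image with a well-formed header at offset 0x40 */
    enum mb_status s = mb_check_vals(MB_FLAG_ADDRS_VALID, 0x100040, 0x100000,
                                     0x108000, 0x10A000, 0x40, 0x10000);
    printf("well-formed header: status %d, text_offset 0x%x, load 0x%x, kernel 0x%x\n",
           s, mb_last.text_offset, mb_last.load_size, mb_last.kernel_size);
    /* Same image, but load_end_addr far beyond the file: must be rejected */
    s = mb_check_vals(MB_FLAG_ADDRS_VALID, 0x100040, 0x100000,
                      0xF0000000, 0, 0x40, 0x10000);
    printf("oversized load range: status %d\n", s);
    return 0;
}
```

The point of returning a status per check rather than a single boolean is that each rejected case names the relation that failed, which is what a fuzzing harness or a loader test wants to assert on; the load-range check is the one that closes the out-of-bounds read the commit describes, since every other field is only used to compute that range.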


  Commit: d3f05848fc8f8240539c7d810f12a321f57a22f9
      
https://github.com/qemu/qemu/commit/d3f05848fc8f8240539c7d810f12a321f57a22f9
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/watchdog/wdt_diag288.c

  Log Message:
  -----------
  watchdog/wdt_diag288: Mark diag288 watchdog as non-hotpluggable

QEMU currently aborts when the user tries to hot-unplug a diag288
device:

$ qemu-system-s390x -nographic -nodefaults -S -monitor stdio
QEMU 2.9.92 monitor - type 'help' for more information
(qemu) device_add diag288,id=x
(qemu) device_del x
**
ERROR:qemu/qdev-monitor.c:872:qdev_unplug: assertion failed: (hotplug_ctrl)
Aborted (core dumped)

The device is not designed as hot-pluggable (it should only be used
via the "-watchdog" parameter), so let's simply remove the possibility
to hotplug it to prevent that users can run into this ugly situation.

Signed-off-by: Thomas Huth <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: David Hildenbrand <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 84ebd3e8c7d4fe955b359b9aac84395907b0412e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8a9d7f30636b5ab151f47c7f03b4797bc1408151
      
https://github.com/qemu/qemu/commit/8a9d7f30636b5ab151f47c7f03b4797bc1408151
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/s390x/ipl.c

  Log Message:
  -----------
  s390x/ipl: The s390-ipl device is not hot-pluggable

The s390-ipl device can not be created by the user, since it is meant only
to be instantiated once internally to load the ROMs and kernel. If the user
tries to do a "device_add s390-ipl" via the monitor later, QEMU aborts with
a "ROM images must be loaded at startup" error message.

Signed-off-by: Thomas Huth <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: David Hildenbrand <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 0d4fa4996fc5ee56ea7d072e272b8e69948460a5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: de4ad17a8ed674e672c626c5e4b7e27dc82ca55e
      
https://github.com/qemu/qemu/commit/de4ad17a8ed674e672c626c5e4b7e27dc82ca55e
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/arm/digic.c

  Log Message:
  -----------
  hw/arm/digic: Mark device with user_creatable = false

QEMU currently shows some unexpected behavior when the user tries to
do a "device_add digic" on an unrelated ARM machine like integratorcp
in "-nographic" mode (the device_add command does not immediately
return to the monitor prompt), and trying to "device_del" the device
later results in a "qemu/qdev-monitor.c:872:qdev_unplug: assertion
failed: (hotplug_ctrl)" error condition.
Looking at the realize function of the device, it uses serial_hds
directly and this means that the device can not be added a second
time, so let's simply mark it with "user_creatable = false" now.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit f58f25599b72c7479e6a1ff67c7f671823aa14da)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cc7dd3ad3fce9baf0e869847a6ddef33f2b463ab
      
https://github.com/qemu/qemu/commit/cc7dd3ad3fce9baf0e869847a6ddef33f2b463ab
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/arm/aspeed_soc.c

  Log Message:
  -----------
  hw/arm/aspeed_soc: Mark devices as user_creatable = false

QEMU currently aborts if the user is accidentally trying to
do something like this:

$ aarch64-softmmu/qemu-system-aarch64 -S -M integratorcp -nographic
QEMU 2.9.93 monitor - type 'help' for more information
(qemu) device_add ast2400
Unexpected error in error_set_from_qdev_prop_error()
 at hw/core/qdev-properties.c:1032:
Aborted (core dumped)

The ast2400 SoC devices are clearly not creatable by the user since
they are using the serial_hds and nd_table arrays directly in their
realize function, so mark them with user_creatable = false.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Cédric Le Goater <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 469f3da42ef4af347fa7831e1cc0bd35d17f5b83)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e96002e0d13cc87910534fd83ca1e6f021dad454
      
https://github.com/qemu/qemu/commit/e96002e0d13cc87910534fd83ca1e6f021dad454
  Author: Thomas Huth <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/ide/microdrive.c

  Log Message:
  -----------
  hw/ide/microdrive: Mark the dscm1xxxx device with user_creatable = false

QEMU currently aborts with an assertion message when the user is trying
to remove a dscm1xxxx again:

$ aarch64-softmmu/qemu-system-aarch64 -S -M integratorcp -nographic
QEMU 2.9.93 monitor - type 'help' for more information
(qemu) device_add dscm1xxxx,id=xyz
(qemu) device_del xyz
**
ERROR:qemu/qdev-monitor.c:872:qdev_unplug: assertion failed: (hotplug_ctrl)
Aborted (core dumped)

Looks like this device has to be wired up in code and is not meant
to be hot-pluggable, so let's mark it with user_creatable = false.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit 4c93950659487c7ad4f85571ee78524c1e3a94b3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 83b23fe55c7b969e778c18960ea7c381e92070e8
      
https://github.com/qemu/qemu/commit/83b23fe55c7b969e778c18960ea7c381e92070e8
  Author: Igor Mammedov <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ide: ahci: unparent children buses before freeing their memory

Fixes read after freeing error reported
  https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html
  Message-Id: <address@hidden>

ich9-ahci device creates ide buses and attaches them as QOM children
at realize time, however it forgets to properly clean them up
at unrealize time and frees memory containing these children,
with following call-chain:

   qdev_device_add()
     object_property_set_bool('realized', true)
       device_set_realized()
    ...
    pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()
         ...
         s->dev = g_new0(AHCIDevice, ports);
         ...
            AHCIDevice *ad = &s->dev[i];
            ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);
            ^^^ creates bus in memory allocated by above g_new0()
                and adds it as child property to ahci device
    ...
    hotplug_handler_plug(); -> goto post_realize_fail;
    pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()
        ...
         g_free(s->dev);
         ^^^ free memory that holds children busses
     return with error from device_set_realized()

As a result, later when qdev_device_add() tries to unparent ich9-ahci
after failed device_set_realized(),
    object_unparent() -> object_property_del_child()
iterates over existing QOM children including buses added by
ide_bus_new() and tries to unparent them, which causes access to
freed memory where they were located.

Reported-by: Thomas Huth <address@hidden>
Signed-off-by: Igor Mammedov <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Tested-by: Thomas Huth <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit 955f5c7ba127746345a3d43b4d7c885ca159ae6b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7e1288cd0ce54d1d9b2805f23c3c33b6c57152d0
      
https://github.com/qemu/qemu/commit/7e1288cd0ce54d1d9b2805f23c3c33b6c57152d0
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M ui/console.c

  Log Message:
  -----------
  console: fix dpy_gfx_replace_surface assert

virtio-gpu can trigger the assert added by commit "6905b93447 console:
add same surface replace pre-condition" in multihead setups (where
surface can be NULL for secondary displays).  Allow surface being NULL.

Fixes: 6905b93447a42e606dfd126b90f75f4cd3c6fe94
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden
(cherry picked from commit 1540008629bbb6a9c0826582d94ecf7a559f784c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e90997dc8f8272378b259a0080a0062597e72c10
      
https://github.com/qemu/qemu/commit/e90997dc8f8272378b259a0080a0062597e72c10
  Author: Jan Dakinevich <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: fix readdir() for 9p2000.u

If the client is using 9p2000.u, the following occurs:

$ cd ${virtfs_shared_dir}
$ mkdir -p a/b/c
$ ls a/b
ls: cannot access 'a/b/a': No such file or directory
ls: cannot access 'a/b/b': No such file or directory
a  b  c

instead of the expected:

$ ls a/b
c

This is a regression introduced by commit f57f5878578a;
local_name_to_path() now resolves ".." and "." in paths,
and v9fs_do_readdir_with_stat()->stat_to_v9stat() then
copies the basename of the resulting path to the response.
With the example above, this means that "." and ".." are
turned into "b" and "a" respectively...

stat_to_v9stat() currently assumes it is passed a full
canonicalized path and uses it to do two different things:
1) to pass it to v9fs_co_readlink() in case the file is a symbolic
   link
2) to set the name field of the V9fsStat structure to the basename
   part of the given path

It only has two users: v9fs_stat() and v9fs_do_readdir_with_stat().

v9fs_stat() really needs 1) and 2) to be performed since it starts
with the full canonicalized path stored in the fid. It is different
for v9fs_do_readdir_with_stat() though because the name we want to
put into the V9fsStat structure is the d_name field of the dirent
actually (ie, we want to keep the "." and ".." special names). So,
we only need 1) in this case.

This patch hence adds a basename argument to stat_to_v9stat(), to
be used to set the name field of the V9fsStat structure, and moves
the basename logic to v9fs_stat().

Signed-off-by: Jan Dakinevich <address@hidden>
(groug, renamed old name argument to path and updated changelog)
Signed-off-by: Greg Kurz <address@hidden>

(cherry picked from commit 6069537f4336a59054afda91a6545d3648c64619)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d13a0bde83d216ec07d2fe6e54fe1bab34643db1
      
https://github.com/qemu/qemu/commit/d13a0bde83d216ec07d2fe6e54fe1bab34643db1
  Author: Jan Dakinevich <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: fix name_to_path assertion in v9fs_complete_rename()

The third parameter of v9fs_co_name_to_path() must not contain `/'
character.

The issue is most likely related to 9p2000.u protocol only.

Signed-off-by: Jan Dakinevich <address@hidden>
[groug, regression caused by commit f57f5878578a # 2.10]
Signed-off-by: Greg Kurz <address@hidden>

(cherry picked from commit 4d8bc7334b06ef01a21cad3d1eb8dc183037a06b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a83858fdb57e91945f2ea95f7ec31b89ccfd46ca
      
https://github.com/qemu/qemu/commit/a83858fdb57e91945f2ea95f7ec31b89ccfd46ca
  Author: Jan Dakinevich <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: check the size of transport buffer before marshaling

v9fs_do_readdir_with_stat() should check for a maximum buffer size
before an attempt to marshal gathered data. Otherwise, the buffers are
assumed to be misconfigured and the transport would be broken.

The patch brings v9fs_do_readdir_with_stat() in conformity with
v9fs_do_readdir() behavior.

Signed-off-by: Jan Dakinevich <address@hidden>
[groug, regression caused by commit 8d37de41cab1 # 2.10]
Signed-off-by: Greg Kurz <address@hidden>

(cherry picked from commit 772a73692ecb52bace0cff6f95df62f59b8cabe0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a432f419abce2d63907978c3d48dfc9e3f740e49
      
https://github.com/qemu/qemu/commit/a432f419abce2d63907978c3d48dfc9e3f740e49
  Author: Christian Borntraeger <address@hidden>
  Date:   2017-09-22 (Fri, 22 Sep 2017)

  Changed paths:
    M target/s390x/kvm.c

  Log Message:
  -----------
  s390x/ais: for 2.10 stable: disable ais facility

The migration interface for ais was introduced with kernel 4.13
but the capability itself had been active since 4.12. As migration
support is considered necessary, let's disable ais in the 2.10
stable version. A proper fix and re-enablement will be done
for qemu 2.11.

Signed-off-by: Christian Borntraeger <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 3f2d07b3b01ea61126b382633ab4006320923048)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 33a599667a9e70588483a31286dfff8cfc27d513
      
https://github.com/qemu/qemu/commit/33a599667a9e70588483a31286dfff8cfc27d513
  Author: Eric Blake <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M include/qemu/osdep.h

  Log Message:
  -----------
  osdep: Fix ROUND_UP(64-bit, 32-bit)

When using bit-wise operations that exploit the power-of-two
nature of the second argument of ROUND_UP(), we still need to
ensure that the mask is as wide as the first argument (done
by using a ternary to force proper arithmetic promotion).
Unpatched, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) produces 0,
instead of the intended 2TiB, because negation of an unsigned
32-bit quantity followed by widening to 64-bits does not
sign-extend the mask.

Broken since its introduction in commit 292c8e50 (v1.5.0).
Callers that passed the same width type to both macro parameters,
or that had other code to ensure the first parameter's maximum
runtime value did not exceed the second parameter's width, are
unaffected, but I did not audit to see which (if any) existing
clients of the macro could trigger incorrect behavior (I found
the bug while adding a new use of the macro).

While preparing the patch, checkpatch complained about poor
spacing, so I also fixed that here and in the nearby DIV_ROUND_UP.

CC: address@hidden
CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 2098b073f398cd628c09c5a78537a6854e85830d)
Signed-off-by: Michael Roth <address@hidden>
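The commit message above gives a concrete failing input, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) evaluating to 0, and the reason: the mask is built by negating a 32-bit unsigned value and is then zero-extended, not sign-extended, when combined with the 64-bit first argument. The following is an added example, not QEMU's include/qemu/osdep.h: two macros written from the commit's description (the pre-fix shape masking with -(d), the fixed shape masking with -(0 ? (n) : (d))), wrappers that fix the argument widths, and a division-based reference to check both against. The macro text is modeled on the description rather than copied from the tree.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's include/qemu/osdep.h. It reproduces the
 * arithmetic defect the commit describes with two macros: the pre-fix
 * shape, whose mask is built from the second argument alone, and the
 * fixed shape, which routes the second argument through a ternary with
 * the first so the mask is promoted to the wider type. The macro text is
 * modeled on the commit description, not copied from the tree. */

/* Pre-fix shape: -(d) has d's type, so with a 32-bit d the mask is
 * 0xFFFFFE00 and zero-extends to 0x00000000FFFFFE00 when combined with
 * a 64-bit n, discarding every bit above 32. */
#define ROUND_UP_NARROW(n, d) (((n) + (d) - 1) & -(d))

/* Fixed shape: (0 ? (n) : (d)) has the common type of n and d, so the
 * negation happens at n's width and the mask is 0xFFFFFFFFFFFFFE00. */
#define ROUND_UP_WIDE(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d)))

/* Wrappers that pin the argument widths the commit talks about:
 * 64-bit first argument, 32-bit unsigned second argument. */
uint64_t round_up_narrow(uint64_t n, uint32_t d) { return ROUND_UP_NARROW(n, d); }
uint64_t round_up_wide(uint64_t n, uint32_t d)   { return ROUND_UP_WIDE(n, d); }

/* The masks themselves, so the width difference can be inspected directly */
uint64_t narrow_mask(uint64_t n, uint32_t d) { (void)n; return -(d); }
uint64_t wide_mask(uint64_t n, uint32_t d)   { return -(0 ? n : d); }

/* Width-agnostic reference for checking either macro (d must be nonzero) */
uint64_t round_up_ref(uint64_t n, uint64_t d) { return ((n + d - 1) / d) * d; }

int main(void)
{
    uint64_t two_tib = 2ULL * 1024 * 1024 * 1024 * 1024;
    printf("narrow mask : 0x%016llx\n", (unsigned long long)narrow_mask(two_tib, 512U));
    printf("wide mask   : 0x%016llx\n", (unsigned long long)wide_mask(two_tib, 512U));
    printf("ROUND_UP_NARROW(2TiB, 512U) = 0x%llx\n",
           (unsigned long long)round_up_narrow(two_tib, 512U));
    printf("ROUND_UP_WIDE(2TiB, 512U)   = 0x%llx\n",
           (unsigned long long)round_up_wide(two_tib, 512U));
    printf("reference                   = 0x%llx\n",
           (unsigned long long)round_up_ref(two_tib, 512));
    return 0;
}
```

For small first arguments both macros agree (1000 rounds to 1024 either way), which is why the bug survived as long as the commit says: it only shows once the first argument has bits set above the width of the second, and then the narrow mask silently truncates the result to 0 instead of the intended 2 TiB.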


  Commit: 7496699ba63b8690fbd38b232ee41da25fc9d8d7
      
https://github.com/qemu/qemu/commit/7496699ba63b8690fbd38b232ee41da25fc9d8d7
  Author: Manos Pitsidianakis <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M block/throttle-groups.c

  Log Message:
  -----------
  block/throttle-groups.c: allocate RestartData on the heap

RestartData is the opaque data of the throttle_group_restart_queue_entry
coroutine. By being stack allocated, it isn't available anymore if
aio_co_enter schedules the coroutine with a bottom half and runs after
throttle_group_restart_queue returns.

Cc: address@hidden
Signed-off-by: Manos Pitsidianakis <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 43a5dc02fd6070827d5c4ff652b885219fa8cbe1)
 Conflicts:
        block/throttle-groups.c
* reworked to avoid functional dep on 022cdc9, since that involves
  refactoring for a feature not present in 2.10
Signed-off-by: Michael Roth <address@hidden>


  Commit: 780fb4ce48bce4d6755972bf783dff915b0d1a11
      
https://github.com/qemu/qemu/commit/780fb4ce48bce4d6755972bf783dff915b0d1a11
  Author: Vladimir Sementsov-Ogievskiy <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M block/qcow2-bitmap.c

  Log Message:
  -----------
  block/qcow2-bitmap: fix use of uninitialized pointer

Without initialization to zero, the dirty_bitmap field may not be zero
for a bitmap which should not be stored, and
qcow2_store_persistent_dirty_bitmaps will erroneously call
store_bitmap for it, which leads to SIGSEGV on bdrv_dirty_bitmap_name.

Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit 5330f32b71b1868bdb3b444733063cb5adc4e8e6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4d824886c84cd88dd2f3ce9061835689152c25f8
      
https://github.com/qemu/qemu/commit/4d824886c84cd88dd2f3ce9061835689152c25f8
  Author: Alex Bennée <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M accel/tcg/cputlb.c

  Log Message:
  -----------
  accel/tcg/cputlb: avoid recursive BQL (fixes #1706296)

The mmio path (see exec.c:prepare_mmio_access) already protects itself
against recursive locking and it makes sense to do the same for
io_readx/writex. Otherwise any helper running in the BQL context will
assert when it attempts to write to device memory as in the case of
the bug report.

Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Alex Bennée <address@hidden>
CC: Richard Jones <address@hidden>
CC: Paolo Bonzini <address@hidden>
CC: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit 8b81253332b5a3f3c67b6462f39caef47a00dd29)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0691b70a2a16824846e878b91487e99cca6a34e7
      
https://github.com/qemu/qemu/commit/0691b70a2a16824846e878b91487e99cca6a34e7
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M block/nbd-client.c

  Log Message:
  -----------
  nbd-client: avoid read_reply_co entry if send failed

The following segfault is encountered if the NBD server closes the UNIX
domain socket immediately after negotiation:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  aio_co_schedule (ctx=0x0, co=0xd3c0ff2ef0) at util/async.c:441
  441       QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
  (gdb) bt
  #0  0x000000d3c01a50f8 in aio_co_schedule (ctx=0x0, co=0xd3c0ff2ef0) at util/async.c:441
  #1  0x000000d3c012fa90 in nbd_coroutine_end (address@hidden, request=<optimized out>) at block/nbd-client.c:207
  #2  0x000000d3c012fb58 in nbd_client_co_preadv (bs=0xd3c0fec650, offset=0, bytes=<optimized out>, qiov=0x7ffc10a91b20, flags=0) at block/nbd-client.c:237
  #3  0x000000d3c0128e63 in bdrv_driver_preadv (address@hidden, address@hidden, address@hidden, address@hidden, flags=0) at block/io.c:836
  #4  0x000000d3c012c3e0 in bdrv_aligned_preadv (address@hidden, address@hidden, address@hidden, address@hidden, address@hidden, address@hidden, flags=0) at block/io.c:1086
  #5  0x000000d3c012c6b8 in bdrv_co_preadv (child=0xd3c0ff51d0, address@hidden, address@hidden, address@hidden, address@hidden) at block/io.c:1182
  #6  0x000000d3c011cc17 in blk_co_preadv (blk=0xd3c0ff4f80, offset=0, bytes=512, qiov=0x7ffc10a91b20, flags=0) at block/block-backend.c:1032
  #7  0x000000d3c011ccec in blk_read_entry (opaque=0x7ffc10a91b40) at block/block-backend.c:1079
  #8  0x000000d3c01bbb96 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at util/coroutine-ucontext.c:79
  #9  0x00007f3196cb8600 in __start_context () at /lib64/libc.so.6

The problem is that nbd_client_init() uses
nbd_client_attach_aio_context() -> aio_co_schedule(new_context,
client->read_reply_co).  Execution of read_reply_co is deferred to a BH
which doesn't run until later.

In the meantime blk_co_preadv() can be called and nbd_coroutine_end()
calls aio_wake() on read_reply_co.  At this point in time
read_reply_co's ctx isn't set because it has never been entered yet.

This patch simplifies the nbd_co_send_request() ->
nbd_co_receive_reply() -> nbd_coroutine_end() lifecycle to just
nbd_co_send_request() -> nbd_co_receive_reply().  The request is "ended"
if an error occurs at any point.  Callers no longer have to invoke
nbd_coroutine_end().

This cleanup also eliminates the segfault because we don't call
aio_co_schedule() to wake up s->read_reply_co if sending the request
failed.  It is only necessary to wake up s->read_reply_co if a reply was
received.

Note this only happens with UNIX domain sockets on Linux.  It doesn't
seem possible to reproduce this with TCP sockets.

Suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
(cherry picked from commit 3c2d5183f9fa4eac3d17d841e26da65a0181ae7b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2c3a8cc58162328267ecb25d6b610b00d886c887
      
https://github.com/qemu/qemu/commit/2c3a8cc58162328267ecb25d6b610b00d886c887
  Author: Anthony PERARD <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M hw/acpi/pcihp.c

  Log Message:
  -----------
  hw/acpi: Limit hotplug to root bus on legacy mode

Signed-off-by: Anthony PERARD <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit f5855994fee2f8815dc86b8453e4a63e290aea05)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8edf4c6adc2a424647fbd6411e0c06713e721626
      
https://github.com/qemu/qemu/commit/8edf4c6adc2a424647fbd6411e0c06713e721626
  Author: Anthony PERARD <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M hw/acpi/pcihp.c
    M hw/i386/acpi-build.c
    M stubs/Makefile.objs
    A stubs/pci-host-piix.c

  Log Message:
  -----------
  hw/acpi: Move acpi_set_pci_info to pcihp

HW part of ACPI PCI hotplug in QEMU depends on ACPI_PCIHP_PROP_BSEL
being set on a PCI bus that supports ACPI hotplug. It should work
regardless of the source of ACPI tables (QEMU generator/legacy SeaBIOS/Xen).
So move ACPI_PCIHP_PROP_BSEL initialization into HW ACPI implementation
part from QEMU's ACPI table generator.

To do PCI passthrough with Xen, the property ACPI_PCIHP_PROP_BSEL needs
to be set, but this was done only when ACPI tables are built which is
not needed for a Xen guest. The need for the property starts with commit
"pc: pcihp: avoid adding ACPI_PCIHP_PROP_BSEL twice"
(f0c9d64a68b776374ec4732424a3e27753ce37b6).

Adding find_i440fx into stubs so that mips-softmmu target can be built.

Reported-by: Sander Eikelenboom <address@hidden>
Signed-off-by: Anthony PERARD <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit ab938ae43f8a3a71a3525566edf586081b7a7452)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6a903482b144e26f298b307c525fcd12a2486d7b
      
https://github.com/qemu/qemu/commit/6a903482b144e26f298b307c525fcd12a2486d7b
  Author: Anthony PERARD <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M hw/acpi/piix4.c

  Log Message:
  -----------
  Revert "ACPI: don't call acpi_pcihp_device_plug_cb on xen"

This reverts commit 153eba4726dfa1bdfc31d1fe973b2a61b9035492.

This patch prevents PCI passthrough hotplug on Xen. Even if the Xen tool
stack prepares its own ACPI tables, we still rely on QEMU for hotplug
ACPI notifications.

The original issue is fixed by the two previous patches:
  hw/acpi: Limit hotplug to root bus on legacy mode
  hw/acpi: Move acpi_set_pci_info to pcihp

Signed-off-by: Anthony PERARD <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 2bed1ba77fae50bc8b5e68ede2d80b652b30c3b8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 17cd46fbdfb8cc0d759f05e19398b664d60781b8
      
https://github.com/qemu/qemu/commit/17cd46fbdfb8cc0d759f05e19398b664d60781b8
  Author: Christian Borntraeger <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M target/s390x/gen-features.c

  Log Message:
  -----------
  s390x/cpumodel: remove ais from z14 default model-> also for 2.10.1

We disabled ais for 2.10, so let's also remove it from the z14
default model.

Fixes: 3f2d07b3b01e ("s390x/ais: for 2.10 stable: disable ais facility")
CC: address@hidden
Signed-off-by: Christian Borntraeger <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 9dacc908462693719d84ec594e839434959cf6f1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 547435f5506e351baa2151a681eeaca2cae79591
      
https://github.com/qemu/qemu/commit/547435f5506e351baa2151a681eeaca2cae79591
  Author: Peter Lieven <address@hidden>
  Date:   2017-09-28 (Thu, 28 Sep 2017)

  Changed paths:
    M migration/block.c
    M migration/block.h
    M migration/ram.c

  Log Message:
  -----------
  migration: disable auto-converge during bulk block migration

auto-converge and block migration currently do not play well together.
During block migration the auto-converge logic detects that ram
migration makes no progress and thus throttles down the vm until
it nearly stalls completely. Avoid this by disabling the throttling
logic during the bulk phase of the block migration.

Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Dr. David Alan Gilbert <address@hidden>
(cherry picked from commit 9ac78b6171bec47083a9b6ce88dc1f114caea2f9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7851197b812b383ae1208c5d86391c5179c8209d
      
https://github.com/qemu/qemu/commit/7851197b812b383ae1208c5d86391c5179c8209d
  Author: Michael Roth <address@hidden>
  Date:   2017-10-02 (Mon, 02 Oct 2017)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.10.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/53d421dd9cd1^...7851197b812b
