Sometimes, we destroy the dirty_bitmap in kvm_memory_slot before any sync action
occur, this bit in dirty_bitmap will be missed, and which will lead the corresponding
dirty pages to be missed in migration.
This usually happens when do migration during VM's Start-up or Reboot.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
[Use s->migration_log instead of exec.c's in_migration. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit 49d2e64 (machine: remove qemu_machine_opts global list)
made machine options specific to machine sub-type, leaving
the qemu_machine_opts desc array empty. Sadly this is the place
qmp_query_command_line_options is looking for supported options.
As a fix for for 2.3 the machine_qemu_opts (the generic ones)
are restored only for qemu-config scope.
We need to find a better fix for 2.4.
Reported-by: Tony Krowiak <akrowiak@linux.vnet.ibm.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <1427906841-1576-1-git-send-email-marcel@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Since the BSP bit is writable on real hardware, during reset all the CPUs which
were not chosen to be the BSP should have their BSP bit cleared. This fix is
required for KVM to work correctly when it changes the BSP bit.
An additional fix is required for QEMU tcg to allow software to change the BSP
bit.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Message-Id: <1427932716-11800-1-git-send-email-namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
configure script may add -fstack-protector-strong option instead
of -fstack-protector-all, depending on availability ( see
commit 63678e17c ). Both options have to by filtered out for
qga-vss.dll, otherwise MinGW cross-compilation fails at linking
stage.
Signed-off-by: Joseph Hindin <jhindin@daynix.com>
Message-Id: <1427906337-20805-2-git-send-email-jhindin@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commits 6e05a12f8f and db25a1581 both attempt to fix the
same "failed to free memory containing flash filename" bug,
with the effect that when they were both applied we ended
up freeing the memory twice. Delete the spurious extra free.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1427968334-14527-1-git-send-email-peter.maydell@linaro.org
As 4de9a88(hw/arm/virt: Fix memory leak reported by Coverity)
and 6e05a12(arm: fix memory leak) both handle the memory leak
reported by Coverity, this cause qemu corruption due to
double free.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1427944026-8968-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The current code was negatively indexing the cpu state array and not
synchronizing banked spsr register state with the current mode's spsr
state, causing occasional failures with migration.
Some munging is done to take care of the aarch64 mapping and also to
ensure the most current value of the spsr is updated to the banked
registers (relevant for KVM<->TCG migration).
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
For migration to work we need to sync all of the register state. This is
especially noticeable when GCC starts using FP registers as spill
registers even with integer programs.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
As there is logic to deal with the difference between edge and level
triggered interrupts in the kernel we must ensure it knows the
configuration of the IRQs before we restore the pending state.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This adds the saving and restore of the current Multi-Processing state
of the machine. While the KVM_GET/SET_MP_STATE API exposes a number of
potential states for x86 we only use two for ARM. Either the process is
running or not. We then save this state into the cpu_powered TCG state
to avoid changing the serialisation format.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The AArch64 SPSR_EL1 register is architecturally mandated to
be mapped to the AArch32 SPSR_svc register. This means its
state should live in QEMU's env->banked_spsr[1] field.
Correct the various places in the code that incorrectly
put it in banked_spsr[0].
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
As the conditional statement had to be split anyway, we can also
add a better error report message.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426877982-3603-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
As the conditional statement had to be split anyway, we can also
add a better error report message.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426877963-3556-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Coverity reports a resource leak for sysboot_filename which is allocated
by qemu_find_file.
In addition, that name is used to get the size of the image, but a
different image name was used to load it.
In addition, instead of passing the maximum allowed image size the actual
image size was passed to load_image_targphys.
Fix all three issues.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426326781-2488-1-git-send-email-sw@weilnetz.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.
A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.
The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]
@@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
- *payload_size = input->offset;
+ *payload_size = *payload_remain;
[ kraxel: fix 32bit build ]
@@ -306,7 +306,7 @@ struct VncState
- uint64_t ws_payload_remain;
+ size_t ws_payload_remain;
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This reverts commit c3c1bb99d1.
It causes problems with boards that declare memory regions shorter
than the registers they contain.
Reported-by: Zoltan Balaton <balaton@eik.bme.hu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
If QEMU forks after the CPU threads have been created, qemu_mutex_lock_iothread
will not be able to do qemu_cpu_kick_thread. There is no solution other than
assuming that forks after the CPU threads have been created will end up in an
exec. Forks before the CPU threads have been created (such as -daemonize)
have to call rcu_after_fork manually.
Notably, the oxygen theme for GTK+ forks and shows a "No such process" error
without this patch.
This patch can be reverted once the iothread loses the "kick the TCG thread"
magic.
User-mode emulation does not use the iothread, so it can also call
rcu_after_fork.
Reported by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit cd61cb2 pc: acpi-build: generate pvpanic device description dynamically
introduced regression changing pvpanic device HID from
QEMU0001 to QEMU0002.
Fix AML generated code so that pvpanic device
would keep its original HID. i.e. QEMU0001
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reported-by: Gal Hammer <ghammer@redhat.com>
Message-Id: <1427717907-25027-1-git-send-email-imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
showing a memory device whose memdev is removed leads an assert:
(qemu) object_add memory-backend-ram,id=ram0,size=128M
(qemu) device_add pc-dimm,id=d0,memdev=ram0
(qemu) object_del ram0
(qemu) info memory-devices
**
ERROR:qom/object.c:1274:object_get_canonical_path_component:\
assertion failed: (obj->parent != NULL)
Aborted
The patch prevents removing an in-use mem backend and error out.
Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1427704589-7688-3-git-send-email-lma@suse.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
If backends implement the can_be_deleted and it returns false,
Then the qmp_object_del won't delete the given backends.
Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1427704589-7688-2-git-send-email-lma@suse.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit 8074264 (qom: Add description field in ObjectProperty struct)
introduced property descriptions and copied them for alias properties.
Instead of using the caller-supplied property name, use the returned
property name for setting the description. This avoids an Error when
setting a property description for a property with literal "[*]" that
doesn't exist due to automatic property naming in object_property_add().
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org (v2.2+)
Signed-off-by: Andreas Färber <afaerber@suse.de>
- virtqueue index issues in virtio-ccw
- cleanup and sign extension fix for the ipl device
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJVGQDWAAoJEN7Pa5PG8C+v7AAP/3EXIWAJSIY9fS/RDmyMfS04
By0jEnNtmEykRcBvZJFXCCiyfGjHBVaQeAYkadnk4K4AUMVeLR5Zqy66Ii3JK86K
EK3EymTBTo2BIgniJqVF6sjaOKXtp30BCqncAjYY0a+OUDBNEkjcoJ/fuzvpaSXz
WH9Q2kiSDl3pBOpspcj5Nbms/jEW9nc/5cdJCV30AuEDblnaJxVe/vEvUSxZnd47
WKgKITrCAiwjInjr6qd1p8JbFpZh3mEs5rCSjYGrzx+ZhpXuRliaaY0vfNrLIuQY
sXNGy4KWvPgyfIwshA+VGijdKjti92x4dYTtabq+tHxHR+/UrXZaFpMR/HChz6Bj
LW8e31eLLMv1gdQDJ1Q9togiCqLYxiEtmLw4/u8ZwIx00JIH4DGB38qNQC/41icK
xsuGWDZpucfQKsKaF1BromHjSsbrHnGz38mMcvWmiFUt5/nZ3lqSnx+WFcW+u8RR
Wdl5Q9T8l09WU9dfVvymXFdPfkN7wODF3KyRc4oJ/dE2U5/bSJwhm+RMugI+ed3T
fSrWSgebN8VGjlcgEgwVnrfre+aoYr4H9IWKOEOjzEIITk9wYBEbccD1lhfJAOWc
ESuR7d9KyPJp0E7bxAPtKEiTJVEc2QfphBB6rVhtweiEnGDLZyXZr5YHWymv7Aar
J8440Ad2AYB4aidDA1os
=8Zpv
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150330' into staging
s390x fixes:
- virtqueue index issues in virtio-ccw
- cleanup and sign extension fix for the ipl device
# gpg: Signature made Mon Mar 30 08:52:54 2015 BST using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
* remotes/cohuck/tags/s390x-20150330:
s390x/ipl: avoid sign extension
s390x: do not include ram_addr.h
virtio-ccw: range check in READ_VQ_CONF
virtio-ccw: fix range check for SET_VQ
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Replace g_test_add_func() with new qtest_add_func() and g_test_add()
macro with qtest_add() macro. This effectively changes GTester paths:
/i440fx/foo -> /x86_64/i440fx/foo etc.
Cc: qemu-stable@nongnu.org
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
It calls g_test_add_data_func() with a path supplemented by the
architecture, like qtest_add_func() does.
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Use qtest_add_func() instead of g_test_add_func() to reflect
the architecture tested, changing GTester paths as follows:
/fw_cfg/foo -> /x86_64/fw_cfg/foo etc.
Cc: qemu-stable@nongnu.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Make s390_update_iplstate() return uint32_t to avoid sign extensions
for cssids > 127. While this doesn't matter in practice yet (as
nobody supports MCSS-E and thus won't see the real cssid), play safe.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
ram_addr.h is an internal interface and it is not needed anyway by
hw/s390x/ipl.c.
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Many bits in the CMD register are supposed to be strictly read-only.
We should not be deleting them on every write.
As a side-effect: pay explicit attention to when a guest marks off
the FIS Receive or Start bits, and disable the status bits ourselves,
instead of letting them implicitly fall off.
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-3-git-send-email-jsnow@redhat.com
The FIS Receive Buffer and Command List Buffer pointers
should not be edited while the FIS receive engine or
Command Receive engines are running.
Currently, we attempt to re-map the buffers every time they
are adjusted, but while the AHCI engines are off, these registers
may contain stale values, so we should not attempt to re-map these
values until the engines are reactivated.
Reported-by: Jordan Hargrave <jharg93@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-2-git-send-email-jsnow@redhat.com
It's detected by coverity.In is_vlan_packet s->mac_reg[VET] is
unsigned int but is dereferenced as a narrower unsigned short.
This may lead to unexpected results depending on machine
endianness.
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1426224119-8352-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1426858337-21423-1-git-send-email-armbru@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
If the zero write is not aligned, bdrv_co_do_pwritev will segfault
because of accessing to the NULL qiov passed in by bdrv_co_write_zeroes.
Fix this by allocating a local qiov in bdrv_co_do_pwritev if the request
is not aligned. (In this case the padding iovs are necessary anyway, so
it doesn't hurt.)
Also add a check at the end of bdrv_co_do_pwritev to clear the zero flag
if padding is involved.
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1427160230-4489-2-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The shift operation on nlb gives a 32 bit result if no type cast is
applied. This bug was reported by Coverity.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1426348844-8793-1-git-send-email-sw@weilnetz.de
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJVFDsLAAoJEEy22O7T6HE4grQP/2cOVdC6wk/VMLahDr4MxICE
1a5eYDQldZM39wGgZTDy8CVcMtKN/O1YJi+FV/+CRZ+40sh1/Nd5tr0ltBcA8KkY
Q5qumberkiZKT7c5h1S7BGt4RlPT+IiTI9w4gLugY34VNWnfnCBFEyW0TQZXpjVp
XabObmD76y7Yt7IYgwhmebQF2E7Bhyazry7XlKi4ZxoANwqs7zAY0cqRFHuSoy4i
Te/hVIUvHVIOgtITU70J5dIHVG9Ahckf7rZI0IHwGrFuVmQhPzoK4yMi7sEF7MQR
z3q587ne5ycfw+51zkDR5ha/4PUHN9ZRFnkjZtSfOaj5Om+eZv2d7rUjeTZI9cTT
pQgSIkZAlh+vYP4G989QvU+F++UWzJM9F4gWFZdUBV6Ph17+dfg6Qqjuqxlr3CgB
a3e3UV+C4NRsWiDWkz3A9rciFh9cfbDSXlC/YnSQC/bIx3fiktpoHuzg3RBQjPY+
rLqbbovKEyfhy4vHq51VtBIofjP9nzXuNTgzPuhJhy5CFGuI06dErrNZiKkqNXri
pNY1hMq1bYp+BHFUJXLvzGE9zpNyDEwOzuaCi5GGtTPOjOhG2ZyLBEpC4g/b/CLh
GOBI67hc0vYe24S5IH/mBt4YzHtbq6cuVPdHcQUqx+6G337Wjrsr6TaS7FLk1qzE
dSHYUaKtvL5VXTqIzH4q
=/n5P
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150326-1' into staging
gtk: do not call gtk_widget_get_window if drawing area is not initialized
# gpg: Signature made Thu Mar 26 16:59:55 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
* remotes/kraxel/tags/pull-gtk-20150326-1:
gtk: do not call gtk_widget_get_window if drawing area is not initialized
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
zhanghailiang
Marcel Apfelbaum
Nadav Amit
Joseph Hindin
Paolo Bonzini
Peter Maydell
Shannon Zhao
Alex Bennée
Stefan Weil
Daniel P. Berrange
Igor Mammedov
Lin Ma
Andreas Färber
Bastian Koppelmann
Cornelia Huck
John Snow
Shannon Zhao
Markus Armbruster
Fam Zheng