[Spice-commits] 92 commits - VERSION arch_init.c block/qapi.c block/raw-posix.c docs/tracing.txt exec.c hw/acpi hw/arm hw/block hw/core hw/display hw/i386 hw/ide hw/intc hw/mem hw/mips hw/net hw/nvram hw/pci hw/scsi hw/usb hw/virtio include/exec include/hw include/qemu include/sysemu kvm-all.c kvm-stub.c libcacard/vscclient.c linux-headers/asm-arm linux-headers/asm-arm64 linux-headers/asm-powerpc linux-headers/asm-s390 linux-headers/linux memory.c monitor.c net/l2tpv3.c net/slirp.c net/socket.c pc-bios/openbios-ppc pc-bios/openbios-sparc32 pc-bios/openbios-sparc64 qapi-schema.json qapi/block-core.json qapi/common.json qemu-char.c qemu-options.hx qemu-timer.c qga/main.c qmp-commands.hx roms/openbios scripts/tracetool target-arm/helper.c target-cris/translate.c target-i386/cpu.c target-ppc/translate.c target-ppc/translate_init.c target-s390x/kvm.c tests/acpi-test-data ui/gtk.c ui/input.c util/acl.c util/oslib-posix.c util/oslib-win32.c vl.c
Gerd Hoffmann
kraxel at kemper.freedesktop.org
Fri Dec 12 06:08:20 PST 2014
VERSION | 2
arch_init.c | 20
block/qapi.c | 26 -
block/raw-posix.c | 173 +++----
docs/tracing.txt | 6
exec.c | 15
hw/acpi/piix4.c | 4
hw/arm/virt.c | 2
hw/block/nvme.c | 3
hw/block/xen_disk.c | 72 ++-
hw/core/loader.c | 21
hw/core/qdev.c | 12
hw/display/cirrus_vga.c | 65 ++
hw/i386/acpi-build.c | 22
hw/i386/acpi-dsdt-mem-hotplug.dsl | 176 +++++++
hw/i386/acpi-dsdt.dsl | 3
hw/i386/acpi-dsdt.hex.generated | 795 ++++++++++++++++++++++++++++++++++
hw/i386/pc.c | 102 +++-
hw/i386/pc_piix.c | 20
hw/i386/pc_q35.c | 10
hw/i386/q35-acpi-dsdt.dsl | 3
hw/i386/q35-acpi-dsdt.hex.generated | 797 ++++++++++++++++++++++++++++++++++
hw/i386/ssdt-mem.hex.generated | 8
hw/i386/ssdt-misc.dsl | 165 -------
hw/i386/ssdt-misc.hex.generated | 834 +-----------------------------------
hw/ide/core.c | 2
hw/intc/apic.c | 20
hw/mem/pc-dimm.c | 19
hw/mips/mips_mipssim.c | 2
hw/net/pcnet.c | 55 +-
hw/net/rtl8139.c | 4
hw/net/virtio-net.c | 5
hw/nvram/fw_cfg.c | 7
hw/pci/pcie.c | 4
hw/pci/shpc.c | 4
hw/scsi/vhost-scsi.c | 1
hw/usb/hcd-musb.c | 8
hw/virtio/vhost.c | 2
hw/virtio/virtio-rng.c | 15
include/exec/exec-all.h | 2
include/exec/memory.h | 2
include/exec/ram_addr.h | 25 +
include/hw/i386/pc.h | 6
include/hw/loader.h | 2
include/hw/mem/pc-dimm.h | 2
include/hw/qdev-core.h | 2
include/qemu/osdep.h | 3
include/sysemu/kvm.h | 1
kvm-all.c | 24 -
kvm-stub.c | 5
libcacard/vscclient.c | 7
linux-headers/asm-arm/kvm.h | 2
linux-headers/asm-arm64/kvm.h | 2
linux-headers/asm-powerpc/kvm.h | 6
linux-headers/asm-s390/kvm.h | 10
linux-headers/linux/kvm.h | 28 -
linux-headers/linux/vfio.h | 3
memory.c | 5
monitor.c | 11
net/l2tpv3.c | 5
net/slirp.c | 3
net/socket.c | 13
pc-bios/openbios-ppc |binary
pc-bios/openbios-sparc32 |binary
pc-bios/openbios-sparc64 |binary
qapi-schema.json | 6
qapi/block-core.json | 5
qapi/common.json | 15
qemu-char.c | 7
qemu-options.hx | 8
qemu-timer.c | 9
qga/main.c | 4
qmp-commands.hx | 16
roms/openbios | 2
scripts/tracetool/__init__.py | 67 +-
target-arm/helper.c | 20
target-cris/translate.c | 8
target-i386/cpu.c | 10
target-ppc/translate.c | 2
target-ppc/translate_init.c | 52 +-
target-s390x/kvm.c | 4
tests/acpi-test-data/pc/DSDT |binary
tests/acpi-test-data/pc/SSDT |binary
tests/acpi-test-data/q35/DSDT |binary
tests/acpi-test-data/q35/SSDT |binary
ui/gtk.c | 19
ui/input.c | 4
util/acl.c | 10
util/oslib-posix.c | 5
util/oslib-win32.c | 2
vl.c | 2
91 files changed, 2554 insertions(+), 1396 deletions(-)
New commits:
commit 45e1611de8be0eae55967694dd6e627c2dc354f2
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Dec 9 12:13:37 2014 +0000
Update version for v2.2.0 release
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/VERSION b/VERSION
index 7a4e91e..ccbccc3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.95
+2.2.0
commit d00e6cddc220de993573dfb5fd160ac72ccd49ab
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Thu Dec 4 15:51:22 2014 +0000
Update version for v2.2.0-rc5 release
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/VERSION b/VERSION
index 9b218e8..7a4e91e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.94
+2.1.95
commit 54f3a180a3d0b334c55d0f61d6e9fe5c7c6d42d5
Merge: 0d7954c bf25983
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Thu Dec 4 12:22:46 2014 +0000
Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-8106-20141204-1' into staging
cirrus: fix blit region check
# gpg: Signature made Thu 04 Dec 2014 11:54:57 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel at redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd at kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel at gmail.com>"
* remotes/kraxel/tags/pull-cve-2014-8106-20141204-1:
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
cirrus: fix blit region check
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 0d7954c288e91b8a457f15a0a8e8244facf6594b
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Dec 1 13:35:26 2014 +0000
Update version for v2.2.0-rc4 release
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/VERSION b/VERSION
index 9be10bc..9b218e8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.93
+2.1.94
commit b19ca188022d720e6cdf87c43c27cb68bac32f6a
Author: Gonglei <arei.gonglei at huawei.com>
Date: Fri Nov 28 17:26:29 2014 +0800
vhost: Fix vhostfd leak in error branch
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Message-id: 1417166789-1960-1-git-send-email-arei.gonglei at huawei.com
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
index 308b393..dcb2bc5 100644
--- a/hw/scsi/vhost-scsi.c
+++ b/hw/scsi/vhost-scsi.c
@@ -233,6 +233,7 @@ static void vhost_scsi_realize(DeviceState *dev, Error **errp)
vhost_dummy_handle_output);
if (err != NULL) {
error_propagate(errp, err);
+ close(vhostfd);
return;
}
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 5d7c40a..5a12861 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -817,10 +817,12 @@ int vhost_dev_init(struct vhost_dev *hdev, void *opaque,
int i, r;
if (vhost_set_backend_type(hdev, backend_type) < 0) {
+ close((uintptr_t)opaque);
return -1;
}
if (hdev->vhost_ops->vhost_backend_init(hdev, opaque) < 0) {
+ close((uintptr_t)opaque);
return -errno;
}
commit bf25983345ca44aec3dd92c57142be45452bd38a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date: Wed Nov 19 13:27:28 2014 +0100
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
This is CVE-2014-8106.
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d54fb06..2725264 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
assert(s->cirrus_blt_width > 0);
assert(s->cirrus_blt_height > 0);
+ if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
+ return true;
+ }
+
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
return true;
commit d3532a0db02296e687711b8cdc7791924efccea0
Author: Gerd Hoffmann <kraxel at redhat.com>
Date: Wed Nov 19 11:37:42 2014 +0100
cirrus: fix blit region check
Issues:
* Doesn't check pitches correctly in case it is negative.
* Doesn't check width at all.
Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.
This is CVE-2014-8106.
Reported-by: Paolo Bonzini <pbonzini at redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 8a5b76c..d54fb06 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -173,20 +173,6 @@
#define CIRRUS_PNPMMIO_SIZE 0x1000
-#define BLTUNSAFE(s) \
- ( \
- ( /* check dst is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \
- + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
- (s)->vga.vram_size \
- ) || \
- ( /* check src is within bounds */ \
- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \
- + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
- (s)->vga.vram_size \
- ) \
- )
-
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
uint8_t * dst, const uint8_t * src,
@@ -279,6 +265,46 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
*
***************************************/
+static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+{
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+ int32_t max = addr
+ + s->cirrus_blt_width;
+ if (min < 0 || max >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+ int64_t max = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch
+ + s->cirrus_blt_width;
+ if (max >= s->vga.vram_size) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static bool blit_is_unsafe(struct CirrusVGAState *s)
+{
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+ assert(s->cirrus_blt_height > 0);
+
+ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
+
+ return false;
+}
+
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
uint8_t *dst,const uint8_t *src,
int dstpitch,int srcpitch,
@@ -636,7 +662,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
(*s->cirrus_rop) (s, dst, src,
@@ -654,8 +680,9 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
{
cirrus_fill_t rop_func;
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s)) {
return 0;
+ }
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch,
@@ -752,7 +779,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
- if (BLTUNSAFE(s))
+ if (blit_is_unsafe(s))
return 0;
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
commit db12451decf7dfe0f083564183e135f2095228b9
Author: David Gibson <david at gibson.dropbear.id.au>
Date: Thu Nov 27 16:48:10 2014 +1100
Fix for crash after migration in virtio-rng on bi-endian targets
VirtIO devices now remember which endianness they're operating in in order
to support targets which may have guests of either endianness, such as
powerpc. This endianness state is transferred in a subsection of the
virtio device's information.
With virtio-rng this can lead to an abort after a loadvm hitting the
assert() in virtio_is_big_endian(). This can be reproduced by doing a
migrate and load from file on a bi-endian target with a virtio-rng device.
The actual guest state isn't particularly important to triggering this.
The cause is that virtio_rng_load_device() calls virtio_rng_process() which
accesses the ring and thus needs the endianness. However,
virtio_rng_process() is called via virtio_load() before it loads the
subsections. Essentially the ->load callback in VirtioDeviceClass should
only be used for actually reading the device state from the stream, not for
post-load re-initialization.
This patch fixes the bug by moving the virtio_rng_process() after the call
to virtio_load(). Better yet would be to convert virtio to use vmsd and
have the virtio_rng_process() as a post_load callback, but that's a bigger
project for another day.
This is bugfix, and should be considered for the 2.2 branch.
Signed-off-by: David Gibson <david at gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <gkurz at linux.vnet.ibm.com>
Message-id: 1417067290-20715-1-git-send-email-david at gibson.dropbear.id.au
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
index e85a979..473c044 100644
--- a/hw/virtio/virtio-rng.c
+++ b/hw/virtio/virtio-rng.c
@@ -113,20 +113,22 @@ static void virtio_rng_save(QEMUFile *f, void *opaque)
static int virtio_rng_load(QEMUFile *f, void *opaque, int version_id)
{
+ VirtIORNG *vrng = opaque;
+ int ret;
+
if (version_id != 1) {
return -EINVAL;
}
- return virtio_load(VIRTIO_DEVICE(opaque), f, version_id);
-}
+ ret = virtio_load(VIRTIO_DEVICE(vrng), f, version_id);
+ if (ret != 0) {
+ return ret;
+ }
-static int virtio_rng_load_device(VirtIODevice *vdev, QEMUFile *f,
- int version_id)
-{
/* We may have an element ready but couldn't process it due to a quota
* limit. Make sure to try again after live migration when the quota may
* have been reset.
*/
- virtio_rng_process(VIRTIO_RNG(vdev));
+ virtio_rng_process(vrng);
return 0;
}
@@ -231,7 +233,6 @@ static void virtio_rng_class_init(ObjectClass *klass, void *data)
vdc->realize = virtio_rng_device_realize;
vdc->unrealize = virtio_rng_device_unrealize;
vdc->get_features = get_features;
- vdc->load = virtio_rng_load_device;
}
static void virtio_rng_initfn(Object *obj)
commit 771b6ed37e3aa188a7485560b949a41c6cf174dc
Author: Jason Wang <jasowang at redhat.com>
Date: Thu Nov 27 18:04:03 2014 +0800
virtio-net: fix unmap leak
virtio_net_handle_ctrl() and other functions that process control vq
request call iov_discard_front() which will shorten the iov. This will
lead unmapping in virtqueue_push() leaks mapping.
Fixes this by keeping the original iov untouched and using a temp variable
in those functions.
Cc: Wen Congyang <wency at cn.fujitsu.com>
Cc: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Cc: qemu-stable at nongnu.org
Signed-off-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Reviewed-by: Fam Zheng <famz at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Message-id: 1417082643-23907-1-git-send-email-jasowang at redhat.com
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 9b88775..e574bd4 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -798,7 +798,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
virtio_net_ctrl_ack status = VIRTIO_NET_ERR;
VirtQueueElement elem;
size_t s;
- struct iovec *iov;
+ struct iovec *iov, *iov2;
unsigned int iov_cnt;
while (virtqueue_pop(vq, &elem)) {
@@ -808,8 +808,8 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
exit(1);
}
- iov = elem.out_sg;
iov_cnt = elem.out_num;
+ iov2 = iov = g_memdup(elem.out_sg, sizeof(struct iovec) * elem.out_num);
s = iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl));
iov_discard_front(&iov, &iov_cnt, sizeof(ctrl));
if (s != sizeof(ctrl)) {
@@ -833,6 +833,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
virtqueue_push(vq, &elem, sizeof(status));
virtio_notify(vdev, vq);
+ g_free(iov2);
}
}
commit 4cae4d5acaea23f3def84c8dc67ef5106323e5cb
Author: Marcel Apfelbaum <marcel.a at redhat.com>
Date: Wed Nov 26 13:50:01 2014 +0200
hmp: fix regression of HMP device_del auto-completion
The commits:
- 6a1fa9f5 (monitor: add del completion for peripheral device)
- 66e56b13 (qdev: add qdev_build_hotpluggable_device_list helper)
cause a QEMU crash when trying to use HMP device_del auto-completion.
It can be easily reproduced by:
<qemu-bin> -enable-kvm ~/images/fedora.qcow2 -monitor stdio -device virtio-net-pci,id=vnet
(qemu) device_del
/home/mapfelba/git/upstream/qemu/hw/core/qdev.c:941:qdev_build_hotpluggable_device_list: Object 0x7f6ce04e4fe0 is not an instance of type device
Aborted (core dumped)
The root cause is qdev_build_hotpluggable_device_list going recursively over
all peripherals and their children assuming all are devices. It doesn't work
since PCI devices have at least on child which is a memory region (bus master).
Solved by observing that all devices appear as direct children of
/machine/peripheral container. No need of going recursively
over all the children.
Signed-off-by: Marcel Apfelbaum <marcel.a at redhat.com>
Reported-by: Gal Hammer <ghammer at redhat.com>
Reviewed-by: Igor Mammedov <imammedo at redhat.com>
Message-id: 1417002601-20799-1-git-send-email-marcel.a at redhat.com
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 413b413..35fd00d 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -935,7 +935,7 @@ void qdev_alias_all_properties(DeviceState *target, Object *source)
} while (class != object_class_by_name(TYPE_DEVICE));
}
-int qdev_build_hotpluggable_device_list(Object *obj, void *opaque)
+static int qdev_add_hotpluggable_device(Object *obj, void *opaque)
{
GSList **list = opaque;
DeviceState *dev = DEVICE(obj);
@@ -944,10 +944,18 @@ int qdev_build_hotpluggable_device_list(Object *obj, void *opaque)
*list = g_slist_append(*list, dev);
}
- object_child_foreach(obj, qdev_build_hotpluggable_device_list, opaque);
return 0;
}
+GSList *qdev_build_hotpluggable_device_list(Object *peripheral)
+{
+ GSList *list = NULL;
+
+ object_child_foreach(peripheral, qdev_add_hotpluggable_device, &list);
+
+ return list;
+}
+
static bool device_get_realized(Object *obj, Error **errp)
{
DeviceState *dev = DEVICE(obj);
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index d3a2940..589bbe7 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -365,7 +365,7 @@ extern int qdev_hotplug;
char *qdev_get_dev_path(DeviceState *dev);
-int qdev_build_hotpluggable_device_list(Object *obj, void *opaque);
+GSList *qdev_build_hotpluggable_device_list(Object *peripheral);
void qbus_set_hotplug_handler(BusState *bus, DeviceState *handler,
Error **errp);
diff --git a/monitor.c b/monitor.c
index fa00594..f1031a1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4321,17 +4321,14 @@ void object_add_completion(ReadLineState *rs, int nb_args, const char *str)
static void peripheral_device_del_completion(ReadLineState *rs,
const char *str, size_t len)
{
- Object *peripheral;
- GSList *list = NULL, *item;
+ Object *peripheral = container_get(qdev_get_machine(), "/peripheral");
+ GSList *list, *item;
- peripheral = object_resolve_path("/machine/peripheral/", NULL);
- if (peripheral == NULL) {
+ list = qdev_build_hotpluggable_device_list(peripheral);
+ if (!list) {
return;
}
- object_child_foreach(peripheral, qdev_build_hotpluggable_device_list,
- &list);
-
for (item = list; item; item = g_slist_next(item)) {
DeviceState *dev = item->data;
commit 490309fcfbed9fa1ed357541f609975016a34628
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 25 18:21:45 2014 +0000
qemu-timer: Avoid overflows when converting timeout to struct timespec
In qemu_poll_ns(), when we convert an int64_t nanosecond timeout into
a struct timespec, we may accidentally run into overflow problems if
the timeout is very long. This happens because the tv_sec field is a
time_t, which is signed, so we might end up setting it to a negative
value by mistake. This will result in what was intended to be a
near-infinite timeout turning into an instantaneous timeout, and we'll
busy loop. Cap the maximum timeout at INT32_MAX seconds (about 68 years)
to avoid this problem.
This specifically manifested on ARM hosts as an extreme slowdown on
guest shutdown (when the guest reprogrammed the PL031 RTC to not
generate alarms using a very long timeout) but could happen on other
hosts and guests too.
Reported-by: Christoffer Dall <christoffer.dall at linaro.org>
Cc: qemu-stable at nongnu.org
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
Reviewed-by: Fam Zheng <famz at redhat.com>
Message-id: 1416939705-1272-1-git-send-email-peter.maydell at linaro.org
diff --git a/qemu-timer.c b/qemu-timer.c
index 00a5d35..c77de64 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -314,7 +314,14 @@ int qemu_poll_ns(GPollFD *fds, guint nfds, int64_t timeout)
return ppoll((struct pollfd *)fds, nfds, NULL, NULL);
} else {
struct timespec ts;
- ts.tv_sec = timeout / 1000000000LL;
+ int64_t tvsec = timeout / 1000000000LL;
+ /* Avoid possibly overflowing and specifying a negative number of
+ * seconds, which would turn a very long timeout into a busy-wait.
+ */
+ if (tvsec > (int64_t)INT32_MAX) {
+ tvsec = INT32_MAX;
+ }
+ ts.tv_sec = tvsec;
ts.tv_nsec = timeout % 1000000000LL;
return ppoll((struct pollfd *)fds, nfds, &ts, NULL);
}
commit 3ef4ebcc5c0360629bb05f49d9b961774247d6ca
Merge: 2528043 dc622de
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Wed Nov 26 12:18:00 2014 +0000
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
The final 2.2 patches from me.
# gpg: Signature made Wed 26 Nov 2014 11:12:25 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini at gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini at redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream:
s390x/kvm: Fix compile error
fw_cfg: fix boot order bug when dynamically modified via QOM
-machine vmport=auto: Fix handling of VMWare ioport emulation for xen
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit dc622deb2d49aac6afa485f9025be8fed440ef3d
Author: Christian Borntraeger <borntraeger at de.ibm.com>
Date: Wed Nov 26 11:07:24 2014 +0100
s390x/kvm: Fix compile error
commit a2b257d6212a "memory: expose alignment used for allocating RAM
as MemoryRegion API" triggered a compile error on KVM/s390x.
Fix the prototype and the implementation of legacy_s390_alloc.
Cc: Igor Mammedov <imammedo at redhat.com>
Cc: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger at de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index 50709ba..2c638ab 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -106,7 +106,7 @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
static int cap_sync_regs;
static int cap_async_pf;
-static void *legacy_s390_alloc(size_t size);
+static void *legacy_s390_alloc(size_t size, uint64_t *align);
static int kvm_s390_check_clear_cmma(KVMState *s)
{
@@ -404,7 +404,7 @@ int kvm_arch_get_registers(CPUState *cs)
* to grow. We also have to use MAP parameters that avoid
* read-only mapping of guest pages.
*/
-static void *legacy_s390_alloc(size_t size, , uint64_t *align)
+static void *legacy_s390_alloc(size_t size, uint64_t *align)
{
void *mem;
commit f3b3766899fc0a79a175a5d29d0ff427327cd34a
Author: Gonglei <arei.gonglei at huawei.com>
Date: Tue Nov 25 12:38:19 2014 +0800
fw_cfg: fix boot order bug when dynamically modified via QOM
When we dynamically modify boot order, the length of
boot order will be changed, but we don't update
s->files->f[i].size with new length. This casuse
seabios read a wrong vale of qemu cfg file about
bootorder.
Cc: Gerd Hoffmann <kraxel at redhat.com>
Cc: Paolo Bonzini <pbonzini at redhat.com>
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index e7ed27e..a7122ee 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -523,6 +523,7 @@ void *fw_cfg_modify_file(FWCfgState *s, const char *filename,
void *data, size_t len)
{
int i, index;
+ void *ptr = NULL;
assert(s->files);
@@ -531,8 +532,10 @@ void *fw_cfg_modify_file(FWCfgState *s, const char *filename,
for (i = 0; i < index; i++) {
if (strcmp(filename, s->files->f[i].name) == 0) {
- return fw_cfg_modify_bytes_read(s, FW_CFG_FILE_FIRST + i,
- data, len);
+ ptr = fw_cfg_modify_bytes_read(s, FW_CFG_FILE_FIRST + i,
+ data, len);
+ s->files->f[i].size = cpu_to_be32(len);
+ return ptr;
}
}
/* add new one */
commit d1048bef9df0aacde9a54bf9b5b97a6e10950d8c
Author: Don Slutz <dslutz at verizon.com>
Date: Fri Nov 21 11:18:52 2014 -0500
-machine vmport=auto: Fix handling of VMWare ioport emulation for xen
c/s 9b23cfb76b3a5e9eb5cc899eaf2f46bc46d33ba4
or
c/s b154537ad07598377ebf98252fb7d2aff127983b
moved the testing of xen_enabled() from pc_init1() to
pc_machine_initfn().
xen_enabled() does not return the correct value in
pc_machine_initfn().
Changed vmport from a bool to an enum. Added the value "auto" to do
the old way. Move check of xen_enabled() back to pc_init1().
Acked-by: Eric Blake <eblake at redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost at redhat.com>
Signed-off-by: Don Slutz <dslutz at verizon.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 8be50a4..f31d55e 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -61,6 +61,7 @@
#include "hw/mem/pc-dimm.h"
#include "trace.h"
#include "qapi/visitor.h"
+#include "qapi-visit.h"
/* debug PC/ISA interrupts */
//#define DEBUG_IRQ
@@ -1772,18 +1773,21 @@ static void pc_machine_set_max_ram_below_4g(Object *obj, Visitor *v,
pcms->max_ram_below_4g = value;
}
-static bool pc_machine_get_vmport(Object *obj, Error **errp)
+static void pc_machine_get_vmport(Object *obj, Visitor *v, void *opaque,
+ const char *name, Error **errp)
{
PCMachineState *pcms = PC_MACHINE(obj);
+ OnOffAuto vmport = pcms->vmport;
- return pcms->vmport;
+ visit_type_OnOffAuto(v, &vmport, name, errp);
}
-static void pc_machine_set_vmport(Object *obj, bool value, Error **errp)
+static void pc_machine_set_vmport(Object *obj, Visitor *v, void *opaque,
+ const char *name, Error **errp)
{
PCMachineState *pcms = PC_MACHINE(obj);
- pcms->vmport = value;
+ visit_type_OnOffAuto(v, &pcms->vmport, name, errp);
}
static bool pc_machine_get_aligned_dimm(Object *obj, Error **errp)
@@ -1806,11 +1810,11 @@ static void pc_machine_initfn(Object *obj)
pc_machine_set_max_ram_below_4g,
NULL, NULL, NULL);
- pcms->vmport = !xen_enabled();
- object_property_add_bool(obj, PC_MACHINE_VMPORT,
- pc_machine_get_vmport,
- pc_machine_set_vmport,
- NULL);
+ pcms->vmport = ON_OFF_AUTO_AUTO;
+ object_property_add(obj, PC_MACHINE_VMPORT, "OnOffAuto",
+ pc_machine_get_vmport,
+ pc_machine_set_vmport,
+ NULL, NULL, NULL);
pcms->enforce_aligned_dimm = true;
object_property_add_bool(obj, PC_MACHINE_ENFORCE_ALIGNED_DIMM,
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 741dffd..85ed3c8 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -234,9 +234,14 @@ static void pc_init1(MachineState *machine,
pc_vga_init(isa_bus, pci_enabled ? pci_bus : NULL);
+ assert(pc_machine->vmport != ON_OFF_AUTO_MAX);
+ if (pc_machine->vmport == ON_OFF_AUTO_AUTO) {
+ pc_machine->vmport = xen_enabled() ? ON_OFF_AUTO_OFF : ON_OFF_AUTO_ON;
+ }
+
/* init basic PC hardware */
pc_basic_device_init(isa_bus, gsi, &rtc_state, &floppy,
- !pc_machine->vmport, 0x4);
+ (pc_machine->vmport != ON_OFF_AUTO_ON), 0x4);
pc_nic_init(isa_bus, pci_bus);
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index e9ba1a2..0262b5e 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -242,9 +242,14 @@ static void pc_q35_init(MachineState *machine)
pc_register_ferr_irq(gsi[13]);
+ assert(pc_machine->vmport != ON_OFF_AUTO_MAX);
+ if (pc_machine->vmport == ON_OFF_AUTO_AUTO) {
+ pc_machine->vmport = xen_enabled() ? ON_OFF_AUTO_OFF : ON_OFF_AUTO_ON;
+ }
+
/* init basic PC hardware */
pc_basic_device_init(isa_bus, gsi, &rtc_state, &floppy,
- !pc_machine->vmport, 0xff0104);
+ (pc_machine->vmport != ON_OFF_AUTO_ON), 0xff0104);
/* connect pm stuff to lpc */
ich9_lpc_pm_init(lpc);
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 9d85b89..69d9cf8 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -39,7 +39,7 @@ struct PCMachineState {
ISADevice *rtc;
uint64_t max_ram_below_4g;
- bool vmport;
+ OnOffAuto vmport;
bool enforce_aligned_dimm;
};
diff --git a/qapi/common.json b/qapi/common.json
index 4e9a21f..63ef3b4 100644
--- a/qapi/common.json
+++ b/qapi/common.json
@@ -87,3 +87,18 @@
##
{ 'command': 'query-commands', 'returns': ['CommandInfo'] }
+##
+# @OnOffAuto
+#
+# An enumeration of three options: on, off, and auto
+#
+# @auto: QEMU selects the value between on and off
+#
+# @on: Enabled
+#
+# @off: Disabled
+#
+# Since: 2.2
+##
+{ 'enum': 'OnOffAuto',
+ 'data': [ 'auto', 'on', 'off' ] }
diff --git a/qemu-options.hx b/qemu-options.hx
index da9851d..64af16d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -33,7 +33,7 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
" property accel=accel1[:accel2[:...]] selects accelerator\n"
" supported accelerators are kvm, xen, tcg (default: tcg)\n"
" kernel_irqchip=on|off controls accelerated irqchip support\n"
- " vmport=on|off controls emulation of vmport (default: on)\n"
+ " vmport=on|off|auto controls emulation of vmport (default: auto)\n"
" kvm_shadow_mem=size of KVM shadow MMU\n"
" dump-guest-core=on|off include guest memory in a core dump (default=on)\n"
" mem-merge=on|off controls memory merge support (default: on)\n"
@@ -52,8 +52,10 @@ than one accelerator specified, the next one is used if the previous one fails
to initialize.
@item kernel_irqchip=on|off
Enables in-kernel irqchip support for the chosen accelerator when available.
- at item vmport=on|off
-Enables emulation of VMWare IO port, for vmmouse etc. (enabled by default)
+ at item vmport=on|off|auto
+Enables emulation of VMWare IO port, for vmmouse etc. auto says to select the
+value based on accel. For accel=xen the default is off otherwise the default
+is on.
@item kvm_shadow_mem=size
Defines the size of the KVM shadow MMU.
@item dump-guest-core=on|off
diff --git a/vl.c b/vl.c
index f4a6e5e..eb89d62 100644
--- a/vl.c
+++ b/vl.c
@@ -381,7 +381,7 @@ static QemuOptsList qemu_machine_opts = {
.help = "maximum ram below the 4G boundary (32bit boundary)",
}, {
.name = PC_MACHINE_VMPORT,
- .type = QEMU_OPT_BOOL,
+ .type = QEMU_OPT_STRING,
.help = "Enable vmport (pc & q35)",
},{
.name = "iommu",
commit 2528043f1f299e0e88cb026f1ca7c40bbb4e1f80
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 25 18:23:54 2014 +0000
Update version for v2.2.0-rc3 release
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/VERSION b/VERSION
index a048613..9be10bc 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.92
+2.1.93
commit df5b2adb7398d71016ee469f71e52075ed95e04e
Author: Gerd Hoffmann <kraxel at redhat.com>
Date: Tue Nov 25 14:54:17 2014 +0100
input: move input-send-event into experimental namespace
Ongoing discussions on how we are going to specify the console,
so tag the command as experiental so we can refine things in
the 2.3 development cycle.
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
Message-id: 1416923657-10614-1-git-send-email-armbru at redhat.com
[Spell out "not a stable API", and x- the QAPI schema, too]
Signed-off-by: Markus Armbruster <armbru at redhat.com>
Reviewed-by: Amos Kong <akong at redhat.com>
Reviewed-by: Eric Blake <eblake at redhat.com>
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/qapi-schema.json b/qapi-schema.json
index d0926d9..9ffdcf8 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3245,7 +3245,7 @@
'abs' : 'InputMoveEvent' } }
##
-# @input-send-event
+# @x-input-send-event
#
# Send input event(s) to guest.
#
@@ -3257,8 +3257,10 @@
#
# Since: 2.2
#
+# Note: this command is experimental, and not a stable API.
+#
##
-{ 'command': 'input-send-event',
+{ 'command': 'x-input-send-event',
'data': { '*console':'int', 'events': [ 'InputEvent' ] } }
##
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 8812401..718dd92 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3791,13 +3791,13 @@ Example:
EQMP
{
- .name = "input-send-event",
+ .name = "x-input-send-event",
.args_type = "console:i?,events:q",
- .mhandler.cmd_new = qmp_marshal_input_input_send_event,
+ .mhandler.cmd_new = qmp_marshal_input_x_input_send_event,
},
SQMP
- at input-send-event
+ at x-input-send-event
-----------------
Send input event to guest.
@@ -3811,17 +3811,19 @@ The consoles are visible in the qom tree, under
/backend/console[$index]. They have a device link and head property, so
it is possible to map which console belongs to which device and display.
+Note: this command is experimental, and not a stable API.
+
Example (1):
Press left mouse button.
--> { "execute": "input-send-event",
+-> { "execute": "x-input-send-event",
"arguments": { "console": 0,
"events": [ { "type": "btn",
"data" : { "down": true, "button": "Left" } } } }
<- { "return": {} }
--> { "execute": "input-send-event",
+-> { "execute": "x-input-send-event",
"arguments": { "console": 0,
"events": [ { "type": "btn",
"data" : { "down": false, "button": "Left" } } } }
@@ -3831,7 +3833,7 @@ Example (2):
Press ctrl-alt-del.
--> { "execute": "input-send-event",
+-> { "execute": "x-input-send-event",
"arguments": { "console": 0, "events": [
{ "type": "key", "data" : { "down": true,
"key": {"type": "qcode", "data": "ctrl" } } },
@@ -3845,7 +3847,7 @@ Example (3):
Move mouse pointer to absolute coordinates (20000, 400).
--> { "execute": "input-send-event" ,
+-> { "execute": "x-input-send-event" ,
"arguments": { "console": 0, "events": [
{ "type": "abs", "data" : { "axis": "X", "value" : 20000 } },
{ "type": "abs", "data" : { "axis": "Y", "value" : 400 } } ] } }
diff --git a/ui/input.c b/ui/input.c
index 37ff46f..7ba99e5 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -122,8 +122,8 @@ qemu_input_find_handler(uint32_t mask, QemuConsole *con)
return NULL;
}
-void qmp_input_send_event(bool has_console, int64_t console,
- InputEventList *events, Error **errp)
+void qmp_x_input_send_event(bool has_console, int64_t console,
+ InputEventList *events, Error **errp)
{
InputEventList *e;
QemuConsole *con;
commit ca6028185d19d3f2bd331c15175c3ef5afc30c77
Merge: 3d4a70f dd0247e
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Nov 24 19:31:50 2014 +0000
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
pc, pci, misc bugfixes
A bunch of bugfixes for 2.2.
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
# gpg: Signature made Mon 24 Nov 2014 18:59:47 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst at kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst at redhat.com>"
* remotes/mst/tags/for_upstream:
pc: acpi: mark all possible CPUs as enabled in SRAT
pcie: fix improper use of negative value
pcie: fix typo in pcie_cap_deverr_init()
target-i386: move generic memory hotplug methods to DSDTs
acpi-build: mark RAM dirty on table update
hw/pci: fix crash on shpc error flow
pc: count in 1Gb hugepage alignment when sizing hotplug-memory container
pc: explicitly check maxmem limit when adding DIMM
pc: pc-dimm: use backend alignment during address auto allocation
pc: align DIMM's address/size by backend's alignment value
memory: expose alignment used for allocating RAM as MemoryRegion API
pc: limit DIMM address and size to page aligned values
pc: make pc_dimm_plug() more readble
pc: kvm: check if KVM has free memory slots to avoid abort()
qemu-char: fix tcp_get_fds
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit dd0247e09a542d2a7ba6e390c70b5616edb9ec56
Author: Igor Mammedov <imammedo at redhat.com>
Date: Mon Nov 10 16:20:50 2014 +0000
pc: acpi: mark all possible CPUs as enabled in SRAT
If QEMU is started with -numa ... Windows only notices that
CPU has been hot-added but it will not online such CPUs.
It's caused by the fact that possible CPUs are flagged as
not enabled in SRAT and Windows honoring that information
doesn't use corresponding CPU.
ACPI 5.0 Spec regarding to flag says:
"
Table 5-47 Local APIC Flags
...
Enabled: if zero, this processor is unusable, and the operating system
support will not attempt to use it.
"
Fix QEMU to adhere to spec and mark possible CPUs as enabled
in SRAT.
With that Windows onlines hot-added CPUs as expected.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 92a36e3..b37a397 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1270,8 +1270,7 @@ acpi_build_srat_memory(AcpiSratMemoryAffinity *numamem, uint64_t base,
}
static void
-build_srat(GArray *table_data, GArray *linker,
- AcpiCpuInfo *cpu, PcGuestInfo *guest_info)
+build_srat(GArray *table_data, GArray *linker, PcGuestInfo *guest_info)
{
AcpiSystemResourceAffinityTable *srat;
AcpiSratProcessorAffinity *core;
@@ -1301,11 +1300,7 @@ build_srat(GArray *table_data, GArray *linker,
core->proximity_lo = curnode;
memset(core->proximity_hi, 0, 3);
core->local_sapic_eid = 0;
- if (test_bit(i, cpu->found_cpus)) {
- core->flags = cpu_to_le32(1);
- } else {
- core->flags = cpu_to_le32(0);
- }
+ core->flags = cpu_to_le32(1);
}
@@ -1623,7 +1618,7 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
}
if (guest_info->numa_nodes) {
acpi_add_table(table_offsets, tables->table_data);
- build_srat(tables->table_data, tables->linker, &cpu, guest_info);
+ build_srat(tables->table_data, tables->linker, guest_info);
}
if (acpi_get_mcfg(&mcfg)) {
acpi_add_table(table_offsets, tables->table_data);
commit 6c150fbd341ac10b8559abcfd5915cfff17b70c6
Author: Gonglei <arei.gonglei at huawei.com>
Date: Thu Nov 20 16:55:54 2014 +0800
pcie: fix improper use of negative value
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index fbba589..1abbbb1 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -229,7 +229,7 @@ static void pcie_cap_slot_hotplug_common(PCIDevice *hotplug_dev,
/* the slot is electromechanically locked.
* This error is propagated up to qdev and then to HMP/QMP.
*/
- error_setg_errno(errp, -EBUSY, "slot is electromechanically locked");
+ error_setg_errno(errp, EBUSY, "slot is electromechanically locked");
}
}
commit 8e815eeefe205155f5561ddd06a29c75819d2ca8
Author: Gonglei <arei.gonglei at huawei.com>
Date: Tue Nov 18 10:47:57 2014 +0800
pcie: fix typo in pcie_cap_deverr_init()
Reported-by:
https://bugs.launchpad.net/qemu/+bug/1393440
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index 58455bd..fbba589 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -145,7 +145,7 @@ void pcie_cap_deverr_init(PCIDevice *dev)
PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE);
pci_long_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_DEVSTA,
PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
- PCI_EXP_DEVSTA_URD | PCI_EXP_DEVSTA_URD);
+ PCI_EXP_DEVSTA_FED | PCI_EXP_DEVSTA_URD);
}
void pcie_cap_deverr_reset(PCIDevice *dev)
commit 4f99ab7a782250847ca33ae23a172501496c604d
Author: Paolo Bonzini <pbonzini at redhat.com>
Date: Wed Oct 15 09:45:44 2014 +0200
target-i386: move generic memory hotplug methods to DSDTs
This makes it simpler to keep the SSDT byte-for-byte identical for a
given machine type, which is a goal we want to have for 2.2 and newer
types.
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/acpi-dsdt-mem-hotplug.dsl b/hw/i386/acpi-dsdt-mem-hotplug.dsl
new file mode 100644
index 0000000..2a36c47
--- /dev/null
+++ b/hw/i386/acpi-dsdt-mem-hotplug.dsl
@@ -0,0 +1,176 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+ External(MEMORY_SLOT_NOTIFY_METHOD, MethodObj)
+
+ Scope(\_SB.PCI0) {
+ Device(MEMORY_HOTPLUG_DEVICE) {
+ Name(_HID, "PNP0A06")
+ Name(_UID, "Memory hotplug resources")
+ External(MEMORY_SLOTS_NUMBER, IntObj)
+
+ /* Memory hotplug IO registers */
+ OperationRegion(MEMORY_HOTPLUG_IO_REGION, SystemIO,
+ ACPI_MEMORY_HOTPLUG_BASE,
+ ACPI_MEMORY_HOTPLUG_IO_LEN)
+
+ Name(_CRS, ResourceTemplate() {
+ IO(Decode16, ACPI_MEMORY_HOTPLUG_BASE, ACPI_MEMORY_HOTPLUG_BASE,
+ 0, ACPI_MEMORY_HOTPLUG_IO_LEN, IO)
+ })
+
+ Method(_STA, 0) {
+ If (LEqual(MEMORY_SLOTS_NUMBER, Zero)) {
+ Return(0x0)
+ }
+ /* present, functioning, decoding, not shown in UI */
+ Return(0xB)
+ }
+
+ Field(MEMORY_HOTPLUG_IO_REGION, DWordAcc, NoLock, Preserve) {
+ MEMORY_SLOT_ADDR_LOW, 32, // read only
+ MEMORY_SLOT_ADDR_HIGH, 32, // read only
+ MEMORY_SLOT_SIZE_LOW, 32, // read only
+ MEMORY_SLOT_SIZE_HIGH, 32, // read only
+ MEMORY_SLOT_PROXIMITY, 32, // read only
+ }
+ Field(MEMORY_HOTPLUG_IO_REGION, ByteAcc, NoLock, Preserve) {
+ Offset(20),
+ MEMORY_SLOT_ENABLED, 1, // 1 if enabled, read only
+ MEMORY_SLOT_INSERT_EVENT, 1, // (read) 1 if has a insert event. (write) 1 to clear event
+ }
+
+ Mutex (MEMORY_SLOT_LOCK, 0)
+ Field (MEMORY_HOTPLUG_IO_REGION, DWordAcc, NoLock, Preserve) {
+ MEMORY_SLOT_SLECTOR, 32, // DIMM selector, write only
+ MEMORY_SLOT_OST_EVENT, 32, // _OST event code, write only
+ MEMORY_SLOT_OST_STATUS, 32, // _OST status code, write only
+ }
+
+ Method(MEMORY_SLOT_SCAN_METHOD, 0) {
+ If (LEqual(MEMORY_SLOTS_NUMBER, Zero)) {
+ Return(Zero)
+ }
+
+ Store(Zero, Local0) // Mem devs iterrator
+ Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
+ while (LLess(Local0, MEMORY_SLOTS_NUMBER)) {
+ Store(Local0, MEMORY_SLOT_SLECTOR) // select Local0 DIMM
+ If (LEqual(MEMORY_SLOT_INSERT_EVENT, One)) { // Memory device needs check
+ MEMORY_SLOT_NOTIFY_METHOD(Local0, 1)
+ Store(1, MEMORY_SLOT_INSERT_EVENT)
+ }
+ // TODO: handle memory eject request
+ Add(Local0, One, Local0) // goto next DIMM
+ }
+ Release(MEMORY_SLOT_LOCK)
+ Return(One)
+ }
+
+ Method(MEMORY_SLOT_STATUS_METHOD, 1) {
+ Store(Zero, Local0)
+
+ Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
+ Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
+
+ If (LEqual(MEMORY_SLOT_ENABLED, One)) {
+ Store(0xF, Local0)
+ }
+
+ Release(MEMORY_SLOT_LOCK)
+ Return(Local0)
+ }
+
+ Method(MEMORY_SLOT_CRS_METHOD, 1, Serialized) {
+ Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
+ Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
+
+ Name(MR64, ResourceTemplate() {
+ QWordMemory(ResourceProducer, PosDecode, MinFixed, MaxFixed,
+ Cacheable, ReadWrite,
+ 0x0000000000000000, // Address Space Granularity
+ 0x0000000000000000, // Address Range Minimum
+ 0xFFFFFFFFFFFFFFFE, // Address Range Maximum
+ 0x0000000000000000, // Address Translation Offset
+ 0xFFFFFFFFFFFFFFFF, // Address Length
+ ,, MW64, AddressRangeMemory, TypeStatic)
+ })
+
+ CreateDWordField(MR64, 14, MINL)
+ CreateDWordField(MR64, 18, MINH)
+ CreateDWordField(MR64, 38, LENL)
+ CreateDWordField(MR64, 42, LENH)
+ CreateDWordField(MR64, 22, MAXL)
+ CreateDWordField(MR64, 26, MAXH)
+
+ Store(MEMORY_SLOT_ADDR_HIGH, MINH)
+ Store(MEMORY_SLOT_ADDR_LOW, MINL)
+ Store(MEMORY_SLOT_SIZE_HIGH, LENH)
+ Store(MEMORY_SLOT_SIZE_LOW, LENL)
+
+ // 64-bit math: MAX = MIN + LEN - 1
+ Add(MINL, LENL, MAXL)
+ Add(MINH, LENH, MAXH)
+ If (LLess(MAXL, MINL)) {
+ Add(MAXH, One, MAXH)
+ }
+ If (LLess(MAXL, One)) {
+ Subtract(MAXH, One, MAXH)
+ }
+ Subtract(MAXL, One, MAXL)
+
+ If (LEqual(MAXH, Zero)){
+ Name(MR32, ResourceTemplate() {
+ DWordMemory(ResourceProducer, PosDecode, MinFixed, MaxFixed,
+ Cacheable, ReadWrite,
+ 0x00000000, // Address Space Granularity
+ 0x00000000, // Address Range Minimum
+ 0xFFFFFFFE, // Address Range Maximum
+ 0x00000000, // Address Translation Offset
+ 0xFFFFFFFF, // Address Length
+ ,, MW32, AddressRangeMemory, TypeStatic)
+ })
+ CreateDWordField(MR32, MW32._MIN, MIN)
+ CreateDWordField(MR32, MW32._MAX, MAX)
+ CreateDWordField(MR32, MW32._LEN, LEN)
+ Store(MINL, MIN)
+ Store(MAXL, MAX)
+ Store(LENL, LEN)
+
+ Release(MEMORY_SLOT_LOCK)
+ Return(MR32)
+ }
+
+ Release(MEMORY_SLOT_LOCK)
+ Return(MR64)
+ }
+
+ Method(MEMORY_SLOT_PROXIMITY_METHOD, 1) {
+ Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
+ Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
+ Store(MEMORY_SLOT_PROXIMITY, Local0)
+ Release(MEMORY_SLOT_LOCK)
+ Return(Local0)
+ }
+
+ Method(MEMORY_SLOT_OST_METHOD, 4) {
+ Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
+ Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
+ Store(Arg1, MEMORY_SLOT_OST_EVENT)
+ Store(Arg2, MEMORY_SLOT_OST_STATUS)
+ Release(MEMORY_SLOT_LOCK)
+ }
+ } // Device()
+ } // Scope()
diff --git a/hw/i386/acpi-dsdt.dsl b/hw/i386/acpi-dsdt.dsl
index 559f4b6..a611e07 100644
--- a/hw/i386/acpi-dsdt.dsl
+++ b/hw/i386/acpi-dsdt.dsl
@@ -297,13 +297,12 @@ DefinitionBlock (
#include "hw/acpi/pc-hotplug.h"
#define CPU_STATUS_BASE PIIX4_CPU_HOTPLUG_IO_BASE
#include "acpi-dsdt-cpu-hotplug.dsl"
+#include "acpi-dsdt-mem-hotplug.dsl"
/****************************************************************
* General purpose events
****************************************************************/
- External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)
-
Scope(\_GPE) {
Name(_HID, "ACPI0006")
diff --git a/hw/i386/acpi-dsdt.hex.generated b/hw/i386/acpi-dsdt.hex.generated
index a21bf41..875570e 100644
--- a/hw/i386/acpi-dsdt.hex.generated
+++ b/hw/i386/acpi-dsdt.hex.generated
@@ -3,12 +3,12 @@ static unsigned char AcpiDsdtAmlCode[] = {
0x53,
0x44,
0x54,
-0xf7,
-0xa,
+0x8,
+0xe,
0x0,
0x0,
0x1,
-0x1f,
+0xfc,
0x42,
0x58,
0x50,
@@ -32,8 +32,8 @@ static unsigned char AcpiDsdtAmlCode[] = {
0x54,
0x4c,
0x28,
-0x5,
-0x10,
+0x8,
+0x14,
0x20,
0x10,
0x49,
@@ -2593,6 +2593,791 @@ static unsigned char AcpiDsdtAmlCode[] = {
0xa,
0xb,
0x10,
+0x40,
+0x31,
+0x2e,
+0x5f,
+0x53,
+0x42,
+0x5f,
+0x50,
+0x43,
+0x49,
+0x30,
+0x5b,
+0x82,
+0x43,
+0x30,
+0x4d,
+0x48,
+0x50,
+0x44,
+0x8,
+0x5f,
+0x48,
+0x49,
+0x44,
+0xd,
+0x50,
+0x4e,
+0x50,
+0x30,
+0x41,
+0x30,
+0x36,
+0x0,
+0x8,
+0x5f,
+0x55,
+0x49,
+0x44,
+0xd,
+0x4d,
+0x65,
+0x6d,
+0x6f,
+0x72,
+0x79,
+0x20,
+0x68,
+0x6f,
+0x74,
+0x70,
+0x6c,
+0x75,
+0x67,
+0x20,
+0x72,
+0x65,
+0x73,
+0x6f,
+0x75,
+0x72,
+0x63,
+0x65,
+0x73,
+0x0,
+0x5b,
+0x80,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x1,
+0xb,
+0x0,
+0xa,
+0xa,
+0x18,
+0x8,
+0x5f,
+0x43,
+0x52,
+0x53,
+0x11,
+0xd,
+0xa,
+0xa,
+0x47,
+0x1,
+0x0,
+0xa,
+0x0,
+0xa,
+0x0,
+0x18,
+0x79,
+0x0,
+0x14,
+0x13,
+0x5f,
+0x53,
+0x54,
+0x41,
+0x0,
+0xa0,
+0x9,
+0x93,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x0,
+0xa4,
+0x0,
+0xa4,
+0xa,
+0xb,
+0x5b,
+0x81,
+0x1f,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x3,
+0x4d,
+0x52,
+0x42,
+0x4c,
+0x20,
+0x4d,
+0x52,
+0x42,
+0x48,
+0x20,
+0x4d,
+0x52,
+0x4c,
+0x4c,
+0x20,
+0x4d,
+0x52,
+0x4c,
+0x48,
+0x20,
+0x4d,
+0x50,
+0x58,
+0x5f,
+0x20,
+0x5b,
+0x81,
+0x13,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x1,
+0x0,
+0x40,
+0xa,
+0x4d,
+0x45,
+0x53,
+0x5f,
+0x1,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x1,
+0x5b,
+0x1,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0x0,
+0x5b,
+0x81,
+0x15,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x3,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x20,
+0x4d,
+0x4f,
+0x45,
+0x56,
+0x20,
+0x4d,
+0x4f,
+0x53,
+0x43,
+0x20,
+0x14,
+0x4a,
+0x4,
+0x4d,
+0x53,
+0x43,
+0x4e,
+0x0,
+0xa0,
+0x9,
+0x93,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x0,
+0xa4,
+0x0,
+0x70,
+0x0,
+0x60,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0xa2,
+0x25,
+0x95,
+0x60,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x70,
+0x60,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0xa0,
+0x13,
+0x93,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x1,
+0x4d,
+0x54,
+0x46,
+0x59,
+0x60,
+0x1,
+0x70,
+0x1,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x72,
+0x60,
+0x1,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x1,
+0x14,
+0x2d,
+0x4d,
+0x52,
+0x53,
+0x54,
+0x1,
+0x70,
+0x0,
+0x60,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0xa0,
+0xb,
+0x93,
+0x4d,
+0x45,
+0x53,
+0x5f,
+0x1,
+0x70,
+0xa,
+0xf,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x60,
+0x14,
+0x41,
+0x18,
+0x4d,
+0x43,
+0x52,
+0x53,
+0x9,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x8,
+0x4d,
+0x52,
+0x36,
+0x34,
+0x11,
+0x33,
+0xa,
+0x30,
+0x8a,
+0x2b,
+0x0,
+0x0,
+0xc,
+0x3,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xfe,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0x79,
+0x0,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0xe,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x12,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x26,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x2a,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x16,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x1a,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x42,
+0x48,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x42,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x70,
+0x4d,
+0x52,
+0x4c,
+0x48,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x4c,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x72,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x72,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x4d,
+0x41,
+0x58,
+0x48,
+0xa0,
+0x14,
+0x95,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x72,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x48,
+0xa0,
+0x11,
+0x95,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x1,
+0x74,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x74,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0xa0,
+0x44,
+0x7,
+0x93,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x0,
+0x8,
+0x4d,
+0x52,
+0x33,
+0x32,
+0x11,
+0x1f,
+0xa,
+0x1c,
+0x87,
+0x17,
+0x0,
+0x0,
+0xc,
+0x3,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xfe,
+0xff,
+0xff,
+0xff,
+0x0,
+0x0,
+0x0,
+0x0,
+0xff,
+0xff,
+0xff,
+0xff,
+0x79,
+0x0,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0xa,
+0x4d,
+0x49,
+0x4e,
+0x5f,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0xe,
+0x4d,
+0x41,
+0x58,
+0x5f,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0x16,
+0x4c,
+0x45,
+0x4e,
+0x5f,
+0x70,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x5f,
+0x70,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x4d,
+0x41,
+0x58,
+0x5f,
+0x70,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x5f,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x4d,
+0x52,
+0x33,
+0x32,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x4d,
+0x52,
+0x36,
+0x34,
+0x14,
+0x24,
+0x4d,
+0x50,
+0x58,
+0x4d,
+0x1,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x70,
+0x4d,
+0x50,
+0x58,
+0x5f,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x60,
+0x14,
+0x28,
+0x4d,
+0x4f,
+0x53,
+0x54,
+0x4,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x70,
+0x69,
+0x4d,
+0x4f,
+0x45,
+0x56,
+0x70,
+0x6a,
+0x4d,
+0x4f,
+0x53,
+0x43,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0x10,
0x45,
0xd,
0x5f,
diff --git a/hw/i386/q35-acpi-dsdt.dsl b/hw/i386/q35-acpi-dsdt.dsl
index 054b035..e1cee5d 100644
--- a/hw/i386/q35-acpi-dsdt.dsl
+++ b/hw/i386/q35-acpi-dsdt.dsl
@@ -405,13 +405,12 @@ DefinitionBlock (
#include "hw/acpi/pc-hotplug.h"
#define CPU_STATUS_BASE ICH9_CPU_HOTPLUG_IO_BASE
#include "acpi-dsdt-cpu-hotplug.dsl"
+#include "acpi-dsdt-mem-hotplug.dsl"
/****************************************************************
* General purpose events
****************************************************************/
- External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)
-
Scope(\_GPE) {
Name(_HID, "ACPI0006")
diff --git a/hw/i386/q35-acpi-dsdt.hex.generated b/hw/i386/q35-acpi-dsdt.hex.generated
index c9eb4ac..4807bdf 100644
--- a/hw/i386/q35-acpi-dsdt.hex.generated
+++ b/hw/i386/q35-acpi-dsdt.hex.generated
@@ -3,12 +3,12 @@ static unsigned char Q35AcpiDsdtAmlCode[] = {
0x53,
0x44,
0x54,
-0xe5,
-0x1c,
+0xf6,
+0x1f,
0x0,
0x0,
0x1,
-0xb7,
+0x91,
0x42,
0x58,
0x50,
@@ -31,9 +31,9 @@ static unsigned char Q35AcpiDsdtAmlCode[] = {
0x4e,
0x54,
0x4c,
-0x15,
-0x11,
-0x13,
+0x28,
+0x8,
+0x14,
0x20,
0x10,
0x49,
@@ -7234,6 +7234,791 @@ static unsigned char Q35AcpiDsdtAmlCode[] = {
0xa,
0xb,
0x10,
+0x40,
+0x31,
+0x2e,
+0x5f,
+0x53,
+0x42,
+0x5f,
+0x50,
+0x43,
+0x49,
+0x30,
+0x5b,
+0x82,
+0x43,
+0x30,
+0x4d,
+0x48,
+0x50,
+0x44,
+0x8,
+0x5f,
+0x48,
+0x49,
+0x44,
+0xd,
+0x50,
+0x4e,
+0x50,
+0x30,
+0x41,
+0x30,
+0x36,
+0x0,
+0x8,
+0x5f,
+0x55,
+0x49,
+0x44,
+0xd,
+0x4d,
+0x65,
+0x6d,
+0x6f,
+0x72,
+0x79,
+0x20,
+0x68,
+0x6f,
+0x74,
+0x70,
+0x6c,
+0x75,
+0x67,
+0x20,
+0x72,
+0x65,
+0x73,
+0x6f,
+0x75,
+0x72,
+0x63,
+0x65,
+0x73,
+0x0,
+0x5b,
+0x80,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x1,
+0xb,
+0x0,
+0xa,
+0xa,
+0x18,
+0x8,
+0x5f,
+0x43,
+0x52,
+0x53,
+0x11,
+0xd,
+0xa,
+0xa,
+0x47,
+0x1,
+0x0,
+0xa,
+0x0,
+0xa,
+0x0,
+0x18,
+0x79,
+0x0,
+0x14,
+0x13,
+0x5f,
+0x53,
+0x54,
+0x41,
+0x0,
+0xa0,
+0x9,
+0x93,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x0,
+0xa4,
+0x0,
+0xa4,
+0xa,
+0xb,
+0x5b,
+0x81,
+0x1f,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x3,
+0x4d,
+0x52,
+0x42,
+0x4c,
+0x20,
+0x4d,
+0x52,
+0x42,
+0x48,
+0x20,
+0x4d,
+0x52,
+0x4c,
+0x4c,
+0x20,
+0x4d,
+0x52,
+0x4c,
+0x48,
+0x20,
+0x4d,
+0x50,
+0x58,
+0x5f,
+0x20,
+0x5b,
+0x81,
+0x13,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x1,
+0x0,
+0x40,
+0xa,
+0x4d,
+0x45,
+0x53,
+0x5f,
+0x1,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x1,
+0x5b,
+0x1,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0x0,
+0x5b,
+0x81,
+0x15,
+0x48,
+0x50,
+0x4d,
+0x52,
+0x3,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x20,
+0x4d,
+0x4f,
+0x45,
+0x56,
+0x20,
+0x4d,
+0x4f,
+0x53,
+0x43,
+0x20,
+0x14,
+0x4a,
+0x4,
+0x4d,
+0x53,
+0x43,
+0x4e,
+0x0,
+0xa0,
+0x9,
+0x93,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x0,
+0xa4,
+0x0,
+0x70,
+0x0,
+0x60,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0xa2,
+0x25,
+0x95,
+0x60,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0x70,
+0x60,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0xa0,
+0x13,
+0x93,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x1,
+0x4d,
+0x54,
+0x46,
+0x59,
+0x60,
+0x1,
+0x70,
+0x1,
+0x4d,
+0x49,
+0x4e,
+0x53,
+0x72,
+0x60,
+0x1,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x1,
+0x14,
+0x2d,
+0x4d,
+0x52,
+0x53,
+0x54,
+0x1,
+0x70,
+0x0,
+0x60,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0xa0,
+0xb,
+0x93,
+0x4d,
+0x45,
+0x53,
+0x5f,
+0x1,
+0x70,
+0xa,
+0xf,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x60,
+0x14,
+0x41,
+0x18,
+0x4d,
+0x43,
+0x52,
+0x53,
+0x9,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x8,
+0x4d,
+0x52,
+0x36,
+0x34,
+0x11,
+0x33,
+0xa,
+0x30,
+0x8a,
+0x2b,
+0x0,
+0x0,
+0xc,
+0x3,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xfe,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0xff,
+0x79,
+0x0,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0xe,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x12,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x26,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x2a,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x16,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x8a,
+0x4d,
+0x52,
+0x36,
+0x34,
+0xa,
+0x1a,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x42,
+0x48,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x42,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x70,
+0x4d,
+0x52,
+0x4c,
+0x48,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x70,
+0x4d,
+0x52,
+0x4c,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x72,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x72,
+0x4d,
+0x49,
+0x4e,
+0x48,
+0x4c,
+0x45,
+0x4e,
+0x48,
+0x4d,
+0x41,
+0x58,
+0x48,
+0xa0,
+0x14,
+0x95,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x72,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x48,
+0xa0,
+0x11,
+0x95,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x1,
+0x74,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x74,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x1,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0xa0,
+0x44,
+0x7,
+0x93,
+0x4d,
+0x41,
+0x58,
+0x48,
+0x0,
+0x8,
+0x4d,
+0x52,
+0x33,
+0x32,
+0x11,
+0x1f,
+0xa,
+0x1c,
+0x87,
+0x17,
+0x0,
+0x0,
+0xc,
+0x3,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0x0,
+0xfe,
+0xff,
+0xff,
+0xff,
+0x0,
+0x0,
+0x0,
+0x0,
+0xff,
+0xff,
+0xff,
+0xff,
+0x79,
+0x0,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0xa,
+0x4d,
+0x49,
+0x4e,
+0x5f,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0xe,
+0x4d,
+0x41,
+0x58,
+0x5f,
+0x8a,
+0x4d,
+0x52,
+0x33,
+0x32,
+0xa,
+0x16,
+0x4c,
+0x45,
+0x4e,
+0x5f,
+0x70,
+0x4d,
+0x49,
+0x4e,
+0x4c,
+0x4d,
+0x49,
+0x4e,
+0x5f,
+0x70,
+0x4d,
+0x41,
+0x58,
+0x4c,
+0x4d,
+0x41,
+0x58,
+0x5f,
+0x70,
+0x4c,
+0x45,
+0x4e,
+0x4c,
+0x4c,
+0x45,
+0x4e,
+0x5f,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x4d,
+0x52,
+0x33,
+0x32,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x4d,
+0x52,
+0x36,
+0x34,
+0x14,
+0x24,
+0x4d,
+0x50,
+0x58,
+0x4d,
+0x1,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x70,
+0x4d,
+0x50,
+0x58,
+0x5f,
+0x60,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xa4,
+0x60,
+0x14,
+0x28,
+0x4d,
+0x4f,
+0x53,
+0x54,
+0x4,
+0x5b,
+0x23,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0xff,
+0xff,
+0x70,
+0x99,
+0x68,
+0x0,
+0x4d,
+0x53,
+0x45,
+0x4c,
+0x70,
+0x69,
+0x4d,
+0x4f,
+0x45,
+0x56,
+0x70,
+0x6a,
+0x4d,
+0x4f,
+0x53,
+0x43,
+0x5b,
+0x27,
+0x4d,
+0x4c,
+0x43,
+0x4b,
+0x10,
0x42,
0xa,
0x5f,
diff --git a/hw/i386/ssdt-mem.hex.generated b/hw/i386/ssdt-mem.hex.generated
index 00bd34d..b3bfbbd 100644
--- a/hw/i386/ssdt-mem.hex.generated
+++ b/hw/i386/ssdt-mem.hex.generated
@@ -11,7 +11,7 @@ static unsigned char ssdm_mem_aml[] = {
0x0,
0x0,
0x2,
-0x71,
+0x66,
0x42,
0x58,
0x50,
@@ -34,9 +34,9 @@ static unsigned char ssdm_mem_aml[] = {
0x4e,
0x54,
0x4c,
-0x15,
-0x11,
-0x13,
+0x28,
+0x8,
+0x14,
0x20,
0x10,
0x42,
diff --git a/hw/i386/ssdt-misc.dsl b/hw/i386/ssdt-misc.dsl
index 0fd4480..1e3baae 100644
--- a/hw/i386/ssdt-misc.dsl
+++ b/hw/i386/ssdt-misc.dsl
@@ -36,6 +36,8 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", "BXSSDTSUSP", 0x1)
Name(P1E, Buffer() { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
ACPI_EXTRACT_NAME_BUFFER8 acpi_pci64_length
Name(P1L, Buffer() { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
+ ACPI_EXTRACT_NAME_DWORD_CONST ssdt_mctrl_nr_slots
+ Name(MEMORY_SLOTS_NUMBER, 0x12345678)
}
@@ -117,167 +119,4 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", "BXSSDTSUSP", 0x1)
}
}
}
-
- External(MEMORY_SLOT_NOTIFY_METHOD, MethodObj)
- Scope(\_SB.PCI0) {
- Device(MEMORY_HOTPLUG_DEVICE) {
- Name(_HID, "PNP0A06")
- Name(_UID, "Memory hotplug resources")
-
- ACPI_EXTRACT_NAME_DWORD_CONST ssdt_mctrl_nr_slots
- Name(MEMORY_SLOTS_NUMBER, 0x12345678)
-
- /* Memory hotplug IO registers */
- OperationRegion(MEMORY_HOTPLUG_IO_REGION, SystemIO,
- ACPI_MEMORY_HOTPLUG_BASE,
- ACPI_MEMORY_HOTPLUG_IO_LEN)
-
- Name(_CRS, ResourceTemplate() {
- IO(Decode16, ACPI_MEMORY_HOTPLUG_BASE, ACPI_MEMORY_HOTPLUG_BASE,
- 0, ACPI_MEMORY_HOTPLUG_IO_LEN, IO)
- })
-
- Method(_STA, 0) {
- If (LEqual(MEMORY_SLOTS_NUMBER, Zero)) {
- Return(0x0)
- }
- /* present, functioning, decoding, not shown in UI */
- Return(0xB)
- }
-
- Field(MEMORY_HOTPLUG_IO_REGION, DWordAcc, NoLock, Preserve) {
- MEMORY_SLOT_ADDR_LOW, 32, // read only
- MEMORY_SLOT_ADDR_HIGH, 32, // read only
- MEMORY_SLOT_SIZE_LOW, 32, // read only
- MEMORY_SLOT_SIZE_HIGH, 32, // read only
- MEMORY_SLOT_PROXIMITY, 32, // read only
- }
- Field(MEMORY_HOTPLUG_IO_REGION, ByteAcc, NoLock, Preserve) {
- Offset(20),
- MEMORY_SLOT_ENABLED, 1, // 1 if enabled, read only
- MEMORY_SLOT_INSERT_EVENT, 1, // (read) 1 if has a insert event. (write) 1 to clear event
- }
-
- Mutex (MEMORY_SLOT_LOCK, 0)
- Field (MEMORY_HOTPLUG_IO_REGION, DWordAcc, NoLock, Preserve) {
- MEMORY_SLOT_SLECTOR, 32, // DIMM selector, write only
- MEMORY_SLOT_OST_EVENT, 32, // _OST event code, write only
- MEMORY_SLOT_OST_STATUS, 32, // _OST status code, write only
- }
-
- Method(MEMORY_SLOT_SCAN_METHOD, 0) {
- If (LEqual(MEMORY_SLOTS_NUMBER, Zero)) {
- Return(Zero)
- }
-
- Store(Zero, Local0) // Mem devs iterrator
- Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
- while (LLess(Local0, MEMORY_SLOTS_NUMBER)) {
- Store(Local0, MEMORY_SLOT_SLECTOR) // select Local0 DIMM
- If (LEqual(MEMORY_SLOT_INSERT_EVENT, One)) { // Memory device needs check
- MEMORY_SLOT_NOTIFY_METHOD(Local0, 1)
- Store(1, MEMORY_SLOT_INSERT_EVENT)
- }
- // TODO: handle memory eject request
- Add(Local0, One, Local0) // goto next DIMM
- }
- Release(MEMORY_SLOT_LOCK)
- Return(One)
- }
-
- Method(MEMORY_SLOT_STATUS_METHOD, 1) {
- Store(Zero, Local0)
-
- Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
- Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
-
- If (LEqual(MEMORY_SLOT_ENABLED, One)) {
- Store(0xF, Local0)
- }
-
- Release(MEMORY_SLOT_LOCK)
- Return(Local0)
- }
-
- Method(MEMORY_SLOT_CRS_METHOD, 1, Serialized) {
- Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
- Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
-
- Name(MR64, ResourceTemplate() {
- QWordMemory(ResourceProducer, PosDecode, MinFixed, MaxFixed,
- Cacheable, ReadWrite,
- 0x0000000000000000, // Address Space Granularity
- 0x0000000000000000, // Address Range Minimum
- 0xFFFFFFFFFFFFFFFE, // Address Range Maximum
- 0x0000000000000000, // Address Translation Offset
- 0xFFFFFFFFFFFFFFFF, // Address Length
- ,, MW64, AddressRangeMemory, TypeStatic)
- })
-
- CreateDWordField(MR64, 14, MINL)
- CreateDWordField(MR64, 18, MINH)
- CreateDWordField(MR64, 38, LENL)
- CreateDWordField(MR64, 42, LENH)
- CreateDWordField(MR64, 22, MAXL)
- CreateDWordField(MR64, 26, MAXH)
-
- Store(MEMORY_SLOT_ADDR_HIGH, MINH)
- Store(MEMORY_SLOT_ADDR_LOW, MINL)
- Store(MEMORY_SLOT_SIZE_HIGH, LENH)
- Store(MEMORY_SLOT_SIZE_LOW, LENL)
-
- // 64-bit math: MAX = MIN + LEN - 1
- Add(MINL, LENL, MAXL)
- Add(MINH, LENH, MAXH)
- If (LLess(MAXL, MINL)) {
- Add(MAXH, One, MAXH)
- }
- If (LLess(MAXL, One)) {
- Subtract(MAXH, One, MAXH)
- }
- Subtract(MAXL, One, MAXL)
-
- If (LEqual(MAXH, Zero)){
- Name(MR32, ResourceTemplate() {
- DWordMemory(ResourceProducer, PosDecode, MinFixed, MaxFixed,
- Cacheable, ReadWrite,
- 0x00000000, // Address Space Granularity
- 0x00000000, // Address Range Minimum
- 0xFFFFFFFE, // Address Range Maximum
- 0x00000000, // Address Translation Offset
- 0xFFFFFFFF, // Address Length
- ,, MW32, AddressRangeMemory, TypeStatic)
- })
- CreateDWordField(MR32, MW32._MIN, MIN)
- CreateDWordField(MR32, MW32._MAX, MAX)
- CreateDWordField(MR32, MW32._LEN, LEN)
- Store(MINL, MIN)
- Store(MAXL, MAX)
- Store(LENL, LEN)
-
- Release(MEMORY_SLOT_LOCK)
- Return(MR32)
- }
-
- Release(MEMORY_SLOT_LOCK)
- Return(MR64)
- }
-
- Method(MEMORY_SLOT_PROXIMITY_METHOD, 1) {
- Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
- Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
- Store(MEMORY_SLOT_PROXIMITY, Local0)
- Release(MEMORY_SLOT_LOCK)
- Return(Local0)
- }
-
- Method(MEMORY_SLOT_OST_METHOD, 4) {
- Acquire(MEMORY_SLOT_LOCK, 0xFFFF)
- Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
- Store(Arg1, MEMORY_SLOT_OST_EVENT)
- Store(Arg2, MEMORY_SLOT_OST_STATUS)
- Release(MEMORY_SLOT_LOCK)
- }
- } // Device()
- } // Scope()
}
diff --git a/hw/i386/ssdt-misc.hex.generated b/hw/i386/ssdt-misc.hex.generated
index ba4268a..cbcf61d 100644
--- a/hw/i386/ssdt-misc.hex.generated
+++ b/hw/i386/ssdt-misc.hex.generated
@@ -2,13 +2,13 @@ static unsigned char acpi_pci64_length[] = {
0x6f
};
static unsigned char acpi_s4_pkg[] = {
-0x8f
+0x99
};
-static unsigned short ssdt_mctrl_nr_slots[] = {
-0x1aa
+static unsigned char ssdt_mctrl_nr_slots[] = {
+0x7d
};
static unsigned char acpi_s3_name[] = {
-0x7c
+0x86
};
static unsigned char acpi_pci32_start[] = {
0x2f
@@ -21,12 +21,12 @@ static unsigned char ssdp_misc_aml[] = {
0x53,
0x44,
0x54,
-0x7e,
-0x4,
+0x6c,
+0x1,
0x0,
0x0,
0x1,
-0x8b,
+0x3,
0x42,
0x58,
0x50,
@@ -49,12 +49,12 @@ static unsigned char ssdp_misc_aml[] = {
0x4e,
0x54,
0x4c,
-0x15,
-0x11,
-0x13,
+0x28,
+0x8,
+0x14,
0x20,
0x10,
-0x42,
+0x4c,
0x5,
0x5c,
0x0,
@@ -136,6 +136,16 @@ static unsigned char ssdp_misc_aml[] = {
0x0,
0x0,
0x0,
+0x8,
+0x4d,
+0x44,
+0x4e,
+0x52,
+0xc,
+0x78,
+0x56,
+0x34,
+0x12,
0x10,
0x29,
0x5c,
@@ -370,809 +380,13 @@ static unsigned char ssdp_misc_aml[] = {
0x49,
0x4f,
0x4d,
-0x58,
-0x10,
-0x4b,
-0x31,
-0x5c,
-0x2e,
-0x5f,
-0x53,
-0x42,
-0x5f,
-0x50,
-0x43,
-0x49,
-0x30,
-0x5b,
-0x82,
-0x4d,
-0x30,
-0x4d,
-0x48,
-0x50,
-0x44,
-0x8,
-0x5f,
-0x48,
-0x49,
-0x44,
-0xd,
-0x50,
-0x4e,
-0x50,
-0x30,
-0x41,
-0x30,
-0x36,
-0x0,
-0x8,
-0x5f,
-0x55,
-0x49,
-0x44,
-0xd,
-0x4d,
-0x65,
-0x6d,
-0x6f,
-0x72,
-0x79,
-0x20,
-0x68,
-0x6f,
-0x74,
-0x70,
-0x6c,
-0x75,
-0x67,
-0x20,
-0x72,
-0x65,
-0x73,
-0x6f,
-0x75,
-0x72,
-0x63,
-0x65,
-0x73,
-0x0,
-0x8,
-0x4d,
-0x44,
-0x4e,
-0x52,
-0xc,
-0x78,
-0x56,
-0x34,
-0x12,
-0x5b,
-0x80,
-0x48,
-0x50,
-0x4d,
-0x52,
-0x1,
-0xb,
-0x0,
-0xa,
-0xa,
-0x18,
-0x8,
-0x5f,
-0x43,
-0x52,
-0x53,
-0x11,
-0xd,
-0xa,
-0xa,
-0x47,
-0x1,
-0x0,
-0xa,
-0x0,
-0xa,
-0x0,
-0x18,
-0x79,
-0x0,
-0x14,
-0x13,
-0x5f,
-0x53,
-0x54,
-0x41,
-0x0,
-0xa0,
-0x9,
-0x93,
-0x4d,
-0x44,
-0x4e,
-0x52,
-0x0,
-0xa4,
-0x0,
-0xa4,
-0xa,
-0xb,
-0x5b,
-0x81,
-0x1f,
-0x48,
-0x50,
-0x4d,
-0x52,
-0x3,
-0x4d,
-0x52,
-0x42,
-0x4c,
-0x20,
-0x4d,
-0x52,
-0x42,
-0x48,
-0x20,
-0x4d,
-0x52,
-0x4c,
-0x4c,
-0x20,
-0x4d,
-0x52,
-0x4c,
-0x48,
-0x20,
-0x4d,
-0x50,
-0x58,
-0x5f,
-0x20,
-0x5b,
-0x81,
-0x13,
-0x48,
-0x50,
-0x4d,
-0x52,
-0x1,
-0x0,
-0x40,
-0xa,
-0x4d,
-0x45,
-0x53,
-0x5f,
-0x1,
-0x4d,
-0x49,
-0x4e,
-0x53,
-0x1,
-0x5b,
-0x1,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0x0,
-0x5b,
-0x81,
-0x15,
-0x48,
-0x50,
-0x4d,
-0x52,
-0x3,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0x20,
-0x4d,
-0x4f,
-0x45,
-0x56,
-0x20,
-0x4d,
-0x4f,
-0x53,
-0x43,
-0x20,
-0x14,
-0x4a,
-0x4,
-0x4d,
-0x53,
-0x43,
-0x4e,
-0x0,
-0xa0,
-0x9,
-0x93,
-0x4d,
-0x44,
-0x4e,
-0x52,
-0x0,
-0xa4,
-0x0,
-0x70,
-0x0,
-0x60,
-0x5b,
-0x23,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xff,
-0xff,
-0xa2,
-0x25,
-0x95,
-0x60,
-0x4d,
-0x44,
-0x4e,
-0x52,
-0x70,
-0x60,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0xa0,
-0x13,
-0x93,
-0x4d,
-0x49,
-0x4e,
-0x53,
-0x1,
-0x4d,
-0x54,
-0x46,
-0x59,
-0x60,
-0x1,
-0x70,
-0x1,
-0x4d,
-0x49,
-0x4e,
-0x53,
-0x72,
-0x60,
-0x1,
-0x60,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xa4,
-0x1,
-0x14,
-0x2d,
-0x4d,
-0x52,
-0x53,
-0x54,
-0x1,
-0x70,
-0x0,
-0x60,
-0x5b,
-0x23,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xff,
-0xff,
-0x70,
-0x99,
-0x68,
-0x0,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0xa0,
-0xb,
-0x93,
-0x4d,
-0x45,
-0x53,
-0x5f,
-0x1,
-0x70,
-0xa,
-0xf,
-0x60,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xa4,
-0x60,
-0x14,
-0x41,
-0x18,
-0x4d,
-0x43,
-0x52,
-0x53,
-0x9,
-0x5b,
-0x23,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xff,
-0xff,
-0x70,
-0x99,
-0x68,
-0x0,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0x8,
-0x4d,
-0x52,
-0x36,
-0x34,
-0x11,
-0x33,
-0xa,
-0x30,
-0x8a,
-0x2b,
-0x0,
-0x0,
-0xc,
-0x3,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0xfe,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0xff,
-0x79,
-0x0,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0xe,
-0x4d,
-0x49,
-0x4e,
-0x4c,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0x12,
-0x4d,
-0x49,
-0x4e,
-0x48,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0x26,
-0x4c,
-0x45,
-0x4e,
-0x4c,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0x2a,
-0x4c,
-0x45,
-0x4e,
-0x48,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0x16,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x8a,
-0x4d,
-0x52,
-0x36,
-0x34,
-0xa,
-0x1a,
-0x4d,
-0x41,
-0x58,
-0x48,
-0x70,
-0x4d,
-0x52,
-0x42,
-0x48,
-0x4d,
-0x49,
-0x4e,
-0x48,
-0x70,
-0x4d,
-0x52,
-0x42,
-0x4c,
-0x4d,
-0x49,
-0x4e,
-0x4c,
-0x70,
-0x4d,
-0x52,
-0x4c,
-0x48,
-0x4c,
-0x45,
-0x4e,
-0x48,
-0x70,
-0x4d,
-0x52,
-0x4c,
-0x4c,
-0x4c,
-0x45,
-0x4e,
-0x4c,
-0x72,
-0x4d,
-0x49,
-0x4e,
-0x4c,
-0x4c,
-0x45,
-0x4e,
-0x4c,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x72,
-0x4d,
-0x49,
-0x4e,
-0x48,
-0x4c,
-0x45,
-0x4e,
-0x48,
-0x4d,
-0x41,
-0x58,
-0x48,
-0xa0,
-0x14,
-0x95,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x4d,
-0x49,
-0x4e,
-0x4c,
-0x72,
-0x4d,
-0x41,
-0x58,
-0x48,
-0x1,
-0x4d,
-0x41,
-0x58,
-0x48,
-0xa0,
-0x11,
-0x95,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x1,
-0x74,
-0x4d,
-0x41,
-0x58,
-0x48,
-0x1,
-0x4d,
-0x41,
-0x58,
-0x48,
-0x74,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x1,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0xa0,
-0x44,
-0x7,
-0x93,
-0x4d,
-0x41,
-0x58,
-0x48,
-0x0,
-0x8,
-0x4d,
-0x52,
-0x33,
-0x32,
-0x11,
-0x1f,
-0xa,
-0x1c,
-0x87,
-0x17,
-0x0,
-0x0,
-0xc,
-0x3,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0x0,
-0xfe,
-0xff,
-0xff,
-0xff,
-0x0,
-0x0,
-0x0,
-0x0,
-0xff,
-0xff,
-0xff,
-0xff,
-0x79,
-0x0,
-0x8a,
-0x4d,
-0x52,
-0x33,
-0x32,
-0xa,
-0xa,
-0x4d,
-0x49,
-0x4e,
-0x5f,
-0x8a,
-0x4d,
-0x52,
-0x33,
-0x32,
-0xa,
-0xe,
-0x4d,
-0x41,
-0x58,
-0x5f,
-0x8a,
-0x4d,
-0x52,
-0x33,
-0x32,
-0xa,
-0x16,
-0x4c,
-0x45,
-0x4e,
-0x5f,
-0x70,
-0x4d,
-0x49,
-0x4e,
-0x4c,
-0x4d,
-0x49,
-0x4e,
-0x5f,
-0x70,
-0x4d,
-0x41,
-0x58,
-0x4c,
-0x4d,
-0x41,
-0x58,
-0x5f,
-0x70,
-0x4c,
-0x45,
-0x4e,
-0x4c,
-0x4c,
-0x45,
-0x4e,
-0x5f,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xa4,
-0x4d,
-0x52,
-0x33,
-0x32,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xa4,
-0x4d,
-0x52,
-0x36,
-0x34,
-0x14,
-0x24,
-0x4d,
-0x50,
-0x58,
-0x4d,
-0x1,
-0x5b,
-0x23,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xff,
-0xff,
-0x70,
-0x99,
-0x68,
-0x0,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0x70,
-0x4d,
-0x50,
-0x58,
-0x5f,
-0x60,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xa4,
-0x60,
-0x14,
-0x28,
-0x4d,
-0x4f,
-0x53,
-0x54,
-0x4,
-0x5b,
-0x23,
-0x4d,
-0x4c,
-0x43,
-0x4b,
-0xff,
-0xff,
-0x70,
-0x99,
-0x68,
-0x0,
-0x4d,
-0x53,
-0x45,
-0x4c,
-0x70,
-0x69,
-0x4d,
-0x4f,
-0x45,
-0x56,
-0x70,
-0x6a,
-0x4d,
-0x4f,
-0x53,
-0x43,
-0x5b,
-0x27,
-0x4d,
-0x4c,
-0x43,
-0x4b
+0x58
};
static unsigned char ssdt_isa_pest[] = {
-0xd0
+0xda
};
static unsigned char acpi_s4_name[] = {
-0x88
+0x92
};
static unsigned char acpi_pci64_start[] = {
0x4d
diff --git a/tests/acpi-test-data/pc/DSDT b/tests/acpi-test-data/pc/DSDT
index d37ec34..ee9cc67 100644
Binary files a/tests/acpi-test-data/pc/DSDT and b/tests/acpi-test-data/pc/DSDT differ
diff --git a/tests/acpi-test-data/pc/SSDT b/tests/acpi-test-data/pc/SSDT
index eb2d8b6..558e4c8 100644
Binary files a/tests/acpi-test-data/pc/SSDT and b/tests/acpi-test-data/pc/SSDT differ
diff --git a/tests/acpi-test-data/q35/DSDT b/tests/acpi-test-data/q35/DSDT
index 2d2bc4a..ef0c75f 100644
Binary files a/tests/acpi-test-data/q35/DSDT and b/tests/acpi-test-data/q35/DSDT differ
diff --git a/tests/acpi-test-data/q35/SSDT b/tests/acpi-test-data/q35/SSDT
index 778b79b..4e45510 100644
Binary files a/tests/acpi-test-data/q35/SSDT and b/tests/acpi-test-data/q35/SSDT differ
commit ad5b88b1f198182642b6cbf3dacb4cade0c80fb9
Author: Michael S. Tsirkin <mst at redhat.com>
Date: Mon Nov 17 07:49:21 2014 +0200
acpi-build: mark RAM dirty on table update
acpi build modifies internal FW CFG RAM on first access
but we forgot to mark it dirty.
If this RAM has been migrated already, it won't be
migrated again, returning corrupted tables to guest.
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/core/loader.c b/hw/core/loader.c
index fc15535..7527fd3 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -811,12 +811,12 @@ err:
return -1;
}
-void *rom_add_blob(const char *name, const void *blob, size_t len,
+ram_addr_t rom_add_blob(const char *name, const void *blob, size_t len,
hwaddr addr, const char *fw_file_name,
FWCfgReadCallback fw_callback, void *callback_opaque)
{
Rom *rom;
- void *data = NULL;
+ ram_addr_t ret = RAM_ADDR_MAX;
rom = g_malloc0(sizeof(*rom));
rom->name = g_strdup(name);
@@ -828,11 +828,13 @@ void *rom_add_blob(const char *name, const void *blob, size_t len,
rom_insert(rom);
if (fw_file_name && fw_cfg) {
char devpath[100];
+ void *data;
snprintf(devpath, sizeof(devpath), "/rom@%s", fw_file_name);
if (rom_file_has_mr) {
data = rom_set_mr(rom, OBJECT(fw_cfg), devpath);
+ ret = memory_region_get_ram_addr(rom->mr);
} else {
data = rom->data;
}
@@ -841,7 +843,7 @@ void *rom_add_blob(const char *name, const void *blob, size_t len,
fw_callback, callback_opaque,
data, rom->romsize);
}
- return data;
+ return ret;
}
/* This function is specific for elf program because we don't need to allocate
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 4003b6b..92a36e3 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -56,6 +56,7 @@
#include "qapi/qmp/qint.h"
#include "qom/qom-qobject.h"
+#include "exec/ram_addr.h"
/* These are used to size the ACPI tables for -M pc-i440fx-1.7 and
* -M pc-i440fx-2.0. Even if the actual amount of AML generated grows
@@ -1511,7 +1512,7 @@ static inline void acpi_build_tables_cleanup(AcpiBuildTables *tables, bool mfre)
typedef
struct AcpiBuildState {
/* Copy of table in RAM (for patching). */
- uint8_t *table_ram;
+ ram_addr_t table_ram;
uint32_t table_size;
/* Is table patched? */
uint8_t patched;
@@ -1716,9 +1717,12 @@ static void acpi_build_update(void *build_opaque, uint32_t offset)
acpi_build(build_state->guest_info, &tables);
assert(acpi_data_len(tables.table_data) == build_state->table_size);
- memcpy(build_state->table_ram, tables.table_data->data,
+ memcpy(qemu_get_ram_ptr(build_state->table_ram), tables.table_data->data,
build_state->table_size);
+ cpu_physical_memory_set_dirty_range_nocode(build_state->table_ram,
+ build_state->table_size);
+
acpi_build_tables_cleanup(&tables, true);
}
@@ -1728,7 +1732,7 @@ static void acpi_build_reset(void *build_opaque)
build_state->patched = 0;
}
-static void *acpi_add_rom_blob(AcpiBuildState *build_state, GArray *blob,
+static ram_addr_t acpi_add_rom_blob(AcpiBuildState *build_state, GArray *blob,
const char *name)
{
return rom_add_blob(name, blob->data, acpi_data_len(blob), -1, name,
@@ -1777,6 +1781,7 @@ void acpi_setup(PcGuestInfo *guest_info)
/* Now expose it all to Guest */
build_state->table_ram = acpi_add_rom_blob(build_state, tables.table_data,
ACPI_BUILD_TABLE_FILE);
+ assert(build_state->table_ram != RAM_ADDR_MAX);
build_state->table_size = acpi_data_len(tables.table_data);
acpi_add_rom_blob(NULL, tables.linker, "etc/table-loader");
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 054c6a2..6481639 100644
--- a/include/hw/loader.h
+++ b/include/hw/loader.h
@@ -59,7 +59,7 @@ extern bool rom_file_has_mr;
int rom_add_file(const char *file, const char *fw_dir,
hwaddr addr, int32_t bootindex,
bool option_rom);
-void *rom_add_blob(const char *name, const void *blob, size_t len,
+ram_addr_t rom_add_blob(const char *name, const void *blob, size_t len,
hwaddr addr, const char *fw_file_name,
FWCfgReadCallback fw_callback, void *callback_opaque);
int rom_add_elf_program(const char *name, void *data, size_t datasize,
commit 109e90e47029f415783cd6e9a0eb9d0f10954c18
Author: Marcel Apfelbaum <marcel.a at redhat.com>
Date: Wed Nov 5 16:29:35 2014 +0200
hw/pci: fix crash on shpc error flow
If the pci bridge enters in error flow as part
of init process it will only delete the shpc mmio
subregion but not remove it from the properties list,
resulting in segmentation fault when the bridge runs
the exit function.
Example: add a pci bridge without specifing the chassis number:
<qemu-bin> ... -device pci-bridge,id=p1
Result:
(qemu) qemu-system-x86_64: -device pci-bridge,id=p1: Bridge chassis not specified. Each bridge is required to be assigned a unique chassis id > 0.
qemu-system-x86_64: -device pci-bridge,id=p1: Device
initialization failed.
Segmentation fault (core dumped)
if (child->class->unparent) {
#0 0x00005555558d629b in object_finalize_child_property (obj=0x555556d2e830, name=0x555556d30630 "shpc-mmio[0]", opaque=0x555556a42fc8) at qom/object.c:1078
#1 0x00005555558d4b1f in object_property_del_all (obj=0x555556d2e830) at qom/object.c:367
#2 0x00005555558d4ca1 in object_finalize (data=0x555556d2e830) at qom/object.c:412
#3 0x00005555558d55a1 in object_unref (obj=0x555556d2e830) at qom/object.c:720
#4 0x000055555572c907 in qdev_device_add (opts=0x5555563544f0) at qdev-monitor.c:566
#5 0x0000555555744f16 in device_init_func (opts=0x5555563544f0, opaque=0x0) at vl.c:2213
#6 0x00005555559cf5f0 in qemu_opts_foreach (list=0x555555e0f8e0 <qemu_device_opts>, func=0x555555744efa <device_init_func>, opaque=0x0, abort_on_failure=1) at util/qemu-option.c:1057
#7 0x000055555574a11b in main (argc=16, argv=0x7fffffffdde8, envp=0x7fffffffde70) at vl.c:423
Unparent the shpc mmio region as part of shpc cleanup.
Signed-off-by: Marcel Apfelbaum <marcel.a at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Reviewed-by: Amos Kong <akong at redhat.com>
diff --git a/hw/pci/shpc.c b/hw/pci/shpc.c
index 9a39060..27c496e 100644
--- a/hw/pci/shpc.c
+++ b/hw/pci/shpc.c
@@ -663,6 +663,7 @@ void shpc_cleanup(PCIDevice *d, MemoryRegion *bar)
SHPCDevice *shpc = d->shpc;
d->cap_present &= ~QEMU_PCI_CAP_SHPC;
memory_region_del_subregion(bar, &shpc->mmio);
+ object_unparent(OBJECT(&shpc->mmio));
/* TODO: cleanup config space changes? */
g_free(shpc->config);
g_free(shpc->cmask);
commit 085f8e88ba73b7ff80298b0085f6e615d3b5c45f
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:42 2014 +0000
pc: count in 1Gb hugepage alignment when sizing hotplug-memory container
if DIMMs with different size/alignment are interleaved
in creation order, it could lead to hotplug-memory
container fragmentation and following inability to use
all RAM upto maxmem.
For example:
-m 4G,slots=3,maxmem=7G
-object memory-backend-file,id=mem-1,size=256M,mem-path=/pagesize-2MB
-device pc-dimm,id=mem1,memdev=mem-1
-object memory-backend-file,id=mem-2,size=1G,mem-path=/pagesize-1GB
-device pc-dimm,id=mem2,memdev=mem-2
-object memory-backend-file,id=mem-3,size=256M,mem-path=/pagesize-2MB
-device pc-dimm,id=mem3,memdev=mem-3
fragments hotplug-memory container and doesn't allow
to use 1GB hugepage backend to consume remainig 1Gb.
To ease managment factor count in max 1Gb alignment for
each memory slot when sizing hotplug-memory region so
that regadless of fragmentaion it would be possible to
add max aligned DIMM.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 3d732cf..8be50a4 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1247,6 +1247,11 @@ FWCfgState *pc_memory_init(MachineState *machine,
pcms->hotplug_memory_base =
ROUND_UP(0x100000000ULL + above_4g_mem_size, 1ULL << 30);
+ if (pcms->enforce_aligned_dimm) {
+ /* size hotplug region assuming 1G page max alignment per slot */
+ hotplug_mem_size += (1ULL << 30) * machine->ram_slots;
+ }
+
if ((pcms->hotplug_memory_base + hotplug_mem_size) <
hotplug_mem_size) {
error_report("unsupported amount of maximum memory: " RAM_ADDR_FMT,
commit b03541fa7722d64a1c961a8467d778d7e086a933
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:41 2014 +0000
pc: explicitly check maxmem limit when adding DIMM
Currently maxmem limit is not checked and depends on
hotplug region container not being able to fit more RAM
than maxmem. Do check explicitly so that it would
be possible to change hotplug container size later
to deal with fragmentation.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 021ec44..3d732cf 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1545,6 +1545,37 @@ void qemu_register_pc_machine(QEMUMachine *m)
g_free(name);
}
+static int pc_dimm_count(Object *obj, void *opaque)
+{
+ int *count = opaque;
+
+ if (object_dynamic_cast(obj, TYPE_PC_DIMM)) {
+ (*count)++;
+ }
+
+ object_child_foreach(obj, pc_dimm_count, opaque);
+ return 0;
+}
+
+static int pc_existing_dimms_capacity(Object *obj, void *opaque)
+{
+ Error *local_err = NULL;
+ uint64_t *size = opaque;
+
+ if (object_dynamic_cast(obj, TYPE_PC_DIMM)) {
+ (*size) += object_property_get_int(obj, PC_DIMM_SIZE_PROP, &local_err);
+
+ if (local_err) {
+ qerror_report_err(local_err);
+ error_free(local_err);
+ return 1;
+ }
+ }
+
+ object_child_foreach(obj, pc_dimm_count, opaque);
+ return 0;
+}
+
static void pc_dimm_plug(HotplugHandler *hotplug_dev,
DeviceState *dev, Error **errp)
{
@@ -1556,6 +1587,7 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
PCDIMMDevice *dimm = PC_DIMM(dev);
PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
MemoryRegion *mr = ddc->get_memory_region(dimm);
+ uint64_t existing_dimms_capacity = 0;
uint64_t align = TARGET_PAGE_SIZE;
uint64_t addr;
@@ -1576,6 +1608,19 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
goto out;
}
+ if (pc_existing_dimms_capacity(OBJECT(machine), &existing_dimms_capacity)) {
+ error_setg(&local_err, "failed to get total size of existing DIMMs");
+ goto out;
+ }
+
+ if (existing_dimms_capacity + memory_region_size(mr) >
+ machine->maxram_size - machine->ram_size) {
+ error_setg(&local_err, "not enough space, currently 0x%" PRIx64
+ " in use of total 0x" RAM_ADDR_FMT,
+ existing_dimms_capacity, machine->maxram_size);
+ goto out;
+ }
+
object_property_set_int(OBJECT(dev), addr, PC_DIMM_ADDR_PROP, &local_err);
if (local_err) {
goto out;
commit 3d4a70f80fead02a3b3872790b4c8f07ee804494
Merge: a31a747 24bf10d
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Nov 24 15:01:54 2014 +0000
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block patches for 2.2.0-rc3
# gpg: Signature made Mon 24 Nov 2014 12:52:23 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf at redhat.com>"
* remotes/kevin/tags/for-upstream:
Revert "qemu-img info: show nocow info"
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit a31a7475e930dc0b8f27fb71f01ff4f0db92d1f4
Merge: 0e88f47 5224c88
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Nov 24 13:50:22 2014 +0000
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Three patches to fix ExtINT for the QEMU implementation of the local APIC.
# gpg: Signature made Mon 24 Nov 2014 13:38:36 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini at gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini at redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream:
apic: fix incorrect handling of ExtINT interrupts wrt processor priority
apic: fix loss of IPI due to masked ExtINT
apic: avoid getting out of halted state on masked PIC interrupts
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 5224c88dd3f771702d450780a25f155e0fc8bb2b
Author: Paolo Bonzini <pbonzini at redhat.com>
Date: Tue Nov 11 13:14:18 2014 +0100
apic: fix incorrect handling of ExtINT interrupts wrt processor priority
This fixes another failure with ExtINT, demonstrated by QNX. The failure
mode is as follows:
- IPI sent to cpu 0 (bit set in APIC irr)
- IPI accepted by cpu 0 (bit cleared in irr, set in isr)
- IPI sent to cpu 0 (bit set in both irr and isr)
- PIC interrupt sent to cpu 0
The PIC interrupt causes CPU_INTERRUPT_HARD to be set, but
apic_irq_pending observes that the highest pending APIC interrupt priority
(the IPI) is the same as the processor priority (since the IPI is still
being handled), so apic_get_interrupt returns a spurious interrupt rather
than the pending PIC interrupt. The result is an endless sequence of
spurious interrupts, since nothing will clear CPU_INTERRUPT_HARD.
Instead, ExtINT interrupts should have ignored the processor priority.
Calling apic_check_pic early in apic_get_interrupt ensures that
apic_deliver_pic_intr is called instead of delivering the spurious
interrupt. apic_deliver_pic_intr then clears CPU_INTERRUPT_HARD if needed.
Reported-by: Richard Bilson <rbilson at qnx.com>
Tested-by: Richard Bilson <rbilson at qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 6ec5861..0f97b47 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -571,7 +571,10 @@ int apic_get_interrupt(DeviceState *dev)
apic_sync_vapic(s, SYNC_FROM_VAPIC);
intno = apic_irq_pending(s);
- if (intno == 0) {
+ /* if there is an interrupt from the 8259, let the caller handle
+ * that first since ExtINT interrupts ignore the priority.
+ */
+ if (intno == 0 || apic_check_pic(s)) {
apic_sync_vapic(s, SYNC_TO_VAPIC);
return -1;
} else if (intno < 0) {
@@ -582,9 +585,6 @@ int apic_get_interrupt(DeviceState *dev)
apic_set_bit(s->isr, intno);
apic_sync_vapic(s, SYNC_TO_VAPIC);
- /* re-inject if there is still a pending PIC interrupt */
- apic_check_pic(s);
-
apic_update_irq(s);
return intno;
commit 8092cb71322ca488deeb7c750ff8022ffcc2f9a6
Author: Paolo Bonzini <pbonzini at redhat.com>
Date: Tue Nov 11 13:14:14 2014 +0100
apic: fix loss of IPI due to masked ExtINT
This patch fixes an obscure failure of the QNX kernel on QEMU x86 SMP.
In QNX, all hardware interrupts come via the PIC, and are delivered by
the cpu 0 LAPIC in ExtINT mode, while IPIs are delivered by the LAPIC
in fixed mode.
This bug happens as follows:
- cpu 0 masks a particular PIC interrupt
- IPI sent to cpu 0 (CPU_INTERRUPT_HARD is set)
- before the IPI is accepted, the masked interrupt line is asserted by the
device
Since the interrupt is masked, apic_deliver_pic_intr will clear
CPU_INTERRUPT_HARD. The IPI will still be set in the APIC irr, but since
CPU_INTERRUPT_HARD is not set the cpu will not notice. Depending on the
scenario this can cause a system hang, i.e. if cpu 0 is expected to unmask
the interrupt.
In order to fix this, do a full check of the APIC before an EXTINT
is acknowledged. This can result in clearing CPU_INTERRUPT_HARD, but
can also result in delivering the lost IPI.
Reported-by: Richard Bilson <rbilson at qnx.com>
Tested-by: Richard Bilson <rbilson at qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 0653409..6ec5861 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -188,7 +188,7 @@ void apic_deliver_pic_intr(DeviceState *dev, int level)
apic_reset_bit(s->irr, lvt & 0xff);
/* fall through */
case APIC_DM_EXTINT:
- cpu_reset_interrupt(CPU(s->cpu), CPU_INTERRUPT_HARD);
+ apic_update_irq(s);
break;
}
}
@@ -376,6 +376,8 @@ static void apic_update_irq(APICCommonState *s)
cpu_interrupt(cpu, CPU_INTERRUPT_POLL);
} else if (apic_irq_pending(s) > 0) {
cpu_interrupt(cpu, CPU_INTERRUPT_HARD);
+ } else if (!apic_accept_pic_intr(&s->busdev.qdev) || !pic_get_output(isa_pic)) {
+ cpu_reset_interrupt(cpu, CPU_INTERRUPT_HARD);
}
}
commit 60e68042cf70f271308dc6b4b22b609d054af929
Author: Paolo Bonzini <pbonzini at redhat.com>
Date: Tue Nov 11 13:14:05 2014 +0100
apic: avoid getting out of halted state on masked PIC interrupts
After the next patch, if a masked PIC interrupts causes CPU_INTERRUPT_POLL
to be set, the CPU will spuriously get out of halted state. While this
is technically valid, we should avoid that.
Make CPU_INTERRUPT_POLL run apic_update_irq in the right thread and then
look at CPU_INTERRUPT_HARD. If CPU_INTERRUPT_HARD does not get set,
do not report the CPU as having work.
Also move the handling of software-disabled APIC from apic_update_irq
to apic_irq_pending, and always trigger CPU_INTERRUPT_POLL. This will
be important once we will add a case that resets CPU_INTERRUPT_HARD
from apic_update_irq. We want to run it even if we go through
CPU_INTERRUPT_POLL, and even if the local APIC is software disabled.
Reported-by: Richard Bilson <rbilson at qnx.com>
Tested-by: Richard Bilson <rbilson at qnx.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 03ff9e9..0653409 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -349,6 +349,11 @@ static int apic_get_arb_pri(APICCommonState *s)
static int apic_irq_pending(APICCommonState *s)
{
int irrv, ppr;
+
+ if (!(s->spurious_vec & APIC_SV_ENABLE)) {
+ return 0;
+ }
+
irrv = get_highest_priority_int(s->irr);
if (irrv < 0) {
return 0;
@@ -366,9 +371,6 @@ static void apic_update_irq(APICCommonState *s)
{
CPUState *cpu;
- if (!(s->spurious_vec & APIC_SV_ENABLE)) {
- return;
- }
cpu = CPU(s->cpu);
if (!qemu_cpu_is_self(cpu)) {
cpu_interrupt(cpu, CPU_INTERRUPT_POLL);
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 3f13dfe..e9df33e 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -2912,8 +2912,14 @@ static bool x86_cpu_has_work(CPUState *cs)
X86CPU *cpu = X86_CPU(cs);
CPUX86State *env = &cpu->env;
- return ((cs->interrupt_request & (CPU_INTERRUPT_HARD |
- CPU_INTERRUPT_POLL)) &&
+#if !defined(CONFIG_USER_ONLY)
+ if (cs->interrupt_request & CPU_INTERRUPT_POLL) {
+ apic_poll_irq(cpu->apic_state);
+ cpu_reset_interrupt(cs, CPU_INTERRUPT_POLL);
+ }
+#endif
+
+ return ((cs->interrupt_request & CPU_INTERRUPT_HARD) &&
(env->eflags & IF_MASK)) ||
(cs->interrupt_request & (CPU_INTERRUPT_NMI |
CPU_INTERRUPT_INIT |
commit 24bf10dac389942b58f0d24e96590c927251b3d6
Author: Kevin Wolf <kwolf at redhat.com>
Date: Fri Nov 21 17:43:57 2014 +0100
Revert "qemu-img info: show nocow info"
This reverts commit 000c4dfff4d7686e2fba3066a477a1290ed60622.
The main reason for reverting this commit before the 2.2 release is that
it adds a QAPI interface that we don't want to keep: The 'nocow' flag
doesn't generally make sense for block nodes, but only for the raw-posix
driver. It should therefore be part of ImageInfoSpecific rather than
ImageInfo.
The commit contains more problems, but unlike the API stability issue
they wouldn't justify reverting it.
Conflicts:
block/qapi.c
Signed-off-by: Kevin Wolf <kwolf at redhat.com>
Reviewed-by: Eric Blake <eblake at redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/block/qapi.c b/block/qapi.c
index 1301144..a87a34a 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -29,13 +29,6 @@
#include "qapi/qmp-output-visitor.h"
#include "qapi/qmp/types.h"
#include "sysemu/block-backend.h"
-#ifdef __linux__
-#include <linux/fs.h>
-#include <sys/ioctl.h>
-#ifndef FS_NOCOW_FL
-#define FS_NOCOW_FL 0x00800000 /* Do not cow file */
-#endif
-#endif
BlockDeviceInfo *bdrv_block_device_info(BlockDriverState *bs)
{
@@ -180,9 +173,6 @@ void bdrv_query_image_info(BlockDriverState *bs,
int ret;
Error *err = NULL;
ImageInfo *info;
-#ifdef __linux__
- int fd, attr;
-#endif
size = bdrv_getlength(bs);
if (size < 0) {
@@ -212,18 +202,6 @@ void bdrv_query_image_info(BlockDriverState *bs,
info->format_specific = bdrv_get_specific_info(bs);
info->has_format_specific = info->format_specific != NULL;
-#ifdef __linux__
- /* get NOCOW info */
- fd = qemu_open(bs->filename, O_RDONLY | O_NONBLOCK);
- if (fd >= 0) {
- if (ioctl(fd, FS_IOC_GETFLAGS, &attr) == 0 && (attr & FS_NOCOW_FL)) {
- info->has_nocow = true;
- info->nocow = true;
- }
- qemu_close(fd);
- }
-#endif
-
backing_filename = bs->backing_file;
if (backing_filename[0] != '\0') {
info->backing_filename = g_strdup(backing_filename);
@@ -655,8 +633,4 @@ void bdrv_image_info_dump(fprintf_function func_fprintf, void *f,
func_fprintf(f, "Format specific information:\n");
bdrv_image_info_specific_dump(func_fprintf, f, info->format_specific);
}
-
- if (info->has_nocow && info->nocow) {
- func_fprintf(f, "NOCOW flag: set\n");
- }
}
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 8c3e45d..a14e6ab 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -119,8 +119,6 @@
# @format-specific: #optional structure supplying additional format-specific
# information (since 1.7)
#
-# @nocow: #optional info of whether NOCOW flag is set or not. (since 2.2)
-#
# Since: 1.3
#
##
@@ -132,8 +130,7 @@
'*backing-filename': 'str', '*full-backing-filename': 'str',
'*backing-filename-format': 'str', '*snapshots': ['SnapshotInfo'],
'*backing-image': 'ImageInfo',
- '*format-specific': 'ImageInfoSpecific',
- '*nocow': 'bool' } }
+ '*format-specific': 'ImageInfoSpecific' } }
##
# @ImageCheck:
commit 0c0de1b681bc11a8ebc94bd45e99d6f4e8fafd80
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:40 2014 +0000
pc: pc-dimm: use backend alignment during address auto allocation
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index 4944f0f..d431834 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -146,6 +146,9 @@ uint64_t pc_dimm_get_free_addr(uint64_t address_space_start,
uint64_t new_addr, ret = 0;
uint64_t address_space_end = address_space_start + address_space_size;
+ g_assert(QEMU_ALIGN_UP(address_space_start, align) == address_space_start);
+ g_assert(QEMU_ALIGN_UP(address_space_size, align) == address_space_size);
+
if (!address_space_size) {
error_setg(errp, "memory hotplug is not enabled, "
"please add maxmem option");
@@ -189,7 +192,7 @@ uint64_t pc_dimm_get_free_addr(uint64_t address_space_start,
error_setg(errp, "address range conflicts with '%s'", d->id);
goto out;
}
- new_addr = dimm->addr + dimm_size;
+ new_addr = QEMU_ALIGN_UP(dimm->addr + dimm_size, align);
}
}
ret = new_addr;
commit 91aa70ab2a748e3a72004d1a729248221b7bb24a
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:39 2014 +0000
pc: align DIMM's address/size by backend's alignment value
Performance wise it's better to align GVA by the backend's
page size.
Also do not allow to create DIMM device with suboptimal
size (i.e. not aligned to backends page size) to aviod
memory loss.
Do above only for 2.2 and newer machine types to avoid
breaking working configs with 2.1 machine type.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 33928b9..021ec44 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1564,6 +1564,10 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
goto out;
}
+ if (memory_region_get_alignment(mr) && pcms->enforce_aligned_dimm) {
+ align = memory_region_get_alignment(mr);
+ }
+
addr = pc_dimm_get_free_addr(pcms->hotplug_memory_base,
memory_region_size(&pcms->hotplug_memory),
!addr ? NULL : &addr, align,
@@ -1732,6 +1736,13 @@ static void pc_machine_set_vmport(Object *obj, bool value, Error **errp)
pcms->vmport = value;
}
+static bool pc_machine_get_aligned_dimm(Object *obj, Error **errp)
+{
+ PCMachineState *pcms = PC_MACHINE(obj);
+
+ return pcms->enforce_aligned_dimm;
+}
+
static void pc_machine_initfn(Object *obj)
{
PCMachineState *pcms = PC_MACHINE(obj);
@@ -1744,11 +1755,17 @@ static void pc_machine_initfn(Object *obj)
pc_machine_get_max_ram_below_4g,
pc_machine_set_max_ram_below_4g,
NULL, NULL, NULL);
+
pcms->vmport = !xen_enabled();
object_property_add_bool(obj, PC_MACHINE_VMPORT,
pc_machine_get_vmport,
pc_machine_set_vmport,
NULL);
+
+ pcms->enforce_aligned_dimm = true;
+ object_property_add_bool(obj, PC_MACHINE_ENFORCE_ALIGNED_DIMM,
+ pc_machine_get_aligned_dimm,
+ NULL, NULL);
}
static void pc_machine_class_init(ObjectClass *oc, void *data)
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 7bb97a4..741dffd 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -305,10 +305,12 @@ static void pc_init_pci(MachineState *machine)
static void pc_compat_2_1(MachineState *machine)
{
+ PCMachineState *pcms = PC_MACHINE(machine);
smbios_uuid_encoded = false;
x86_cpu_compat_set_features("coreduo", FEAT_1_ECX, CPUID_EXT_VMX, 0);
x86_cpu_compat_set_features("core2duo", FEAT_1_ECX, CPUID_EXT_VMX, 0);
x86_cpu_compat_kvm_no_autodisable(FEAT_8000_0001_ECX, CPUID_EXT3_SVM);
+ pcms->enforce_aligned_dimm = false;
}
static void pc_compat_2_0(MachineState *machine)
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 598e679..e9ba1a2 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -284,6 +284,9 @@ static void pc_q35_init(MachineState *machine)
static void pc_compat_2_1(MachineState *machine)
{
+ PCMachineState *pcms = PC_MACHINE(machine);
+
+ pcms->enforce_aligned_dimm = false;
smbios_uuid_encoded = false;
x86_cpu_compat_set_features("coreduo", FEAT_1_ECX, CPUID_EXT_VMX, 0);
x86_cpu_compat_set_features("core2duo", FEAT_1_ECX, CPUID_EXT_VMX, 0);
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 7c3731f..9d85b89 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -24,6 +24,8 @@
* address space begins.
* @hotplug_memory: hotplug memory addess space container
* @acpi_dev: link to ACPI PM device that performs ACPI hotplug handling
+ * @enforce_aligned_dimm: check that DIMM's address/size is aligned by
+ * backend's alignment value if provided
*/
struct PCMachineState {
/*< private >*/
@@ -38,12 +40,14 @@ struct PCMachineState {
uint64_t max_ram_below_4g;
bool vmport;
+ bool enforce_aligned_dimm;
};
#define PC_MACHINE_ACPI_DEVICE_PROP "acpi-device"
#define PC_MACHINE_MEMHP_REGION_SIZE "hotplug-memory-region-size"
#define PC_MACHINE_MAX_RAM_BELOW_4G "max-ram-below-4g"
#define PC_MACHINE_VMPORT "vmport"
+#define PC_MACHINE_ENFORCE_ALIGNED_DIMM "enforce-aligned-dimm"
/**
* PCMachineClass:
commit a2b257d6212ade772473f86bf0637480b2578a7e
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:37 2014 +0000
memory: expose alignment used for allocating RAM as MemoryRegion API
introduce memory_region_get_alignment() that returns
underlying memory block alignment or 0 if it's not
relevant/implemented for backend.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/exec.c b/exec.c
index f0e2bd3..71ac104 100644
--- a/exec.c
+++ b/exec.c
@@ -909,14 +909,15 @@ static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
uint16_t section);
static subpage_t *subpage_init(AddressSpace *as, hwaddr base);
-static void *(*phys_mem_alloc)(size_t size) = qemu_anon_ram_alloc;
+static void *(*phys_mem_alloc)(size_t size, uint64_t *align) =
+ qemu_anon_ram_alloc;
/*
* Set a custom physical guest memory alloator.
* Accelerators with unusual needs may need this. Hopefully, we can
* get rid of it eventually.
*/
-void phys_mem_set_alloc(void *(*alloc)(size_t))
+void phys_mem_set_alloc(void *(*alloc)(size_t, uint64_t *align))
{
phys_mem_alloc = alloc;
}
@@ -1098,6 +1099,7 @@ static void *file_ram_alloc(RAMBlock *block,
error_propagate(errp, local_err);
goto error;
}
+ block->mr->align = hpagesize;
if (memory < hpagesize) {
error_setg(errp, "memory size 0x" RAM_ADDR_FMT " must be equal to "
@@ -1309,7 +1311,8 @@ static ram_addr_t ram_block_add(RAMBlock *new_block, Error **errp)
if (xen_enabled()) {
xen_ram_alloc(new_block->offset, new_block->length, new_block->mr);
} else {
- new_block->host = phys_mem_alloc(new_block->length);
+ new_block->host = phys_mem_alloc(new_block->length,
+ &new_block->mr->align);
if (!new_block->host) {
error_setg_errno(errp, errno,
"cannot set up guest memory '%s'",
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index 421a142..0844885 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -333,7 +333,7 @@ extern uintptr_t tci_tb_ptr;
#if !defined(CONFIG_USER_ONLY)
-void phys_mem_set_alloc(void *(*alloc)(size_t));
+void phys_mem_set_alloc(void *(*alloc)(size_t, uint64_t *align));
struct MemoryRegion *iotlb_to_region(AddressSpace *as, hwaddr index);
bool io_mem_read(struct MemoryRegion *mr, hwaddr addr,
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 74a58b4..f64ab5e 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -146,6 +146,7 @@ struct MemoryRegion {
hwaddr addr;
void (*destructor)(MemoryRegion *mr);
ram_addr_t ram_addr;
+ uint64_t align;
bool subpage;
bool terminates;
bool romd_mode;
@@ -838,6 +839,7 @@ void memory_region_add_subregion_overlap(MemoryRegion *mr,
*/
ram_addr_t memory_region_get_ram_addr(MemoryRegion *mr);
+uint64_t memory_region_get_alignment(const MemoryRegion *mr);
/**
* memory_region_del_subregion: Remove a subregion.
*
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index c032434..b3300cc 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -5,6 +5,7 @@
#include <stdarg.h>
#include <stddef.h>
#include <stdbool.h>
+#include <stdint.h>
#include <sys/types.h>
#ifdef __OpenBSD__
#include <sys/signal.h>
@@ -103,7 +104,7 @@ typedef signed int int_fast16_t;
int qemu_daemon(int nochdir, int noclose);
void *qemu_try_memalign(size_t alignment, size_t size);
void *qemu_memalign(size_t alignment, size_t size);
-void *qemu_anon_ram_alloc(size_t size);
+void *qemu_anon_ram_alloc(size_t size, uint64_t *align);
void qemu_vfree(void *ptr);
void qemu_anon_ram_free(void *ptr, size_t size);
diff --git a/memory.c b/memory.c
index 0f4fdc7..15cf9eb 100644
--- a/memory.c
+++ b/memory.c
@@ -1749,6 +1749,11 @@ ram_addr_t memory_region_get_ram_addr(MemoryRegion *mr)
return mr->ram_addr;
}
+uint64_t memory_region_get_alignment(const MemoryRegion *mr)
+{
+ return mr->align;
+}
+
static int cmp_flatrange_addr(const void *addr_, const void *fr_)
{
const AddrRange *addr = addr_;
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index d247471..50709ba 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -404,7 +404,7 @@ int kvm_arch_get_registers(CPUState *cs)
* to grow. We also have to use MAP parameters that avoid
* read-only mapping of guest pages.
*/
-static void *legacy_s390_alloc(size_t size)
+static void *legacy_s390_alloc(size_t size, , uint64_t *align)
{
void *mem;
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index 8c9d80e..16fcec2 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -124,7 +124,7 @@ void *qemu_memalign(size_t alignment, size_t size)
}
/* alloc shared memory pages */
-void *qemu_anon_ram_alloc(size_t size)
+void *qemu_anon_ram_alloc(size_t size, uint64_t *alignment)
{
size_t align = QEMU_VMALLOC_ALIGN;
size_t total = size + align - getpagesize();
@@ -136,6 +136,9 @@ void *qemu_anon_ram_alloc(size_t size)
return NULL;
}
+ if (alignment) {
+ *alignment = align;
+ }
ptr += offset;
total -= offset;
diff --git a/util/oslib-win32.c b/util/oslib-win32.c
index a3eab4a..87cfbe0 100644
--- a/util/oslib-win32.c
+++ b/util/oslib-win32.c
@@ -67,7 +67,7 @@ void *qemu_memalign(size_t alignment, size_t size)
return qemu_oom_check(qemu_try_memalign(alignment, size));
}
-void *qemu_anon_ram_alloc(size_t size)
+void *qemu_anon_ram_alloc(size_t size, uint64_t *align)
{
void *ptr;
commit 92a37a04d6e034b73ea1ba4825ba4d5860f0a810
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:36 2014 +0000
pc: limit DIMM address and size to page aligned values
When running in KVM mode, kvm_set_phys_mem() will silently
fail if registered MemoryRegion address/size is not page
aligned. Causing memory hotplug failure in guest.
Mapping non aligned MemoryRegion in TCG mode 'works', but
sane guest OS still expects page aligned memory module
and fails to initialize it if it's not aligned.
So do not allow non aligned (i.e. valid) address/size
values for DIMM to avoid either KVM failure or guest
issues caused by it.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 70ae3cf..33928b9 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1556,6 +1556,7 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
PCDIMMDevice *dimm = PC_DIMM(dev);
PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
MemoryRegion *mr = ddc->get_memory_region(dimm);
+ uint64_t align = TARGET_PAGE_SIZE;
uint64_t addr;
addr = object_property_get_int(OBJECT(dimm), PC_DIMM_ADDR_PROP, &local_err);
@@ -1565,7 +1566,7 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
addr = pc_dimm_get_free_addr(pcms->hotplug_memory_base,
memory_region_size(&pcms->hotplug_memory),
- !addr ? NULL : &addr,
+ !addr ? NULL : &addr, align,
memory_region_size(mr), &local_err);
if (local_err) {
goto out;
diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index a800ea7..4944f0f 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -139,7 +139,7 @@ static int pc_dimm_built_list(Object *obj, void *opaque)
uint64_t pc_dimm_get_free_addr(uint64_t address_space_start,
uint64_t address_space_size,
- uint64_t *hint, uint64_t size,
+ uint64_t *hint, uint64_t align, uint64_t size,
Error **errp)
{
GSList *list = NULL, *item;
@@ -152,6 +152,18 @@ uint64_t pc_dimm_get_free_addr(uint64_t address_space_start,
goto out;
}
+ if (hint && QEMU_ALIGN_UP(*hint, align) != *hint) {
+ error_setg(errp, "address must be aligned to 0x%" PRIx64 " bytes",
+ align);
+ goto out;
+ }
+
+ if (QEMU_ALIGN_UP(size, align) != size) {
+ error_setg(errp, "backend memory size must be multiple of 0x%"
+ PRIx64, align);
+ goto out;
+ }
+
assert(address_space_end > address_space_start);
object_child_foreach(qdev_get_machine(), pc_dimm_built_list, &list);
diff --git a/include/hw/mem/pc-dimm.h b/include/hw/mem/pc-dimm.h
index 761eeef..e1dcbbc 100644
--- a/include/hw/mem/pc-dimm.h
+++ b/include/hw/mem/pc-dimm.h
@@ -72,7 +72,7 @@ typedef struct PCDIMMDeviceClass {
uint64_t pc_dimm_get_free_addr(uint64_t address_space_start,
uint64_t address_space_size,
- uint64_t *hint, uint64_t size,
+ uint64_t *hint, uint64_t align, uint64_t size,
Error **errp);
int pc_dimm_get_free_slot(const int *hint, int max_slots, Error **errp);
commit 34dde13685ebc2c07923f32ad69e40b27c0e0bb4
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:35 2014 +0000
pc: make pc_dimm_plug() more readble
split addr initialization from declaration so that
later when new local vars are added property getter
wouldn't drift off of error check.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index ce7b752..70ae3cf 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1556,8 +1556,9 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
PCDIMMDevice *dimm = PC_DIMM(dev);
PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
MemoryRegion *mr = ddc->get_memory_region(dimm);
- uint64_t addr = object_property_get_int(OBJECT(dimm), PC_DIMM_ADDR_PROP,
- &local_err);
+ uint64_t addr;
+
+ addr = object_property_get_int(OBJECT(dimm), PC_DIMM_ADDR_PROP, &local_err);
if (local_err) {
goto out;
}
commit b8865591d4d5680b4f766c25ca1db110320b4d15
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Oct 31 16:38:32 2014 +0000
pc: kvm: check if KVM has free memory slots to avoid abort()
When more memory devices are used than available
KVM memory slots, QEMU crashes with:
kvm_alloc_slot: no free slot available
Aborted (core dumped)
Fix this by checking that KVM has a free slot before
attempting to map memory in guest address space.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Acked-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 1205db8..ce7b752 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1598,6 +1598,11 @@ static void pc_dimm_plug(HotplugHandler *hotplug_dev,
goto out;
}
+ if (kvm_enabled() && !kvm_has_free_slot(machine)) {
+ error_setg(&local_err, "hypervisor has no free memory slots left");
+ goto out;
+ }
+
memory_region_add_subregion(&pcms->hotplug_memory,
addr - pcms->hotplug_memory_base, mr);
vmstate_register_ram(mr, dev);
diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
index b0cd657..22e42ef 100644
--- a/include/sysemu/kvm.h
+++ b/include/sysemu/kvm.h
@@ -163,6 +163,7 @@ extern KVMState *kvm_state;
/* external API */
+bool kvm_has_free_slot(MachineState *ms);
int kvm_has_sync_mmu(void);
int kvm_has_vcpu_events(void);
int kvm_has_robust_singlestep(void);
diff --git a/kvm-all.c b/kvm-all.c
index 596e7ce..937bc9d 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -132,7 +132,7 @@ static const KVMCapabilityInfo kvm_required_capabilites[] = {
KVM_CAP_LAST_INFO
};
-static KVMSlot *kvm_alloc_slot(KVMState *s)
+static KVMSlot *kvm_get_free_slot(KVMState *s)
{
int i;
@@ -142,6 +142,22 @@ static KVMSlot *kvm_alloc_slot(KVMState *s)
}
}
+ return NULL;
+}
+
+bool kvm_has_free_slot(MachineState *ms)
+{
+ return kvm_get_free_slot(KVM_STATE(ms->accelerator));
+}
+
+static KVMSlot *kvm_alloc_slot(KVMState *s)
+{
+ KVMSlot *slot = kvm_get_free_slot(s);
+
+ if (slot) {
+ return slot;
+ }
+
fprintf(stderr, "%s: no free slot available\n", __func__);
abort();
}
diff --git a/kvm-stub.c b/kvm-stub.c
index 43fc0dd..7ba90c5 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -147,4 +147,9 @@ int kvm_irqchip_remove_irqfd_notifier(KVMState *s, EventNotifier *n, int virq)
{
return -ENOSYS;
}
+
+bool kvm_has_free_slot(MachineState *ms)
+{
+ return false;
+}
#endif
commit c409572678936d3ffa8694f5a1dae531c2212e21
Author: Michael S. Tsirkin <mst at redhat.com>
Date: Sun Nov 2 18:48:32 2014 +0200
qemu-char: fix tcp_get_fds
tcp_get_fds API discards fds if there's more than 1 of these.
It's tricky to fix this without API changes in the generic case.
However, this API is only used by tests ATM, and tests know how
many fds they expect.
So let's not waste cycles trying to fix this properly:
simply assume at most 16 fds (tests use at most 8 now).
assert if some test tries to get more.
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
diff --git a/qemu-char.c b/qemu-char.c
index 4a76f0f..a8b01da 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -88,6 +88,7 @@
#define READ_BUF_LEN 4096
#define READ_RETRIES 10
#define CHR_MAX_FILENAME_SIZE 256
+#define TCP_MAX_FDS 16
/***********************************************************/
/* Socket address helpers */
@@ -2668,6 +2669,8 @@ static int tcp_get_msgfds(CharDriverState *chr, int *fds, int num)
TCPCharDriver *s = chr->opaque;
int to_copy = (s->read_msgfds_num < num) ? s->read_msgfds_num : num;
+ assert(num <= TCP_MAX_FDS);
+
if (to_copy) {
int i;
@@ -2762,7 +2765,7 @@ static ssize_t tcp_chr_recv(CharDriverState *chr, char *buf, size_t len)
struct iovec iov[1];
union {
struct cmsghdr cmsg;
- char control[CMSG_SPACE(sizeof(int))];
+ char control[CMSG_SPACE(sizeof(int) * TCP_MAX_FDS)];
} msg_control;
int flags = 0;
ssize_t ret;
commit 0e88f478508b566152c6681f4889ed9830a2c0a5
Merge: a00c117 b0af844
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Fri Nov 21 14:15:37 2014 +0000
Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging
# gpg: Signature made Fri 21 Nov 2014 11:12:37 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha at redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha at gmail.com>"
* remotes/stefanha/tags/net-pull-request:
rtl8139: fix Pointer to local outside scope
pcnet: fix Negative array index read
net/socket: fix Uninitialized scalar variable
net/slirp: fix memory leak
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit a00c1173385741007f71ce505d092f4cc174f449
Merge: 9c7074d b310a2a
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Fri Nov 21 13:22:18 2014 +0000
Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20141121-1' into staging
gtk: two bugfixes for 2.2.
# gpg: Signature made Fri 21 Nov 2014 07:38:45 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel at redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd at kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel at gmail.com>"
* remotes/kraxel/tags/pull-gtk-20141121-1:
gtk: Don't crash if -nodefaults
gtk: fix possible memory leak about local_err
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit b0af844007841609cc11fab58f838bd105cbe144
Author: Gonglei <arei.gonglei at huawei.com>
Date: Thu Nov 20 19:35:03 2014 +0800
rtl8139: fix Pointer to local outside scope
Coverity spot:
Assigning: iov = struct iovec [3]({{buf, 12UL},
{(void *)dot1q_buf, 4UL},
{buf + 12, size - 12}})
(address of temporary variable of type struct iovec [3]).
out_of_scope: Temporary variable of type struct iovec [3] goes out of scope.
Pointer to local outside scope (RETURN_LOCAL)
use_invalid:
Using iov, which points to an out-of-scope temporary variable of type struct iovec [3].
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 8b8a1b1..5f0197c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1775,6 +1775,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
int do_interrupt, const uint8_t *dot1q_buf)
{
struct iovec *iov = NULL;
+ struct iovec vlan_iov[3];
if (!size)
{
@@ -1789,6 +1790,9 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
{ .iov_base = buf + ETHER_ADDR_LEN * 2,
.iov_len = size - ETHER_ADDR_LEN * 2 },
};
+
+ memcpy(vlan_iov, iov, sizeof(vlan_iov));
+ iov = vlan_iov;
}
if (TxLoopBack == (s->TxConfig & TxLoopBack))
commit 7b50d00911ddd6d56a766ac5671e47304c20a21b
Author: Gonglei <arei.gonglei at huawei.com>
Date: Thu Nov 20 19:35:02 2014 +0800
pcnet: fix Negative array index read
s->xmit_pos maybe assigned to a negative value (-1),
but in this branch variable s->xmit_pos as an index to
array s->buffer. Let's add a check for s->xmit_pos.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index d344c15..f409b92 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1212,7 +1212,7 @@ static void pcnet_transmit(PCNetState *s)
hwaddr xmit_cxda = 0;
int count = CSR_XMTRL(s)-1;
int add_crc = 0;
-
+ int bcnt;
s->xmit_pos = -1;
if (!CSR_TXON(s)) {
@@ -1247,35 +1247,40 @@ static void pcnet_transmit(PCNetState *s)
s->xmit_pos = -1;
goto txdone;
}
+
+ if (s->xmit_pos < 0) {
+ goto txdone;
+ }
+
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+ s->xmit_pos += bcnt;
+
if (!GET_FIELD(tmd.status, TMDS, ENP)) {
- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
- } else if (s->xmit_pos >= 0) {
- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
+ goto txdone;
+ }
+
#ifdef PCNET_DEBUG
- printf("pcnet_transmit size=%d\n", s->xmit_pos);
+ printf("pcnet_transmit size=%d\n", s->xmit_pos);
#endif
- if (CSR_LOOP(s)) {
- if (BCR_SWSTYLE(s) == 1)
- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
- s->looptest = 0;
- } else
- if (s->nic)
- qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
- s->xmit_pos);
-
- s->csr[0] &= ~0x0008; /* clear TDMD */
- s->csr[4] |= 0x0004; /* set TXSTRT */
- s->xmit_pos = -1;
+ if (CSR_LOOP(s)) {
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+ pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+ qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
+ s->xmit_pos);
+ }
}
+ s->csr[0] &= ~0x0008; /* clear TDMD */
+ s->csr[4] |= 0x0004; /* set TXSTRT */
+ s->xmit_pos = -1;
+
txdone:
SET_FIELD(&tmd.status, TMDS, OWN, 0);
TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
commit 8db804ac412010fc96397c2d67ee6417eccd9d34
Author: Gonglei <arei.gonglei at huawei.com>
Date: Thu Nov 20 19:35:01 2014 +0800
net/socket: fix Uninitialized scalar variable
If is_connected parameter is false, the saddr
variable will no initialize. Coverity report:
uninit_use: Using uninitialized value saddr.sin_port.
We don't need add saddr information to nc->info_str
when is_connected is false.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/net/socket.c b/net/socket.c
index ca4b8ba..68a93cd 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -389,11 +389,6 @@ static NetSocketState *net_socket_fd_init_dgram(NetClientState *peer,
nc = qemu_new_net_client(&net_dgram_socket_info, peer, model, name);
- snprintf(nc->info_str, sizeof(nc->info_str),
- "socket: fd=%d (%s mcast=%s:%d)",
- fd, is_connected ? "cloned" : "",
- inet_ntoa(saddr.sin_addr), ntohs(saddr.sin_port));
-
s = DO_UPCAST(NetSocketState, nc, nc);
s->fd = fd;
@@ -404,6 +399,12 @@ static NetSocketState *net_socket_fd_init_dgram(NetClientState *peer,
/* mcast: save bound address as dst */
if (is_connected) {
s->dgram_dst = saddr;
+ snprintf(nc->info_str, sizeof(nc->info_str),
+ "socket: fd=%d (cloned mcast=%s:%d)",
+ fd, inet_ntoa(saddr.sin_addr), ntohs(saddr.sin_port));
+ } else {
+ snprintf(nc->info_str, sizeof(nc->info_str),
+ "socket: fd=%d", fd);
}
return s;
commit 7a8919dc29a9f46dcadd950c2aa1acf74f28974d
Author: Gonglei <arei.gonglei at huawei.com>
Date: Thu Nov 20 19:35:00 2014 +0800
net/slirp: fix memory leak
commit b412eb61 introduce 'cmd:' target for guestfwd,
and fwd don't be used in this scenario, and will leak
memory in true branch with 'cmd:'. Let's allocate memory
for fwd variable just in else statement.
Cc: Alexander Graf <agraf at suse.de>
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/net/slirp.c b/net/slirp.c
index dc89e6b..377d7ef 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -643,17 +643,16 @@ static int slirp_guestfwd(SlirpState *s, const char *config_str,
goto fail_syntax;
}
- fwd = g_malloc(sizeof(struct GuestFwd));
snprintf(buf, sizeof(buf), "guestfwd.tcp.%d", port);
if ((strlen(p) > 4) && !strncmp(p, "cmd:", 4)) {
if (slirp_add_exec(s->slirp, 0, &p[4], &server, port) < 0) {
error_report("conflicting/invalid host:port in guest forwarding "
"rule '%s'", config_str);
- g_free(fwd);
return -1;
}
} else {
+ fwd = g_malloc(sizeof(struct GuestFwd));
fwd->hd = qemu_chr_new(buf, p, NULL);
if (!fwd->hd) {
error_report("could not open guest forwarding device '%s'", buf);
commit b310a2a6095ec927a42cc1aba520a316be0faf51
Author: Fam Zheng <famz at redhat.com>
Date: Fri Nov 21 09:59:09 2014 +0800
gtk: Don't crash if -nodefaults
This fixes a crash by just skipping the vte resize hack if cur is NULL.
Reproducer:
qemu-system-x86_64 -nodefaults
Signed-off-by: Fam Zheng <famz at redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
diff --git a/ui/gtk.c b/ui/gtk.c
index 9496b8d..0385757 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1909,15 +1909,17 @@ void gtk_display_init(DisplayState *ds, bool full_screen, bool grab_on_hover)
#ifdef VTE_RESIZE_HACK
{
VirtualConsole *cur = gd_vc_find_current(s);
- int i;
-
- for (i = 0; i < s->nb_vcs; i++) {
- VirtualConsole *vc = &s->vc[i];
- if (vc && vc->type == GD_VC_VTE && vc != cur) {
- gtk_widget_hide(vc->vte.terminal);
+ if (cur) {
+ int i;
+
+ for (i = 0; i < s->nb_vcs; i++) {
+ VirtualConsole *vc = &s->vc[i];
+ if (vc && vc->type == GD_VC_VTE && vc != cur) {
+ gtk_widget_hide(vc->vte.terminal);
+ }
}
+ gd_update_windowsize(cur);
}
- gd_update_windowsize(cur);
}
#endif
commit 8a0f9b5263bb3a96d574ca78ad3b8f1d7bf8b12b
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date: Fri Nov 14 11:25:28 2014 +0800
gtk: fix possible memory leak about local_err
local_err in gd_vc_gfx_init() is not freed, and we don't use it,
so remove it.
Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
diff --git a/ui/gtk.c b/ui/gtk.c
index 38bf463..9496b8d 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1666,10 +1666,9 @@ static GSList *gd_vc_gfx_init(GtkDisplayState *s, VirtualConsole *vc,
QemuConsole *con, int idx,
GSList *group, GtkWidget *view_menu)
{
- Error *local_err = NULL;
Object *obj;
- obj = object_property_get_link(OBJECT(con), "device", &local_err);
+ obj = object_property_get_link(OBJECT(con), "device", NULL);
if (obj) {
vc->label = g_strdup_printf("%s", object_get_typename(obj));
} else {
commit 9c7074da5ec64e1fd61df881ab291f75541ff2b0
Author: Leif Lindholm <leif.lindholm at linaro.org>
Date: Wed Nov 19 11:08:45 2014 +0000
hw/arm/virt: set stdout-path instead of linux,stdout-path
ePAPR 1.1 defines the stdout-path property, making the os-specific
linux,stdout-path property redundant. Change the DT setup for ARM virt
to use the generic property - supported by Linux since 3.15.
The old QEMU behaviour was not present in any released version of
QEMU, and was only added to QEMU after the kernel changed, so
this should not break any existing setups.
Signed-off-by: Leif Lindholm <leif.lindholm at linaro.org>
[PMM: add note to commit about the old behaviour never hving been
in a released version of QEMU]
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 78f618d..314e55b 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -389,7 +389,7 @@ static void create_uart(const VirtBoardInfo *vbi, qemu_irq *pic)
qemu_fdt_setprop(vbi->fdt, nodename, "clock-names",
clocknames, sizeof(clocknames));
- qemu_fdt_setprop_string(vbi->fdt, "/chosen", "linux,stdout-path", nodename);
+ qemu_fdt_setprop_string(vbi->fdt, "/chosen", "stdout-path", nodename);
g_free(nodename);
}
commit ff323a6b5468523aab07d376875685ec00385f44
Merge: f75ad80 76cb658
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Thu Nov 20 14:02:24 2014 +0000
Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
Patch queue for ppc - 2014-11-20
Hopefully the last few fixups for 2.2:
- KVM memory slot fix (should usually only occur on PPC)
- e300 fix
- Altivec mtvscr instruction fix
# gpg: Signature made Thu 20 Nov 2014 13:53:34 GMT using RSA key ID 03FEDC60
# gpg: Good signature from "Alexander Graf <agraf at suse.de>"
# gpg: aka "Alexander Graf <alex at csgraf.de>"
* remotes/agraf/tags/signed-ppc-for-upstream:
target-ppc: Altivec's mtvscr Decodes Wrong Register
kvm: Fix memory slot page alignment logic
target-ppc: Fix breakpoint registers for e300
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 76cb6584196b6f35d6e9b5124974d3eba643f772
Author: Tom Musta <tommusta at gmail.com>
Date: Fri Nov 14 14:01:41 2014 -0600
target-ppc: Altivec's mtvscr Decodes Wrong Register
The Move to Vector Status and Control Register (mtvscr) instruction
uses VRB as the source register. Fix the code generator to correctly
decode the VRB field. That is, use "rB(ctx->opcode)" instead of
"rD(ctx->opcode)".
Signed-off-by: Tom Musta <tommusta at gmail.com>
Signed-off-by: Alexander Graf <agraf at suse.de>
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 910ce56..d381632 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -6848,7 +6848,7 @@ static void gen_mtvscr(DisasContext *ctx)
gen_exception(ctx, POWERPC_EXCP_VPU);
return;
}
- p = gen_avr_ptr(rD(ctx->opcode));
+ p = gen_avr_ptr(rB(ctx->opcode));
gen_helper_mtvscr(cpu_env, p);
tcg_temp_free_ptr(p);
}
commit f2a64032a14c642d0ddc9a7a846fc3d737deede5
Author: Alexander Graf <agraf at suse.de>
Date: Fri Nov 7 22:12:48 2014 +0100
kvm: Fix memory slot page alignment logic
Memory slots have to be page aligned to get entered into KVM. There
is existing logic that tries to ensure that we pad memory slots that
are not page aligned to the biggest region that would still fit in the
alignment requirements.
Unfortunately, that logic is broken. It tries to calculate the start
offset based on the region size.
Fix up the logic to do the thing it was intended to do and document it
properly in the comment above it.
With this patch applied, I can successfully run an e500 guest with more
than 3GB RAM (at which point RAM starts overlapping subpage memory regions).
Cc: qemu-stable at nongnu.org
Signed-off-by: Alexander Graf <agraf at suse.de>
diff --git a/kvm-all.c b/kvm-all.c
index 44a5e72..596e7ce 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -634,8 +634,10 @@ static void kvm_set_phys_mem(MemoryRegionSection *section, bool add)
unsigned delta;
/* kvm works in page size chunks, but the function may be called
- with sub-page size and unaligned start address. */
- delta = TARGET_PAGE_ALIGN(size) - size;
+ with sub-page size and unaligned start address. Pad the start
+ address to next and truncate size to previous page boundary. */
+ delta = (TARGET_PAGE_SIZE - (start_addr & ~TARGET_PAGE_MASK));
+ delta &= ~TARGET_PAGE_MASK;
if (delta > size) {
return;
}
commit 3ade1a055c9ac6c351a008703e30fb831f23b941
Author: Fabien Chouteau <chouteau at adacore.com>
Date: Thu Nov 6 17:23:50 2014 +0100
target-ppc: Fix breakpoint registers for e300
In the previous patch, the registers were added to init_proc_G2LE
instead of init_proc_e300.
Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
Signed-off-by: Alexander Graf <agraf at suse.de>
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 20d58c0..1fece7b 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -4374,32 +4374,6 @@ static void init_proc_G2LE (CPUPPCState *env)
SPR_NOACCESS, SPR_NOACCESS,
&spr_read_generic, &spr_write_generic,
0x00000000);
- /* Breakpoints */
- /* XXX : not implemented */
- spr_register(env, SPR_DABR, "DABR",
- SPR_NOACCESS, SPR_NOACCESS,
- &spr_read_generic, &spr_write_generic,
- 0x00000000);
- /* XXX : not implemented */
- spr_register(env, SPR_DABR2, "DABR2",
- SPR_NOACCESS, SPR_NOACCESS,
- &spr_read_generic, &spr_write_generic,
- 0x00000000);
- /* XXX : not implemented */
- spr_register(env, SPR_IABR2, "IABR2",
- SPR_NOACCESS, SPR_NOACCESS,
- &spr_read_generic, &spr_write_generic,
- 0x00000000);
- /* XXX : not implemented */
- spr_register(env, SPR_IBCR, "IBCR",
- SPR_NOACCESS, SPR_NOACCESS,
- &spr_read_generic, &spr_write_generic,
- 0x00000000);
- /* XXX : not implemented */
- spr_register(env, SPR_DBCR, "DBCR",
- SPR_NOACCESS, SPR_NOACCESS,
- &spr_read_generic, &spr_write_generic,
- 0x00000000);
/* Memory management */
gen_low_BATs(env);
@@ -4628,6 +4602,32 @@ static void init_proc_e300 (CPUPPCState *env)
SPR_NOACCESS, SPR_NOACCESS,
&spr_read_generic, &spr_write_generic,
0x00000000);
+ /* Breakpoints */
+ /* XXX : not implemented */
+ spr_register(env, SPR_DABR, "DABR",
+ SPR_NOACCESS, SPR_NOACCESS,
+ &spr_read_generic, &spr_write_generic,
+ 0x00000000);
+ /* XXX : not implemented */
+ spr_register(env, SPR_DABR2, "DABR2",
+ SPR_NOACCESS, SPR_NOACCESS,
+ &spr_read_generic, &spr_write_generic,
+ 0x00000000);
+ /* XXX : not implemented */
+ spr_register(env, SPR_IABR2, "IABR2",
+ SPR_NOACCESS, SPR_NOACCESS,
+ &spr_read_generic, &spr_write_generic,
+ 0x00000000);
+ /* XXX : not implemented */
+ spr_register(env, SPR_IBCR, "IBCR",
+ SPR_NOACCESS, SPR_NOACCESS,
+ &spr_read_generic, &spr_write_generic,
+ 0x00000000);
+ /* XXX : not implemented */
+ spr_register(env, SPR_DBCR, "DBCR",
+ SPR_NOACCESS, SPR_NOACCESS,
+ &spr_read_generic, &spr_write_generic,
+ 0x00000000);
/* Memory management */
gen_low_BATs(env);
gen_high_BATs(env);
commit f75ad80f6c8ce0d83224076bd3445c77451977d5
Merge: af3ff19 6c1b663
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Thu Nov 20 13:00:28 2014 +0000
Merge remote-tracking branch 'remotes/amit-migration/tags/for-2.2-2' into staging
Fix from a while back that unfortunately got ignored. Dave Gilbert says
it may actually fix a case where autoconverge would break on a repeat
migration (and not just fix stats).
# gpg: Signature made Thu 20 Nov 2014 12:52:41 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit at amitshah.net>"
# gpg: aka "Amit Shah <amit at kernel.org>"
# gpg: aka "Amit Shah <amitshah at gmx.net>"
* remotes/amit-migration/tags/for-2.2-2:
migration: static variables will not be reset at second migration
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 6c1b663c4c3725bc4bc33f78ed266ddef80a2ca8
Author: ChenLiang <chenliang88 at huawei.com>
Date: Thu Mar 20 20:15:03 2014 +0800
migration: static variables will not be reset at second migration
The static variables in migration_bitmap_sync will not be reset in
the case of a second attempted migration.
Signed-off-by: ChenLiang <chenliang88 at huawei.com>
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert at redhat.com>
Signed-off-by: Amit Shah <amit.shah at redhat.com>
diff --git a/arch_init.c b/arch_init.c
index 593a990..7680d28 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -486,15 +486,23 @@ static void migration_bitmap_sync_range(ram_addr_t start, ram_addr_t length)
/* Needs iothread lock! */
+/* Fix me: there are too many global variables used in migration process. */
+static int64_t start_time;
+static int64_t bytes_xfer_prev;
+static int64_t num_dirty_pages_period;
+
+static void migration_bitmap_sync_init(void)
+{
+ start_time = 0;
+ bytes_xfer_prev = 0;
+ num_dirty_pages_period = 0;
+}
static void migration_bitmap_sync(void)
{
RAMBlock *block;
uint64_t num_dirty_pages_init = migration_dirty_pages;
MigrationState *s = migrate_get_current();
- static int64_t start_time;
- static int64_t bytes_xfer_prev;
- static int64_t num_dirty_pages_period;
int64_t end_time;
int64_t bytes_xfer_now;
static uint64_t xbzrle_cache_miss_prev;
@@ -774,6 +782,7 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
mig_throttle_on = false;
dirty_rate_high_cnt = 0;
bitmap_sync_count = 0;
+ migration_bitmap_sync_init();
if (migrate_use_xbzrle()) {
XBZRLE_cache_lock();
commit af3ff19b48f0bbf3a8bd35c47460358e8c6ae5e5
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 18 18:00:58 2014 +0000
Update version for v2.2.0-rc2 release
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/VERSION b/VERSION
index 40e6c8e..a048613 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.91
+2.1.92
commit 6b896ab261942f441a16836e3fa3c83f3f4488b9
Author: Don Slutz <dslutz at verizon.com>
Date: Mon Nov 17 16:20:39 2014 -0500
hw/ide/core.c: Prevent SIGSEGV during migration
The other callers to blk_set_enable_write_cache() in this file
already check for s->blk == NULL.
Signed-off-by: Don Slutz <dslutz at verizon.com>
Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
Message-id: 1416259239-13281-1-git-send-email-dslutz at verizon.com
Cc: qemu-stable at nongnu.org
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 00e21cf..d4af5e2 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2401,7 +2401,7 @@ static int ide_drive_post_load(void *opaque, int version_id)
{
IDEState *s = opaque;
- if (s->identify_set) {
+ if (s->blk && s->identify_set) {
blk_set_enable_write_cache(s->blk, !!(s->identify_data[85] & (1 << 5)));
}
return 0;
commit 8336e465acdc0ebaaaa685d218edca346f91100b
Merge: b1b1e81 ed6273e
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 18 16:17:32 2014 +0000
Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging
# gpg: Signature made Tue 18 Nov 2014 15:04:53 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha at redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha at gmail.com>"
* remotes/stefanha/tags/net-pull-request:
net: The third parameter of getsockname should be initialized
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit b1b1e81fb51965bb53be3d58d3dd9b3b3aa17242
Merge: 1ab8f86 776ec96
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 18 15:05:36 2014 +0000
Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging
# gpg: Signature made Tue 18 Nov 2014 15:04:14 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha at redhat.com>"
# gpg: aka "Stefan Hajnoczi <stefanha at gmail.com>"
* remotes/stefanha/tags/tracing-pull-request:
Tracing: Fix simpletrace.py error on tcg enabled binary traces
Tracing docs fix configure option and description
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit ed6273e26fdfb94a282dbbf1234a75422c6b4c4b
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date: Mon Nov 17 13:54:05 2014 +0800
net: The third parameter of getsockname should be initialized
Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
Reviewed-by: Markus Armbruster <armbru at redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/net/socket.c b/net/socket.c
index fb21e20..ca4b8ba 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -352,7 +352,7 @@ static NetSocketState *net_socket_fd_init_dgram(NetClientState *peer,
{
struct sockaddr_in saddr;
int newfd;
- socklen_t saddr_len;
+ socklen_t saddr_len = sizeof(saddr);
NetClientState *nc;
NetSocketState *s;
commit 776ec96f790e2c943c13313d8ecab4713b47ab65
Author: Christoph Seifert <christoph.seifert at posteo.de>
Date: Sun Nov 2 22:37:59 2014 +0100
Tracing: Fix simpletrace.py error on tcg enabled binary traces
simpletrace.py does not recognize the tcg option while reading trace-events file. In result simpletrace does not work on binary traces and tcg enabled events. Moved transformation of tcg enabled events to _read_events() which is used by simpletrace.
Signed-off-by: Christoph Seifert <christoph.seifert at posteo.de>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/scripts/tracetool/__init__.py b/scripts/tracetool/__init__.py
index 3d5743f..181675f 100644
--- a/scripts/tracetool/__init__.py
+++ b/scripts/tracetool/__init__.py
@@ -253,14 +253,44 @@ class Event(object):
def _read_events(fobj):
- res = []
+ events = []
for line in fobj:
if not line.strip():
continue
if line.lstrip().startswith('#'):
continue
- res.append(Event.build(line))
- return res
+
+ event = Event.build(line)
+
+ # transform TCG-enabled events
+ if "tcg" not in event.properties:
+ events.append(event)
+ else:
+ event_trans = event.copy()
+ event_trans.name += "_trans"
+ event_trans.properties += ["tcg-trans"]
+ event_trans.fmt = event.fmt[0]
+ args_trans = []
+ for atrans, aorig in zip(
+ event_trans.transform(tracetool.transform.TCG_2_HOST).args,
+ event.args):
+ if atrans == aorig:
+ args_trans.append(atrans)
+ event_trans.args = Arguments(args_trans)
+ event_trans = event_trans.copy()
+
+ event_exec = event.copy()
+ event_exec.name += "_exec"
+ event_exec.properties += ["tcg-exec"]
+ event_exec.fmt = event.fmt[1]
+ event_exec = event_exec.transform(tracetool.transform.TCG_2_HOST)
+
+ new_event = [event_trans, event_exec]
+ event.event_trans, event.event_exec = new_event
+
+ events.extend(new_event)
+
+ return events
class TracetoolError (Exception):
@@ -333,35 +363,4 @@ def generate(fevents, format, backends,
events = _read_events(fevents)
- # transform TCG-enabled events
- new_events = []
- for event in events:
- if "tcg" not in event.properties:
- new_events.append(event)
- else:
- event_trans = event.copy()
- event_trans.name += "_trans"
- event_trans.properties += ["tcg-trans"]
- event_trans.fmt = event.fmt[0]
- args_trans = []
- for atrans, aorig in zip(
- event_trans.transform(tracetool.transform.TCG_2_HOST).args,
- event.args):
- if atrans == aorig:
- args_trans.append(atrans)
- event_trans.args = Arguments(args_trans)
- event_trans = event_trans.copy()
-
- event_exec = event.copy()
- event_exec.name += "_exec"
- event_exec.properties += ["tcg-exec"]
- event_exec.fmt = event.fmt[1]
- event_exec = event_exec.transform(tracetool.transform.TCG_2_HOST)
-
- new_event = [event_trans, event_exec]
- event.event_trans, event.event_exec = new_event
-
- new_events.extend(new_event)
- events = new_events
-
tracetool.format.generate(events, format, backend)
commit b73e8bd414b70f7ee63474cbddce0fb809e56a5d
Author: Dr. David Alan Gilbert <dgilbert at redhat.com>
Date: Tue Oct 7 15:12:41 2014 +0100
Tracing docs fix configure option and description
Fix the example trace configure option.
Update the text to say that multiple backends are allowed and what
happens when multiple backends are enabled.
Signed-off-by: Dr. David Alan Gilbert <dgilbert at redhat.com>
Message-id: 1412691161-31785-1-git-send-email-dgilbert at redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
diff --git a/docs/tracing.txt b/docs/tracing.txt
index 7d38926..7117c5e 100644
--- a/docs/tracing.txt
+++ b/docs/tracing.txt
@@ -139,12 +139,12 @@ events are not tightly coupled to a specific trace backend, such as LTTng or
SystemTap. Support for trace backends can be added by extending the "tracetool"
script.
-The trace backend is chosen at configure time and only one trace backend can
-be built into the binary:
+The trace backends are chosen at configure time:
- ./configure --trace-backends=simple
+ ./configure --enable-trace-backends=simple
For a list of supported trace backends, try ./configure --help or see below.
+If multiple backends are enabled, the trace is sent to them all.
The following subsections describe the supported trace backends.
commit 1ab8f867ef2ef0aa259e0e0d1040d67350af1bec
Merge: ea5b201 098ffa6
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 18 13:43:37 2014 +0000
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block patches for 2.2.0-rc2
# gpg: Signature made Tue 18 Nov 2014 11:32:55 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf at redhat.com>"
* remotes/kevin/tags/for-upstream:
block/raw-posix: Catch fsync() errors
block/raw-posix: Only sync after successful preallocation
block/raw-posix: Fix preallocating write() loop
raw-posix: The SEEK_HOLE code is flawed, rewrite it
raw-posix: SEEK_HOLE suffices, get rid of FIEMAP
raw-posix: Fix comment for raw_co_get_block_status()
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit ea5b201a0acfb4c3029afd4e7999b4278e1351d4
Merge: 444b199 0be839a
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Tue Nov 18 12:29:05 2014 +0000
Merge remote-tracking branch 'remotes/amit-migration/tags/for-2.2' into staging
Fix for CVE-2014-7840, avoiding arbitrary qemu memory overwrite for
migration by Michael S. Tsirkin.
# gpg: Signature made Tue 18 Nov 2014 11:23:00 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit at amitshah.net>"
# gpg: aka "Amit Shah <amit at kernel.org>"
# gpg: aka "Amit Shah <amitshah at gmx.net>"
* remotes/amit-migration/tags/for-2.2:
migration: fix parameter validation on ram load
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 444b1996cb3769d8636b223c281fb09ab89b7a31
Author: Ard Biesheuvel <ard.biesheuvel at linaro.org>
Date: Mon Nov 17 19:28:18 2014 +0100
linux-headers: update to 3.18-rc5
This updates the Linux header to version 3.18-rc5, adding support for
(among other things) read-only memslots on ARM and arm64.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
Message-id: 1416248898-6302-1-git-send-email-ard.biesheuvel at linaro.org
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
diff --git a/linux-headers/asm-arm/kvm.h b/linux-headers/asm-arm/kvm.h
index e6ebdd3..09ee408 100644
--- a/linux-headers/asm-arm/kvm.h
+++ b/linux-headers/asm-arm/kvm.h
@@ -25,6 +25,7 @@
#define __KVM_HAVE_GUEST_DEBUG
#define __KVM_HAVE_IRQ_LINE
+#define __KVM_HAVE_READONLY_MEM
#define KVM_REG_SIZE(id) \
(1U << (((id) & KVM_REG_SIZE_MASK) >> KVM_REG_SIZE_SHIFT))
@@ -173,6 +174,7 @@ struct kvm_arch_memory_slot {
#define KVM_DEV_ARM_VGIC_CPUID_MASK (0xffULL << KVM_DEV_ARM_VGIC_CPUID_SHIFT)
#define KVM_DEV_ARM_VGIC_OFFSET_SHIFT 0
#define KVM_DEV_ARM_VGIC_OFFSET_MASK (0xffffffffULL << KVM_DEV_ARM_VGIC_OFFSET_SHIFT)
+#define KVM_DEV_ARM_VGIC_GRP_NR_IRQS 3
/* KVM_IRQ_LINE irq field index values */
#define KVM_ARM_IRQ_TYPE_SHIFT 24
diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
index e633ff8..8e38878 100644
--- a/linux-headers/asm-arm64/kvm.h
+++ b/linux-headers/asm-arm64/kvm.h
@@ -37,6 +37,7 @@
#define __KVM_HAVE_GUEST_DEBUG
#define __KVM_HAVE_IRQ_LINE
+#define __KVM_HAVE_READONLY_MEM
#define KVM_REG_SIZE(id) \
(1U << (((id) & KVM_REG_SIZE_MASK) >> KVM_REG_SIZE_SHIFT))
@@ -159,6 +160,7 @@ struct kvm_arch_memory_slot {
#define KVM_DEV_ARM_VGIC_CPUID_MASK (0xffULL << KVM_DEV_ARM_VGIC_CPUID_SHIFT)
#define KVM_DEV_ARM_VGIC_OFFSET_SHIFT 0
#define KVM_DEV_ARM_VGIC_OFFSET_MASK (0xffffffffULL << KVM_DEV_ARM_VGIC_OFFSET_SHIFT)
+#define KVM_DEV_ARM_VGIC_GRP_NR_IRQS 3
/* KVM_IRQ_LINE irq field index values */
#define KVM_ARM_IRQ_TYPE_SHIFT 24
diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h
index e0e49db..ab4d473 100644
--- a/linux-headers/asm-powerpc/kvm.h
+++ b/linux-headers/asm-powerpc/kvm.h
@@ -476,6 +476,11 @@ struct kvm_get_htab_header {
/* FP and vector status/control registers */
#define KVM_REG_PPC_FPSCR (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0x80)
+/*
+ * VSCR register is documented as a 32-bit register in the ISA, but it can
+ * only be accesses via a vector register. Expose VSCR as a 32-bit register
+ * even though the kernel represents it as a 128-bit vector.
+ */
#define KVM_REG_PPC_VSCR (KVM_REG_PPC | KVM_REG_SIZE_U32 | 0x81)
/* Virtual processor areas */
@@ -557,6 +562,7 @@ struct kvm_get_htab_header {
#define KVM_REG_PPC_DABRX (KVM_REG_PPC | KVM_REG_SIZE_U32 | 0xb8)
#define KVM_REG_PPC_WORT (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xb9)
#define KVM_REG_PPC_SPRG9 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xba)
+#define KVM_REG_PPC_DBSR (KVM_REG_PPC | KVM_REG_SIZE_U32 | 0xbb)
/* Transactional Memory checkpointed state:
* This is all GPRs, all VSX regs and a subset of SPRs
diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h
index 98bedf3..d36b2fa 100644
--- a/linux-headers/asm-s390/kvm.h
+++ b/linux-headers/asm-s390/kvm.h
@@ -111,12 +111,22 @@ struct kvm_guest_debug_arch {
#define KVM_SYNC_GPRS (1UL << 1)
#define KVM_SYNC_ACRS (1UL << 2)
#define KVM_SYNC_CRS (1UL << 3)
+#define KVM_SYNC_ARCH0 (1UL << 4)
+#define KVM_SYNC_PFAULT (1UL << 5)
/* definition of registers in kvm_run */
struct kvm_sync_regs {
__u64 prefix; /* prefix register */
__u64 gprs[16]; /* general purpose registers */
__u32 acrs[16]; /* access registers */
__u64 crs[16]; /* control registers */
+ __u64 todpr; /* tod programmable register [ARCH0] */
+ __u64 cputm; /* cpu timer [ARCH0] */
+ __u64 ckc; /* clock comparator [ARCH0] */
+ __u64 pp; /* program parameter [ARCH0] */
+ __u64 gbea; /* guest breaking-event address [ARCH0] */
+ __u64 pft; /* pfault token [PFAULT] */
+ __u64 pfs; /* pfault select [PFAULT] */
+ __u64 pfc; /* pfault compare [PFAULT] */
};
#define KVM_REG_S390_TODPR (KVM_REG_S390 | KVM_REG_SIZE_U32 | 0x1)
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 2669938..12045a1 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -654,9 +654,7 @@ struct kvm_ppc_smmu_info {
#endif
/* Bug in KVM_SET_USER_MEMORY_REGION fixed: */
#define KVM_CAP_DESTROY_MEMORY_REGION_WORKS 21
-#ifdef __KVM_HAVE_USER_NMI
#define KVM_CAP_USER_NMI 22
-#endif
#ifdef __KVM_HAVE_GUEST_DEBUG
#define KVM_CAP_SET_GUEST_DEBUG 23
#endif
@@ -738,9 +736,7 @@ struct kvm_ppc_smmu_info {
#define KVM_CAP_PPC_GET_SMMU_INFO 78
#define KVM_CAP_S390_COW 79
#define KVM_CAP_PPC_ALLOC_HTAB 80
-#ifdef __KVM_HAVE_READONLY_MEM
#define KVM_CAP_READONLY_MEM 81
-#endif
#define KVM_CAP_IRQFD_RESAMPLE 82
#define KVM_CAP_PPC_BOOKE_WATCHDOG 83
#define KVM_CAP_PPC_HTAB_FD 84
@@ -947,15 +943,25 @@ struct kvm_device_attr {
__u64 addr; /* userspace address of attr data */
};
-#define KVM_DEV_TYPE_FSL_MPIC_20 1
-#define KVM_DEV_TYPE_FSL_MPIC_42 2
-#define KVM_DEV_TYPE_XICS 3
-#define KVM_DEV_TYPE_VFIO 4
#define KVM_DEV_VFIO_GROUP 1
#define KVM_DEV_VFIO_GROUP_ADD 1
#define KVM_DEV_VFIO_GROUP_DEL 2
-#define KVM_DEV_TYPE_ARM_VGIC_V2 5
-#define KVM_DEV_TYPE_FLIC 6
+
+enum kvm_device_type {
+ KVM_DEV_TYPE_FSL_MPIC_20 = 1,
+#define KVM_DEV_TYPE_FSL_MPIC_20 KVM_DEV_TYPE_FSL_MPIC_20
+ KVM_DEV_TYPE_FSL_MPIC_42,
+#define KVM_DEV_TYPE_FSL_MPIC_42 KVM_DEV_TYPE_FSL_MPIC_42
+ KVM_DEV_TYPE_XICS,
+#define KVM_DEV_TYPE_XICS KVM_DEV_TYPE_XICS
+ KVM_DEV_TYPE_VFIO,
+#define KVM_DEV_TYPE_VFIO KVM_DEV_TYPE_VFIO
+ KVM_DEV_TYPE_ARM_VGIC_V2,
+#define KVM_DEV_TYPE_ARM_VGIC_V2 KVM_DEV_TYPE_ARM_VGIC_V2
+ KVM_DEV_TYPE_FLIC,
+#define KVM_DEV_TYPE_FLIC KVM_DEV_TYPE_FLIC
+ KVM_DEV_TYPE_MAX,
+};
/*
* ioctls for VM fds
@@ -1093,7 +1099,7 @@ struct kvm_s390_ucas_mapping {
#define KVM_S390_INITIAL_RESET _IO(KVMIO, 0x97)
#define KVM_GET_MP_STATE _IOR(KVMIO, 0x98, struct kvm_mp_state)
#define KVM_SET_MP_STATE _IOW(KVMIO, 0x99, struct kvm_mp_state)
-/* Available with KVM_CAP_NMI */
+/* Available with KVM_CAP_USER_NMI */
#define KVM_NMI _IO(KVMIO, 0x9a)
/* Available with KVM_CAP_SET_GUEST_DEBUG */
#define KVM_SET_GUEST_DEBUG _IOW(KVMIO, 0x9b, struct kvm_guest_debug)
diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
index 95b591b..0f21aa6 100644
--- a/linux-headers/linux/vfio.h
+++ b/linux-headers/linux/vfio.h
@@ -33,6 +33,9 @@
/* Check if EEH is supported */
#define VFIO_EEH 5
+/* Two-stage IOMMU */
+#define VFIO_TYPE1_NESTING_IOMMU 6 /* Implies v2 */
+
/*
* The IOCTL interface is designed for extensibility by embedding the
* structure length (argsz) and flags into structures passed between
commit 0be839a2701369f669532ea5884c15bead1c6e08
Author: Michael S. Tsirkin <mst at redhat.com>
Date: Wed Nov 12 11:44:39 2014 +0200
migration: fix parameter validation on ram load
During migration, the values read from migration stream during ram load
are not validated. Especially offset in host_from_stream_offset() and
also the length of the writes in the callers of said function.
To fix this, we need to make sure that the [offset, offset + length]
range fits into one of the allocated memory regions.
Validating addr < len should be sufficient since data seems to always be
managed in TARGET_PAGE_SIZE chunks.
Fixes: CVE-2014-7840
Note: follow-up patches add extra checks on each block->host access.
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert at redhat.com>
Signed-off-by: Amit Shah <amit.shah at redhat.com>
diff --git a/arch_init.c b/arch_init.c
index 88a5ba0..593a990 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
uint8_t len;
if (flags & RAM_SAVE_FLAG_CONTINUE) {
- if (!block) {
+ if (!block || block->length <= offset) {
error_report("Ack, bad migration stream!");
return NULL;
}
@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
id[len] = 0;
QTAILQ_FOREACH(block, &ram_list.blocks, next) {
- if (!strncmp(id, block->idstr, sizeof(id)))
+ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
return memory_region_get_ram_ptr(block->mr) + offset;
+ }
}
error_report("Can't find block %s!", id);
commit 098ffa6674a82ceac0e3ccb3a8a5bf6ca44adcd5
Author: Max Reitz <mreitz at redhat.com>
Date: Tue Nov 18 11:23:06 2014 +0100
block/raw-posix: Catch fsync() errors
fsync() may fail, and that case should be handled.
Reported-by: László Érsek <lersek at redhat.com>
Signed-off-by: Max Reitz <mreitz at redhat.com>
Signed-off-by: Kevin Wolf <kwolf at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index d106fc4..b1af77e 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1454,7 +1454,12 @@ static int raw_create(const char *filename, QemuOpts *opts, Error **errp)
left -= result;
}
if (result >= 0) {
- fsync(fd);
+ result = fsync(fd);
+ if (result < 0) {
+ result = -errno;
+ error_setg_errno(errp, -result,
+ "Could not flush new file to disk");
+ }
}
g_free(buf);
break;
commit 731de38052b245eab79e417aeac5e1dcebe6437f
Author: Max Reitz <mreitz at redhat.com>
Date: Tue Nov 18 11:23:05 2014 +0100
block/raw-posix: Only sync after successful preallocation
The loop which filled the file with zeroes may have been left early due
to an error. In that case, the fsync() should be skipped.
Signed-off-by: Max Reitz <mreitz at redhat.com>
Signed-off-by: Kevin Wolf <kwolf at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index e0e48c5..d106fc4 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1453,7 +1453,9 @@ static int raw_create(const char *filename, QemuOpts *opts, Error **errp)
}
left -= result;
}
- fsync(fd);
+ if (result >= 0) {
+ fsync(fd);
+ }
g_free(buf);
break;
}
commit 39411cf3c316de0fe3cbb9585774bacfe3bd8efd
Author: Max Reitz <mreitz at redhat.com>
Date: Tue Nov 18 11:23:04 2014 +0100
block/raw-posix: Fix preallocating write() loop
write() may write less bytes than requested; in this case, the number of
bytes written is returned. This is the byte count we should be
subtracting from the number of bytes still to be written, and not the
byte count we requested to write.
Reported-by: László Érsek <lersek at redhat.com>
Signed-off-by: Max Reitz <mreitz at redhat.com>
Signed-off-by: Kevin Wolf <kwolf at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index 414e6d1..e0e48c5 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1451,7 +1451,7 @@ static int raw_create(const char *filename, QemuOpts *opts, Error **errp)
"Could not write to the new file");
break;
}
- left -= num;
+ left -= result;
}
fsync(fd);
g_free(buf);
commit f874bf905ff2f8dcc17acbfc61e49a92a6f4d04b
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Sun Nov 16 19:44:21 2014 +0000
exec: Handle multipage ranges in invalidate_and_set_dirty()
The code in invalidate_and_set_dirty() needs to handle addr/length
combinations which cross guest physical page boundaries. This can happen,
for example, when disk I/O reads large blocks into guest RAM which previously
held code that we have cached translations for. Unfortunately we were only
checking the clean/dirty status of the first page in the range, and then
were calling a tb_invalidate function which only handles ranges that don't
cross page boundaries. Fix the function to deal with multipage ranges.
The symptoms of this bug were that guest code would misbehave (eg segfault),
in particular after a guest reboot but potentially any time the guest
reused a page of its physical RAM for new code.
Cc: qemu-stable at nongnu.org
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
Message-id: 1416167061-13203-1-git-send-email-peter.maydell at linaro.org
diff --git a/exec.c b/exec.c
index 759055d..f0e2bd3 100644
--- a/exec.c
+++ b/exec.c
@@ -2066,10 +2066,8 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
static void invalidate_and_set_dirty(hwaddr addr,
hwaddr length)
{
- if (cpu_physical_memory_is_clean(addr)) {
- /* invalidate code */
- tb_invalidate_phys_page_range(addr, addr + length, 0);
- /* set dirty bit */
+ if (cpu_physical_memory_range_includes_clean(addr, length)) {
+ tb_invalidate_phys_range(addr, addr + length, 0);
cpu_physical_memory_set_dirty_range_nocode(addr, length);
}
xen_modified_memory(addr, length);
diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h
index cf1d4c7..8fc75cd 100644
--- a/include/exec/ram_addr.h
+++ b/include/exec/ram_addr.h
@@ -49,6 +49,21 @@ static inline bool cpu_physical_memory_get_dirty(ram_addr_t start,
return next < end;
}
+static inline bool cpu_physical_memory_get_clean(ram_addr_t start,
+ ram_addr_t length,
+ unsigned client)
+{
+ unsigned long end, page, next;
+
+ assert(client < DIRTY_MEMORY_NUM);
+
+ end = TARGET_PAGE_ALIGN(start + length) >> TARGET_PAGE_BITS;
+ page = start >> TARGET_PAGE_BITS;
+ next = find_next_zero_bit(ram_list.dirty_memory[client], end, page);
+
+ return next < end;
+}
+
static inline bool cpu_physical_memory_get_dirty_flag(ram_addr_t addr,
unsigned client)
{
@@ -64,6 +79,16 @@ static inline bool cpu_physical_memory_is_clean(ram_addr_t addr)
return !(vga && code && migration);
}
+static inline bool cpu_physical_memory_range_includes_clean(ram_addr_t start,
+ ram_addr_t length)
+{
+ bool vga = cpu_physical_memory_get_clean(start, length, DIRTY_MEMORY_VGA);
+ bool code = cpu_physical_memory_get_clean(start, length, DIRTY_MEMORY_CODE);
+ bool migration =
+ cpu_physical_memory_get_clean(start, length, DIRTY_MEMORY_MIGRATION);
+ return vga || code || migration;
+}
+
static inline void cpu_physical_memory_set_dirty_flag(ram_addr_t addr,
unsigned client)
{
commit 867678530240ed7a4aaf647df08be98bebd3b1f0
Merge: 1aba4be d1f06fe
Author: Kevin Wolf <kwolf at redhat.com>
Date: Tue Nov 18 11:01:05 2014 +0100
Merge remote-tracking branch 'mreitz/block' into queue-block
* mreitz/block:
raw-posix: The SEEK_HOLE code is flawed, rewrite it
raw-posix: SEEK_HOLE suffices, get rid of FIEMAP
raw-posix: Fix comment for raw_co_get_block_status()
commit d1f06fe665acdd7aa7a46a5ef88172c3d7d3028e
Author: Markus Armbruster <armbru at redhat.com>
Date: Mon Nov 17 11:18:34 2014 +0100
raw-posix: The SEEK_HOLE code is flawed, rewrite it
On systems where SEEK_HOLE in a trailing hole seeks to EOF (Solaris,
but not Linux), try_seek_hole() reports trailing data instead.
Additionally, unlikely lseek() failures are treated badly:
* When SEEK_HOLE fails, try_seek_hole() reports trailing data. For
-ENXIO, there's in fact a trailing hole. Can happen only when
something truncated the file since we opened it.
* When SEEK_HOLE succeeds, SEEK_DATA fails, and SEEK_END succeeds,
then try_seek_hole() reports a trailing hole. This is okay only
when SEEK_DATA failed with -ENXIO (which means the non-trailing hole
found by SEEK_HOLE has since become trailing somehow). For other
failures (unlikely), it's wrong.
* When SEEK_HOLE succeeds, SEEK_DATA fails, SEEK_END fails (unlikely),
then try_seek_hole() reports bogus data [-1,start), which its caller
raw_co_get_block_status() turns into zero sectors of data. Could
theoretically lead to infinite loops in code that attempts to scan
data vs. hole forward.
Rewrite from scratch, with very careful comments.
Signed-off-by: Markus Armbruster <armbru at redhat.com>
Reviewed-by: Max Reitz <mreitz at redhat.com>
Reviewed-by: Eric Blake <eblake at redhat.com>
Signed-off-by: Max Reitz <mreitz at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index a29130e..414e6d1 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1475,28 +1475,86 @@ out:
return result;
}
-static int try_seek_hole(BlockDriverState *bs, off_t start, off_t *data,
- off_t *hole)
+/*
+ * Find allocation range in @bs around offset @start.
+ * May change underlying file descriptor's file offset.
+ * If @start is not in a hole, store @start in @data, and the
+ * beginning of the next hole in @hole, and return 0.
+ * If @start is in a non-trailing hole, store @start in @hole and the
+ * beginning of the next non-hole in @data, and return 0.
+ * If @start is in a trailing hole or beyond EOF, return -ENXIO.
+ * If we can't find out, return a negative errno other than -ENXIO.
+ */
+static int find_allocation(BlockDriverState *bs, off_t start,
+ off_t *data, off_t *hole)
{
#if defined SEEK_HOLE && defined SEEK_DATA
BDRVRawState *s = bs->opaque;
+ off_t offs;
- *hole = lseek(s->fd, start, SEEK_HOLE);
- if (*hole == -1) {
- return -errno;
+ /*
+ * SEEK_DATA cases:
+ * D1. offs == start: start is in data
+ * D2. offs > start: start is in a hole, next data at offs
+ * D3. offs < 0, errno = ENXIO: either start is in a trailing hole
+ * or start is beyond EOF
+ * If the latter happens, the file has been truncated behind
+ * our back since we opened it. All bets are off then.
+ * Treating like a trailing hole is simplest.
+ * D4. offs < 0, errno != ENXIO: we learned nothing
+ */
+ offs = lseek(s->fd, start, SEEK_DATA);
+ if (offs < 0) {
+ return -errno; /* D3 or D4 */
+ }
+ assert(offs >= start);
+
+ if (offs > start) {
+ /* D2: in hole, next data at offs */
+ *hole = start;
+ *data = offs;
+ return 0;
}
- if (*hole > start) {
+ /* D1: in data, end not yet known */
+
+ /*
+ * SEEK_HOLE cases:
+ * H1. offs == start: start is in a hole
+ * If this happens here, a hole has been dug behind our back
+ * since the previous lseek().
+ * H2. offs > start: either start is in data, next hole at offs,
+ * or start is in trailing hole, EOF at offs
+ * Linux treats trailing holes like any other hole: offs ==
+ * start. Solaris seeks to EOF instead: offs > start (blech).
+ * If that happens here, a hole has been dug behind our back
+ * since the previous lseek().
+ * H3. offs < 0, errno = ENXIO: start is beyond EOF
+ * If this happens, the file has been truncated behind our
+ * back since we opened it. Treat it like a trailing hole.
+ * H4. offs < 0, errno != ENXIO: we learned nothing
+ * Pretend we know nothing at all, i.e. "forget" about D1.
+ */
+ offs = lseek(s->fd, start, SEEK_HOLE);
+ if (offs < 0) {
+ return -errno; /* D1 and (H3 or H4) */
+ }
+ assert(offs >= start);
+
+ if (offs > start) {
+ /*
+ * D1 and H2: either in data, next hole at offs, or it was in
+ * data but is now in a trailing hole. In the latter case,
+ * all bets are off. Treating it as if it there was data all
+ * the way to EOF is safe, so simply do that.
+ */
*data = start;
- } else {
- /* On a hole. We need another syscall to find its end. */
- *data = lseek(s->fd, start, SEEK_DATA);
- if (*data == -1) {
- *data = lseek(s->fd, 0, SEEK_END);
- }
+ *hole = offs;
+ return 0;
}
- return 0;
+ /* D1 and H1 */
+ return -EBUSY;
#else
return -ENOTSUP;
#endif
@@ -1539,25 +1597,26 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs,
nb_sectors = DIV_ROUND_UP(total_size - start, BDRV_SECTOR_SIZE);
}
- ret = try_seek_hole(bs, start, &data, &hole);
- if (ret < 0) {
- /* Assume everything is allocated. */
- data = 0;
- hole = start + nb_sectors * BDRV_SECTOR_SIZE;
- ret = 0;
- }
-
- assert(ret >= 0);
-
- if (data <= start) {
+ ret = find_allocation(bs, start, &data, &hole);
+ if (ret == -ENXIO) {
+ /* Trailing hole */
+ *pnum = nb_sectors;
+ ret = BDRV_BLOCK_ZERO;
+ } else if (ret < 0) {
+ /* No info available, so pretend there are no holes */
+ *pnum = nb_sectors;
+ ret = BDRV_BLOCK_DATA;
+ } else if (data == start) {
/* On a data extent, compute sectors to the end of the extent. */
*pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE);
- return ret | BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID | start;
+ ret = BDRV_BLOCK_DATA;
} else {
/* On a hole, compute sectors to the beginning of the next extent. */
+ assert(hole == start);
*pnum = MIN(nb_sectors, (data - start) / BDRV_SECTOR_SIZE);
- return ret | BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID | start;
+ ret = BDRV_BLOCK_ZERO;
}
+ return ret | BDRV_BLOCK_OFFSET_VALID | start;
}
static coroutine_fn BlockAIOCB *raw_aio_discard(BlockDriverState *bs,
commit c4875e5b2216cf5427459e619b10f75083565792
Author: Markus Armbruster <armbru at redhat.com>
Date: Mon Nov 17 11:18:33 2014 +0100
raw-posix: SEEK_HOLE suffices, get rid of FIEMAP
Commit 5500316 (May 2012) implemented raw_co_is_allocated() as
follows:
1. If defined(CONFIG_FIEMAP), use the FS_IOC_FIEMAP ioctl
2. Else if defined(SEEK_HOLE) && defined(SEEK_DATA), use lseek()
3. Else pretend there are no holes
Later on, raw_co_is_allocated() was generalized to
raw_co_get_block_status().
Commit 4f11aa8 (May 2014) changed it to try the three methods in order
until success, because "there may be implementations which support
[SEEK_HOLE/SEEK_DATA] but not [FIEMAP] (e.g., NFSv4.2) as well as vice
versa."
Unfortunately, we used FIEMAP incorrectly: we lacked FIEMAP_FLAG_SYNC.
Commit 38c4d0a (Sep 2014) added it. Because that's a significant
speed hit, the next commit 7c159037 put SEEK_HOLE/SEEK_DATA first.
As you see, the obvious use of FIEMAP is wrong, and the correct use is
slow. I guess this puts it somewhere between -7 "The obvious use is
wrong" and -10 "It's impossible to get right" on Rusty Russel's Hard
to Misuse scale[*].
"Fortunately", the FIEMAP code is used only when
* SEEK_HOLE/SEEK_DATA aren't defined, but CONFIG_FIEMAP is
Uncommon. SEEK_HOLE had no XFS implementation between 2011 (when it
was introduced for ext4 and btrfs) and 2012.
* SEEK_HOLE/SEEK_DATA and CONFIG_FIEMAP are defined, but lseek() fails
Unlikely.
Thus, the FIEMAP code executes rarely. Makes it a nice hidey-hole for
bugs. Worse, bugs hiding there can theoretically bite even on a host
that has SEEK_HOLE/SEEK_DATA.
I don't want to worry about this crap, not even theoretically. Get
rid of it.
[*] http://ozlabs.org/~rusty/index.cgi/tech/2008-04-01.html
Signed-off-by: Markus Armbruster <armbru at redhat.com>
Reviewed-by: Max Reitz <mreitz at redhat.com>
Reviewed-by: Eric Blake <eblake at redhat.com>
Signed-off-by: Max Reitz <mreitz at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index 706d3c0..a29130e 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -60,9 +60,6 @@
#define FS_NOCOW_FL 0x00800000 /* Do not cow file */
#endif
#endif
-#ifdef CONFIG_FIEMAP
-#include <linux/fiemap.h>
-#endif
#ifdef CONFIG_FALLOCATE_PUNCH_HOLE
#include <linux/falloc.h>
#endif
@@ -151,9 +148,6 @@ typedef struct BDRVRawState {
bool has_write_zeroes:1;
bool discard_zeroes:1;
bool needs_alignment;
-#ifdef CONFIG_FIEMAP
- bool skip_fiemap;
-#endif
} BDRVRawState;
typedef struct BDRVRawReopenState {
@@ -1481,52 +1475,6 @@ out:
return result;
}
-static int try_fiemap(BlockDriverState *bs, off_t start, off_t *data,
- off_t *hole, int nb_sectors)
-{
-#ifdef CONFIG_FIEMAP
- BDRVRawState *s = bs->opaque;
- int ret = 0;
- struct {
- struct fiemap fm;
- struct fiemap_extent fe;
- } f;
-
- if (s->skip_fiemap) {
- return -ENOTSUP;
- }
-
- f.fm.fm_start = start;
- f.fm.fm_length = (int64_t)nb_sectors * BDRV_SECTOR_SIZE;
- f.fm.fm_flags = FIEMAP_FLAG_SYNC;
- f.fm.fm_extent_count = 1;
- f.fm.fm_reserved = 0;
- if (ioctl(s->fd, FS_IOC_FIEMAP, &f) == -1) {
- s->skip_fiemap = true;
- return -errno;
- }
-
- if (f.fm.fm_mapped_extents == 0) {
- /* No extents found, data is beyond f.fm.fm_start + f.fm.fm_length.
- * f.fm.fm_start + f.fm.fm_length must be clamped to the file size!
- */
- off_t length = lseek(s->fd, 0, SEEK_END);
- *hole = f.fm.fm_start;
- *data = MIN(f.fm.fm_start + f.fm.fm_length, length);
- } else {
- *data = f.fe.fe_logical;
- *hole = f.fe.fe_logical + f.fe.fe_length;
- if (f.fe.fe_flags & FIEMAP_EXTENT_UNWRITTEN) {
- ret |= BDRV_BLOCK_ZERO;
- }
- }
-
- return ret;
-#else
- return -ENOTSUP;
-#endif
-}
-
static int try_seek_hole(BlockDriverState *bs, off_t start, off_t *data,
off_t *hole)
{
@@ -1593,13 +1541,10 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs,
ret = try_seek_hole(bs, start, &data, &hole);
if (ret < 0) {
- ret = try_fiemap(bs, start, &data, &hole, nb_sectors);
- if (ret < 0) {
- /* Assume everything is allocated. */
- data = 0;
- hole = start + nb_sectors * BDRV_SECTOR_SIZE;
- ret = 0;
- }
+ /* Assume everything is allocated. */
+ data = 0;
+ hole = start + nb_sectors * BDRV_SECTOR_SIZE;
+ ret = 0;
}
assert(ret >= 0);
commit be2ebc6dad31918e9b6ba241dbe1ea0942c5d691
Author: Markus Armbruster <armbru at redhat.com>
Date: Mon Nov 17 11:18:32 2014 +0100
raw-posix: Fix comment for raw_co_get_block_status()
Missed in commit 705be72.
Signed-off-by: Markus Armbruster <armbru at redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
Reviewed-by: Fam Zheng <famz at redhat.com>
Reviewed-by: Eric Blake <eblake at redhat.com>
Reviewed-by: Max Reitz <mreitz at redhat.com>
Signed-off-by: Max Reitz <mreitz at redhat.com>
diff --git a/block/raw-posix.c b/block/raw-posix.c
index e100ae2..706d3c0 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1555,9 +1555,7 @@ static int try_seek_hole(BlockDriverState *bs, off_t start, off_t *data,
}
/*
- * Returns true iff the specified sector is present in the disk image. Drivers
- * not implementing the functionality are assumed to not support backing files,
- * hence all their sectors are reported as allocated.
+ * Returns the allocation status of the specified sectors.
*
* If 'sector_num' is beyond the end of the disk image the return value is 0
* and 'pnum' is set to 0.
commit d6be29e3fb5659102ac0e48e295d177cb67e32c5
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Thu Nov 13 14:56:09 2014 +0000
target-arm: handle address translations that start at level 3
The ARMv8 address translation system defines that a page table walk
starts at a level which depends on the translation granule size
and the number of bits of virtual address that need to be resolved.
Where the translation granule is 64KB and the guest sets the
TCR.TxSZ field to between 35 and 39, it's actually possible to
start at level 3 (the final level). QEMU's implementation failed
to handle this case, and so we would set level to 2 and behave
incorrectly (including invoking the C undefined behaviour of
shifting left by a negative number). Correct the code that
determines the starting level to deal with the start-at-3 case,
by replacing the if-else ladder with an expression derived from
the ARM ARM pseudocode version.
This error was detected by the Coverity scan, which spotted
the potential shift by a negative number.
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
Message-id: 1415890569-7454-1-git-send-email-peter.maydell at linaro.org
diff --git a/target-arm/helper.c b/target-arm/helper.c
index c47487a..b74d348 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -4545,16 +4545,18 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address,
goto do_fault;
}
- /* The starting level depends on the virtual address size which can be
- * up to 48-bits and the translation granule size.
+ /* The starting level depends on the virtual address size (which can be
+ * up to 48 bits) and the translation granule size. It indicates the number
+ * of strides (granule_sz bits at a time) needed to consume the bits
+ * of the input address. In the pseudocode this is:
+ * level = 4 - RoundUp((inputsize - grainsize) / stride)
+ * where their 'inputsize' is our 'va_size - tsz', 'grainsize' is
+ * our 'granule_sz + 3' and 'stride' is our 'granule_sz'.
+ * Applying the usual "rounded up m/n is (m+n-1)/n" and simplifying:
+ * = 4 - (va_size - tsz - granule_sz - 3 + granule_sz - 1) / granule_sz
+ * = 4 - (va_size - tsz - 4) / granule_sz;
*/
- if ((va_size - tsz) > (granule_sz * 4 + 3)) {
- level = 0;
- } else if ((va_size - tsz) > (granule_sz * 3 + 3)) {
- level = 1;
- } else {
- level = 2;
- }
+ level = 4 - (va_size - tsz - 4) / granule_sz;
/* Clear the vaddr bits which aren't part of the within-region address,
* so that we don't have to special case things when calculating the
commit 1aba4be97eb01b650d146c7f01dc961d55da62ab
Merge: d8edf52 a9be765
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Nov 17 17:22:03 2014 +0000
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
A smattering of fixes for problems that Coverity reported.
# gpg: Signature made Mon 17 Nov 2014 17:03:25 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini at gnu.org>"
# gpg: aka "Paolo Bonzini <pbonzini at redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream:
hcd-musb: fix dereference null return value
target-cris/translate.c: fix out of bounds read
shpc: fix error propaagation
qemu-char: fix MISSING_COMMA
acl: fix memory leak
nvme: remove superfluous check
loader: fix NEGATIVE_RETURNS
qga: fix false negative argument passing
mips_mipssim: fix use-after-free for filename
l2tpv3: fix fd leak
l2tpv3: fix possible double free
libcacard: fix resource leak
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit a9be76576e375a994bbcea0a5eb2a3852969de0e
Author: Paolo Bonzini <pbonzini at redhat.com>
Date: Mon Nov 17 11:57:23 2014 +0100
hcd-musb: fix dereference null return value
usb_ep_get and usb_handle_packet can deal with a NULL device, but we have
to avoid dereferencing NULL pointers when building the id.
Thanks to Gonglei for an initial stab at fixing this.
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
index 66bc61a..40809f6 100644
--- a/hw/usb/hcd-musb.c
+++ b/hw/usb/hcd-musb.c
@@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
USBDevice *dev;
USBEndpoint *uep;
int idx = epnum && dir;
+ int id;
int ttype;
/* ep->type[0,1] contains:
@@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
/* A wild guess on the FADDR semantics... */
dev = usb_find_device(&s->port, ep->faddr[idx]);
uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
- usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
- (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
+ id = pid;
+ if (uep) {
+ id |= (dev->addr << 16) | (uep->nr << 8);
+ }
+ usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
ep->packey[dir].ep = ep;
ep->packey[dir].dir = dir;
commit d8edf52a51846286ecdbe8370b5111655618e849
Merge: 4e70f92 35fb5b7
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Mon Nov 17 15:37:10 2014 +0000
Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging
Update OpenBIOS images
# gpg: Signature made Sat 15 Nov 2014 13:12:02 GMT using RSA key ID AE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland at ilande.co.uk>"
* remotes/mcayland/tags/qemu-openbios-signed:
Update OpenBIOS images
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit fae38221e78fc9f847965f6d18b359b8044df348
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date: Mon Nov 17 13:57:34 2014 +0800
target-cris/translate.c: fix out of bounds read
In function t_gen_mov_TN_preg and t_gen_mov_preg_TN, The begin check about the
validity of in-parameter 'r' is useless. We still access cpu_PR[r] in the
follow code if it is invalid. Which will be an out-of-bounds read error.
Fix it by using assert() to ensure it is valid before using it.
Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/target-cris/translate.c b/target-cris/translate.c
index e37b04e..76406af 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -169,9 +169,7 @@ static int preg_sizes[] = {
static inline void t_gen_mov_TN_preg(TCGv tn, int r)
{
- if (r < 0 || r > 15) {
- fprintf(stderr, "wrong register read $p%d\n", r);
- }
+ assert(r >= 0 && r <= 15);
if (r == PR_BZ || r == PR_WZ || r == PR_DZ) {
tcg_gen_mov_tl(tn, tcg_const_tl(0));
} else if (r == PR_VR) {
@@ -182,9 +180,7 @@ static inline void t_gen_mov_TN_preg(TCGv tn, int r)
}
static inline void t_gen_mov_preg_TN(DisasContext *dc, int r, TCGv tn)
{
- if (r < 0 || r > 15) {
- fprintf(stderr, "wrong register write $p%d\n", r);
- }
+ assert(r >= 0 && r <= 15);
if (r == PR_BZ || r == PR_WZ || r == PR_DZ) {
return;
} else if (r == PR_SRS) {
commit 0e8b439ae57ee3c46fb95e1775ea038d34496346
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:47 2014 +0800
shpc: fix error propaagation
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/pci/shpc.c b/hw/pci/shpc.c
index 65b2f51..9a39060 100644
--- a/hw/pci/shpc.c
+++ b/hw/pci/shpc.c
@@ -559,8 +559,9 @@ void shpc_device_hot_unplug_request_cb(HotplugHandler *hotplug_dev,
uint8_t led;
int slot;
- shpc_device_hotplug_common(PCI_DEVICE(dev), &slot, shpc, errp);
+ shpc_device_hotplug_common(PCI_DEVICE(dev), &slot, shpc, &local_err);
if (local_err) {
+ error_propagate(errp, local_err);
return;
}
commit 86d10328a019b19838de3f7964a9da16af3a5073
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:46 2014 +0800
qemu-char: fix MISSING_COMMA
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/qemu-char.c b/qemu-char.c
index bd0709b..4a76f0f 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -464,7 +464,7 @@ static const char * const mux_help[] = {
"% h print this help\n\r",
"% x exit emulator\n\r",
"% s save disk data back to file (if -snapshot)\n\r",
- "% t toggle console timestamps\n\r"
+ "% t toggle console timestamps\n\r",
"% b send break (magic sysrq)\n\r",
"% c switch between console and monitor\n\r",
"% % sends %\n\r",
commit 6cfcd864a468eb7bd3da20a5462b5af1791581d3
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:45 2014 +0800
acl: fix memory leak
If 'i != index' for all acl->entries, variable
entry leaks the storage it points to.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/util/acl.c b/util/acl.c
index 938b7ae..571d686 100644
--- a/util/acl.c
+++ b/util/acl.c
@@ -132,7 +132,6 @@ int qemu_acl_insert(qemu_acl *acl,
const char *match,
int index)
{
- qemu_acl_entry *entry;
qemu_acl_entry *tmp;
int i = 0;
@@ -142,13 +141,14 @@ int qemu_acl_insert(qemu_acl *acl,
return qemu_acl_append(acl, deny, match);
}
- entry = g_malloc(sizeof(*entry));
- entry->match = g_strdup(match);
- entry->deny = deny;
-
QTAILQ_FOREACH(tmp, &acl->entries, next) {
i++;
if (i == index) {
+ qemu_acl_entry *entry;
+ entry = g_malloc(sizeof(*entry));
+ entry->match = g_strdup(match);
+ entry->deny = deny;
+
QTAILQ_INSERT_BEFORE(tmp, entry, next);
acl->nentries++;
break;
commit 720fdd6fa92df9041316e94816ab7e56abaed4e9
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:44 2014 +0800
nvme: remove superfluous check
Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
((n->bar.aqa >> AQA_ASQS_SHIFT) & AQA_ASQS_MASK) > 4095
is always false regardless of the values of its operands.
This occurs as the logical second operand of '||'.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index b6263dc..1327658 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -583,8 +583,7 @@ static int nvme_start_ctrl(NvmeCtrl *n)
NVME_CC_IOCQES(n->bar.cc) > NVME_CTRL_CQES_MAX(n->id_ctrl.cqes) ||
NVME_CC_IOSQES(n->bar.cc) < NVME_CTRL_SQES_MIN(n->id_ctrl.sqes) ||
NVME_CC_IOSQES(n->bar.cc) > NVME_CTRL_SQES_MAX(n->id_ctrl.sqes) ||
- !NVME_AQA_ASQS(n->bar.aqa) || NVME_AQA_ASQS(n->bar.aqa) > 4095 ||
- !NVME_AQA_ACQS(n->bar.aqa) || NVME_AQA_ACQS(n->bar.aqa) > 4095) {
+ !NVME_AQA_ASQS(n->bar.aqa) || !NVME_AQA_ACQS(n->bar.aqa)) {
return -1;
}
commit ddd2eab72fbd383a56f439bf278c6d647abd4f54
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:43 2014 +0800
loader: fix NEGATIVE_RETURNS
lseek will return -1 on error, g_malloc0(size) and read(,,size)
paramenters cannot be negative. We should add a check for return
value of lseek().
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/core/loader.c b/hw/core/loader.c
index bbe6eb3..fc15535 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -80,6 +80,13 @@ int load_image(const char *filename, uint8_t *addr)
if (fd < 0)
return -1;
size = lseek(fd, 0, SEEK_END);
+ if (size == -1) {
+ fprintf(stderr, "file %-20s: get size error: %s\n",
+ filename, strerror(errno));
+ close(fd);
+ return -1;
+ }
+
lseek(fd, 0, SEEK_SET);
if (read(fd, addr, size) != size) {
close(fd);
@@ -748,6 +755,12 @@ int rom_add_file(const char *file, const char *fw_dir,
}
rom->addr = addr;
rom->romsize = lseek(fd, 0, SEEK_END);
+ if (rom->romsize == -1) {
+ fprintf(stderr, "rom: file %-20s: get size error: %s\n",
+ rom->name, strerror(errno));
+ goto err;
+ }
+
rom->datasize = rom->romsize;
rom->data = g_malloc0(rom->datasize);
lseek(fd, 0, SEEK_SET);
commit 1def74548d8013949c7d4704420d4fdd5fb85268
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:42 2014 +0800
qga: fix false negative argument passing
Function send_response(s, &qdict->base) returns a negative number
when any failures occured. But strerror()'s parameter cannot be
negative. Let's change the testing condition and pass '-ret' to
strerr().
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/qga/main.c b/qga/main.c
index 227f2bd..9939a2b 100644
--- a/qga/main.c
+++ b/qga/main.c
@@ -603,8 +603,8 @@ static void process_event(JSONMessageParser *parser, QList *tokens)
error_free(err);
}
ret = send_response(s, QOBJECT(qdict));
- if (ret) {
- g_warning("error sending error response: %s", strerror(ret));
+ if (ret < 0) {
+ g_warning("error sending error response: %s", strerror(-ret));
}
}
commit 77e205a52856adffdd5db70449a8604aa9f66e74
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:41 2014 +0800
mips_mipssim: fix use-after-free for filename
May pass freed pointer filename as an argument to error_report.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/mips/mips_mipssim.c b/hw/mips/mips_mipssim.c
index 7ea0b9a..5d44c3f 100644
--- a/hw/mips/mips_mipssim.c
+++ b/hw/mips/mips_mipssim.c
@@ -197,7 +197,7 @@ mips_mipssim_init(MachineState *machine)
!kernel_filename && !qtest_enabled()) {
/* Bail out if we have neither a kernel image nor boot vector code. */
error_report("Could not load MIPS bios '%s', and no "
- "-kernel argument was specified", filename);
+ "-kernel argument was specified", bios_name);
exit(1);
} else {
/* We have a boot vector start address. */
commit d4754a953196516b16beef707dcdfdb35c2eec6e
Author: Gonglei <arei.gonglei at huawei.com>
Date: Sat Nov 15 18:06:40 2014 +0800
l2tpv3: fix fd leak
In this false branch, fd will leak when it is zero.
Change the testing condition.
Signed-off-by: Gonglei <arei.gonglei at huawei.com>
[Fix net_l2tpv3_cleanup as well. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/net/l2tpv3.c b/net/l2tpv3.c
index 65db5ef..3b805a7 100644
--- a/net/l2tpv3.c
+++ b/net/l2tpv3.c
@@ -516,7 +516,7 @@ static void net_l2tpv3_cleanup(NetClientState *nc)
qemu_purge_queued_packets(nc);
l2tpv3_read_poll(s, false);
l2tpv3_write_poll(s, false);
- if (s->fd > 0) {
+ if (s->fd >= 0) {
close(s->fd);
}
destroy_vector(s->msgvec, MAX_L2TPV3_MSGCNT, IOVSIZE);
@@ -745,7 +745,7 @@ int net_init_l2tpv3(const NetClientOptions *opts,
return 0;
outerr:
qemu_del_net_client(nc);
- if (fd > 0) {
+ if (fd >= 0) {
close(fd);
}
if (result) {
commit 35fb5b73a2d2f29823f218e6ba12c0ece06af26f
Author: Mark Cave-Ayland <mark.cave-ayland at ilande.co.uk>
Date: Sat Nov 15 13:01:44 2014 +0000
Update OpenBIOS images
Update OpenBIOS images to SVN r1327 built from submodule.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland at ilande.co.uk>
diff --git a/pc-bios/openbios-ppc b/pc-bios/openbios-ppc
index 070399a..994052f 100644
Binary files a/pc-bios/openbios-ppc and b/pc-bios/openbios-ppc differ
diff --git a/pc-bios/openbios-sparc32 b/pc-bios/openbios-sparc32
index 1cf6ea7..6d5a381 100644
Binary files a/pc-bios/openbios-sparc32 and b/pc-bios/openbios-sparc32 differ
diff --git a/pc-bios/openbios-sparc64 b/pc-bios/openbios-sparc64
index 2ed0dff..61bd46b 100644
Binary files a/pc-bios/openbios-sparc64 and b/pc-bios/openbios-sparc64 differ
diff --git a/roms/openbios b/roms/openbios
index b95d533..038aa78 160000
--- a/roms/openbios
+++ b/roms/openbios
@@ -1 +1 @@
-Subproject commit b95d5338f321498a11937ce52ecce510414d4582
+Subproject commit 038aa78d3c331731733378a73e778ee620a5b9da
commit 4e70f9271dabc58fbf14680843bfac510c193152
Merge: b87dcdd 2f01dfa
Author: Peter Maydell <peter.maydell at linaro.org>
Date: Fri Nov 14 12:05:33 2014 +0000
Merge remote-tracking branch 'remotes/sstabellini/xen-2014-11-14' into staging
* remotes/sstabellini/xen-2014-11-14:
xen_disk: fix unmapping of persistent grants
pc: piix4_pm: init legacy PCI hotplug when running on Xen
Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
commit 77374582ab961af2c5e702f767f52179d5f7676c
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date: Fri Nov 14 09:39:23 2014 +0800
l2tpv3: fix possible double free
freeaddrinfo(result) does not assign result = NULL, after frees it.
There will be a double free when it goes error case.
It is reported by covertiy.
Reviewed-by: Gonglei <arei.gonglei at huawei.com>
Cc: qemu-stable at nongnu.org
Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/net/l2tpv3.c b/net/l2tpv3.c
index 528d95b..65db5ef 100644
--- a/net/l2tpv3.c
+++ b/net/l2tpv3.c
@@ -660,7 +660,6 @@ int net_init_l2tpv3(const NetClientOptions *opts,
if (fd == -1) {
fd = -errno;
error_report("l2tpv3_open : socket creation failed, errno = %d", -fd);
- freeaddrinfo(result);
goto outerr;
}
if (bind(fd, (struct sockaddr *) result->ai_addr, result->ai_addrlen)) {
commit 5bbebf622897a59db5da4c468e737bfec4d71280
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date: Fri Nov 14 10:18:08 2014 +0800
libcacard: fix resource leak
In function connect_to_qemu(), getaddrinfo() will allocate memory
that is stored into server, it should be freed by using freeaddrinfo()
before connect_to_qemu() return.
Cc: qemu-stable at nongnu.org
Reviewed-by: Markus Armbruster <armbru at redhat.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/libcacard/vscclient.c b/libcacard/vscclient.c
index 80111df..fa6041d 100644
--- a/libcacard/vscclient.c
+++ b/libcacard/vscclient.c
@@ -597,7 +597,7 @@ connect_to_qemu(
const char *port
) {
struct addrinfo hints;
- struct addrinfo *server;
+ struct addrinfo *server = NULL;
int ret, sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
@@ -629,9 +629,14 @@ connect_to_qemu(
if (verbose) {
printf("Connected (sizeof Header=%zd)!\n", sizeof(VSCMsgHeader));
}
+
+ freeaddrinfo(server);
return sock;
cleanup_socket:
+ if (server) {
+ freeaddrinfo(server);
+ }
closesocket(sock);
return -1;
}
commit 2f01dfacb56bc7a0d4639adc9dff9aae131e6216
Author: Roger Pau Monne <roger.pau at citrix.com>
Date: Thu Nov 13 18:42:09 2014 +0100
xen_disk: fix unmapping of persistent grants
This patch fixes two issues with persistent grants and the disk PV backend
(Qdisk):
- Keep track of memory regions where persistent grants have been mapped
since we need to unmap them as a whole. It is not possible to unmap a
single grant if it has been batch-mapped. A new check has also been added
to make sure persistent grants are only used if the whole mapped region
can be persistently mapped in the batch_maps case.
- Unmap persistent grants before switching to the closed state, so the
frontend can also free them.
Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
Reported-by: George Dunlap <george.dunlap at eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Cc: Kevin Wolf <kwolf at redhat.com>
Cc: Stefan Hajnoczi <stefanha at redhat.com>
Cc: George Dunlap <george.dunlap at eu.citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 231e9a7..21842a0 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -59,6 +59,13 @@ struct PersistentGrant {
typedef struct PersistentGrant PersistentGrant;
+struct PersistentRegion {
+ void *addr;
+ int num;
+};
+
+typedef struct PersistentRegion PersistentRegion;
+
struct ioreq {
blkif_request_t req;
int16_t status;
@@ -118,6 +125,7 @@ struct XenBlkDev {
gboolean feature_discard;
gboolean feature_persistent;
GTree *persistent_gnts;
+ GSList *persistent_regions;
unsigned int persistent_gnt_count;
unsigned int max_grants;
@@ -177,6 +185,23 @@ static void destroy_grant(gpointer pgnt)
g_free(grant);
}
+static void remove_persistent_region(gpointer data, gpointer dev)
+{
+ PersistentRegion *region = data;
+ struct XenBlkDev *blkdev = dev;
+ XenGnttab gnt = blkdev->xendev.gnttabdev;
+
+ if (xc_gnttab_munmap(gnt, region->addr, region->num) != 0) {
+ xen_be_printf(&blkdev->xendev, 0,
+ "xc_gnttab_munmap region %p failed: %s\n",
+ region->addr, strerror(errno));
+ }
+ xen_be_printf(&blkdev->xendev, 3,
+ "unmapped grant region %p with %d pages\n",
+ region->addr, region->num);
+ g_free(region);
+}
+
static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
{
struct ioreq *ioreq = NULL;
@@ -343,6 +368,7 @@ static int ioreq_map(struct ioreq *ioreq)
void *page[BLKIF_MAX_SEGMENTS_PER_REQUEST];
int i, j, new_maps = 0;
PersistentGrant *grant;
+ PersistentRegion *region;
/* domids and refs variables will contain the information necessary
* to map the grants that are needed to fulfill this request.
*
@@ -421,7 +447,22 @@ static int ioreq_map(struct ioreq *ioreq)
}
}
}
- if (ioreq->blkdev->feature_persistent) {
+ if (ioreq->blkdev->feature_persistent && new_maps != 0 &&
+ (!batch_maps || (ioreq->blkdev->persistent_gnt_count + new_maps <=
+ ioreq->blkdev->max_grants))) {
+ /*
+ * If we are using persistent grants and batch mappings only
+ * add the new maps to the list of persistent grants if the whole
+ * area can be persistently mapped.
+ */
+ if (batch_maps) {
+ region = g_malloc0(sizeof(*region));
+ region->addr = ioreq->pages;
+ region->num = new_maps;
+ ioreq->blkdev->persistent_regions = g_slist_append(
+ ioreq->blkdev->persistent_regions,
+ region);
+ }
while ((ioreq->blkdev->persistent_gnt_count < ioreq->blkdev->max_grants)
&& new_maps) {
/* Go through the list of newly mapped grants and add as many
@@ -447,6 +488,7 @@ static int ioreq_map(struct ioreq *ioreq)
grant);
ioreq->blkdev->persistent_gnt_count++;
}
+ assert(!batch_maps || new_maps == 0);
}
for (i = 0; i < ioreq->v.niov; i++) {
ioreq->v.iov[i].iov_base += (uintptr_t)page[i];
@@ -971,7 +1013,10 @@ static int blk_connect(struct XenDevice *xendev)
blkdev->max_grants = max_requests * BLKIF_MAX_SEGMENTS_PER_REQUEST;
blkdev->persistent_gnts = g_tree_new_full((GCompareDataFunc)int_cmp,
NULL, NULL,
+ batch_maps ?
+ (GDestroyNotify)g_free :
(GDestroyNotify)destroy_grant);
+ blkdev->persistent_regions = NULL;
blkdev->persistent_gnt_count = 0;
}
@@ -1000,6 +1045,26 @@ static void blk_disconnect(struct XenDevice *xendev)
blkdev->cnt_map--;
blkdev->sring = NULL;
}
+
+ /*
+ * Unmap persistent grants before switching to the closed state
+ * so the frontend can free them.
+ *
+ * In the !batch_maps case g_tree_destroy will take care of unmapping
+ * the grant, but in the batch_maps case we need to iterate over every
+ * region in persistent_regions and unmap it.
+ */
+ if (blkdev->feature_persistent) {
+ g_tree_destroy(blkdev->persistent_gnts);
+ assert(batch_maps || blkdev->persistent_gnt_count == 0);
+ if (batch_maps) {
+ blkdev->persistent_gnt_count = 0;
+ g_slist_foreach(blkdev->persistent_regions,
+ (GFunc)remove_persistent_region, blkdev);
+ g_slist_free(blkdev->persistent_regions);
+ }
+ blkdev->feature_persistent = false;
+ }
}
static int blk_free(struct XenDevice *xendev)
@@ -1011,11 +1076,6 @@ static int blk_free(struct XenDevice *xendev)
blk_disconnect(xendev);
}
- /* Free persistent grants */
- if (blkdev->feature_persistent) {
- g_tree_destroy(blkdev->persistent_gnts);
- }
-
while (!QLIST_EMPTY(&blkdev->freelist)) {
ioreq = QLIST_FIRST(&blkdev->freelist);
QLIST_REMOVE(ioreq, list);
commit 91ab2ed7221c70ed7fd09ab2665b1f0493c775a4
Author: Igor Mammedov <imammedo at redhat.com>
Date: Fri Nov 14 11:11:44 2014 +0000
pc: piix4_pm: init legacy PCI hotplug when running on Xen
If user starts QEMU with "-machine pc,accel=xen", then
compat property in xenfv won't work and it would cause error:
"Unsupported bus. Bus doesn't have property 'acpi-pcihp-bsel' set"
when PCI device is added with -device on QEMU CLI.
From: Igor Mammedov <imammedo at redhat.com>
In case of Xen instead of using compat property, just use the fact
that xen doesn't use QEMU's fw_cfg/acpi tables to switch piix4_pm
into legacy PCI hotplug mode when Xen is enabled.
Signed-off-by: Igor Mammedov <imammedo at redhat.com>
Signed-off-by: Li Liang <liang.z.li at intel.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Acked-by: Paolo Bonzini <pbonzini at redhat.com>
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 78c0a6d..481a16c 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -36,6 +36,7 @@
#include "hw/mem/pc-dimm.h"
#include "hw/acpi/memory_hotplug.h"
#include "hw/acpi/acpi_dev_interface.h"
+#include "hw/xen/xen.h"
//#define DEBUG
@@ -501,6 +502,9 @@ I2CBus *piix4_pm_init(PCIBus *bus, int devfn, uint32_t smb_io_base,
s->irq = sci_irq;
s->smi_irq = smi_irq;
s->kvm_enabled = kvm_enabled;
+ if (xen_enabled()) {
+ s->use_acpi_pci_hotplug = false;
+ }
qdev_init_nofail(dev);
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index b559181..7bb97a4 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -916,17 +916,6 @@ static QEMUMachine xenfv_machine = {
.max_cpus = HVM_MAX_VCPUS,
.default_machine_opts = "accel=xen",
.hot_add_cpu = pc_hot_add_cpu,
- .compat_props = (GlobalProperty[]) {
- /* xenfv has no fwcfg and so does not load acpi from QEMU.
- * as such new acpi features don't work.
- */
- {
- .driver = "PIIX4_PM",
- .property = "acpi-pci-hotplug-with-bridge-support",
- .value = "off",
- },
- { /* end of list */ }
- },
};
#endif
More information about the Spice-commits
mailing list