4.1.50.plugins #16 (Closed)
NicolasDerumigny wants to merge 6,256 commits into atos-tools:master from NicolasDerumigny:4.1.50.plugins
Conversation
Using memcmp to compare structures wasn't safe, as I found out on ARM when I was getting false miscompares. Use the helper function for comparing the MRSs.

Fixes: ade6d08 ("vhost: Regenerate region list from changed sections list")
Cc: [email protected]
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>

Signed-off-by: Marc-André Lureau <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
…itmap

All pages, either partially sent or partially dirty, will be discarded in postcopy_send_discard_bm_ram(), since we update the unsentmap to be unsentmap = unsentmap | dirty in ram_postcopy_send_discard_bitmap(). This is not necessary to do discard when canonicalizing bitmap. And by doing so, we separate the page discard into two individual steps:

* canonicalize bitmap
* discard page

Signed-off-by: Wei Yang <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

Commit f3f491f ('Postcopy: Maintain unsentmap') introduced unsentmap to track not yet sent pages. This is not necessary since:

* unsentmap is a sub-set of bmap before postcopy start
* unsentmap is the summation of bmap and unsentmap after canonicalizing

This patch just removes it.

Signed-off-by: Wei Yang <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

This is a cleanup for previous removal of unsentmap. The sent parameter is not necessary now.

Signed-off-by: Wei Yang <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

If we've already finished the migration or something has already gone wrong, don't moan about the migration stream disconnecting.

Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
This fixes a deadlock that can occur on the migration source after a failed RDMA migration; as the source tries to cleanup it clears a pair of pointers and uses synchronize_rcu to wait; this is happening on the main thread. With the CPUs running a CPU thread can be an rcu reader and attempt to grab the main lock:

kvm_handle_io->address_space_write->flatview_write->flatview_write_continue->
prepare_mmio_access->qemu_mutex_lock_iothread_impl

Replace the synchronize_rcu with a call_rcu to postpone the freeing.

Fixes: 74637e6 ("migration: implement bi-directional RDMA QIOChannel")
( https://bugzilla.redhat.com/show_bug.cgi?id=1746787 )
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

We've got various places where we wait for a migration to enter a given state; but if we enter an unexpected state we tend to fail in odd ways; add a mechanism for explicitly testing for any state which we shouldn't be in.

Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Cleber Rosa <[email protected]>
Tested-by: Cleber Rosa <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Juan Quintela <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

On slow hosts with tcg we were sometimes finding that the migration would complete during precopy and never get into the postcopy test. Trim back the bandwidth a bit to make that much less likely.

Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Cleber Rosa <[email protected]>
Acked-by: Alex Bennée <[email protected]>
Tested-by: Cleber Rosa <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Reviewed-by: Juan Quintela <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>

Various parts of the migration code do different things when they're in postcopy mode; prior to this patch this has been 'postcopy-active'. This patch extends 'in_postcopy' to include 'postcopy-paused' and 'postcopy-recover'.

In particular, when you set the max-postcopy-bandwidth parameter, this only affects the current migration fd if we're 'in_postcopy'; this leads to a race in the postcopy recovery test where it increases the speed from 4k/sec to unlimited, but that increase can get ignored if the change is made between the point at which the reconnection happens and it transitions back to active.

Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Reviewed-by: Juan Quintela <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Tested-by: Markus Armbruster <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
These bits do not need to vary with the actual page size used by the guest.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Reviewed-by: Paolo Bonzini <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

This forced inlining can result in missing symbols, which makes a debugging build harder to follow.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Reported-by: Peter Maydell <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Use this as a compile-time assert that a particular code path is not reachable.

Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Increase the current runtime assert to a compile-time assert.

Reviewed-by: David Hildenbrand <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

We will shortly be using these more than once.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Handle bswap on ram directly in load/store_helper. This fixes a bug with the previous implementation in that one cannot use the I/O path for RAM.

Fixes: a26fc6f
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

The memory_region_tb_read tracepoint is unreachable, since notdirty is supposed to apply only to writes.

The memory_region_tb_write tracepoint is mis-named, because notdirty is not only used for TB invalidation. It is also used for e.g. VGA RAM updates and migration.

Replace memory_region_tb_write with memory_notdirty_write_access, and place it in memory_notdirty_write_prepare where it can catch all of the instances. Add memory_notdirty_set_dirty to log when we no longer intercept writes to a page.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

It does not require going through the whole I/O path in order to discard a write.

Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Pages that we want to track for NOTDIRTY are RAM. We do not really need to go through the I/O path to handle them.

Acked-by: David Hildenbrand <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
There is only one caller, tlb_set_page_with_attrs. We cannot inline the entire function because the AddressSpaceDispatch structure is private to exec.c, and cannot easily be moved to include/exec/memory-internal.h.

Compute is_ram and is_romd once within tlb_set_page_with_attrs. Fold the number of tests against these predicates. Compute cpu_physical_memory_is_clean outside of the tlb lock region.

Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Since 9458a9a, all readers of the dirty bitmaps wait for the rcu lock, which means that they wait until the end of any executing TranslationBlock.

As a consequence, there is no need for the actual access to happen in between the _prepare and _complete. Therefore, we can improve things by merging the two functions into notdirty_write and dropping the NotDirtyInfo structure.

In addition, the only users of notdirty_write are in cputlb.c, so move the merged function there. Pass in the CPUIOTLBEntry from which the ram_addr_t may be computed.

Reviewed-by: David Hildenbrand <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

We can use notdirty_write for the write and return a valid host pointer for this case.

Reviewed-by: David Hildenbrand <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

With the merge of notdirty handling into store_helper, the last user of cpu->mem_io_vaddr was removed.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

All callers pass false to this argument. Remove it and pass the constant on to tb_invalidate_phys_page_range__locked.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Rather than rely on cpu->mem_io_pc, pass retaddr down directly.

Within tb_invalidate_phys_page_range__locked, the is_cpu_write_access parameter is non-zero exactly when retaddr would be non-zero, so that is a simple replacement.

Recognize that current_tb_not_found is true only when mem_io_pc (and now retaddr) are also non-zero, so remove a redundant test.

Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>

Fixes the previous TLB_WATCHPOINT patches because we are currently failing to set cpu->mem_io_pc with the call to cpu_check_watchpoint. Pass down the retaddr directly because it's readily available.

Fixes: 50b107c
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
…v2' into staging

nbd patches for 2019-09-24

- Improved error message for plaintext client of encrypted server
- Fix various assertions when -object iothread is in use
- Silence a Coverity error for use-after-free on error path

# gpg: Signature made Wed 25 Sep 2019 14:35:52 BST
# gpg: using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <[email protected]>" [full]
# gpg: aka "Eric Blake (Free Software Programmer) <[email protected]>" [full]
# gpg: aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2019-09-24-v2:
  util/qemu-sockets: fix keep_alive handling in inet_connect_saddr
  tests: Use iothreads during iotest 223
  nbd: Grab aio context lock in more places
  nbd/server: attach client channel to the export's AioContext
  nbd/client: Add hint when TLS is missing

Signed-off-by: Peter Maydell <[email protected]>

…190925a' into staging

Migration pull 2019-09-25

me: test fixes from (should stop hangs in postcopy tests).
me: An RDMA cleanup hang fix
Wei: Tidy ups around postcopy
Marc-Andre: mem leak fix

# gpg: Signature made Wed 25 Sep 2019 15:59:41 BST
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <[email protected]>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7

* remotes/dgilbert/tags/pull-migration-20190925a:
  migration/postcopy: Recognise the recovery states as 'in_postcopy'
  tests/migration/postcopy: trim migration bandwidth
  tests/migration: Fail on unexpected migration states
  migration/rdma.c: Swap synchronize_rcu for call_rcu
  migration/rdma: Don't moan about disconnects at the end
  migration: remove sent parameter in get_queued_page_not_dirty
  migration/postcopy: unsentmap is not necessary for postcopy
  migration/postcopy: not necessary to do discard when canonicalizing bitmap
  migration: fix vmdesc leak on vmstate_save() error

Signed-off-by: Peter Maydell <[email protected]>

…ging

vhost: fixes

Misc fixes related to memory region handling.

Signed-off-by: Michael S. Tsirkin <[email protected]>

# gpg: Signature made Wed 25 Sep 2019 15:28:23 BST
# gpg: using RSA key 281F0DB8D28D5469
# gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [full]
# gpg: aka "Michael S. Tsirkin <[email protected]>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469

* remotes/mst/tags/for_upstream:
  vhost: Fix memory region section comparison
  memory: Provide an equality function for MemoryRegionSections
  memory: Align MemoryRegionSections fields

Signed-off-by: Peter Maydell <[email protected]>
* key_bytes -> master_key_len
* payload_offset = payload_offset_sector (to emphasise that this isn't byte offset)
* key_offset -> key_offset_sector - same as above for luks slots

Signed-off-by: Maxim Levitsky <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>

-fsanitize=undefined is not the same thing as --enable-sanitizers. After commit 47c823e ("tests/docker: add sanitizers back to clang build", 2019-09-11) test-clang is almost duplicating the asan (test-debug) test, so partly revert commit 47c823e while leaving ubsan enabled.

Signed-off-by: Paolo Bonzini <[email protected]>

…ble_features

The next patch will add a different reason for filtering features, unrelated to host feature support. Extract a new function that takes care of disabling the features and optionally reporting them.

Signed-off-by: Paolo Bonzini <[email protected]>

Sometimes a CPU feature does not make sense unless another is present. In the case of VMX features, KVM does not even allow setting the VMX controls to some invalid combinations.

Therefore, this patch adds a generic mechanism that looks for bits that the user explicitly cleared, and uses them to remove other bits from the expanded CPU definition. If these dependent bits were also explicitly *set* by the user, this will be a warning for "-cpu check" and an error for "-cpu enforce". If not, then the dependent bits are cleared silently, for convenience.

With VMX features, this will be used so that for example "-cpu host,-rdrand" will also hide support for RDRAND exiting.

Signed-off-by: Paolo Bonzini <[email protected]>

VMX requires 64-bit feature words for the IA32_VMX_EPT_VPID_CAP and IA32_VMX_BASIC MSRs. (The VMX control MSRs are 64-bit wide but actually have only 32 bits of information).

Signed-off-by: Paolo Bonzini <[email protected]>

These will be used to compile the list of VMX features for named CPU models, and/or by the code that sets up the VMX MSRs.

Signed-off-by: Paolo Bonzini <[email protected]>

The low bits are 1 if the control must be one, the high bits are 1 if the control can be one. Correct the variable names as they are very confusing.

Signed-off-by: Paolo Bonzini <[email protected]>

Add code to convert the VMX feature words back into MSR values, allowing the user to enable/disable VMX features as they wish. The same infrastructure enables support for limiting VMX features in named CPU models.

Signed-off-by: Paolo Bonzini <[email protected]>

…trols

Some secondary controls are automatically enabled/disabled based on the CPUID values that are set for the guest. However, they are still available at a global level and therefore should be present when KVM_GET_MSRS is sent to /dev/kvm. Unfortunately KVM forgot to include those, so fix that.

Signed-off-by: Paolo Bonzini <[email protected]>
When I run QEMU with KVM under Valgrind, I currently get this warning:

Syscall param ioctl(generic) points to uninitialised byte(s)
   at 0x95BA45B: ioctl (in /usr/lib64/libc-2.28.so)
   by 0x429DC3: kvm_ioctl (kvm-all.c:2365)
   by 0x51B249: kvm_arch_get_supported_msr_feature (kvm.c:469)
   by 0x4C2A49: x86_cpu_get_supported_feature_word (cpu.c:3765)
   by 0x4C4116: x86_cpu_expand_features (cpu.c:5065)
   by 0x4C7F8D: x86_cpu_realizefn (cpu.c:5242)
   by 0x5961F3: device_set_realized (qdev.c:835)
   by 0x7038F6: property_set_bool (object.c:2080)
   by 0x707EFE: object_property_set_qobject (qom-qobject.c:26)
   by 0x705814: object_property_set_bool (object.c:1338)
   by 0x498435: pc_new_cpu (pc.c:1549)
   by 0x49C67D: pc_cpus_init (pc.c:1681)
 Address 0x1ffeffee74 is on thread 1's stack
 in frame #2, created by kvm_arch_get_supported_msr_feature (kvm.c:445)

It's harmless, but a little bit annoying, so silence it by properly initializing the whole structure with zeroes.

Signed-off-by: Thomas Huth <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>

… staging

* Compilation fix for KVM (Alex)
* SMM fix (Dmitry)
* VFIO error reporting (Eric)
* win32 fixes and workarounds (Marc-André)
* qemu-pr-helper crash bugfix (Maxim)
* Memory leak fixes (myself)
* VMX features (myself)
* Record-replay deadlock (Pavel)
* i386 CPUID bits (Sebastian)
* kconfig tweak (Thomas)
* Valgrind fix (Thomas)
* Autoconverge test (Yury)

# gpg: Signature made Fri 04 Oct 2019 17:57:48 BST
# gpg: using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
# gpg: aka "Paolo Bonzini <[email protected]>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (29 commits)
  target/i386/kvm: Silence warning from Valgrind about uninitialized bytes
  target/i386: work around KVM_GET_MSRS bug for secondary execution controls
  target/i386: add VMX features
  vmxcap: correct the name of the variables
  target/i386: add VMX definitions
  target/i386: expand feature words to 64 bits
  target/i386: introduce generic feature dependency mechanism
  target/i386: handle filtered_features in a new function mark_unavailable_features
  tests/docker: only enable ubsan for test-clang
  win32: work around main-loop busy loop on socket/fd event
  tests: skip serial test on windows
  util: WSAEWOULDBLOCK on connect should map to EINPROGRESS
  Fix wrong behavior of cpu_memory_rw_debug() function in SMM
  memory: allow memory_region_register_iommu_notifier() to fail
  vfio: Turn the container error into an Error handle
  i386: Add CPUID bit for CLZERO and XSAVEERPTR
  docker: test-debug: disable LeakSanitizer
  lm32: do not leak memory on object_new/object_unref
  cris: do not leak struct cris_disasm_data
  mips: fix memory leaks in board initialization
  ...

Signed-off-by: Peter Maydell <[email protected]>
…04' into staging

ppc patch queue 2019-10-04

Here's the next batch of ppc and spapr patches. Includes:

* First part of a large cleanup to irq infrastructure
* Recreate the full FDT at CAS time, instead of making a difficult to follow set of updates. This will help us move towards eliminating CAS reboots altogether
* No longer provide RTAS blob to SLOF - SLOF can include it just as well itself, since guests will generally need to relocate it with a call to instantiate-rtas
* A number of DFP fixes and cleanups from Mark Cave-Ayland
* Assorted bugfixes
* Several new small devices for powernv

# gpg: Signature made Fri 04 Oct 2019 10:35:57 BST
# gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <[email protected]>" [full]
# gpg: aka "David Gibson (Red Hat) <[email protected]>" [full]
# gpg: aka "David Gibson (ozlabs.org) <[email protected]>" [full]
# gpg: aka "David Gibson (kernel.org) <[email protected]>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-4.2-20191004: (53 commits)
  ppc/pnv: Remove the XICSFabric Interface from the POWER9 machine
  spapr: Eliminate SpaprIrq::init hook
  spapr: Add return value to spapr_irq_check()
  spapr: Use less cryptic representation of which irq backends are supported
  xive: Improve irq claim/free path
  spapr, xics, xive: Better use of assert()s on irq claim/free paths
  spapr: Handle freeing of multiple irqs in frontend only
  spapr: Remove unhelpful tracepoints from spapr_irq_free_xics()
  spapr: Eliminate SpaprIrq:get_nodename method
  spapr: Simplify spapr_qirq() handling
  spapr: Fix indexing of XICS irqs
  spapr: Eliminate nr_irqs parameter to SpaprIrq::init
  spapr: Clarify and fix handling of nr_irqs
  spapr: Replace spapr_vio_qirq() helper with spapr_vio_irq_pulse() helper
  spapr: Fold spapr_phb_lsi_qirq() into its single caller
  xics: Create sPAPR specific ICS subtype
  xics: Merge TYPE_ICS_BASE and TYPE_ICS_SIMPLE classes
  xics: Eliminate reset hook
  xics: Rename misleading ics_simple_*() functions
  xics: Eliminate 'reject', 'resend' and 'eoi' class hooks
  ...

Signed-off-by: Peter Maydell <[email protected]>
The `make efi` target added by 536d217 is built from the roms/edk2 submodule, which in turn relies on additional submodules nested under roms/edk2. The make-release script currently only pulls in top-level submodules, so these nested submodules are missing in the resulting tarball.

We could try to address this situation more generally by recursively pulling in all submodules, but this doesn't necessarily ensure the end-result will build properly (this case also required other changes). Additionally, due to the nature of submodules, we may not always have control over how these sorts of things are dealt with, so for now we continue to handle it on a case-by-case in the make-release script.

Cc: Laszlo Ersek <[email protected]>
Cc: Bruce Rogers <[email protected]>
Cc: [email protected] # v4.1.0
Reported-by: Bruce Rogers <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Michael Roth <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>

Currently the `make efi` target pulls submodules nested under the roms/edk2 submodule as dependencies. However, when we attempt to build from a tarball this fails since we are no longer in a git tree.

A preceding patch will pre-populate these submodules in the tarball, so assume this build dependency is only needed when building from a git tree.

Cc: Laszlo Ersek <[email protected]>
Cc: Bruce Rogers <[email protected]>
Cc: [email protected] # v4.1.0
Reported-by: Bruce Rogers <[email protected]>
Reviewed-by: Laszlo Ersek <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Michael Roth <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>

Various C projects provide a 'make help' target. Our root directory does so. The roms/ directory lacks such a rule, but already displays a help output when the default target is called. Add a 'help' target aliased to the default one, to avoid:

  $ make -C roms help
  make: *** No rule to make target 'help'. Stop.

Reviewed-by: John Snow <[email protected]>
Reviewed-by: Laszlo Ersek <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>

Unify the recipe for "build-edk2-tools" in "tests/uefi-test-tools/Makefile" with the recipe for "edk2-basetools" in "roms/Makefile".

Cc: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: John Snow <[email protected]>
Signed-off-by: Laszlo Ersek <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>

It turns out that forcing python2 for running the edk2 "build" utility is neither necessary nor sufficient.

Forcing python2 is not sufficient for two reasons:

- QEMU is moving away from python2, with python2 nearing EOL,
- according to my most recent testing, the lacking dependency information in the makefiles that are generated by edk2's "build" utility can cause parallel build failures even when "build" is executed by python2.

And forcing python2 is not necessary because we can still return to the original idea of filtering out jobserver-related options from MAKEFLAGS. So do that.

While at it, cut short edk2's auto-detection of the python3.* minor version, by setting PYTHON_COMMAND to "python3" (which we expect to be available wherever we intend to build edk2).

With this patch, the guest UEFI binaries that are used as part of the BIOS tables test, and the OVMF and ArmVirtQemu platform firmwares, will be built strictly in a single job, regardless of an outermost "-jN" make option. Alas, there appears to be no reliable way to build edk2 in an (outer make, inner make) environment, with a jobserver enabled.

Cc: Eduardo Habkost <[email protected]>
Cc: John Snow <[email protected]>
Cc: Philippe Mathieu-Daudé <[email protected]>
Reported-by: John Snow <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: John Snow <[email protected]>
Signed-off-by: Laszlo Ersek <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
…taging

Block layer patches:

- Fix internal snapshots with typical -blockdev setups
- iotests: Require Python 3.6 or later

# gpg: Signature made Fri 04 Oct 2019 10:59:21 BST
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <[email protected]>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  iotests: Remove Python 2 compatibility code
  iotests: Require Python 3.6 or later
  iotests: Test internal snapshots with -blockdev
  block/snapshot: Restrict set of snapshot nodes

Signed-off-by: Peter Maydell <[email protected]>

…into staging

slirp: Allow non-local DNS address when restrict is off

# gpg: Signature made Mon 07 Oct 2019 00:54:44 BST
# gpg: using RSA key 5ED9E856F7D6C6EAF51167A18D35C355720BBAFD
# gpg: Good signature from "Samuel Thibault <[email protected]>" [unknown]
# gpg: aka "Samuel Thibault <[email protected]>" [marginal]
# gpg: aka "Samuel Thibault <[email protected]>" [unknown]
# gpg: aka "Samuel Thibault <[email protected]>" [marginal]
# gpg: aka "Samuel Thibault <[email protected]>" [marginal]
# gpg: aka "Samuel Thibault <[email protected]>" [marginal]
# gpg: aka "Samuel Thibault <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 900C B024 B679 31D4 0F82 304B D017 8C76 7D06 9EE6
# Subkey fingerprint: 5ED9 E856 F7D6 C6EA F511 67A1 8D35 C355 720B BAFD

* remotes/thibault/tags/samuel-thibault:
  slirp: Allow non-local DNS address when restrict is off

Signed-off-by: Peter Maydell <[email protected]>

…191007' into staging

Improve scripts relying on the EDK2 submodule, drop Python2 dependency in EDK2 build scripts.

# gpg: Signature made Mon 07 Oct 2019 14:31:38 BST
# gpg: using RSA key 89C1E78F601EE86C867495CBA2A3FD6EDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (Phil) <[email protected]>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 89C1 E78F 601E E86C 8674 95CB A2A3 FD6E DEAD C0DE

* remotes/philmd-gitlab/tags/edk2-next-20191007:
  edk2 build scripts: work around TianoCore#1607 without forcing Python 2
  edk2 build scripts: honor external BaseTools flags with uefi-test-tools
  roms: Add a 'make help' target alias
  roms/Makefile.edk2: don't pull in submodules when building from tarball
  make-release: pull in edk2 submodules so we can build it from tarballs

Signed-off-by: Peter Maydell <[email protected]>
Make it more obvious, that filling qiov corresponds to qiov allocation, which in turn corresponds to total_niov calculation, based on mid_niov (not mid_len). Still add an assertion to show that there should be no difference. [Added mingw "error: 'mid_iov' may be used uninitialized in this function" compiler error fix suggested by Vladimir. --Stefan] Reported-by: Coverity (CID 1405302) Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]> Message-id: [email protected] Suggested-by: Peter Maydell <[email protected]> Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]> Message-Id: <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]> fixup! util/ioc.c: try to reassure Coverity about qemu_iovec_init_extended
virtio_notify_config() needs to acquire the global mutex, which isn't allowed from an iothread, and may lead to a deadlock like this: - main thead * Has acquired: qemu_global_mutex. * Is trying the acquire: iothread AioContext lock via AIO_WAIT_WHILE (after aio_poll). - iothread * Has acquired: AioContext lock. * Is trying to acquire: qemu_global_mutex (via virtio_notify_config->prepare_mmio_access). If virtio_blk_resize() is called from an iothread, schedule virtio_notify_config() to be run in the main context BH. [Removed unnecessary newline as suggested by Kevin Wolf <[email protected]>. --Stefan] Signed-off-by: Sergio Lopez <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Message-id: [email protected] Message-Id: <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]>
We must not write data to inactive nodes, and a COR is certainly something we can simply not do without upsetting anyone. So skip COR operations on inactive nodes. Signed-off-by: Max Reitz <[email protected]> Reviewed-by: Eric Blake <[email protected]> Message-id: [email protected] Message-Id: <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]>
Launching the destination VM before the source VM gives us a regression test for HEAD^: The guest device causes a read from the disk image through guess_disk_lchs(). This will not work if the first sector (containing the partition table) is yet unallocated, we use COR, and the node is inactive. By launching the source VM before the destination, however, the COR filter on the source will allocate that area in the image shared between both VMs, thus the problem will not become apparent. Switching the launch order causes the sector to still be unallocated when guess_disk_lchs() runs on the inactive node in the destination VM, and thus we get our test case. Signed-off-by: Max Reitz <[email protected]> Reviewed-by: Eric Blake <[email protected]> Message-id: [email protected] Message-Id: <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]>
…t' into staging

Pull request

This pull request also contains the two commits from the previous pull request that was dropped due to a mingw compilation error. The compilation should now be fixed.

# gpg: Signature made Tue 08 Oct 2019 15:54:26 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
# gpg: aka "Stefan Hajnoczi <[email protected]>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/block-pull-request:
  iotests/262: Switch source/dest VM launch order
  block: Skip COR for inactive nodes
  virtio-blk: schedule virtio_notify_config to run on main context
  util/ioc.c: try to reassure Coverity about qemu_iovec_init_extended

Signed-off-by: Peter Maydell <[email protected]>
NicolasDerumigny pushed a commit to NicolasDerumigny/qemu that referenced this pull request on Jun 1, 2022
Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/542.

Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Acked-by: Thomas Huth <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
NicolasDerumigny pushed a commit to NicolasDerumigny/qemu that referenced this pull request on Jun 1, 2022
The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is previously filled in RAM. An I/O access to the device (frames #22 to #16) starts the DMA engine (frame #13). The engine fetches the descriptor and executes the request, which itself accesses the SDHCI I/O registers (frames #1 and #0), triggering a re-entrancy issue.

Fix by prohibiting transactions from the DMA to devices. The DMA engine is thus restricted to memories.

Reported-by: OSS-Fuzz (Issue 36391)
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Message-Id: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
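The re-entrancy pattern behind this sdhci fix, and behind the intel-hda stack overflow in the commit above, in a toy C model added here as an example (not QEMU's code): a device whose doorbell register starts a DMA engine, a descriptor in guest RAM that aims the engine back at that same register, and a `dma_memory_only` switch standing in for the commit's restriction of DMA to memories. The address map, register offsets, descriptor layout and DEPTH_LIMIT are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed map: 4 KiB of RAM at 0; device registers at 0x1000 (0x00 doorbell, 0x04 descriptor address). */
#define RAM_SIZE     0x1000
#define MMIO_BASE    0x1000
#define REG_DOORBELL 0x00
#define REG_DESC     0x04
#define DEPTH_LIMIT  16   /* toy stand-in for the real stack overflow */
static uint8_t guest_ram[RAM_SIZE];
static uint32_t reg_desc;
static int mmio_depth, max_mmio_depth, dma_refused, dma_memory_only;   /* dma_memory_only: 1 = DMA may only target RAM */
static void mmio_write(uint64_t off, uint32_t val);

/* The DMA engine's view of memory. Returns 0 on success, -1 if unmapped or refused. */
static int dma_write32(uint64_t addr, uint32_t val)
{
    if (addr + 4 <= RAM_SIZE) { memcpy(guest_ram + addr, &val, 4); return 0; }
    if (addr < MMIO_BASE || addr + 4 > MMIO_BASE + 0x100) return -1;   /* unmapped */
    if (dma_memory_only) { dma_refused++; return -1; }   /* hardened: devices are not DMA targets */
    mmio_write(addr - MMIO_BASE, val);   /* unhardened: re-enters the device's own handler */
    return 0;
}
/* Register handler. A doorbell write fetches the descriptor from RAM and runs it;
 * descriptor layout (constructed): word 0 = destination address, word 1 = payload. */
static void mmio_write(uint64_t off, uint32_t val)
{
    uint32_t d[2];
    if (++mmio_depth > max_mmio_depth) max_mmio_depth = mmio_depth;
    if (mmio_depth > DEPTH_LIMIT) { mmio_depth--; return; }   /* the real handler has no such cap */
    if (off == REG_DESC) {
        reg_desc = val;
    } else if (off == REG_DOORBELL && reg_desc + 8 <= RAM_SIZE) {
        memcpy(d, guest_ram + reg_desc, 8);
        dma_write32(d[0], d[1]);
    }
    mmio_depth--;
}
/* Guest plants a descriptor aimed at the device's own doorbell and rings it once;
 * returns the deepest nesting of mmio_write that resulted. */
int simulate(int memory_only)
{
    uint32_t desc[2] = { MMIO_BASE + REG_DOORBELL, 1 };
    dma_memory_only = memory_only;
    mmio_depth = max_mmio_depth = dma_refused = 0;
    memset(guest_ram, 0, sizeof guest_ram);
    memcpy(guest_ram + 0x100, desc, sizeof desc);
    mmio_write(REG_DESC, 0x100);
    mmio_write(REG_DOORBELL, 1);
    return max_mmio_depth;
}
```

With the switch off, each doorbell write nests another one until the toy cap stops it (the real device recurses until the stack is exhausted); with it on, the engine refuses the device-targeted transaction and the handler nests no deeper than the guest's own write.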
NicolasDerumigny pushed a commit to NicolasDerumigny/qemu that referenced this pull request on Jun 1, 2022
Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/451.

Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

  0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
  allocated by thread T0 here:
      #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
      #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
      #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
  Shadow bytes around the buggy address:
    0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:     fa
    Freed heap region:     fd
  ==447470==ABORTING
  Broken pipe
  ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Acked-by: Thomas Huth <[email protected]>
Message-Id: <[email protected]>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <[email protected]>
Closing. Subsumed by 7.0 pull request.
Updated version of the plugin branch on 4.10. Dropped the support of QEMU because of changes happening in d14055d. This should probably not be merged into master, but rather into a new separate branch.