- Jan 29, 2024
-
-
Michael Tokarev authored
Signed-off-by:Michael Tokarev <mjt@tls.msk.ru>
-
- Jan 27, 2024
-
-
Peter Maydell authored
In commit 1b7bc9b5 we changed handle_vec_simd_sqshrn() so that instead of starting with a 0 value and depositing in each new element from the narrowing operation, it instead started with the raw result of the narrowing operation of the first element. This is fine in the vector case, because the deposit operations for the second and subsequent elements will always overwrite any higher bits that might have been in the first element's result value in tcg_rd. However in the scalar case we only go through this loop once. The effect is that for a signed narrowing operation, if the result is negative then we will now return a value where the bits above the first element are incorrectly 1 (because the narrowfn returns a sign-extended result, not one that is truncated to the element size). Fix this by using an extract operation to get exactly the correct bits of the output of the narrowfn for element 1, instead of a plain move. Cc: qemu-stable@nongnu.org ...
-
Max Filippov authored
r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register by the guest. The host uses 3 bits of the index for ITLB indexing and 4 bits for DTLB, but there's only 7 entries in the ITLB array and 10 in the DTLB array, so a malicious guest may trigger out-of-bound access to these arrays. Change split_tlb_entry_spec return type to bool to indicate whether TLB way passed to it is valid. Change get_tlb_entry to return NULL in case invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that requested TLB way and entry indices are valid. Add checks to the [rwi]tlb helpers that requested TLB way is valid and return 0 or do nothing when it's not. Cc: qemu-stable@nongnu.org Fixes: b67ea0cd ("target-xtensa: implement memory protection options") Signed-off-by:
Max Filippov <jcmvbkbc@gmail.com> Reviewed-by:
Peter Maydell <peter.maydell@linaro.org> Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com Signed-off-by:
-
- Jan 26, 2024
-
-
Daniel P. Berrangé authoredOn a loaded system with --enable-debug, this test can take longer than 5 minutes. Raising the timeout to 6 minutes gives greater headroom for such situations. Signed-off-by:
Daniel P. Berrangé <berrange@redhat.com> [thuth: Increase the timeout to 6 minutes for very loaded systems] Signed-off-by:
Thomas Huth <thuth@redhat.com>
Message-Id: <20231215070357.10888-11-thuth@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org> (cherry picked from commit e8a12fe3 ) Signed-off-by:
-
Stefan Hajnoczi authoredmonitor_qmp_dispatcher_co() runs in the iohandler AioContext that is not polled during nested event loops. The coroutine currently reschedules itself in the main loop's qemu_aio_context AioContext, which is polled during nested event loops. One known problem is that QMP device-add calls drain_call_rcu(), which temporarily drops the BQL, leading to all sorts of havoc like other vCPU threads re-entering device emulation code while another vCPU thread is waiting in device emulation code with aio_poll(). Paolo Bonzini suggested running non-coroutine QMP handlers in the iohandler AioContext. This avoids trouble with nested event loops. His original idea was to move coroutine rescheduling to monitor_qmp_dispatch(), but I resorted to moving it to qmp_dispatch() because we don't know if the QMP handler needs to run in coroutine context in monitor_qmp_dispatch(). monitor_qmp_dispatch() would have been nicer since it's associated with the monitor implementat...
-
Stefan Hajnoczi authored
The common.qemu bash functions allow tests to interact with the QMP monitor of a QEMU process. I spent two days trying to update 141 when the order of the test output changed, but found it would still fail occassionally because printf() and QMP events race with synchronous QMP communication. I gave up and ported 141 to the existing Python API for QMP tests. The Python API is less affected by the order in which QEMU prints output because it does not print all QMP traffic by default. The next commit changes the order in which QMP messages are received. Make 141 reliable first. Cc: Hanna Czenczek <hreitz@redhat.com> Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240118144823.1497953-3-stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by:
-
Stefan Hajnoczi authored
Add a filter function for QMP responses that contain QEMU's automatically generated node ids. The ids change between runs and must be masked in the reference output. The next commit will use this new function. Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240118144823.1497953-2-stefanha@redhat.com>
Reviewed-by: -
Ari Sundholm authored
There is a bug in the blklogwrites driver pertaining to logging "write zeroes" operations, causing log corruption. This can be easily observed by setting detect-zeroes to something other than "off" for the driver. The issue is caused by a concurrency bug pertaining to the fact that "write zeroes" operations have to be logged in two parts: first the log entry metadata, then the zeroed-out region. While the log entry metadata is being written by bdrv_co_pwritev(), another operation may begin in the meanwhile and modify the state of the blklogwrites driver. This is as intended by the coroutine-driven I/O model in QEMU, of course. Unfortunately, this specific scenario is mishandled. A short example: 1. Initially, in the current operation (#1), the current log sector number in the driver state is only incremented by the number of sectors taken by the log entry metadata, after which the log entry metadata is written. The current operati... -
Jason Wang authored
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than the size of the mergeable rx buffer header. Using virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack overflow in this case. Fixing this by using virtio_net_hdr_v1_hash instead. Reported-by:
Xiao Lei <leixiao.nop@zju.edu.cn> Cc: Yuri Benditovich <yuri.benditovich@daynix.com> Cc: qemu-stable@nongnu.org Cc: Mauro Matteo Cascella <mcascell@redhat.com> Fixes: CVE-2023-6693 Fixes: e22f0603 ("virtio-net: reference implementation of hash report") Reviewed-by:
Jason Wang <jasowang@redhat.com> (cherry picked from commit 2220e818 ) Signed-off-by:
-
- Jan 25, 2024
-
-
Joseph Burt authored
When tcg_out_qemu_st_{index,direct} were merged, the direct case for MO_64 was omitted, causing qemu_st_i64 to be encoded as 0xffffffff due to underflow when adding h.base and h.index. Fixes: 1df6d611 ("tcg/arm: Introduce HostAddress") Signed-off-by:Joseph Burt <caseorum@gmail.com> Message-Id: <20240121211439.100829-1-caseorum@gmail.com> Reviewed-by:
Richard Henderson <richard.henderson@linaro.org> Signed-off-by:
-
Fiona Ebner authoredUsing fleecing backup like in [0] on a qcow2 image (with metadata preallocation) can lead to the following assertion failure: > bdrv_co_do_block_status: Assertion `!(ret & BDRV_BLOCK_ZERO)' failed. In the reproducer [0], it happens because the BDRV_BLOCK_RECURSE flag will be set by the qcow2 driver, so the caller will recursively check the file child. Then the BDRV_BLOCK_ZERO set too. Later up the call chain, in bdrv_co_do_block_status() for the snapshot-access driver, the assertion failure will happen, because both flags are set. To fix it, clear the recurse flag after the recursive check was done. In detail: > #0 qcow2_co_block_status Returns 0x45 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID. > #1 bdrv_co_do_block_status Because of the data flag, bdrv_co_do_block_status() will now also set BDRV_BLOCK_ALLOCATED. Because of the recurse flag, bdrv_co_do_block_status() for the bdrv_file child will be called, which returns 0x16 = BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_OFFSET_VALID | BDRV_BLOCK_ZERO. Now the return value inherits the zero flag. Returns 0x57 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID | BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_ZERO. > #2 bdrv_co_common_block_status_above > #3 bdrv_co_block_status_above > #4 bdrv_co_block_status > #5 cbw_co_snapshot_block_status > #6 bdrv_co_snapshot_block_status > #7 snapshot_access_co_block_status > #8 bdrv_co_do_block_status Return value is propagated all the way up to here, where the assertion failure happens, because BDRV_BLOCK_RECURSE and BDRV_BLOCK_ZERO are both set. > #9 bdrv_co_common_block_status_above > #10 bdrv_co_block_status_above > #11 block_copy_block_status > #12 block_copy_dirty_clusters > #13 block_copy_common > #14 block_copy_async_co_entry > #15 coroutine_trampoline [0]: > #!/bin/bash > rm /tmp/disk.qcow2 > ./qemu-img create /tmp/disk.qcow2 -o preallocation=metadata -f qcow2 1G > ./qemu-img create /tmp/fleecing.qcow2 -f qcow2 1G > ./qemu-img create /tmp/backup.qcow2 -f qcow2 1G > ./qemu-system-x86_64 --qmp stdio \ > --blockdev qcow2,node-name=node0,file.driver=file,file.filename=/tmp/disk.qcow2 \ > --blockdev qcow2,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.qcow2 \ > --blockdev qcow2,node-name=node2,file.driver=file,file.filename=/tmp/backup.qcow2 \ > <<EOF > {"execute": "qmp_capabilities"} > {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write", "file": "node0", "target": "node1", "node-name": "node3" } } > {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access", "file": "node3", "node-name": "snap0" } } > {"execute": "blockdev-backup", "arguments": { "device": "snap0", "target": "node1", "sync": "full", "job-id": "backup0" } } > EOF Signed-off-by:Fiona Ebner <f.ebner@proxmox.com> Reviewed-by:
Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Message-id: 20240116154839.401030-1-f.ebner@proxmox.com Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8a9be799
)
Signed-off-by: -
Paolo Bonzini authored
This is causing regressions that have not been analyzed yet. Revert the change on stable branches. Cc: qemu-stable@nongnu.org Cc: Michael Tokarev <mjt@tls.msk.ru> Related: #2092 Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
-
- Jan 23, 2024
-
-
Alex Bennée authored
This is now expected by rtd so I've expanded using their example as 22.04 is one of our supported platforms. I tried to work out if there was an easy way to re-generate a requirements.txt from our pythondeps.toml but in the end went for the easier solution. Cc: <qemu-stable@nongnu.org> Signed-off-by:
-
- Jan 20, 2024
-
-
Mark Cave-Ayland authored
Even though the BLAST command isn't fully implemented in QEMU, the DMA_STAT_BCMBLT bit should be set after the command has been issued to indicate that the command has completed. This fixes an issue with the DC390 DOS driver which issues the BLAST command as part of its normal error recovery routine at startup, and otherwise sits in a tight loop waiting for DMA_STAT_BCMBLT to be set before continuing. Signed-off-by:
Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by:
Guenter Roeck <linux@roeck-us.net> Tested-by:
Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit c2d7de55 ) Signed-off-by:
-
Mark Cave-Ayland authored
The setting of DMA_STAT_DONE at the end of a DMA transfer can be configured to generate an interrupt, however the Linux driver manually checks for DMA_STAT_DONE being set and if it is, considers that a DMA transfer has completed. If DMA_STAT_DONE is set but the ESP device isn't indicating an interrupt then the Linux driver considers this to be a spurious interrupt. However this can occur in QEMU as there is a delay between the end of DMA transfer where DMA_STAT_DONE is set, and the ESP device raising its completion interrupt. This appears to be an incorrect assumption in the Linux driver as the ESP and PCI DMA interrupt sources are separate (and may not be raised exactly together), however we can work around this by synchronising the setting of DMA_STAT_DONE at the end of a DMA transfer with the ESP completion interrupt. In conjunction with the previous commit Linux is now able to correctly boot from an am53c974 PCI SCSI device on the hppa C3700 machine without emitting "iget: checksum invalid" and "Spurious irq, sreg=10" errors. Signed-off-by:
-
Mark Cave-Ayland authored
The am53c974/dc390 PCI interrupt has two separate sources: the first is from the internal ESP device, and the second is from the PCI DMA transfer logic. Update the ESP interrupt handler so that it sets DMA_STAT_SCSIINT rather than driving the PCI IRQ directly, and introduce a new esp_pci_update_irq() function to generate the correct PCI IRQ level. In particular this fixes spurious interrupts being generated by setting DMA_STAT_DONE at the end of a transfer if DMA_CMD_INTE_D isn't set in the DMA_CMD register. Signed-off-by:
-
Mark Cave-Ayland authored
The current code in esp_pci_dma_memory_rw() sets the DMA address to the value of the DMA_SPA (Starting Physical Address) register which is incorrect: this means that for each callback from the SCSI layer the DMA address is set back to the starting address. In the case where only a single SCSI callback occurs (currently for transfer lengths < 128kB) this works fine, however for larger transfers the DMA address wraps back to the initial starting address, corrupting the buffer holding the data transferred to the guest. Fix esp_pci_dma_memory_rw() to use the DMA_WAC (Working Address Counter) for the DMA address which is correctly incremented across multiple SCSI layer transfers. Signed-off-by:
-
Nick Briggs authoredSolaris has #defines for htonll and ntohll which cause syntax errors when compiling code that attempts to (re)define these functions.. Signed-off-by:
Nick Briggs <nicholas.h.briggs@gmail.com> Link: https://lore.kernel.org/r/65a04a7d.497ab3.3e7bef1f@gateway.sonic.net Signed-off-by:
Peter Xu <peterx@redhat.com>
(cherry picked from commit 44ce1b5d
)
Signed-off-by: -
Gerd Hoffmann authored
Add an update buffer where all block updates are staged. Flush or discard updates properly, so we should never see half-completed block writes in pflash storage. Drop a bunch of FIXME comments ;) Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> Reviewed-by:
-
Gerd Hoffmann authored
Use the helper functions we have to read/write multi-byte values in correct byte order. Suggested-by:
-
Gerd Hoffmann authored
Move the offset calculation, do it once at the start of the function and let the 'p' variable point directly to the memory location which should be updated. This makes it simpler to update other buffers than pfl->storage in an upcoming patch. No functional change. Signed-off-by:
-
Philippe Mathieu-Daudé authored
Both cryptodev_backend_set_throttle() and CryptoDevBackendClass::init() can set their Error** argument. Do not ignore them, return early on failure. Without that, running into another failure trips error_setv()'s assertion. Use the ERRP_GUARD() macro as suggested in commit ae7c80a7 ("error: New macro ERRP_GUARD()"). Cc: qemu-stable@nongnu.org Fixes: e7a775fd ("cryptodev: Account statistics") Fixes: 2580b452 ("cryptodev: support QoS") Reviewed-by:
zhenwei pi <pizhenwei@bytedance.com> Reviewed-by:
Gonglei <arei.gonglei@huawei.com> Reviewed-by:
Markus Armbruster <armbru@redhat.com> Signed-off-by:
-
Paolo Bonzini authored
For PC-relative translation blocks, env->eip changes during the execution of a translation block, Therefore, QEMU must be able to recover an instruction's PC just from the TranslationBlock struct and the instruction data with. Because a TB will not span two pages, QEMU stores all the low bits of EIP in the instruction data and replaces them in x86_restore_state_to_opc. Bits 12 and higher (which may vary between executions of a PCREL TB, since these only use the physical address in the hash key) are kept unmodified from env->eip. The assumption is that these bits of EIP, unlike bits 0-11, will not change as the translation block executes. Unfortunately, this is incorrect when the CS base is not aligned to a page. Then the linear address of the instructions (i.e. the one with the CS base addred) indeed will never span two pages, but bits 12+ of EIP can actually change. For example, if CS base is 0x80262200 and EIP = 0x6FF4, the first instruction in the translation block will be at linear address 0x802691F4. Even a very small TB will cross to EIP = 0x7xxx, while the linear addresses will remain comfortably within a single page. The fix is simply to use the low bits of the linear address for data[0], since those don't change. Then x86_restore_state_to_opc uses tb->cs_base to compute a temporary linear address (referring to some unknown instruction in the TB, but with the correct values of bits 12 and higher); the low bits are replaced with data[0], and EIP is obtained by subtracting again the CS base. Huge thanks to Mark Cave-Ayland for the image and initial debugging, and to Gitlab user @kjliew for help with bisecting another occurrence of (hopefully!) the same bug. It should be relatively easy to write a testcase that performs MMIO on an EIP with different bits 12+ than the first instruction of the translation block; any help is welcome. Fixes: e3a79e0e ("target/i386: Enable TARGET_TB_PCREL", 2022-10-11) Cc: qemu-stable@nongnu.org Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: Richard Henderson <richard.henderson@linaro.org> Resolves: #1759 Resolves: #1964 Resolves: #2012 Signed-off-by:
-
guoguangyao authored
The PCREL patches introduced a bug when updating EIP in the !CF_PCREL case. Using s->pc in func gen_update_eip_next() solves the problem. Cc: qemu-stable@nongnu.org Fixes: b5e0d5d2 ("target/i386: Fix 32-bit wrapping of pc/eip computation") Fixes: 5b2fd6cf (b5e0d5d2 in 8.1.4) Signed-off-by:
guoguangyao <guoguangyao18@mails.ucas.ac.cn> Reviewed-by:
-
Richard Henderson authoredWith PCREL, we have a page-relative view of EIP, and an approximation of PC = EIP+CSBASE that is good enough to detect page crossings. If we try to recompute PC after masking EIP, we will mess up that approximation and write a corrupt value to EIP. We already handled masking properly for PCREL, so the fix in b5e0d5d2 was only needed for the !PCREL path. Cc: qemu-stable@nongnu.org Fixes: b5e0d5d2 ("target/i386: Fix 32-bit wrapping of pc/eip computation") Fixes: 5b2fd6cf (b5e0d5d2 in 8.1.4) Reported-by:
-
- Jan 19, 2024
-
-
Anastasia Belova authored
j is used while loading an ELF file to byteswap segments' data. If data is larger than 2GB an overflow may happen. So j should be elf_word. This commit fixes a minor bug: it's unlikely anybody is trying to load ELF files with 2GB+ segments for wrong-endianness targets, but if they did, it wouldn't work correctly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: qemu-stable@nongnu.org Fixes: 7ef295ea ("loader: Add data swap option to load-elf") Signed-off-by:
Anastasia Belova <abelova@astralinux.ru> Reviewed-by:
-
- Jan 13, 2024
-
-
Peter Maydell authored
Sometimes the CI "pages" job fails with a message like this from htags: $ htags -anT --tree-view=filetree -m qemu_init -t "Welcome to the QEMU sourcecode" htags: Negative exec line limit = -371 This is due to a bug in hflags where if the environment is too large it falls over: https://lists.gnu.org/archive/html/bug-global/2024-01/msg00000.html This happens to us because GitLab CI puts the commit message of the commit under test into the CI_COMMIT_MESSAGE and/or CI_COMMIT_TAG_MESSAGE environment variables, so the job will fail if the commit happens to have a verbose commit message. Work around the htags bug by unsetting these variables while running htags. Cc: qemu-stable@nongnu.org Resolves: #2080 Reviewed-by:
Thomas Huth <thuth@redhat.com>
(cherry picked from commit 52a21689
)
Signed-off-by: -
Ilya Leoshkevich authored
LAE should set the access register corresponding to the first operand, instead, it always modifies access register 1. Co-developed-by:
Ido Plat <Ido.Plat@ibm.com> Cc: qemu-stable@nongnu.org Fixes: a1c7610a ("target-s390x: implement LAY and LAEY instructions") Reviewed-by:
David Hildenbrand <david@redhat.com> Signed-off-by:
Ilya Leoshkevich <iii@linux.ibm.com> Message-ID: <20240111092328.929421-2-iii@linux.ibm.com> Signed-off-by:
Thomas Huth <thuth@redhat.com>
(cherry picked from commit e358a25a
)
Signed-off-by: -
Samuel Tardieu authored
An apparent copy-paste error tests for the presence of the virtio-rng-ccw device in order to perform tests on the virtio-scsi-ccw device. Signed-off-by:
Samuel Tardieu <sam@rfc1149.net> Message-ID: <20240106130121.1244993-1-sam@rfc1149.net> Fixes: 65331bf5 ("tests/qtest: Check for virtio-ccw devices before using them") Reviewed-by:
Thomas Huth <thuth@redhat.com>
(cherry picked from commit c98873ee
)
Signed-off-by:
-
- Jan 11, 2024
-
-
Natanael Copa authored
Use PPC_FEATURE2_ISEL and PPC_FEATURE2_VEC_CRYPTO from linux headers instead of the GNU specific PPC_FEATURE2_HAS_ISEL and PPC_FEATURE2_HAS_VEC_CRYPTO. This fixes build with musl libc. Cc: qemu-stable@nongnu.org Resolves: #1861 Signed-off-by:
Natanael Copa <ncopa@alpinelinux.org> Fixes: 63922f46 ("tcg/ppc: Replace HAVE_ISEL macro with a variable") Fixes: 68f340d4 ("tcg/ppc: Enable Altivec detection") Message-Id: <20231219105236.7059-1-ncopa@alpinelinux.org> Signed-off-by:
-
Peter Maydell authored
The hypervisor can deliver (virtual) LPIs to a guest by setting up a list register to have an intid which is an LPI. The GIC has to treat these a little differently to standard interrupt IDs, because LPIs have no Active state, and so the guest will only EOI them, it will not also deactivate them. So icv_eoir_write() must do two things: * if the LPI ID is not in any list register, we drop the priority but do not increment the EOI count * if the LPI ID is in a list register, we immediately deactivate it, regardless of the split-drop-and-deactivate control This can be seen in the VirtualWriteEOIR0() and VirtualWriteEOIR1() pseudocode in the GICv3 architecture specification. Without this fix, potentially a hypervisor guest might stall because LPIs get stuck in a bogus Active+Pending state. Cc: qemu-stable@nongnu.org Signed-off-by:
Miguel Luis <miguel.luis@oracle.com> (cherry picked from commit 82a65e31 ) Signed-off-by:
-
- Jan 08, 2024
-
-
Michael Tokarev authored
Current error message: qemu-system-x86_64: -chardev spice,id=foo: Parameter 'driver' expects an abstract device type while in fact the meaning is in reverse, -chardev expects a non-abstract device type. Fixes: 777357d7 ("chardev: qom-ify" 2016-12-07) Signed-off-by:
Zhao Liu <zhao1.liu@intel.com> (cherry picked from commit 4ad87cd4 ) Signed-off-by:
-
Xu Lu authored
The mcycle/minstret counter's stop flag is mistakenly updated on a copy on stack. Thus the counter increments even when the CY/IR bit in the mcountinhibit register is set. This commit corrects its behavior. Fixes: 3780e337 (target/riscv: Support mcycle/minstret write operation) Signed-off-by:
Xu Lu <luxu.kernel@bytedance.com> Reviewed-by:
Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Signed-off-by:
-
- Jan 05, 2024
-
-
Pavel Pisa authored
A CAN sja1000 standard frame filter mask has been computed and applied incorrectly for standard frames when single Acceptance Filter Mode (MOD_AFM = 1) has been selected. The problem has not been found by Linux kernel testing because it uses dual filter mode (MOD_AFM = 0) and leaves falters fully open. The problem has been noticed by Grant Ramsay when testing with Zephyr RTOS which uses single filter mode. Signed-off-by:
Pavel Pisa <pisa@cmp.felk.cvut.cz> Reported-by:
Grant Ramsay <gramsay@enphaseenergy.com> Resolves: #2028 Fixes: 733210e7 ("hw/net/can: SJA1000 chip register level emulation") Message-ID: <20240103231426.5685-1-pisa@fel.cvut.cz> (cherry picked from commit 25145a7d ) Signed-off-by:
-
- Dec 22, 2023
-
-
Kevin Wolf authored
We have a few test cases that include tests for corner case aspects of internal snapshots, but nothing that tests that they actually function as snapshots or that involves deleting a snapshot. Add a test for this kind of basic internal snapshot functionality. The error cases include a regression test for the crash we just fixed with snapshot operations on inactive images. Signed-off-by:
-
Kevin Wolf authored
Currently, the conflict between -incoming and -loadvm is only detected when loading the snapshot fails because the image is still inactive for the incoming migration. This results in a suboptimal error message: $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots Catch the situation already in qemu_validate_options() to improve the message: $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer qemu-system-x86_64: 'incoming' and 'loadvm' options are mutually exclusive Signed-off-by:
-
Kevin Wolf authored
bdrv_is_read_only() only checks if the node is configured to be read-only eventually, but even if it returns false, writing to the node may not be permitted at the moment (because it's inactive). bdrv_is_writable() checks that the node can be written to right now, and this is what the snapshot operations really need. Change bdrv_can_snapshot() to use bdrv_is_writable() to fix crashes like the following: $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer qemu-system-x86_64: ../block/io.c:1990: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `!(bs->open_flags & BDRV_O_INACTIVE)' failed. The resulting error message after this patch isn't perfect yet, but at least it doesn't crash any more: $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots Signed-off-by:
-
Michael Tokarev authored
Signed-off-by:
-
- Dec 20, 2023
-
-
Jean-Philippe Brucker authored
MDCR_EL2.HPMN allows an hypervisor to limit the number of PMU counters available to EL1 and EL0 (to keep the others to itself). QEMU already implements this split correctly, except for PMCR_EL0.N reads: the number of counters read by EL1 or EL0 should be the one configured in MDCR_EL2.HPMN. Cc: qemu-stable@nongnu.org Signed-off-by:
Jean-Philippe Brucker <jean-philippe@linaro.org> Message-id: 20231215144652.4193815-2-jean-philippe@linaro.org Reviewed-by:
-
- Dec 14, 2023
-
-
Richard Henderson authored
In 32-bit mode, pc = eip + cs_base is also 32-bit, and must wrap. Failure to do so results in incorrect memory exceptions to the guest. Before 732d5487, this was implicitly done via truncation to target_ulong but only in qemu-system-i386, not qemu-system-x86_64. To fix this, we must add conditional zero-extensions. Since we have to test for 32 vs 64-bit anyway, note that cs_base is always zero in 64-bit mode. Resolves: #2022 Signed-off-by:
-
