Akihiko Odaki writes:
> rom_bar is tristate but was defined as uint32_t so convert it into
> OnOffAuto to clarify that. For compatibility, a uint32 value set via
> QOM will be converted into OnOffAuto.
>
> Signed-off-by: Akihiko Odaki
I agree making property "rombar" an integer was a design mis
On Wed, Jul 31, 2024 at 10:32:19AM +0200, Markus Armbruster wrote:
> Whether it would be worth your trouble and mine just to clean up
> "rombar" seems highly dubious, though.
Exactly.
--
MST
On 7/30/24 19:56, Michael S. Tsirkin wrote:
On Tue, Jul 30, 2024 at 09:26:20PM +0900, Akihiko Odaki wrote:
On 2024/07/30 20:37, Michael S. Tsirkin wrote:
On Mon, Jul 15, 2024 at 02:19:06PM +0900, Akihiko Odaki wrote:
Based-on: <20240714-rombar-v2-0-af1504ef5...@daynix.com>
("[PATCH v2 0/4] hw/
On 2024/07/15 14:15, Akihiko Odaki wrote:
On 2024/05/16 11:00, Yui Washizu wrote:
On 2024/04/28 18:05, Akihiko Odaki wrote:
Based-on: <20240315-reuse-v9-0-67aa69af4...@daynix.com>
("[PATCH for 9.1 v9 00/11] hw/pci: SR-IOV related fixes and
improvements")
Introduction
This se
Am 30.07.2024 um 10:10 hat Markus Armbruster geschrieben:
> camel_to_upper() converts its argument from camel case to upper case
> with '_' between words. Used for generated enumeration constant
> prefixes.
>
> When some of the words are spelled all caps, where exactly to insert
> '_' is guesswor
On Tue, Jul 30, 2024 at 02:26:49PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé writes:
>
> > On Tue, Jul 30, 2024 at 10:10:25AM +0200, Markus Armbruster wrote:
> >> QAPI's 'prefix' feature can make the connection between enumeration
> >> type and its constants less than obvious. It's be
In some error cases, scsi_block_sgio_complete() never calls the passed
callback, but directly completes the request. This leads to bugs because
its error paths are not exact copies of what the callback would normally
do.
In preparation to fix this, allow passing positive return values to the
callb
Running validation tests in Windows 2019's Failover Cluster Manager
fails in two different ways when run with rerror/werror=stop:
1. It runs into an assertion failure because the sgio-based I/O path
takes shortcuts in its error handling that skip necessary cleanup
2. RESERVATION_CONFLICT is tr
Instead of calling into scsi_handle_rw_error() directly from
scsi_block_sgio_complete() and skipping the normal callback, go through
the normal cleanup path by calling the callback with a positive error
value.
The important difference here is not only that the code path is cleaner,
but that the ca
In the case of scsi-block, RESERVATION_CONFLICT is not a backend error,
but indicates that the guest tried to make a request that it isn't
allowed to execute. Pass the error to the guest so that it can decide
what to do with it.
Without this, if we stop the VM in response to a RESERVATION_CONFLICT
scsi_block_sgio_complete() has surprising behaviour in that there are
error cases in which it directly completes the request and never calls
the passed callback. In the current state of the code, this doesn't seem
to result in bugs, but with future code changes, we must be careful to
never rely on
On 30/7/24 11:47, Andrey Drobyshev wrote:
Apparently 'qemu-img info' doesn't report the backing file format field
for qed (as it does for qcow2):
$ qemu-img create -f qed base.qed 1M && qemu-img create -f qed -b base.qed -F
qed top.qed 1M
$ qemu-img create -f qcow2 base.qcow2 1M && qemu-img cre
In vdi_co_pwritev() we multiply a sector count by SECTOR_SIZE to
get the size to write in bytes. Coverity notes that this means that
we do the multiply as a 32x32->32 multiply before converting to
64 bits, which has the potential to overflow.
This is very unlikely to happen, since the block map ha
This patchset is a collection of fixes for minor Coverity reported
issues. In all cases, there isn't a user-visible problem, but
the Coverity issue pointed up somewhere where we could clean
up the code or make it a bit more obvious to a human reader
what the intent was.
Only lightly tested (with "
In compare_fingerprint() we effectively check whether the characters
in the fingerprint are valid hex digits twice: first we do so with
qemu_isxdigit(), but then the hex2decimal() function also has a code
path where it effectively detects an invalid digit and returns -1.
This causes Coverity to com
Coverity complains about an overflow in isa_fdc_get_drive_max_chs()
that can happen if the loop over fd_formats never finds a match,
because we initialize *maxc to 0 and then at the end of the
function decrement it.
This can't ever actually happen because fd_formats has at least
one entry for each
Coverity notes that the code at the end of the loop in
bmdma_prepare_buf() is unreachable. This is because in commit
9fbf0fa81fca8f527 ("ide: remove hardcoded 2GiB transactional limit")
we removed the only codepath in the loop which could "break" out of
it, but didn't notice that this meant we sho
In ide_atapi_cmd_reply_end() we calculate a 16-bit size, and then
assign its two halves to s->lcyl and s->hcyl like this:
s->lcyl = size;
s->hcyl = size >> 8;
Coverity warns that the first line here can overflow the
8-bit s->lcyl variable. This is true, and in this case we'r
In the loop in qemu_gluster_parse_json() we do:
char *str = NULL;
for(...) {
str = g_strdup_printf(...);
...
if (various errors) {
goto out;
}
...
g_free(str);
str = NULL;
}
return 0;
out:
various cleanups;
In pflash_write() Coverity points out that we can decrement the
unsigned pfl->counter below zero, which makes it wrap around. In
fact this is harmless, because if pfl->counter is 0 at this point we
also increment pfl->wcycle to 3, and the wcycle == 3 handling doesn't
look at counter; the only way
Peter Maydell writes:
> In ide_atapi_cmd_reply_end() we calculate a 16-bit size, and then
> assign its two halves to s->lcyl and s->hcyl like this:
>
>s->lcyl = size;
>s->hcyl = size >> 8;
>
> Coverity warns that the first line here can overflow the
> 8-bit s->lcyl variabl
On Wed, 31 Jul 2024 at 15:47, Markus Armbruster wrote:
>
> Peter Maydell writes:
>
> > In ide_atapi_cmd_reply_end() we calculate a 16-bit size, and then
> > assign its two halves to s->lcyl and s->hcyl like this:
> >
> >s->lcyl = size;
> >s->hcyl = size >> 8;
> >
> > Cover
Peter Maydell writes:
> Coverity complains about an overflow in isa_fdc_get_drive_max_chs()
> that can happen if the loop over fd_formats never finds a match,
> because we initialize *maxc to 0 and then at the end of the
> function decrement it.
>
> This can't ever actually happen because fd_form
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> Coverity complains about an overflow in isa_fdc_get_drive_max_chs()
> that can happen if the loop over fd_formats never finds a match,
> because we initialize *maxc to 0 and then at the end of the
> function decrement it.
>
> This can't ever
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> In ide_atapi_cmd_reply_end() we calculate a 16-bit size, and then
> assign its two halves to s->lcyl and s->hcyl like this:
>
>s->lcyl = size;
>s->hcyl = size >> 8;
>
> Coverity warns that the first line here can over
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> In vdi_co_pwritev() we multiply a sector count by SECTOR_SIZE to
> get the size to write in bytes. Coverity notes that this means that
> we do the multiply as a 32x32->32 multiply before converting to
> 64 bits, which has the potential to over
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> In the loop in qemu_gluster_parse_json() we do:
>
> char *str = NULL;
> for(...) {
> str = g_strdup_printf(...);
> ...
> if (various errors) {
> goto out;
> }
> ...
> g_free(
Am 31.07.24 um 16:36 schrieb Peter Maydell:
In vdi_co_pwritev() we multiply a sector count by SECTOR_SIZE to
get the size to write in bytes. Coverity notes that this means that
we do the multiply as a 32x32->32 multiply before converting to
64 bits, which has the potential to overflow.
This is
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> In pflash_write() Coverity points out that we can decrement the
> unsigned pfl->counter below zero, which makes it wrap around. In
> fact this is harmless, because if pfl->counter is 0 at this point we
> also increment pfl->wcycle to 3, and t
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> Coverity notes that the code at the end of the loop in
> bmdma_prepare_buf() is unreachable. This is because in commit
> 9fbf0fa81fca8f527 ("ide: remove hardcoded 2GiB transactional limit")
> we removed the only codepath in the loop which cou
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> In compare_fingerprint() we effectively check whether the characters
> in the fingerprint are valid hex digits twice: first we do so with
> qemu_isxdigit(), but then the hex2decimal() function also has a code
> path where it effectively detect
On Wed, 31 Jul 2024 at 16:21, Kevin Wolf wrote:
>
> Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
> > In compare_fingerprint() we effectively check whether the characters
> > in the fingerprint are valid hex digits twice: first we do so with
> > qemu_isxdigit(), but then the hex2decimal()
On 30/7/24 11:21, Philippe Mathieu-Daudé wrote:
Since malicious guest can write invalid addresses to
the ADMASYSADDR register, we need to check whether the
descriptor could be correctly filled or not.
Cc: qemu-sta...@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller"
On 31/7/24 16:36, Peter Maydell wrote:
In the loop in qemu_gluster_parse_json() we do:
char *str = NULL;
for(...) {
str = g_strdup_printf(...);
...
if (various errors) {
goto out;
}
...
g_free(str);
str = NULL;
On 31/7/24 16:36, Peter Maydell wrote:
Coverity complains about an overflow in isa_fdc_get_drive_max_chs()
that can happen if the loop over fd_formats never finds a match,
because we initialize *maxc to 0 and then at the end of the
function decrement it.
This can't ever actually happen because f
On 31/7/24 17:13, Kevin Wolf wrote:
Am 31.07.2024 um 16:36 hat Peter Maydell geschrieben:
Coverity notes that the code at the end of the loop in
bmdma_prepare_buf() is unreachable. This is because in commit
9fbf0fa81fca8f527 ("ide: remove hardcoded 2GiB transactional limit")
we removed the only
Since v1:
- split patch
- do not return MemTxResult from get_adma_description()
- single DMA read in SDHC_CTRL_ADMA2_64 case
Based-on: <20240730092138.32443-5-phi...@linaro.org>
Philippe Mathieu-Daudé (4):
hw/sd/sdhci: Reduce variables scope in sdhci_do_adma()
hw/sd/sdhci: Reduce variables sc
Since malicious guest can write invalid addresses to
the ADMASYSADDR register, we need to check whether the
descriptor could be correctly filled or not.
Cc: qemu-sta...@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Signed-off-by: Philippe Mathieu-Daudé
---
hw/s
All variables are only used within the for loop.
Declare them within it. In particular this resets
'dscr' on each iteration.
Signed-off-by: Philippe Mathieu-Daudé
---
hw/sd/sdhci.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
i
The 'adma1' variable is only used in the SDHC_CTRL_ADMA1_32
case, and 'adma2' in SDHC_CTRL_ADMA2_32. Add braces in the
switch case to use local declarations.
Do the same in the SDHC_CTRL_ADMA2_64 case because we'll add
a local variable there in the next commit.
Replace 0xF000 -> ~0xfff to alig
Instead of 3 consecutive dma_memory_read() calls, use
a packed structure to read the descriptor in a single
call.
Signed-off-by: Philippe Mathieu-Daudé
---
hw/sd/sdhci.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
inde
On 2024/07/31 18:34, Yui Washizu wrote:
On 2024/07/15 14:15, Akihiko Odaki wrote:
On 2024/05/16 11:00, Yui Washizu wrote:
On 2024/04/28 18:05, Akihiko Odaki wrote:
Based-on: <20240315-reuse-v9-0-67aa69af4...@daynix.com>
("[PATCH for 9.1 v9 00/11] hw/pci: SR-IOV related fixes and
improvement
On Thu, Aug 01, 2024 at 02:37:55PM +0900, Akihiko Odaki wrote:
> I don't know much about vDPA-capable device, but as a reference, igb only
> has 8 VFs.
modern vdpa capable devices have much more than 8 VFs, 8 is a very low
number.
--
MST
43 matches
Mail list logo
