Hi,
I also encounter the same problem. When I use the Qemu mainline and with
-machine pc-i440fx-2.0, the win7 guest will show blue screen, and give me
"The BIOS in this system is not fully ACPI compliant. Please contact your system
Vendor for an updated BIOS.
Technical information:
*** STOP: 0x
2014-03-26 3:25 GMT+08:00 Leandro Dorileo:
> On Fri, Mar 21, 2014 at 06:12:23PM +0800, Chunyan Liu wrote:
> > In QEMUOptionParameter and QemuOptsList conversion, 'assigned' info
> > is lost. In current code, only qcow2 amend uses 'assigned' for a check.
> > It will be broken after next patch. So,
On Wed, 2014-03-26 at 11:57 +0800, arei.gong...@huawei.com wrote:
> From: Gonglei
>
> UHCI emulation polls the device at a freq of 1000HZ, which consumes
> 12~13% CPU even though a Windows guest is completely idle when the guest
> was configured with a usb1.1 tablet device. This solution counts accumulated
> -Original Message-
> From: Gerd Hoffmann [mailto:kra...@redhat.com]
> Sent: Wednesday, March 26, 2014 3:59 PM
> To: Gonglei (Arei)
> Cc: qemu-devel@nongnu.org; Huangweidong (C)
> Subject: Re: [PATCH] uhci: Lower uhci timer freq when guest is idle
>
> On Wed, 2014-03-26 at 11:57 +0800, are
On 25/03/14 13:37, Paolo Bonzini wrote:
> On 25/03/2014 04:19, Gonglei (Arei) wrote:
>> Based on discussions in:
>> http://lists.gnu.org/archive/html/qemu-devel/2013-11/threads.html#03322
>>
>> About KVM_SET_GSI_ROUTING ioctl, I tested changing RCU to SRCU, but
>> unfortunately
>> it looks li
> > Based on discussions in:
> > http://lists.gnu.org/archive/html/qemu-devel/2013-11/threads.html#03322
> >
> > About KVM_SET_GSI_ROUTING ioctl, I tested changing RCU to SRCU, but
> unfortunately
> > it looks like SRCU's grace period is no better than RCU.
>
> Really? This is not what Christian
On Tue, Mar 25, 2014 at 10:35:28AM +, Anton Ivanov wrote:
> On 25/03/14 10:17, Stefan Hajnoczi wrote:
> > On Mon, Mar 24, 2014 at 11:56:16AM +, anton.iva...@kot-begemot.co.uk
> > wrote:
> >> 1. Correct buffering and correct poll FSM
> >>
> >> Current qemu queue logic assumes single packet i
On Tue, Mar 25, 2014 at 02:49:42PM +, Alex Bennée wrote:
>
> Stefan Hajnoczi writes:
>
> > On Mon, Mar 24, 2014 at 05:04:54PM +, alex.ben...@linaro.org wrote:
> >> From: Alex Bennée
> >>
> >> This makes the UST backend pay attention to the format string arguments
> >> that are defined
> On my system I have HZ=100 and lots of CPUs. So RCUs "every cpu has
> scheduled"
> is certainly slower than SRCUs algorithm
> (/*
> * We use an adaptive strategy for synchronize_srcu() and especially for
> * synchronize_srcu_expedited(). We spin for a fixed time period
> * (defined below) to
[snip]
>> So the fact that qemu_send_packet_async() has returned a non-zero does not
>> mean that we have not paid the price for it :)
> A non-zero return is simply an error code from the ->receive() function.
> In this case the packet is dropped but queuing is unaffected.
>
>> The relevant code
On Wed, Mar 26, 2014 at 01:55:53AM +0530, Prasad Joshi wrote:
> Signed-off-by: Prasad Joshi
> ---
> qemu-img.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks, applied to my block tree:
https://github.com/stefanha/qemu/commits/block
Stefan
* Michael S. Tsirkin (m...@redhat.com) wrote:
> On Tue, Mar 25, 2014 at 08:17:11PM +, Dr. David Alan Gilbert (git) wrote:
> >5) At the moment you select BER output format by setting an environment
> > variable ( export QEMUMIGFORMAT=BER ) , I need to put more thought
> > in t
Peter Lieven writes:
> this patch tries to optimize zero write requests
> by automatically using bdrv_write_zeroes if it is
> supported by the format.
>
> this should significantly speed up file system initialization and
> should speed zero write test used to test backend storage performance.
>
>
On Tue, Mar 25, 2014 at 04:44:48PM +0800, Li, Zhen-Hua wrote:
> From: "Li, ZhenHua"
>
> In the virtio-blk module, when there is a new request, a new req structure
> is created with malloc. Using a req pool instead will increase
> performance;
>
> Increase: about 5% to 10%.
>
> Signed-off
On Tue, Mar 25, 2014 at 01:26:05PM +0100, Stefan Hajnoczi wrote:
> From: "Frank Ch. Eigler"
>
> SystemTap sdt.h sometimes results in compiled probes without sufficient
> information to extract arguments. This can be solved in a slightly
> hacky way by encouraging the compiler to place arguments
On Wed, Mar 26, 2014 at 06:45:10AM -, Robert Hu wrote:
CCing Laszlo, Michael, and Marcel for ACPI
> Public bug reported:
>
> Environment:
>
> Host OS (ia32/ia32e/IA64):ia32e
> Guest OS (ia32/ia32e/IA64):ia32e
> Guest OS Type (Linux/Windows):Windows
> kvm.git Commit:94b3ffcd41a90
On 15.03.2014 03:48, Richard Henderson wrote:
> Loading an qemu pointer as an immediate happens often. E.g.
>
> - exit_tb $0x7fa8140013
> + exit_tb $0x7f81ee0013
> ...
> - : d2800260mov x0, #0x13
> - : f2b50280movkx0, #0xa814, lsl #16
> - : f2c00fe0movkx0, #
On 15.03.2014 03:48, Richard Henderson wrote:
> Some guest env are small enough to reach the tlb with only a 12-bit addition.
>
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 28 +++-
> 1 file changed, 19 insertions(+), 9 deletions(-)
>
> diff --gi
On 15.03.2014 03:48, Richard Henderson wrote:
> In some cases, a direct branch will be in range.
>
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 6 ++
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/tcg/aarch64/tcg-target.c b/tcg/aarch64/tcg-target
On 26/03/2014 09:22, Gonglei (Arei) wrote:
Yes, previously I was using synchronize_srcu, which is not good. When I
changed it to synchronize_srcu_expedited, grace period delay is much better
than synchronize_srcu. Though in our tests, we can still see some impact
of KVM_SET_GSI_ROUTING ioctl
On 15.03.2014 03:48, Richard Henderson wrote:
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 11 +--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/tcg/aarch64/tcg-target.c b/tcg/aarch64/tcg-target.c
> index 3b8aa7d..26dc1ab 100644
> --- a/tcg/a
On 15.03.2014 03:48, Richard Henderson wrote:
> Making the bswap conditional on the memop instead of a
> compile-time test instead.
too many insteads? :)
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 131
> +++
> 1 file change
On 15.03.2014 03:48, Richard Henderson wrote:
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 101
> ++-
> tcg/aarch64/tcg-target.h | 2 +-
> 2 files changed, 39 insertions(+), 64 deletions(-)
>
> diff --git a/tcg/aarch64/tcg-t
On 15.03.2014 03:48, Richard Henderson wrote:
> Cleaning up the implementation of REV and REV16 at the same time.
>
> Signed-off-by: Richard Henderson
> ---
> tcg/aarch64/tcg-target.c | 22 ++
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/tcg/aarch64/tc
On 25/03/2014 19:59, Peter Maydell wrote:
> Could "virt" be a sane default for qemu-system-arm?
> 2.0 might be the right time to change it.
Really I don't think there is a sane default at all for
ARM. Boards are just too different and you must know
which one you want. Anything other than "
On 25/03/2014 20:26, Peter Maydell wrote:
Currently for both qemu-system-arm and qemu-system-aarch64
the default board model if the user doesn't specify one
is the 'integratorcp'. This is a totally arbitrary historical
accident since it was the first board to be modelled.
That board is now j
Stefan,
Thank you for your suggestions. I will try g_slice_* and give more
performance testing results.
ZhenHua
On 03/26/2014 05:27 PM, Stefan Hajnoczi wrote:
On Tue, Mar 25, 2014 at 04:44:48PM +0800, Li, Zhen-Hua wrote:
From: "Li, ZhenHua"
In virtio-blk module, when there is new request,
On 26/03/2014 03:02, Li, Zhen-Hua wrote:
From: "Li, ZhenHua"
In the virtio-blk module, when there is a new request, a new req structure
is created with malloc. Using a req pool instead will increase
performance;
Increase: about 5% to 10%.
Can you try g_slice_new/g_slice_free inst
Sorry, I am confused.
There are two ways now:
1. Just use g_slice_new to replace malloc/free.
2. Use a pool as a replacement for frequently created/destroyed reqs, and
when creating the pool, use g_slice_new.
Which are you meaning?
Thanks
ZhenHua
On 03/26/2014 05:55 PM, Paolo Bonzini wrote:
Il 26
On 26/03/2014 10:59, Li, ZhenHua wrote:
Sorry, I am confused.
There are two ways now:
1. Just use g_slice_new to replace malloc/free.
2. Use a pool as a replacement for frequently created/destroyed reqs, and
when creating the pool, use g_slice_new.
Which are you meaning?
I think both I and Ste
On Wed, Mar 26, 2014 at 06:45:10AM -, Robert Hu wrote:
> Public bug reported:
>
> Environment:
>
> Host OS (ia32/ia32e/IA64):ia32e
> Guest OS (ia32/ia32e/IA64):ia32e
> Guest OS Type (Linux/Windows):Windows
> kvm.git Commit:94b3ffcd41a90d2cb0b32ca23aa58a0d5dc0
> qemu-kvm Commit
On Mon, 2014-03-24 at 11:39 +0200, Alon Levy wrote:
> The command ring and cursor rings are pushed to by the guest, and
> cleared asynchronously by qemu's spice thread. It is easy to have
> them non empty by bad guest behaviour, and we must never abort on bad
> guest behaviour.
I think we should ei
On Wed, Mar 26, 2014 at 08:46:35AM +0200, Michael S. Tsirkin wrote:
> On Wed, Mar 26, 2014 at 08:19:43AM +0800, Amos Kong wrote:
> > Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't
> > filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated.
>
> Yes but th
On 26 March 2014 09:51, Paolo Bonzini wrote:
> It's your call as the maintainer. I certainly wouldn't object to that,
> though (perhaps it's my delusion) I would have hoped that "virt" would have
> been a suitable choice for users coming from x86.
It's one option, but it's still (for instance) n
On Wed, Mar 26, 2014 at 07:16:42AM +, Gonglei (Arei) wrote:
> Hi,
>
> I also encounter the same problem. When I use the Qemu mainline and with
> -machine pc-i440fx-2.0, the win7 guest will show blue screen, and give me
> "The BIOS in this system is not fully ACPI compliant. Please contact you
On 26/03/2014 11:37, hu...@cn.fujitsu.com wrote:
> Signed-off-by: Hu Tao
Just a small comment below.
> ---
> qapi/string-output-visitor.c | 236
> +++--
> tests/test-string-output-visitor.c | 35 ++
> 2 files changed, 260 insertions(+), 11 deleti
On Wed, Mar 26, 2014 at 06:29:52PM +0800, Amos Kong wrote:
> From: Stefan Fritsch
>
> If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
> VLAN-tagged packets but send them to the guest.
>
> This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
> the OpenBSD dri
From: Stefan Fritsch
If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.
This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).
Signed-off-by: Stefan Fritsch
Signe
From: Wanlong Gao
Add the numa_info structure to contain the numa nodes memory,
VCPUs information and the future added numa nodes host memory
policies.
Reviewed-by: Eduardo Habkost
Signed-off-by: Andre Przywara
Signed-off-by: Wanlong Gao
[Fix hw/ppc/spapr.c - Paolo]
Signed-off-by: Paolo Bonzi
From: Wanlong Gao
If the total amount of memory assigned to the numa nodes is not
equal to the assigned ram size, the wrong data will be written
to the ACPI table; the guest will then ignore the wrong ACPI table
and put all memory in one node. It's buggy, so we should
check it to ensure that we write t
From: Paolo Bonzini
This option provides the infrastructure for binding guest NUMA nodes
to host NUMA nodes. For example:
-object memory-ram,size=1024M,policy=bind,host-nodes=0,id=ram-node0 \
-numa node,nodeid=0,cpus=0,memdev=ram-node0 \
-object memory-ram,size=1024M,policy=interleave,host-n
From: Paolo Bonzini
Signed-off-by: Paolo Bonzini
---
hw/i386/pc.c | 11 +--
hw/i386/pc_piix.c| 8 +++-
hw/i386/pc_q35.c | 4 +---
include/hw/i386/pc.h | 7 +++
4 files changed, 12 insertions(+), 18 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 2
From: Igor Mammedov
Adds option to -m
"size" - startup memory amount
For compatibility with the legacy CLI, if a suffix-less number is passed,
it assumes the amount is in Mb.
Otherwise the user is free to use a suffixed number with the suffixes b,k/K,M,G
Signed-off-by: Igor Mammedov
Signed-off-by: Paolo Bonzini
R
From: Igor Mammedov
Provides framework for splitting host RAM allocation/
policies into a separate backend that could be used
by devices.
Initially only the legacy RAM backend is provided, which
uses the memory_region_init_ram() allocator and is compatible
with every CLI option that affects memory_region_i
From: Paolo Bonzini
Follow the lines of the HMP implementation, using OptsVisitor
to parse the options. This gives access to OptsVisitor's
rich parsing of integer lists.
Signed-off-by: Paolo Bonzini
---
vl.c | 87 +++-
1 file cha
From: Paolo Bonzini
Prepare for adding more flags. The "_MASK" suffix is unique, kill it.
Signed-off-by: Paolo Bonzini
---
exec.c | 9 ++---
include/exec/cpu-all.h | 3 ---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/exec.c b/exec.c
index 710e025..691d21
From: Paolo Bonzini
Signed-off-by: Paolo Bonzini
---
backends/Makefile.objs | 1 +
backends/hostmem-file.c | 108
2 files changed, 109 insertions(+)
create mode 100644 backends/hostmem-file.c
diff --git a/backends/Makefile.objs b/backends/Ma
From: Paolo Bonzini
A new "share" property can be used with the "memory-file" backend to
map memory with MAP_SHARED instead of MAP_PRIVATE.
Signed-off-by: Paolo Bonzini
---
backends/hostmem-file.c | 26 +-
exec.c | 18 ++
include/exec/me
Signed-off-by: Hu Tao
---
include/qom/object.h | 18 ++
qom/object.c | 35 +++
2 files changed, 53 insertions(+)
diff --git a/include/qom/object.h b/include/qom/object.h
index a641dcd..2e488f1 100644
--- a/include/qom/object.h
+++ b/include
From: Wanlong Gao
Signed-off-by: Wanlong Gao
Reviewed-by: Eduardo Habkost
Signed-off-by: Paolo Bonzini
---
Makefile.target | 2 +-
cpus.c| 14
include/exec/cpu-all.h| 2 -
include/exec/cpu-common.h | 2 +
include/sysemu/cpus.h | 1 -
include
On Tue, Mar 11, 2014 at 06:46:10PM -0600, Eric Blake wrote:
> On 03/06/2014 11:09 PM, Amos Kong wrote:
> > vm_config_groups[] only contains part of the options which have
> > parameters, and all options which have no parameter aren't added
> > to vm_config_groups[]. Current query-command-line-optio
From: Paolo Bonzini
This allows the superclass to set various policies on the memory
region that the subclass creates.
Signed-off-by: Paolo Bonzini
---
backends/hostmem-file.c | 9 -
backends/hostmem-ram.c | 8 +++-
backends/hostmem.c | 12 ++--
include/sysemu/ho
From: Wanlong Gao
Add detection of libnuma (mostly contained in the numactl package)
to the configure script. It can be enabled or disabled on the command
line; the default is to use it if available.
Signed-off-by: Andre Przywara
Signed-off-by: Wanlong Gao
Signed-off-by: Paolo Bonzini
---
configure | 33
From: Paolo Bonzini
And allow preallocation of file-based memory even without -mem-prealloc.
Some care is necessary because -mem-prealloc does not allow disabling
preallocation for hostmem-file.
Signed-off-by: Paolo Bonzini
---
backends/hostmem-file.c | 3 +++
backends/hostmem.c | 42 +
From: Paolo Bonzini
Signed-off-by: Paolo Bonzini
---
backends/hostmem.c | 85 +++-
include/qemu/osdep.h | 10 ++
include/sysemu/hostmem.h | 1 +
3 files changed, 95 insertions(+), 1 deletion(-)
diff --git a/backends/hostmem.c b/backend
This is the hmp counterpart of qmp query-memdev.
Signed-off-by: Hu Tao
---
hmp.c | 36
hmp.h | 1 +
monitor.c | 7 +++
3 files changed, 44 insertions(+)
diff --git a/hmp.c b/hmp.c
index 2f279c4..b500856 100644
--- a/hmp.c
+++ b/hmp.c
@@ -22,6 +
Signed-off-by: Hu Tao
---
qapi/string-output-visitor.c | 236 +++--
tests/test-string-output-visitor.c | 35 ++
2 files changed, 260 insertions(+), 11 deletions(-)
diff --git a/qapi/string-output-visitor.c b/qapi/string-output-visitor.c
index fb1d2e8..e
Hello,
I can confirm the problem too, (opteron 63XX -> opteron 61XX)
qemu 1.7.1 (qemu64 or kvm64 vcpu) , host kernel 2.6.32 (rhel6.5)
I can reproduce it 100%
- Original Message -
From: "Markus Kovero"
To: qemu-devel@nongnu.org
Sent: Monday 27 January 2014 15:20:19
Subject: Re: [Qemu-devel] l
From: Paolo Bonzini
So that backends can use it.
Signed-off-by: Paolo Bonzini
---
exec.c | 44 +--
include/qemu/osdep.h | 2 ++
util/oslib-posix.c | 73
3 files changed, 76 insertions(+), 43 delet
Signed-off-by: Hu Tao
---
include/qemu/range.h | 119 +++
1 file changed, 119 insertions(+)
diff --git a/include/qemu/range.h b/include/qemu/range.h
index aae9720..d2dd49d 100644
--- a/include/qemu/range.h
+++ b/include/qemu/range.h
@@ -3,6 +3,7 @@
From: Paolo Bonzini
Use QERR_INVALID_PARAMETER_VALUE for consistency.
Signed-off-by: Paolo Bonzini
---
qmp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qmp.c b/qmp.c
index 54b95ba..440f3ab 100644
--- a/qmp.c
+++ b/qmp.c
@@ -544,7 +544,8 @@ void object_add(const char
On Wed, Mar 26, 2014 at 08:22:29AM +, Gonglei (Arei) wrote:
> > > Based on discussions in:
> > > http://lists.gnu.org/archive/html/qemu-devel/2013-11/threads.html#03322
> > >
> > > About KVM_SET_GSI_ROUTING ioctl, I tested changing RCU to SRCU, but
> > unfortunately
> > > it looks like SRCU's g
This is the model file that is being used for the QEMU project's scans
on scan.coverity.com. It fixed about 30 false positives (10% of the
total) and exposed about 60 new memory leaks.
The file is not automatically used; changes to it must be propagated
to the website manually by an admin (right
From: Wanlong Gao
libnuma chose 128 for MAX_NODES, so we follow libnuma here.
Signed-off-by: Wanlong Gao
Reviewed-by: Eduardo Habkost
Signed-off-by: Paolo Bonzini
---
include/sysemu/sysemu.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/sysemu/sysemu.h b/inclu
From: Luiz Capitulino
The -numa option documentation in qemu's manpage lacks the command-line
options and some information regarding how it relates to options -m and
-smp. This commit fills in the missing text.
Signed-off-by: Luiz Capitulino
Signed-off-by: Paolo Bonzini
---
qemu-options.hx |
On 26/03/14 09:22, Gonglei (Arei) wrote:
> Without patches, ping time can jump from 0.3ms to 2ms-30ms. With
> synchronize_srcu
> patch, ping time is worse. With synchronize_srcu_expedited patch, ping time
> is
> overall good, though sometimes ping time jump to 1ms-3ms.
Just to understand what
changes to v2.1:
- switch all boards to memory_region_allocate_system_memory
- make string input/output visitor parse int list
- add hmp info memdev
- tweaks to get pass of checkpatch.pl.
You can search `Current state of NUMA series, and hostmem improvements'
for the link of v2.1. Sorry f
Signed-off-by: Hu Tao
---
hw/alpha/typhoon.c | 4 ++--
hw/arm/cubieboard.c | 5 +++--
hw/arm/digic_boards.c| 3 +--
hw/arm/exynos4210.c | 18 +--
hw/arm/highbank.c| 3 ++-
h
Add the cloop block driver to qemu-iotests.
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Kevin Wolf
---
tests/qemu-iotests/common| 7 +++
tests/qemu-iotests/common.rc | 3 +++
2 files changed, 10 insertions(+)
diff --git a/tests/qemu-iotests/common b/tests/qemu-iotests/common
index 57
Add a cloop format-specific test case. Later patches add tests for
input validation to the script.
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Kevin Wolf
---
tests/qemu-iotests/075 | 53 +
tests/qemu-iotests/075.out |
The offsets[] array allows efficient seeking and tells us the maximum
compressed data size. If the offsets are bogus the maximum compressed
data size will be unrealistic.
This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway. Therefore we should refuse such image
This patch series fixes missing input validation in qcow2, vdi, vhdx, vpc,
bochs, curl, parallels, cloop, and dmg.
Some of the patches have been assigned CVEs because they have a security
impact.
Most of the missing input validation is in code that has been in the tree for a
long time. The philo
Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value. Also enforce the
assumption that the value is a non-zero multiple of 512.
These constraints conform to cloop 2.639's code so we accept existing
image files.
Signed-off-by:
From: Kevin Wolf
Signed-off-by: Kevin Wolf
Reviewed-by: Stefan Hajnoczi
---
tests/qemu-iotests/078 | 53 +++
tests/qemu-iotests/078.out | 6 +++
tests/qemu-iotests/common| 7 +++
tests/qemu-iotests
The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:
uint32_t n_blocks, offsets_size;
[...]
ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
[...]
s->n_blocks = be32_to_cpu(s->n_blocks);
/* read offsets
From: Jeff Cody
Other variables (e.g. sectors_per_block) are calculated using these
variables, and if not range-checked illegal values could be obtained
causing infinite loops and other potential issues when calculating
BAT entries.
The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
From: Kevin Wolf
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.
Signed-off-by: Kevin Wolf
Reviewed-by: Stefan Hajnoczi
---
block/bochs.c | 13 +
te
Limit offsets_size to 512 MB so that:
1. g_malloc() does not abort due to an unreasonable size argument.
2. offsets_size does not overflow the bdrv_pread() int size argument.
This limit imposes a maximum image size of 16 TB at 256 KB block size.
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Ke
From: Kevin Wolf
This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().
Signed-off-by: Kevin Wolf
Reviewed-by: Stefan Hajnoczi
---
block/bochs.c | 8
tests/qemu-iotests/078 | 13 +
tests/qemu-iotests/078.out | 8 +
From: Jeff Cody
The maximum blocks_in_image is 0x / 4, which also limits the
maximum disk_size for a VDI image.
Signed-off-by: Jeff Cody
Signed-off-by: Kevin Wolf
---
block/vdi.c | 28 +---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/block/vd
From: Jeff Cody
This adds checks to make sure that max_table_entries and block_size
are in sane ranges. Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded me
Use the right types instead of signed int:
size_t new_size;
This is a byte count for g_realloc() that is calculated from uint32_t
and size_t values.
uint32_t chunk_count;
Use the same type as s->n_chunks, which is used together with
chunk_count.
This patch is a cleanup and does not
From: Kevin Wolf
This fixes some cases of division by zero crashes.
Signed-off-by: Kevin Wolf
---
block/vpc.c| 5
tests/qemu-iotests/088 | 64 ++
tests/qemu-iotests/088.out | 17
tests/qemu-iotests/group | 1
From: Kevin Wolf
free_cluster_index is only correct if update_refcount() was called from
an allocation function, and even there it's brittle because it's used to
protect unfinished allocations which still have a refcount of 0 - if it
moves in the wrong place, the unfinished allocation can be corr
From: Kevin Wolf
This ensures that the checks catch all invalid cluster indexes
instead of returning the refcount of a wrong cluster.
Signed-off-by: Kevin Wolf
---
block/qcow2-refcount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-re
From: Paolo Bonzini
Split the internal interface in exec.c to a separate function, and
push the check on mem_path up to memory_region_init_ram.
Signed-off-by: Paolo Bonzini
---
exec.c | 105 +---
include/exec/cpu-all.h | 3 --
inc
From: Kevin Wolf
Signed-off-by: Kevin Wolf
---
block/qcow2-refcount.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 9130042..a37ee45 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@
From: Kevin Wolf
Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).
Signed-off-by: Kevin Wolf
---
block/qcow2
From: Paolo Bonzini
Right now, -mem-path will fall back to RAM-based allocation in some
cases. This should never happen with "-object memory-file", prepare
the code by adding correct error propagation.
Signed-off-by: Paolo Bonzini
---
exec.c | 36 -
When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.
If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses. Don't do
that.
Signed-off-b
From: Kevin Wolf
The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.
Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.
Signed-off-by: Kevin Wolf
---
bl
Peter,
The following changes since commit 7f6613cedc59fa849105668ae971dc31004bca1c:
target-mips: fix MTHC1 and MFHC1 when FPU in FR=0 mode (2014-03-25 23:36:35
+0100)
are available in the git repository at:
git://github.com/bonzini/qemu.git scsi-next
for you to fetch changes up to ec8929a
From: Kevin Wolf
Limit the in-memory reference count table size to 8 MB, it's enough in
practice. This fixes an unbounded allocation as well as a buffer
overflow in qcow2_refcount_init().
Signed-off-by: Kevin Wolf
---
block/qcow2-refcount.c | 4 +++-
block/qcow2.c | 9 ++
From: Kevin Wolf
This avoids an unbounded allocation.
Signed-off-by: Kevin Wolf
---
block/qcow2-snapshot.c | 4
block/qcow2.c | 4 +---
block/qcow2.h | 4
tests/qemu-iotests/080 | 15 ++-
tests/qemu-iotests/080.out | 6 ++
5 files
From: Stefan Fritsch
If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.
This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).
Signed-off-by: Stefan Fritsch
Signe
From: Igor Mammedov
Add object to /objects before calling user_creatable_complete()
handler, so that object might be able to call
object_get_canonical_path() in its completion handler.
Signed-off-by: Igor Mammedov
Signed-off-by: Paolo Bonzini
---
qmp.c | 8 +---
1 file changed, 5 insertio
From: Wanlong Gao
Signed-off-by: Wanlong Gao
Signed-off-by: Igor Mammedov
Tested-by: Eduardo Habkost
Reviewed-by: Eduardo Habkost
Signed-off-by: Paolo Bonzini
---
include/sysemu/sysemu.h | 3 +-
numa.c | 145 +++-
qapi-schema.js
From: Amos Kong
Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't
filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated.
This patch added a new field to @RxFilterInfo to indicate vlan receive
state ('normal', 'none', 'all'). If VIRTIO_NET_F_CTRL_VLAN isn