1
The following changes since commit 33f18cf7dca7741d3647d514040904ce83edd73d:
1
The following changes since commit 15ef89d2a1a7b93845a6b09c2ee8e1979f6eb30b:
2
2
3
Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190821-pull-request' into staging (2019-08-21 15:18:50 +0100)
3
Update version for v7.0.0-rc1 release (2022-03-22 22:58:44 +0000)
4
4
5
are available in the Git repository at:
5
are available in the Git repository at:
6
6
7
https://github.com/stefanha/qemu.git tags/block-pull-request
7
https://gitlab.com/stefanha/qemu.git tags/block-pull-request
8
8
9
for you to fetch changes up to 5d4c1ed3d46d7e2010b389fe5f3376f605182ab0:
9
for you to fetch changes up to 2539eade4f689eda7e9fe45486f18334bfbafaf0:
10
10
11
vhost-user-scsi: prevent using uninitialized vqs (2019-08-22 16:52:23 +0100)
11
hw: Fix misleading hexadecimal format (2022-03-24 10:38:42 +0000)
12
12
13
----------------------------------------------------------------
13
----------------------------------------------------------------
14
Pull request
14
Pull request
15
15
16
Philippe found cases where the 0x%d format string was used, leading to
17
misleading output. The patches look harmless and could save people time, so I
18
think it's worth including them in 7.0.
19
16
----------------------------------------------------------------
20
----------------------------------------------------------------
17
21
18
Raphael Norwitz (1):
22
Philippe Mathieu-Daudé (2):
19
vhost-user-scsi: prevent using uninitialized vqs
23
block: Fix misleading hexadecimal format
24
hw: Fix misleading hexadecimal format
20
25
21
Stefan Hajnoczi (1):
26
block/parallels-ext.c | 2 +-
22
util/async: hold AioContext ref to prevent use-after-free
27
hw/i386/sgx.c | 2 +-
23
28
hw/i386/trace-events | 6 +++---
24
hw/scsi/vhost-user-scsi.c | 2 +-
29
hw/misc/trace-events | 4 ++--
25
util/async.c | 8 ++++++++
30
hw/scsi/trace-events | 4 ++--
26
2 files changed, 9 insertions(+), 1 deletion(-)
31
5 files changed, 9 insertions(+), 9 deletions(-)
27
32
28
--
33
--
29
2.21.0
34
2.35.1
30
35
31
1
From: Raphael Norwitz <raphael.norwitz@nutanix.com>
1
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
2
2
3
Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
3
"0x%u" format is very misleading, replace by "0x%x".
4
and event without a physical address. This can cause
5
vhost_verify_ring_part_mapping to return ENOMEM, causing
6
the following logs:
7
4
8
qemu-system-x86_64: Unable to map available ring for ring 0
5
Found running:
9
qemu-system-x86_64: Verify ring failure on region 0
10
6
11
The qemu commit e6cc11d64fc998c11a4dfcde8fda3fc33a74d844
7
$ git grep -E '0x%[0-9]*([lL]*|" ?PRI)[dDuU]' block/
12
has already resolved the issue for vhost scsi devices but
13
the fix was never applied to vhost-user scsi devices.
14
8
15
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
9
Inspired-by: Richard Henderson <richard.henderson@linaro.org>
16
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
10
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
17
Message-id: 1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com
11
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
18
Message-Id: <1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com>
12
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
13
Reviewed-by: Denis V. Lunev <den@openvz.org>
14
Message-id: 20220323114718.58714-2-philippe.mathieu.daude@gmail.com
19
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
15
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
20
---
16
---
21
hw/scsi/vhost-user-scsi.c | 2 +-
17
block/parallels-ext.c | 2 +-
22
1 file changed, 1 insertion(+), 1 deletion(-)
18
1 file changed, 1 insertion(+), 1 deletion(-)
23
19
24
diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
20
diff --git a/block/parallels-ext.c b/block/parallels-ext.c
25
index XXXXXXX..XXXXXXX 100644
21
index XXXXXXX..XXXXXXX 100644
26
--- a/hw/scsi/vhost-user-scsi.c
22
--- a/block/parallels-ext.c
27
+++ b/hw/scsi/vhost-user-scsi.c
23
+++ b/block/parallels-ext.c
28
@@ -XXX,XX +XXX,XX @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
24
@@ -XXX,XX +XXX,XX @@ static int parallels_parse_format_extension(BlockDriverState *bs,
29
}
25
break;
30
26
31
vsc->dev.nvqs = 2 + vs->conf.num_queues;
27
default:
32
- vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
28
- error_setg(errp, "Unknown feature: 0x%" PRIu64, fh.magic);
33
+ vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
29
+ error_setg(errp, "Unknown feature: 0x%" PRIx64, fh.magic);
34
vsc->dev.vq_index = 0;
30
goto fail;
35
vsc->dev.backend_features = 0;
31
}
36
vqs = vsc->dev.vqs;
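Review bot: The switch to `g_new0` on the `vsc->dev.vqs` line is the whole fix, yet nothing next to it says why zeroing matters, so a later cleanup could turn it back into `g_new` without tripping anything. Suggest a comment above the assignment: `/* Zero-initialise: per the commit message the guest may set up only the cmd queue, leaving ctrl/event without addresses, and the vhost mapping code must not see stale vq state. */`. The commit message also says vhost-scsi received the same fix separately; the two realize paths evidently duplicate this allocation, and a shared helper would stop them drifting apart again (inferred from the description, not visible here). vhost_user_scsi_realize starts and ends outside the hunk.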
32
37
--
33
--
38
2.21.0
34
2.35.1
39
35
40
36
1
The tests/test-bdrv-drain /bdrv-drain/iothread/drain test case does the
1
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
2
following:
3
2
4
1. The preadv coroutine calls aio_bh_schedule_oneshot() and then yields.
3
"0x%u" format is very misleading, replace by "0x%x".
5
2. The one-shot BH executes in another AioContext. All it does is call
6
aio_co_wakeup(preadv_co).
7
3. The preadv coroutine is re-entered and returns.
8
4
9
There is a race condition in aio_co_wake() where the preadv coroutine
5
Found running:
10
returns and the test case destroys the preadv IOThread. aio_co_wake()
11
can still be running in the other AioContext and it performs an access
12
to the freed IOThread AioContext.
13
6
14
Here is the race in aio_co_schedule():
7
$ git grep -E '0x%[0-9]*([lL]*|" ?PRI)[dDuU]' hw/
15
8
16
QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
9
Inspired-by: Richard Henderson <richard.henderson@linaro.org>
17
co, co_scheduled_next);
10
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
18
<-- race: co may execute before we invoke qemu_bh_schedule()!
11
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
19
qemu_bh_schedule(ctx->co_schedule_bh);
12
Message-id: 20220323114718.58714-3-philippe.mathieu.daude@gmail.com
20
21
So if co causes ctx to be freed then we're in trouble. Fix this problem
22
by holding a reference to ctx.
23
24
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
25
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
26
Message-id: 20190723190623.21537-1-stefanha@redhat.com
27
Message-Id: <20190723190623.21537-1-stefanha@redhat.com>
28
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
13
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
29
---
14
---
30
util/async.c | 8 ++++++++
15
hw/i386/sgx.c | 2 +-
31
1 file changed, 8 insertions(+)
16
hw/i386/trace-events | 6 +++---
17
hw/misc/trace-events | 4 ++--
18
hw/scsi/trace-events | 4 ++--
19
4 files changed, 8 insertions(+), 8 deletions(-)
32
20
33
diff --git a/util/async.c b/util/async.c
21
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
34
index XXXXXXX..XXXXXXX 100644
22
index XXXXXXX..XXXXXXX 100644
35
--- a/util/async.c
23
--- a/hw/i386/sgx.c
36
+++ b/util/async.c
24
+++ b/hw/i386/sgx.c
37
@@ -XXX,XX +XXX,XX @@ void aio_co_schedule(AioContext *ctx, Coroutine *co)
25
@@ -XXX,XX +XXX,XX @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
38
abort();
39
}
26
}
40
27
41
+ /* The coroutine might run and release the last ctx reference before we
28
if ((sgx_epc->base + sgx_epc->size) < sgx_epc->base) {
42
+ * invoke qemu_bh_schedule(). Take a reference to keep ctx alive until
29
- error_report("Size of all 'sgx-epc' =0x%"PRIu64" causes EPC to wrap",
43
+ * we're done.
30
+ error_report("Size of all 'sgx-epc' =0x%"PRIx64" causes EPC to wrap",
44
+ */
31
sgx_epc->size);
45
+ aio_context_ref(ctx);
32
exit(EXIT_FAILURE);
46
+
33
}
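Review bot: The `error_report` on the changed line prints only `sgx_epc->size`, but the condition directly above fails on `base + size` wrapping, so the message cannot show the reader which operand pushed the sum past 64 bits. Printing both operands makes the diagnostic self-contained: `error_report("'sgx-epc' base=0x%" PRIx64 " size=0x%" PRIx64 " causes EPC to wrap", sgx_epc->base, sgx_epc->size);`. The `=0x` without a space before it in the current text also reads oddly. pc_machine_init_sgx_epc starts and ends outside the hunk.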
47
QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
34
diff --git a/hw/i386/trace-events b/hw/i386/trace-events
48
co, co_scheduled_next);
35
index XXXXXXX..XXXXXXX 100644
49
qemu_bh_schedule(ctx->co_schedule_bh);
36
--- a/hw/i386/trace-events
50
+
37
+++ b/hw/i386/trace-events
51
+ aio_context_unref(ctx);
38
@@ -XXX,XX +XXX,XX @@ vtd_fault_disabled(void) "Fault processing disabled for context entry"
52
}
39
vtd_replay_ce_valid(const char *mode, uint8_t bus, uint8_t dev, uint8_t fn, uint16_t domain, uint64_t hi, uint64_t lo) "%s: replay valid context device %02"PRIx8":%02"PRIx8".%02"PRIx8" domain 0x%"PRIx16" hi 0x%"PRIx64" lo 0x%"PRIx64
53
40
vtd_replay_ce_invalid(uint8_t bus, uint8_t dev, uint8_t fn) "replay invalid context device %02"PRIx8":%02"PRIx8".%02"PRIx8
54
void aio_co_wake(struct Coroutine *co)
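Review bot: The added `aio_context_unref(ctx)` after `qemu_bh_schedule()` may itself be the call that drops the last reference (the comment already says the coroutine can release its own), so the AioContext can now be finalized on the scheduling thread at that point; aio_co_schedule must not touch `ctx` after the unref, which holds in the hunk but is worth stating so nobody appends code there later. Suggest extending the new comment with `The unref at the end of this function may drop the last reference; ctx must not be used after it.`. The pairing also presumes `aio_context_ref` is safe to call from a thread other than the one owning ctx — that looks like the intended use here, but it is not visible in the hunk. aio_co_schedule starts outside the hunk; its closing brace is the hunk's last code line.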
41
vtd_page_walk_level(uint64_t addr, uint32_t level, uint64_t start, uint64_t end) "walk (base=0x%"PRIx64", level=%"PRIu32") iova range 0x%"PRIx64" - 0x%"PRIx64
42
-vtd_page_walk_one(uint16_t domain, uint64_t iova, uint64_t gpa, uint64_t mask, int perm) "domain 0x%"PRIu16" iova 0x%"PRIx64" -> gpa 0x%"PRIx64" mask 0x%"PRIx64" perm %d"
43
+vtd_page_walk_one(uint16_t domain, uint64_t iova, uint64_t gpa, uint64_t mask, int perm) "domain 0x%"PRIx16" iova 0x%"PRIx64" -> gpa 0x%"PRIx64" mask 0x%"PRIx64" perm %d"
44
vtd_page_walk_one_skip_map(uint64_t iova, uint64_t mask, uint64_t translated) "iova 0x%"PRIx64" mask 0x%"PRIx64" translated 0x%"PRIx64
45
vtd_page_walk_one_skip_unmap(uint64_t iova, uint64_t mask) "iova 0x%"PRIx64" mask 0x%"PRIx64
46
vtd_page_walk_skip_read(uint64_t iova, uint64_t next) "Page walk skip iova 0x%"PRIx64" - 0x%"PRIx64" due to unable to read"
47
vtd_page_walk_skip_reserve(uint64_t iova, uint64_t next) "Page walk skip iova 0x%"PRIx64" - 0x%"PRIx64" due to rsrv set"
48
vtd_switch_address_space(uint8_t bus, uint8_t slot, uint8_t fn, bool on) "Device %02x:%02x.%x switching address space (iommu enabled=%d)"
49
vtd_as_unmap_whole(uint8_t bus, uint8_t slot, uint8_t fn, uint64_t iova, uint64_t size) "Device %02x:%02x.%x start 0x%"PRIx64" size 0x%"PRIx64
50
-vtd_translate_pt(uint16_t sid, uint64_t addr) "source id 0x%"PRIu16", iova 0x%"PRIx64
51
-vtd_pt_enable_fast_path(uint16_t sid, bool success) "sid 0x%"PRIu16" %d"
52
+vtd_translate_pt(uint16_t sid, uint64_t addr) "source id 0x%"PRIx16", iova 0x%"PRIx64
53
+vtd_pt_enable_fast_path(uint16_t sid, bool success) "sid 0x%"PRIx16" %d"
54
vtd_irq_generate(uint64_t addr, uint64_t data) "addr 0x%"PRIx64" data 0x%"PRIx64
55
vtd_reg_read(uint64_t addr, uint64_t size) "addr 0x%"PRIx64" size 0x%"PRIx64
56
vtd_reg_write(uint64_t addr, uint64_t size, uint64_t val) "addr 0x%"PRIx64" size 0x%"PRIx64" value 0x%"PRIx64
57
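--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@
 # See docs/devel/tracing.rst for syntax documentation.
 
 # allwinner-cpucfg.c
-allwinner_cpucfg_cpu_reset(uint8_t cpu_id, uint32_t reset_addr) "id %u, reset_addr 0x%" PRIu32
+allwinner_cpucfg_cpu_reset(uint8_t cpu_id, uint32_t reset_addr) "id %u, reset_addr 0x%" PRIx32
 allwinner_cpucfg_read(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %" PRIu32
 allwinner_cpucfg_write(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %" PRIu32
 
@@ -XXX,XX +XXX,XX @@ imx7_gpr_write(uint64_t offset, uint64_t value) "addr 0x%08" PRIx64 "value 0x%08
 
 # mos6522.c
 mos6522_set_counter(int index, unsigned int val) "T%d.counter=%d"
-mos6522_get_next_irq_time(uint16_t latch, int64_t d, int64_t delta) "latch=%d counter=0x%"PRId64 " delta_next=0x%"PRId64
+mos6522_get_next_irq_time(uint16_t latch, int64_t d, int64_t delta) "latch=%d counter=0x%"PRIx64 " delta_next=0x%"PRIx64
 mos6522_set_sr_int(void) "set sr_int"
 mos6522_write(uint64_t addr, const char *name, uint64_t val) "reg=0x%"PRIx64 " [%s] val=0x%"PRIx64
 mos6522_read(uint64_t addr, const char *name, unsigned val) "reg=0x%"PRIx64 " [%s] val=0x%x"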
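Review bot: The new `mos6522_get_next_irq_time` line pairs `PRIx64` with `int64_t` arguments (`d` and `delta`); `PRIx64` is the conversion for `uint64_t`, so a negative value would print as its 64-bit two's-complement bit pattern rather than as a signed number, and `-Wformat-signedness` would flag the mismatch. If these values can be negative, keep a signed conversion for them or cast at the call site; if they cannot, declaring the parameters as `uint64_t` would make that explicit (callers are not visible here, so this is a suggestion to check rather than a confirmed defect). The `allwinner_cpucfg_cpu_reset` change in the first hunk is type-consistent and needs nothing.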
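--- a/hw/scsi/trace-events
+++ b/hw/scsi/trace-events
@@ -XXX,XX +XXX,XX @@ lsi_bad_phase_interrupt(void) "Phase mismatch interrupt"
 lsi_bad_selection(uint32_t id) "Selected absent target %"PRIu32
 lsi_do_dma_unavailable(void) "DMA no data available"
 lsi_do_dma(uint64_t addr, int len) "DMA addr=0x%"PRIx64" len=%d"
-lsi_queue_command(uint32_t tag) "Queueing tag=0x%"PRId32
+lsi_queue_command(uint32_t tag) "Queueing tag=0x%"PRIx32
 lsi_add_msg_byte_error(void) "MSG IN data too long"
 lsi_add_msg_byte(uint8_t data) "MSG IN 0x%02x"
 lsi_reselect(int id) "Reselected target %d"
@@ -XXX,XX +XXX,XX @@ lsi_do_msgout_noop(void) "MSG: No Operation"
 lsi_do_msgout_extended(uint8_t msg, uint8_t len) "Extended message 0x%x (len %d)"
 lsi_do_msgout_ignored(const char *msg) "%s (ignored)"
 lsi_do_msgout_simplequeue(uint8_t select_tag) "SIMPLE queue tag=0x%x"
-lsi_do_msgout_abort(uint32_t tag) "MSG: ABORT TAG tag=0x%"PRId32
+lsi_do_msgout_abort(uint32_t tag) "MSG: ABORT TAG tag=0x%"PRIx32
 lsi_do_msgout_clearqueue(uint32_t tag) "MSG: CLEAR QUEUE tag=0x%"PRIx32
 lsi_do_msgout_busdevicereset(uint32_t tag) "MSG: BUS DEVICE RESET tag=0x%"PRIx32
 lsi_do_msgout_select(int id) "Select LUN %d"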
55
--
101
--
56
2.21.0
102
2.35.1
57
103
58
104