From 4f68392c2613a88821b211d99d2b4305ea731cda Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Nov 04 2015 20:48:36 +0000 Subject: Rebased to version 2.4.1 --- diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch deleted file mode 100644 index 9401ea7..0000000 --- a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:44 +0200 -Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and - vpermxor - -For vector instructions, the helpers get pointers to the vector register -in arguments. Some operands might point to the same register, including -the operand holding the result. - -When emulating instructions which access the vector elements in a -non-linear way, we need to store the result in an temporary variable. - -This fixes openssl when emulating a POWER8 CPU. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/int_helper.c | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c -index 0a55d5e..b122868 100644 ---- a/target-ppc/int_helper.c -+++ b/target-ppc/int_helper.c -@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a) - - void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u32) { -- r->AVRW(i) = b->AVRW(i) ^ -+ result.AVRW(i) = b->AVRW(i) ^ - (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^ - AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^ - AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^ - AES_Te3[a->AVRB(AES_shifts[4*i + 3])]); - } -+ *r = result; - } - - void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); - } -+ *r = result; - } - - void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) -@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - - void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ 
(AES_isbox[a->AVRB(AES_ishifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); - } -+ *r = result; - } - - #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n))) -@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six) - - void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c) - { -+ ppc_avr_t result; - int i; -+ - VECTOR_FOR_INORDER_I(i, u8) { - int indexA = c->u8[i] >> 4; - int indexB = c->u8[i] & 0xF; - #if defined(HOST_WORDS_BIGENDIAN) -- r->u8[i] = a->u8[indexA] ^ b->u8[indexB]; -+ result.u8[i] = a->u8[indexA] ^ b->u8[indexB]; - #else -- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; -+ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; - #endif - } -+ *r = result; - } - - #undef VECTOR_FOR_INORDER_I diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch deleted file mode 100644 index 2d2f370..0000000 --- a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:45 +0200 -Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding - -The xscmpodp and xscmpudp instructions only have the AX, BX bits in -there encoding, the lowest bit (usually TX) is marked as an invalid -bit. We therefore can't decode them with GEN_XX2FORM, which decodes -the two lowest bit. - -Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark -the lowest bit as invalid. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/translate.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/target-ppc/translate.c b/target-ppc/translate.c -index 84c5cea..c0eed13 100644 ---- a/target-ppc/translate.c -+++ b/target-ppc/translate.c -@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2) - -+#undef GEN_XX2IFORM -+#define GEN_XX2IFORM(name, opc2, opc3, fl2) \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2) -+ - #undef GEN_XX3_RC_FORM - #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \ -@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX), - GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX), - GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX), - GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX), --GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), --GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), -+GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), -+GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), - 
GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), - GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), - GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), diff --git a/0003-ide-fix-ATAPI-command-permissions.patch b/0003-ide-fix-ATAPI-command-permissions.patch deleted file mode 100644 index 7afc084..0000000 --- a/0003-ide-fix-ATAPI-command-permissions.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From: John Snow -Date: Thu, 17 Sep 2015 14:17:05 -0400 -Subject: [PATCH] ide: fix ATAPI command permissions - -We're a little too lenient with what we'll let an ATAPI drive handle. -Clamp down on the IDE command execution table to remove CD_OK permissions -from commands that are not and have never been ATAPI commands. - -For ATAPI command validity, please see: -- ATA4 Section 6.5 ("PACKET Command feature set") -- ATA8/ACS Section 4.3 ("The PACKET feature set") -- ACS3 Section 4.3 ("The PACKET feature set") - -ACS3 has a historical command validity table in Table B.4 -("Historical Command Assignments") that can be referenced to find when -a command was introduced, deprecated, obsoleted, etc. - -The only reference for ATAPI command validity is by checking that -version's PACKET feature set section. - -ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 -therefore are assumed to have never been ATAPI commands. - -Mandatory commands, as listed in ATA8-ACS3, are: - -- DEVICE RESET -- EXECUTE DEVICE DIAGNOSTIC -- IDENTIFY DEVICE -- IDENTIFY PACKET DEVICE -- NOP -- PACKET -- READ SECTOR(S) -- SET FEATURES - -Optional commands as listed in ATA8-ACS3, are: - -- FLUSH CACHE -- READ LOG DMA EXT -- READ LOG EXT -- WRITE LOG DMA EXT -- WRITE LOG EXT - -All other commands are illegal to send to an ATAPI device and should -be rejected by the device. - -CD_OK removal justifications: - -0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. -0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. -0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. -0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. -0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. -0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. -0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI. -0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. 
-0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. -0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. -0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. - -This patch fixes a divide by zero fault that can be caused by sending -the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to -attempt to use zeroed CHS values to perform sector arithmetic. - -Reported-by: Qinghao Tang -Signed-off-by: John Snow -Reviewed-by: Markus Armbruster -Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com -CC: qemu-stable@nongnu.org -(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a) ---- - hw/ide/core.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 50449ca..71caea9 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -1747,11 +1747,11 @@ static const struct { - } ide_cmd_table[0x100] = { - /* NOP not implemented, mandatory for CD */ - [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, -- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, -+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, - [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, - [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, - [WIN_READ] = { cmd_read_pio, ALL_OK }, -- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, -+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, - [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, -@@ -1770,12 +1770,12 @@ static const struct { - [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, - [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, 
ALL_OK }, - [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, -- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, - [WIN_PACKETCMD] = { cmd_packet, CD_OK }, - [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, - [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, -@@ -1789,19 +1789,19 @@ static const struct { - [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, - [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, - [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, -- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, - [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, - [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, - [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, - [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, - [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, - [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, -- [WIN_READ_NATIVE_MAX] = { 
cmd_read_native_max, ALL_OK | SET_DSC }, -+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, - }; - - static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) diff --git a/0004-virtio-introduce-virtqueue_unmap_sg.patch b/0004-virtio-introduce-virtqueue_unmap_sg.patch deleted file mode 100644 index 1481b88..0000000 --- a/0004-virtio-introduce-virtqueue_unmap_sg.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From: Jason Wang -Date: Fri, 25 Sep 2015 13:21:28 +0800 -Subject: [PATCH] virtio: introduce virtqueue_unmap_sg() - -Factor out sg unmapping logic. This will be reused by the patch that -can discard descriptor. - -Cc: Michael S. Tsirkin -Cc: Andrew James -Signed-off-by: Jason Wang -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin - -(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c) ---- - hw/virtio/virtio.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 788b556..242aecb 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq) - return vring_avail_idx(vq) == vq->last_avail_idx; - } - --void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, -- unsigned int len, unsigned int idx) -+static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, -+ unsigned int len) - { - unsigned int offset; - int i; - -- trace_virtqueue_fill(vq, elem, len, idx); -- - offset = 0; - for (i = 0; i < elem->in_num; i++) { - size_t size = MIN(len - offset, elem->in_sg[i].iov_len); -@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, - cpu_physical_memory_unmap(elem->out_sg[i].iov_base, - elem->out_sg[i].iov_len, - 0, elem->out_sg[i].iov_len); -+} -+ -+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, -+ unsigned int len, unsigned int idx) -+{ -+ trace_virtqueue_fill(vq, elem, len, idx); -+ -+ virtqueue_unmap_sg(vq, elem, len); - - idx = (idx + vring_used_idx(vq)) % vq->vring.num; - diff --git a/0005-virtio-introduce-virtqueue_discard.patch b/0005-virtio-introduce-virtqueue_discard.patch deleted file mode 100644 index 817665a..0000000 --- a/0005-virtio-introduce-virtqueue_discard.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: Jason Wang -Date: Fri, 25 Sep 2015 13:21:29 +0800 -Subject: [PATCH] virtio: introduce virtqueue_discard() - -This patch introduces virtqueue_discard() to discard a descriptor and -unmap the sgs. This will be used by the patch that will discard -descriptor when packet is truncated. - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin - -(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade) ---- - hw/virtio/virtio.c | 7 +++++++ - include/hw/virtio/virtio.h | 2 ++ - 2 files changed, 9 insertions(+) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 242aecb..b1f4e16 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, - 0, elem->out_sg[i].iov_len); - } - -+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, -+ unsigned int len) -+{ -+ vq->last_avail_idx--; -+ virtqueue_unmap_sg(vq, elem, len); -+} -+ - void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, - unsigned int len, unsigned int idx) - { -diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h -index cccae89..8023bde 100644 ---- a/include/hw/virtio/virtio.h -+++ b/include/hw/virtio/virtio.h -@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n); - void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, - unsigned int len); - void virtqueue_flush(VirtQueue *vq, unsigned int count); -+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, -+ unsigned int len); - void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, - unsigned int len, unsigned int idx); - diff --git a/0006-virtio-net-correctly-drop-truncated-packets.patch b/0006-virtio-net-correctly-drop-truncated-packets.patch deleted file mode 100644 index eb21dbb..0000000 --- a/0006-virtio-net-correctly-drop-truncated-packets.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Jason Wang -Date: Fri, 25 Sep 2015 13:21:30 +0800 -Subject: [PATCH] virtio-net: correctly drop truncated packets - -When packet is truncated during receiving, we drop the packets but -neither discard the descriptor nor add and signal used -descriptor. This will lead several issues: - -- sg mappings are leaked -- rx will be stalled if a lots of packets were truncated - -In order to be consistent with vhost, fix by discarding the descriptor -in this case. - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin - -(cherry picked from commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3) ---- - hw/net/virtio-net.c | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index 1510839..775389b 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf, size_t - * must have consumed the complete packet. - * Otherwise, drop it. */ - if (!n->mergeable_rx_bufs && offset < size) { --#if 0 -- error_report("virtio-net truncated non-mergeable packet: " -- "i %zd mergeable %d offset %zd, size %zd, " -- "guest hdr len %zd, host hdr len %zd", -- i, n->mergeable_rx_bufs, -- offset, size, n->guest_hdr_len, n->host_hdr_len); --#endif -+ virtqueue_discard(q->rx_vq, &elem, total); - return size; - } - diff --git a/0007-mirror-Fix-coroutine-reentrance.patch b/0007-mirror-Fix-coroutine-reentrance.patch deleted file mode 100644 index 9faced1..0000000 --- a/0007-mirror-Fix-coroutine-reentrance.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From: Kevin Wolf -Date: Thu, 13 Aug 2015 10:41:50 +0200 -Subject: [PATCH] mirror: Fix coroutine reentrance - -This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero -write on target if sectors not allocated"), which was reported to cause -aborts with the message "Co-routine re-entered recursively". - -The cause for this bug is the following code in mirror_iteration_done(): - - if (s->common.busy) { - qemu_coroutine_enter(s->common.co, NULL); - } - -This has always been ugly because - unlike most places that reenter - it -doesn't have a specific yield that it pairs with, but is more -uncontrolled. What we really mean here is "reenter the coroutine if -it's in one of the four explicit yields in mirror.c". - -This used to be equivalent with s->common.busy because neither -mirror_run() nor mirror_iteration() call any function that could yield. -However since commit dcfb3beb this doesn't hold true any more: -bdrv_get_block_status_above() can yield. - -So what happens is that bdrv_get_block_status_above() wants to take a -lock that is already held, so it adds itself to the queue of waiting -coroutines and yields. Instead of being woken up by the unlock function, -however, it gets woken up by mirror_iteration_done(), which is obviously -wrong. - -In most cases the code actually happens to cope fairly well with such -cases, but in this specific case, the unlock must already have scheduled -the coroutine for wakeup when mirror_iteration_done() reentered it. And -then the coroutine happened to process the scheduled restarts and tried -to reenter itself recursively. - -This patch fixes the problem by pairing the reenter in -mirror_iteration_done() with specific yields instead of abusing -s->common.busy. 
- -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: Paolo Bonzini -Reviewed-by: Stefan Hajnoczi -Reviewed-by: Jeff Cody -Message-id: 1439455310-11263-1-git-send-email-kwolf@redhat.com -Signed-off-by: Jeff Cody -(cherry picked from commit e424aff5f307227b1c2512bbb8ece891bb895cef) ---- - block/mirror.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/block/mirror.c b/block/mirror.c -index fc4d8f5..b2fb4b9 100644 ---- a/block/mirror.c -+++ b/block/mirror.c -@@ -60,6 +60,7 @@ typedef struct MirrorBlockJob { - int sectors_in_flight; - int ret; - bool unmap; -+ bool waiting_for_io; - } MirrorBlockJob; - - typedef struct MirrorOp { -@@ -114,11 +115,7 @@ static void mirror_iteration_done(MirrorOp *op, int ret) - qemu_iovec_destroy(&op->qiov); - g_slice_free(MirrorOp, op); - -- /* Enter coroutine when it is not sleeping. The coroutine sleeps to -- * rate-limit itself. The coroutine will eventually resume since there is -- * a sleep timeout so don't wake it early. -- */ -- if (s->common.busy) { -+ if (s->waiting_for_io) { - qemu_coroutine_enter(s->common.co, NULL); - } - } -@@ -203,7 +200,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s) - /* Wait for I/O to this cluster (from a previous iteration) to be done. 
*/ - while (test_bit(next_chunk, s->in_flight_bitmap)) { - trace_mirror_yield_in_flight(s, sector_num, s->in_flight); -+ s->waiting_for_io = true; - qemu_coroutine_yield(); -+ s->waiting_for_io = false; - } - - do { -@@ -239,7 +238,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s) - */ - while (nb_chunks == 0 && s->buf_free_count < added_chunks) { - trace_mirror_yield_buf_busy(s, nb_chunks, s->in_flight); -+ s->waiting_for_io = true; - qemu_coroutine_yield(); -+ s->waiting_for_io = false; - } - if (s->buf_free_count < nb_chunks + added_chunks) { - trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight); -@@ -333,7 +334,9 @@ static void mirror_free_init(MirrorBlockJob *s) - static void mirror_drain(MirrorBlockJob *s) - { - while (s->in_flight > 0) { -+ s->waiting_for_io = true; - qemu_coroutine_yield(); -+ s->waiting_for_io = false; - } - } - -@@ -506,7 +509,9 @@ static void coroutine_fn mirror_run(void *opaque) - if (s->in_flight == MAX_IN_FLIGHT || s->buf_free_count == 0 || - (cnt == 0 && s->in_flight > 0)) { - trace_mirror_yield(s, s->in_flight, s->buf_free_count, cnt); -+ s->waiting_for_io = true; - qemu_coroutine_yield(); -+ s->waiting_for_io = false; - continue; - } else if (cnt != 0) { - delay_ns = mirror_iteration(s); diff --git a/qemu.spec b/qemu.spec index f778aa1..e311b1a 100644 --- a/qemu.spec +++ b/qemu.spec @@ -39,8 +39,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.4.0.1 -Release: 2%{?dist} +Version: 2.4.1 +Release: 1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
@@ -68,19 +68,6 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -# Fix emulation of various instructions, required by libm in F22 ppc64 -# guests. -Patch0001: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch -Patch0002: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch -# CVE-2015-6855: ide: divide by zero issue (bz #1261793) -Patch0003: 0003-ide-fix-ATAPI-command-permissions.patch -# CVE-2015-7295: virtio-net possible remote DoS (bz #1264393) -Patch0004: 0004-virtio-introduce-virtqueue_unmap_sg.patch -Patch0005: 0005-virtio-introduce-virtqueue_discard.patch -Patch0006: 0006-virtio-net-correctly-drop-truncated-packets.patch -# drive-mirror: Fix coroutine reentrance (bz #1266936) -Patch0007: 0007-mirror-Fix-coroutine-reentrance.patch - BuildRequires: SDL2-devel BuildRequires: zlib-devel BuildRequires: which @@ -1212,6 +1199,9 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed Nov 04 2015 Cole Robinson - 2:2.4.1-1 +- Rebased to version 2.4.1 + * Sun Oct 11 2015 Cole Robinson - 2:2.4.0.1-2 - Rebuild for xen 4.6 diff --git a/sources b/sources index d4f0f63..8610765 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c99445164e77184a9ba2e7dbf7ed5c29 qemu-2.4.0.1.tar.bz2 +a895e93ec1dafc34bc64ed676f0d55a6 qemu-2.4.1.tar.bz2
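Review bot: The `%changelog` entry added in the `@@ -1212,6 +1199,9 @@` hunk says only "Rebased to version 2.4.1", but the `@@ -68,19 +68,6 @@` hunk drops Patch0003 through Patch0006, which the removed spec comments tie to CVE-2015-6855 and CVE-2015-7295. Presumably the 2.4.1 tarball already carries these fixes, since the deleted patch files are cherry-picks of upstream commits d9033e1d3aa666c5071580617a57bd853c5d794a, ce317461573bac12b10d67699b4ddf1f97cf066c, 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade and 0cf33fb6b49a19de32859e2cdc6021334f448fb3. Nothing in this diff confirms that, so it is worth checking the unpacked source for the `HD_CFA_OK` entry on `WIN_READ_NATIVE_MAX` and the `virtqueue_discard()` call in `virtio_net_receive()` before the build ships. I would also keep the fixes visible to anyone auditing the package changelog by adding `- CVE-2015-6855: ide: divide by zero issue (bz #1261793)` and `- CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)` under the new entry, noting that they are now fixed by the rebase.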