
Re: pushing a few more qemu-kvm fixes from upstream



I prepared a set of changes I really want to go to wheezy.
"Preliminary" debdiff follows.  There's at least one more
fix I'd love to see, but the bug hasn't been chased yet
(#683983).  Also, there are a few other bugs in BTS which
are worth fixing but it is a slow process.

The proposed debdiff includes a few new bugs I filed today.
Each has been verified (reproduced), and the fix has been
verified too, and I did some testing on my set of guests
to ensure the result does not break something.. obvious.
I filed all these bugs with Severity important, i.e., not
to be RC bugs, but this is just the "minimal" severity
possible for these bugs, -- the cases where each bug
happens are quite important use cases for the package.

A few comments about my original email below.

On 08.08.2012 11:57, Michael Tokarev wrote:
> Hello again.
> 
> There are quite a few fixes accumulated in qemu-kvm 1.1
> stable upstream branch since qemu-kvm 1.1 debian release.
> Some of them are already included in the debian release.
> 
> The others.. some aren't relevant for qemu-kvm (like
> non-x86 bits), some are just compiler warning suppressions
> or other neatness, but some are real fixes for real bugs.
> 
> In this message I'm just drawing some overview of the changes
> which I think are important, to ask for opinion of the
> release team -- which changes are considered acceptable and
> which aren't.  Based on this, I'll prepare a new release
> with a proper debdiff and changelog, etc.
> 
> The relevant upstream git tree:
>  http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-1.1
> 
> From these 32 patches, the following patches are "nice to have" in
> wheezy:
> 
>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=c63c453889d0bfbd183da686bc076590220fd44a
>  "virtio-blk: Fix geometry sector calculation"
>  somewhat large patch which allows CHS geometry to be used with
>  virtio block devices.  Not hugely important, but I already come
>  across this issue more than once when testing various partitioning
>  tools in guests.

I'd include this too, but it is more like a de-crippled feature.
It is part of 1.1.1 upstream stable.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=07ff37597bee726681c94c650568870bd4ff94d1
>  "exec: fix TB invalidation after breakpoint insertion/deletion"
>  this one-liner re-enables debugging of qemu-kvm

I can't easily reproduce/verify this.  Asked upstream.
It is part of 1.1.1 upstream stable.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca09717e8e0664801522781962a3c727d04eef33
>  "kvm/apic: correct short memset"
>  Epic one-liner:
>   -    memset(kapic, 0, sizeof(kapic));
>   +    memset(kapic, 0, sizeof(*kapic));
>  I'm not sure what problem it actually fixes, it might even be a
>  security issue.

Ditto, will ask upstream for more details.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=c49dd1bf6450b7880972b2f176ec10e8a496073c
>  "monitor: Fix memory leak with readline completion"
>  Memory for monitor command completion is never freed.
>  The memleak isn't large, and this feature isn't used often, but the memleak is present.
>  Simple patch.

I included it in the debdiff.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=065436479b9164b51892dbd7a7e35a3f9f496894
>  "rtl8139: honor RxOverflow flag in can_receive method"
>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b7093f294c330c4db789c077dac9d8611e4f8ee0
>  "rtl8139: validate rx ring before receiving packets"
>  Two changes for rtl8139 virtual device which makes it behave
>  more like real hardware.  I don't know whether there are any
>  real usage cases triggering these issues, but this stuff is
>  very difficult to debug - when a guest expects one thing from
>  the "hardware" but the hardware does something else.
>  First fix is trivial, second is a bit larger.

I'd include these two, but I don't have a reproducer
and hence no verifier.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=70d582074f0b9485ad9800f8e0126ef68608ba85
>  "fdc: fix implied seek while there is no media in drive"
>  This is another fix from the same theme: making virtual hw behave
>  more like real hw.  Apparently without this fix, windows can't
>  be installed into a virtual machine with a (virtual) floppy drive.
>  Simple fix.

This one is actually already included into qemu-kvm 1.1.0.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=1658e3cd893e3a35d89388fdd736a6d81cb405e8
>  "ahci: Fix reset of MSI function"
>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0ec39075710ae15acc2a5825cd21e0c229fa04af
>  "intel-hda: Fix reset of MSI function"
>  Two simple fixes for two virtual devices which currently
>  mis-handle device reset in some cases (when MSI is in use).
>  Device resets aren't frequent thing to see from a guest,
>  but when it happens, without these fixes the devices will
>  stop working.  Appears to be from the same theme again.

I'll ask upstream for more details.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=cd63a77e990f68a699ba220c8006386bd4379f81
>  "ahci: SATA FIS is 20 bytes, not 0x20"
>  Yet another from the "device compatibility" theme, a 2-liner.
> 
>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=7672b714b28e3d49f73c605873404bf6f644c2b2
>  "kvm: i8254: Fix conversion of in-kernel to userspace state"
>  This is a relatively large fix for timekeeping (kernel<=>user
>  timer conversion was wrong).  Timekeeping is a very difficult
>  topic in virtual environment, and this appears to be an important
>  part of it.

And this one, too, is already included into qemu-kvm 1.1.0.
Which is very good, since the change, while important, is
also difficult.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0da4c073228c645a0366f3fe801df072cf268482
>  "qcow2: fix autoclear image header update"
>  This one is relatively simple fix for an interesting problem,
>  which may lead to data corruption.

I'd include this too, asked upstream about a reproducer
and possible effects of the original bug.

>  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=845685265756467050859e2359acf16321111352
>  "qemu-img: document qed format on qemu-img man page"
>  Not a bugfix obviously, but should be a welcome change, I hope.
> 

Note again: all the above, plus quite a few more, are parts
of upstream qemu-kvm 1.1.1 "stable" series.  I'm cherry-picking
the most important - in my opinion - commits from there.

> Neither of these issues are filed as bugreports against
> debian bts, as in, no debian users (me included) hit the
> issues yet, and some issues are difficult to hit (esp.
>  the ones from more-hardware-like-behaviour category, like
>  the rtl8139 things above - it exercises "edge" code
>  paths which rarely happen in real life but lead to
>  unexpected and very difficult to debug results when
>  they actually happen).  I can try to create bugreports with
> actual reproducers for each, when appropriate, but it
> will be a large work.
> 
> There are a few other issues found with fixes already
> written, which hopefully will be part of next upstream
> stable release (1.1.2).  For some of them I already filed
> bugreports:
> 
>   #684261 "qemu segfaults whith aio=native, virtio and a block device"
>   #684263: "ahci: large cdrom reads leads to corrupt data"

I included fixes for these in the debdiff.

> and some others are like other fixes already mentioned
> above.
> 
> The question is: what to do with all this?  Which fixes
> are okay for wheezy still, and which should be dropped?
> (To be fair, I don't want to drop any of these, each is
> a clear bug with a good possibility to be hit by users
> once wheezy is released and the software will be in much
> more wider use).
> 
> Alternatively, maybe it is a good idea to apply whole
> 1.1.1 series with other not-so-important-or-relevant
> changes (like changes for build system, silencing of
> warnings, or changes for non-x86 architecture), -- to
> be more on-line with upstream stable branch.. all the
> other changes in there are at least harmless, and may
> be useful for debian in the future (like compiler
> warnings happening with more recent gcc).

> I'm sorry this email is so large with so many technical
> details.  I tried to give a short and clear summary for
> each change which I think is important, and am asking
> for some hints from the release team about how to
> proceed.

I think I'll include a few more fixes - from both the
already released upstream 1.1.1 series and from changes
proposed for upstream 1.1.x stable into the mix, and
will ask for unblock.  Without including whole 1.1.1
series.  Or else I'm risking making too large a patch...

Thanks!

/mjt
diff -Nru qemu-kvm-1.1.0+dfsg/debian/changelog qemu-kvm-1.1.0+dfsg/debian/changelog
--- qemu-kvm-1.1.0+dfsg/debian/changelog	2012-07-18 21:44:09.000000000 +0400
+++ qemu-kvm-1.1.0+dfsg/debian/changelog	2012-08-08 23:36:53.000000000 +0400
@@ -1,3 +1,20 @@
+qemu-kvm (1.1.0+dfsg-4~1) UNRELEASED; urgency=low
+
+  * uhci:-fix-uhci_async_cancel_all.patch (upstream commit
+    77fa9aee38758a078870e25f0dcf642066b4d5cc).  This fixes
+    use-after-free in usb code (Closes: #684323)
+  * eventfd-making-it-thread-safe.patch - fix a missing
+    ioeventfd notifier (Closes: #680719)
+  * qom-object_delete-should-unparent-the-object-first.patch
+    fixes assertion failure on usb_del (Closes: #684282)
+  * virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
+    (Closes: #684261)
+  * monitor-Fix-memory-leak-with-readline-completion.patch (Closes: #684311)
+  * ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch (Closes: #684263)
+  * ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch (Closes: #684327)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 08 Aug 2012 21:41:59 +0400
+
 qemu-kvm (1.1.0+dfsg-3) unstable; urgency=low
 
   * ship /usr/share/kvm/qemu-icon.bmp (Closes: #681306)
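Review bot: the eventfd-making-it-thread-safe entry says "fix a missing ioeventfd notifier", which does not describe the patch: its own commit message adds a qemu_notify_event() call so the main loop restarts select() after another thread changes the fd-handler list. Reword the entry to match, so the release team can see which paths the change touches. The uhci entry is the right model (upstream commit id plus the bug class, use-after-free); the other cherry-picks have upstream ids in their headers too and the changelog could carry them as well.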
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch	2012-08-08 22:53:57.000000000 +0400
@@ -0,0 +1,171 @@
+Subject: [1/2,v2] ahci: Fix ahci cdrom read corruptions for reads > 128k
+Date: Fri, 03 Aug 2012 09:57:06 -0000
+From: Jason Baron <jbaron@redhat.com>
+Message-Id: <bd1a04fe31f6dfb29a7ab8771cdc40589c029773.1344023079.git.jbaron@redhat.com>
+To: agraf@suse.de
+Cc: kwolf@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org,
+ armbru@redhat.com, qemu-stable@nongnu.org,
+ alex.williamson@redhat.com, avi@redhat.com, pbonzini@redhat.com,
+ afaerber@suse.de
+Bug: http://bugs.debian.org/684263
+Comment: fix sent to upstream, discussed+agreed, should go to upstream stable/1.1
+Comment: backported to stable-1.1 by mjt (fixing qemu_sglist_init() calls)
+
+While testing q35, which has its cdrom attached to the ahci controller, I found
+that the Fedora 17 install would panic on boot. The panic occurs while
+squashfs is trying to read from the cdrom. The errors are:
+
+[    8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
+[    8.625180] SQUASHFS error: squashfs_read_data failed to read block
+0x20be48a
+
+I was also able to produce corrupt data reads using an installed piix based
+qemu machine, using 'dd'. I found that the corruptions were only occuring when
+then read size was greater than 128k. For example, the following command
+results in corrupted reads:
+
+dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct
+
+The > 128k size reads exercise a different code path than 128k and below. In
+ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus,
+ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k.
+However, ahci_dma_rw_buf() restart the read from offset 0, instead of at 128k.
+Thus, resulting in a corrupted read.
+
+To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep
+track of the offset. I've also modified ahci_populate_sglist() to take a new
+3rd offset argument, so that the sglist is property initialized.
+
+I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots
+and installs on q35 with the cdrom ahci controller.
+
+Signed-off-by: Jason Baron <jbaron@redhat.com>
+Tested-by: Andreas Färber <afaerber@suse.de>
+
+---
+hw/ide/ahci.c     |   41 ++++++++++++++++++++++++++++++++++-------
+ hw/ide/internal.h |    1 +
+ 2 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index efea93f..de580a6 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -636,7 +636,7 @@ static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis)
+     }
+ }
+ 
+-static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
++static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
+ {
+     AHCICmdHdr *cmd = ad->cur_cmd;
+     uint32_t opts = le32_to_cpu(cmd->opts);
+@@ -647,6 +647,10 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
+     uint8_t *prdt;
+     int i;
+     int r = 0;
++    int sum = 0;
++    int off_idx = -1;
++    int off_pos = -1;
++    int tbl_entry_size;
+ 
+     if (!sglist_alloc_hint) {
+         DPRINTF(ad->port_no, "no sg list given by guest: 0x%08x\n", opts);
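Review bot: the accumulators introduced here (`int sum`, `int tbl_entry_size`) and the new `int offset` parameter are signed, while every PRDT entry length in the loop that follows is guest-supplied (`le32_to_cpu(tbl[i].flags_size) + 1`). A guest can fill the PRDT with large entries so that `sum` runs past INT_MAX during the walk; signed overflow there is undefined and can make the `offset <= sum + tbl_entry_size` test select the wrong entry. Suggest unsigned (or 64-bit) types for `sum`, `tbl_entry_size` and `offset`, or bounding the running total against the command's declared length.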
+@@ -669,10 +673,31 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
+     /* Get entries in the PRDT, init a qemu sglist accordingly */
+     if (sglist_alloc_hint > 0) {
+         AHCI_SG *tbl = (AHCI_SG *)prdt;
+-
+-        qemu_sglist_init(sglist, sglist_alloc_hint);
++        sum = 0;
+         for (i = 0; i < sglist_alloc_hint; i++) {
+             /* flags_size is zero-based */
++            tbl_entry_size = (le32_to_cpu(tbl[i].flags_size) + 1);
++            if (offset <= (sum + tbl_entry_size)) {
++                off_idx = i;
++                off_pos = offset - sum;
++                break;
++            }
++            sum += tbl_entry_size;
++        }
++        if ((off_idx == -1) || (off_pos < 0) || (off_pos > tbl_entry_size)) {
++            DPRINTF(ad->port_no, "%s: Incorrect offset! "
++                            "off_idx: %d, off_pos: %d\n",
++                            __func__, off_idx, off_pos);
++            r = -1;
++            goto out;
++        }
++
++        qemu_sglist_init(sglist, (sglist_alloc_hint - off_idx));
++        qemu_sglist_add(sglist, le64_to_cpu(tbl[off_idx].addr + off_pos),
++                        le32_to_cpu(tbl[off_idx].flags_size) + 1 - off_pos);
++
++        for (i = off_idx + 1; i < sglist_alloc_hint; i++) {
++            /* flags_size is zero-based */
+             qemu_sglist_add(sglist, le64_to_cpu(tbl[i].addr),
+                             le32_to_cpu(tbl[i].flags_size) + 1);
+         }
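Review bot: `le64_to_cpu(tbl[off_idx].addr + off_pos)` adds the byte offset to the raw little-endian field before byte-swapping, so on a big-endian host the resulting address is wrong; it should be `le64_to_cpu(tbl[off_idx].addr) + off_pos`, the shape the unchanged `qemu_sglist_add()` call just below already uses. Separately, the search condition `offset <= (sum + tbl_entry_size)` together with a validation that accepts `off_pos == tbl_entry_size` means an offset landing exactly on an entry boundary (for example 128k into a PRDT of 4k entries) picks the entry that just ended and adds a zero-length first element; using `<`, or stepping to the next entry when `off_pos == tbl_entry_size`, avoids that. The rejection path is a DPRINTF only; since a malformed PRDT is guest input, a visible error would be more appropriate.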
+@@ -745,7 +770,7 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
+             ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2,
+             s->dev[port].port.ifs[0].nb_sectors - 1);
+ 
+-    ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist);
++    ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0);
+     ncq_tfs->tag = tag;
+ 
+     switch(ncq_fis->command) {
+@@ -970,7 +995,7 @@ static int ahci_start_transfer(IDEDMA *dma)
+         goto out;
+     }
+ 
+-    if (!ahci_populate_sglist(ad, &s->sg)) {
++    if (!ahci_populate_sglist(ad, &s->sg, 0)) {
+         has_sglist = 1;
+     }
+ 
+@@ -1015,6 +1040,7 @@ static void ahci_start_dma(IDEDMA *dma, IDEState *s,
+     DPRINTF(ad->port_no, "\n");
+     ad->dma_cb = dma_cb;
+     ad->dma_status |= BM_STATUS_DMAING;
++    s->io_buffer_offset = 0;
+     dma_cb(s, 0);
+ }
+ 
+@@ -1023,7 +1049,7 @@ static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
+     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+     IDEState *s = &ad->port.ifs[0];
+ 
+-    ahci_populate_sglist(ad, &s->sg);
++    ahci_populate_sglist(ad, &s->sg, 0);
+     s->io_buffer_size = s->sg.size;
+ 
+     DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size);
+@@ -1037,7 +1063,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+     uint8_t *p = s->io_buffer + s->io_buffer_index;
+     int l = s->io_buffer_size - s->io_buffer_index;
+ 
+-    if (ahci_populate_sglist(ad, &s->sg)) {
++    if (ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset)) {
+         return 0;
+     }
+ 
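Review bot: when `ahci_populate_sglist()` rejects the offset, the function returns 0 and `s->io_buffer_offset` keeps its already-advanced value, so the caller sees a zero-length transfer with no indication of why. Consider reporting the failure unconditionally (not only under DPRINTF) and either resetting the offset or failing the command, since the inconsistent PRDT that gets here is guest-controlled.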
+@@ -1050,6 +1076,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+     /* update number of transferred bytes */
+     ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+     s->io_buffer_index += l;
++    s->io_buffer_offset += l;
+ 
+     DPRINTF(ad->port_no, "len=%#x\n", l);
+ 
+diff --git a/hw/ide/internal.h b/hw/ide/internal.h
+index 7170bd9..bf7d313 100644
+--- a/hw/ide/internal.h
++++ b/hw/ide/internal.h
+@@ -393,6 +393,7 @@ struct IDEState {
+     struct iovec iov;
+     QEMUIOVector qiov;
+     /* ATA DMA state */
++    int io_buffer_offset;
+     int io_buffer_size;
+     QEMUSGList sg;
+     /* PIO transfer handling */
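Review bot: `io_buffer_offset` is added next to `io_buffer_size` with no comment, and the existing `io_buffer_index` is easy to confuse with it: the index walks the bounce buffer for one chunk, while the new field is the byte offset into the guest PRDT for the whole command (reset in `ahci_start_dma()`, advanced in `ahci_dma_rw_buf()`). A one-line comment stating that distinction would keep later fixes from mixing the two up.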
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch	2012-08-08 23:28:42.000000000 +0400
@@ -0,0 +1,49 @@
+Date: Fri, 3 Aug 2012 15:57:10 -0400
+From: Jason Baron <jbaron@redhat.com>
+Message-Id: <1b114377e92202a2aba65ade4f80d63514366cf6.1344023079.git.jbaron@redhat.com>
+Subject: ahci: Fix sglist memleak in ahci_dma_rw_buf()
+Comment: upstream fix which should go to upstream stable-1.1
+Bug: http://bugs.debian.org/684327
+
+I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus,
+I've added a call to qemu_sglist_destroy() to fix this memory leak.
+
+In addition, I've adeed a call in qemu_sglist_destroy() to 0 all of the sglist
+fields, in case there is some other codepath that tries to free the sglist.
+
+Signed-off-by: Jason Baron <jbaron@redhat.com>
+---
+ dma-helpers.c |    1 +
+ hw/ide/ahci.c |    3 +++
+ 2 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/dma-helpers.c b/dma-helpers.c
+index 35cb500..13593d1 100644
+--- a/dma-helpers.c
++++ b/dma-helpers.c
+@@ -65,6 +65,7 @@ void qemu_sglist_add(QEMUSGList *qsg, dma_addr_t base, dma_addr_t len)
+ void qemu_sglist_destroy(QEMUSGList *qsg)
+ {
+     g_free(qsg->sg);
++    memset(qsg, 0, sizeof(*qsg));
+ }
+ 
+ typedef struct {
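Review bot: zeroing `*qsg` after `g_free()` makes a second `qemu_sglist_destroy()` a no-op (`g_free(NULL)` is safe) and turns a later use of the stale list into a NULL dereference instead of a use-after-free, which is the better failure mode; worth a comment saying that is the intent. Since the commit message anticipates other code paths touching the list after destroy, also check that `qemu_sglist_add()` handles the zeroed state (`sg == NULL`, `nalloc == 0`) by re-growing rather than writing through the NULL pointer.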
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index de580a6..5ea3cad 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -1073,6 +1073,9 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+         dma_buf_write(p, l, &s->sg);
+     }
+ 
++    /* free sglist that was created in ahci_populate_sglist() */
++    qemu_sglist_destroy(&s->sg);
++
+     /* update number of transferred bytes */
+     ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+     s->io_buffer_index += l;
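Review bot: the destroy matches the `ahci_populate_sglist()` at the top of this function, and the early `return 0` on populate failure (from the previous patch) happens before `qemu_sglist_init()` in that patch's `goto out` path, so nothing leaks there. The same populate-without-destroy shape is visible in `ahci_dma_prepare_buf()` and `ahci_start_transfer()` in the previous patch; please confirm those lists are destroyed by their consumers, otherwise this fixes only one of the leak sites.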
+-- 
+1.7.1
+
+
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch	2012-08-08 22:07:36.000000000 +0400
@@ -0,0 +1,45 @@
+Subject: eventfd: making it thread safe
+Date: Wed, 18 Jul 2012 02:52:04 -0000
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Message-Id: <1342615924-20925-1-git-send-email-aik@ozlabs.ru>
+To: "Michael S . Tsirkin" <mst@redhat.com>
+Cc: Alexey Kardashevskiy <aik@ozlabs.ru>, qemu-devel@nongnu.org
+Bug: http://bugs.debian.org/680719
+Bug: https://bugs.launchpad.net/qemu/+bug/1021649
+Comment: proposed fix for a known issue, should go to upstream stable-1.1 too
+
+QEMU uses IO handlers to run select() in the main loop.
+The handlers list is managed by qemu_set_fd_handler() helper
+which works fine when called from the main thread as it is
+called when select() is not waiting.
+
+However IO handlers list can be changed in the thread other than
+the main one doing os_host_main_loop_wait(), for example, as a result
+of a hypercall which changes PCI config space (VFIO on POWER is the case)
+and enables/disabled MSI/MSIX which closes/creates eventfd handles.
+As the main loop should be waiting on the newly created eventfds,
+it has to be restarted.
+
+The patch adds the qemu_notify_event() call to interrupt select()
+to make main_loop() restart select() with the updated IO handlers
+list.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+
+---
+iohandler.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iohandler.c b/iohandler.c
+index 3c74de6..dea4355 100644
+--- a/iohandler.c
++++ b/iohandler.c
+@@ -77,6 +77,7 @@ int qemu_set_fd_handler2(int fd,
+         ioh->fd_write = fd_write;
+         ioh->opaque = opaque;
+         ioh->deleted = 0;
++        qemu_notify_event();
+     }
+     return 0;
+ }
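Review bot: `qemu_notify_event()` is added only in the branch that installs or updates a handler (`ioh->deleted = 0`). The commit message says the other thread also closes eventfds, but the branch that marks a handler deleted is not in this hunk and gets no wake-up, so a select() already in progress keeps waiting on a descriptor that is about to be closed. Suggest issuing the notify on the removal path too, or once after both branches.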
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/monitor-Fix-memory-leak-with-readline-completion.patch qemu-kvm-1.1.0+dfsg/debian/patches/monitor-Fix-memory-leak-with-readline-completion.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/monitor-Fix-memory-leak-with-readline-completion.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/monitor-Fix-memory-leak-with-readline-completion.patch	2012-08-08 22:41:15.000000000 +0400
@@ -0,0 +1,32 @@
+Commit: c49dd1bf6450b7880972b2f176ec10e8a496073c
+Author: Stefan Weil <sw@weilnetz.de>
+Date:   Mon May 14 09:47:20 2012 +0000
+Subject: monitor: Fix memory leak with readline completion
+Bug: http://bugs.debian.org/684311
+Comment: upstream stable-1.1.1 fix
+    
+    Each string which is shown during readline completion in the QEMU monitor
+    is allocated dynamically but currently never deallocated.
+    
+    Add the missing loop which calls g_free for the allocated strings.
+    
+    Signed-off-by: Stefan Weil <sw@weilnetz.de>
+    Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+    (cherry picked from commit fc9fa4bd0a295ac18808c4cd2cfac484bc4649d3)
+    
+    Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+diff --git a/readline.c b/readline.c
+index a6c0039..540cd8a 100644
+--- a/readline.c
++++ b/readline.c
+@@ -337,6 +337,9 @@ static void readline_completion(ReadLineState *rs)
+         }
+         readline_show_prompt(rs);
+     }
++    for (i = 0; i < rs->nb_completions; i++) {
++        g_free(rs->completions[i]);
++    }
+ }
+ 
+ /* return true if command handled */
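Review bot: after the new free loop, `rs->completions[i]` still holds dangling pointers and `rs->nb_completions` still reports them as valid, so any path that reads the array before the next completion pass resets it dereferences freed memory. Set `rs->nb_completions = 0` after the loop (and `rs->completions[i] = NULL` inside it) so the state reflects the free; the loop also assumes `i` is declared earlier in the function, which the hunk does not show.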
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch	2012-08-08 22:29:22.000000000 +0400
@@ -0,0 +1,84 @@
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date:   Wed Aug 8 14:39:11 2012 +0200
+Bug-Debian: http://bugs.debian.org/684282
+Comment: cherry-picked from qemu/master to stable-1.1 (mjt)
+Comment: upstream stable also includes f63e60327b8e239 which should be reverted
+
+    qom: object_delete should unparent the object first
+    
+    object_deinit is only called when the reference count goes to zero,
+    and yet tries to do an object_unparent.  Now, object_unparent
+    either does nothing or it will decrease the reference count.
+    Because we know the reference count is zero, the object_unparent
+    call in object_deinit is useless.
+    
+    Instead, we need to disconnect the object from its parent just
+    before we remove the last reference apart from the parent's.  This
+    happens in object_delete.  Once we do this, all calls to
+    object_unparent peppered through QEMU can go away.
+    
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+    Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
+index 0345490..585da4e 100644
+--- a/hw/acpi_piix4.c
++++ b/hw/acpi_piix4.c
+@@ -299,7 +299,6 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
+             if (pc->no_hotplug) {
+                 slot_free = false;
+             } else {
+-                object_unparent(OBJECT(dev));
+                 qdev_free(qdev);
+             }
+         }
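Review bot: dropping `object_unparent()` here is only safe if `qdev_free()` in this tree ends in `object_delete()`, where the patch moves the unparent; the hunk does not show that call chain, and the hw/xen_platform.c comment removed further down says the opposite was true when it was written ("Until qdev_free includes a call to object_unparent"). Please confirm on stable-1.1 before backporting, otherwise ejected devices stay in the composition tree holding their parent reference.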
+diff --git a/hw/qdev.c b/hw/qdev.c
+index 6a8f6bd..9bb1c6b 100644
+--- a/hw/qdev.c
++++ b/hw/qdev.c
+@@ -240,7 +240,6 @@ void qbus_reset_all_fn(void *opaque)
+ int qdev_simple_unplug_cb(DeviceState *dev)
+ {
+     /* just zap it */
+-    object_unparent(OBJECT(dev));
+     qdev_free(dev);
+     return 0;
+ }
+diff --git a/hw/xen_platform.c b/hw/xen_platform.c
+index 0214f37..84221df 100644
+--- a/hw/xen_platform.c
++++ b/hw/xen_platform.c
+@@ -87,9 +87,6 @@ static void unplug_nic(PCIBus *b, PCIDevice *d)
+ {
+     if (pci_get_word(d->config + PCI_CLASS_DEVICE) ==
+             PCI_CLASS_NETWORK_ETHERNET) {
+-        /* Until qdev_free includes a call to object_unparent, we call it here
+-         */
+-        object_unparent(&d->qdev.parent_obj);
+         qdev_free(&d->qdev);
+     }
+ }
+diff --git a/qom/object.c b/qom/object.c
+index 6f839ad..58dd886 100644
+--- a/qom/object.c
++++ b/qom/object.c
+@@ -347,8 +347,6 @@ static void object_deinit(Object *obj, TypeImpl *type)
+     if (type_has_parent(type)) {
+         object_deinit(obj, type_get_parent(type));
+     }
+-
+-    object_unparent(obj);
+ }
+ 
+ void object_finalize(void *data)
+@@ -385,8 +383,9 @@ Object *object_new(const char *typename)
+ 
+ void object_delete(Object *obj)
+ {
++    object_unparent(obj);
++    g_assert(obj->ref == 1);
+     object_unref(obj);
+-    g_assert(obj->ref == 0);
+     g_free(obj);
+ }
+ 
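Review bot: `g_assert(obj->ref == 1)` now guards the `object_unref()` / `g_free()` pair. If any caller still holds a reference when a device is unplugged, the assertion aborts the whole VM from a guest-driven path (hot-unplug), and in a build with G_DISABLE_ASSERT the check vanishes and `g_free()` runs on a still-referenced object, which is a use-after-free. The old `g_assert(obj->ref == 0)` had the same property, so this is not a regression, but the "exactly one reference left" precondition should be documented, or checked with something that cannot be compiled out.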
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/series qemu-kvm-1.1.0+dfsg/debian/patches/series
--- qemu-kvm-1.1.0+dfsg/debian/patches/series	2012-07-07 16:11:28.000000000 +0400
+++ qemu-kvm-1.1.0+dfsg/debian/patches/series	2012-08-08 23:29:26.000000000 +0400
@@ -3,7 +3,20 @@
 resurrect-extboot.diff
 disable-hpet-for-tcg.patch
 use-libexecdir.patch
+
+# upstream stable patches
 qemu-kvm-Add-missing-default-machine-options.patch
 qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch
+monitor-Fix-memory-leak-with-readline-completion.patch
+
+# upstream fixes
+uhci:-fix-uhci_async_cancel_all.patch
+eventfd-making-it-thread-safe.patch
+qom-object_delete-should-unparent-the-object-first.patch
+virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
+ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch
+ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch
+
+# other fixes
 align-ram_size-to-8k-boundary.patch
 dont-try-to-hotplug-cpu.patch
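Review bot: the qom patch header says upstream stable also carries f63e60327b8e239 "which should be reverted", but `series` contains no revert; either that note applies only to a future full 1.1.1 import (say so in the header) or the revert is missing from this debdiff. Also, `uhci:-fix-uhci_async_cancel_all.patch` has a colon in its filename where the other patch names use `-`; some tools and filesystems mishandle that character.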
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch	2012-08-08 22:06:46.000000000 +0400
@@ -0,0 +1,33 @@
+Commit: 77fa9aee38758a078870e25f0dcf642066b4d5cc
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri Jun 15 09:39:50 2012 +0200
+Subject: uhci: fix uhci_async_cancel_all
+Message-ID: <1340201134-21109-7-git-send-email-kraxel@redhat.com>
+Bug: http://bugs.debian.org/684323
+Bug: https://bugzilla.novell.com/show_bug.cgi?id=766310
+Comment: proposed for upstream stable-1.1 series
+    
+    We update the QTAILQ in the loop, thus we must use the SAFE version
+    to make sure we don't touch the queue struct after freeing it.
+    
+    https://bugzilla.novell.com/show_bug.cgi?id=766310
+    
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
+index 9871e24..2ebce04 100644
+--- a/hw/usb/hcd-uhci.c
++++ b/hw/usb/hcd-uhci.c
+@@ -292,10 +292,10 @@ static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev)
+ 
+ static void uhci_async_cancel_all(UHCIState *s)
+ {
+-    UHCIQueue *queue;
++    UHCIQueue *queue, *nq;
+     UHCIAsync *curr, *n;
+ 
+-    QTAILQ_FOREACH(queue, &s->queues, next) {
++    QTAILQ_FOREACH_SAFE(queue, &s->queues, next, nq) {
+         QTAILQ_FOREACH_SAFE(curr, &queue->asyncs, next, n) {
+             uhci_async_unlink(curr);
+             uhci_async_cancel(curr);
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch	2012-08-08 22:36:28.000000000 +0400
@@ -0,0 +1,28 @@
+From: Avi Kivity <avi@redhat.com>
+Date: Mon, 6 Aug 2012 15:35:02 +0300
+Subject: virtio-blk: fix use-after-free while handling scsi commands
+Message-Id: <501FBAA2.6050205@redhat.com>
+Bug: http://bugs.debian.org/684261
+Comment: fix by upstream which should go to upstream stable-1.1 too
+Comment: spelling fixed (virtio-mlk -> virtio-blk) in Subject
+
+The scsi passthrough handler falls through after completing a
+request into the failure path, resulting in a use after free.
+
+Reprducible by running a guest with aio=native on a block device.
+
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index f21757e..552b3b6 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -254,6 +254,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+ 
+     virtio_blk_req_complete(req, status);
+     g_free(req);
++    return;
+ #else
+     abort();
+ #endif
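Review bot: the bare `return` stops `virtio_blk_handle_scsi()` from running on into the failure path after `g_free(req)`, but nothing at that spot says why; a comment such as `/* req is freed; do not fall through to the error path */` protects against the fall-through being reintroduced. The `abort()` in the `#else` branch is untouched by this change but sits on a guest-issued request path, so builds that take that branch can be crashed by the guest; worth tracking separately.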

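As an added example (not part of this mail, and not QEMU or qemu-kvm code) of the bug class behind the uhci patch above, the block below contrasts iterating a list while releasing its elements with a plain FOREACH against the FOREACH_SAFE form that saves the successor first. The list, the SQ_FOREACH macros and the pool-backed node_release() are hypothetical stand-ins for QTAILQ and g_free(); the pool keeps released nodes mapped so the unsafe loop's read of a freed node shows up as an early exit instead of undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal singly linked queue standing in for QEMU's QTAILQ
 * (written for this example; not QEMU code). */
struct node {
    int id;
    struct node *next;
};

struct list {
    struct node *first;
};

/* Same split as QTAILQ_FOREACH / QTAILQ_FOREACH_SAFE: the SAFE form reads
 * var->next before the body runs, so the body is free to release var. */
#define SQ_FOREACH(var, head) \
    for ((var) = (head)->first; (var) != NULL; (var) = (var)->next)
#define SQ_FOREACH_SAFE(var, head, tvar) \
    for ((var) = (head)->first; \
         (var) != NULL && ((tvar) = (var)->next, 1); \
         (var) = (tvar))

/* Static pool: a released node stays mapped, so the unsafe loop's read of
 * it is observable here instead of being undefined behaviour. */
#define POOL_SIZE 8
static struct node pool[POOL_SIZE];

/* Build a list of n nodes (ids 1..n) from a reset pool. */
static void list_build(struct list *l, int n)
{
    memset(pool, 0, sizeof(pool));
    l->first = NULL;
    for (int i = n - 1; i >= 0; i--) {
        pool[i].id = i + 1;
        pool[i].next = l->first;
        l->first = &pool[i];
    }
}

static int list_length(const struct list *l)
{
    int n = 0;
    for (const struct node *q = l->first; q != NULL; q = q->next) {
        n++;
    }
    return n;
}

/* Unlink q and "free" it; the memset models what a poisoning allocator
 * (or reuse of the chunk) does to the link fields of freed memory. */
static void node_release(struct list *l, struct node *q)
{
    struct node **pp = &l->first;
    while (*pp != q) {
        pp = &(*pp)->next;
    }
    *pp = q->next;
    memset(q, 0, sizeof(*q));
}

/* Pre-fix shape of uhci_async_cancel_all(): q->next is read after
 * node_release(q). Here that read yields NULL and the loop stops early;
 * with a real allocator it is a use-after-free. */
static int cancel_all_unsafe(struct list *l)
{
    struct node *q;
    int cancelled = 0;

    SQ_FOREACH(q, l) {
        node_release(l, q);
        cancelled++;
    }
    return cancelled;
}

/* Fixed shape: the successor is saved before the body releases q. */
static int cancel_all_safe(struct list *l)
{
    struct node *q, *nq;
    int cancelled = 0;

    SQ_FOREACH_SAFE(q, l, nq) {
        node_release(l, q);
        cancelled++;
    }
    return cancelled;
}

int main(void)
{
    struct list l;
    int done;

    list_build(&l, 3);
    done = cancel_all_unsafe(&l);
    printf("unsafe: cancelled %d, still queued %d\n", done, list_length(&l));
    list_build(&l, 3);
    done = cancel_all_safe(&l);
    printf("safe:   cancelled %d, still queued %d\n", done, list_length(&l));
    return 0;
}
```

With three queued entries the unsafe loop cancels one and leaves two on the list, because the poisoned `next` it reads after the release is NULL; under a real allocator the same read is the use-after-free the uhci commit describes ("we must use the SAFE version to make sure we don't touch the queue struct after freeing it"). The safe loop cancels all three and leaves the list empty.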