
Bug#684934: unblock: qemu-kvm/1.1.1+dfsg-1 (pre-upload)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package qemu-kvm

In emails sent to debian-release@ (<50221BEA.7040800@msgid.tls.msk.ru>
and a followup <5022C692.5030904@msgid.tls.msk.ru>) I described a ton
of bugfixes happening on the qemu-kvm front.  Upstream did a stable/bugfix
release, 1.1.1, with a large set of bugfixes, plus there's a large set
of new fixes being worked on.

Initially my plan was to cherry-pick only the "most important" fixes
from the upstream stable/bugfix 1.1.1 release, to simplify work for
the release team and to make the whole thing more obvious.  But after
looking at other fixes in there, trying to gather additional info
about these and doing some tests in an attempt to reproduce the initial
bugs, I understood that the whole upstream stable/bugfix release is a
better solution than any cherry-picking like that.  Especially since
some subsequent fixes touch areas already partially fixed by the
"less important" changes, resulting in a mess.

So after trying such cherry-picking (of already cherry-picked fixes),
I decided it will be more correct and productive to include the whole
upstream 1.1.1 stable/bugfix release, because almost every change
in there is actually important.

Upstream fixes include changes in some irrelevant areas - like in
(emulated) architectures (like xtensa) not enabled/used in the qemu-kvm
package (which is x86-only) -- these are just unnecessary baggage
for the release team, but they're harmless, and the result is much
better understood - a release actually published by upstream and
used by many other users.

I tried to file bug reports against the Debian BTS covering fixes included
in the upstream 1.1.1 release, but I didn't cover all of them.  I can
try to complete this process if really necessary, but it will require
a bit more time.

Whole 1.1.1 upstream qemu-kvm diffstat (compared with the 1.1.0 release):
 29 files changed, 416 insertions(+), 85 deletions(-)
(a good portion of it is the 221 lines in the newly added tests/tcg/xtensa/test_mmu.S,
which is a new test covering bugs fixed in an architecture not used by
qemu-kvm).

The whole set of changes can be browsed online as git history at
http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=shortlog;h=refs/tags/qemu-kvm-1.1.1 --
this sometimes might be easier, especially to understand each
individual change, than to read a debdiff (which includes more
stuff and which is provided below).

Meanwhile, a few more fixes accumulated and are waiting for yet
another upstream stable/bugfix release, 1.1.2 (which hasn't happened
to date).  And these include real bugs hit by real Debian users too.
Some of these bug reports were filed by myself.  All with severity
"important" (as they're really important usage cases), so none is
technically an RC bug, at least for now, but these are all necessary to
fix before the wheezy release.

I want to especially mention the last bugfix, for #683096, which includes
2 patches (from upstream) which are somewhat intrusive (yet local to
i8254 device emulation) but are very to fix another timer-related
issue in kvm.

The current diffstat is included below.  This is not yet a final
released version; instead, I'm asking whether this whole thing
will be okay for the release team.

Please note that the qemu package will need the same set of fixes; it
also needs updating to 1.1.1, and there, the diff between upstream
1.1.0 and 1.1.1 is larger, since it includes changes from qemu-kvm
which were already there in the 1.1.0 release but not in qemu-1.1.0.
Also, qemu needs more work on other arches (and there, xtensa actually
becomes relevant too).  But it is, while very closely related (as
the same set of changes is being applied), a bit different story --
in order to fix a bug discovered today we'll have to package yet
another piece of software for Debian, introducing a new binary
package.

Thank you for your attention and time!

/mjt

unblock qemu-kvm/1.1.1+dfsg-1


diff -Nru qemu-kvm-1.1.0+dfsg/block/qcow2.c qemu-kvm-1.1.1+dfsg/block/qcow2.c
--- qemu-kvm-1.1.0+dfsg/block/qcow2.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/block/qcow2.c	2012-07-16 11:52:03.000000000 +0400
@@ -298,14 +298,6 @@
         goto fail;
     }
 
-    if (!bs->read_only && s->autoclear_features != 0) {
-        s->autoclear_features = 0;
-        ret = qcow2_update_header(bs);
-        if (ret < 0) {
-            goto fail;
-        }
-    }
-
     /* Check support for various header values */
     if (header.refcount_order != 4) {
         report_unsupported(bs, "%d bit reference counts",
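Review bot: on its own this hunk drops the clearing of autoclear_features entirely; it is only correct together with the re-insertion after the header-value checks in the next hunk of this file, and the two should be read (and, if split into separate Debian patches, shipped) as one change.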
@@ -411,6 +403,15 @@
         goto fail;
     }
 
+    /* Clear unknown autoclear feature bits */
+    if (!bs->read_only && s->autoclear_features != 0) {
+        s->autoclear_features = 0;
+        ret = qcow2_update_header(bs);
+        if (ret < 0) {
+            goto fail;
+        }
+    }
+
     /* Initialise locks */
     qemu_co_mutex_init(&s->lock);
 
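Review bot: moving the autoclear clearing below the `refcount_order != 4` and related checks is the right order: before this change qcow2_update_header() rewrote the on-disk header before the image had been validated as supported, so an image with unsupported header values could be modified merely by being opened. The comment "Clear unknown autoclear feature bits" makes the intent clear; the changelog entry for 1.1.1 could mention this so users know why opening an image in 1.1.0 vs 1.1.1 differs.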
diff -Nru qemu-kvm-1.1.0+dfsg/block/qcow2-cluster.c qemu-kvm-1.1.1+dfsg/block/qcow2-cluster.c
--- qemu-kvm-1.1.0+dfsg/block/qcow2-cluster.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/block/qcow2-cluster.c	2012-07-16 11:52:03.000000000 +0400
@@ -471,6 +471,8 @@
                 QCOW_OFLAG_COMPRESSED | QCOW_OFLAG_ZERO);
         *cluster_offset &= L2E_OFFSET_MASK;
         break;
+    default:
+        abort();
     }
 
     qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
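Review bot: `default: abort();` is appropriate only if the switched value is an internal enum that cannot be influenced by the image; if it is derived from raw L2 entry bits read from the file rather than from a bounded classification helper, a crafted or corrupted image would turn this into a crash of the whole VM instead of an I/O error. Worth a one-line comment above `default:` stating why the case is unreachable.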
diff -Nru qemu-kvm-1.1.0+dfsg/block/qcow2-refcount.c qemu-kvm-1.1.1+dfsg/block/qcow2-refcount.c
--- qemu-kvm-1.1.0+dfsg/block/qcow2-refcount.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/block/qcow2-refcount.c	2012-07-16 11:52:03.000000000 +0400
@@ -367,7 +367,7 @@
     }
 
     for(i = 0; i < table_size; i++) {
-        cpu_to_be64s(&new_table[i]);
+        be64_to_cpus(&new_table[i]);
     }
 
     /* Hook up the new refcount table in the qcow2 header */
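Review bot: `cpu_to_be64s()` and `be64_to_cpus()` are both an in-place byte swap on little-endian hosts and a no-op on big-endian ones, so the generated code is identical; this hunk fixes the stated intent (converting the table that was just written in big-endian order back to CPU order before it is hooked into the header), not a behaviour bug. The commit message should say so, otherwise it reads like a data-corruption fix that users may expect to see listed.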
diff -Nru qemu-kvm-1.1.0+dfsg/block/sheepdog.c qemu-kvm-1.1.1+dfsg/block/sheepdog.c
--- qemu-kvm-1.1.0+dfsg/block/sheepdog.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/block/sheepdog.c	2012-07-16 11:52:03.000000000 +0400
@@ -1957,7 +1957,7 @@
                                 int64_t pos, int size, int load)
 {
     int fd, create;
-    int ret = 0;
+    int ret = 0, remaining = size;
     unsigned int data_len;
     uint64_t vmstate_oid;
     uint32_t vdi_index;
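Review bot: introducing `remaining` alongside `size` is the right fix here, since the original code decremented `size` and then could only report the accumulated `ret`, which was also overwritten each iteration by the per-object I/O result; the two roles are now separate.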
@@ -1968,11 +1968,11 @@
         return fd;
     }
 
-    while (size) {
+    while (remaining) {
         vdi_index = pos / SD_DATA_OBJ_SIZE;
         offset = pos % SD_DATA_OBJ_SIZE;
 
-        data_len = MIN(size, SD_DATA_OBJ_SIZE);
+        data_len = MIN(remaining, SD_DATA_OBJ_SIZE);
 
         vmstate_oid = vid_to_vmstate_oid(s->inode.vdi_id, vdi_index);
 
@@ -1993,9 +1993,9 @@
         }
 
         pos += data_len;
-        size -= data_len;
-        ret += data_len;
+        remaining -= data_len;
     }
+    ret = size;
 cleanup:
     closesocket(fd);
     return ret;
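Review bot: `ret = size;` after the loop only reports success correctly if every error path inside the loop (not visible in this hunk) sets `ret` to a negative value before jumping to `cleanup:`; otherwise a failed object read/write leaves `ret` at 0 and the caller sees a zero-byte transfer rather than an error. Please confirm the `goto cleanup` sites in the loop body.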
diff -Nru qemu-kvm-1.1.0+dfsg/configure qemu-kvm-1.1.1+dfsg/configure
--- qemu-kvm-1.1.0+dfsg/configure	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/configure	2012-07-16 11:52:03.000000000 +0400
@@ -2828,7 +2828,11 @@
 open_by_hande_at=no
 cat > $TMPC << EOF
 #include <fcntl.h>
+#if !defined(AT_EMPTY_PATH)
+# error missing definition
+#else
 int main(void) { struct file_handle fh; return open_by_handle_at(0, &fh, 0); }
+#endif
 EOF
 if compile_prog "" "" ; then
     open_by_handle_at=yes
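Review bot: the `#if !defined(AT_EMPTY_PATH)` guard makes the probe fail cleanly on libcs that declare open_by_handle_at() but lack the flag, which is good; note that the context line `open_by_hande_at=no` (missing "l") is a pre-existing typo, so `open_by_handle_at` is never initialised to `no` and only works because later tests presumably compare against `yes`. Worth fixing while touching this block.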
@@ -2932,7 +2936,8 @@
       tools="$tools fsdev/virtfs-proxy-helper\$(EXESUF)"
     else
       if test "$virtfs" = yes; then
-        feature_not_found "virtfs"
+        echo "VirtFS is supported only on Linux and requires libcap-devel and libattr-devel"
+        exit 1
       fi
       virtfs=no
     fi
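Review bot: the new error message is written to stdout with a bare `echo`; configure errors should go to stderr (`echo ... >&2`) so they are not lost when output is redirected. Also "libcap-devel and libattr-devel" are Fedora package names; since this is being shipped in Debian, either name the Debian packages (libcap-dev, libattr1-dev) or keep the message distribution-neutral.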
diff -Nru qemu-kvm-1.1.0+dfsg/debian/changelog qemu-kvm-1.1.1+dfsg/debian/changelog
--- qemu-kvm-1.1.0+dfsg/debian/changelog	2012-07-18 21:44:09.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/debian/changelog	2012-08-14 23:54:55.000000000 +0400
@@ -1,3 +1,27 @@
+qemu-kvm (1.1.1+dfsg-1) UNRELEASED; urgency=low
+
+  * new upstream bugfix release (1.1.1) (Closes: #684311)
+    Removed applied upstream patches:
+    - qemu-kvm-Add-missing-default-machine-options.patch
+    - qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch
+  * uhci:-fix-uhci_async_cancel_all.patch fixes use-after-free
+    in usb code (Closes: #684323)
+  * eventfd-making-it-thread-safe.patch - fix a missing
+    ioeventfd notifier (Closes: #680719)
+  * qom-object_delete-should-unparent-the-object-first.patch
+    fixes assertion failure on usb_del (Closes: #684282)
+  * virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
+    (Closes: #684261)
+  * ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch (Closes: #684263)
+  * ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch (Closes: #684327)
+  * kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch and
+    kvm-i8254-finish-time-conversion-fix.patch - two patches from upstream
+    stable to fix TSC vs PIT timers (Closes: #683096)
+  * document -netdev option in the manpage, a long-standing omission
+    (net-add--netdev-options-to-man-page.patch)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 08 Aug 2012 21:41:59 +0400
+
 qemu-kvm (1.1.0+dfsg-3) unstable; urgency=low
 
   * ship /usr/share/kvm/qemu-icon.bmp (Closes: #681306)
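Review bot: the entry is dated `Wed, 08 Aug 2012` while several of the patch files it lists (the i8254 pair and the -netdev man page patch) carry 2012-08-14 timestamps, so the changelog timestamp will need refreshing at upload time along with changing `UNRELEASED` to `unstable`. It would also help the release team if the entry named the 1.1.1 upstream fixes that affect Debian users (qcow2, sheepdog, configure) rather than only the Debian-local patches, since the bug numbers are the thing they can cross-check.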
diff -Nru qemu-kvm-1.1.0+dfsg/debian/optional-features qemu-kvm-1.1.1+dfsg/debian/optional-features
--- qemu-kvm-1.1.0+dfsg/debian/optional-features	2012-07-18 20:28:48.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/debian/optional-features	2012-08-14 23:31:45.000000000 +0400
@@ -3,7 +3,7 @@
 # The reason it is in separate file instead of
 # directly in debian/rules are the comments.
 
-# attr/xattr suport, needed for virtfs (9pfs)
+# attr/xattr suport, needed for virtfs (9pfs) below
 --enable-attr
 # bluez support, bluetooth devices
 --enable-bluez
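Review bot: the edited comment line still carries the pre-existing typo "suport" (should be "support"); since the line is being rewritten anyway, fix it here.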
@@ -43,7 +43,7 @@
 --enable-vde
 # /dev/vhost-net
 --enable-vhost-net
-# VirtFS - XXX description please
+# VirtFS - 9pfs, virtual filesystem with linux driver (needs attrs, above)
 --enable-virtfs
 # vnc display support with all the features
 --enable-vnc
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch qemu-kvm-1.1.1+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch	2012-08-14 22:46:02.000000000 +0400
@@ -0,0 +1,171 @@
+Subject: [1/2,v2] ahci: Fix ahci cdrom read corruptions for reads > 128k
+Date: Fri, 03 Aug 2012 09:57:06 -0000
+From: Jason Baron <jbaron@redhat.com>
+Message-Id: <bd1a04fe31f6dfb29a7ab8771cdc40589c029773.1344023079.git.jbaron@redhat.com>
+To: agraf@suse.de
+Cc: kwolf@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org,
+ armbru@redhat.com, qemu-stable@nongnu.org,
+ alex.williamson@redhat.com, avi@redhat.com, pbonzini@redhat.com,
+ afaerber@suse.de
+Bug: http://bugs.debian.org/684263
+Comment: fix sent to upstream, discussed+agreed, should go to upstream stable/1.1
+Comment: backported to stable-1.1 by mjt (fixing qemu_sglist_init() calls)
+
+While testing q35, which has its cdrom attached to the ahci controller, I found
+that the Fedora 17 install would panic on boot. The panic occurs while
+squashfs is trying to read from the cdrom. The errors are:
+
+[    8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
+[    8.625180] SQUASHFS error: squashfs_read_data failed to read block
+0x20be48a
+
+I was also able to produce corrupt data reads using an installed piix based
+qemu machine, using 'dd'. I found that the corruptions were only occuring when
+then read size was greater than 128k. For example, the following command
+results in corrupted reads:
+
+dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct
+
+The > 128k size reads exercise a different code path than 128k and below. In
+ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus,
+ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k.
+However, ahci_dma_rw_buf() restart the read from offset 0, instead of at 128k.
+Thus, resulting in a corrupted read.
+
+To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep
+track of the offset. I've also modified ahci_populate_sglist() to take a new
+3rd offset argument, so that the sglist is property initialized.
+
+I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots
+and installs on q35 with the cdrom ahci controller.
+
+Signed-off-by: Jason Baron <jbaron@redhat.com>
+Tested-by: Andreas Färber <afaerber@suse.de>
+
+---
+hw/ide/ahci.c     |   41 ++++++++++++++++++++++++++++++++++-------
+ hw/ide/internal.h |    1 +
+ 2 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index efea93f..de580a6 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -636,7 +636,7 @@ static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis)
+     }
+ }
+ 
+-static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
++static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
+ {
+     AHCICmdHdr *cmd = ad->cur_cmd;
+     uint32_t opts = le32_to_cpu(cmd->opts);
+@@ -647,6 +647,10 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
+     uint8_t *prdt;
+     int i;
+     int r = 0;
++    int sum = 0;
++    int off_idx = -1;
++    int off_pos = -1;
++    int tbl_entry_size;
+ 
+     if (!sglist_alloc_hint) {
+         DPRINTF(ad->port_no, "no sg list given by guest: 0x%08x\n", opts);
+@@ -669,10 +673,31 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
+     /* Get entries in the PRDT, init a qemu sglist accordingly */
+     if (sglist_alloc_hint > 0) {
+         AHCI_SG *tbl = (AHCI_SG *)prdt;
+-
+-        qemu_sglist_init(sglist, sglist_alloc_hint);
++        sum = 0;
+         for (i = 0; i < sglist_alloc_hint; i++) {
+             /* flags_size is zero-based */
++            tbl_entry_size = (le32_to_cpu(tbl[i].flags_size) + 1);
++            if (offset <= (sum + tbl_entry_size)) {
++                off_idx = i;
++                off_pos = offset - sum;
++                break;
++            }
++            sum += tbl_entry_size;
++        }
++        if ((off_idx == -1) || (off_pos < 0) || (off_pos > tbl_entry_size)) {
++            DPRINTF(ad->port_no, "%s: Incorrect offset! "
++                            "off_idx: %d, off_pos: %d\n",
++                            __func__, off_idx, off_pos);
++            r = -1;
++            goto out;
++        }
++
++        qemu_sglist_init(sglist, (sglist_alloc_hint - off_idx));
++        qemu_sglist_add(sglist, le64_to_cpu(tbl[off_idx].addr + off_pos),
++                        le32_to_cpu(tbl[off_idx].flags_size) + 1 - off_pos);
++
++        for (i = off_idx + 1; i < sglist_alloc_hint; i++) {
++            /* flags_size is zero-based */
+             qemu_sglist_add(sglist, le64_to_cpu(tbl[i].addr),
+                             le32_to_cpu(tbl[i].flags_size) + 1);
+         }
+@@ -745,7 +770,7 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
+             ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2,
+             s->dev[port].port.ifs[0].nb_sectors - 1);
+ 
+-    ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist);
++    ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0);
+     ncq_tfs->tag = tag;
+ 
+     switch(ncq_fis->command) {
+@@ -970,7 +995,7 @@ static int ahci_start_transfer(IDEDMA *dma)
+         goto out;
+     }
+ 
+-    if (!ahci_populate_sglist(ad, &s->sg)) {
++    if (!ahci_populate_sglist(ad, &s->sg, 0)) {
+         has_sglist = 1;
+     }
+ 
+@@ -1015,6 +1040,7 @@ static void ahci_start_dma(IDEDMA *dma, IDEState *s,
+     DPRINTF(ad->port_no, "\n");
+     ad->dma_cb = dma_cb;
+     ad->dma_status |= BM_STATUS_DMAING;
++    s->io_buffer_offset = 0;
+     dma_cb(s, 0);
+ }
+ 
+@@ -1023,7 +1049,7 @@ static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
+     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+     IDEState *s = &ad->port.ifs[0];
+ 
+-    ahci_populate_sglist(ad, &s->sg);
++    ahci_populate_sglist(ad, &s->sg, 0);
+     s->io_buffer_size = s->sg.size;
+ 
+     DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size);
+@@ -1037,7 +1063,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+     uint8_t *p = s->io_buffer + s->io_buffer_index;
+     int l = s->io_buffer_size - s->io_buffer_index;
+ 
+-    if (ahci_populate_sglist(ad, &s->sg)) {
++    if (ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset)) {
+         return 0;
+     }
+ 
+@@ -1050,6 +1076,7 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+     /* update number of transferred bytes */
+     ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+     s->io_buffer_index += l;
++    s->io_buffer_offset += l;
+ 
+     DPRINTF(ad->port_no, "len=%#x\n", l);
+ 
+diff --git a/hw/ide/internal.h b/hw/ide/internal.h
+index 7170bd9..bf7d313 100644
+--- a/hw/ide/internal.h
++++ b/hw/ide/internal.h
+@@ -393,6 +393,7 @@ struct IDEState {
+     struct iovec iov;
+     QEMUIOVector qiov;
+     /* ATA DMA state */
++    int io_buffer_offset;
+     int io_buffer_size;
+     QEMUSGList sg;
+     /* PIO transfer handling */
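Review bot: in the new `ahci_populate_sglist()` body, `le64_to_cpu(tbl[off_idx].addr + off_pos)` adds the host-order offset to the raw little-endian on-disk value before byte-swapping; on big-endian hosts this yields a wrong DMA address. It should be `le64_to_cpu(tbl[off_idx].addr) + off_pos`, matching the unmodified `le64_to_cpu(tbl[i].addr)` call a few lines below. A second, smaller point: because the search loop breaks on `offset <= (sum + tbl_entry_size)` and the validation then allows `off_pos == tbl_entry_size`, an offset that lands exactly on a PRDT entry boundary adds a zero-length first sg entry for `off_idx` instead of starting at the next entry; harmless for the DMA helpers but worth tightening to `<` so the list stays minimal. The PRDT is guest-supplied, so the `r = -1; goto out;` rejection of an offset beyond the table is the important part and is correct.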
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch qemu-kvm-1.1.1+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch	2012-08-14 22:46:02.000000000 +0400
@@ -0,0 +1,49 @@
+Date: Fri, 3 Aug 2012 15:57:10 -0400
+From: Jason Baron <jbaron@redhat.com>
+Message-Id: <1b114377e92202a2aba65ade4f80d63514366cf6.1344023079.git.jbaron@redhat.com>
+Subject: ahci: Fix sglist memleak in ahci_dma_rw_buf()
+Comment: upstream fix which should go to upstream stable-1.1
+Bug: http://bugs.debian.org/684327
+
+I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus,
+I've added a call to qemu_sglist_destroy() to fix this memory leak.
+
+In addition, I've adeed a call in qemu_sglist_destroy() to 0 all of the sglist
+fields, in case there is some other codepath that tries to free the sglist.
+
+Signed-off-by: Jason Baron <jbaron@redhat.com>
+---
+ dma-helpers.c |    1 +
+ hw/ide/ahci.c |    3 +++
+ 2 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/dma-helpers.c b/dma-helpers.c
+index 35cb500..13593d1 100644
+--- a/dma-helpers.c
++++ b/dma-helpers.c
+@@ -65,6 +65,7 @@ void qemu_sglist_add(QEMUSGList *qsg, dma_addr_t base, dma_addr_t len)
+ void qemu_sglist_destroy(QEMUSGList *qsg)
+ {
+     g_free(qsg->sg);
++    memset(qsg, 0, sizeof(*qsg));
+ }
+ 
+ typedef struct {
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index de580a6..5ea3cad 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -1073,6 +1073,9 @@ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+         dma_buf_write(p, l, &s->sg);
+     }
+ 
++    /* free sglist that was created in ahci_populate_sglist() */
++    qemu_sglist_destroy(&s->sg);
++
+     /* update number of transferred bytes */
+     ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+     s->io_buffer_index += l;
+-- 
+1.7.1
+
+
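Review bot: the `qemu_sglist_destroy()` after `dma_buf_write()` pairs with the populate call at the top of `ahci_dma_rw_buf()`, and zeroing the struct in `qemu_sglist_destroy()` makes a second destroy a no-op (g_free(NULL) is safe), which is a sensible defensive choice. Two things to confirm: the previous patch also populates `s->sg` in `ahci_dma_prepare_buf()` with no matching destroy visible here, so that path may still leak unless freed by the DMA completion callback; and the early `return 0` in `ahci_dma_rw_buf()` when populate fails is fine only if `ahci_populate_sglist()` does not allocate before its `goto out` error path.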
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch qemu-kvm-1.1.1+dfsg/debian/patches/eventfd-making-it-thread-safe.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/eventfd-making-it-thread-safe.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/eventfd-making-it-thread-safe.patch	2012-08-14 22:46:02.000000000 +0400
@@ -0,0 +1,45 @@
+Subject: eventfd: making it thread safe
+Date: Wed, 18 Jul 2012 02:52:04 -0000
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Message-Id: <1342615924-20925-1-git-send-email-aik@ozlabs.ru>
+To: "Michael S . Tsirkin" <mst@redhat.com>
+Cc: Alexey Kardashevskiy <aik@ozlabs.ru>, qemu-devel@nongnu.org
+Bug: http://bugs.debian.org/680719
+Bug: https://bugs.launchpad.net/qemu/+bug/1021649
+Comment: proposed fix for a known issue, should go to upstream stable-1.1 too
+
+QEMU uses IO handlers to run select() in the main loop.
+The handlers list is managed by qemu_set_fd_handler() helper
+which works fine when called from the main thread as it is
+called when select() is not waiting.
+
+However IO handlers list can be changed in the thread other than
+the main one doing os_host_main_loop_wait(), for example, as a result
+of a hypercall which changes PCI config space (VFIO on POWER is the case)
+and enables/disabled MSI/MSIX which closes/creates eventfd handles.
+As the main loop should be waiting on the newly created eventfds,
+it has to be restarted.
+
+The patch adds the qemu_notify_event() call to interrupt select()
+to make main_loop() restart select() with the updated IO handlers
+list.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+
+---
+iohandler.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iohandler.c b/iohandler.c
+index 3c74de6..dea4355 100644
+--- a/iohandler.c
++++ b/iohandler.c
+@@ -77,6 +77,7 @@ int qemu_set_fd_handler2(int fd,
+         ioh->fd_write = fd_write;
+         ioh->opaque = opaque;
+         ioh->deleted = 0;
++        qemu_notify_event();
+     }
+     return 0;
+ }
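Review bot: `qemu_notify_event()` is added only in the branch that installs or updates a handler; if a handler is removed from a non-main thread (the fd_read/fd_write both-NULL path, not shown), the main loop will keep select()ing on the old fd set until something else wakes it, which can leave a closed eventfd in the set. Also, waking the main loop does not by itself make concurrent modification of the handler list safe; the patch description says the list is changed from another thread, so either the list is protected by the global mutex at that point or this needs stating explicitly.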
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch qemu-kvm-1.1.1+dfsg/debian/patches/kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch	2012-08-14 23:43:24.000000000 +0400
@@ -0,0 +1,101 @@
+Message-ID: <502A0B4F.105@siemens.com>
+Date:	Tue, 14 Aug 2012 10:24:03 +0200
+From:	Jan Kiszka <jan.kiszka@siemens.com>
+Subject: [PATCH uq/master 1/2] kvm: i8254: Cache kernel clock offset in KVMPITState
+Bug:	http://bugs.debian.org/683096
+
+To prepare the final fix for clock calibration issues with the in-kernel
+PIT, we want to cache the offset between vmclock and the clock used by
+the in-kernel PIT. So far, we only need to update it when the VM state
+changes between running and stopped because we only read the in-kernel
+PIT state while the VM is running.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ hw/kvm/i8254.c |   38 ++++++++++++++++++++++++--------------
+ 1 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/kvm/i8254.c b/hw/kvm/i8254.c
+index c5d3711..c235d80 100644
+--- a/hw/kvm/i8254.c
++++ b/hw/kvm/i8254.c
+@@ -35,7 +35,8 @@
+ typedef struct KVMPITState {
+     PITCommonState pit;
+     LostTickPolicy lost_tick_policy;
+-    bool state_valid;
++    bool vm_stopped;
++    int64_t kernel_clock_offset;
+ } KVMPITState;
+ 
+ static int64_t abs64(int64_t v)
+@@ -43,19 +44,11 @@ static int64_t abs64(int64_t v)
+     return v < 0 ? -v : v;
+ }
+ 
+-static void kvm_pit_get(PITCommonState *pit)
++static void kvm_pit_update_clock_offset(KVMPITState *s)
+ {
+-    KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit);
+-    struct kvm_pit_state2 kpit;
+-    struct kvm_pit_channel_state *kchan;
+-    struct PITChannelState *sc;
+     int64_t offset, clock_offset;
+     struct timespec ts;
+-    int i, ret;
+-
+-    if (s->state_valid) {
+-        return;
+-    }
++    int i;
+ 
+     /*
+      * Measure the delta between CLOCK_MONOTONIC, the base used for
+@@ -72,6 +65,21 @@ static void kvm_pit_get(PITCommonState *pit)
+             clock_offset = offset;
+         }
+     }
++    s->kernel_clock_offset = clock_offset;
++}
++
++static void kvm_pit_get(PITCommonState *pit)
++{
++    KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit);
++    struct kvm_pit_state2 kpit;
++    struct kvm_pit_channel_state *kchan;
++    struct PITChannelState *sc;
++    int i, ret;
++
++    /* No need to re-read the state if VM is stopped. */
++    if (s->vm_stopped) {
++        return;
++    }
+ 
+     if (kvm_has_pit_state2()) {
+         ret = kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, &kpit);
+@@ -106,7 +114,7 @@ static void kvm_pit_get(PITCommonState *pit)
+         sc->mode = kchan->mode;
+         sc->bcd = kchan->bcd;
+         sc->gate = kchan->gate;
+-        sc->count_load_time = kchan->count_load_time + clock_offset;
++        sc->count_load_time = kchan->count_load_time + s->kernel_clock_offset;
+     }
+ 
+     sc = &pit->channels[0];
+@@ -211,10 +219,12 @@ static void kvm_pit_vm_state_change(void *opaque, int running,
+     KVMPITState *s = opaque;
+ 
+     if (running) {
+-        s->state_valid = false;
++        kvm_pit_update_clock_offset(s);
++        s->vm_stopped = false;
+     } else {
++        kvm_pit_update_clock_offset(s);
+         kvm_pit_get(&s->pit);
+-        s->state_valid = true;
++        s->vm_stopped = true;
+     }
+ }
+ 
+-- 
+1.7.3.4
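Review bot: in `kvm_pit_vm_state_change()` both branches now call `kvm_pit_update_clock_offset(s)` as their first statement, so the call can be hoisted above the `if (running)`. Also note the behavioural change: `kvm_pit_get()` now returns early while `s->vm_stopped` is set, so any caller while stopped sees the state snapshot taken in the stop path; that is the intent per the description, but the follow-up patch (`kvm_pit_put`) relies on `kernel_clock_offset` being refreshed on write, so the two patches must be applied together.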
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/kvm-i8254-finish-time-conversion-fix.patch qemu-kvm-1.1.1+dfsg/debian/patches/kvm-i8254-finish-time-conversion-fix.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/kvm-i8254-finish-time-conversion-fix.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/kvm-i8254-finish-time-conversion-fix.patch	2012-08-14 23:43:33.000000000 +0400
@@ -0,0 +1,62 @@
+Message-ID: <502A0B4F.105@siemens.com>
+Date:	Tue, 14 Aug 2012 10:24:47 +0200
+From:	Jan Kiszka <jan.kiszka@siemens.com>
+Subject: [PATCH uq/master 2/2] kvm: i8254: Finish time conversion fix
+Bug:	http://bugs.debian.org/683096
+
+0cdd3d1444 fixed reading back the counter load time from the kernel
+while assuming the kernel would always update its load time on writing
+the state. That is only true for channel 1, and so pit_get_channel_info
+returned wrong output pin states for high counter values.
+
+Fix this by applying the offset also on kvm_pit_put. Now we also need to
+update the offset when we write the state while the VM is stopped as it
+keeps on changing in that state.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ hw/kvm/i8254.c |   14 ++++++++++----
+ 1 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/kvm/i8254.c b/hw/kvm/i8254.c
+index c235d80..53d13e3 100644
+--- a/hw/kvm/i8254.c
++++ b/hw/kvm/i8254.c
+@@ -122,17 +122,23 @@ static void kvm_pit_get(PITCommonState *pit)
+         pit_get_next_transition_time(sc, sc->count_load_time);
+ }
+ 
+-static void kvm_pit_put(PITCommonState *s)
++static void kvm_pit_put(PITCommonState *pit)
+ {
++    KVMPITState *s = DO_UPCAST(KVMPITState, pit, pit);
+     struct kvm_pit_state2 kpit;
+     struct kvm_pit_channel_state *kchan;
+     struct PITChannelState *sc;
+     int i, ret;
+ 
+-    kpit.flags = s->channels[0].irq_disabled ? KVM_PIT_FLAGS_HPET_LEGACY : 0;
++    /* The offset keeps changing as long as the VM is stopped. */
++    if (s->vm_stopped) {
++        kvm_pit_update_clock_offset(s);
++    }
++
++    kpit.flags = pit->channels[0].irq_disabled ? KVM_PIT_FLAGS_HPET_LEGACY : 0;
+     for (i = 0; i < 3; i++) {
+         kchan = &kpit.channels[i];
+-        sc = &s->channels[i];
++        sc = &pit->channels[i];
+         kchan->count = sc->count;
+         kchan->latched_count = sc->latched_count;
+         kchan->count_latched = sc->count_latched;
+@@ -145,7 +151,7 @@ static void kvm_pit_put(PITCommonState *s)
+         kchan->mode = sc->mode;
+         kchan->bcd = sc->bcd;
+         kchan->gate = sc->gate;
+-        kchan->count_load_time = sc->count_load_time;
++        kchan->count_load_time = sc->count_load_time - s->kernel_clock_offset;
+     }
+ 
+     ret = kvm_vm_ioctl(kvm_state,
+-- 
+1.7.3.4
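Review bot: the `Message-ID:` header of this patch file is identical to the one in kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch (`<502A0B4F.105@siemens.com>`) although the dates differ by 44 seconds; this looks like a copy/paste slip in the Debian patch header and should carry the message id of the 2/2 mail so the upstream discussion can be located. The code change itself is symmetric with the get side (`- s->kernel_clock_offset` on put, `+ s->kernel_clock_offset` on get) and refreshing the offset on put while stopped matches the stated reasoning.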
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/net-add--netdev-options-to-man-page.patch qemu-kvm-1.1.1+dfsg/debian/patches/net-add--netdev-options-to-man-page.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/net-add--netdev-options-to-man-page.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/net-add--netdev-options-to-man-page.patch	2012-08-14 23:53:24.000000000 +0400
@@ -0,0 +1,77 @@
+From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date: Tue, 14 Aug 2012 14:25:51 +0100
+Message-Id: <1344950751-10331-1-git-send-email-stefanha@linux.vnet.ibm.com>
+
+Document the -netdev syntax which supercedes the older -net syntax.
+This patch is a first step to making -netdev prominent in the QEMU
+manual.
+
+Reported-by: Anatoly Techtonik <techtonik@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+---
+ qemu-options.hx |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 47cb5bd..ea9b824 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -1335,6 +1335,7 @@ Valid values for @var{type} are
+ Not all devices are supported on all targets.  Use -net nic,model=?
+ for a list of available devices for your target.
+ 
++@item -netdev user,id=@var{id}[,@var{option}][,@var{option}][,...]
+ @item -net user[,@var{option}][,@var{option}][,...]
+ Use the user mode network stack which requires no administrator
+ privilege to run. Valid options are:
+@@ -1343,6 +1344,7 @@ privilege to run. Valid options are:
+ @item vlan=@var{n}
+ Connect user mode stack to VLAN @var{n} (@var{n} = 0 is the default).
+ 
++@item id=@var{id}
+ @item name=@var{name}
+ Assign symbolic name for use in monitor commands.
+ 
+@@ -1468,6 +1470,7 @@ processed and applied to -net user. Mixing them with the new configuration
+ syntax gives undefined results. Their use for new applications is discouraged
+ as they will be removed from future versions.
+ 
++@item -netdev tap,id=@var{id}[,fd=@var{h}][,ifname=@var{name}][,script=@var{file}][,downscript=@var{dfile}][,helper=@var{helper}]
+ @item -net tap[,vlan=@var{n}][,name=@var{name}][,fd=@var{h}][,ifname=@var{name}][,script=@var{file}][,downscript=@var{dfile}][,helper=@var{helper}]
+ Connect the host TAP network interface @var{name} to VLAN @var{n}.
+ 
+@@ -1507,6 +1510,7 @@ qemu-system-i386 linux.img \
+                  -net nic -net tap,"helper=/usr/local/libexec/qemu-bridge-helper"
+ @end example
+ 
++@item -netdev bridge,id=@var{id}[,br=@var{bridge}][,helper=@var{helper}]
+ @item -net bridge[,vlan=@var{n}][,name=@var{name}][,br=@var{bridge}][,helper=@var{helper}]
+ Connect a host TAP network interface to a host bridge device.
+ 
+@@ -1529,6 +1533,7 @@ qemu-system-i386 linux.img -net bridge -net nic,model=virtio
+ qemu-system-i386 linux.img -net bridge,br=qemubr0 -net nic,model=virtio
+ @end example
+ 
++@item -netdev socket,id=@var{id}[,fd=@var{h}][,listen=[@var{host}]:@var{port}][,connect=@var{host}:@var{port}]
+ @item -net socket[,vlan=@var{n}][,name=@var{name}][,fd=@var{h}] [,listen=[@var{host}]:@var{port}][,connect=@var{host}:@var{port}]
+ 
+ Connect the VLAN @var{n} to a remote VLAN in another QEMU virtual
+@@ -1551,6 +1556,7 @@ qemu-system-i386 linux.img \
+                  -net socket,connect=127.0.0.1:1234
+ @end example
+ 
++@item -netdev socket,id=@var{id}[,fd=@var{h}][,mcast=@var{maddr}:@var{port}[,localaddr=@var{addr}]]
+ @item -net socket[,vlan=@var{n}][,name=@var{name}][,fd=@var{h}][,mcast=@var{maddr}:@var{port}[,localaddr=@var{addr}]]
+ 
+ Create a VLAN @var{n} shared with another QEMU virtual
+@@ -1602,6 +1608,7 @@ qemu-system-i386 linux.img \
+                  -net socket,mcast=239.192.168.1:1102,localaddr=1.2.3.4
+ @end example
+ 
++@item -netdev vde,id=@var{id}[,sock=@var{socketpath}][,port=@var{n}][,group=@var{groupname}][,mode=@var{octalmode}]
+ @item -net vde[,vlan=@var{n}][,name=@var{name}][,sock=@var{socketpath}] [,port=@var{n}][,group=@var{groupname}][,mode=@var{octalmode}]
+ Connect VLAN @var{n} to PORT @var{n} of a vde switch running on host and
+ listening for incoming connections on @var{socketpath}. Use GROUP @var{groupname}
+-- 
+1.7.10.4
+
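Review bot: style point on the man-page hunks above: the new `-netdev socket` and `-netdev vde` synopsis lines are written without whitespace between option groups, but the neighbouring `-net socket` and `-net vde` lines they sit next to still carry a stray space before `[,listen=` and `[,port=`; since the page is being edited anyway, dropping those two spaces would keep the paired entries visually aligned.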
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/qemu-kvm-Add-missing-default-machine-options.patch qemu-kvm-1.1.1+dfsg/debian/patches/qemu-kvm-Add-missing-default-machine-options.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/qemu-kvm-Add-missing-default-machine-options.patch	2012-07-03 18:04:55.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/debian/patches/qemu-kvm-Add-missing-default-machine-options.patch	1970-01-01 03:00:00.000000000 +0300
@@ -1,36 +0,0 @@
-From 398b87f4ef3426569bdda2da2c9c2b89f4ba906f Mon Sep 17 00:00:00 2001
-From: Jan Kiszka <jan.kiszka@siemens.com>
-Date: Mon, 2 Jul 2012 09:34:46 +0200
-Subject: [PATCH 1/2] qemu-kvm: Add missing default machine options
-
-qemu-kvm-specific machine defaults were missing for pc-0.15 and pc-1.0.
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
----
- hw/pc_piix.c |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/pc_piix.c b/hw/pc_piix.c
-index c3fb74e..4e8a280 100644
---- a/hw/pc_piix.c
-+++ b/hw/pc_piix.c
-@@ -393,6 +393,7 @@ static QEMUMachine pc_machine_v1_0 = {
-     .desc = "Standard PC",
-     .init = pc_init_pci,
-     .max_cpus = 255,
-+    .default_machine_opts = "accel=kvm,kernel_irqchip=on",
-     .compat_props = (GlobalProperty[]) {
-         PC_COMPAT_1_0,
-         { /* end of list */ }
-@@ -407,6 +408,7 @@ static QEMUMachine pc_machine_v0_15 = {
-     .desc = "Standard PC",
-     .init = pc_init_pci,
-     .max_cpus = 255,
-+    .default_machine_opts = "accel=kvm,kernel_irqchip=on",
-     .compat_props = (GlobalProperty[]) {
-         PC_COMPAT_0_15,
-         { /* end of list */ }
--- 
-1.7.10
-
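Review bot: dropping this patch is correct only because the identical two-line change now arrives with upstream 1.1.1; the `hw/pc_piix.c` hunks later in this debdiff add `.default_machine_opts = "accel=kvm,kernel_irqchip=on",` to both `pc_machine_v1_0` and `pc_machine_v0_15` at the same positions, so keeping the patch in `debian/patches/series` would have made it fail to apply. The changelog should say "superseded by upstream 1.1.1" rather than just "removed", so nobody reads it as a lost fix.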
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch qemu-kvm-1.1.1+dfsg/debian/patches/qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch	2012-07-03 18:04:55.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/debian/patches/qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch	1970-01-01 03:00:00.000000000 +0300
@@ -1,41 +0,0 @@
-From 6f82a5ea52302bab33287b0191538be6f9138637 Mon Sep 17 00:00:00 2001
-From: Jan Kiszka <jan.kiszka@siemens.com>
-Date: Mon, 2 Jul 2012 10:05:39 +0200
-Subject: [PATCH 2/2] qemu-kvm: virtio: Do not register mask notifiers without
- in-kernel irqchip support
-
-We crash if we registers mask notifiers without backing in-kernel
-irqchip. This corresponds to the check in QEMU upstream after 1.1 now.
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
----
- hw/virtio-pci.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
-index a0c2ca7..5b64356 100644
---- a/hw/virtio-pci.c
-+++ b/hw/virtio-pci.c
-@@ -629,7 +629,7 @@ static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
- 
-     /* Must unset mask notifier while guest notifier
-      * is still assigned */
--    if (!assign) {
-+    if (kvm_irqchip_in_kernel() && !assign) {
- 	    r = msix_unset_mask_notifier(&proxy->pci_dev);
-             assert(r >= 0);
-     }
-@@ -647,7 +647,7 @@ static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
- 
-     /* Must set mask notifier after guest notifier
-      * has been assigned */
--    if (assign) {
-+    if (kvm_irqchip_in_kernel() && assign) {
-         r = msix_set_mask_notifier(&proxy->pci_dev,
-                                    virtio_pci_mask_notifier);
-         if (r < 0) {
--- 
-1.7.10
-
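Review bot: same situation as the previous patch: the `hw/virtio-pci.c` hunks further down carry exactly these `kvm_irqchip_in_kernel() && !assign` and `kvm_irqchip_in_kernel() && assign` guards, so the removal is behaviour-neutral. Since this one fixes a host-side crash when MSI-X mask notifiers are registered without an in-kernel irqchip, it is worth keeping the bug reference in the changelog entry that documents the removal.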
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch qemu-kvm-1.1.1+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/qom-object_delete-should-unparent-the-object-first.patch	2012-08-14 23:16:15.000000000 +0400
@@ -0,0 +1,99 @@
+From 6d1ea139acf85184fa721654bcc68a4544a536ca Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 8 Aug 2012 14:33:02 +0200
+Subject: qom: object_delete should unparent the object first
+Bug: http://bugs.debian.org/684282
+Comment: cherry-picked (removed hw/shpc.c) to 1.1.1 by mjt
+
+object_deinit is only called when the reference count goes to zero,
+and yet tries to do an object_unparent.  Now, object_unparent
+either does nothing or it will decrease the reference count.
+Because we know the reference count is zero, the object_unparent
+call in object_deinit is useless.
+
+Instead, we need to disconnect the object from its parent just
+before we remove the last reference apart from the parent's.  This
+happens in object_delete.  Once we do this, all calls to
+object_unparent peppered through QEMU can go away.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/acpi_piix4.c   | 1 -
+ hw/qdev.c         | 2 --
+ hw/xen_platform.c | 3 ---
+ qom/object.c      | 3 +--
+
+diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
+index 0aace60..72d6e5c 100644
+--- a/hw/acpi_piix4.c
++++ b/hw/acpi_piix4.c
+@@ -305,7 +305,6 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
+             if (pc->no_hotplug) {
+                 slot_free = false;
+             } else {
+-                object_unparent(OBJECT(dev));
+                 qdev_free(qdev);
+             }
+         }
+diff --git a/hw/qdev.c b/hw/qdev.c
+index b5b74b9..b5a52ac 100644
+--- a/hw/qdev.c
++++ b/hw/qdev.c
+@@ -159,7 +159,6 @@ int qdev_init(DeviceState *dev)
+ 
+     rc = dc->init(dev);
+     if (rc < 0) {
+-        object_unparent(OBJECT(dev));
+         qdev_free(dev);
+         return rc;
+     }
+@@ -243,7 +242,6 @@ void qbus_reset_all_fn(void *opaque)
+ int qdev_simple_unplug_cb(DeviceState *dev)
+ {
+     /* just zap it */
+-    object_unparent(OBJECT(dev));
+     qdev_free(dev);
+     return 0;
+ }
+diff --git a/hw/xen_platform.c b/hw/xen_platform.c
+index c1fe984..0d6c2ff 100644
+--- a/hw/xen_platform.c
++++ b/hw/xen_platform.c
+@@ -87,9 +87,6 @@ static void unplug_nic(PCIBus *b, PCIDevice *d, void *o)
+ {
+     if (pci_get_word(d->config + PCI_CLASS_DEVICE) ==
+             PCI_CLASS_NETWORK_ETHERNET) {
+-        /* Until qdev_free includes a call to object_unparent, we call it here
+-         */
+-        object_unparent(&d->qdev.parent_obj);
+         qdev_free(&d->qdev);
+     }
+ }
+diff --git a/qom/object.c b/qom/object.c
+index 00bb3b0..3ccd744 100644
+--- a/qom/object.c
++++ b/qom/object.c
+@@ -366,8 +366,6 @@ static void object_deinit(Object *obj, TypeImpl *type)
+     if (type_has_parent(type)) {
+         object_deinit(obj, type_get_parent(type));
+     }
+-
+-    object_unparent(obj);
+ }
+ 
+ void object_finalize(void *data)
+@@ -402,8 +402,9 @@ Object *object_new(const char *typename)
+ 
+ void object_delete(Object *obj)
+ {
++    object_unparent(obj);
++    g_assert(obj->ref == 1);
+     object_unref(obj);
+-    g_assert(obj->ref == 0);
+     g_free(obj);
+ }
+ 
+-- 
+1.7.11.2
+
+
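Review bot: the reordering in `object_delete()` is the substantive part of this patch and it is sound: `object_unparent(obj)` now runs first, and `g_assert(obj->ref == 1)` checks before the final `object_unref()` that only the caller's reference is left, so an object deleted while something else still holds it trips the assert before the memory is released rather than after. The patch header's `Comment:` says the `hw/shpc.c` part was dropped for 1.1.1 and the diffstat lists four files accordingly, but there is no `N files changed` summary line after the diffstat; quilt does not care, it is just inconsistent with the other patches in this directory.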
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/series qemu-kvm-1.1.1+dfsg/debian/patches/series
--- qemu-kvm-1.1.0+dfsg/debian/patches/series	2012-07-07 16:11:28.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/debian/patches/series	2012-08-14 23:53:43.000000000 +0400
@@ -3,7 +3,21 @@
 resurrect-extboot.diff
 disable-hpet-for-tcg.patch
 use-libexecdir.patch
-qemu-kvm-Add-missing-default-machine-options.patch
-qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch
+
+# upstream stable patches
+
+# upstream fixes
+uhci:-fix-uhci_async_cancel_all.patch
+eventfd-making-it-thread-safe.patch
+qom-object_delete-should-unparent-the-object-first.patch
+virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
+ahci-Fix-ahci-cdrom-read-corruptions-for-reads-128k.patch
+ahci-Fix-sglist-memleak-in-ahci_dma_rw_buf.patch
+kvm-i8254-cache-kernel-clock-offset-in-KVMPITState.patch
+kvm-i8254-finish-time-conversion-fix.patch
+
+# other fixes
 align-ram_size-to-8k-boundary.patch
 dont-try-to-hotplug-cpu.patch
+
+net-add--netdev-options-to-man-page.patch
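Review bot: the `# upstream stable patches` section introduced here is empty (the next line is already `# upstream fixes`); either list what belongs there or drop the header so it does not look like something was forgotten. Two naming nits: `uhci:-fix-uhci_async_cancel_all.patch` contains a colon, which is awkward for tooling and filesystems that treat `:` specially and does not match the style of the other files, and `net-add--netdev-options-to-man-page.patch` has a doubled hyphen that reads like a typo; both are safe to rename now, before the upload, while the series file is being rewritten anyway.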
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch qemu-kvm-1.1.1+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/uhci:-fix-uhci_async_cancel_all.patch	2012-08-14 22:46:02.000000000 +0400
@@ -0,0 +1,33 @@
+Commit: 77fa9aee38758a078870e25f0dcf642066b4d5cc
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri Jun 15 09:39:50 2012 +0200
+Subject: uhci: fix uhci_async_cancel_all
+Message-ID: <1340201134-21109-7-git-send-email-kraxel@redhat.com>
+Bug: http://bugs.debian.org/684323
+Bug: https://bugzilla.novell.com/show_bug.cgi?id=766310
+Comment: proposed for upstream stable-1.1 series
+    
+    We update the QTAILQ in the loop, thus we must use the SAFE version
+    to make sure we don't touch the queue struct after freeing it.
+    
+    https://bugzilla.novell.com/show_bug.cgi?id=766310
+    
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
+index 9871e24..2ebce04 100644
+--- a/hw/usb/hcd-uhci.c
++++ b/hw/usb/hcd-uhci.c
+@@ -292,10 +292,10 @@ static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev)
+ 
+ static void uhci_async_cancel_all(UHCIState *s)
+ {
+-    UHCIQueue *queue;
++    UHCIQueue *queue, *nq;
+     UHCIAsync *curr, *n;
+ 
+-    QTAILQ_FOREACH(queue, &s->queues, next) {
++    QTAILQ_FOREACH_SAFE(queue, &s->queues, next, nq) {
+         QTAILQ_FOREACH_SAFE(curr, &queue->asyncs, next, n) {
+             uhci_async_unlink(curr);
+             uhci_async_cancel(curr);
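Review bot: the fix is the standard one for freeing list members while iterating: `QTAILQ_FOREACH_SAFE` saves the `next` pointer into `nq` before the body runs, so freeing `queue` inside the body no longer dereferences freed memory on the following iteration. The visible context stops inside the inner loop, before whatever frees `queue`, so the hunk alone does not show the free; the commit text does, and the inner `QTAILQ_FOREACH_SAFE(curr, &queue->asyncs, next, n)` already follows the same pattern for the asyncs. The header's `Comment:` says "proposed for upstream stable-1.1" while the file also carries a `Commit:` id, so it is in master already; once a 1.1.x release contains it, drop this patch the same way the two `qemu-kvm-*` patches are dropped here.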
diff -Nru qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch qemu-kvm-1.1.1+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch
--- qemu-kvm-1.1.0+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-kvm-1.1.1+dfsg/debian/patches/virtio-blk-fix-use-after-free-while-handling-scsi-commands.patch	2012-08-14 22:46:02.000000000 +0400
@@ -0,0 +1,28 @@
+From: Avi Kivity <avi@redhat.com>
+Date: Mon, 6 Aug 2012 15:35:02 +0300
+Subject: virtio-blk: fix use-after-free while handling scsi commands
+Message-Id: <501FBAA2.6050205@redhat.com>
+Bug: http://bugs.debian.org/684261
+Comment: fix by upstream which should go to upstream stable-1.1 too
+Comment: spelling fixed (virtio-mlk -> virtio-blk) in Subject
+
+The scsi passthrough handler falls through after completing a
+request into the failure path, resulting in a use after free.
+
+Reprducible by running a guest with aio=native on a block device.
+
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index f21757e..552b3b6 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -254,6 +254,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+ 
+     virtio_blk_req_complete(req, status);
+     g_free(req);
++    return;
+ #else
+     abort();
+ #endif
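Review bot: the single added `return;` is the whole fix and its placement is what matters: it sits inside the `#ifdef __linux__` branch immediately after `g_free(req)`, so on Linux the function now leaves after completing the request instead of running on past the `#endif` into the failure path (not in the visible context), where `req` would be completed and freed a second time. The `#else` branch still ends in `abort()`, so no other build reaches that path either. Because the upstream `hw/virtio-blk.c` diff in this same debdiff also edits `virtio_blk_handle_scsi()` (the `#ifdef __linux__` around `ret` and `i`), confirm this patch still applies cleanly on top of 1.1.1 rather than with fuzz.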
diff -Nru qemu-kvm-1.1.0+dfsg/exec.c qemu-kvm-1.1.1+dfsg/exec.c
--- qemu-kvm-1.1.0+dfsg/exec.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/exec.c	2012-07-16 11:52:03.000000000 +0400
@@ -1492,7 +1492,8 @@
 
 static void breakpoint_invalidate(CPUArchState *env, target_ulong pc)
 {
-    tb_invalidate_phys_addr(cpu_get_phys_page_debug(env, pc));
+    tb_invalidate_phys_addr(cpu_get_phys_page_debug(env, pc) |
+            (pc & ~TARGET_PAGE_MASK));
 }
 #endif
 #endif /* TARGET_HAS_ICE */
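Review bot: `cpu_get_phys_page_debug()` returns a page-aligned physical address, so OR-ing in `pc & ~TARGET_PAGE_MASK` makes the TB invalidation target the exact breakpoint address instead of the start of its page. The hunk does not show how a failed lookup is represented; check that whatever sentinel that function returns survives the OR (an all-ones value would, a zero would not).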
diff -Nru qemu-kvm-1.1.0+dfsg/hw/ide/ahci.c qemu-kvm-1.1.1+dfsg/hw/ide/ahci.c
--- qemu-kvm-1.1.0+dfsg/hw/ide/ahci.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/ide/ahci.c	2012-07-16 11:52:03.000000000 +0400
@@ -462,7 +462,7 @@
 
 static void ahci_init_d2h(AHCIDevice *ad)
 {
-    uint8_t init_fis[0x20];
+    uint8_t init_fis[20];
     IDEState *ide_state = &ad->port.ifs[0];
 
     memset(init_fis, 0, sizeof(init_fis));
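Review bot: `0x20` to `20` is a change of value (32 bytes to 20), not of notation, and the same literal change is repeated in the next hunk's loop bound; a named constant for the D2H FIS length would tie the two together and stop the next reader from "correcting" `20` back to `0x20`. The `memset(init_fis, 0, sizeof(init_fis))` that follows keeps the smaller buffer fully initialised, so this hunk on its own is safe.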
@@ -619,7 +619,7 @@
     d2h_fis[11] = cmd_fis[11];
     d2h_fis[12] = cmd_fis[12];
     d2h_fis[13] = cmd_fis[13];
-    for (i = 14; i < 0x20; i++) {
+    for (i = 14; i < 20; i++) {
         d2h_fis[i] = 0;
     }
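Review bot: this loop now clears only `d2h_fis[14..19]`, but the declaration of `d2h_fis` is outside the hunk; if that buffer is still sized `0x20` (or points into a larger region), bytes 20 through 31 are no longer zeroed and whatever was there before becomes part of the guest-visible FIS. Confirm its size was changed in step with `init_fis` in the previous hunk, or that the consumer only ever reads 20 bytes.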
 
diff -Nru qemu-kvm-1.1.0+dfsg/hw/ide/ich.c qemu-kvm-1.1.1+dfsg/hw/ide/ich.c
--- qemu-kvm-1.1.0+dfsg/hw/ide/ich.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/ide/ich.c	2012-07-16 11:52:03.000000000 +0400
@@ -84,6 +84,14 @@
     .unmigratable = 1,
 };
 
+static void pci_ich9_reset(void *opaque)
+{
+    struct AHCIPCIState *d = opaque;
+
+    msi_reset(&d->card);
+    ahci_reset(opaque);
+}
+
 static int pci_ich9_ahci_init(PCIDevice *dev)
 {
     struct AHCIPCIState *d;
@@ -102,7 +110,7 @@
     /* XXX Software should program this register */
     d->card.config[0x90]   = 1 << 6; /* Address Map Register - AHCI mode */
 
-    qemu_register_reset(ahci_reset, d);
+    qemu_register_reset(pci_ich9_reset, d);
 
     msi_init(dev, 0x50, 1, true, false);
     d->ahci.irq = d->card.irq[0];
@@ -133,7 +141,7 @@
     d = DO_UPCAST(struct AHCIPCIState, card, dev);
 
     msi_uninit(dev);
-    qemu_unregister_reset(ahci_reset, d);
+    qemu_unregister_reset(pci_ich9_reset, d);
     ahci_uninit(&d->ahci);
 
     return 0;
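Review bot: registering and unregistering the same `pci_ich9_reset` pointer keeps the reset list consistent (the old code paired `ahci_reset` in both places and the hunks update both). Calling `msi_reset()` unconditionally is correct here because the `msi_init(dev, 0x50, 1, true, false)` a few lines below in the same init function is also unconditional, unlike the `intel-hda.c` hunk in this debdiff, which has to guard on `d->msi`. Minor: `ahci_reset(opaque)` next to `msi_reset(&d->card)` mixes the raw `opaque` and the cast `d`; passing `d` to both reads more clearly.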
diff -Nru qemu-kvm-1.1.0+dfsg/hw/intel-hda.c qemu-kvm-1.1.1+dfsg/hw/intel-hda.c
--- qemu-kvm-1.1.0+dfsg/hw/intel-hda.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/intel-hda.c	2012-07-16 11:52:03.000000000 +0400
@@ -1107,6 +1107,9 @@
     DeviceState *qdev;
     HDACodecDevice *cdev;
 
+    if (d->msi) {
+        msi_reset(&d->pci);
+    }
     intel_hda_regs_reset(d);
     d->wall_base_ns = qemu_get_clock_ns(vm_clock);
 
diff -Nru qemu-kvm-1.1.0+dfsg/hw/kvm/apic.c qemu-kvm-1.1.1+dfsg/hw/kvm/apic.c
--- qemu-kvm-1.1.0+dfsg/hw/kvm/apic.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/kvm/apic.c	2012-07-16 11:52:03.000000000 +0400
@@ -29,7 +29,7 @@
     APICCommonState *s = DO_UPCAST(APICCommonState, busdev.qdev, d);
     int i;
 
-    memset(kapic, 0, sizeof(kapic));
+    memset(kapic, 0, sizeof(*kapic));
     kvm_apic_set_reg(kapic, 0x2, s->id << 24);
     kvm_apic_set_reg(kapic, 0x8, s->tpr);
     kvm_apic_set_reg(kapic, 0xd, s->log_dest << 24);
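Review bot: `sizeof(kapic)` on a pointer zeroed only 4 or 8 bytes of the state that `kapic` points to, so every `kvm_apic_set_reg()` write below landed in an otherwise uninitialised structure; `sizeof(*kapic)` clears the whole object. Where that structure is allocated is outside the context, so the stale contents were whatever the caller's buffer held. This is a good candidate for a changelog line of its own, since it is a silent uninitialised-memory bug rather than a crash.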
diff -Nru qemu-kvm-1.1.0+dfsg/hw/pci_bridge_dev.c qemu-kvm-1.1.1+dfsg/hw/pci_bridge_dev.c
--- qemu-kvm-1.1.0+dfsg/hw/pci_bridge_dev.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/pci_bridge_dev.c	2012-07-16 11:52:03.000000000 +0400
@@ -52,7 +52,7 @@
 {
     PCIBridge *br = DO_UPCAST(PCIBridge, dev, dev);
     PCIBridgeDev *bridge_dev = DO_UPCAST(PCIBridgeDev, bridge, br);
-    int err;
+    int err, ret;
     pci_bridge_map_irq(br, NULL, pci_bridge_dev_map_irq_fn);
     err = pci_bridge_initfn(dev);
     if (err) {
@@ -86,6 +86,8 @@
     shpc_cleanup(dev, &bridge_dev->bar);
 shpc_error:
     memory_region_destroy(&bridge_dev->bar);
+    ret = pci_bridge_exitfn(dev);
+    assert(!ret);
 bridge_error:
     return err;
 }
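Review bot: `ret` exists only to feed `assert(!ret)`; with assertions compiled out it becomes set-but-unused and a failing `pci_bridge_exitfn()` is silently ignored on an already-failing path. Either ignore the return value deliberately (and say so in a comment) or handle a nonzero result with a log line. The placement is right: the new cleanup runs for both the `shpc_cleanup` fall-through and the `shpc_error` label, and the `bridge_error` label, reached only when `pci_bridge_initfn()` itself failed, correctly skips it.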
diff -Nru qemu-kvm-1.1.0+dfsg/hw/pc_piix.c qemu-kvm-1.1.1+dfsg/hw/pc_piix.c
--- qemu-kvm-1.1.0+dfsg/hw/pc_piix.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/pc_piix.c	2012-07-16 11:52:03.000000000 +0400
@@ -393,6 +393,7 @@
     .desc = "Standard PC",
     .init = pc_init_pci,
     .max_cpus = 255,
+    .default_machine_opts = "accel=kvm,kernel_irqchip=on",
     .compat_props = (GlobalProperty[]) {
         PC_COMPAT_1_0,
         { /* end of list */ }
@@ -407,6 +408,7 @@
     .desc = "Standard PC",
     .init = pc_init_pci,
     .max_cpus = 255,
+    .default_machine_opts = "accel=kvm,kernel_irqchip=on",
     .compat_props = (GlobalProperty[]) {
         PC_COMPAT_0_15,
         { /* end of list */ }
diff -Nru qemu-kvm-1.1.0+dfsg/hw/qdev.c qemu-kvm-1.1.1+dfsg/hw/qdev.c
--- qemu-kvm-1.1.0+dfsg/hw/qdev.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/qdev.c	2012-07-16 11:52:03.000000000 +0400
@@ -150,6 +150,7 @@
 
     rc = dc->init(dev);
     if (rc < 0) {
+        object_unparent(OBJECT(dev));
         qdev_free(dev);
         return rc;
     }
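Review bot: this `object_unparent(OBJECT(dev))` on the init failure path is the upstream 1.1.1 stop-gap, and the Debian-local `qom-object_delete-should-unparent-the-object-first.patch` added in this same upload removes exactly this line again; that patch's `hw/qdev.c` hunk is headed `@@ -159,7 +159,6 @@` while here the line lands near 153, so it applies with an offset against 1.1.1. Refresh it so it applies cleanly, and note in its header that it intentionally reverts this upstream line rather than leaving the reader to work that out from the two hunks.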
diff -Nru qemu-kvm-1.1.0+dfsg/hw/qdev-monitor.c qemu-kvm-1.1.1+dfsg/hw/qdev-monitor.c
--- qemu-kvm-1.1.0+dfsg/hw/qdev-monitor.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/qdev-monitor.c	2012-07-16 11:52:03.000000000 +0400
@@ -20,6 +20,7 @@
 #include "qdev.h"
 #include "monitor.h"
 #include "qmp-commands.h"
+#include "arch_init.h"
 
 /*
  * Aliases were a bad idea from the start.  Let's keep them
@@ -29,16 +30,18 @@
 {
     const char *typename;
     const char *alias;
+    uint32_t arch_mask;
 } QDevAlias;
 
 static const QDevAlias qdev_alias_table[] = {
-    { "virtio-blk-pci", "virtio-blk" },
-    { "virtio-net-pci", "virtio-net" },
-    { "virtio-serial-pci", "virtio-serial" },
-    { "virtio-balloon-pci", "virtio-balloon" },
-    { "virtio-blk-s390", "virtio-blk" },
-    { "virtio-net-s390", "virtio-net" },
-    { "virtio-serial-s390", "virtio-serial" },
+    { "virtio-blk-pci", "virtio-blk", QEMU_ARCH_ALL & ~QEMU_ARCH_S390X },
+    { "virtio-net-pci", "virtio-net", QEMU_ARCH_ALL & ~QEMU_ARCH_S390X },
+    { "virtio-serial-pci", "virtio-serial", QEMU_ARCH_ALL & ~QEMU_ARCH_S390X },
+    { "virtio-balloon-pci", "virtio-balloon",
+            QEMU_ARCH_ALL & ~QEMU_ARCH_S390X },
+    { "virtio-blk-s390", "virtio-blk", QEMU_ARCH_S390X },
+    { "virtio-net-s390", "virtio-net", QEMU_ARCH_S390X },
+    { "virtio-serial-s390", "virtio-serial", QEMU_ARCH_S390X },
     { "lsi53c895a", "lsi" },
     { "ich9-ahci", "ahci" },
     { }
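Review bot: the two entries without a third field (`lsi53c895a` and `ich9-ahci`) get `arch_mask == 0`, which the lookup loops treat as "any architecture" through the `qdev_alias_table[i].arch_mask &&` short-circuit; that works but is implicit, so either give them `QEMU_ARCH_ALL` explicitly or add a one-line comment at the table, so a future entry with a forgotten mask is not silently global. The line break in the `virtio-balloon-pci` entry is only for length and is fine.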
@@ -50,6 +53,11 @@
     int i;
 
     for (i = 0; qdev_alias_table[i].typename; i++) {
+        if (qdev_alias_table[i].arch_mask &&
+            !(qdev_alias_table[i].arch_mask & arch_type)) {
+            continue;
+        }
+
         if (strcmp(qdev_alias_table[i].typename, typename) == 0) {
             return qdev_alias_table[i].alias;
         }
@@ -110,6 +118,11 @@
     int i;
 
     for (i = 0; qdev_alias_table[i].alias; i++) {
+        if (qdev_alias_table[i].arch_mask &&
+            !(qdev_alias_table[i].arch_mask & arch_type)) {
+            continue;
+        }
+
         if (strcmp(qdev_alias_table[i].alias, alias) == 0) {
             return qdev_alias_table[i].typename;
         }
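Review bot: the same four-line `arch_mask` filter is pasted into both lookup loops (typename to alias above, alias to typename here); a tiny static helper taking a `const QDevAlias *` would keep the two checks from drifting apart the next time the rule changes.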
diff -Nru qemu-kvm-1.1.0+dfsg/hw/rtl8139.c qemu-kvm-1.1.1+dfsg/hw/rtl8139.c
--- qemu-kvm-1.1.0+dfsg/hw/rtl8139.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/rtl8139.c	2012-07-16 11:52:03.000000000 +0400
@@ -781,6 +781,13 @@
 #endif
 }
 
+/* Workaround for buggy guest driver such as linux who allocates rx
+ * rings after the receiver were enabled. */
+static bool rtl8139_cp_rx_valid(RTL8139State *s)
+{
+    return !(s->RxRingAddrLO == 0 && s->RxRingAddrHI == 0);
+}
+
 static int rtl8139_can_receive(VLANClientState *nc)
 {
     RTL8139State *s = DO_UPCAST(NICState, nc, nc)->opaque;
@@ -792,14 +799,14 @@
     if (!rtl8139_receiver_enabled(s))
       return 1;
 
-    if (rtl8139_cp_receiver_enabled(s)) {
+    if (rtl8139_cp_receiver_enabled(s) && rtl8139_cp_rx_valid(s)) {
         /* ??? Flow control not implemented in c+ mode.
            This is a hack to work around slirp deficiencies anyway.  */
         return 1;
     } else {
         avail = MOD2(s->RxBufferSize + s->RxBufPtr - s->RxBufAddr,
                      s->RxBufferSize);
-        return (avail == 0 || avail >= 1514);
+        return (avail == 0 || avail >= 1514 || (s->IntrMask & RxOverflow));
     }
 }
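Review bot: two separate behaviour changes share this hunk. The `rtl8139_cp_rx_valid()` test stops C+ mode from reporting "can receive" while the ring address registers are still zero, i.e. before the guest driver has programmed them; together with the next hunk the frame is then dropped instead of being written to a ring at address 0. The `(s->IntrMask & RxOverflow)` addition makes legacy mode accept a frame even when the buffer is full, as long as the guest asked to be told about overflows, presumably so the overflow interrupt can fire instead of the receiver stalling; that one deserves its own sentence in the changelog because it changes what a guest with a full ring observes.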
 
@@ -937,6 +944,10 @@
 
     if (rtl8139_cp_receiver_enabled(s))
     {
+        if (!rtl8139_cp_rx_valid(s)) {
+            return size;
+        }
+
         DPRINTF("in C+ Rx mode ================\n");
 
         /* begin C+ receiver mode */
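Review bot: returning `size` here reports the frame as consumed while it is actually dropped; that is the right outcome for a guest that enabled the receiver before setting up the ring, but a `DPRINTF` beside the existing "in C+ Rx mode" one would make the state visible when debugging a guest that never receives anything. The check duplicates the one added to `rtl8139_can_receive()`, which is presumably needed because the can-receive answer can go stale between the poll and the actual delivery.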
diff -Nru qemu-kvm-1.1.0+dfsg/hw/virtio-blk.c qemu-kvm-1.1.1+dfsg/hw/virtio-blk.c
--- qemu-kvm-1.1.0+dfsg/hw/virtio-blk.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/virtio-blk.c	2012-07-16 11:52:03.000000000 +0400
@@ -147,9 +147,11 @@
 
 static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
 {
+#ifdef __linux__
     int ret;
-    int status = VIRTIO_BLK_S_OK;
     int i;
+#endif
+    int status = VIRTIO_BLK_S_OK;
 
     /*
      * We require at least one output segment each for the virtio_blk_outhdr
@@ -489,7 +491,22 @@
     stw_raw(&blkcfg.min_io_size, s->conf->min_io_size / blk_size);
     stw_raw(&blkcfg.opt_io_size, s->conf->opt_io_size / blk_size);
     blkcfg.heads = heads;
-    blkcfg.sectors = secs & ~s->sector_mask;
+    /*
+     * We must ensure that the block device capacity is a multiple of
+     * the logical block size. If that is not the case, lets use
+     * sector_mask to adopt the geometry to have a correct picture.
+     * For those devices where the capacity is ok for the given geometry
+     * we dont touch the sector value of the geometry, since some devices
+     * (like s390 dasd) need a specific value. Here the capacity is already
+     * cyls*heads*secs*blk_size and the sector value is not block size
+     * divided by 512 - instead it is the amount of blk_size blocks
+     * per track (cylinder).
+     */
+    if (bdrv_getlength(s->bs) /  heads / secs % blk_size) {
+        blkcfg.sectors = secs & ~s->sector_mask;
+    } else {
+        blkcfg.sectors = secs;
+    }
     blkcfg.size_max = 0;
     blkcfg.physical_block_exp = get_physical_block_exp(s->conf);
     blkcfg.alignment_offset = 0;
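Review bot: in the new geometry test `bdrv_getlength(s->bs) /  heads / secs % blk_size`, `/` and `%` bind equally and left to right, so it evaluates as `((length / heads) / secs) % blk_size`, which matches the comment's intent, but it divides by `heads` and `secs` with no zero check in sight; if either can be 0 for an unusual geometry this is a division by zero. The double space in `/  heads` is a typo. The first hunk in this file is warning hygiene only (moving `status` out of `#ifdef __linux__` so the non-Linux build does not see unused `ret`/`i` or a missing `status`), harmless.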
diff -Nru qemu-kvm-1.1.0+dfsg/hw/virtio-pci.c qemu-kvm-1.1.1+dfsg/hw/virtio-pci.c
--- qemu-kvm-1.1.0+dfsg/hw/virtio-pci.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/virtio-pci.c	2012-07-16 11:52:03.000000000 +0400
@@ -629,7 +629,7 @@
 
     /* Must unset mask notifier while guest notifier
      * is still assigned */
-    if (!assign) {
+    if (kvm_irqchip_in_kernel() && !assign) {
 	    r = msix_unset_mask_notifier(&proxy->pci_dev);
             assert(r >= 0);
     }
@@ -647,7 +647,7 @@
 
     /* Must set mask notifier after guest notifier
      * has been assigned */
-    if (assign) {
+    if (kvm_irqchip_in_kernel() && assign) {
         r = msix_set_mask_notifier(&proxy->pci_dev,
                                    virtio_pci_mask_notifier);
         if (r < 0) {
diff -Nru qemu-kvm-1.1.0+dfsg/hw/xen_disk.c qemu-kvm-1.1.1+dfsg/hw/xen_disk.c
--- qemu-kvm-1.1.0+dfsg/hw/xen_disk.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/hw/xen_disk.c	2012-07-16 11:52:03.000000000 +0400
@@ -537,6 +537,15 @@
     blk_handle_requests(blkdev);
 }
 
+/*
+ * We need to account for the grant allocations requiring contiguous
+ * chunks; the worst case number would be
+ *     max_req * max_seg + (max_req - 1) * (max_seg - 1) + 1,
+ * but in order to keep things simple just use
+ *     2 * max_req * max_seg.
+ */
+#define MAX_GRANTS(max_req, max_seg) (2 * (max_req) * (max_seg))
+
 static void blk_alloc(struct XenDevice *xendev)
 {
     struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev);
@@ -548,6 +557,11 @@
     if (xen_mode != XEN_EMULATE) {
         batch_maps = 1;
     }
+    if (xc_gnttab_set_max_grants(xendev->gnttabdev,
+            MAX_GRANTS(max_requests, BLKIF_MAX_SEGMENTS_PER_REQUEST)) < 0) {
+        xen_be_printf(xendev, 0, "xc_gnttab_set_max_grants failed: %s\n",
+                      strerror(errno));
+    }
 }
 
 static int blk_init(struct XenDevice *xendev)
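Review bot: a failing `xc_gnttab_set_max_grants()` is logged and then ignored, so `blk_alloc()` still succeeds and the device runs with whatever grant limit the library defaulted to; if grant maps later fail under load, the connection to this message is not obvious. Either make it fatal (if the callers of `blk_alloc` allow returning an error) or log at a level that is on by default. `MAX_GRANTS` over-allocates compared with the worst-case formula in its comment, which is the safe direction.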
diff -Nru qemu-kvm-1.1.0+dfsg/KVM_VERSION qemu-kvm-1.1.1+dfsg/KVM_VERSION
--- qemu-kvm-1.1.0+dfsg/KVM_VERSION	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/KVM_VERSION	2012-07-16 11:52:03.000000000 +0400
@@ -1 +1 @@
-qemu-kvm-1.1.0
+qemu-kvm-1.1.1
diff -Nru qemu-kvm-1.1.0+dfsg/Makefile qemu-kvm-1.1.1+dfsg/Makefile
--- qemu-kvm-1.1.0+dfsg/Makefile	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/Makefile	2012-07-16 11:52:03.000000000 +0400
@@ -271,6 +271,7 @@
 install-doc: $(DOCS)
 	$(INSTALL_DIR) "$(DESTDIR)$(qemu_docdir)"
 	$(INSTALL_DATA) qemu-doc.html  qemu-tech.html "$(DESTDIR)$(qemu_docdir)"
+	$(INSTALL_DATA) QMP/qmp-commands.txt "$(DESTDIR)$(qemu_docdir)"
 ifdef CONFIG_POSIX
 	$(INSTALL_DIR) "$(DESTDIR)$(mandir)/man1"
 	$(INSTALL_DATA) qemu.1 qemu-img.1 "$(DESTDIR)$(mandir)/man1"
diff -Nru qemu-kvm-1.1.0+dfsg/os-win32.c qemu-kvm-1.1.1+dfsg/os-win32.c
--- qemu-kvm-1.1.0+dfsg/os-win32.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/os-win32.c	2012-07-16 11:52:03.000000000 +0400
@@ -57,7 +57,13 @@
 
 static BOOL WINAPI qemu_ctrl_handler(DWORD type)
 {
-    exit(STATUS_CONTROL_C_EXIT);
+    qemu_system_shutdown_request();
+    /* Windows 7 kills application when the function returns.
+       Sleep here to give QEMU a try for closing.
+       Sleep period is 10000ms because Windows kills the program
+       after 10 seconds anyway. */
+    Sleep(10000);
+
     return TRUE;
 }
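Review bot: the old `exit(STATUS_CONTROL_C_EXIT)` tore the process down from the console-control thread without giving the main loop a chance to flush block devices, so this change has a data-integrity benefit beyond cosmetics. `Sleep(10000)` always holds the handler thread for the full ten seconds, even if QEMU finished shutting down after one; a short polling loop on the shutdown state would let it return early, although, as the comment says, Windows kills the process at the deadline either way.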
 
diff -Nru qemu-kvm-1.1.0+dfsg/qemu-img.texi qemu-kvm-1.1.1+dfsg/qemu-img.texi
--- qemu-kvm-1.1.0+dfsg/qemu-img.texi	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/qemu-img.texi	2012-07-16 11:52:03.000000000 +0400
@@ -232,6 +232,29 @@
 
 @end table
 
+@item qed
+Image format with support for backing files and compact image files (when your
+filesystem or transport medium does not support holes).  Good performance due
+to less metadata than the more featureful qcow2 format, especially with
+cache=writethrough or cache=directsync.  Consider using qcow2 which will soon
+have a similar optimization and is most actively developed.
+
+Supported options:
+@table @code
+@item backing_file
+File name of a base image (see @option{create} subcommand).
+@item backing_fmt
+Image file format of backing file (optional).  Useful if the format cannot be
+autodetected because it has no header, like some vhd/vpc files.
+@item cluster_size
+Changes the cluster size (must be power-of-2 between 4K and 64K). Smaller
+cluster sizes can improve the image file size whereas larger cluster sizes
+generally provide better performance.
+@item table_size
+Changes the number of clusters per L1/L2 table (must be power-of-2 between 1
+and 16).  There is normally no need to change this value but this option can be
+used for performance benchmarking.
+@end table
 
 @item qcow
 Old QEMU image format. Left for compatibility.
diff -Nru qemu-kvm-1.1.0+dfsg/readline.c qemu-kvm-1.1.1+dfsg/readline.c
--- qemu-kvm-1.1.0+dfsg/readline.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/readline.c	2012-07-16 11:52:03.000000000 +0400
@@ -337,6 +337,9 @@
         }
         readline_show_prompt(rs);
     }
+    for (i = 0; i < rs->nb_completions; i++) {
+        g_free(rs->completions[i]);
+    }
 }
 
 /* return true if command handled */
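Review bot: the loop frees `rs->completions[i]` but neither resets `rs->nb_completions` nor nulls the slots, so correctness depends on the next completion cycle resetting the count before it appends (outside this hunk); confirm that, otherwise a later pass could free the stale pointers again. It also relies on an `i` declared earlier in the function that the context does not show.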
diff -Nru qemu-kvm-1.1.0+dfsg/target-xtensa/cpu.h qemu-kvm-1.1.1+dfsg/target-xtensa/cpu.h
--- qemu-kvm-1.1.0+dfsg/target-xtensa/cpu.h	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/target-xtensa/cpu.h	2012-07-16 11:52:03.000000000 +0400
@@ -370,9 +370,12 @@
         uint32_t *vpn, uint32_t wi, uint32_t *ei);
 int xtensa_tlb_lookup(const CPUXtensaState *env, uint32_t addr, bool dtlb,
         uint32_t *pwi, uint32_t *pei, uint8_t *pring);
+void xtensa_tlb_set_entry_mmu(const CPUXtensaState *env,
+        xtensa_tlb_entry *entry, bool dtlb,
+        unsigned wi, unsigned ei, uint32_t vpn, uint32_t pte);
 void xtensa_tlb_set_entry(CPUXtensaState *env, bool dtlb,
         unsigned wi, unsigned ei, uint32_t vpn, uint32_t pte);
-int xtensa_get_physical_addr(CPUXtensaState *env,
+int xtensa_get_physical_addr(CPUXtensaState *env, bool update_tlb,
         uint32_t vaddr, int is_write, int mmu_idx,
         uint32_t *paddr, uint32_t *page_size, unsigned *access);
 void reset_mmu(CPUXtensaState *env);
diff -Nru qemu-kvm-1.1.0+dfsg/target-xtensa/helper.c qemu-kvm-1.1.1+dfsg/target-xtensa/helper.c
--- qemu-kvm-1.1.0+dfsg/target-xtensa/helper.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/target-xtensa/helper.c	2012-07-16 11:52:03.000000000 +0400
@@ -135,11 +135,11 @@
     uint32_t page_size;
     unsigned access;
 
-    if (xtensa_get_physical_addr(env, addr, 0, 0,
+    if (xtensa_get_physical_addr(env, false, addr, 0, 0,
                 &paddr, &page_size, &access) == 0) {
         return paddr;
     }
-    if (xtensa_get_physical_addr(env, addr, 2, 0,
+    if (xtensa_get_physical_addr(env, false, addr, 2, 0,
                 &paddr, &page_size, &access) == 0) {
         return paddr;
     }
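Review bot: passing `false` for the new `update_tlb` argument on both lookups in this function is the point of the whole xtensa series: a debug or physical-page lookup must not autorefill the TLB as a side effect, which the old `autorefill_mmu()` path did on every miss. No logic concern here, just make sure this file is mentioned as part of the same upstream change in the changelog rather than as a standalone xtensa tweak.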
@@ -448,30 +448,48 @@
     }
 }
 
-static int autorefill_mmu(CPUXtensaState *env, uint32_t vaddr, bool dtlb,
-        uint32_t *wi, uint32_t *ei, uint8_t *ring);
+static int get_pte(CPUXtensaState *env, uint32_t vaddr, uint32_t *pte);
 
-static int get_physical_addr_mmu(CPUXtensaState *env,
+static int get_physical_addr_mmu(CPUXtensaState *env, bool update_tlb,
         uint32_t vaddr, int is_write, int mmu_idx,
-        uint32_t *paddr, uint32_t *page_size, unsigned *access)
+        uint32_t *paddr, uint32_t *page_size, unsigned *access,
+        bool may_lookup_pt)
 {
     bool dtlb = is_write != 2;
     uint32_t wi;
     uint32_t ei;
     uint8_t ring;
+    uint32_t vpn;
+    uint32_t pte;
+    const xtensa_tlb_entry *entry = NULL;
+    xtensa_tlb_entry tmp_entry;
     int ret = xtensa_tlb_lookup(env, vaddr, dtlb, &wi, &ei, &ring);
 
     if ((ret == INST_TLB_MISS_CAUSE || ret == LOAD_STORE_TLB_MISS_CAUSE) &&
-            (mmu_idx != 0 || ((vaddr ^ env->sregs[PTEVADDR]) & 0xffc00000)) &&
-            autorefill_mmu(env, vaddr, dtlb, &wi, &ei, &ring) == 0) {
+            may_lookup_pt && get_pte(env, vaddr, &pte) == 0) {
+        ring = (pte >> 4) & 0x3;
+        wi = 0;
+        split_tlb_entry_spec_way(env, vaddr, dtlb, &vpn, wi, &ei);
+
+        if (update_tlb) {
+            wi = ++env->autorefill_idx & 0x3;
+            xtensa_tlb_set_entry(env, dtlb, wi, ei, vpn, pte);
+            env->sregs[EXCVADDR] = vaddr;
+            qemu_log("%s: autorefill(%08x): %08x -> %08x\n",
+                    __func__, vaddr, vpn, pte);
+        } else {
+            xtensa_tlb_set_entry_mmu(env, &tmp_entry, dtlb, wi, ei, vpn, pte);
+            entry = &tmp_entry;
+        }
         ret = 0;
     }
     if (ret != 0) {
         return ret;
     }
 
-    const xtensa_tlb_entry *entry =
-        xtensa_tlb_get_entry(env, dtlb, wi, ei);
+    if (entry == NULL) {
+        entry = xtensa_tlb_get_entry(env, dtlb, wi, ei);
+    }
 
     if (ring < mmu_idx) {
         return dtlb ?
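Review bot: the order of operations in the autorefill branch changed: `split_tlb_entry_spec_way()` is now called with `wi = 0`, and only afterwards, in the `update_tlb` case, is `wi` replaced by `++env->autorefill_idx & 0x3` before `xtensa_tlb_set_entry()`; the old code picked the way first and split with that way. This is only correct if the entry index `ei` does not depend on which of ways 0..3 is chosen (same page size across the autorefill ways); if that holds, a comment saying so would save the next reader the check, otherwise compute `wi` before the split as before. Separately, `may_lookup_pt` is what stops `get_pte()` from recursing: its own translation call passes `false`, so a miss while translating the page-table address cannot trigger another page-table walk. The `qemu_log()` on every autorefill predates this change but remains unconditional.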
@@ -494,30 +512,21 @@
     return 0;
 }
 
-static int autorefill_mmu(CPUXtensaState *env, uint32_t vaddr, bool dtlb,
-        uint32_t *wi, uint32_t *ei, uint8_t *ring)
+static int get_pte(CPUXtensaState *env, uint32_t vaddr, uint32_t *pte)
 {
     uint32_t paddr;
     uint32_t page_size;
     unsigned access;
     uint32_t pt_vaddr =
         (env->sregs[PTEVADDR] | (vaddr >> 10)) & 0xfffffffc;
-    int ret = get_physical_addr_mmu(env, pt_vaddr, 0, 0,
-            &paddr, &page_size, &access);
+    int ret = get_physical_addr_mmu(env, false, pt_vaddr, 0, 0,
+            &paddr, &page_size, &access, false);
 
     qemu_log("%s: trying autorefill(%08x) -> %08x\n", __func__,
             vaddr, ret ? ~0 : paddr);
 
     if (ret == 0) {
-        uint32_t vpn;
-        uint32_t pte = ldl_phys(paddr);
-
-        *ring = (pte >> 4) & 0x3;
-        *wi = (++env->autorefill_idx) & 0x3;
-        split_tlb_entry_spec_way(env, vaddr, dtlb, &vpn, *wi, ei);
-        xtensa_tlb_set_entry(env, dtlb, *wi, *ei, vpn, pte);
-        qemu_log("%s: autorefill(%08x): %08x -> %08x\n",
-                __func__, vaddr, vpn, pte);
+        *pte = ldl_phys(paddr);
     }
     return ret;
 }
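Review bot: the log string at the top of get_pte() still reads "trying autorefill" even though the function now only reads the PTE and the refill decision has moved to the caller; rename it (for example "trying to read PTE") so the log matches the control flow. Passing `false` as the final may_lookup_pt argument is what limits the walk to a single page-table level, and that is exactly the behaviour the new autoload_3_level_pt test asserts (no auto-TLB entry, exccause 24); a comment stating that intent next to the call would save the next reader a trip to the test file.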
@@ -553,13 +562,13 @@
  *
  * \return 0 if ok, exception cause code otherwise
  */
-int xtensa_get_physical_addr(CPUXtensaState *env,
+int xtensa_get_physical_addr(CPUXtensaState *env, bool update_tlb,
         uint32_t vaddr, int is_write, int mmu_idx,
         uint32_t *paddr, uint32_t *page_size, unsigned *access)
 {
     if (xtensa_option_enabled(env->config, XTENSA_OPTION_MMU)) {
-        return get_physical_addr_mmu(env, vaddr, is_write, mmu_idx,
-                paddr, page_size, access);
+        return get_physical_addr_mmu(env, update_tlb,
+                vaddr, is_write, mmu_idx, paddr, page_size, access, true);
     } else if (xtensa_option_bits_enabled(env->config,
                 XTENSA_OPTION_BIT(XTENSA_OPTION_REGION_PROTECTION) |
                 XTENSA_OPTION_BIT(XTENSA_OPTION_REGION_TRANSLATION))) {
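Review bot: the Doxygen block above xtensa_get_physical_addr() is not updated for the new `update_tlb` parameter; add a `\param update_tlb` line explaining that `true` installs the auto-refilled entry and sets EXCVADDR while `false` performs a side-effect-free probe. The MMU path here passes `true` for may_lookup_pt unconditionally while get_pte() passes `false`; that asymmetry is what caps the page-table walk at one level and is intended, but worth a sentence in the same comment.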
diff -Nru qemu-kvm-1.1.0+dfsg/target-xtensa/op_helper.c qemu-kvm-1.1.1+dfsg/target-xtensa/op_helper.c
--- qemu-kvm-1.1.0+dfsg/target-xtensa/op_helper.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/target-xtensa/op_helper.c	2012-07-16 11:52:03.000000000 +0400
@@ -79,7 +79,7 @@
         uint32_t paddr;
         uint32_t page_size;
         unsigned access;
-        int ret = xtensa_get_physical_addr(env, vaddr, is_write, mmu_idx,
+        int ret = xtensa_get_physical_addr(env, true, vaddr, is_write, mmu_idx,
                 &paddr, &page_size, &access);
 
         qemu_log("%s(%08x, %d, %d) -> %08x, ret = %d\n", __func__,
@@ -103,7 +103,7 @@
     uint32_t paddr;
     uint32_t page_size;
     unsigned access;
-    int ret = xtensa_get_physical_addr(env, vaddr, 2, 0,
+    int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
             &paddr, &page_size, &access);
     if (ret == 0) {
         tb_invalidate_phys_addr(paddr);
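Review bot: with `update_tlb = false` the lookup in this invalidation path no longer installs a TLB entry or writes EXCVADDR, which is the right choice for a function that must not perturb guest-visible state; however, when `ret != 0` the tb_invalidate_phys_addr() call is silently skipped. A qemu_log() for that case, matching the one in the neighbouring hunk, would make missed invalidations visible when debugging.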
@@ -655,6 +655,16 @@
     }
 }
 
+void xtensa_tlb_set_entry_mmu(const CPUXtensaState *env,
+        xtensa_tlb_entry *entry, bool dtlb,
+        unsigned wi, unsigned ei, uint32_t vpn, uint32_t pte)
+{
+    entry->vaddr = vpn;
+    entry->paddr = pte & xtensa_tlb_get_addr_mask(env, dtlb, wi);
+    entry->asid = (env->sregs[RASID] >> ((pte >> 1) & 0x18)) & 0xff;
+    entry->attr = pte & 0xf;
+}
+
 void xtensa_tlb_set_entry(CPUXtensaState *env, bool dtlb,
         unsigned wi, unsigned ei, uint32_t vpn, uint32_t pte)
 {
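Review bot: the `ei` parameter of xtensa_tlb_set_entry_mmu() is never used in its body (only `wi` feeds xtensa_tlb_get_addr_mask()); either drop it or add a comment that it is kept for symmetry with xtensa_tlb_set_entry(). A short header comment stating that this helper fills a caller-supplied entry without touching the CPU's TLB or flushing anything, unlike xtensa_tlb_set_entry(), would also help, since the helper.c hunk relies on exactly that property for the non-updating probe.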
@@ -665,10 +675,8 @@
             if (entry->asid) {
                 tlb_flush_page(env, entry->vaddr);
             }
-            entry->vaddr = vpn;
-            entry->paddr = pte & xtensa_tlb_get_addr_mask(env, dtlb, wi);
-            entry->asid = (env->sregs[RASID] >> ((pte >> 1) & 0x18)) & 0xff;
-            entry->attr = pte & 0xf;
+            xtensa_tlb_set_entry_mmu(env, entry, dtlb, wi, ei, vpn, pte);
+            tlb_flush_page(env, entry->vaddr);
         } else {
             qemu_log("%s %d, %d, %d trying to set immutable entry\n",
                     __func__, dtlb, wi, ei);
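Review bot: after the refactor this path flushes twice: the pre-existing conditional flush of the old `entry->vaddr` (guarded by `entry->asid`) and a new unconditional tlb_flush_page() of the freshly written vaddr. That looks intentional (a stale QEMU TLB translation for the new vaddr must go as well), but a comment on the second call explaining why both are needed would stop someone from "deduplicating" it later.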
diff -Nru qemu-kvm-1.1.0+dfsg/target-xtensa/translate.c qemu-kvm-1.1.1+dfsg/target-xtensa/translate.c
--- qemu-kvm-1.1.0+dfsg/target-xtensa/translate.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/target-xtensa/translate.c	2012-07-16 11:52:03.000000000 +0400
@@ -388,6 +388,7 @@
             dc->next_pc == dc->lend) {
         int label = gen_new_label();
 
+        gen_advance_ccount(dc);
         tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_SR[LCOUNT], 0, label);
         tcg_gen_subi_i32(cpu_SR[LCOUNT], cpu_SR[LCOUNT], 1);
         gen_jumpi(dc, dc->lbeg, slot);
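Review bot: gen_advance_ccount(dc) is now emitted before the conditional branch on LCOUNT, so CCOUNT is advanced regardless of which side of the branch is taken; check that gen_jumpi() on the taken path does not advance it a second time for the same instruction, and consider a comment stating that the advance must precede the branch so that both paths observe the same count.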
@@ -410,6 +411,7 @@
 {
     int label = gen_new_label();
 
+    gen_advance_ccount(dc);
     tcg_gen_brcond_i32(cond, t0, t1, label);
     gen_jumpi_check_loop_end(dc, 0);
     gen_set_label(label);
diff -Nru qemu-kvm-1.1.0+dfsg/tests/tcg/xtensa/test_mmu.S qemu-kvm-1.1.1+dfsg/tests/tcg/xtensa/test_mmu.S
--- qemu-kvm-1.1.0+dfsg/tests/tcg/xtensa/test_mmu.S	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/tests/tcg/xtensa/test_mmu.S	2012-07-16 11:52:03.000000000 +0400
@@ -293,26 +293,219 @@
     assert  eq, a2, a3
 test_end
 
-test dtlb_autoload
-    set_vector kernel, 0
-
-    movi    a2, 0xd4000000
+/* Set up page table entry vaddr->paddr, ring=pte_ring, attr=pte_attr
+ * and DTLB way 7 to cover this PTE, ring=pt_ring, attr=pt_attr
+ */
+.macro pt_setup pt_ring, pt_attr, pte_ring, vaddr, paddr, pte_attr
+    movi    a2, 0x80000000
     wsr     a2, ptevaddr
-    movi    a3, 0x00001013
-    s32i    a3, a2, 4
+
+    movi    a3, 0x80000007 | (((\vaddr) >> 10) & 0xfffff000) /* way 7 */
+    movi    a4, 0x04000003 | ((\pt_ring) << 4) /* PADDR 64M */
+    wdtlb   a4, a3
+    isync
+
+    movi    a3, ((\paddr) & 0xfffff000) | ((\pte_ring) << 4) | (\pte_attr)
+    movi    a1, ((\vaddr) >> 12) << 2
+    add     a2, a1, a2
+    s32i    a3, a2, 0
+
+    movi    a3, 0x80000007 | (((\vaddr) >> 10) & 0xfffff000) /* way 7 */
+    movi    a4, 0x04000000 | ((\pt_ring) << 4) | (\pt_attr) /* PADDR 64M */
+    wdtlb   a4, a3
+    isync
+
+    movi    a3, (\vaddr)
+.endm
+
+/* out: PS.RING=ring, PS.EXCM=excm, a3=vaddr */
+.macro go_ring ring, excm, vaddr
+    movi    a3, 10f
+    pitlb   a3, a3
+    ritlb1  a2, a3
+    movi    a1, 0x10
+    or      a2, a2, a1
+    movi    a1, 0x000ff000
+    and     a3, a3, a1
+    movi    a1, 4
+    or      a3, a3, a1
+    witlb   a2, a3
+    movi    a3, 10f
+    movi    a1, 0x000fffff
+    and     a1, a3, a1
+
+    movi    a2, 0
+    wsr     a2, excvaddr
+
+    movi    a3, \vaddr
+    movi    a2, 0x4000f | ((\ring) << 6) | ((\excm) << 4)
+    jx      a1
+10:
+    wsr     a2, ps
+    isync
+.endm
+
+/* in: a3 -- virtual address to test */
+.macro assert_auto_tlb
+    movi    a2, 0x4000f
+    wsr     a2, ps
+    isync
+    pdtlb   a2, a3
+    movi    a1, 0xfffff01f
+    and     a2, a2, a1
+    movi    a1, 0xfffff000
+    and     a1, a1, a3
+    xor     a1, a1, a2
+    assert  gei, a1, 0x10
+    movi    a2, 0x14
+    assert  lt, a1, a2
+.endm
+
+/* in: a3 -- virtual address to test */
+.macro assert_no_auto_tlb
+    movi    a2, 0x4000f
+    wsr     a2, ps
+    isync
     pdtlb   a2, a3
     movi    a1, 0x10
     and     a1, a1, a2
     assert  eqi, a1, 0
-    l8ui    a1, a3, 0
-    pdtlb   a2, a3
-    movi    a1, 0xfffff010
-    and     a1, a1, a2
-    movi    a3, 0x00001010
-    assert  eq, a1, a3
-    movi    a1, 0xf
+.endm
+
+.macro assert_sr sr, v
+    rsr     a2, \sr
+    movi    a1, (\v)
+    assert  eq, a1, a2
+.endm
+
+.macro assert_epc1_1m vaddr
+    movi    a2, (\vaddr)
+    movi    a1, 0xfffff
     and     a1, a1, a2
-    assert  lti, a1, 4
+    rsr     a2, epc1
+    assert  eq, a1, a2
+.endm
+
+test dtlb_autoload
+    set_vector kernel, 0
+
+    pt_setup    0, 3, 1, 0x1000, 0x1000, 3
+    assert_no_auto_tlb
+
+    l8ui    a1, a3, 0
+
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_auto_tlb
+test_end
+
+test autoload_load_store_privilege
+    set_vector kernel, 0
+    set_vector double, 2f
+
+    pt_setup    0, 3, 0, 0x2000, 0x2000, 3
+    movi    a3, 0x2004
+    assert_no_auto_tlb
+
+    movi    a2, 0x4005f    /* ring 1 + excm => cring == 0 */
+    wsr     a2, ps
+    isync
+1:
+    l32e    a2, a3, -4     /* ring used */
+    test_fail
+2:
+    rsr     a2, excvaddr
+    addi    a1, a3, -4
+    assert  eq, a1, a2
+
+    assert_auto_tlb
+    assert_sr depc, 1b
+    assert_sr exccause, 26
+test_end
+
+test autoload_pte_load_prohibited
+    set_vector kernel, 2f
+
+    pt_setup    0, 3, 0, 0x3000, 0, 0xc
+    assert_no_auto_tlb
+1:
+    l32i    a2, a3, 0
+    test_fail
+2:
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_auto_tlb
+    assert_sr epc1, 1b
+    assert_sr exccause, 28
+test_end
+
+test autoload_pt_load_prohibited
+    set_vector kernel, 2f
+
+    pt_setup    0, 0xc, 0, 0x4000, 0x4000, 3
+    assert_no_auto_tlb
+1:
+    l32i    a2, a3, 0
+    test_fail
+2:
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_no_auto_tlb
+    assert_sr epc1, 1b
+    assert_sr exccause, 24
+test_end
+
+test autoload_pt_privilege
+    set_vector  kernel, 2f
+    pt_setup    0, 3, 1, 0x5000, 0, 3
+    go_ring     1, 0, 0x5001
+
+    l8ui    a2, a3, 0
+1:
+    syscall
+2:
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_auto_tlb
+    assert_epc1_1m 1b
+    assert_sr exccause, 1
+test_end
+
+test autoload_pte_privilege
+    set_vector  kernel, 2f
+    pt_setup    0, 3, 0, 0x6000, 0, 3
+    go_ring     1, 0, 0x6001
+1:
+    l8ui    a2, a3, 0
+    syscall
+2:
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_auto_tlb
+    assert_epc1_1m 1b
+    assert_sr exccause, 26
+test_end
+
+test autoload_3_level_pt
+    set_vector  kernel, 2f
+    pt_setup    1, 3, 1, 0x00400000, 0, 3
+    pt_setup    1, 3, 1, 0x80001000, 0x2000000, 3
+    go_ring     1, 0, 0x00400001
+1:
+    l8ui    a2, a3, 0
+    syscall
+2:
+    rsr     a2, excvaddr
+    assert  eq, a2, a3
+
+    assert_no_auto_tlb
+    assert_epc1_1m 1b
+    assert_sr exccause, 24
 test_end
 
 test_suite_end
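Review bot: pt_setup writes DTLB way 7 twice: first with a fixed attr of 3 so that the s32i storing the PTE succeeds, then again with the caller's \pt_attr once the PTE is in place. That two-phase write is essential for autoload_pt_load_prohibited (pt_attr = 0xc) and deserves a comment in the macro; without it the second wdtlb looks redundant. The go_ring comment lists only PS.RING, PS.EXCM and a3 as outputs, but the macro also clobbers a1 and a2 and rewrites the ITLB entry covering the 10f label, and the assert_* macros likewise clobber a1/a2. Please document the clobbers, since the tests interleave these macros with their own use of a1..a3.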
diff -Nru qemu-kvm-1.1.0+dfsg/trace/simple.c qemu-kvm-1.1.1+dfsg/trace/simple.c
--- qemu-kvm-1.1.0+dfsg/trace/simple.c	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/trace/simple.c	2012-07-16 11:52:03.000000000 +0400
@@ -161,8 +161,11 @@
     }
 
     timestamp = get_clock();
-
+#if GLIB_CHECK_VERSION(2, 30, 0)
+    idx = g_atomic_int_add((gint *)&trace_idx, 1) % TRACE_BUF_LEN;
+#else
     idx = g_atomic_int_exchange_and_add((gint *)&trace_idx, 1) % TRACE_BUF_LEN;
+#endif
     trace_buf[idx] = (TraceRecord){
         .event = event,
         .timestamp_ns = timestamp,
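Review bot: the version guard is correct: g_atomic_int_add() only started returning the previous value in GLib 2.30 (before that it returned void), and g_atomic_int_exchange_and_add() was deprecated at the same release, so the #else branch is needed for builds against older GLib. A brief comment stating that reason on the #if line would keep a future cleanup from dropping the fallback prematurely.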
diff -Nru qemu-kvm-1.1.0+dfsg/VERSION qemu-kvm-1.1.1+dfsg/VERSION
--- qemu-kvm-1.1.0+dfsg/VERSION	2012-06-30 06:14:15.000000000 +0400
+++ qemu-kvm-1.1.1+dfsg/VERSION	2012-07-16 11:52:03.000000000 +0400
@@ -1 +1 @@
-1.1.0
+1.1.1

